Support » Plugin: Wordfence Security - Firewall & Malware Scan » Odd warnings from server IP

  • Resolved clubafterlifeq

    (@clubafterlifeq)


    Hi, I seem to be getting strange warnings from Wordfence which says it’s blocked an IP. However – the IP is the address of our website server. This happens quite a lot. Currently there are over 2500 blocked attempts from this IP all similar to the one below. Can anyone explain? Is it just a false positive I should ignore?

    November 6, 2017 8:35am  [redacted IP] (Unknown)     Blocked for Directory Traversal in POST body: tribe_eventcategory=../../../../../../../../../../../../../../../proc/version
    November 6, 2017 8:35am  [redacted IP] (Unknown)     Blocked for Directory Traversal in query string: tribe-bar-geoloc=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././ê
    November 6, 2017 8:35am  [redacted IP] (Unknown)     Blocked for Directory Traversal in POST body: tribe_eventcategory=../../../../../../../../../../etc/passwd
    November 6, 2017 8:35am  [redacted IP] (Unknown)     Blocked for Directory Traversal in query string: tribe-bar-geoloc=../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd
    November 6, 2017 8:35am  [redacted IP] (Unknown)     Blocked for Directory Traversal in query string: tribe-bar-geoloc=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd
    
Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi,
    Could you please share a screenshot showing “IPs” section in (Wordfence > Tools > Diagnostics)?

    Most probably the “How does Wordfence get IPs” option is misconfigured. In the “IPs” section mentioned above you should see your own IP address detected; can you confirm?

    Thanks.

    I’m not sure how to post a screencap here on my phone, sorry. However, under the IP section I see the correct IP address in REMOTE_ADDR, but it does not say ‘In use’. It says that under an IP I haven’t seen before (X-Real-IP).

    Connecting back to this site OK – 192.168.253.183
    IPs Value Used
    REMOTE_ADDR 192.168.253.183
    CF-Connecting-IP (not set)
    X-Real-IP 119.236.11.190 In use
    X-Forwarded-For 119.236.11.190

    I got many more warnings last night. We also run over 20 sites on the same IP so I received warnings from them for the IP listed above.

    Thanks

    This IP address “192.168.253.183” is related to your server. I think your server is behind a certain type of proxy and this is your IP address “119.236.11.190”, so it’s fine that the plugin is detecting the visitor IP address from “X-Real-IP” rather than the server one. That means you have set the “How does Wordfence get IPs” option to use “X-Real-IP”, is that right?

    Please check the “Live Traffic” entries to double-check that the plugin can detect all the users’ IPs correctly. Also, I would appreciate it if you could share a screenshot (please check this guide to learn how to take a screenshot) showing these blocked attempts in the Live Traffic feed.

    Thanks.

    Here’s a screencap :

    https://snag.gy/lRQWDp.jpg

    The blocked IP is below halfway, as ‘unknown location’.

    But honestly, I’ve received 20 emails in the past 2 days with this error. It used to happen rarely and now it is going crazy.

    https://snag.gy/OFLbze.jpg

    It all seems to be coming from one plugin (Tribe Events Calendar), based on the URLs.

    Any updates?

    I would really hate to have to deactivate Wordfence on every single site we own.

    Hi,
    Sorry for the late reply. So this attacking IP “192.168.253.183” is not really the server IP address; it’s an internal IP in your network. So it sounds like someone inside your network is trying to do some experiments/penetration testing on your site. I recommend reporting this issue to your network administrator. The reason why this IP is being reported might be that the script used to generate these requests has been run from your server (using a Python lib), so the IP could be derived from the “REMOTE_ADDR” header.

    Thanks.

    Can you clarify what you mean by ‘on your network’? Sorry, I’m a web dev, not a server admin, so I’m not sure of the terminology. Is IP spoofing possible in this case? Our server is blocked from outside traffic by a firewall, except from users within the network / using the WiFi IPs.

    We are an education organisation and I would think that we don’t have anyone capable of hacking or running those types of tests.

    Thanks for your reply…
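As an added illustration (not code from the thread, from Wordfence, or from any plugin mentioned here), the Python below shows the trusted-proxy rule that sits behind a setting like “How does Wordfence get IPs”. A forwarded-IP header such as X-Real-IP only means something when the TCP peer (REMOTE_ADDR) is a proxy you control; from any other peer the header holds whatever the sender chose to put there, which is the spoofing case asked about above. The addresses from the thread (192.168.253.183 and 119.236.11.190) are reused as sample input; the proxy range 192.168.253.0/24 and the external peer 203.0.113.9 are assumptions, and `client_ip`/`classify` are hypothetical helper names.

```python
import ipaddress

# Assumption: the reverse proxy in front of the web server lives in this range.
# Replace it with the real proxy address(es) of your deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.253.0/24")]


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES, header="X-Real-IP"):
    """Return the address a request should be attributed to.

    The forwarded header is honoured only when the TCP peer (REMOTE_ADDR) is a
    trusted proxy. Otherwise the peer address itself is used, because any
    client can send an X-Real-IP or X-Forwarded-For header with any value.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in net for net in trusted_proxies):
        raw = headers.get(header, "")
        # X-Forwarded-For can be a comma-separated chain; the leftmost entry
        # is the original client, later entries are proxies that appended it.
        candidate = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # header missing or malformed: fall back to the peer address
    return str(peer)


def classify(ip):
    """Label an address so a log reader can tell internal from external sources."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private/internal"
    return "public"


def describe(remote_addr, headers):
    """One-line summary of where a blocked request would be attributed and why."""
    ip = client_ip(remote_addr, headers)
    source = "forwarded header" if ip != remote_addr else "REMOTE_ADDR"
    return f"{ip} ({classify(ip)}) via {source}"


if __name__ == "__main__":
    # Constructed scenarios modelled on the diagnostics shown in the thread.
    scenarios = [
        # Normal visitor: proxy sets X-Real-IP, so the public address is attributed.
        ("192.168.253.183", {"X-Real-IP": "119.236.11.190"}),
        # Request made directly from the internal host with no header: the
        # private address is attributed, which is what the thread's blocks show.
        ("192.168.253.183", {}),
        # Constructed external peer sending a forged header: header is ignored.
        ("203.0.113.9", {"X-Real-IP": "10.0.0.1"}),
    ]
    for remote_addr, headers in scenarios:
        print(describe(remote_addr, headers))
```

Run stand-alone, the script prints one line per scenario; the second scenario reproduces the situation in the thread, where a request that reaches the server without passing through the proxy is attributed to the internal 192.168.x address that sent it.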

  • The topic ‘Odd warnings from server IP’ is closed to new replies.