Centrora Security™
[resolved] Why is whois.domaintools.com blocked? (6 posts)

  1. Dutchintouch
    Member
    Posted 2 years ago #

    I'm new to OSE Firewall, and wonder why I get countless emails telling me 'Malicious User Agent' whois.domaintools.com is blocked.

    Each instance has a different IP number associated with it, and those IP numbers are all over the place.

    http://wordpress.org/extend/plugins/ose-firewall/

  2. osexcel
    Member
    Plugin Author

    Posted 2 years ago #

    whois.domaintools.com is not blocked. The link shows you the IP information on whois.domaintools.com; it does not mean whois.domaintools.com is blocked.

    For the malicious user agent, please copy-paste the alert email here. We will take a look.

  3. Dutchintouch
    Member
    Posted 2 years ago #

    Ah, after applying some strong coffee I see that whois.domaintools.com simply gives me info about the IP number that was blocked.

    Cool.

    Here are some samples I get:

    ===Begin Quote===
    TYPE: Found Malicious User Agent
    DETECTED ATTACK VALUE: EMail Exractor
    ACTION: Blocked
    LOGTIME: 2013-02-21 06:29:30
    FROM IP: http://whois.domaintools.com/61.58.82.230
    URI: http://uniekewinkeltjes.com/about-unieke-winkeltjes
    METHOD: GET
    USERAGENT: EMail Exractor
    REFERRER: N/A

    TYPE: Found Malicious User Agent
    DETECTED ATTACK VALUE: Java/1.7.0_02
    ACTION: Blocked
    LOGTIME: 2013-02-22 02:40:04
    FROM IP: http://whois.domaintools.com/176.58.28.111
    URI: http://uniekewinkeltjes.com/26/pollux-cafe-restaurant
    METHOD: GET
    USERAGENT: Java/1.7.0_02
    REFERRER: N/A

    TYPE: Found Basic DoS Attacks
    DETECTED ATTACK VALUE: dDos Attack
    ACTION: Blocked
    LOGTIME: 2013-02-22 02:41:32
    FROM IP: http://whois.domaintools.com/38.113.234.181
    URI: http://uniekewinkeltjes.com/26/pollux-cafe-restaurant
    METHOD: GET
    USERAGENT: N/A
    REFERRER: N/A
    ===End Quote===

  4. osexcel
    Member
    Plugin Author

    Posted 2 years ago #

    Hi there

    The first two should be spammers that try to extract email addresses from your website and then spam your email box. The last one does not have a user agent, so it is suspicious. I would recommend leaving them as they are; there is no need to whitelist these IPs.

    Hope this helps. :)

  5. Dutchintouch
    Member
    Posted 2 years ago #

    Yes, it does. Thanks!

    That said, how are we to know whether or not to whitelist any blocked IPs? Or is it better not to worry about it?

  6. osexcel
    Member
    Plugin Author

    Posted 2 years ago #

    It is not necessary to worry about it. In the future release, we will add more functions and explanations so you can know whether they should be blocked permanently.

Topic Closed

This topic has been closed to new replies.
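
As an added example (not part of the original thread and not the plugin's own code): a small Python parser for alert emails in the format quoted in the thread, which pulls the blocked client address out of the whois.domaintools.com lookup link and groups alert types per address. The sample alerts are constructed; `parse_alerts`, `summarize` and the `CLIENT_IP` field are names chosen for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the thread's alert format (documentation IPs, not real traffic).
SAMPLE = """\
TYPE: Found Malicious User Agent
DETECTED ATTACK VALUE: EMail Exractor
ACTION: Blocked
LOGTIME: 2013-02-21 06:29:30
FROM IP: http://whois.domaintools.com/203.0.113.7
URI: http://example.com/about
METHOD: GET
USERAGENT: EMail Exractor
REFERRER: N/A

TYPE: Found Basic DoS Attacks
DETECTED ATTACK VALUE: dDos Attack
ACTION: Blocked
LOGTIME: 2013-02-22 02:41:32
FROM IP: http://whois.domaintools.com/198.51.100.24
URI: http://example.com/26/page
METHOD: GET
USERAGENT: N/A
REFERRER: N/A
"""

def parse_alerts(text):
    """Parse blank-line-separated 'KEY: value' alert blocks into dicts."""
    alerts = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        # FROM IP is a whois lookup link; the blocked client is its last path segment.
        candidate = urlparse(fields.get("FROM IP", "")).path.rsplit("/", 1)[-1]
        try:
            fields["CLIENT_IP"] = str(ipaddress.ip_address(candidate))
        except ValueError:
            fields["CLIENT_IP"] = None  # missing or malformed link
        alerts.append(fields)
    return alerts

def summarize(alerts):
    """Map each client IP to the alert types logged against it."""
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["CLIENT_IP"], []).append(a.get("TYPE"))
    return by_ip
```

Calling `summarize(parse_alerts(SAMPLE))` shows which addresses recur across alerts, which is the first thing to look at before considering a whitelist entry.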
