Viewing 7 replies - 1 through 7 (of 7 total)
  • Hello webby1973,
    are you using a backup service for WordPress?

    Thread Starter webby1973

    (@webby1973)

    Hi,

    I’m using the plugin BackWPup.
    I’m not sure, but maybe that action has been triggered by the backup automatically sent to my Dropbox folder? Or when I manually download a backup?
    But the IP was not mine, nor a Dropbox one.

    Hello webby1973,
    It definitely looks like a request to get a backup but of course I can’t promise that it is legit. If you go to Wordfence “Whois lookup” and enter the IP there, do the results look suspicious? If you want help interpreting it, copy paste the results of the Whois lookup and email it to asa@wordfence.com. Include a link to this support thread so I know who the email is coming from. Thanks!

    Thread Starter webby1973

    (@webby1973)

    Hi, I deleted the whitelisted entry so I can’t check that IP now, but I remember I did a whois and it was not something related to Dropbox or any of my connections.
    If it happens again I’ll deactivate the record and let you know.

    Thread Starter webby1973

    (@webby1973)

    I see the same URLs whitelisted on another site:

    /wp-admin/tools.php 	request.queryString[download_backup_file] 	23/4/2016, 19:20:57 	Whitelisted while in Learning Mode. 	- 	62.210.162.209 	
    
    /wp-admin/admin-ajax.php 	request.path 	23/4/2016, 21:30:58 	Whitelisted while in Learning Mode. 	- 	62.210.162.209

    IP 62.210.162.209 = 62-210-162-209.rev.poneytelecom.eu
    This reverse is not very helpful, and RIPE says it’s part of a big pool assigned to some “Iliad-Entreprises Business Hosting Customers”.

    I now suspended the whitelisting, also because the plugin I’m using for the backups had a vulnerability (fixed), and I’m waiting to know more about this.

    And I found this IP listed on the Project Honey Pot where 3 people confirmed attacks from it:
    http://www.projecthoneypot.org/ip_62.210.162.209

    Hello again webby1973,
    Thanks for checking back in. Yes, I completely agree that looks like a bad request and it should be blocked.

    Hi there,

    Just reading through your post, I have the same issue. How do I remove this from the whitelist and block it permanently?

    wp-admin/tools.php request.queryString[download_backup_file] 5/27/2016, 9:40:03 AM Whitelisted while in Learning Mode. – 43.227.253.48

    Looks like the IP is pointing to China.

  • The topic ‘WordFence firewall whitelists /wp-admin/tools.php’ is closed to new replies.
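
Added example (not part of the thread, and not Wordfence or BackWPup code): one way to check the web server's access log for the request pattern discussed above, `/wp-admin/tools.php` with a `download_backup_file` query parameter, from addresses you do not recognise. It assumes an Apache/nginx "combined" log format; the sample lines, the file name in them and the `known_ips` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2016:19:20:57 +0200] "GET /wp-admin/tools.php?download_backup_file=site.zip HTTP/1.1" 200 48211934 "-" "curl/7.47"
203.0.113.7 - - [23/Apr/2016:21:30:58 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "curl/7.47"
198.51.100.4 - - [24/Apr/2016:08:02:11 +0200] "GET /wp-admin/tools.php?download_backup_file=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Apr/2016:09:15:00 +0200] "GET /wp-admin/tools.php?page=export HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code, response size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)

def find_backup_requests(log_text, known_ips=()):
    """Return tools.php?download_backup_file=... requests from unknown IPs.

    known_ips is a hypothetical allowlist (your own address, your backup
    service). Each hit carries the status and byte count so you can tell a
    redirect apart from a response that actually returned a body.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, target, status, size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/tools.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "download_backup_file" not in params or ip in known_ips:
            continue
        nbytes = 0 if size == "-" else int(size)
        hits.append({
            "ip": ip, "time": when, "method": method,
            "status": int(status), "bytes": nbytes,
            # A 200 with a body deserves a closer look; it is a hint, not proof.
            "returned_body": status == "200" and nbytes > 0,
        })
    return hits

if __name__ == "__main__":
    for hit in find_backup_requests(SAMPLE_LOG):
        print(hit)
```
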