• Resolved bobsled

    (@bobsled)


    Hi,

    In my live traffic, I see that there is always a long list of “blocked by firewall for XSS: Cross Site Scripting” but I am sure this is blocking Cloudflare.

    When I check Who Is, it reads:
    NetName: CLOUDFLARENET
    NetHandle: NET-162-158-0-0-1
    Parent: NET162 (NET-162-0-0-0-0)
    NetType: Direct Assignment
    OriginAS: AS13335
    Organization: Cloudflare, Inc. (CLOUD14)
    OrgName: Cloudflare, Inc.
    OrgId: CLOUD14
    Address: 101 Townsend Street
    City: San Francisco

    Should I Whitelist this from the firewall, or do I need to whitelist all the IP addresses?
    Or should I just ignore the notice?

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi @bobsled,

    It’s possible that an attacker has attempted an XSS attack, however their IP showed up as CloudFlare because Wordfence is obtaining its IPs incorrectly.

    Can you provide me with these two pieces of information?

    1. Go to Wordfence -> Tools -> Live Traffic, and find one of the rows where it was blocked for XSS. See exactly why it was blocked, you can expand the row and Wordfence should provide more details.

    2. Go to Wordfence -> All Options -> How does Wordfence get IPs. See if the “Your IP with this setting” value matches your actual IP address. (You can get your actual IP address from https://www.google.com/search?q=what+is+my+ip )

    Dave
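
The check behind "How does Wordfence get IPs", as an added example that is not part of the thread and not Wordfence's code: decide whether the connecting address is a Cloudflare edge, and only then take the visitor address from Cloudflare's `CF-Connecting-IP` header. Assumptions: the range list is a snapshot of Cloudflare's published IPv4 ranges (refresh it from https://www.cloudflare.com/ips/), and the function names and sample requests are constructed for illustration.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if ip parses and falls inside one of the Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, source) for one request.

    peer_ip is the address of the TCP connection; headers is a dict of
    request headers. The header is trusted only when the peer is an edge.
    """
    if not is_cloudflare(peer_ip):
        # Direct connection: the header is client-controlled, so ignore it.
        return peer_ip, "peer"
    claimed = headers.get("CF-Connecting-IP", "").strip()
    try:
        ipaddress.ip_address(claimed)
    except ValueError:
        # Edge connection without a usable header: only the edge is known.
        return peer_ip, "edge-only"
    return claimed, "CF-Connecting-IP"

# Constructed sample requests (documentation-range client addresses).
SAMPLES = [
    ("162.158.10.1", {"CF-Connecting-IP": "198.51.100.7"}),  # via Cloudflare
    ("162.158.10.1", {}),                                    # edge, no header
    ("203.0.113.9", {"CF-Connecting-IP": "192.0.2.1"}),      # direct, forged header
]

def triage(samples=SAMPLES):
    """Resolve every sample so blocks land on the visitor, not the edge."""
    return [resolve_client_ip(peer, hdrs) for peer, hdrs in samples]

if __name__ == "__main__":
    for ip, source in triage():
        print(f"{ip:15} via {source}")
```

An "edge-only" result means the logged address belongs to the proxy itself, so a block on it applies to every visitor routed through that edge.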

    Thread Starter bobsled

    (@bobsled)

    Hi,

    Thanks for getting back so quickly.

    There are two locations that are always on the list, so here is the info for each one.

    Ashburn, United States was blocked by firewall for XSS: Cross Site Scripting in POST body: wp-piwik=%3Cscript%20language%3Djavascript%3Eeval(String.fromCharCode(118%2C%2097%2C%20114%2C%2032%2C%20100%2… at https://justpublishingadvice.com/
    07/06/2019 01:32:13 (14 hours 7 mins ago) IP: 162.158.78.127 [block] Hostname: 162.158.78.127
    Browser: Chrome version 0.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

    Los Angeles, United States was blocked by firewall for XSS: Cross Site Scripting in query string: file=data%3Aimage%2Fphp%3Bbase64%2CPD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs at https://justpublishingadvice.com//index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data%3Aimage%2…
    07/06/2019 10:47:14 (4 hours 52 mins ago) IP: 108.162.215.211 [block] Hostname: 108.162.215.211
    Browser: undefined
    Mozilla/5.0 (compatible; bingbot/2.0; +https://www.bing.com/bingbot.htm)

    As for the IP, my IP is correct in Wordfence and matches my IP.

    Let me know if you need more info.

    Hi again,

    I’ve discussed this with some other members on the team.

    Because your current website is behind CloudFlare, we are hesitant to recommend simply blocking the IP addresses in question.

    I’d like to see a bit more information regarding your site. From Wordfence diagnostics, can you send an email report to [email protected]? Put your forum username, and I’ll take a look at it once I receive it.

    Dave

    Thread Starter bobsled

    (@bobsled)

    Okay, Dave.

    Sent.

    Hi again,

    So I took a look at all the information provided, and without exposing any IP addresses, here’s what I found:

    Your server’s Cloudflare is located in Switzerland, but the attacks are originating from a Cloudflare server in the United States.

    The two attacks are different but both malicious:

    1. wp-piwik=%3Cscript%20... attempts to exploit the WP-Matomo plugin into displaying a remote script for anyone who visits the same link.

    2. file=data%3Aimage... attempts to exploit Finecms V5.0.9, allowing the attacker to upload files or execute SQL statements.

    I’m going to recommend blocking these two IP addresses from accessing your website. You can do this by going into Wordfence -> Firewall -> Blocking -> Create a Blocking Rule -> IP Address.

    Dave

    Thread Starter bobsled

    (@bobsled)

    Many thanks, Dave.

    I really appreciate your efforts with this issue.

    I’ll now add the blocking rules as you suggest.

    I have five other sites, so I will also check to see if the same IP addresses need blocking.

    Thread Starter bobsled

    (@bobsled)

    Hi again.

    I must be missing something. I can’t find an option to Create a Blocking Rule in the Firewall tab or Options.

    Please let me know if you see the offending IP addresses show up on different servers.

    Thanks!

    Dave

    Thread Starter bobsled

    (@bobsled)

    Yes, I have just seen another one similar. Again, with a Cloudflare IP.

    Chicago, United States was blocked by firewall for XSS: Cross Site Scripting in POST body: wp-piwik=%3Cscript%20language%3Djavascript%3Eeval(String.fromCharCode(118%2C%2097%2C%20114%2C%2032%2C%20100%2… at https://justpublishingadvice.com/
    08/06/2019 09:07:23 (4 hours 40 mins ago) IP: 172.68.59.33 [block] Hostname: 172.68.59.33
    Browser: Chrome version 0.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

    Hi again,

    For the firewall blocking, it should look like this: https://i.imgur.com/Mriyv96.png

    So it looks like various Cloudflare IP addresses are sending out blind attacks on your website. The best thing you can do is to permanently block them from accessing your site.

    Dave

    Thread Starter bobsled

    (@bobsled)

    Hi,

    Your screenshot is different to what I have with my plugin. https://pasteboard.co/Iiv4qkt.png

    I don’t have a blocking setting on my Firewall tab. I have blocked the IPs from the Blocking tab, however.

    Is it the same result?

    It looks like either an old version of Wordfence, or just a custom theme that is changing the appearance.

    In any case, Wordfence -> Blocking tab is the same thing, so you’re all good to go!

    Dave

    Thread Starter bobsled

    (@bobsled)

    Hi,

    I always make sure my Wordfence plugin is updated. So perhaps it’s a theme thing, as you say. I don’t think I’ll bother with a re-install though.

    But good to know that all is under control. I’ll keep an eye on my live view and block any IP that is exhibiting the same behaviour.

    Many, many thanks again for your assistance with this issue, Dave.

    Edit to comment:

    I must have been taking stupid pills. I just checked and my auto-updating app hasn’t been updating Wordfence.

    So now, all my sites are correctly updated and I can see what you have been trying to show me.

    Silly me, but I got there.

    Thanks again.

  • The topic ‘Blocking Cloudflare’ is closed to new replies.