Blocking Cloudflare

Hi @bobsled,

It’s possible that an attacker has attempted an XSS attack, however their IP showed up as CloudFlare because Wordfence is obtaining its IPs incorrectly.

Can you provide me with these two pieces of information?

1. Go to Wordfence -> Tools -> Live Traffic, and find one of the rows where it was blocked for XSS. See exactly why it was blocked, you can expand the row and Wordfence should provide more details.

2. Go to Wordfence -> All Options -> How does Wordfence get IPs. See if the Your IP with this setting matches your actual IP address. (You can get your actual IP address from https://www.google.com/search?q=what+is+my+ip )

Dave

Hi,

Thanks for getting back so quickly.

There are two locations that are always on the list, so here is the info for each one.

Ashburn, United States was blocked by firewall for XSS: Cross Site Scripting in POST body: wp-piwik=%3Cscript%20language%3Djavascript%3Eeval(String.fromCharCode(118%2C%2097%2C%20114%2C%2032%2C%20100%2… at https://justpublishingadvice.com/
07/06/2019 01:32:13 (14 hours 7 mins ago) IP: 162.158.78.127 [block] Hostname: 162.158.78.127
Browser: Chrome version 0.0 running on Win7
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Los Angeles, United States was blocked by firewall for XSS: Cross Site Scripting in query string: file=data%3Aimage%2Fphp%3Bbase64%2CPD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs at https://justpublishingadvice.com//index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data%3Aimage%2…
07/06/2019 10:47:14 (4 hours 52 mins ago) IP: 108.162.215.211 [block] Hostname: 108.162.215.211
Browser: undefined
Mozilla/5.0 (compatible; bingbot/2.0; +https://www.bing.com/bingbot.htm)

As for the IP, my IP is correct in Wordfence and matches my IP.

Let me know if you need more info.

Hi again,

I’ve discussed this with some other members on the team.

Because your current website is behind CloudFlare, we are hesitant to recommend simply blocking the IP addresses in question.

I’d like to see a bit more information regarding your site. From Wordfence diagnostics, can you send an email report to [email protected]? Put your forum username, and I’ll take a look at it once I receive it.

Dave

Okay, Dave.

Sent.

Hi again,

So I took a look at all the information provided, and without exposing any IP addresses, here’s what I found:

Your server’s Cloudflare is located in Switzerland, but the attacks are originating from a Cloudflare server in the United States.

The two attacks are different but both malicious:

1. wp-piwik=%3Cscript%20... attempts to exploit the WP-Matomo plugin into displaying a remote script for anyone who visits the same link.

2. file=data%3Aimage... attempts to exploit Finecms V5.0.9, allowing the attacker to upload files or execute SQL statements.

I’m going to recommend blocking these two IP addresses from accessing your website. You can do this by going into Wordfence -> Firewall -> Blocking -> Create a Blocking Rule -> IP Address.

Dave

Many thanks, Dave.

I really appreciate your efforts with this issue.

I’ll now add the blocking rules as you suggest.

I have five other sites, so I will also check to see if the same IP addresses need blocking.

Hi again.

I must be missing something. I can’t find an option to Create a Blocking Rule in the Firewall tab or Options.

Please let me know if you see the offending IP addresses show up on different servers.

Thanks!

Dave

Yes, I have just seen another one similar. Again, with a Cloudflare IP.

Chicago, United States was blocked by firewall for XSS: Cross Site Scripting in POST body: wp-piwik=%3Cscript%20language%3Djavascript%3Eeval(String.fromCharCode(118%2C%2097%2C%20114%2C%2032%2C%20100%2… at https://justpublishingadvice.com/
08/06/2019 09:07:23 (4 hours 40 mins ago) IP: 172.68.59.33 [block] Hostname: 172.68.59.33
Browser: Chrome version 0.0 running on Win7
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Hi again,

For the firewall blocking, it should look like this: https://i.imgur.com/Mriyv96.png

So it looks like various Cloudflare IP addresses are sending out blind attacks on your website. The best thing you can do is to permanently block them from accessing your site.

Dave

Hi,

Your screenshot is different to what I have with my plugin. https://pasteboard.co/Iiv4qkt.png

I don’t have a blocking setting on my Firewall tab. I have blocked the IPs from the Blocking tab, however.

Is it the same result?

It looks like either an old version of Wordfence, or just a custom theme that is changing the appearance.

In any case, Wordfence -> Blocking tab is the same thing, so you’re all good to go!

Dave

Hi,

I always make sure my Wordfence plugin is updated. So perhaps it’s a theme thing, as you say. I don’t think I’ll bother with a re-install though.

But good to know that all is under control. I’ll keep an eye on my live view and block any IP that is exhibiting the same behaviour.

Many, many thanks again for your assistance with this issue, Dave.

Edit to comment:

I must have been taking stupid pills. I just checked and my auto-updating app hasn’t been updating Wordfence.

So now, all my sites are correctly updated and I can see what you have been trying to show me.

Silly me, but I got there. ??

Thanks again.

• This reply was modified 5 years, 5 months ago by bobsled.