• Resolved Emmageddon

    (@emmageddon)


    Hello, I’m having some issues with one of my client’s sites. I’m currently doing a scan but have not had any alerts to errors so far.

    However I have a user account which up till recently seemed to just be a regular account, but over the past few days it’s logging in. It’s doing so after going to these “addresses” on site:

    cloner.php and cloner.php?nocache&gddebug=1&key=thsvurnfxgpwg1yssfwy83fxrwutj1ei

    I’ve checked our backend and cannot find either of these within site files.

    As you can imagine this does not seem normal and is of concern. I’ve done a check on the IP address for the “user” and it has been flagged across the internet:

    https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/54.191.137.17
    https://www.abuseipdb.com/check/54.191.137.17?page=1

    And yet when I try to block them, Wordfence is not allowing me to do so. Instead it gives me this error message pop-up:

    “An error occurred
    The IP address 54.191.137.17 is in a range of IP addresses that Wordfence does not block. The IP range may be internal or belong to a service safe to allow access for.”

    As you can see from the abuseipdb.com link, the IP address has also been flagged for the cloner.php that I highlighted above.

    I’m a little concerned as nothing has been flagged by Wordfence, and of course to not be able to block an IP that I have not whitelisted and is not known to me, and is showing signs of abusive behaviour is very concerning.

    I’m not highlighting my client’s site so as to protect the client.

    However any help will be gratefully received. If the scan I am doing right now brings anything up I will add it in a reply to this thread.

    Thank you.

    UPDATED:

    Also getting this error message on the scan (have removed the data that could identify the database):

    ```
    [JUN 13 17:47:21] Notice: Trying to access array offset on value of type null in /home/[databaseID]/public_html/wp-content/mu-plugins/PluginOrganizerMU.class.php on line 31
    Notice: Trying to access array offset on value of type null in /home/[databaseID]/public_html/wp-content/mu-plugins/PluginOrganizerMU.class.php on line 32
    Notice: Trying to access array offset on value of type null in /home/[databaseID]/public_html/wp-content/mu-plugins/PluginOrganizerMU.class.php on line 33
    Notice: Trying to access array offset on value of type null in /home/[databaseID]/public_html/wp-content/mu-plugins/PluginOrganizerMU.class.php on line 34
    ```

    Please note, no suspicious files etc have been found.

    • This topic was modified 2 years, 5 months ago by Emmageddon. Reason: Adding scan error details too
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @emmageddon, thanks for your detailed message to help us out on this one.

    That IP appears to be a ManageWP address:
    https://managewp.com/troubleshooting/general/managewp-ips-can-white-list

    If you’re not using ManageWP, you can turn it off under “Allowlisted services” in Wordfence > All Options > Firewall Options > Advanced Firewall Options so that you can then block the IP.

    It might also be worth checking whether your site is detecting IPs correctly at Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and ensure you’ve selected the option that displays your current IP address as seen on https://whatsmyip.com/. If you need to change this, make sure to click the SAVE CHANGES button once you’re done.

    There are some further explanations of IP detection and which option to select if your site is using Cloudflare here: https://www.wordfence.com/help/dashboard/options/

    Thanks,

    Peter.
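
An added example, not part of either post and not Wordfence or ManageWP code: triaging a web access log for requests to `cloner.php`, grouped by source IP, showing the response status and whether the source falls in a known management-service range. The log lines are constructed, and the `SERVICE_RANGES` table holds only the single address the reply attributes to ManageWP; the vendor's published list would replace it.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; the key value is a placeholder.
SAMPLE_LOG = """\
54.191.137.17 - - [13/Jun/2021:17:40:02 +0000] "GET /cloner.php HTTP/1.1" 404 512 "-" "-"
54.191.137.17 - - [13/Jun/2021:17:40:03 +0000] "GET /cloner.php?nocache&gddebug=1&key=REDACTED HTTP/1.1" 404 512 "-" "-"
203.0.113.9 - - [13/Jun/2021:17:41:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
198.51.100.23 - - [13/Jun/2021:17:42:55 +0000] "POST /cloner.php HTTP/1.1" 404 512 "-" "-"
"""

# Assumption: only the address named in the thread, as a /32. Load the
# service's published IP list here before relying on the result.
SERVICE_RANGES = {"ManageWP": ["54.191.137.17/32"]}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def service_for(ip):
    """Return the service whose range contains ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # log field was a hostname or garbage
        return None
    for name, cidrs in SERVICE_RANGES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def triage(log_text, target="cloner.php"):
    """Summarise requests for `target` per source IP."""
    report = defaultdict(lambda: {"hits": 0, "statuses": set(), "params": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url, status = m.group(1, 2, 3)
        parts = urlsplit(url)
        if parts.path.rsplit("/", 1)[-1] != target:
            continue
        entry = report[ip]
        entry["hits"] += 1
        entry["statuses"].add(int(status))
        entry["params"].update(parse_qs(parts.query, keep_blank_values=True))
    return {ip: dict(e, service=service_for(ip)) for ip, e in report.items()}

if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(ip, e["service"] or "unknown source", e["hits"], sorted(e["statuses"]), sorted(e["params"]))
```

Sources that report no service are the ones to look at first, and a 200 status for any hit would mean something is answering at that path even though the file was not found in the site files.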

  • The topic ‘Can not block an IP address’ is closed to new replies.