• Hello

    Recently, my friend's website seems to have been hacked. I installed Wordfence for him to check.
    The scan showed no issues (merely an outdated Visual Composer).
    But the live traffic shows a list of different IPs from multiple countries accessing the site and using this WordPress site to send e-mail (mail topic -> “please read fax message” or “new fax message coming” etc.)

    This site is using the Postman plugin as an SMTP service.

    Currently, I have two choices. The first is to block those IPs from live traffic each time T-T..
    The second is to deactivate the Postman SMTP service to stop the e-mail being sent (SMTP via Google Mail).

    Do you know this issue? (I did see a common message from Wordfence that all the incoming IP traffic is using an undefined browser, so this may also be an (interim) way, if Wordfence can block IPs on the condition of an undefined browser.)

    Any suggestions?

Viewing 6 replies - 1 through 6 (of 6 total)
  • wfalaa

    (@wfalaa)

    Hi ninegolfy,
    There is an option to block IPs based on “User-Agent (browser)” from (Wordfence > Advanced Blocking => “User-Agent (browser) that matches”) but since there is no browser called “undefined”, it will not block anything.

    Please share with us a screenshot showing these entries you have in “Live Traffic” log, perhaps there is another way to block these attempts.

    Thanks.

    I too am looking for a way to block a barrage of fake google bots with “undefined” browser. They are coming from a different location and IP in the world every few minutes.

    [Screenshot: fake google bots]

    wfalaa

    (@wfalaa)

    Hi @cortela,
    You might need to enable “Immediately block fake Google crawlers” option under (Wordfence > Options => Rate Limiting Rules).

    Thanks.

    Hi,

    This option is already enabled, but it is not blocking these bots.

    I am unsure if the fact I am on shared hosting is causing an issue.

    Thanks

    DeaJae

    (@deajae)

    Seeing the same on a VPS install, but fake Googlebot’ers seem to be directed at ‘https://server-appname’ (serverpilot setup). Doubt blocking them will make any difference until anyone figures out what they are and what they are up to.

    Thread Starter ninegolfy

    (@ninegolfy)

    Alright, it was similar to Cris’s screenshot.

    Also, I found the same problem as described below:

    “the last couple of days I played around with several plugins for creating forms and sending mails to the customer. Now I got a mail from my hoster that there were mails sent out from my account via ‘/wp-includes/class-phpmailer.php’. While this is a core file, I was curious how this can happen. I found in my /plugins folder a plugin with the name ‘WPCoreMailSys’. I never installed a plugin called like this and it is also not shown in my WP admin dashboard. Inside the folder there is just one file called ‘WPCoreMailSys.php’ which looks like it is responsible for my issue. I could not even find anything in Google about this name. So what I want is just A) Did someone ever hear about this plugin? or if not B) I just want to warn those guys who will google the name. I deleted the folder and will just see if there are still any issues occurring. I can just not really name the plugin which was responsible for the install.”

    and here

    Yeah I removed it and nothing happened again so far. Additionally I found those suspicious files in my root folder named ‘Criminal Case against_You.B26__Fujitsu_fi-7260 LMI_DRD.rar’ or ‘criminal case against_you.L85.BVF.IT6.rar’. Might be the same cause and I removed them as well.

    So far, I did remove this. It seems to be alright, but I doubt whether there is still a hole or some infection hidden in the files or not?

    Core files seem not to have changed, as Wordfence has never reported this issue on my system.

    Cheers,
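
The quoted report above describes a folder in /plugins that is not shown in the WP admin dashboard. WordPress only lists a plugin whose top-level PHP file carries a `Plugin Name:` header in its first 8 KiB, so the following added example (not from the thread or from Wordfence) lists plugin folders that contain PHP but no such header; the function names and the sample tree are constructed for illustration, and the path to `wp-content/plugins` is passed as an argument.

```python
import os
import re
import sys
import tempfile

# Same header test WordPress applies to the first 8 KiB of a plugin file;
# a file that fails it never appears on the Plugins screen.
HEADER_RE = re.compile(rb"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:[ \t]*\S", re.I | re.M)


def has_plugin_header(path):
    with open(path, "rb") as fh:
        return HEADER_RE.search(fh.read(8192)) is not None


def find_unlisted_plugins(plugins_dir):
    """Return folder names under plugins_dir that hold PHP code but have no
    top-level file with a Plugin Name header (so wp-admin does not list them)."""
    unlisted = []
    for entry in sorted(os.scandir(plugins_dir), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue  # single-file plugins in the plugins root are not covered here
        top_php = [f.path for f in os.scandir(entry.path)
                   if f.is_file() and f.name.lower().endswith(".php")]
        any_php = any(n.lower().endswith(".php")
                      for _, _, names in os.walk(entry.path) for n in names)
        if any_php and not any(has_plugin_header(p) for p in top_php):
            unlisted.append(entry.name)
    return unlisted


def build_sample_tree(root):
    """Constructed sample: one normal plugin, one header-less folder named as in the thread."""
    samples = {
        "contact-form-demo/contact-form-demo.php":
            b"<?php\n/*\n * Plugin Name: Contact Form Demo\n * Version: 1.0\n */\n",
        "WPCoreMailSys/WPCoreMailSys.php":
            b"<?php\n// constructed placeholder body, no plugin header\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /path/to/wp-content/plugins
        print(find_unlisted_plugins(sys.argv[1]))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            print(find_unlisted_plugins(tmp))
```

A flagged folder is a candidate for manual review, not proof of compromise, and a folder that does carry a valid header is not reported by this check.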

  • The topic ‘can we block ip from undefined brownser ?’ is closed to new replies.