• Normally, I see the usual xmlrpc/login attempts by the slimeballs but this is an absolute first since I’ve been using Wordfence.

    Here is the copy paste in case the image doesn’t work:

    Los Angeles, United States visited https://www.9966bct.com/
    4/12/2017 10:51:22 AM (1 hour 28 mins ago) IP: 104.148.75.20 [unblock] Hostname: 104.148.75.20
    Browser: IE version 8.0 running on Win7
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

    *NOTE: that link is NOT my website…how is that possible???

    I’m worried about this activity so I would appreciate prompt and any knowledgeable feedback. How is this possible for someone to visit my site and it shows they visited a completely different URL in Wordfence activity log? And of course the site that is shown in that link is a Chinese website. My site URL is still going to my site and it was only in this ONE specific log activity that shows this strange URL being visited as my site…

    Also I see from time to time that these slimeballs are visiting my site via the site’s IP address, is there anything to worry about when they do that?

    • This topic was modified 7 years, 11 months ago by skygazer.
Viewing 3 replies - 1 through 3 (of 3 total)
  • I’m just a Wordfence user in the trenches… I’m pretty sure those are tests to see if your server will function as an open proxy that the criminal can use. I see the same thing in my logs and I’ve been mystified, so I googled for a while and that’s what I found. Anyone else with help for this?

    MTN

    Thread Starter skygazer

    (@skygazer)

    Hi MTN.

    Thanks for the input, very much appreciated. So far I haven’t seen that happen again but of course I haven’t gone over every single activity but based on my casual look over of the activity log it doesn’t seem to have happened again, but that was really strange, to me it meant they somehow had penetrated my server... how else would it record a URL visit to another site on my Wordfence activity log. As for the other thing where they visit my IP instead of my site URL, well that still happens on occasion, not sure if there is any way to actually stop that one either.

    SG

    Hi @skygazer
    I have seen issues like that before when the Apache server is not configured correctly. Your website is most likely set as the default website in the virtual hosts configuration, so when any user agent makes a request to your server with a Host header that does not match any other virtual host, the default virtual host (which is your website) will handle this request.

    If you are running your own VPS server, you should find this guide helpful regarding configuring Apache virtual hosts.

    Otherwise, you may need to contact your host about this issue.

    Thanks.
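
The default-virtual-host behaviour described in the reply above, and the bare-IP visits asked about in the first post, can both be handled with a catch-all virtual host that is loaded first. This is an added example for Apache 2.4, not configuration from the thread or from Wordfence; the hostnames, paths and file names are placeholders.

```apache
# Constructed example: every hostname, path and file name is a placeholder.
#
# For name-based virtual hosts, Apache hands any request whose Host header
# matches no ServerName/ServerAlias to the FIRST <VirtualHost> defined for
# that address:port. Make sure this block is read before the real site
# (for instance by putting it in a file that sorts first, 000-catchall.conf).
<VirtualHost *:80>
    # A name nobody will legitimately request
    ServerName catchall.invalid

    # Requests made to the bare IP address, or carrying a foreign Host
    # header (such as an open-proxy probe), end here with a 403 and never
    # reach WordPress.
    <Location "/">
        Require all denied
    </Location>

    # Log the requested Host header separately so probes are easy to review
    LogFormat "%h %t \"%r\" %>s host=\"%{Host}i\" ua=\"%{User-Agent}i\"" hostprobe
    CustomLog "logs/catchall_access.log" hostprobe
</VirtualHost>

# The real site now answers only for its own names.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host list and shows which one is the default for each port. A site served over HTTPS needs an equivalent first-loaded `*:443` block with its own certificate.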

  • The topic ‘Extremely Strange Activity In live Log!’ is closed to new replies.