Extra chilli online slot.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved CroydonWeb
(@croydonweb)

7 years, 6 months ago

I’ve have seen over the last few days queries look like this:

https://mydomain/?wordfence_syncAttackData=1503137409.6009
https://mydomain.com/?wordfence_syncAttackData=1503145454.4908

from different countries such Canada, Turkey, Ukraine, France etc.

Question:
Is this Wordfence or is this some kind new attack on a new vulnerability in Wordfence?

Viewing 3 replies - 1 through 3 (of 3 total)

Caleb
(@crudhunter)

7 years, 6 months ago

It is not a vulnerability or a new type of attack.. It is a parameter your local WordFence use to call itself, that under normal conditions should NOT become visible to the outside.
Unfortunately there are conditions where WordFence panics and spews it out into page code using Javascript, where visitors, Google, and other bots can find the link.

In either case, the parameter is there by accident, not an attack it itself. When someone OTHER THAN your own server calls with it, it means that they have found and called the query link, but calling it is not a security risk. It is part of slightly abnormal “normal business”. ??
Mostly a nuisance with Google Search Console when GoogleBot finds it, since they now are thinking your site uses query args it does not.

Given the Epoch timestamps you show, these links were caught/seen/called on

Saturday, August 19, 2017 4:10:09.600 AM GMT-06:00 DST
and
Saturday, August 19, 2017 6:24:14.490 AM GMT-06:00 DST

so these particular ones obviously just recently happened.

I think you are seeing another unfortunate side-effect of this case, which you might wanna read through:

https://www.ads-software.com/support/topic/syncattackdata-query-parameters/

Caleb
(@crudhunter)

7 years, 6 months ago

I am seeing repeated accesses by GoogleBot with this WordFence parameter as well:

/?wordfence_logHuman=1&hid=xxxxxx

For that one there is no excuse of “redirect” like for the previous incident linked above. the LogHuman test comes out attached to page headers, and gets caught by GoogleBot and others on some of their accesses. Probably for Google on some of the test-site accesses.

It is another case of side-effects from WordFence injecting Javascript based links into random pages just for internal purposes.

It is a decidedly bad idea to modify a site’s page code with goofy links/parameters that should not be there. I prefer to control my own page content and links, thank you very much.

wfalaa
(@wfalaa)

7 years, 6 months ago

Hi @croydonweb
In Wordfence, “wordfence_syncAttackData” query parameter is used to update the “Live Traffic” with information about any recent attacks on your website. Normally this link shouldn’t be available publicly, but on some websites if this query parameter can’t be called in the default way (perhaps due to a plugin/theme conflict), an alternative way is used which might reveal this link, so bots can track it and multiple hits might be seen in Live Traffic referencing this link, but there is nothing to worry about here.

Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Suspicious Query?’ is closed to new replies.