Forum Replies Created

Viewing 15 replies - 1 through 15 (of 134 total)
  • Thread Starter Emmageddon

    (@emmageddon)

    Hi,

    Just an update. Having done a (fair) bit of searching through the different forums, I see the menu (I’m using the TwentyTwenty theme for now) is controlled by Gutenberg and this is an issue that is still being looked at if I am following the Github conversations correctly.

    I will mark this as resolved and follow the relevant Github conversations and hopefully this is resolved soon in the Gutenberg core for WordPress.

    • This reply was modified 1 year, 1 month ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    Hi @wfpeter – I tend to block IPs that are showing a persistent behaviour. Probably over cautious but this is a big site for a client and before we had Wordfence we were the victim of a terroristic cyber attack years ago, so I’m overly cautious for a reason.

    Thank you for the detailed information on how to stop seeing these IPs within Live Traffic. I will have a look at these solutions today and hopefully it will stop them dropping into the feed (they’re still going).

    Appreciate the help as always. If this fixes the issue I will mark this as resolved.

    Thread Starter Emmageddon

    (@emmageddon)

    Oh actually there are three. I mentioned: 20.29.110.170 which is also flagged on abuseip with the same pattern as the others (20.109.241.82, 13.67.224.13): https://www.abuseipdb.com/check/20.29.110.170

    Thread Starter Emmageddon

    (@emmageddon)

    Hi @wfpeter

    Thanks for getting back to me on this. I’ve been thinking about this a lot for the past few days and I was already thinking my hosts were feeding some “*** covering” excuses to make sure that whatever was happening was not traced to them. I was recalling the chat I did with them and I realised as soon as I mentioned the security plugin, everything they said was about the issue being a DDOS attack and being yours/Wordfence’s fault.

    I made sure to give as much info as possible at the time because as you can understand it was a pretty scary day and I could not for the life of me understand why or how the security had been bypassed. I’m pretty fastidious about managing my client’s site as it’s a big site and a few years ago was the victim of a cyber attack linked to terroristic activities (we had to get the FBI involved). Ever since then Wordfence has been hooked in and is one of the first plugins I add to any new client’s site and even to staging sites.

    I really appreciate the insight and it aligns with the way I have been looking at this over the past few days (and a nagging thought at the time) – that the hosts had done something that had caused an error in the system but were unwilling to say “oops, our bad, sorry”. I mean, the thing is, less than an hour after I finished my chat with them, Wordfence’s log for the site says everything went back to normal.

    I will continue to monitor the site but am grateful for the way Wordfence protects us and for all the useful info we get from your team.

    Thank you again for getting back to me and talking to your team about the issue. Glad the info I supplied was of help. I do try to be thorough.

    Thread Starter Emmageddon

    (@emmageddon)

    So an update. Overnight everything seems to be working again. I’m seeing all Live Traffic logs instead of just the server IP. My IP has gone back to my actual local IP instead of the server IP.

    I’m still absolutely perplexed as to what happened as all Wordfence scans I did never showed anything that would suggest a breach. And of course our hosts are adamantly denying it was anything they did their end claiming it was a DDOS.

    If anyone from WF has any clue as to what could have happened, I’m happy to know as it was a worrying 24 hours or so. But for now (fingers, toes and everything in between crossed) it seems to have resolved itself.

    I will keep this thread open just in case anyone from WF would like to give some insight/possible reasons for what happened so I know what possibly to look out for if (god no) it happens again. Thank you.

    • This reply was modified 2 years, 2 months ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    UPDATE: My hosts are saying it’s NOT their issue but Wordfence’s.

    From chat:

    As per the screenshot (I sent them latest logs and server log) I could see that it is a DDOS attack on the website, may I know is the firewall activated on the website?

    I can understand your concern here I request you to once check with the Firewall settings or contact the plugin provider where the firewall is added as it is plugin issue we will have limited scope of support.

    I checked the firewall settings and nothing appears to have changed but I’m also now not getting login emails.

    They believe it is a bot attack.

    They say the bot is mirroring our server IP (and somehow overriding my local IP):

    …as it is bot attack it will not show the bot it will reflect the Hosting IP address that is the reason in logs it is showing as IP address of the Hosting.

    Oh and I tried a new scan but Wordfence is not flagging any (new) issues plus the only activity I’m seeing is from the US located IP now.

    The host support also says:

    …in the DDOS attacks the IP will override that is functionality you will have to check the firewall settings to fix this issue.

    To clarify, this is when the Wordfence Firewall first flagged this “erroneous” IP (or what is claiming to be this IP):

    United States was blocked by firewall for Directory Traversal in query string: lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession at https://removed for security/remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%…
    31/08/2022 01:42:26 (18 hours 37 mins ago)
    IP: removed for security reasons Hostname: ip-removed for security reasonsip.secureserver.net
    Human/Bot: Bot
    Python-urllib/3.8

    I’ve removed the IP for security reasons but can give privately if needed.

    I did notice this in the attack-data php file:

    `<?php exit('Access denied'); __halt_compiler(); ?>
    wfWAFèú`

    That “wfWAFèú” looks odd.

    • This reply was modified 2 years, 2 months ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    Just wanted to add one more update. We also have a testing site and it is also showing my IP as the US one (same as is happening on the main site) instead of my NL one.

    I do think this is linked to our hosts but again the only thing that has happened overnight is a WordPress automatic update. I can not see any other thing that has happened.

    Sorry to “hijack” your thread BUT thank goodness! I thought I was going mad after recently updating to WordPress 5.9 using the Twenty Twenty theme. Also have the same issue with the button outline not showing on the live page. I’m in the middle of a huge site rebuild and all my buttons are outline. After the update I even tried to make sure the default setting for buttons was outline but to no avail.

    Do you have the issue that when you are editing the page you see the outline but on the live, published page you don’t see it?

    Going to try your custom code to see if that helps for now. Hope this can be properly looked at.

    Admin, if I need to create my own thread to address this issue please let me know. Was just “pleased” to know I’m not the only one with this issue.

    UPDATE: Have created my own thread too to highlight the issue.

    • This reply was modified 2 years, 10 months ago by Emmageddon.
    • This reply was modified 2 years, 10 months ago by Emmageddon. Reason: Have now created my own thread so not "hijacking" this thread with same issue
    Thread Starter Emmageddon

    (@emmageddon)

    Okay, a maybe solution to anyone else going through this. I just reinstalled the latest WordPress update and that appears to have fixed the post publishing issue. Worth giving that a try as I’ve just seen a few more posts also noting an issue.

    Would also like to add my voice to this problem. Site has been updated to the latest version of WordPress. Have tried refreshing but no luck.

    Can confirm the error I was experiencing has now resolved itself.

    Also seeing this. Just started today.

    Getting the same error message:

    [MAY 30 13:52:29] Call to Wordfence API to resolve IPs failed: There was an error connecting to the Wordfence scanning servers: cURL error 60: SSL certificate problem: certificate has expired

    Apologies if I was supposed to start a new thread. Wasn’t sure if I should but hopped on this one because I saw the same issue I am experiencing.

    • This reply was modified 4 years, 6 months ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    I’ve found the bug already thanks to you, so no more issues in a next version, just make sure to keep updating the plugin.

    YAY! Glad to be of help @alesmal

    Thread Starter Emmageddon

    (@emmageddon)

    Thanks @alesmal – glad to be of help. And glad to have stopped the emails. Believe me I was worried that when it comes to waking up in the morning I was going to be facing a LOT of emails pinging through.

    Just glad that’s not the case now as changing the site to a new look etc is tense enough without also getting hundreds (and possibly thousands) of emails too.

    Enjoy the weekend.

    • This reply was modified 4 years, 10 months ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    Hi @alesmal

    I appreciate you getting back to me.

    I think I may have figured it out but hopefully my investigations will help.

    I had – before I settled on the Hardwork CMP theme to use while the site gets updated, tried the Countdown theme but decided I didn’t want to be using a theme with a countdown in case there were issues in the transfer of new site to the old. I just went in and re-enabled that theme and noticed the countdown was still enabled, but as I was not using that theme anymore, it certainly seems strange it was sending out emails as if I was.

    It may be worth looking to see if there is a way that once a theme is disabled, its settings don’t interfere if you ultimately end up using another theme as I have. Disabled or rather enabling another theme, should disable all settings from a previous CMP theme.

    Luckily this has stopped the flood of emails I was getting. But hopefully from my own investigation this will help you when troubleshooting for everyone else.

    Again thank you for the quick reply. I will also use the disable emails setting you have given as a workaround just to be sure.

    EDIT: Just seen your second post. I’d not updated to the most latest version yet as I have been busy getting the transferred new look site in. I will do that update too. Just in case.

    • This reply was modified 4 years, 10 months ago by Emmageddon.