• Resolved Song Simian

    (@song-simian)


    Hi, I’m a Wordfence Premium user. My site is songsimian.com. Sometimes, my Bluehost VPS server goes down and when I check my processes in my Access Logs, I see a host of weird ones. They all come at once and seemingly overwhelm my server’s resources. I’ve set Wordfence rate limits to 30 pages per user, but it doesn’t seem to stop these people. The site went down this morning (4/20/18), and I’m attaching a couple of what I think are the bad processes responsible during that time (5:30am PDT or, in the process timeframe [06:30:12 -0600]).

    They look totally different from legit processes—when a human accesses my site, the processes would ask for plugins, themes, jpegs, etc., but these processes ask for none of these. Here are a couple of examples of what I mean:

    64.112.94.100 – – [20/Apr/2018:06:30:12 -0600] “GET /ht/htw-allentown-morning-call.js HTTP/1.1” 500 200 “https://www.songsimian.com/best-amp-for-alpine-type-r-12-10-inch-subwoofer-e-amplifier-review/” “Mozilla/5.0 (Linux; Android 7.1.2; Pixel Build/NHG47Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36”

    64.112.94.100 – – [20/Apr/2018:06:30:12 -0600] “GET /tronc/mcallnguxprod/serverComponent.php?r=6277469.980148558&ClientID=2115&PageID=http%3A%2F%2Fwww.songsimian.com%2Fbest-amp-for-alpine-type-r-12-10-inch-subwoofer-e-amplifier-review%2F HTTP/1.1” 503 200 “https://www.songsimian.com/best-amp-for-alpine-type-r-12-10-inch-subwoofer-e-amplifier-review/” “Mozilla/5.0 (Linux; Android 7.1.2; Pixel Build/NHG47Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36”

    Anyways, can Wordfence help me in blocking these–I don’t know about IP addresses since I’ve noticed they come from different ones, though this morning, they all began with a 64.112. On April 13th, my site went down repeatedly, and when I checked the access logs, there were, for example, 2,429 processes that included the word “allentown” in them (I live in California and know nobody from Allentown, Pennsylvania).

    Anyone have any ideas how to help? Thanks!


Viewing 1 replies (of 1 total)
  • Hi Song,
    There are many ways to block these requests in Wordfence. One of them would be blocking by IP address range, since you mentioned that most of them begin with 64.112.x.x; you can do that in (Wordfence > Firewall > Blocking > Custom Pattern). Also, you can block by hostname on the same page if you can identify their hostname in the Wordfence Live Traffic feed.
    It’s also worth mentioning that the two requests you shared got server responses (500, 503) respectively, so they could be from a bot that is scanning for a vulnerability to exploit, hitting URLs that don’t exist or require specific permissions to access them.

    Since you are using the premium version, please open a support ticket from here in case you haven’t already done so, as we only support the free version of the plugin here on the forums.

    Thanks.
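
An added example, not part of the original thread and not Wordfence code: before blocking a whole range, tally the 5xx responses in the access log by /16 to confirm that the errors really cluster in 64.112.x.x. It assumes the Apache/nginx "combined" log format; the sample lines are constructed (the first two modelled on the entries quoted in the question), and the `summarize` helper, the /16 grouping and the `min_errors` threshold are assumptions of this sketch.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: the first two are modelled on the entries quoted in
# the post (ASCII quotes restored, user agent shortened); the rest are invented.
SAMPLE_LOG = """\
64.112.94.100 - - [20/Apr/2018:06:30:12 -0600] "GET /ht/htw-allentown-morning-call.js HTTP/1.1" 500 200 "-" "Mozilla/5.0"
64.112.94.100 - - [20/Apr/2018:06:30:12 -0600] "GET /tronc/mcallnguxprod/serverComponent.php?r=1 HTTP/1.1" 503 200 "-" "Mozilla/5.0"
64.112.17.8 - - [20/Apr/2018:06:30:13 -0600] "GET /ht/htw-allentown-morning-call.js HTTP/1.1" 500 200 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2018:06:30:14 -0600] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2018:06:30:14 -0600] "GET /wp-content/uploads/amp.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def summarize(log_text, min_errors=2):
    """Group 5xx responses by IPv4 /16 and return the ranges worth reviewing."""
    errors = Counter()
    paths = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or non-matching lines
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field was not an IP address
        if ip.version != 4 or not m["status"].startswith("5"):
            continue  # only IPv4 clients that received a server error
        net = ipaddress.ip_network(f"{ip}/16", strict=False)
        errors[net] += 1
        paths[net][m["path"].split("?")[0]] += 1  # ignore the query string
    return [
        {"range": f"{net[0]} - {net[-1]}", "errors": n,
         "top_path": paths[net].most_common(1)[0][0]}
        for net, n in errors.most_common() if n >= min_errors
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A range that also carries ordinary 200 traffic for theme, plugin or image files deserves a closer look before it is blocked outright.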

  • The topic ‘Weird processes getting through Wordfence’ is closed to new replies.