• Resolved Emmageddon

    (@emmageddon)


    Hello,

    A very weird thing has happened. My IP address (as detected by Wordfence) has been changed. I’m in the Netherlands, where I manage my client’s site, and yet overnight something has happened to change it to a US IP. It even says in my location in Live Traffic that I’ve logged in from the US.

    I’m also seeing activity overnight that shows this “new” IP address trying to access the site and being flagged by Wordfence as “blocked for Exceeded the maximum number of page not found errors per minute for a crawler” and “blocked by firewall for Directory Traversal in query string”. And I can’t now block that erroneous IP as Wordfence thinks it’s me. But I’m worried that Wordfence flagging it may impact me.

    Plus, of course, I’m worried that someone is trying to spoof me to gain access to my client’s site (cannot name the site openly).

    I checked logins and the only login has been me (yesterday NL, today US). On the All Options page for Wordfence it’s showing the US IP as my “detected IP”. I’m using the “Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended)” setting. I was wondering if this could be connected to WordPress’s overnight security and maintenance release, 6.0.2?

    Your help would be gratefully appreciated.

    UPDATE: I’ve also checked on our hosting site and it seems that our website (and Wordfence) is picking up the host’s IP as my IP address?!?! I don’t understand how this could happen.

    • This topic was modified 2 years, 6 months ago by Emmageddon.
  • Thread Starter Emmageddon

    (@emmageddon)

    Just wanted to add one more update. We also have a testing site and it is also showing my IP as the US one (same as is happening on the main site) instead of my NL one.

    I do think this is linked to our host, but again the only thing that has happened overnight is a WordPress automatic update. I cannot see any other thing that has happened.

    Thread Starter Emmageddon

    (@emmageddon)

    UPDATE: My host is saying it’s NOT their issue but Wordfence’s.

    From chat:

    As per the screenshot (I sent them latest logs and server log) I could see that it is a DDOS attack on the website, may I know is the firewall activated on the website?

    I can understand your concern here. I request you to once check with the Firewall settings or contact the plugin provider where the firewall is added, as it is a plugin issue we will have limited scope of support.

    I checked the firewall settings and nothing appears to have changed but I’m also now not getting login emails.

    They believe it is a bot attack.

    They say the bot is mirroring our server IP (and somehow overriding my local IP):

    …as it is a bot attack it will not show the bot, it will reflect the Hosting IP address; that is the reason in logs it is showing as the IP address of the Hosting.

    Oh and I tried a new scan but Wordfence is not flagging any (new) issues plus the only activity I’m seeing is from the US located IP now.

    The host support also says:

    …in the DDOS attacks the IP will override, that is functionality; you will have to check the firewall settings to fix this issue.

    To clarify, this is when the Wordfence Firewall first flagged this “erroneous” IP (or what is claiming to be this IP):

    United States was blocked by firewall for Directory Traversal in query string: lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession at https://removed for security/remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%…
    31/08/2022 01:42:26 (18 hours 37 mins ago)
    IP: removed for security reasons Hostname: ip-removed for security reasonsip.secureserver.net
    Human/Bot: Bot
    Python-urllib/3.8

    I’ve removed the IP for security reasons but can give privately if needed.

    I did notice this in the attack-data php file:

    ```php
    <?php exit('Access denied'); __halt_compiler(); ?>
    wfWAFèú
    ```

    That “wfWAFèú” looks odd.

    • This reply was modified 2 years, 6 months ago by Emmageddon.
    Thread Starter Emmageddon

    (@emmageddon)

    So an update. Overnight everything seems to be working again. I’m seeing all Live Traffic logs instead of just the server IP. My IP has gone back to my actual local IP instead of the server IP.

    I’m still absolutely perplexed as to what happened, as all the Wordfence scans I did never showed anything that would suggest a breach. And of course our host is adamantly denying it was anything they did on their end, claiming it was a DDOS.

    If anyone from WF has any clue as to what could have happened, I’m happy to know as it was a worrying 24 hours or so. But for now (fingers, toes and everything in between crossed) it seems to have resolved itself.

    I will keep this thread open just in case anyone from WF would like to give some insight/possible reasons for what happened, so I know what to look out for if (god no) it happens again. Thank you.

    • This reply was modified 2 years, 6 months ago by Emmageddon.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @emmageddon, thanks for your message and plenty of detail.

    I’ve consulted with the rest of the team, as this sounded like IP Detection on Wordfence had been affected by a change in how the IP was communicated to your site.

    It sounds to us like your host put the site behind a DDOS mitigation proxy with a US IP, but didn’t correctly set the headers to retain IP detection, so all IPs were showing as either the proxy IP or your host server IP.

    The bot mirroring the server IP, or overriding your local IP is not possible.

    Thanks,

    Peter.

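    The mechanism wfpeter describes above is worth seeing in code: once a proxy sits in front of the site, the connection address the web server sees is the proxy's, and the real visitor address only survives if the proxy forwards it in a header (such as X-Forwarded-For) and the application is configured to trust that header only when the connection really comes from that proxy. The Python below is an added example, not Wordfence's code; the trusted-proxy ranges and the sample requests are constructed from RFC 5737 documentation addresses. It shows why an untrusted header must be ignored (the spoofing case), why a correctly configured proxy yields the visitor's address, and why a proxy that drops the header makes every visitor, including the site owner, appear to come from the proxy itself, which is the symptom in this thread. The second function flags that last condition from a batch of requests.

    ```python
    import ipaddress

    # Constructed trusted-proxy list: in practice this would be the DDoS mitigation
    # provider's egress ranges, which the host should publish. 203.0.113.0/24 is TEST-NET-3.
    TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


    def _is_trusted(addr, trusted):
        return any(addr in net for net in trusted)


    def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
        """Resolve the visitor address for one request.

        remote_addr: the TCP peer address the web server saw (REMOTE_ADDR).
        headers: dict of request headers; only X-Forwarded-For is consulted.
        The header is honoured only when the peer is a trusted proxy, so a direct
        visitor cannot spoof an address by sending the header themselves.
        """
        remote = ipaddress.ip_address(remote_addr)
        if not _is_trusted(remote, trusted_proxies):
            # Direct connection (or an unknown proxy): the header is attacker-controlled.
            return str(remote)
        xff = headers.get("X-Forwarded-For", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if not hops:
            # Proxy in front, but it did not forward the visitor address:
            # every request now resolves to the proxy itself.
            return str(remote)
        # Walk right-to-left: the first hop that is not one of our proxies is the client.
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return str(remote)  # malformed entry: fall back to the peer address
            if not _is_trusted(addr, trusted_proxies):
                return str(addr)
        return str(remote)


    def proxy_misconfigured(requests, trusted_proxies=TRUSTED_PROXIES):
        """Detection heuristic over a batch of (remote_addr, headers) tuples.

        Returns True when every request arrived from a trusted proxy and none of
        them resolved to an address outside the proxy ranges, i.e. the proxy is in
        place but is not passing visitor addresses through.
        """
        if not requests:
            return False
        resolved = [ipaddress.ip_address(client_ip(r, h, trusted_proxies)) for r, h in requests]
        all_via_proxy = all(_is_trusted(ipaddress.ip_address(r), trusted_proxies) for r, _ in requests)
        none_resolved = all(_is_trusted(a, trusted_proxies) for a in resolved)
        return all_via_proxy and none_resolved


    # Constructed sample traffic for each scenario.
    DIRECT_SPOOF = ("198.51.100.7", {"X-Forwarded-For": "192.0.2.1"})        # header must be ignored
    PROXY_OK = ("203.0.113.5", {"X-Forwarded-For": "198.51.100.7, 203.0.113.9"})  # chained proxies
    PROXY_NO_HEADER = ("203.0.113.5", {})                                     # this thread's symptom

    if __name__ == "__main__":
        print(client_ip(*DIRECT_SPOOF))     # 198.51.100.7
        print(client_ip(*PROXY_OK))         # 198.51.100.7
        print(client_ip(*PROXY_NO_HEADER))  # 203.0.113.5
        print(proxy_misconfigured([PROXY_NO_HEADER] * 3))  # True
    ```

    The practical check, when a site suddenly reports one address for all visitors: compare the web server's peer address with whatever forwarded-address header the proxy sends, and confirm the security plugin's IP source setting names that header and that the proxy is actually populating it. The "most secure" setting behaves like the first branch above, which is why it showed the proxy address rather than a spoofed one.
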
    Thread Starter Emmageddon

    (@emmageddon)

    Hi @wfpeter

    Thanks for getting back to me on this. I’ve been thinking about this a lot for the past few days and I was already thinking my host was feeding me some “*** covering” excuses to make sure that whatever was happening was not traced to them. I was recalling the chat I had with them and I realised that as soon as I mentioned the security plugin, everything they said was about the issue being a DDOS attack and being yours/Wordfence’s fault.

    I made sure to give as much info as possible at the time because, as you can understand, it was a pretty scary day and I could not for the life of me understand why or how the security had been bypassed. I’m pretty fastidious about managing my client’s site as it’s a big site and a few years ago was the victim of a cyber attack linked to terroristic activities (we had to get the FBI involved). Ever since then Wordfence has been hooked in and is one of the first plugins I add to any new client’s site and even to staging sites.

    I really appreciate the insight and it aligns with the way I have been looking at this over the past few days (and a nagging thought at the time): that the host had done something that had caused an error in the system but was unwilling to say “oops, our bad, sorry”. I mean, the thing is, less than an hour after I finished my chat with them, Wordfence’s log for the site says everything went back to normal.

    I will continue to monitor the site but am grateful for the way Wordfence protects us and for all the useful info we get from your team.

    Thank you again for getting back to me and talking to your team about the issue. Glad the info I supplied was of help. I do try to be thorough.

  • The topic ‘My IP address has changed from Netherlands to US overnight’ is closed to new replies.