• Resolved nootkan

    (@nootkan)


    Just wondering if someone could shed some light on whether this log I am seeing is a legitimate request from Wordfence or a hacker trying his luck at the plugin. I want to add the command line to my notification ignore whitelist but need to know if this is a legitimate request from the plugin or not. All three files exist in the wflogs folder. Haven’t been able to determine this using other methods so thought I’d ask here.

    Executable:

    /usr/bin/php

    Command Line (often faked in exploits):

    /usr/bin/php /home/mywebsite/public_html/wp-admin/admin-ajax.php

    Network connections by the process (if any):

    tcp: myipaddress:38949 -> myipaddress:80

    Files open by the process (if any):

    /dev/urandom
    /home/mywebsite/public_html/wp-content/wflogs/ips.php
    /home/mywebsite/public_html/wp-content/wflogs/config.php
    /home/mywebsite/public_html/wp-content/wflogs/attack-data.php
    /tmp/sess_907049acba362e28d691d3f5aab143c5

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi nootkan,
    It happens that some servers have certain software installed that notifies you about PHP processes that have been running for longer than a specific time and treats them as suspicious processes. Since Wordfence runs a daily scan that takes longer than most PHP scripts (it scans all of your site’s files), the plugin divides this scan into short stages; the time for each stage depends on your server’s configuration.

    To prevent the scan process from appearing suspicious, you can set the “Maximum execution time for each scan stage” near the bottom of the Wordfence options page to a different value, for example 60, 30, or 15 seconds.

    Please check this page for a comprehensive description about this issue.

    Thanks.

    Thread Starter nootkan

    (@nootkan)

    Okay, thanks for the reply. I whitelisted the notification in my WAF (CSF). By the way, is the IP address that Wordfence uses for the scans located in Denmark by chance? Trying to match up the IP(s) being used for this service in my logs.


    Sorry, but where did you see this IP? It could be your server IP address, as it turns out that your server connects back to itself to start the scan; check this article for more details: “How do scans work internally?”.

    Thanks.
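    A triage check for alerts of this shape, added here as an example (it is not code from the thread or from Wordfence): it parses the process-tracking block quoted above and accepts it only when the command line is wp-admin/admin-ajax.php, the single connection is the server talking to itself on a web port, and every open file is under wflogs (or is urandom / a PHP session file). The sample alert and the address 203.0.113.10 are constructed; the real server IP(s) are passed in as `server_ips`.

```python
import re

# Constructed sample modelled on the process-tracking alert quoted in the thread;
# 203.0.113.10 is a documentation placeholder standing in for the real server IP.
SAMPLE_ALERT = """\
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/mywebsite/public_html/wp-admin/admin-ajax.php
Network connections by the process (if any):
tcp: 203.0.113.10:38949 -> 203.0.113.10:80
Files open by the process (if any):
/dev/urandom
/home/mywebsite/public_html/wp-content/wflogs/ips.php
/home/mywebsite/public_html/wp-content/wflogs/config.php
/home/mywebsite/public_html/wp-content/wflogs/attack-data.php
/tmp/sess_907049acba362e28d691d3f5aab143c5
"""
SECTIONS = ("Executable", "Command Line", "Network connections", "Files open")
CONN_RE = re.compile(r"^tcp: (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alert(text):
    """Group the alert's lines under its four labelled headings."""
    parsed, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        label = next((s for s in SECTIONS if line.startswith(s)), None)
        if label:
            parsed[label], current = [], label
        elif current:
            parsed[current].append(line)
    return parsed

def looks_like_wordfence_scan(text, server_ips):
    """Return (verdict, reasons): True only if every field fits the self-scan shape."""
    p, reasons = parse_alert(text), []
    cmd = " ".join(p.get("Command Line", []))
    if p.get("Executable") != ["/usr/bin/php"] or not cmd.endswith("/wp-admin/admin-ajax.php"):
        reasons.append("not php running wp-admin/admin-ajax.php")
    conns = [CONN_RE.match(c) for c in p.get("Network connections", [])]
    # The scan is started by the site calling itself, so source and destination
    # must both be the server and the destination must be the web server port.
    for m in conns:
        if not (m and m.group(1) in server_ips and m.group(3) in server_ips
                and m.group(4) in ("80", "443")):
            reasons.append("connection is not server-to-itself on 80/443")
    for f in p.get("Files open", []):
        if not (f == "/dev/urandom" or "/wp-content/wflogs/" in f or f.startswith("/tmp/sess_")):
            reasons.append(f"unexpected open file: {f}")
    return (not reasons, reasons)
```

    Because the command line can be faked (as the alert itself warns), the connection and open-file checks carry most of the weight; a verdict of False is a reason to look at the alert by hand rather than suppress it.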

    Thread Starter nootkan

    (@nootkan)

    Thanks again for your reply. I was just trying to determine if some of the IPs in my logs with high packet volume were associated with this scan. But it seems that, based on the link you provided in the previous reply, the packets would show up under my server IP address, which I have also been seeing occasionally, so that helps explain those logs.

  • The topic ‘Word Fence Log Question’ is closed to new replies.