Welcome to Centmin Mod Community
Register Now

Wordpress WordFence wordfence_syncAttackData ?

Discussion in 'Blogs & CMS usage' started by narji, Sep 20, 2016.

  1. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    2:38 PM
    anyone know about this bot

    Code:
    my own ip - - [20/Sep/2016:16:04:33 +0700] "POST /?wordfence_syncAttackData=1474362273.6271 HTTP/1.1" 444 0 "https://www.mydomain?wordfence_syncAttack
    Data=1474362273.6271" "WordPress/4.6.1; https://www.mydomain" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    my own ip - - [20/Sep/2016:16:04:32 +0700] "POST /?wordfence_syncAttackData=1474362272.7793 HTTP/1.1" 444 0 "https://www.mydomain?wordfence_syncAttack
    Data=1474362272.7793" "WordPress/4.6.1; https://www.mydomain" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    my own ip - - [20/Sep/2016:16:04:33 +0700] "POST /?wordfence_syncAttackData=1474362272.9984 HTTP/1.1" 444 0 "https://www.mydomain/?wordfence_syncAttac
    kData=1474362272.9984" "WordPress/4.6.1; https://www.mydomain" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    my own ip - - [20/Sep/2016:16:05:20 +0700] "POST /?wordfence_syncAttackData=1474362320.5041 HTTP/1.1" 444 0 "https://www.mydomain/?wordfence_syncAttac
    kData=1474362320.5041" "WordPress/4.6.1; https://www.mydomain" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    coming from my own ip and post in my own domain
    delay last week about every hours and this day delay about a minute
     
    Last edited: Sep 21, 2016
  2. SeaTea

    SeaTea Premium Member Premium Member

    49
    13
    8
    Feb 20, 2015
    the Netherlands
    Ratings:
    +28
    Local Time:
    9:38 AM
    Nginx:1.11
    MariaDB-10
    Maybe your own wordpress plugin ?
    Google showed me this, looks the same
     
    • Informative Informative x 1
  3. eva2000

    eva2000 Administrator Staff Member

    30,155
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    5:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    yeah looks like WordFence wordpress plugin issue View: Plugin Support « WordPress.org Forums

    from Topic: Firewall Sync Is Excesive « WordPress.org Forums
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,155
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    5:38 PM
    Nginx 1.13.x
    MariaDB 5.5
    however, did you enable the bad bot request as instructed at Blocking bad or aggressive bots | Centmin Mod Community ? If so, you could of blocked WordPress useragent that WordFence uses for those /?wordfence_syncAttackData calls as they all have 444 status which would be apart of the blocking bad aggressive bots setup outlined here.
     
  5. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    2:38 PM
    yes i did place botlimit.conf in nginx.conf and blockbots.conf in vhost domain.conf , i did get more unknown ip in vhost access.log , cross check them with abuseipdb.com for suspicious visitor , then type csf -d ip block them , its painfull and no automatic way to cross check and block those suspicious visitor
     
  6. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    2:38 PM
    this is suspicious visitor sample i get from access log, some of them get through status 200 and some of them get status 400 and 444

    Code:
    91.194.84.106 - - [20/Sep/2016:20:25:13 +0700] "GET /?longurlwascutoff_0&&&&&&&&&&&&& HTTP/1.0" 444 0 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; [URL='http://www.majestic12.co.uk/bot.php?+']Majestic-12 : DSearch : MJ12bot[/URL]" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    106.186.113.132 - - [20/Sep/2016:18:49:17 +0700] "\x00\x9C\x00\x01\x1A+<M\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00" 400 166 "-" "-" "-" rt=0.100 ua="-" us="-" ut="-" ul="-" cs=-
    
    106.186.113.132 - - [20/Sep/2016:18:49:19 +0700] "\x05\x02\x00\x02" 400 166 "-" "-" "-" rt=0.200 ua="-" us="-" ut="-" ul="-" cs=-
    
     
    Last edited: Sep 21, 2016
  7. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    2:38 PM
    for today access.log

    Code:
    125.161.63.43 - - [21/Sep/2016:10:29:27 +0700] "GET / HTTP/2.0" 200 8400 "https://www.google.co.id/" "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-
    
    125.161.63.43 - - [21/Sep/2016:10:29:28 +0700] "GET /?wordfence_syncAttackData=1474410355.1746 HTTP/2.0" 200 182 "https://www.mydomain/" "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" "-" rt=0.800 ua="127.0.0.1:9000" us="200" ut="0.189" ul="16" cs=-
    
    125.161.63.43 - - [21/Sep/2016:10:29:37 +0700] "GET /?wordfence_logHuman=1&hid=06649C9CEF9DDB2DBD595D34D0AB6652&r=0.9717685031846551 HTTP/2.0" 200 390 "https://mydomain/" "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" "-" rt=7.600 ua="127.0.0.1:9000" us="200" ut="0.100" ul="20" cs=-
    
    66.249.65.155 - - [21/Sep/2016:10:31:08 +0700] "GET / HTTP/1.1" 200 8244 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-" rt=0.600 ua="127.0.0.1:9000" us="200" ut="0.600" ul="37894" cs=-
    
    66.249.65.147 - - [21/Sep/2016:10:28:30 +0700] "GET /?wordfence_syncAttackData=1472256000.1746 HTTP/1.1" 200 5 "http://mydomain/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-" rt=0.900 ua="127.0.0.1:9000" us="200" ut="0.900" ul="23" cs=-
    
    my ip - - [21/Sep/2016:10:53:52 +0700] "POST /wp-cron.php?doing_wp_cron=1474430032.2843470573425292968750 HTTP/1.1" 200 31 "http://www.mydomain/wp-cron.php?doing_wp_cron=1474430032.2843470573425292968750" "WordPress/4.6.1; https://www.mydomain" "-" rt=0.100 ua="127.0.0.1:9000" us="200" ut="0.100" ul="20" cs=-
    
    66.249.65.177 - - [21/Sep/2016:10:54:04 +0700] "GET /?wordfence_syncAttackData=1474410355.1746 HTTP/1.1" 200 5 "https://www.mydomain/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-" rt=0.300 ua="127.0.0.1:9000" us="200" ut="0.300" ul="16" cs=-
    
    125.161.63.43 suspicious visitor first using his or her own ip to testing attack my domain

    66.249.65.177
    then using google ip to attact my domain

    how is this possible ?
     
  8. eva2000

    eva2000 Administrator Staff Member

    30,155
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    5:38 PM
    Nginx 1.13.x
    MariaDB 5.5