Newbie question: WordPress attack, but cPanel shows ALL activity from my webhost's IP address?

Discussion in 'Security' started by wilsonca, Sep 9, 2013.

  1. wilsonca

    Ok, so I noticed that the activity log (in cPanel) for my WordPress site is showing the same IP address for all entries. That is, all entries/visitors/requests are being recorded as 192.X.Y.Z. (Is there a reason not to show the IP address here? I'll use X, Y, and Z for now.)

    The weird thing is, when I google that IP address, it comes up as belonging to my domain host/website hosting provider. (It seems to be one of their nameservers, though to be honest, I'm not sure what that means.)

    Any idea what's going on?

    The reason I'm putting this in the "Security" forum is that my WordPress login page is being accessed repeatedly, with unsuccessful login attempts. So I assume someone is trying to break into my site. Unfortunately, I can't ban their IP address because I can't see their IP address; it just shows up as the same 192.X.Y.Z in cPanel.
     
  2. quizknows

    Are you behind a load balancer? Regardless, you really need to open a ticket with your hosting provider; they may have a compromised machine, or your own server may be hacked and being used to try to log in to your own sites. For example, if another website on the server is hacked and used to attempt logins to other sites, the server will see the attempts from its own IP address.

    Again, open a ticket with your web host, or consult a security professional.
     
  3. wilsonca

    Thanks for the reply. I opened up a ticket yesterday, but haven't heard back. For now, I've denied access to all (via my .htaccess file) to my WordPress login PHP file. But who knows what else may be happening...

    In the meanwhile, is there anything else I should do? Change permissions on files/folders? Change my .htaccess in some other way?
     
    #3 wilsonca, Sep 9, 2013
    Last edited: Sep 9, 2013
  4. quizknows

    Assuming you have root access, I would check the process list (ps faux) for any strange processes running as "nobody" (the apache user) or your cPanel username.

    Sad your hosting company hasn't replied yet. I'd recommend a different one but it's probably against forum rules.

    I would also recommend you run a quick clamscan or maldet scan, i.e.

    clamscan -ir /home/*/public_html

    Edit: also, there have been a ton of indiscriminate WP brute force attacks going on lately; it could also just be that you're seeing this and nobody is targeting you specifically. Still, I'd be hounding your host to look into it since it looks like one of their IP addresses.
     
    #4 quizknows, Sep 9, 2013
    Last edited: Sep 9, 2013
  5. cPanelMichael

    Hello :)

    Do you have root access to this system? If not, I recommend consulting with your web hosting provider to see what additional steps they can take to assist you with this problem.

    Thank you.
     
  6. SageBrian

    WordPress and Joomla sites are getting very, very big brute force attacks lately. The bots are looking to take advantage of all the users of Joomla and WordPress that don't bother upgrading their versions.
     
  7. wilsonca

    SOLVED, sort of.

    I was using Wordfence, and there's an option that allows me to change how Wordfence is reading the IP address when behind a reverse proxy. I changed it so that it reads the IP address from the HTTP header. And lo and behold, everything seems to work now; when I check the cPanel activity logs, I'm seeing the visitors' real IP address, rather than my server's IP address. (And so now it's very easy for me to pick out and block the address that's been the source of all those login attempts.)

    Now, I have no idea why changing that setting in Wordfence would change anything having to do with cPanel, but hey, I'm not going to worry about it...
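
The reverse-proxy situation described in the last post, as an added example that is not part of the original thread and not Wordfence's or cPanel's code: it attributes each request to a client address using the forwarding header only when the connection came from a known proxy, then counts POSTs to wp-login.php per address. It assumes the proxy sets `X-Forwarded-For`; all addresses are constructed from documentation ranges, and `TRUSTED_PROXIES`, `client_ip` and `login_attempts` are hypothetical names.

```python
import ipaddress
from collections import Counter

# Assumption: address of the host's reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff):
    """Return the address a request should be attributed to."""
    # Direct connection: the header is set by the client, so ignore it.
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: entries appended by our proxy are on the right,
    # anything further left was supplied by the client and may be forged.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
        if not is_trusted(hop):
            return hop
    return peer  # no usable header: the request originated on the proxy host

def login_attempts(records):
    """Count POSTs to wp-login.php per resolved client address."""
    counts = Counter()
    for peer, xff, method, path in records:
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            counts[client_ip(peer, xff)] += 1
    return counts

# Constructed sample records: (peer address, X-Forwarded-For, method, path)
SAMPLE = [
    ("192.0.2.10", "203.0.113.7", "POST", "/wp-login.php"),
    ("192.0.2.10", "203.0.113.7", "POST", "/wp-login.php"),
    ("192.0.2.10", "10.9.9.9, 203.0.113.7", "POST", "/wp-login.php"),  # forged left entry
    ("192.0.2.10", "198.51.100.4", "GET", "/"),
    ("198.51.100.99", "127.0.0.1", "POST", "/wp-login.php"),  # direct: header ignored
    ("192.0.2.10", "", "POST", "/wp-login.php"),  # no header: came from the host itself
]

if __name__ == "__main__":
    for ip, n in login_attempts(SAMPLE).most_common():
        print(ip, n)
```

An attempt that still resolves to the proxy's own address after this step did not pass through the proxy from outside, which is the case quizknows describes of another site on the same server making the requests.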
     