Newbie question: wordpress attack, but cPanel shows ALL activity from my webhost's ip address?

[wilsonca]

Ok, so I noticed that the activity log (in cPanel) for my wordpress site is showing the same IP address for all entries. That is, all entries/visitors/requests are being recorded as 192.X.Y.Z. (Is there a reason not to show the IP address here? I'll use X, Y, and Z for now.)

The weird thing is, when I google that IP address, it comes up as belonging to my domain host /website hosting provider. (It seems to be one of their nameservers, though to be honest, I'm not sure what that means.)

Any idea what's going on?

The reason I'm putting this in the "Security" forum is that my wordpress login page is being accessed repeatedly, with unsuccessful login attempts. So I assume someone is trying to break into my site. Unfortunately, I can't ban their IP address because I can't see their IP address; it just shows up as the same 192.X.Y.Z in cPanel.

 

[quizknows]

Are you behind a load balancer? Regardless, you really need to open a ticket with your hosting provider; they may have a compromised machine, or your own server may be hacked and being used to try to login to your own sites. For example if another website on the server is hacked and used to attempt logins to other sites, the server will see the attempts from its own IP address.

Again, open a ticket with your web host, or consult a security professional.

 

[wilsonca]

Thanks for the reply. I opened up a ticket yesterday, but haven't heard back. For now, I've denied access to all (via my .htaccess file) to my wordpress login php file. But who knows what else may be happening...

In the meanwhile, is there anything else I should do? Change permissions on files/folders? Change my .htaccess in some other way?

 

[quizknows]

Assuming you have root access, I would check the process list (ps faux) for any strange processes running as "nobody" (the apache user) or your cPanel username.

Sad your hosting company hasn't replied yet. I'd recommend a different one but it's probably against forum rules.

I would also recommend you run a quick clamscan or maldet scan, i.e.

clamscan -ir /home/*/public_html

edit; also, there have been a ton of indiscriminate WP brute force attacks going on lately, it could also just be you're seeing this and nobody is targeting you specifically. Still, I'd be hounding your host to look into it since it looks like one of their IP addresses.

 

[cPanelMichael]

Hello

Do you have root access to this system? If not, I recommend consulting with your web hosting provider to see what additional steps they can take to assist you with this problem.

Thank you.

 

[SageBrian]

Wordpress and Joomla sites are getting very very big brute force attacks lately. The bots are looking to take advantage of all the users of Joomla and Wordpress that don't bother upgrading their versions.

 

[wilsonca]

SOLVED, sort of.

I was using WordFence, and there's an option that allows me to change how WordFence is reading the IP address when behind a reverse proxy. I changed it so that it reads the IP address from the HTTP header. And lo and behold, everything seems to work now; when I check the cPanel activity logs, I'm seeing the visitors' real IP address, rather than my server's IP address. (And so now it's very easy for me to pick out and block the address that's been the source of all those login attempts.)

Now, I have no idea why changing that setting in WordFence would change anything having to do with cPanel, but hey, I'm not going to worry about it...