I’m blocking Ukraine in a firewall rule but my access log (example below) is showing Ukraine IP addresses. Ukraine is sometimes blocked and sometimes not.
The IP address is shown as “owned” by Cloudflare.
It’s certainly a hacking attempt.
2022-07-02 09:06:37 Access 126.96.36.199 302 GET example.php?who=-1178%27%29%20UNION%20ALL%20SELECT%
Cloudflare uses anycast for their IPs and routes traffic from all their datacenters. As long as the IP is coming from Cloudflare, then it was screened by Cloudflare. You need to restore visitor IPs to see if the request actually came from Ukraine and not Cloudflare in Ukraine.
Err. I’m not sure if my hosting company will let me do that.
I turned off Cloudflare.
The raw IP addresses are showing up.
The hacking attempt is coming from 188.8.131.52 (it’s the one IP address I’ve captured).
IP address locators say it’s in Netherlands, Turkey, or Panama. Not sure how there can be 3 different locations.
IP locators are nothing more than user-maintained databases - they might be up to date or accurate, they might not.
There’s only a single thing that ‘links’ an IP address to a location and that’s where it was registered, and that means nothing since you can use/advertise an IP anywhere. Cloudflare’s IPs will likely show as being registered in the US even though they’re anycast and effectively global.
I’ll block the IP address. Let’s hope it’s one IP address.
(The Cloudflare IP addresses appear to be coming from different locations. At least, sometimes.)
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.