Malicious Traffic Targeting Non-Existent Files from Cloudflare IPs

What is the name of the domain?

What is the error message?

“Malicious Access to Non-Existent Files”.

What is the issue you’re encountering?

“Malicious Traffic Targeting Non-Existent Files from Cloudflare IPs”

What steps have you taken to resolve the issue?

“I am experiencing malicious traffic from Cloudflare IPs targeting non-existent files on my website. The attacks are trying to access various non-existent URLs, such as /wp-content/plugins/super-interactive-maps/, /wp-content/plugins/WordPressCore/include.php, /wp-admin/, and other random paths that do not exist on my server. These IPs are distributed across different Cloudflare addresses, making it difficult to block them effectively.”

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

“The issue occurs when attempting to access non-existent files on my website, resulting in a 404 error. The malicious IPs from Cloudflare continue to try accessing specific paths, which are being flagged by my firewall but not completely blocked due to the nature of Cloudflare’s network.”

Your site is using the Cloudflare proxy so every request to your origin will appear to be from a Cloudflare IP address…

Make sure to restore visitor IPs so you can see the real client IP at your server…

Such requests are normal from bots that are scanning the internet. You can use Cloudflare WAF custom rules to block them if you wish by IP, ASN, URL or other.

Make sure your firewall only allows Cloudflare IP addresses to connect to your webserver.

Do you mean WordPress firewall or server firewall?

It will be your server firewall.

  1. Allowing only Cloudflare IP addresses on your server firewall.

  2. Configuring your web server properly, so it is restoring original visitor IPs from Cloudflare.

When you have configured this properly, your own server will see the real visitor IPs (e.g. my IP address), even though traffic is going through Cloudflare.

النوع: محظور

Amsterdam, The Netherlands كانتم حظره بواسطة جدار الحماية لـ Known malicious User-Agents في https://al3ilm.net/wp-content/plugins/WordPressCore/include.php

٤‏/٧‏/١٤٤٦ هـ ٦:٢٢:٤٦ م (1 minute ago)

IP: 172.71.95.106 Hostname: 172.71.95.106

الإنسان / الروبوت: بوت

Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

النوع: محظور

Amsterdam, The Netherlands كانتم حظره بواسطة جدار الحماية لـ Known malicious User-Agents في https://al3ilm.net/wp-content/plugins/WordPressCore/include.php

٤‏/٧‏/١٤٤٦ هـ ٦:٢٢:٣٣ م (1 minute ago)

IP: 172.71.95.106 Hostname: 172.71.95.106

الإنسان / الروبوت: بوت

Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

Yes, this is available on the server.

Where is this bot from?

The IP address 172.71.95.106 is one of the many IP addresses of the Cloudflare Proxy, which will indicate that you still haven’t set up “restoring original visitor IP” on your web server properly.

It will therefore be impossible to tell where exactly the end user (or bot) is from, based on the information provided above.

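The two server-side steps discussed in the replies above (accept only Cloudflare peers, then restore the visitor IP) can be sketched as follows. This is an added example, not code from the thread or from Cloudflare: it trusts the `CF-Connecting-IP` header only when the TCP peer is inside a Cloudflare range. The range list is a partial sample, and `resolve_client`, the verdict strings and the sample requests are hypothetical names and constructed data.

```python
import ipaddress

# Partial sample of Cloudflare's published IPv4 ranges (assumption: in real
# use, load the full, current list from Cloudflare's IP Ranges page).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def is_cloudflare(ip):
    """True if ip falls inside one of the sample Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def resolve_client(peer_ip, headers):
    """Return (client_ip, verdict) for one request.

    peer_ip is the TCP peer the web server saw; headers is a dict of
    request headers with lower-cased names.
    """
    claimed = headers.get("cf-connecting-ip")
    if not is_cloudflare(peer_ip):
        # Reached the origin without passing through the proxy. Any
        # CF-Connecting-IP value here is client-controlled, so ignore it.
        return peer_ip, "direct-to-origin"
    if claimed is None:
        return peer_ip, "proxy-no-header"
    try:
        return str(ipaddress.ip_address(claimed.strip())), "restored"
    except ValueError:
        return peer_ip, "proxy-bad-header"

# Constructed sample requests. 172.71.95.106 is the proxy address from the
# log above; the other addresses are documentation-range placeholders.
SAMPLE = [
    ("172.71.95.106", {"cf-connecting-ip": "203.0.113.7"}),
    ("198.51.100.23", {"cf-connecting-ip": "127.0.0.1"}),
    ("172.71.95.106", {}),
    ("172.71.95.106", {"cf-connecting-ip": "not-an-ip"}),
]

def classify(samples=SAMPLE):
    """Resolve every sample request to (client_ip, verdict)."""
    return [resolve_client(peer, hdrs) for peer, hdrs in samples]

if __name__ == "__main__":
    for (peer, _), (client, verdict) in zip(SAMPLE, classify()):
        print(f"peer={peer:<15} client={client:<15} {verdict}")
```

A `direct-to-origin` verdict means the request bypassed the proxy, which the server-firewall allowlist is meant to prevent; firewall rules and logs should key on the restored address only for `restored` requests.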

I found the solution by adding Cloudflare’s IPs to my WordPress firewall allowlist. Thanks everyone for the helpful comments. IP Ranges
