Not sure if IP hacked or it's Cloudflare (wordpress login) *solved!*


#1

edited with new, hopefully relevant info
Hi, I’m totally new to this, so I apologize in advance for, well, everything.

I recently installed Wordfence on my WordPress site, which has Cloudflare through my host. All of a sudden (a day or two after installation) I got these notifications from Wordfence about my username logging in from across the country through these specific IP addresses:

172.68.65.174
172.69.62.52
172.68.65.222

These happened very shortly after I logged into my website. Thinking I was ‘hacked,’ I first changed my username, after which more of these IPs popped up to tell me that someone with the new username had logged in from across the country, and then I placed two blacklist ranges to address the 172.68.65.00 and the 172.69.62.00 sets. I then found my own IP blacklisted when I changed my username again and was logged out. I naturally assumed someone had gotten into my website and then blacklisted my IP. I shut my site down (just in case) and took some time to think.

The IP addresses listed above claim to belong to Cloudflare when I do a whois lookup, but when I went to the Cloudflare IP lists found on their site, the IPs I dealt with aren’t there. At least, if they are, I don’t have the understanding to pick them out of the predefined ranges.

I have since turned the site back on (I had to take down all IP blacklists to do so), and when logging in I have not had any notifications/warnings or signs of Cloudflare IP addresses logging into my site from anywhere.

So, what am I looking at? Does anyone know? Was this a thing where Cloudflare was used to get into my site (or my login was hacked and the Cloudflare IPs were used to disguise the culprit), or am I just ignorant of how Cloudflare works? Is Cloudflare a continuous thing that would have continuous results when logging into a website, or is it more sporadic with different results depending on, I dunno, techy reasons beyond my understanding?

I’m lost, and I’m trying to figure out if this is something I should be concerned about or not.

*** Edit: (I don’t know if this community finds it rude to edit a post after it’s posted. Please let me know and I will put it in a comment in the future!) ***

I have additional info after looking at the Wordfence logs. This info really makes me believe this was an attack and not just some sort of login echo, but again, my ignorance of how to read this data may be skewing my perspective. It looks like an account from (or disguised as) Cloudflare is trying to get through constantly, and is failing, except for the times it did get through and I shut my site down. It’s either following me because it’s some sort of Cloudflare echo, or it’s a hack attempt. But I don’t know. I don’t know if I’m reading this data correctly.

These are the successful login attempts and their timestamps. I’ve removed certain information just to keep things safe/respectful of my users’ logins and my own.

| Username | IP address | Time |
|---|---|---|
| –my latest loginusername– | ...* (my personal IP) | 5 hours 4 mins ago |
| –my changed loginusername– | 172.68.65.222 | March 5, 2019 6:52 am |
| –my changed loginusername– | 172.68.65.174 | March 5, 2019 6:49 am |
| –my original loginusername– | 172.69.62.52 | March 5, 2019 6:35 am |
| –unknown username kati***– | 172.68.110.46 | March 5, 2019 4:44 am |
| –my original loginusername– | ...* (my personal IP) | March 5, 2019 12:20 am |
| –username kati***– | 172.68.110.100 | March 4, 2019 6:09 pm |
| –username rog***– | 172.68.47.102 | March 3, 2019 11:29 pm |

These are failed logins occurring around the same time:

| Username | IP address | Time |
|---|---|---|
| –my latest loginusername– | ...* (my personal IP) | 4 hours 12 mins ago |
| –useremail kati***@gmail.com– | 172.68.110.100 | 4 hours 36 mins ago |
| –useremail kati***@gmail.com– | 172.68.110.100 | 4 hours 36 mins ago |
| –my original loginusername– | 172.68.65.120 | 5 hours 8 mins ago |
| –my unencrypted loginusername– | 172.68.65.120 | 5 hours 8 mins ago |
| –my latest loginusername– | 172.68.65.174 | March 5, 2019 12:03 pm |
| –my changed loginusername– | 172.68.65.174 | March 5, 2019 11:49 am |
| –useremail *** @yahoo.com– | 172.68.90.82 | March 5, 2019 12:26 am |
| –user Bra***– | .*.208.192 | March 4, 2019 9:38 pm |
| –useremail rog***@hotmail.com– | 172.68.211.220 | March 4, 2019 4:24 am |
| –useremail rog***@hotmail.com– | 172.68.211.220 | March 4, 2019 4:24 am |
| –useremail rog***@hotmail.com– | 172.68.211.220 | March 4, 2019 4:24 am |
| –useremail kati***@gmail.com– | 172.68.110.46 | March 3, 2019 9:36 pm |
| –unknown M.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkklLK– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkklL– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkkl– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolK– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolK– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllol– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllol– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKill– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllol– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMmll– | 172.68.65.120 | March 3, 2019 3:16 pm |
| –unknownM.n!mm,m.Mm.!mMmM,bM,mMm– | 2601:14d:8101:49dc:8917:1f88:53a5:d3bf | March 3, 2019 3:13 pm |


#2

Those are all through Cloudflare, so those are more than likely your own proper logins.

Under Wordfence’s “All Options” page, the General Wordfence options lets you choose how it gets the visitor’s IP address. There’s an automatic option which usually works well, but there’s also a Cloudflare option you should try.

Regardless of the option, right below that it shows the IP address it thinks you’re using. Keep an eye on that to check it’s correct.
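The mechanism behind this reply, worked through in code. This is an added example, not code from the thread, from Wordfence or from Cloudflare: a WordPress plugin would do this in PHP, but the logic is the same. Behind Cloudflare's proxy the TCP peer the origin sees is a Cloudflare edge node, so a plugin that records the peer address records Cloudflare. The fix is to read the `CF-Connecting-IP` header that Cloudflare adds, but only when the peer really is a Cloudflare address, since anyone who can reach the origin directly can set that header to anything. The Cloudflare ranges below were copied from https://www.cloudflare.com/ips at the time of writing (production code should fetch the live list), and the sample table rows, the placeholder addresses 198.51.100.7 and 203.0.113.5 (RFC 5737 documentation space) and the function names are assumptions made for the example.

```python
"""Added example: recover the real visitor IP behind Cloudflare, and classify
Wordfence-style login rows whose "IP" is actually a Cloudflare edge node."""
import ipaddress
from typing import Dict, List, Tuple

# Cloudflare's published edge ranges as of the time of writing
# (https://www.cloudflare.com/ips-v4 and /ips-v6).  Assumption: a real
# deployment fetches these lists periodically instead of hard-coding them.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare(ip: str) -> bool:
    """True if `ip` lies inside one of Cloudflare's published edge ranges.

    The thread's 172.68.x.x / 172.69.x.x addresses all sit inside 172.64.0.0/13,
    which is why they are "not in the list" when you look for them literally.
    """
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never contained in an IPv4 network (and vice versa),
    # so mixing both families in one list is safe.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Address a login-audit plugin should record for a request.

    The TCP peer is the only value the origin can verify.  CF-Connecting-IP is
    honoured only when that peer is a Cloudflare edge; a direct client that
    sets the header itself gets logged as its real address, not its claim.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded and is_cloudflare(peer_ip):
        try:
            ipaddress.ip_address(forwarded)  # reject garbage before trusting it
            return forwarded
        except ValueError:
            pass
    return peer_ip


# Constructed sample in the shape of the thread's "successful logins" table:
# | username | source IP as logged | when |.  198.51.100.7 stands in for the
# poster's masked home address; 2601:... is the one non-Cloudflare row above.
SAMPLE_LOGINS = """\
|--my changed loginusername--|172.68.65.222|March 5, 2019 6:52 am|
|--my original loginusername--|172.69.62.52|March 5, 2019 6:35 am|
|--username kati***--|172.68.110.100|March 4, 2019 6:09 pm|
|--my original loginusername--|198.51.100.7|March 5, 2019 12:20 am|
|--unknown--|2601:14d:8101:49dc:8917:1f88:53a5:d3bf|March 3, 2019 3:13 pm|
"""


def classify_logins(table: str) -> List[Tuple[str, str, str]]:
    """Label each row 'cloudflare-edge' or 'direct'.

    A *successful* login attributed to a Cloudflare edge address means the
    plugin is logging the proxy rather than the visitor; the session behind it
    is most likely the site owner's own, as the thread eventually concluded.
    A 'direct' address is a real peer and deserves a closer look.
    """
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3:
            continue  # skip blank or malformed lines
        user, ip, _when = cells
        rows.append((user, ip, "cloudflare-edge" if is_cloudflare(ip) else "direct"))
    return rows


if __name__ == "__main__":
    for user, ip, verdict in classify_logins(SAMPLE_LOGINS):
        print(f"{verdict:16} {ip:40} {user}")
    # What a correctly configured origin records for a proxied request:
    print(client_ip("172.68.65.174", {"CF-Connecting-IP": "203.0.113.5"}))
```

Two practical notes. First, the "Cloudflare" option in Wordfence is exactly the `client_ip` logic above (trust the header, not the peer); the "automatic" option has to guess, which is why it can flip between the two. Second, the trust check on the peer only helps if the origin is not reachable directly: lock the origin down to Cloudflare's ranges at the firewall or enable Authenticated Origin Pulls, otherwise an attacker who finds the origin address can forge `CF-Connecting-IP` to make brute-force attempts look like they come from anywhere.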


#3

Thank you!

If you don’t mind me picking your brain a bit: as a WordPress user and a Cloudflare user, would you recommend any particular plugin for my site when it comes to security, so I won’t have this confusion again?

This probably sounds terrible, but although I made this website a few years back, I haven’t really looked too much into why it hasn’t been hacked yet, you know? I can only assume my hosting company was really awesome when they gave me tools like Cloudflare, and my ignorance did not mess that up. But now that I’m looking at it after this bit of a shock, I’m trying to figure out how to make sure Cloudflare is working for me, and that I’m not sabotaging it with these security plugins, etc. You seem to know Wordfence, so any advice when you find some time would be totally welcome.


#4

Oh, also: now that I’ve looked at the All Options tab in Wordfence and changed to the Cloudflare option, the IP address shown is the same as my own router’s, i.e. it’s not one of the 172… addresses that I’m still not sure are an echo of my own IP through Cloudflare or not. Don’t know if that info helps narrow things down or not.


#5

Wordfence does a super job! I installed it years ago when a site I ran got hacked and I couldn’t successfully clean it up manually. Wordfence cleaned it up and has been protecting it ever since.

If you want to confirm your home’s IP address, visit https://www.whatsmydns.net/whats-my-ip-address.html

**Pro Tip:** Under Scan Options, turn on everything except for “Scan images, binary, and other files as if they were executable” and “Enable HIGH SENSITIVITY scanning (may give false positives)”. Having it scan plugins and themes (I think this starts off disabled) can find critical problems.

I think you’re on the right track. Cloudflare’s proxy setup confuses some because visitors now seem to be coming from Cloudflare.

If you have any more questions, post 'em.


#6

Gonna try it now. Seriously, thanks! I think I better throw down the money and get the pro version of Wordfence just in case. I think I’m actually looking at a problem and not me just barking in the dark. :disappointed_relieved:


#7

I feel better with the Pro version because it gets realtime updates.

Another lifesaver is backups. I use All-in-One Migrator. If the site isn’t bigger than 512 megs, it’s free for backups.


#8

Thank you! I’ll check this one out too.

So… I think it was just a Cloudflare echo. Pretty sure. I had another login plugin running that I had ignored because users logging into WordPress didn’t seem to trigger it. But it caught data on both the incident on the 5th and a brute force attack on the 2nd, and the IPs shown were distinctly not through Cloudflare. The timestamps for the weird echoes logging into my admin that showed as a foreign IP to Wordfence showed up as my IP on this other login plugin.

Aka, I’ve been freaking myself out over nothing. Yay!???

I’m going to throw a “solved” up on the title and go feel like an idiot for a while. :sweat: Thanks for all your help. If anything, you showed me how to inform Wordfence about Cloudflare so that it will hopefully read the IPs properly in the future.