edited with new, hopefully relevant info
Hi, I’m totally new to this, so I apologize in advance for, well, everything.
I recently installed Wordfence onto my WordPress site that has Cloudflare through my host. All of a sudden (a day or two after installation) I got these notifications from Wordfence about my username logging in from across the country through these specific IP addresses:
172.68.65.174
172.69.62.52
172.68.65.222
These happened very shortly after I logged into my website. Thinking I was ‘hacked,’ I first changed my username, after which more of these IPs popped up to tell me that someone with the new username had logged in across the country, and then I placed 2 blacklist ranges to address the 172.68.65.00 and the 172.69.62.00 set. I then found my own IP blacklisted when I changed my username again and was logged out. I naturally assumed someone had gotten into my website and then blacklisted my IP. I shut my site down (just in case) and took some time to think.
The IP addresses listed above when doing a whois IP search claim to belong to Cloudflare, but when I went to the Cloudflare IP lists found on their site, the IPs I dealt with aren’t there. At least, if they are, I don’t have the understanding to pick them out of the predefined ranges.
I have since then turned the site back on–I had to take down all IP blacklists to do so–and when logging in, I have not had any notifications/warnings or signs of Cloudflare IP addresses logging into my site from anywhere.
So, what am I looking at? Does anyone know? Was this a thing where Cloudflare was used to get into my site (or my login was hacked and the Cloudflare IPs used to disguise the culprit), or am I just ignorant of how Cloudflare works? Is Cloudflare a continuous thing that would have continuous results when logging into a website, or is it more sporadic with different results depending on, I dunno, techy reasons beyond my understanding?
I’m lost, and I’m trying to figure out if this is something I should be concerned about or not.
**Edit (I don’t know if this community finds it rude to edit a post after it’s posted. Please let me know and I will put it in a comment in the future!)**
I have additional info after looking at the Wordfence logs. This info really makes me believe this was an attack and not just some sort of login echo, but again, my ignorance of how to read this data may be skewing my perspective. It looks like an account from (or disguised as) Cloudflare is trying to get through constantly, and is failing. Except for the times it did get through and I shut my site down. It’s either following me because it’s some sort of Cloudflare echo, or it’s a hack attempt. But I don’t know. I don’t know if I’m reading this data correctly.
These are the successful login attempts and their time stamps. I’ve removed certain information just to keep things safe/respectful of my users’ logins and my own.

|Username|IP address|Time|
|---|---|---|
|–my latest loginusername–|...* (my personal IP)|5 hours 4 mins ago|
|–my changed loginusername–|172.68.65.222|March 5, 2019 6:52 am|
|–my changed loginusername–|172.68.65.174|March 5, 2019 6:49 am|
|–my original loginusername–|172.69.62.52|March 5, 2019 6:35 am|
|–unknown username kati***–|172.68.110.46|March 5, 2019 4:44 am|
|–my original loginusername–|...* (my personal IP)|March 5, 2019 12:20 am|
|–username kati***–|172.68.110.100|March 4, 2019 6:09 pm|
|–username rog***–|172.68.47.102|March 3, 2019 11:29 pm|
These are failed logins occurring around the same time:

|Username|IP address|Time|
|---|---|---|
|–my latest loginusername–|...* (my personal IP)|4 hours 12 mins ago|
|–useremail kati***@gmail.com–|172.68.110.100|4 hours 36 mins ago|
|–useremail kati***@gmail.com–|172.68.110.100|4 hours 36 mins ago|
|–my original loginusername–|172.68.65.120|5 hours 8 mins ago|
|–my unencrypted loginusername–|172.68.65.120|5 hours 8 mins ago|
|–my latest loginusername–|172.68.65.174|March 5, 2019 12:03 pm|
|–my changed loginusername–|172.68.65.174|March 5, 2019 11:49 am|
|–useremail *** @yahoo.com–|172.68.90.82|March 5, 2019 12:26 am|
|–user Bra***–|..208.192|March 4, 2019 9:38 pm|
|–useremail rog**@hotmail.com–|172.68.211.220|March 4, 2019 4:24 am|
|–useremail rog***@hotmail.com–|172.68.211.220|March 4, 2019 4:24 am|
|–useremail rog***@hotmail.com–|172.68.211.220|March 4, 2019 4:24 am|
|–useremail kati***@gmail.com–|172.68.110.46|March 3, 2019 9:36 pm|
|–unknown M.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkklLK–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkklL–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolKLkkkklkjkkl–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolK–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllolK–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllol–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKilllol–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllolKill–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmlllol–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMmll–|172.68.65.120|March 3, 2019 3:16 pm|
|–unknownM.n!mm,m.Mm.!mMmM,bM,mMm–|2601:14d:8101:49dc:8917:1f88:53a5:d3bf|March 3, 2019 3:13 pm|
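Added example, not part of the original post: a check of whether logged source addresses fall inside Cloudflare's published edge ranges, and whether a block rule would overlap them. The range list is a partial snapshot and an assumption to be refreshed from https://www.cloudflare.com/ips/; the sample rows are constructed in the post's row shape with placeholder usernames, and reading the post's block ranges as /24 is also an assumption.

```python
import ipaddress

# Partial snapshot of Cloudflare's published edge ranges (assumption: refresh
# from https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "172.64.0.0/13", "162.158.0.0/15", "104.16.0.0/13", "173.245.48.0/20",
    "108.162.192.0/18", "141.101.64.0/18", "2606:4700::/32", "2400:cb00::/32",
)]

# Constructed rows in the post's "|user|ip|time|" shape; usernames are placeholders.
SAMPLE_ROWS = """\
|user-a|172.68.65.222|March 5, 2019 6:52 am|
|user-a|172.68.65.174|March 5, 2019 6:49 am|
|user-b|172.69.62.52|March 5, 2019 6:35 am|
|user-c|172.68.110.46|March 5, 2019 4:44 am|
|user-b|...*|March 5, 2019 12:20 am|
|user-d|2601:14d:8101:49dc:8917:1f88:53a5:d3bf|March 3, 2019 3:13 pm|
"""

def classify(ip_text):
    """Return ('proxy', network), ('direct', None) or ('masked', None)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:  # redacted or truncated address such as "...*"
        return ("masked", None)
    for net in CLOUDFLARE_RANGES:
        if ip.version == net.version and ip in net:
            return ("proxy", net)
    return ("direct", None)

def summarize(rows):
    """Count how many log rows show a proxy, direct or masked source address."""
    counts = {"proxy": 0, "direct": 0, "masked": 0}
    for line in rows.strip().splitlines():
        fields = line.strip().strip("|").split("|")
        if len(fields) == 3:
            counts[classify(fields[1])[0]] += 1
    return counts

def block_hits_proxy(cidr):
    """True if a block rule overlaps an edge range, i.e. it would also block
    every legitimate visitor whose request arrives through that range."""
    rule = ipaddress.ip_network(cidr, strict=False)
    return any(rule.version == n.version and rule.overlaps(n)
               for n in CLOUDFLARE_RANGES)

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    # /24 is an assumed reading of the post's "172.68.65.00" block range
    for rule in ("172.68.65.0/24", "172.69.62.0/24"):
        print(rule, "overlaps proxy range:", block_hits_proxy(rule))
```

On a proxied site the origin sees the edge address as the connection source, so per-IP login alerts and block rules only become meaningful once the security plugin is set to take the visitor address from the header the proxy supplies.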