Spoofing or goofing?


#1

Cloudflare IPs being spoofed in WordPress attacks? (Same IPs appear regularly, same geographical regions). Anyone else seeing this?

|3 hours ago|141.101.77.31|REQUEST_URI|/wp-content/plugins/ungallery/source_vuln.php?pic=…/…/…/…/…/wp-config.php|
|3 hours ago|162.158.111.36|REQUEST_URI|/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=…/…/…/…/…/wp-config.php|
|3 hours ago|162.158.111.84|FILES|settings_auto.php|
|3 hours ago|141.101.104.190|REQUEST_URI|/wp-admin/admin-ajax.php?action=revslider_show_image&img=…/wp-config.php|


#2

I assume your site is on Cloudflare, is it not?

In that case nothing is being spoofed, but you haven't rewritten the IP addresses of the requests you receive through Cloudflare's proxies.
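An added example, not part of the posts above: one way to restore the visitor address for logging, trusting Cloudflare's `CF-Connecting-IP` header only when the connecting peer is itself inside a Cloudflare range. The two networks listed are a subset of Cloudflare's published IPv4 ranges that covers the addresses in the log above; the function names and the sample visitor addresses are assumptions made for illustration.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, enough to cover the proxy
# addresses seen in the log above. Assumption: a real deployment loads the
# full, current list that Cloudflare publishes and refreshes it regularly.
TRUSTED_PROXIES = [
    ipaddress.ip_network(net)
    for net in ("141.101.64.0/18", "162.158.0.0/15")
]


def is_trusted_proxy(peer_ip):
    """True when the TCP peer address belongs to a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, via_proxy) for one request.

    The header is honoured only when the peer is a trusted proxy. A request
    that reaches the origin directly can set CF-Connecting-IP to anything,
    so for such requests the peer address is the only reliable value.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, False
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(claimed)), True
    except ValueError:
        # Header missing or malformed: keep the proxy address rather than guess.
        return peer_ip, True


if __name__ == "__main__":
    # Constructed sample requests: peer address plus request headers.
    samples = [
        ("141.101.77.31", {"CF-Connecting-IP": "203.0.113.7"}),   # via proxy
        ("162.158.111.36", {}),                                   # header absent
        ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),    # direct to origin
    ]
    for peer, hdrs in samples:
        print(peer, "->", resolve_client_ip(peer, hdrs))
```
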


#3

#4

Thanks for the link.