Suspicious file requests with Cloudflare IP address

Hello,

I have several WordPress sites under my account. Our managed hosting’s cPanel dashboard has an “Errors” page where they list the access errors to our websites.

Today I found a strange error. The hosting’s firewall has stopped the request so there was no harm this time.

The request URI was this: /wp-includes/images/css.php, and it came from a Cloudflare IP address (108.162.245.5 / Seattle, Washington, United States). I have to mention that this file doesn’t exist on my server, of course.

I have a WAF rule that stops these kinds of requests but allows them for “good bots” (see the attachment).

So my question is, why does Cloudflare want to see a clearly malicious file (a PHP file with a CSS name inside an images folder), or why doesn’t my WAF rule stop the request?

P.S.: If you want to open the file yourself from my server, you will get an “Access denied” error. I cannot open this link, either.
https://fortmax.hu/wp-includes/images/css.php

Best regards,
Gergo Simko

Are you using the “Security Insights” Cloudflare feature?

Dear @soldier_21, I don’t know exactly. Where can I find this?

Dear @soldier_21, I’ve found the “Security Insights” page, it says there aren’t any issues on my sites.

No, I was just wondering if you had run scans previously with that feature, which could explain the weird request from Cloudflare.

Where do you see the request coming from 108.162.245.5?

Are you restoring original visitor IPs? https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs
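
What the last question is getting at, as an added example that is not part of the original thread: behind the proxy, the origin logs Cloudflare's edge address unless it restores the visitor address from the `CF-Connecting-IP` header, and that header should only be trusted when the connection really comes from a Cloudflare range. The range list below is a snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) and may be stale; the function names and the sample requests are constructed for illustration.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges; refresh from the
# published list before relying on it (assumption: may be out of date).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if the connecting address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def real_client_ip(remote_addr, headers):
    """Return the address to log and filter on for one request.

    headers is assumed to be a dict keyed by the exact header name.
    """
    if not is_cloudflare(remote_addr):
        # Direct connection to the origin: the header is client-controlled.
        return remote_addr
    claimed = headers.get("CF-Connecting-IP")
    if not claimed:
        return remote_addr
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        # Malformed header value: fall back to what the socket saw.
        return remote_addr


# Constructed sample requests: (remote address, headers, request URI).
SAMPLE_REQUESTS = [
    ("108.162.245.5", {"CF-Connecting-IP": "203.0.113.77"}, "/wp-includes/images/css.php"),
    ("198.51.100.9", {"CF-Connecting-IP": "192.0.2.1"}, "/wp-login.php"),  # spoofed header
    ("108.162.245.5", {}, "/"),
]


def resolve_all(requests):
    """Map each sample request to (restored visitor IP, URI)."""
    return [(real_client_ip(remote, hdrs), uri) for remote, hdrs, uri in requests]


if __name__ == "__main__":
    for ip, uri in resolve_all(SAMPLE_REQUESTS):
        print(ip, uri)
```

Without this restoration step, an error log entry such as the one in the first post shows only the edge address, not the client that sent the request through Cloudflare.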
