I've recently migrated a number of sites to a new server using easyengine, which created a separate set of docker images for each WP site. Internally on my server, each of these sites gets a private IP (172.x.x.x) and externally of course domains are routed via dns to the external server name and served up normally. I noticed that a couple of my migrated sites are experiencing failed logins (shown in the activity log plugin) that have no referrer and appear to come from the private IP of the server itself. When I examine the logs I see entries like this at the exact time of failure:
172.19.0.1 - - [29/Oct/2021:10:20:27 +0000] "POST /wp-cron.php?doing_wp_cron=1635502827.4259769916534423828125 HTTP/1.1" 200 31 "https://mysitename.com/wp-cron.php?doing_wp_cron=1635502827.4259769916534423828125" "WordPress/5.8.1; https://mysitename.com"
Sometimes the logs show the same internal IP trying to POST to xmlrpc and some other files.
Even though I have wordfence set up and it should block failed login attempts, it ignores these (I assume because they are local, private IPs) so they never get blocked. It doesn't yet appear that someone has been able to log in, but this is very concerning and I can't track it down yet. Here are the things I notice and the questions I have about this activity:
- Could someone possibly spoof an internal IP from an outside request? This seems unlikely as it is only happening on the 2 sites that came from the same old server; the other sites still seem unaffected.
- I have combed through all of the files and can't find any malicious code. And I have completely reinstalled WP on one of them and exported and reimported using the WP importer (instead of directly copying the db), but still have these attempts.
- I can't find any reference to a hack like this; does anyone have any idea how it could be tracked down?
- So far, none of these attempts has guessed an existing username, and they have all failed to log in.
Thanks!
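One way to triage access-log lines of the kind quoted above, as an added example that is not from the poster, from easyengine or from Wordfence: it parses combined-format lines, separates WordPress's own wp-cron self-requests (recognisable by the `WordPress/…` user agent) from POSTs to wp-login.php and xmlrpc.php, and flags auth POSTs whose source is an RFC1918 address, since those are exactly the ones an IP-based blocker cannot act on. The sample log (only its first line is the one from the question) and the assumption that a reverse proxy or the Docker bridge sits in front of the site are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format, matching the shape of the access-log line in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTH_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: line 1 is the entry quoted in the question, the rest are made up.
SAMPLE_LOG = """\
172.19.0.1 - - [29/Oct/2021:10:20:27 +0000] "POST /wp-cron.php?doing_wp_cron=1635502827.4259769916534423828125 HTTP/1.1" 200 31 "https://mysitename.com/wp-cron.php?doing_wp_cron=1635502827.4259769916534423828125" "WordPress/5.8.1; https://mysitename.com"
172.19.0.1 - - [29/Oct/2021:10:20:29 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
172.19.0.1 - - [29/Oct/2021:10:20:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2021:10:21:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label one access-log entry from a defender's point of view."""
    ip = ipaddress.ip_address(entry["ip"])
    path = entry["path"].split("?", 1)[0]
    if path == "/wp-cron.php" and entry["ua"].startswith("WordPress/"):
        return "wp-cron self-request"  # WordPress calling its own site URL; expected noise
    if entry["method"] == "POST" and path in AUTH_PATHS:
        if any(ip in net for net in RFC1918):
            # Auth traffic from an RFC1918 source means the real client address is not
            # reaching this log (assumption: a reverse proxy or the Docker bridge is in
            # front and the forwarded client IP is not applied), so an IP-based blocker
            # only ever sees the proxy/gateway address.
            return "auth POST from private IP (client IP masked)"
        return "auth POST from public IP"
    return "other"

def summarize(log_text):
    """Count labels across a log and collect the private sources worth checking."""
    labels, masked = Counter(), set()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        label = classify(entry)
        labels[label] += 1
        if label.startswith("auth POST from private"):
            masked.add(entry["ip"])
    return labels, masked

if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_LOG)
    for label, n in counts.items():
        print(f"{n:3d}  {label}")
    print("private sources with auth POSTs:", sorted(ips))
```

If the flagged private source turns out to be the proxy or Docker gateway address, the place to look is the proxy configuration: have it pass the original client address (for example in X-Forwarded-For) and configure the web server and the security plugin to trust that header from that proxy only, so failed-login blocking applies to the real client.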