Hey! This is my first time in the forums. LOVE the plugin.
I often get emails telling me that WF has detected and blocked a possible SQL Injection attack. Sometimes I check up on the IPs, sometimes I don’t. This time I did. The results are baffling:
Web Page: newyorktraveler.net/
Offending Parameter: __gads = ID=2d61acce4548d02d:T=1345045601:S=ALNI_MZqjTInnSGUl1dgHIfY1c371-0xDA
I looked up the IP, and it's the White House. Of the President of the United States…
Anybody got any ideas? Is this a spoofed IP address or is the White House really attacking my website! :S
I’m also a little alarmed that it says that the main URL of my site may contain malicious content. My server and blogs were severely hacked a few months ago so I’m very jumpy. Please help, anyone! Thanks
I must admit this is one of the more intriguing posts I’ve received this week. That security alert is not a message generated by Wordfence. It is generated by the “WordPress firewall plugin”, but it looks like you may have already figured that out:
Julio, who is replying to you on that forum appears to be mistaken based on my research. Several location databases including Maxmind, which is in my opinion the most reputable, show that IP as belonging to the Executive Office of the President of the United States. I’d like to see data suggesting otherwise because I could not find any.
You can look it up yourself here: http://www.maxmind.com/app/locate_demo_ip
I would encourage you to contact the makers of WordPress Firewall and ask them about this, which appears to be a false positive. Here is why:
The “Offending parameter” that they list is the “__gads” cookie which is used by “DoubleClick For Publishers – Small Business” which is a division of Google. You can find out more about it here:
So it looks like Mr President may have clicked an ad which brought him to your site and DFP included a query string parameter called “__gads” for tracking purposes so that any DFP code you may have running on your site could set a cookie. Or maybe it was the janitor, who knows.
Either way I think I'd be pretty happy to get the White House visiting my site. Congrats on being interesting enough for that. It's unfortunate though that this message makes it appear that WordPress Firewall blocked them from actually visiting your site. I'm not sure how that plugin works, but that's at least what the message suggests.
Hope that helps, let me know if you have more questions, or found any data conflicting with my hypotheses above. I’m sure the community here may also have some input, perhaps this is something they’ve seen before. By the way, I’m going to change the Title on this topic to be a little more descriptive in case someone else has this issue, so hope you don’t mind.
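To make the false-positive mechanism concrete, here is an added example (my own, not Wordfence code and not the WordPress Firewall plugin's actual rule) showing how a naive SQL-injection signature trips on the opaque `__gads` tracking token, and how a tuned rule that recognises the token's shape before applying a stricter injection pattern avoids that while still flagging a real probe. The `__gads` grammar is an assumption inferred from the value quoted in the thread, not taken from DFP documentation; the `search` and `page` parameters are constructed sample input.

```python
import re

# Constructed sample request parameters. The __gads value is the one quoted
# in the thread; "search" carries a textbook injection probe for contrast.
SAMPLE_PARAMS = {
    "__gads": "ID=2d61acce4548d02d:T=1345045601:S=ALNI_MZqjTInnSGUl1dgHIfY1c371-0xDA",
    "page": "2",
    "search": "' OR 1=1 --",
}

# Naive signature of the kind an early WAF plugin might use: any SQL-ish
# keyword or punctuation anywhere in a value trips the rule. A bare "="
# is enough, which is why an opaque ID=...:T=...:S=... token gets flagged.
NAIVE_SQLI = re.compile(r"(?i)(\bor\b|\bunion\b|\bselect\b|'|--|;|=)")

# Tighter signature: a quote followed by a boolean tautology, a comment
# marker, or a stacked/union statement. "=" alone no longer counts.
STRICT_SQLI = re.compile(
    r"(?i)('|\")\s*(or|and)\s+[\w']+\s*=\s*[\w']+"
    r"|--|\bunion\s+select\b|;\s*(drop|delete|insert)\b"
)

# Parameters whose values are opaque tracking tokens with a known shape.
# Assumption: DFP's __gads token is "ID=<16 hex>:T=<unix time>:S=<base64url>".
TOKEN_SHAPES = {
    "__gads": re.compile(r"^ID=[0-9a-f]{16}:T=\d{10}:S=[A-Za-z0-9_-]+$"),
}


def naive_scan(params):
    """Return the parameter names a naive signature would flag."""
    return sorted(name for name, value in params.items() if NAIVE_SQLI.search(value))


def tuned_scan(params):
    """Skip well-formed tracking tokens, then apply the strict signature.

    A parameter on the allowlist is only skipped when its value matches the
    expected grammar; a malformed __gads value is still inspected, so the
    allowlist does not become a bypass.
    """
    flagged = []
    for name, value in params.items():
        shape = TOKEN_SHAPES.get(name)
        if shape and shape.fullmatch(value):
            continue
        if STRICT_SQLI.search(value):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print("naive :", naive_scan(SAMPLE_PARAMS))
    print("tuned :", tuned_scan(SAMPLE_PARAMS))
```

The tuned rule keeps the allowlist narrow (parameter name plus exact token grammar) rather than exempting cookies wholesale, so a `__gads` value that does not look like a DFP token is still scanned.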
Mark, thank you for your kind reply. Yes, after posting the thread here, I realized (with much chagrin) that I had the plugin names confused. Still, I love WordFence and thank God it protects me from all the attacks! It’s saved my websites many times since I installed it in May. So thanks for a great plugin. I’m still in the “testing” stage and will probably purchase it for added protection. I really appreciate you offering such a good plugin for free, too.
In reading your response, Mark, it brings up even more questions! I do not have any advertisements for my website, that I am aware of! I would love to have the executive office visiting my site… but I don't know where they are coming from and exactly why they are rebuffed.
Interesting, thanks for sharing, Rebecca. If you like you can email me those log entries to firstname.lastname@example.org. It's possible it is something like a caching proxy that is "pre-loading" data very rapidly by doing a kind of crawl. Or it could be that you have pages on your site that include other content on the site (like in iframes for example) so it appears that you're getting many page hits when in fact it's one page that loads multiple URLs.
I'm always interested in seeing what the White House is up to ;-) so I'd like to see what kind of traffic you got from that IP.
And moving into crazy conspiracy theory territory… maybe one of their servers was compromised and is in fact being used as an attack platform. Now wouldn’t it be cool if we broke that story? Highly unlikely of course.
Just for fun I wanted to update this.
I did some research at ARIN and found that the owner of this block of IP addresses is:
Name Executive Office Of The President
They own the following blocks of IPs:
MBOE-A (NET6-2620-10F-B000-1) 2620:10F:B000:: – 2620:10F:B0FF:FFFF:FFFF:FFFF:FFFF:FFFF
Here’s the full entry: http://whois.arin.net/rest/org/EXOP/pft
EOPNET-B is a big one which is over 65,000 addresses. They own everything that starts with 165.119.
The other two blocks are smaller, roughly 512 and 255 addresses if you exclude network and broadcast addresses.
The block in question is a block of 512 addresses. Keep in mind that even 1 IP address can have hundreds of thousands of employees behind it if it is a firewall or proxy server, which is most definitely the case for the White House.
What I did find with some Googling is that http://www.ustr.gov/, the Office of the United States Trade Representative, used to be on the block of IPs that accessed your site. But they're now on a different block. Just to give you an idea of how diverse the people and services are that are all lumped into the US president's office.
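The ARIN lookup above can be turned into a reusable offline check. The following is an added example of mine (not part of the thread and not an ARIN tool): it converts the quoted MBOE-A range into CIDR form, records the 165.119.0.0/16 block the post describes as "everything that starts with 165.119", answers "which of these blocks, if any, contains this IP", and computes usable host counts the way the post does (IPv4 minus network and broadcast). The IP `165.119.42.7` and the `/23` used for the size check are constructed values; the two smaller blocks the post mentions are not listed numerically there, so they are left out.

```python
import ipaddress

# Blocks quoted in the thread from the ARIN org record for the Executive
# Office of the President. The range form is converted to CIDR with the
# standard library; summarize_address_range yields one /40 for this range.
EOP_BLOCKS = {
    "EOPNET-B": ipaddress.ip_network("165.119.0.0/16"),
    "MBOE-A": next(iter(ipaddress.summarize_address_range(
        ipaddress.ip_address("2620:10F:B000::"),
        ipaddress.ip_address("2620:10F:B0FF:FFFF:FFFF:FFFF:FFFF:FFFF"),
    ))),
}


def owner_of(ip, blocks=EOP_BLOCKS):
    """Return the block name containing ip, or None if no listed block does."""
    addr = ipaddress.ip_address(ip)
    for name, net in blocks.items():
        if addr.version == net.version and addr in net:
            return name
    return None


def usable_hosts(net):
    """Address count the way the post counts it: drop network and broadcast
    for ordinary IPv4 subnets; IPv6 has no broadcast address."""
    if net.version == 4 and net.prefixlen <= 30:
        return net.num_addresses - 2
    return net.num_addresses


if __name__ == "__main__":
    for name, net in EOP_BLOCKS.items():
        print(f"{name:9} {net}  usable={usable_hosts(net)}")
    # Constructed sample address inside the /16, plus one outside it.
    print(owner_of("165.119.42.7"), owner_of("203.0.113.9"))
```

A local table like this is only as current as the last whois lookup; the post's own observation that USTR moved between blocks is a reminder to refresh it rather than trust it indefinitely.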
The topic ‘Possible attack from 18.104.22.168 – IP appears to belong to the WhiteHouse?’ is closed to new replies.