10000 forum users celebration - special event

Someone from Iran is really interested in my website. A little too interested. And I am 99% sure that they are on this forum. Exposing their data:

And I am setting up special trackers for this stuff now. So if you are reading this, stop.

3 Likes

?

I mean, what is wrong with them accessing your website?

And no, I’m not from Iran. I think Bayo was, though. :confused:

Probably other people here from Iran.

2 Likes

Look what they are trying to view.

And I know it’s not you, you are in the clear

2 Likes

I didn’t see what they were trying to access?

Wordpress webpages? WP admin?

You should track login attempts if you can. I know if I make websites myself I can easily integrate login attempts, but it might be a bit harder if you use a pre-made login system.

1 Like

I don’t even have a login system. Administrative stuff is taken care of off-site. The entire thing is custom-coded, there is no WP (And one can just look at the source code to confirm that).

3 Likes

Ah. What is so wrong with the queries, then?

1 Like

Absolutely nothing :slight_smile:
It is called being bored and wanting to do something

2 Likes

So, was this staged?

Or, are you saying that that person is bored?

If the latter, then why be concerned or mad?

1 Like

Huh? No

No, I am bored, so I decided to do something about it. If I had lots of things to do, I would have just ignored it.

3 Likes

OH.

Eh, I mean, you should set up your system to be more dynamic, so that you can simply pin down an IP address for your system to track.

1 Like

Nope. It is a rotating IP system, every request used a different IP.

2 Likes

Huh, interesting.

Didn’t notice that :confused:

1 Like

News Flash! The Web Share API is now available in Firefox (starting with 100.0b2). That means it is available in all major updated desktop browsers, but sadly that excludes IE (duh) and Opera.

I just pressed a button and found out, so I thought I’d share it here, but not like anyone cares :slight_smile:.

3 Likes

What is web share api?

1 Like
4 Likes

The attacker is definitely finding security vulnerabilities in your site. Even though it is nonsense for most people since the directories don’t exist, a friendly reminder: please be careful. Observing the pattern, the attacker’s goal was to know if your site is using known software. Why? It is easy for him/her to exploit and hack the website if the software is commonly used since, as we all know, there is no 100% secure code.

Luckily, you haven’t used WP. The attacker failed but likely will try other testing techniques.

If you have used libraries, please try to hide them from the public. In your case, simply denying access is enough. If you are really serious about security (like me), you can follow the OWASP guidelines for a secure website. And note: security is a process.

Keeping the site secure helps visitors build trust in the site.
4 Likes
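An added example, not part of the thread or of anyone's tracker here: the probing described above can be spotted in an access log by matching paths that only exist on a WordPress install and grouping the hits by time instead of by source IP, since the IP changes on every request. The log format, the path list, the 30-second gap and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Paths that exist only on a WordPress install. On a site that does not run
# WordPress, any request for them is a fingerprinting probe (assumed list).
WP_PROBE = re.compile(r"^/(wp-login\.php|xmlrpc\.php|wp-admin|wp-content|wp-includes)(/|\?|$)")

# Constructed sample log (not from the thread): time, client IP, path, status.
# The IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-04-08T10:00:01 198.51.100.7 /wp-login.php 404
2022-04-08T10:00:03 203.0.113.20 /wp-admin/ 404
2022-04-08T10:00:04 192.0.2.55 /index.html 200
2022-04-08T10:00:06 198.51.100.91 /xmlrpc.php 404
2022-04-08T10:00:09 203.0.113.150 /wp-content/plugins/ 404
2022-04-08T14:30:00 192.0.2.8 /wp-login.php 404
"""

def parse(log):
    """Yield (timestamp, ip, path) for every well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def probe_bursts(log, gap=timedelta(seconds=30)):
    """Group probe requests into bursts by time, not by source IP.

    A burst is a run of probes in which each one follows the previous
    within `gap`. Returns a list of dicts holding the paths requested
    and the distinct client IPs seen in that burst.
    """
    bursts, last = [], None
    for ts, ip, path in sorted(parse(log)):
        if not WP_PROBE.match(path):
            continue
        if last is None or ts - last > gap:
            bursts.append({"start": ts, "paths": [], "ips": set()})
        bursts[-1]["paths"].append(path)
        bursts[-1]["ips"].add(ip)
        last = ts
    return bursts

def rotating(burst, min_requests=3):
    """True when a burst uses a different IP for every one of its requests."""
    n = len(burst["paths"])
    return n >= min_requests and len(burst["ips"]) == n
```

On the sample, the four probes around 10:00 form one burst with four distinct IPs, which `rotating()` flags; the single hit at 14:30 is a separate burst and is not flagged.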

@Greenreader9

Don’t you have a real log from Logflare?
this one from your images returns Cloudflare IPs so it is not useful

it’s a lot more useful when you see them trying XY stuff

and as might be expected - IP is on the blacklist

3 Likes

Yea, I do, but it clears itself every 24 hours and says I have to pay to make it log it longer. That was another reason why I made my own system. And there is more info I logged that is not visible in the screenshot.

Call it MyOwnFreeTrackingSoftware MOFTS

1 Like

the live version has a 24h display

but the logs are kept for three days
and you can see them when you log in and do a search there

Your system should dig out the real IP from the user instead of getting these from CF

e.g.

				
```php
// CF

// Returns true when the IPv4 address $ipoxy lies inside $range (IP or IP/CIDR).
function ip_in_range($ipoxy, $range) {
    // strpos() returns false when there is no '/', so compare strictly
    if (strpos($range, '/') === false) {
        $range .= '/32';
    }

    // $range is in IP/CIDR format eg 127.0.0.1/24
    list($range, $netmask) = explode('/', $range, 2);
    $range_decimal = ip2long($range);
    $ip_decimal = ip2long($ipoxy);
    // ip2long() returns false for anything that is not a valid IPv4 address (e.g. IPv6)
    if ($range_decimal === false || $ip_decimal === false) {
        return false;
    }
    $wildcard_decimal = pow(2, (32 - (int) $netmask)) - 1;
    $netmask_decimal = ~ $wildcard_decimal;
    return (($ip_decimal & $netmask_decimal) == ($range_decimal & $netmask_decimal));
}

// Cloudflare IPv4 ranges, list from https://www.cloudflare.com/ips/
function _cloudflare_CheckIP($ipoxy) {
    $cf_ips = array(
        '173.245.48.0/20',
        '103.21.244.0/22',
        '103.22.200.0/22',
        '103.31.4.0/22',
        '141.101.64.0/18',
        '108.162.192.0/18',
        '190.93.240.0/20',
        '188.114.96.0/20',
        '197.234.240.0/22',
        '198.41.128.0/17',
        '162.158.0.0/15',
        '172.64.0.0/13',
        '131.0.72.0/22',
        '104.16.0.0/13',
        '104.24.0.0/14'
    );

    $is_cf_ip = false;
    foreach ($cf_ips as $cf_ip) {
        if (ip_in_range($ipoxy, $cf_ip)) {
            $is_cf_ip = true;
            break;
        }
    }
    return $is_cf_ip;
}

// True only when all the headers Cloudflare adds to a proxied request are present.
function _cloudflare_Requests_Check() {
    $flag = true;

    if (!isset($_SERVER['HTTP_CF_CONNECTING_IP']))   $flag = false;
    if (!isset($_SERVER['HTTP_CF_IPCOUNTRY']))       $flag = false;
    if (!isset($_SERVER['HTTP_CF_RAY']))             $flag = false;
    if (!isset($_SERVER['HTTP_CF_VISITOR']))         $flag = false;
    return $flag;
}

// The headers alone can be sent by anyone, so the connecting address must also
// belong to Cloudflare before they are trusted.
function isCloudflare() {
    $ipCheck        = _cloudflare_CheckIP($_SERVER['REMOTE_ADDR']);
    $requestCheck   = _cloudflare_Requests_Check();
    return ($ipCheck && $requestCheck);
}

// Use when handling IPs
function getRequestIP() {
    $check = isCloudflare();

    if ($check) {
        return $_SERVER['HTTP_CF_CONNECTING_IP'];
    } else {
        return $_SERVER['REMOTE_ADDR'];
    }
}

$ipoxy = getRequestIP();
$cf = isCloudflare();
```

it says Iran
but it can be just some VPN server out there and whoever is behind it may be from a completely different country

so it’s good to see the real IP so you can check if it’s a VPN
and then block the whole ASN

4 Likes