Unusual IDS log

This topic is: not resolved
    #6015
    dtective
    Post count: 6

    Hi,
    I am seeing this 1 unusual entry in my log:
    Name: server
    Value: http://[my-server-ip-address]:80/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
    Page: /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo
    Impact/Total: 9 / 9
    IP: [my-server-ip-address]
    Guest

    Why is it showing my server IP? I have received 200 “[Hide My WP] Someone is mousing!” notifications in the last hour also – it says the visitor IP is my server’s IP address and the page is the wp-login.php page.

    #6020
    Suman M.
    Post count: 12480

    Hi, if you think it’s a valid request then go to Dashboard >> Intrusions, hover over the request name and click on “Exclude”.
    And you get the “Someone is mousing!” notification if someone tries to visit wp-admin or wp-login.php without the HMWP secret code, and when a 404 page is loaded. You can disable this notification by disabling the “Spy Notify” option under the HMWP general settings tab.

    #6039
    dtective
    Post count: 6

    Yes, I already understand all of that.
    My question was, why is my server’s IP showing up in the intrusion log and the “Someone is mousing!” notifications?

    #6050
    Suman M.
    Post count: 12480

    HMWP IDS might detect an incoming request as malicious or potentially dangerous depending upon the nature of the request, regardless of the IP. And the ‘someone is mousing’ notification is sent when a 404 not found page is visited, i.e. if any invalid URL is visited.

    #6051
    dtective
    Post count: 6

    Sorry, Suman, you’re not really answering my questions.
    Does HMWP store the IP of the actual visitor who visited these invalid urls? Rather than seeing my server’s IP address in all the ‘someone is mousing’ notifications, can I see the actual IP of the visitor anywhere?

    #6054
    Suman M.
    Post count: 12480

    Hi, the IP you see in the notification is the visitor’s IP. So, is it that no one from your IP has visited a 404 page, but still the IP reported in the notification is yours?

    #6057
    dtective
    Post count: 6

    Yes, the IP showing up on the notifications is my server’s IP (I have no routing/VPN setup). I find that very unusual…

    #6058
    Suman M.
    Post count: 12480

    Alright, I’ve assigned this ticket to the sr. support so that he can have a further look into the issue.

    #6059
    dtective
    Post count: 6

    Thank you, Suman.

    #6077
    Hassan
    Post count: 955

    Hi,

    Yes, it’s the visitor’s IP, i.e. the one who requests the page.

    If you use the latest version (>4.52) it’s exactly: $_SERVER['REMOTE_ADDR']

    Why do you see your server IP as the visitor?
    It may happen in one of the following scenarios:
    – There’s a cron job saved by you or by one of the installed software packages which requests a file at a certain interval. Say, once per 120 seconds.

    – You use your server as a VPN or proxy and that file was executed in the frontend (JS) indirectly.

    – You use some kind of reverse proxy on your server (not sure about this one)

    The first case is more common.
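
Added example, not part of the thread or of Hide My WP's code: one way to check for the first scenario above (a scheduled job requesting a file at a fixed interval) is to pull the requests whose source address is the server's own out of the web server access log and test whether they arrive at a near-constant interval. The log lines, the 203.0.113.10 address standing in for the server's IP, and the 10% jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in Apache/nginx "combined" format; 203.0.113.10
# stands in for the server's own public address (assumption).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2015:10:00:00 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.38"
203.0.113.10 - - [12/Mar/2015:10:02:00 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.38"
203.0.113.10 - - [12/Mar/2015:10:04:01 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.38"
203.0.113.10 - - [12/Mar/2015:10:06:00 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.38"
203.0.113.10 - - [12/Mar/2015:10:01:13 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2015:10:01:15 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2015:10:09:47 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# remote address, timestamp, request path
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def self_requests(log_text, own_ips):
    """Map path -> sorted timestamps of requests whose source address is ours."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in own_ips:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(3)].append(ts)
    return {path: sorted(times) for path, times in hits.items()}

def classify(times, min_hits=3, jitter=0.1):
    """'periodic' if the gaps between hits are near-constant, else 'irregular'."""
    if len(times) < min_hits:
        return "too-few"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return "periodic" if avg > 0 and pstdev(gaps) <= jitter * avg else "irregular"

def triage(log_text, own_ips):
    """Verdict per path for requests that appear to come from the server itself."""
    return {p: classify(t) for p, t in self_requests(log_text, own_ips).items()}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG, {"203.0.113.10", "127.0.0.1"}).items():
        print(f"{verdict:10} {path}")
```

Paths reported as periodic point to a scheduled job on the host; irregular ones are not explained by a cron job and need to be traced to whatever is relaying them.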
