Wordfence reports the following visitors:

An unknown location at IP 0.0.0.0 visited
4 hours 45 mins ago   IP: 0.0.0.0
Browser: Baiduspider version 2.0
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

An unknown location at IP 0.0.0.0 visited
4 hours 45 mins ago   IP: 0.0.0.0
Browser: Opera version 12.15 running on Win7
Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15

Peter Mortensen
ovtorne

3 Answers

I suspect that your Wordfence plug-in is blindly trusting the X-Forwarded-For header. This header is used by proxies to indicate the IP address of the computers sending traffic through them, but can easily be spoofed. It is also very well possible that some of the visits from “0.0.0.0” aren't malicious, but simply users behind a misconfigured proxy.

Edit: Wordfence is indeed doing this, but this is configurable and is meant to accommodate for reverse proxies such as CloudFlare. See the comment by Wordfence founder Mark Maunder below.

user2428118
  • I took a look at the source code: https://github.com/wp-plugins/wordfence/blob/9f5590ade4492ebc8ec7bc73fefd89f56c3d17da/lib/wfUtils.php This function relies on the X-Forwarded-For header by default like you said. So this will be most likely the case. – D. Schalla Jun 02 '14 at 14:24
  • You're welcome to configure your setup to block X-Forwarded-For with invalid IP addresses, but that will just cause people to start using valid IP addresses in the X-Forwarded-For. – Snowbody Jun 03 '14 at 01:21
  • I have now chosen the following option in Wordfence: "Set this option if you're seeing visitors from fake IP addresses or who appear to be from your internal network but aren't." I would like to block X-Forwarded-For with invalid IP addresses. – ovtorne Jun 03 '14 at 10:45
  • Actually Wordfence provides several options that let the site admin choose how they want to get the visitor IP. We used to default to PHP's $_SERVER['REMOTE_ADDR'] but many customers are using nginx as a front-end and REMOTE_ADDR is often an internal address. So we provided several options including support for Cloudflare. The OP probably needs to set their site to use REMOTE_ADDR and the issue will be resolved. ~Mark Maunder - Wordfence Founder. – Mark Maunder Jun 03 '14 at 14:01
Since the address "0.0.0.0" is not valid, that's either a spoofed packet (unlikely) or a bug in Wordfence (likely).

On the unlikely chance that someone's doing a packet-spoofing attack, update your firewall to block incoming packets with invalid addresses (see, for example, this question and its answers for a list of ranges and reasons).

Mark
  • I'm pretty sure it's not possible to complete an HTTP request using address spoofing on the IP level. – Michael Borgwardt Jun 02 '14 at 13:02
  • @MichaelBorgwardt if you can somehow guess the TCP sequence number, you can. – Red Alert Jun 02 '14 at 17:48
  • I added this to .htaccess, and I hope someone will tell me if this is correct and will work.

        # block IP addresses
        <limit GET POST PUT>
        Order Allow,Deny
        Allow from all
        # uncomment/edit/repeat to block IPs
        deny from 0.0.0.0/8
        deny from 10.0.0.0/8
        deny from 10.1.3.0/24
        deny from 127.0.0.0/8
        deny from 172.16.0.0/12
        deny from 192.168.0.0/16
        deny from 224.0.0.0/3
        </limit>

    – ovtorne Jun 03 '14 at 10:56
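The client-address logic from the first answer and Mark Maunder's comment (consult X-Forwarded-For only when the request arrived through your own reverse proxy, and read the header from the right), combined with the reserved-range list from the .htaccess comment above, as an added Python example. This is not Wordfence's code and not anything posted on this page; the trusted-proxy network, the request values and the `naive_client_ip` contrast function are constructed for the demonstration.

```python
import ipaddress

# Constructed for this example: the reverse proxy (e.g. an nginx front end)
# whose X-Forwarded-For header we are willing to believe. Nothing else is.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.3.0/24")]

# The ranges from the .htaccess comment above. None of them can complete a
# TCP handshake from the public Internet, so a header entry claiming one of
# them was either forged by the client or emitted by a misconfigured proxy.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3",
)]


def parse_ip(value):
    """Return an ip_address for a syntactically valid address, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def is_blocked(addr):
    return any(addr in net for net in BLOCKED_RANGES)


def naive_client_ip(remote_addr, forwarded_for=None):
    """The pattern that produces '0.0.0.0' visitors: believe the leftmost
    X-Forwarded-For entry no matter who sent it. Kept here only for contrast."""
    if forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, forwarded_for=None):
    """Determine the real client address.

    remote_addr   -- the TCP peer (PHP's $_SERVER['REMOTE_ADDR']); a client
                     that completed the handshake cannot have spoofed it.
    forwarded_for -- the raw X-Forwarded-For header value, or None.

    The header is used only when the peer is one of our own proxies. It is
    read right to left: the rightmost entry was appended by the peer proxy,
    the next one by the proxy before it, and so on. The first entry that is
    not a trusted proxy is the client; everything left of it is client-
    controlled text and is ignored.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("invalid REMOTE_ADDR: %r" % remote_addr)
    if not is_trusted_proxy(peer) or not forwarded_for:
        return str(peer)          # direct connection, or proxy sent no header

    for hop in reversed(forwarded_for.split(",")):
        addr = parse_ip(hop)
        if addr is not None and is_trusted_proxy(addr):
            continue              # appended by another of our proxies
        if addr is None or is_blocked(addr):
            return str(peer)      # "0.0.0.0", private, malformed: fall back
        return str(addr)
    return str(peer)              # every entry was one of our own proxies


if __name__ == "__main__":
    # Constructed requests mirroring the situations discussed on this page.
    print("direct client forging the header:",
          naive_client_ip("203.0.113.7", "0.0.0.0"),
          "->", client_ip("203.0.113.7", "0.0.0.0"))
    print("through proxy, client forged a leading entry:",
          client_ip("10.1.3.5", "0.0.0.0, 198.51.100.23"))
    print("proxy itself forwarded 0.0.0.0:", client_ip("10.1.3.5", "0.0.0.0"))
```

The naive function is what turns a single forged header into a "0.0.0.0" visitor in the log; the hardened one returns the TCP peer in that case and only yields a header-supplied address when a trusted proxy vouched for it. One caveat on the .htaccess rules above: Apache evaluates `deny from` against the address it sees on the connection, so with a front-end proxy at a 10.x address (the situation Mark Maunder describes) `deny from 10.0.0.0/8` would block every request that proxy relays. Range filtering of that kind belongs after the real client address has been determined, as in the function above, or on the network edge where the packet source is what is being checked.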
If the IP address cannot be resolved properly, it comes as 0.0.0.0.

Maybe it's a distributed port scan attack. This uses multiple IP addresses to scan target device ports. Configure your infrastructure to prevent this.