Ok, found the source of the traffic. Still don't know why Wordfence would be trying to phone home constantly on different ports and hitting each port twice. noc3.wordfence.com = 69.46.36.10. Maybe I should just remove the function and see what breaks ... it would be easier if the author would simply explain it.
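/**
 * Ask the remote Wordfence service whether an IP should be blocked.
 *
 * Issues a GET request to noc3.wordfence.com on port 9050 carrying the site's
 * API key, the value of wfUtils::inet_aton($IP) and the attempt type, then
 * looks for a "BLOCKED:<digits>" marker in the response body.
 *
 * Security notes for reviewers:
 *  - The URL is plain http://, so the API key and the reported address cross
 *    the network unencrypted and the reply is not authenticated. Anyone on
 *    the network path can read the key, or forge or strip a BLOCKED reply.
 *    Moving to https:// needs confirmation that the endpoint serves TLS.
 *  - The request is sent before the local whitelist is consulted, so
 *    whitelisted addresses are still transmitted to the remote service.
 *    NOTE(review): confirm whether that is intended.
 *
 * @param string $IP   Address to look up (presumably dotted-quad text; confirm against caller).
 * @param string $type Attempt type, passed through as the "t" query parameter.
 * @return string|false The digits following "BLOCKED:" (meaning not visible here;
 *                      verify against caller), or false when the address is not
 *                      blocked, is whitelisted, or the lookup failed.
 */
private static function wfsnIsBlocked($IP, $type){
    try {
        // Encode every query value so a stray '&', '#' or space in the key or
        // type cannot alter the request that is actually sent.
        $query = '?k=' . urlencode((string) wfConfig::get('apiKey'))
            . '&IP=' . urlencode((string) wfUtils::inet_aton($IP))
            . '&t=' . urlencode((string) $type);

        $curl = curl_init('http://noc3.wordfence.com:9050/hackAttempt/' . $query);
        if ($curl === false) {
            return false;
        }

        curl_setopt($curl, CURLOPT_TIMEOUT, 3);
        curl_setopt($curl, CURLOPT_USERAGENT, "Wordfence.com UA " . (defined('WORDFENCE_VERSION') ? WORDFENCE_VERSION : '[Unknown version]'));
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        curl_setopt($curl, CURLOPT_POST, false);
        // CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST are deliberately left
        // at their defaults. They have no effect on an http:// request, and
        // turning them off would silently disable certificate checking if the
        // URL is ever switched to https://.

        $result = curl_exec($curl);
        if (!is_string($result)) {
            // Timeout, DNS failure or refused connection: treat as "not blocked".
            return false;
        }

        // The whitelist check runs only after a BLOCKED marker is seen.
        if (preg_match('/BLOCKED:(\d+)/', $result, $matches) && (! self::getLog()->isWhitelisted($IP))) {
            return $matches[1];
        }
        return false;
    } catch (Exception $err) {
        // Best-effort lookup: any failure means "not blocked".
        return false;
    }
}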