Scanning For Vulnerabilities: 185.16.237.59

In reviewing a website log this morning I came across this string of hits. The rate of this traffic is about 1 hit every 3 seconds, or 20 hits per minute. This is clearly from a bot at IP 185.16.237.59, in Sakarya, Turkey. This log includes the Referrer (where the traffic came from), which I know is fake because none of these folders are listed in Google Search. This is a hacker. He or she is probing the site for old copies. None of the directories exist, so each hit was logged as a 404.

| Time | IP | Path | Referrer | Location |
|---|---|---|---|---|
| 04:59 | 185.16.237.59 | /wp | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /wordpress | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /****** | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /newkeep | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /web_old | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /****** | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /devs | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /beta | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /BACKUP2 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /staging | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /landing | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /Oldfiles | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /wp2 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /BKP | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /old-site | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /123 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /oldwebsite | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /old | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /blog | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /dev | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /newsite | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /bkp | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /test | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /home | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /BACKUP | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /backup | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /old_files | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /new1 | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /Old | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /demo | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /site | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /wordpress-old | www.google.com | Sakarya, Turkey |

Log of a bot from Sakarya, Turkey, scanning a website in the US for vulnerabilities.

What Is This From?

The log file is from a website. None of the folders exist so the system records the interactions as 404 file-not-found errors. This is a hacker, scanning the site for vulnerabilities:

  1. An old staging copy of WordPress. If the CMS is not up to date, this could be an easy target to break into.
  2. A backup or ZIP file of the site. A backup or ZIP file may include the database password and connection details, which is like handing the hacker your keys.
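
One way to pick this pattern out of an access log automatically, added here as an example and not code from the original post: it flags any client that requests many distinct missing paths within a minute and notes whether the Referer is a bare hostname like the one in the log above. It assumes Combined Log Format; the function names, the threshold of 10 paths in 60 seconds, the timestamps and the second client (203.0.113.7) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def find_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients that hit `threshold` or more distinct 404 paths within `window`.
    Returns {ip: {"paths": peak distinct 404 paths, "bare_referer": bool}}.
    Assumes each client's lines arrive in time order, as in a normal access log."""
    recent = defaultdict(deque)    # ip -> (timestamp, path) of 404s still inside the window
    bare = set()                   # ips that sent a Referer with no URL scheme
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        ip, ref = m["ip"], m["referer"]
        # Browsers send a full URL ("https://www.google.com/"), never a bare hostname.
        if ref not in ("", "-") and "://" not in ref:
            bare.add(ip)
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append((ts, m["path"]))
        while ts - hits[0][0] > window:
            hits.popleft()
        distinct = len({path for _, path in hits})
        if distinct >= threshold:
            peak = max(distinct, flagged.get(ip, {}).get("paths", 0))
            flagged[ip] = {"paths": peak, "bare_referer": ip in bare}
    return flagged

# Paths taken from the log above; the timestamps and the second client are constructed.
PROBES = ["/wp", "/wordpress", "/newkeep", "/web_old", "/devs", "/beta",
          "/BACKUP2", "/staging", "/landing", "/Oldfiles", "/wp2", "/BKP"]

def sample_log(seconds_between_hits=3):
    """Constructed sample: the scanner's probes plus one ordinary visitor."""
    start = datetime(2024, 1, 1, 4, 59, 0, tzinfo=timezone.utc)
    stamp = lambda n: (start + timedelta(seconds=n)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [f'185.16.237.59 - - [{stamp(i * seconds_between_hits)}] '
             f'"GET {p} HTTP/1.1" 404 512 "www.google.com" "-"'
             for i, p in enumerate(PROBES)]
    lines.append(f'203.0.113.7 - - [{stamp(5)}] "GET /favicon.ico HTTP/1.1" '
                 f'404 0 "https://www.google.com/" "Mozilla/5.0"')
    return lines
```

Calling `find_scanners(sample_log())` reports only 185.16.237.59; the visitor with a single missing favicon is ignored, and the same probes spaced 30 seconds apart stay under the threshold.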

AbuseIPDB.com – IP Abuse Report For 185.16.237.59

IP address 185.16.237.59 has been reported for abuse 42 times over the last 7 months. This IP was first reported on January 31st 2022.

| Date | Website Administrator Comments |
|---|---|
| 27 Jul 2022 | Bot scanning for vulnerabilities |
| 24 Jul 2022 | Backdrop CMS module – Request: /backup-core |
| 22 Jul 2022 | Brute-force WordPress attack. |
| 21 Jul 2022 | Repeated Apache mod_security rule triggers |
| 04 Jul 2022 | 185.16.237.59 - - [05/Jul/2022:02:52:54 +0200] "GET / HTTP/2.0" 444 0 "www.google.com" |
| 02 Jul 2022 | https crap |
| 01 Jul 2022 | Too many 4xx responses in a short time |
| 01 Jul 2022 | Fail2Ban Ban Triggered; HTTP Exploit Attempt |
| 29 Jun 2022 | /wp |
| 25 Jun 2022 | Too many 4xx responses in a short time |
| 25 Jun 2022 | blocked by firewall for Known malicious User-Agents |
| 20 Jun 2022 | 185.16.237.59 - - [21/Jun/2022:04:23:36 +0100] 443 "GET /wp HTTP/1.1" 404 6104 "www.google.com" |
| 17 Jun 2022 | [nut] – trolling for installation vulnerabilities [17/Jun/2022:06:53:15 "GET /WordPress"] |
| 15 Jun 2022 | fail2ban apache-modsecurity [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/"] |
| 14 Jun 2022 | Blocked by firewall for Known malicious User-Agents 13/06/2022 23:01:27 (10 hours 15 mins ago |

From abuseipdb.com

Reference: https://www.abuseipdb.com/check/185.16.237.59

So, What Should You Do?

To ensure a hacker like this one is not successful in breaking into your website, here are 3 simple steps you should take:

  1. Do not leave backup files accessible on your domain.
  2. Remove staging copies of the site when you no longer need them.
  3. Have a Pro review your website for security risks.

Published by

Kimball

Kimball is a website designer and developer in Goffstown, NH.
