In reviewing a website log this morning I came across this string of hits. The of this traffic is about 1 hit every 3 seconds, or 20 hits per minute. This is clearly from a bot at IP 185.16.237.59, in Sakarya, Turkey. This log includes the Referrer (where the traffic was came from) which I know is fake because none to these folders are listed in Google Search. This is a hacker. He or she is probing the site for old copies. None of the directories exist, so each hit was logged as a 404.
| Time | IP | Path | Referrer | Location |
|---|---|---|---|---|
| 04:59 | 185.16.237.59 | /wp | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /wordpress | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /****** | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /newkeep | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /web_old | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /****** | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /devs | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /beta | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /BACKUP2 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /staging | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /landing | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /Oldfiles | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /wp2 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /BKP | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /old-site | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /123 | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /oldwebsite | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /old | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /blog | www.google.com | Sakarya, Turkey |
| 04:59 | 185.16.237.59 | /dev | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /newsite | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /bkp | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /test | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /home | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /BACKUP | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /backup | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /old_files | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /new1 | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /Old | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /demo | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /site | www.google.com | Sakarya, Turkey |
| 05:00 | 185.16.237.59 | /wordpress-old | www.google.com | Sakarya, Turkey |
What Is This From?
The log file is from a website. None of the folders exist so the system records the interactions as 404 file-not-found errors. This is a hacker, scanning the site for vulnerabilities:
- old staging copy of WordPress. If the CRM is not up-to-date this could be an easy target to break into.
- backup or ZIP file of the site. A backup or ZIP file may include the database password and connection details. Like handing the hacker your keys.
AbuseIPDB.com – IP Abuse Report For 185.16.237.59
IP address 185.16.237.59 has been reported for abuse 42 times over the last 7 month. This IP was first reported on January 31st 2022.
| Date | Website Administrator Comments |
|---|---|
| 27 Jul 2022 | Bot scanning for vulnerabilities |
| 24 Jul 2022 | Backdrop CMS module – Request: /backup-core |
| 22 Jul 2022 | Brute-force WordPress attack. |
| 21 Jul 2022 | Repeated Apache mod_security rule triggers |
| 04 Jul 2022 | 185.16.237.59 – – [05/Jul/2022:02:52:54 +0200] “GET / HTTP/2.0” 444 0 “www.google.com” |
| 02 Jul 2022 | https crap |
| 01 Jul 2022 | Too many 4xx responses in a short time |
| 01 Jul 2022 | Fail2Ban Ban Triggered HTTP Exploit Attempt |
| 29 Jun 2022 | /wp |
| 25 Jun 2022 | Too many 4xx responses in a short time |
| 25 Jun 2022 | blocked by firewall for Known malicious User-Agents |
| 20 Jun 2022 | 185.16.237.59 – – [21/Jun/2022:04:23:36 +0100] 443 “GET /wp HTTP/1.1” 404 6104 “www.google.com” |
| 17 Jun 2022 | [nut] – trolling for installation vulnerabilities [17/Jun/2022:06:53:15 “GET /WordPress”] |
| 15 Jun 2022 | fail2ban apache-modsecurity [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [uri “/”] |
| 14 Jun 2022 | Blocked by firewall for Known malicious User-Agents 13/06/2022 23:01:27 (10 hours 15 mins ago |
Reference: https://www.abuseipdb.com/check/185.16.237.59
So, What Should You Do?
To ensure a hacker like this one is not successful in breaking into your website, here are 3 simple steps you should take:
- Do not leave backup files accessible on your domain.
- Remove staging copies of the site when you no longer need them.
- Have a Pro review your website for security risks.
