In reviewing a website log this morning I came across this string of hits. The rate of this traffic is about 1 hit every 3 seconds, or 20 hits per minute. This is clearly from a bot at IP 184.108.40.206, in Sakarya, Turkey. The log includes the Referrer (the page the traffic supposedly came from), which I know is fake because none of these folders are listed in Google Search. This is a hacker, probing the site for old copies. None of the directories exist, so each hit was logged as a 404.
What Is This From?
The log file is from a website. None of the folders exist so the system records the interactions as 404 file-not-found errors. This is a hacker, scanning the site for vulnerabilities:
- An old staging copy of WordPress. If the CMS is not up to date, it could be an easy target to break into.
- A backup or ZIP file of the site. A backup or ZIP file may include the database password and connection details, which is like handing the hacker your keys.
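Here is how the pattern described above (a burst of 404s from one address a few seconds apart, against backup and staging paths, with a Referrer pointing at pages on the site that do not exist) can be picked out of an Apache or nginx combined-format access log. This is an added example, not code from the original post; the log lines, the host name example.com, the list of pages that really exist and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions for the example: the site being reviewed and the pages that really exist on it.
OUR_HOST = "example.com"
KNOWN_PATHS = {"/", "/index.html", "/about/", "/contact/"}

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a scanner tries when hunting for site archives or forgotten CMS copies (assumed list).
SUSPICIOUS_PATH = re.compile(
    r"\.(zip|tar|tgz|gz|rar|7z|sql|bak|old|orig)(\?.*)?$"
    r"|^/(backup|backups|bak|old|new|wp|wordpress|staging|dev|test|site|www)(/|$)",
    re.IGNORECASE,
)

# Constructed sample log, not taken from the original post. One address walks through
# backup and staging paths every three seconds; two others are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2022:08:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "https://example.com/backup/" "Mozilla/5.0"
198.51.100.20 - - [27/Jul/2022:08:00:02 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:08:00:04 +0000] "GET /wp/ HTTP/1.1" 404 196 "https://example.com/wp/" "Mozilla/5.0"
198.51.100.20 - - [27/Jul/2022:08:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:08:00:07 +0000] "GET /old/ HTTP/1.1" 404 196 "https://example.com/old/" "Mozilla/5.0"
192.0.2.9 - - [27/Jul/2022:08:00:09 +0000] "GET /old-news/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:08:00:10 +0000] "GET /site.tar.gz HTTP/1.1" 404 196 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:08:00:13 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 196 "https://example.com/wordpress/" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:08:00:16 +0000] "GET /backup.sql HTTP/1.1" 404 196 "https://example.com/backup/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def fake_internal_referrer(referrer):
    """True when the Referrer claims a page on our own site that does not exist."""
    if not referrer or referrer == "-":
        return False
    url = urlparse(referrer)
    return url.hostname == OUR_HOST and url.path not in KNOWN_PATHS


def find_scanners(log_text, window=timedelta(seconds=60), min_hits=5):
    """Group 404s on suspicious paths by client; flag clients with >= min_hits inside one window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and SUSPICIOUS_PATH.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["time"])
        # Sliding window: the largest number of suspicious 404s inside any `window`.
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end]["time"] - hits[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < min_hits:
            continue
        span = (hits[-1]["time"] - hits[0]["time"]).total_seconds()
        report[ip] = {
            "hits": len(hits),
            "max_in_window": best,
            "interval_s": round(span / (len(hits) - 1), 1) if len(hits) > 1 else None,
            "fake_referrers": sum(fake_internal_referrer(h["referrer"]) for h in hits),
            "paths": [h["path"] for h in hits],
        }
    return report


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} suspicious 404s, one every {info['interval_s']}s, "
              f"{info['fake_referrers']} fake internal referrers")
        for p in info["paths"]:
            print("   ", p)
```

The single favicon 404 and the visitor who mistyped /old-news/ are not flagged: they neither hit a backup-style path nor repeat. Only the address that walks /backup.zip, /wp/, /old/ and friends every three seconds, five of its six Referrers naming pages that do not exist on the site, comes out of the report. Feed a real log in place of SAMPLE_LOG and adjust KNOWN_PATHS to your sitemap.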
AbuseIPDB.com – IP Abuse Report For 220.127.116.11
IP address 18.104.22.168 has been reported for abuse 42 times over the last 7 months. This IP was first reported on January 31st 2022.
| Date | Website Administrator Comments |
| --- | --- |
| 27 Jul 2022 | Bot scanning for vulnerabilities |
| 24 Jul 2022 | Backdrop CMS module – Request: /backup-core |
| 22 Jul 2022 | Brute-force WordPress attack. |
| 21 Jul 2022 | Repeated Apache mod_security rule triggers |
| 04 Jul 2022 | 22.214.171.124 – – [05/Jul/2022:02:52:54 +0200] “GET / HTTP/2.0” 444 0 “www.google.com” |
| 02 Jul 2022 | https crap |
| 01 Jul 2022 | Too many 4xx responses in a short time |
| 01 Jul 2022 | Fail2Ban Ban Triggered HTTP Exploit Attempt |
| 29 Jun 2022 | /wp |
| 25 Jun 2022 | Too many 4xx responses in a short time |
| 25 Jun 2022 | blocked by firewall for Known malicious User-Agents |
| 20 Jun 2022 | 126.96.36.199 – – [21/Jun/2022:04:23:36 +0100] 443 “GET /wp HTTP/1.1” 404 6104 “www.google.com” |
| 17 Jun 2022 | [nut] – trolling for installation vulnerabilities [17/Jun/2022:06:53:15 “GET /WordPress”] |
| 15 Jun 2022 | fail2ban apache-modsecurity [msg “Inbound Anomaly Score Exceeded (Total Score: 5)”] [uri “/”] |
| 14 Jun 2022 | Blocked by firewall for Known malicious User-Agents 13/06/2022 23:01:27 (10 hours 15 mins ago) |
So, What Should You Do?
To ensure a hacker like this one is not successful in breaking into your website, here are 3 simple steps you should take:
- Do not leave backup files (ZIP archives, database dumps) anywhere under your web root, where a browser can fetch them by name.
- Remove staging copies of the site when you no longer need them; an outdated copy in /old/ or /wp/ is as exposed as the live site.
- Have a Pro review your website for security risks.
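The first two steps can be checked mechanically. The script below, an added example rather than anything from the original post, walks a web root and reports archive or dump files that a browser could fetch directly, plus any sub-directory that holds a complete CMS install (a forgotten staging copy). The file-name patterns and the marker files used to recognise a CMS copy are assumptions, and the demo tree it builds is constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed patterns for archives, dumps and editor leftovers that should never sit in a web root.
BACKUP_FILE_RE = re.compile(
    r"(\.(zip|tar|tgz|gz|rar|7z|sql|bak|old|orig|save|swp)|~)$", re.IGNORECASE
)

# Assumed marker files: one of these in a sub-directory means a whole CMS install lives there.
CMS_MARKERS = {"wp-config.php", "wp-login.php", "settings.php", "configuration.php"}


def audit_docroot(docroot):
    """Return sorted (kind, relative_path) findings for exposed backups and staging copies."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in filenames:
            if BACKUP_FILE_RE.search(name):
                findings.append(("backup_file", rel_dir.joinpath(name).as_posix()))
        # The live install at the root is expected; a CMS marker anywhere below it is a stray copy.
        if rel_dir != Path(".") and CMS_MARKERS & set(filenames):
            findings.append(("staging_copy", rel_dir.as_posix()))
    return sorted(findings)


def build_demo_docroot():
    """Construct a throwaway web root: one live site, one stray staging copy, one backup archive."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    layout = [
        "index.php",
        "wp-config.php",        # the live site at the root: expected, not a finding
        "backup.zip",           # site archive reachable as https://host/backup.zip
        "images/logo.png",
        "old/wp-config.php",    # forgotten staging copy under /old/
        "old/wp-login.php",
        "old/database.sql",     # database dump left inside the staging copy
    ]
    for rel in layout:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root


if __name__ == "__main__":
    demo = build_demo_docroot()
    for kind, rel in audit_docroot(demo):
        print(f"{kind:13} {rel}")
```

Run it against your real document root instead of the demo tree. Anything it lists under backup_file is exactly what the scanner in the log above is asking for, and each staging_copy is a second, usually unpatched, copy of your CMS with its own wp-config.php and database credentials.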