Someone asked me if calling out a “hacker” makes you a snitch? I smiled and told them, being a snitch is decent. People who don’t like snitches are doing things they are ashamed of and know it. In IT we need to be snitches a lot more and loudly.
Its pretty fun being your own web host, maintaining your own cloud resources and setting up the security protocols and so forth. We’ve hosted about 300 sites at various points and presently maintain 120. All of which are internal projects and resources. This volume creates a lab for SEO experiments and … incidentally security lessons.
I’d say the single biggest threat to a web site I’ve learned is inactivity. Simply leaving it to its own devices leads to returning and finding someone else has been there..these exercises are great opportunities to learn from. I started creating pages titled with the IP address of bad actors … because its important to share information.
I’m looking closely at
The .de suggests Germany and .eu supports that with European Union. Also .ru email addresses are red flags in the sites subscribers and users. Russians….cute, but uncivil.
The ultimateseo.org site bandwidth maxed out alarmingly early this past month. I set relatively low bandwidth limits on test sites to alert me if there is an unusual level of attention being earned but a site with nothing unusual on it. That brought ultimateseo.org to my desk today and according to the logs it was via the FAQ section, which makes no sense…why the FAQs of a test site might bring 10gb of data transfer attention suggests a malicious event. Primarily that attention came from those ips above.
What is known of this identity?
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.% Information related to ‘18.104.22.168 – 22.214.171.124’
% Abuse contact for ‘126.96.36.199 – 188.8.131.52’ is ‘firstname.lastname@example.org’
inetnum: 184.108.40.206 – 220.127.116.11
descr: Dedicated Servers & Hosting
remarks: abuse contact: email@example.com 
status: SUB-ALLOCATED PA
org-name: Bashilov Jurij Alekseevich
address: Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin)
source: RIPE # Filtered
person: Bashilov Jurij Alekseevich
address: 111398, Russia, Moscow, Plehanova str. 29/1-90
% Information related to ‘18.104.22.168/24AS34665’
descr: PIN DC
% This query was served by the RIPE Database Query Service version 1.96 (WAGYU)
Now notice oddly the use of a proxy isn’t utilized or is it being utilized? A web search of the person’s name shows a forum noting that this network IS a proxy. So anything from here is likely the end of my trace, but its good enough. This network is in league with them.
22.214.171.124 is blacklisted by 28 websites using IP Blacklist Cloud Plugin.
126.96.36.199 Details from APNIC
|inetnum:||188.8.131.52 – 184.108.40.206|
|Descr:||Dedicated Servers & Hosting|
|Person:||Bashilov Jurij Alekseevich|
|Address:||111398, Russia, Moscow, Plehanova str. 29/1-90|
So the next obvious thing is not to block the ips but the whole block of it since we see several ips in the same range. CIDR 220.127.116.11/24 basically means 18.104.22.168 thru 22.214.171.124. Now we can block it in the site but thats the least we can do. Networking of course comes down to 7 layers as you may recall and we can take this block to a higher layer…the server level would block communication on the whole server but I still feel thats too close to the target. Digital Ocean’s firewall would be my preferred place to block communication. But to my knowledge you are unable to specifically block communication on a certain port to a specific ip. You can block every one and list everyone allowed, but the reverse isnt available. Correct me if Im wrong in the comments.
So server level it is … now … for added distance we could put a server with the firewall on it between the world and the webserver but at this point that may be overboard. There’s already a Cloudflare layer of security on most sites, incidentally this site was not using Cloudflare, normally they do but I just wanted to shake things up. Then a firewall in the cloud, then a firewall and ModSecurity on the server. The on the site a firewall and security scanning. To add another server with a firewall to just block one pussy on a test site isn’t worth the time.
I’ll continue to review the data and assess the test site’s likely compromised files. Incidentally the site didn’t have our recommended security plugins in place but different security plugins. WP-Cerber remains our recommended plugin and has been added now to replace the apparently defeated plugin that I wont name.
If your a webmaster, I encourage you to share the IPs of problem connections. I never call these folks hackers, cause thats not what they are … they’re opportunist. “They exploit an opportunity, such as an inactive site, or one that doesn’t use updated software.
Updating your site is the second biggest thing after activity that plays a role in security wins vs defeats.