
IPs you should block right away if you are using WordPress.

Discussion in 'Blogging' started by mani.dxb007, Jun 10, 2019.

  1. mani.dxb007

    mani.dxb007 Regular Member Marketplace seller

    Joined:
    Jan 24, 2019
    Messages:
    222
    Likes Received:
    87
    I have multiple WordPress websites and I have a couple of paid security software packages protecting my sites. They provide me a list of I/P addresses from where my site was attacked, and I have noticed these are the same I/Ps which are attacking my other sites as well. Believe me, my sites are not at all related to each other, nor do they have any obvious footprint, which means these are the I/Ps used by bad actors and they must be attacking all the random WordPress websites. I have blocked/blacklisted these I/Ps on all my sites and I thought that I should let others know as well, so I am putting a list here and I will try to update this list every couple of days so we can maintain an updated list. Please do let me know if you guys will be interested in the updated list so I can put some effort daily into maintaining the bad I/Ps list. Here is the list anyhow:-


    IP Country
    182.61.167.11 China
    209.45.61.98 Peru
    85.108.27.251 Turkey
    78.169.166.59 Turkey
    218.157.166.40 Korea, Republic of
    85.214.24.93 Germany
    160.153.154.8 United States
    5.9.123.21 Germany
    156.67.210.51 Singapore
    23.238.18.46 United States
    50.62.176.65 United States
    136.243.2.7 Germany
    89.46.105.177 Italy
    83.136.216.101 Germany
     
    • Thanks Thanks x 9
  2. Lamuks

    Lamuks Jr. VIP Jr. VIP

    Joined:
    Mar 10, 2014
    Messages:
    548
    Likes Received:
    132
    How are they attacking you? Spam, ddos?
     
  3. mendes

    mendes Jr. VIP Jr. VIP

    Joined:
    May 29, 2013
    Messages:
    131
    Likes Received:
    51
    Gender:
    Male
    That is interesting... what security software do you recommend?
     
  4. Nut-Nights

    Nut-Nights Jr. VIP Jr. VIP

    Joined:
    Jun 20, 2013
    Messages:
    8,782
    Likes Received:
    5,399
    Occupation:
    Plumber
    Location:
    Hell
    Home Page:
    I am going to block them, no matter what.
     
    • Thanks Thanks x 1
  5. mani.dxb007

    mani.dxb007 Regular Member Marketplace seller

    Joined:
    Jan 24, 2019
    Messages:
    222
    Likes Received:
    87
    I have Wordfence Security installed. They were successful in clickjacking my website, one of them, so all the clicks from search engines were going to porn and other hacked websites. I even got penalized for that by Google.
     
    • Thanks Thanks x 1
  6. mani.dxb007

    mani.dxb007 Regular Member Marketplace seller

    Joined:
    Jan 24, 2019
    Messages:
    222
    Likes Received:
    87
    We found site log files starting in May 2019. Based on our review of the logs and the malware we found, your site was compromised on May 13, 2019 through a compromised WordPress user account, specifically the user ********. We found a successful login attempt in your log files on the 13th of May which was followed by the upload of a plugin titled “linklove.” Unfortunately, the plugin “linklove” was no longer on the account when we conducted our clean-up, however, after doing some research, we discovered that “linklove” is a plugin typically used by attackers containing malicious code used to obtain remote access to your server and be able to run commands such as uploading and modifying files. After the attacker logged in and installed the plugin, they uploaded webshells and backdoors to maintain access to your site and to be able to run remote commands that could further the infection. Please see the detailed log analysis below.

    In these first four requests, we can see the attacker accessing the /wp-login.php page, successfully authenticating, and being redirected to the /wp-admin dashboard.

    46.105.107.231 - - [13/May/2019:14:20:39 -0700] "GET /wp-login.php HTTP/1.1" 200 1716 "-"

    46.105.107.231 - - [13/May/2019:14:20:40 -0700] "POST /wp-login.php HTTP/1.1" 302 - "-"

    46.105.107.231 - - [13/May/2019:14:20:41 -0700] "GET /wp-admin/ HTTP/1.1" 200 41120 "-"

    46.105.107.231 - - [13/May/2019:14:20:48 -0700] "GET / HTTP/1.1" 200 22489 "-"

    Here is evidence from the database confirming that it was the user ********** that logged in.

    [user_nicename] => ********* [user_id] => 22 [login] => Mon May 13 21:20:41 2019 [ip] => 46.105.107.231

    Now in the next five requests, we see the attacker accessing the plugin installation page, navigating to the upload option, and successfully uploading the plugin “linklove” that would provide them with the remote access they needed.

    46.105.107.231 - - [13/May/2019:14:32:06 -0700] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 31726 "-"

    46.105.107.231 - - [13/May/2019:14:32:08 -0700] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 29056 "-"

    46.105.107.231 - - [13/May/2019:14:32:18 -0700] "GET /wp-admin/plugins.php?action=activate&plugin=linklove%2Flinklove.php&_wpnonce=56bf29943d HTTP/1.1" 302 - "-"

    PRIVATE & CONFIDENTIAL 23 May 2019 5 of 10

    46.105.107.231 - - [13/May/2019:14:32:25 -0700] "GET /wp-admin/plugins.php?activate=true&plugin_status=all&paged=1&s= HTTP/1.1" 200 26 "-"

    46.105.107.231 - - [13/May/2019:14:32:26 -0700] "GET /wp-content/plugins/linklove/linklove.php?s=id HTTP/1.1" 200 26 "-"

    Finally, in the next four requests we see the attacker retrieving the malicious files from the “linklove” plugin and POST-ing to the files, which is when the attacker started running commands through the plugin to inject additional malicious files into your account. At this time, two malicious files were uploaded, apigen.php and iconclass.php.

    86.105.25.218 - - [13/May/2019:17:19:44 -0700] "GET /wp-content/plugins/linklove/ini_xml_rpc.class.php?bamdkda=a HTTP/1.1" 200 22 "-"

    86.105.25.218 - - [14/May/2019:06:10:48 -0700] "POST /wp-content/plugins/linklove/linklove.php?s=id HTTP/1.1" 200 26 "-"

    86.105.25.218 - - [14/May/2019:06:10:55 -0700] "GET /wp-content/plugins/linklove/ini_user-info.php?bamdkda=a HTTP/1.1" 200 22 "-"

    45.227.252.251 - - [14/May/2019:06:44:58 -0700] "POST /wp-content/plugins/linklove/ini_user-info.php HTTP/1.1" 200 12675 "-"

    public_html/wp-content/blogs.dir/apigen.php 2019-05-14 public_html/wp-content/plugins/w3-total-cache/ini/iconclass.php 2019-05-14

    The attacker then used the malicious webshells they uploaded to further infect your site over the next few days. As a result, we have reset all administrative user account passwords and ask that you reset them to new stronger passwords.
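The request sequence in the report above (a successful login, a plugin upload, a plugin activation, then direct requests with parameters to .php files inside that plugin's directory) is regular enough to pull out of ordinary web-server access logs automatically. The script below is an added example, not part of this post and not code from the clean-up vendor: it parses combined-format log lines, labels the requests that matter, reports every IP that logged in and then uploaded and activated a plugin within a configurable window, and lists the plugin slugs that were hit directly with parameters or POSTs, which are the on-disk locations to inspect first. The sample log is constructed (documentation-range IPs such as 203.0.113.10 and a made-up plugin slug `evilplug`) and is modelled on the lines quoted above; the status-code rule (a 302 from `POST /wp-login.php` is a successful login, a 200 is the form coming back) reflects default WordPress behaviour.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined-format line: ip - - [time] "METHOD target HTTP/x" status bytes "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A .php file inside a plugin directory requested directly. WordPress loads plugin
# code itself; a browser fetching plugin .php files with parameters is unusual.
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/.*\.php$")

# Constructed sample (documentation-range IPs, made-up plugin slug "evilplug"),
# modelled on the request sequence quoted in the clean-up report above.
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2019:14:20:39 -0700] "GET /wp-login.php HTTP/1.1" 200 1716 "-"
203.0.113.10 - - [13/May/2019:14:20:40 -0700] "POST /wp-login.php HTTP/1.1" 302 - "-"
203.0.113.10 - - [13/May/2019:14:20:41 -0700] "GET /wp-admin/ HTTP/1.1" 200 41120 "-"
203.0.113.10 - - [13/May/2019:14:32:06 -0700] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 31726 "-"
203.0.113.10 - - [13/May/2019:14:32:08 -0700] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 29056 "-"
203.0.113.10 - - [13/May/2019:14:32:18 -0700] "GET /wp-admin/plugins.php?action=activate&plugin=evilplug%2Fevilplug.php&_wpnonce=0123abcd HTTP/1.1" 302 - "-"
203.0.113.10 - - [13/May/2019:14:32:26 -0700] "GET /wp-content/plugins/evilplug/evilplug.php?s=id HTTP/1.1" 200 26 "-"
198.51.100.7 - - [14/May/2019:06:10:48 -0700] "POST /wp-content/plugins/evilplug/evilplug.php?s=id HTTP/1.1" 200 26 "-"
192.0.2.44 - - [14/May/2019:09:00:01 -0700] "GET /wp-login.php HTTP/1.1" 200 1716 "-"
192.0.2.44 - - [14/May/2019:09:00:02 -0700] "POST /wp-login.php HTTP/1.1" 200 1800 "-"
192.0.2.44 - - [14/May/2019:09:00:05 -0700] "GET /wp-content/plugins/akismet/_inc/akismet.css HTTP/1.1" 200 3000 "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec


def classify(rec):
    """Label one parsed request, or return None if it is not interesting for this triage."""
    path, q, method, status = rec["path"], rec["query"], rec["method"], rec["status"]
    if path == "/wp-login.php" and method == "POST":
        # WordPress re-renders the form (200) on failure and redirects (302) on success.
        return "login_success" if status == 302 else "login_attempt"
    if path == "/wp-admin/update.php" and q.get("action") == ["upload-plugin"]:
        return "plugin_upload"
    if path == "/wp-admin/plugins.php" and q.get("action") == ["activate"]:
        return "plugin_activate:" + q.get("plugin", ["?"])[0]
    m = PLUGIN_PHP_RE.match(path)
    if m and (method == "POST" or q):
        return "direct_plugin_php:" + m.group("slug")
    return None


def triage(log_text):
    """Return {ip: [(timestamp, event), ...]} in log order for every IP with at least one event."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = classify(rec)
        if event:
            per_ip[rec["ip"]].append((rec["time"], event))
    return dict(per_ip)


def takeover_chains(per_ip, window_minutes=60):
    """IPs that logged in and, within the window, both uploaded and activated a plugin."""
    hits = {}
    for ip, events in per_ip.items():
        for t0, event in events:
            if event != "login_success":
                continue
            later = [e for t, e in events if 0 <= (t - t0).total_seconds() <= window_minutes * 60]
            activated = {e.split(":", 1)[1].split("/")[0] for e in later if e.startswith("plugin_activate:")}
            if "plugin_upload" in later and activated:
                hits[ip] = sorted(activated)
                break
    return hits


def suspicious_plugins(per_ip):
    """Plugin slugs whose .php files were hit directly with parameters or POSTs, from any IP."""
    return sorted({e.split(":", 1)[1] for evs in per_ip.values() for _, e in evs
                   if e.startswith("direct_plugin_php:")})


if __name__ == "__main__":
    # Pipe a real access log on stdin; with no input the constructed sample is used.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    found = triage(text)
    for ip, slugs in takeover_chains(found).items():
        print(f"takeover chain from {ip}: login -> plugin upload -> activate {slugs}")
    print("plugin slugs hit directly with parameters/POSTs:", suspicious_plugins(found))
```

Run it with `python3 triage.py < access.log`. The two checks are deliberately independent: the per-IP chain finds the account takeover (in the report above the upload came twelve minutes after the login), while `suspicious_plugins` catches the later webshell traffic even though, as in the report, it arrived from different addresses hours afterwards. Blocking the first IP would not have stopped the second.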
     
  7. mani.dxb007

    mani.dxb007 Regular Member Marketplace seller

    Joined:
    Jan 24, 2019
    Messages:
    222
    Likes Received:
    87
    Here is a part of the clean-up I had to do, where they provided me the details. So yeah, you should just block them no matter what. I will keep updating the list though, every couple of days.
     
  8. HustleTong

    HustleTong Jr. VIP Jr. VIP

    Joined:
    May 30, 2019
    Messages:
    1,085
    Likes Received:
    241
    Gender:
    Male
    Occupation:
    IM
    Location:
    Old Town Road
    That's a good share from your part. Really appreciate your effort, keep the list updated
     
  9. Visual Eagle

    Visual Eagle Jr. VIP Jr. VIP

    Joined:
    Dec 11, 2008
    Messages:
    2,194
    Likes Received:
    1,760
    Gender:
    Male
    Occupation:
    Graphic Designer
    Location:
    Slovenija
    Home Page:
    Am also sharing some IPs that breached my VPS and did email spam :p

    89.248.162.159
    89.248.172.85
    89.248.172.208
    37.187.114.79
    145.249.106.13
    123.24.185.161
    134.19.230.71
    115.167.127.156
    191.96.249.23
    191.96.249.43
    185.228.80.63
    191.96.249.23
    191.96.249.43
    134.249.141.24
    45.125.66.0/24 (whole subnet)
    93.157.63.0/24 (whole subnet)
    185.228.80.0/24 (whole subnet)
    103.231.139.0/24 (whole subnet)
    141.98.10.0/24 (whole subnet)
    185.36.81.0/24 (whole subnet)
    193.169.254.0/24 (whole subnet)
    185.234.218.0/24 (whole subnet)
    193.201.224.0/24 (whole subnet)
     
    • Thanks Thanks x 2
  10. Mr Positive

    Mr Positive Jr. VIP Jr. VIP

    Joined:
    Mar 30, 2018
    Messages:
    1,422
    Likes Received:
    514
    Gender:
    Male
    Home Page:
  11. Visual Eagle

    Visual Eagle Jr. VIP Jr. VIP

    Joined:
    Dec 11, 2008
    Messages:
    2,194
    Likes Received:
    1,760
    Gender:
    Male
    Occupation:
    Graphic Designer
    Location:
    Slovenija
    Home Page:
    If you're gonna block these on a VPS, then do the following via SSH:

    iptables -A INPUT -s 134.249.141.24 -j DROP    (single IP)

    iptables -A INPUT -s 185.228.80.0/24 -j DROP    (whole /24 subnet)

    netfilter-persistent save    (it's good to install netfilter-persistent to save the changes across reboots)
     
    • Thanks Thanks x 1
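Typing one iptables line per address for a list like the ones posted in this thread gets error-prone quickly: the VPS list above contains two duplicated entries, and one mistyped private address would drop your own admin traffic. The script below is an added example, not Visual Eagle's code or anything else from this thread. It reads entries in the format posted here (bare IPs, or `x.x.x.0/24 (whole subnet)`), rejects anything that does not parse, refuses RFC 1918, loopback and link-local ranges, merges duplicates and adjacent blocks with the standard `ipaddress` module, and prints iptables/ip6tables commands that keep the drops in a dedicated chain evaluated at the top of INPUT. The sample list is constructed from documentation ranges and the chain name BLOCKLIST is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format posted in this thread: documentation ranges,
# a duplicate, an address already inside a listed /24, two halves of one /24,
# a typo and a private address.
SAMPLE_LIST = """\
203.0.113.10
203.0.113.10
203.0.113.11
198.51.100.0/24 (whole subnet)
198.51.100.77
192.0.2.0/25 (whole subnet)
192.0.2.128/25 (whole subnet)
not-an-ip
10.0.0.1
"""

# Leading IP or CIDR; trailing notes such as "(whole subnet)" are ignored.
ENTRY_RE = re.compile(r"^([0-9a-fA-F:.]+(?:/\d{1,3})?)")

# Ranges that must never land in an inbound blocklist: RFC 1918, loopback,
# link-local and the IPv6 equivalents. Dropping these cuts off your own
# management and monitoring traffic.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_blocklist(text):
    """Return (networks, rejected_lines). Bare IPs become /32 or /128 networks."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        try:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        except (AttributeError, ValueError):  # no match, or not a valid address/prefix
            rejected.append(line)
    return nets, rejected


def normalise(nets):
    """Drop reserved ranges, duplicates and entries covered by a listed subnet; merge adjacent blocks."""
    safe = [n for n in nets if not any(n.overlaps(r) for r in NEVER_BLOCK)]
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        merged += list(ipaddress.collapse_addresses(n for n in safe if n.version == version))
    return merged


def iptables_rules(nets, chain="BLOCKLIST"):
    """Commands that keep the drops in their own chain, evaluated before anything else in INPUT.
    Re-running them rebuilds the chain instead of appending duplicate rules."""
    cmds = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        subset = [n for n in nets if n.version == version]
        if not subset:
            continue
        cmds.append(f"{tool} -N {chain} 2>/dev/null; {tool} -F {chain}")
        cmds.append(f"{tool} -C INPUT -j {chain} 2>/dev/null || {tool} -I INPUT 1 -j {chain}")
        cmds += [f"{tool} -A {chain} -s {n.with_prefixlen} -j DROP" for n in subset]
    return cmds


if __name__ == "__main__":
    networks, bad = parse_blocklist(SAMPLE_LIST)
    for line in bad:
        print(f"# skipped unparseable entry: {line}")
    print("\n".join(iptables_rules(normalise(networks))))
```

The dedicated chain is the point of the design: `iptables -A INPUT ... -j DROP` appends after whatever is already in INPUT, so on a host that accepts ports 80/443 higher up the DROP is never reached, whereas the jump inserted at position 1 is evaluated first. For lists beyond a few hundred entries, load the networks into an ipset and match them with a single `-m set --match-set` rule rather than one rule per address. Finish with `netfilter-persistent save`, as in the post above, so the rules survive a reboot.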
  12. RufusShinra

    RufusShinra Newbie

    Joined:
    Jul 15, 2015
    Messages:
    13
    Likes Received:
    0
    I don't see any Ukrainian IP!
     
  13. C45HC0W

    C45HC0W Registered Member

    Joined:
    Jan 30, 2019
    Messages:
    55
    Likes Received:
    5
    85.214.24.93? That's weird, it's the IP of a German internet hosting service provider.
     
  14. Goodi OG

    Goodi OG Regular Member

    Joined:
    May 29, 2019
    Messages:
    331
    Likes Received:
    106
    Gender:
    Male
    Occupation:
    Crawler
    Location:
    Paradise
    Home Page:
    blocking them right away.
     
  15. davids355

    davids355 Moderator Staff Member Moderator Jr. VIP

    Joined:
    Apr 25, 2011
    Messages:
    14,952
    Likes Received:
    13,610
    Home Page:
    You’ll probably find that a lot of these spammers first compromise an existing server, then from there, attack other servers. That explains why you might get spammed from what looks like a consumer hosting account.
     
    • Thanks Thanks x 1
  16. volkswagon1143

    volkswagon1143 BANNED BANNED

    Joined:
    May 28, 2019
    Messages:
    100
    Likes Received:
    17
    Gender:
    Female
    Great! Thanks for sharing this, will block them once I see them in my WordPress.
     
  17. Renfield-Files

    Renfield-Files Regular Member

    Joined:
    Feb 13, 2017
    Messages:
    413
    Likes Received:
    202
    Gender:
    Male
    Occupation:
    IT Manager
    Location:
    Sao Paulo
    Great share my friend! I had this list 2 months ago and I was testing them. Really harmful. All people running WP please block them. They also cause a lot of trouble.
     
  18. mani.dxb007

    mani.dxb007 Regular Member Marketplace seller

    Joined:
    Jan 24, 2019
    Messages:
    222
    Likes Received:
    87
    Top IPs Blocked
    IP Country Block Count
    206.189.36.106 Singapore 8
    202.38.128.103 China 8
    77.234.46.201 United States 7
    159.203.124.92 United States 7
    134.209.196.169 Netherlands 4
    212.154.74.150 Turkey 4
    40.70.218.165 United States 4
    45.40.166.149 United States 4
     
  19. TheVigilante

    TheVigilante Jr. VIP Jr. VIP

    Joined:
    Aug 31, 2010
    Messages:
    8,386
    Likes Received:
    5,521
    Occupation:
    ↓ USA-Native Author↓
    Location:
    ↓ Money-site Quality↓
    Home Page:
    Going to block these right away!
     
  20. Renfield-Files

    Renfield-Files Regular Member

    Joined:
    Feb 13, 2017
    Messages:
    413
    Likes Received:
    202
    Gender:
    Male
    Occupation:
    IT Manager
    Location:
    Sao Paulo
    68.183.164.2
    216.224.225.7
    46.101.103.184
    185.86.13.213

    Block these ones NOW! DDoS, and they are using bots to link your websites back to rotten domains. I have Wordfence PRO and for one of my websites WF had me biting my nails because these ones are handled by pros. It's important to say to all WP owners: please rename your wp-admin... Be extra careful with your search boxes as well... SQL injections are quite easy even for newbies.