Traffic and Clicks from Ann Arbor, Michigan, United States, Merit Network - what are they?

darulez

Elite Member
Joined
Mar 12, 2013
Messages
3,311
Reaction score
1,189
For quite some time I get clicks in statcounter from IPs from this sites and range:

Ann Arbor, Michigan, United States, Merit Network

IPs like 35.189.230.185 and simiilar 35.x.x.x.x

however, it is only affecting one site of my projects and only /.

ANY ideas what that is? its approx 10-20 visits / clicks a day. doesnt seem like any DDOS or wp-admin hack or sth...
 
What's the visit durations?
I once had a bot visit all my pages one time, turned out the location was a Amazon data center (also Ann Arbor I believe).
 
Bots hit sites all the time looking for things to exploit. It's possible you have something on that site that identifies the possibility of something someone wants to get in and exploit.

Could be a competitor as well.

If you see UserAgent rotation from that IP address range you know it's a bot. Another thing to do is Port Scan the entire IP address range to see if something interesting comes up. You never know there might be a nice web server in that range.
 
it is always this stuff as example

Referring URL:
(No referring link)
Host Name: x.x.x..x.bc.googleusercontent.com Browser: Phantom
IP Address: 35.x.1x.x — Label IP Address OS/Platform: Win8/Desktop
Location: Ann Arbor, Michigan, United States Resolution: 1024x768
Returning Visits: 0 Javascript: Enabled
Visit Length: 10 hours 41 mins 7 secs ISP: Merit Network

host name changes with different ips.but IP adress is always from this 35.x class a network...

rest stays the same..
 
I searched my visits for hosts with googleusercontent.com and are mostly all coming up with Appengine or identifying as Bots.

These are services hosted in Googles Cloud services.
 
so thereare brute forcing wp admin? looking for exploits? old plugins? etc ?
 
I upped the wp-admin pass.
checked plugins /update /
and put sucuri on it..

only missing is 4.8 - but as it is non-critial, I will wait til the usual 4.8.1 comes.
 
it's password brute force..

however I put htpasswd on the wp-login.php and I still get those attemps from sucuri plugin.

any idea if there is perhaps some other way to "login" to wordpress which also should be protected by httpasswd?
 
You can use a tricky ip restriction which consist to block all the IPs adress to login to your admin except yours (works only if your IP address is static) :

<Files wp-login.php>
order deny,allow
Deny from all
# whitelist West Palm Beach IP address
allow from xx.xxx.xx.xx
#whitelist Gainesvile IP Address
allow from xx.xxx.xx.xx
</Files>

You need to edit your htaccess file and replace the xx with your IPs.
 
You can use a tricky ip restriction which consist to block all the IPs adress to login to your admin except yours (works only if your IP address is static) :

<Files wp-login.php>
order deny,allow
Deny from all
# whitelist West Palm Beach IP address
allow from xx.xxx.xx.xx
#whitelist Gainesvile IP Address
allow from xx.xxx.xx.xx
</Files>

You need to edit your htaccess file and replace the xx with your IPs.

as I got dynamic dsl, that would not be the best idea.

hoever, I did this plugin:

WPS Hide Login



dont like that "security through obscurity". but

after setting the url, there were NO MORE login attempts.

I still get "bot traffic" to the site however.
 
that could be fbi heckers my freind. you shud better be careful and add a double vpn to your site hosting vps or they might get you.
 
Back
Top