1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Traffic and Clicks from Ann Arbor, Michigan, United States, Merit Network - what are they?

Discussion in 'White Hat SEO' started by darulez, Jun 28, 2017.

  1. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    For quite some time I get clicks in statcounter from IPs from this sites and range:

    Ann Arbor, Michigan, United States, Merit Network

    IPs like 35.189.230.185 and simiilar 35.x.x.x.x

    however, it is only affecting one site of my projects and only /.

    ANY ideas what that is? its approx 10-20 visits / clicks a day. doesnt seem like any DDOS or wp-admin hack or sth...
     
  2. Ralf1212

    Ralf1212 Newbie

    Joined:
    Jun 10, 2017
    Messages:
    16
    Likes Received:
    1
    What's the visit durations?
    I once had a bot visit all my pages one time, turned out the location was a Amazon data center (also Ann Arbor I believe).
     
  3. NoDice

    NoDice Newbie

    Joined:
    Nov 13, 2012
    Messages:
    21
    Likes Received:
    7
    Bots hit sites all the time looking for things to exploit. It's possible you have something on that site that identifies the possibility of something someone wants to get in and exploit.

    Could be a competitor as well.

    If you see UserAgent rotation from that IP address range you know it's a bot. Another thing to do is Port Scan the entire IP address range to see if something interesting comes up. You never know there might be a nice web server in that range.
     
  4. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    it is always this stuff as example

    Referring URL:
    (No referring link)
    Host Name: x.x.x..x.bc.googleusercontent.com Browser: Phantom
    IP Address: 35.x.1x.x — Label IP Address OS/Platform: Win8/Desktop
    Location: Ann Arbor, Michigan, United States Resolution: 1024x768
    Returning Visits: 0 Javascript: Enabled
    Visit Length: 10 hours 41 mins 7 secs ISP: Merit Network

    host name changes with different ips.but IP adress is always from this 35.x class a network...

    rest stays the same..
     
  5. NoDice

    NoDice Newbie

    Joined:
    Nov 13, 2012
    Messages:
    21
    Likes Received:
    7
    I searched my visits for hosts with googleusercontent.com and are mostly all coming up with Appengine or identifying as Bots.

    These are services hosted in Googles Cloud services.
     
  6. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    so thereare brute forcing wp admin? looking for exploits? old plugins? etc ?
     
  7. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    I upped the wp-admin pass.
    checked plugins /update /
    and put sucuri on it..

    only missing is 4.8 - but as it is non-critial, I will wait til the usual 4.8.1 comes.
     
  8. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    it's password brute force..

    however I put htpasswd on the wp-login.php and I still get those attemps from sucuri plugin.

    any idea if there is perhaps some other way to "login" to wordpress which also should be protected by httpasswd?
     
  9. vilto

    vilto Jr. VIP Jr. VIP

    Joined:
    Dec 4, 2016
    Messages:
    229
    Likes Received:
    39
    Gender:
    Male
    You can use a tricky ip restriction which consist to block all the IPs adress to login to your admin except yours (works only if your IP address is static) :

    <Files wp-login.php>
    order deny,allow
    Deny from all
    # whitelist West Palm Beach IP address
    allow from xx.xxx.xx.xx
    #whitelist Gainesvile IP Address
    allow from xx.xxx.xx.xx
    </Files>

    You need to edit your htaccess file and replace the xx with your IPs.
     
    • Thanks Thanks x 1
  10. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,302
    Likes Received:
    725
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    as I got dynamic dsl, that would not be the best idea.

    hoever, I did this plugin:

    WPS Hide Login



    dont like that "security through obscurity". but

    after setting the url, there were NO MORE login attempts.

    I still get "bot traffic" to the site however.
     
  11. aidenhera

    aidenhera Elite Member

    Joined:
    Nov 30, 2016
    Messages:
    1,628
    Likes Received:
    285
    Gender:
    Male
    that could be fbi heckers my freind. you shud better be careful and add a double vpn to your site hosting vps or they might get you.