Visit Data Security Note: Its Okay To Snitch. for the whole story
Someone asked me if calling out a “hacker” makes you a snitch? I smiled and told them, being a snitch is decent. People who don’t like snitches are doing things they are ashamed of and know it. In IT we need to be snitches a lot more and loudly.
Its pretty fun being your own web host, maintaining your own cloud resources and setting up the security protocols and so forth. We’ve hosted about 300 sites at various points and presently maintain 120. All of which are internal projects and resources. This volume creates a lab for SEO experiments and … incidentally security lessons.
I’d say the single biggest threat to a web site I’ve learned is inactivity. Simply leaving it to its own devices leads to returning and finding someone else has been there..these exercises are great opportunities to learn from. I started creating pages titled with the IP address of bad actors … because its important to share information.
I’m looking closely at
The .de suggests Germany and .eu supports that with European Union. Also .ru email addresses are red flags in the sites subscribers and users. Russians….cute, but uncivil.
The ultimateseo.wtf site bandwidth maxed out alarmingly early this past month. I set relatively low bandwidth limits on test sites to alert me if there is an unusual level of attention being earned but a site with nothing unusual on it. That brought ultimateseo.wtf to my desk today and according to the logs it was via the FAQ section, which makes no sense…why the FAQs of a test site might bring 10gb of data transfer attention suggests a malicious event. Primarily that attention came from those ips above.
What is known of this identity?
% This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '220.127.116.11 - 18.104.22.168' % Abuse contact for '22.214.171.124 - 126.96.36.199' is '[email protected]' inetnum: 188.8.131.52 - 184.108.40.206 netname: AlkonavtNetwork descr: Dedicated Servers & Hosting remarks: abuse contact: [email protected]  country: RU admin-c: BJA12-RIPE org: ORG-BJA2-RIPE tech-c: BJA12-RIPE status: SUB-ALLOCATED PA mnt-by: MNT-PINSUPPORT created: 2018-07-22T18:47:38Z last-modified: 2018-07-22T18:47:38Z source: RIPE organisation: ORG-BJA2-RIPE org-name: Bashilov Jurij Alekseevich org-type: OTHER address: Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin) abuse-c: BJA13-RIPE mnt-ref: MNT-PINSUPPORT mnt-by: MNT-PINSUPPORT created: 2015-12-17T21:42:47Z last-modified: 2018-07-22T18:50:42Z source: RIPE # Filtered person: Bashilov Jurij Alekseevich address: 111398, Russia, Moscow, Plehanova str. 29/1-90 phone: +79778635845 nic-hdl: BJA12-RIPE mnt-by: MNT-PINSUPPORT created: 2015-12-16T04:19:25Z last-modified: 2018-07-22T18:58:31Z source: RIPE % Information related to '220.127.116.11/24AS34665' route: 18.104.22.168/24 descr: PIN DC origin: AS34665 mnt-by: MNT-PIN mnt-by: MNT-PINSUPPORT created: 2019-11-11T07:41:06Z last-modified: 2019-11-11T07:41:06Z source: RIPE % This query was served by the RIPE Database Query Service version 1.96 (WAGYU)
I’ll continue to review the data and assess the test site’s likely compromised files. Incidentally the site didn’t have our recommended security plugins in place but different security plugins. WP-Cerber remains our recommended plugin and has been added now to replace the apparently defeated plugin that I wont name.
If your a webmaster, I encourage you to share the IPs of problem connections. I never call these folks hackers, cause thats not what they are … they’re opportunist. “They exploit an opportunity, such as an inactive site, or one that doesn’t use updated software.
Updating your site is the second biggest thing after activity that plays a role in security wins vs defeats.
This feed was provided by Ultimate SEO