Totally fed up with wordpress and now sql hackers

I reached my limit today :onfire: It’s bad enough checking my logfiles each day and seeing hundreds of hits on wordpress (never have used it, and never would use it) but now I’m also seeing hundreds of hits on sql files (never used that either), oh, and hidden in there, a few legitimate hits mainly related to this forum.

My hosting is due for renewal March 1st, and I’m just tired of paying good money to put up targets for parasites (the hackers, not you guys :slight_smile: ) so that’s it, after many years the plug will be pulled. I’ll put my weather site on my own network for our local use.

That does mean this forum will lose a lot of linked images. Sorry folks, there’s nothing I can do about that :frowning:

:frowning: :frowning: :frowning:

Niko, I'm just wondering: I know quite a few providers who have relatively cheap plans and unlimited bandwidth. I have unlimited bandwidth and I stopped checking the access logs years ago; it is a waste of time trying to block everything, but I don't have problems at all given there is no limit.

Really sorry to see this happening :frowning: I was one of your regular visitors.

There’s always me Niko :wink:

I don’t have either a $ problem, or a bandwidth problem, I have a “get off my lawn” problem :slight_smile:

If you move though, you will get a new IP, or you could ask your provider if they will swap out your IP?

I don’t have SQL on my weather sites either, and I see the daily rain of IP addresses trying wp-login.php, wp-admin/index.php, etc. and the occasional URL-encoded SQL compromise string … no harm, no foul. The obnoxious ones, I block their CIDR in .htaccess and convert their requests from 404s to 403s… they still try.

After the Mirai botnet software was open-sourced, a LOT of new botnets sprang up looking for IoT to compromise, and looking for servers to bend to spam hosts/phishing sites/ransomware distribution sites.

The net is now a noisy (and hostile) place… good to keep the defenses up and sites with minimal exposures to the miscreants. I don’t like them ‘walking across my lawn/rattling my doorknob’ either, but… I choose to continue publishing stuff that others may find useful on my sites and keep the defenses in depth.

Here’s a count, host, HTTP-return code analysis of yesterday on my WX sites

   1642 eastcoastweather.net   200
    298 eastcoastweather.net   301
    266 eastcoastweather.net   404
     32 eastcoastweather.net   500
   1521 midatlanticweather.net   200
   1201 midsouthweather.net   200
    330 midsouthweather.net   301
    170 midsouthweather.net   304
    264 midsouthweather.net   404
     18 midsouthweather.net   500
   2566 northeasternweather.net   200
   3595 northwesternweather.net   200
   1005 plainsweather.net   200
     26 plainsweather.net   301
    167 plainsweather.net   404
     16 plainsweather.net   500
 294995 saratoga-weather.org   200
  49145 saratoga-weather.org   301
    904 saratoga-weather.org   403
    206 saratoga-weather.org   500
   1068 sk.westerncanadawx.net   200
   1250 westerncanadawx.net   200
     16 westerncanadawx.net   301
      2 westerncanadawx.net   304
    404 westerncanadawx.net   404
     31 westerncanadawx.net   500

Looking at the WordPress ‘tries’ shows


… the background ‘noise’

Running a dedicated server one just learns to ignore those and lets Fail2ban and the brute force protection do their jobs…
If I had run after everyone who “ran over the lawn”, I would have blocked the whole globe with “csf -d 0.0.0.0/0 “block all connections”” at this stage :lol:

I have unlimited bandwidth and I stopped checking the access logs years ago; it is a waste of time trying to block everything, but I don't have problems at all given there is no limit.

btw. There is nothing like unlimited bandwidth. Try to push 100+ Mbit/s 24/7 for a month on a shared server and you will for sure be banned or kicked out…

Yeah, it’s crazy now when you see the same new filelist attack suddenly show up from IPs on 6 continents. I don’t think I’ve ever seen anything from Antarctica (yet). 403’ing just serves 'em a different page, and trying to keep .htaccess updated is playing whack-a-mole.

The net is now a noisy (and hostile) place.. good to keep the defenses up and sites with minimal exposures to the miscreants. I don't like them 'walking across my lawn/rattling my doorknob' either, but... I choose to continue publishing stuff that others may find useful on my sites and keep the defenses in depth.

I never promoted mine as anything more than my private site. I’ve learned a whole new set of skills thanks to you and others, and I’m sure I’ll have fun getting my intranet site running. Unlike your site nothing of value will be lost by closing down mine. (I’m making arrangements for the forum images.)

Been seeing a lot of this crap the last several days myself. Been soooooo bad with the requests that I've added some code to my site in the main includes file that blocks & bans them. As a result it has told me I need to do some modifications to my site logging system to be much more capable and easier to manage.

My PHP code, it's quite aggressive, but I don't care at the moment:


<?php
// Any request whose URI contains one of these fragments is treated as an
// SQL-dump / probe attempt, and the client's whole /16 is denied via .htaccess.
if (stristr($_SERVER['REQUEST_URI'], 'db_') OR
    stristr($_SERVER['REQUEST_URI'], 'N0W') OR
    stristr($_SERVER['REQUEST_URI'], 'dump.')
) {
    $addr = $_SERVER['REMOTE_ADDR'];
    // explode('.') only works for IPv4; an IPv6 client would otherwise give an
    // undefined offset for $ip[1] and append a malformed Deny line.
    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = explode('.', $addr);
        $text = "DENY FROM " . $ip[0] . "." . $ip[1] . " #Excessive\n";
        file_put_contents('./.htaccess', $text, FILE_APPEND);
    }
    exit;
}

Oooh… taking out a /16 network at a time based on one transgression … very aggressive (as you said).

Maybe using something like zBlock would fight the miscreants with a more nuanced approach … several members have done that.
I do the analysis of the logs daily and look for multiple 404s before I add a CIDR to the .htaccess, and some CIDRs have been in the block list for a long time. (Much of China, Ukraine, Russia and multiple CoLo hosters).
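As an added example (not code from anyone in this thread), here is the threshold approach from the post above done in Python: count 404s and WordPress/SQL probe paths per client over common-format access log lines, and only emit a deny rule for hosts that exceed the threshold, per host rather than per /16. The probe fragments, the sample log lines (constructed, using documentation address ranges) and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Apache common log format (combined adds referer and user-agent after the size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# URI fragments that mean WordPress/SQL probing on a site that runs neither (assumed list).
PROBE_PATHS = ('wp-login.php', 'wp-admin/', 'xmlrpc.php', 'db_', 'dump.', '.sql')

# Constructed sample: one scanner, one normal visitor with a stale link, one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2017:03:14:01 -0500] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2017:03:14:02 -0500] "GET /wp-admin/index.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2017:03:14:02 -0500] "GET /db_backup.sql HTTP/1.1" 404 209
203.0.113.7 - - [10/Feb/2017:03:14:03 -0500] "GET /dump.sql HTTP/1.1" 404 209
198.51.100.22 - - [10/Feb/2017:03:20:11 -0500] "GET /index.php HTTP/1.1" 200 15233
198.51.100.22 - - [10/Feb/2017:03:20:15 -0500] "GET /old-page.html HTTP/1.1" 404 209
192.0.2.55 - - [10/Feb/2017:03:25:40 -0500] "GET /wp-login.php HTTP/1.1" 404 209
"""

def analyse(log_text, threshold=3):
    """Return {ip: (count_404, count_probe)} for clients with at least `threshold` 404s."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable log line; skip rather than guess
        ip, path, status = m['ip'], m['path'], m['status']
        if status == '404':
            stats[ip][0] += 1
        if any(frag in path for frag in PROBE_PATHS):
            stats[ip][1] += 1  # counted once per request, however many fragments match
    return {ip: tuple(v) for ip, v in stats.items() if v[0] >= threshold}

def deny_rules(offenders):
    """Apache 2.4 lines for each offending host. Apache rejects inline comments,
    so the 'why' goes on its own line so the entry can be reviewed and removed later."""
    lines = []
    for ip, (n404, nprobe) in sorted(offenders.items()):
        lines.append(f"# Excessive: {n404} x 404, {nprobe} WordPress/SQL probe paths")
        lines.append(f"Require not ip {ip}")
    return lines

if __name__ == '__main__':
    print('\n'.join(deny_rules(analyse(SAMPLE_LOG))))
```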

Good that my provider does not give me access to the access log… (I can see it only for 1 day/month, otherwise I would have to pay extra so I activate it for 24h only when I suspect a problem)

Used to be the problem was fairly well geographically defined and drastic blocking was good, but lately I’ve seen more and more US and EU IPs that I would think twice about blocking (and Amazon’s cloud :roll: ).

Phew! It’s been a busy day. Shut everything down this morning. After all this time I felt like Dave deactivating Hal 9000 :lol: Thanks to Bashy the images I’ve posted here are now moved to his server, so there shouldn’t be many broken links :slight_smile: Totally failed at getting an intranet site running on my win 10 server. Now have the basic WD site running on Linux Mint. Aside from some permissions it was really easy. Only downside is that I was forced to php7 which seems to have broken a bunch of the more exciting stuff :frowning:

I agree on that. When I look at my own logs from the brute force software and CSF, most IPs are in the US and EU and not that many at all from China, Russia etc…

EDIT: Blocks by country on my server in the last 12 months made by Lfd. Russia and China do not fit even in the top 30 here. Instead, in the top 7 we have Bulgaria, Poland, USA and Sweden…


Know how you feel, niko. I get well in excess of 75 tries to wp-login (plus more tries to various other wp components) every day and I’m not even running WP. More and more of the spiders don’t even bother looking at robots.txt any more, and a huge number of idiots just camp on pages on my site which eats up resources (they get hit with an automatic timeout and then a nasty 403 if they keep it up). After 10+ years of increasing garbage I’m very close to just quitting.

I have set my csf, server wide, to perm block any fails after 3 attempts; if it's legit (client), they will ask me to sort it :slight_smile:
PS been blocked myself on many occasion too :lol: :lol: :lol: my IP changes each time i reboot my router :frowning: :roll:

Yup. When you get sick of all the buzzing mosquitoes, you break out the napalm. :evil: I have them commented as “excessive” so at some point I can go in and remove them by hand.

This is actually a very temporary solution to stop them from pounding at the gates once they start whoring their attempts. I do plan on updating my security script to prevent hammering the site, and that would definitely stop the 106 or 206 requests within 4 seconds. It will also have other features that will redirect visitors who have far too many 404s to a page and they will be stuck seeing that page for 24 hours (unless IP change). Then again googlebot, bing, etc. (the real ones) are still looking for files that I haven’t had online in 16+ years, and I don’t know of any users who will try more than 20 non-existent pages, unless you have a witty, random not found page/text (I don’t, and never have).

But that is on the back burner because there is a lot of other stuff I want and need to get finished.

I also have a large list of country IP allocations in my block list, and that has helped immensely. The block list I have on my weather site is also highly aggressive because it's for local events. Somebody in Belarus definitely won't care about the weather in a small town in Ohio.

Your choice of course, but are you sure about that? Our wx-sites may also work as “preview pages” for travellers who look around for what the conditions are, just as one example.

Anyway, I would say the (real) bots like GBot are a way bigger problem than random kiddies or mistakes by users using old IPs. Not long ago I had Gbot hammering a sql-intensive page at a rate of 10 times per second. As a result, the dedicated server crashed and kept crashing until I did a temporary block of the whole Gbot until their rate-limiter got the limits updated. Sad thing is that Gbot’s rate-limit lasts only 3 months at a time so it needs to be updated every now and then.