For the last few weeks, my feeds and federated timelines have been filled with absolutely brilliant marketing campaigns for Plausible Analytics, the new open-source privacy-focused website analytics tool. Plausible Analytics has enjoyed exponential growth and is frequently recommended by privacy-conscious voices in the FOSS community.
Last month we had an issue with a multitude of unwanted connections against our mail servers from a specific netblock in Argentina. In my experience, coordinated attacks from IP addresses originating from the same netblock usually indicate an issue on the ISP side.
Earlier this week I discovered an interesting Outlook.com phishing mail that had been caught by the anti-spam measures we deploy for our e-mail customers. Well, to be fair, the phishing attack itself was not anything new or sophisticated, but the choice of hosting provider was rather interesting.
Last week I noticed yet another ongoing brute-force attack against our managed WordPress hosting. The botnet is very low key and each bot connects on average only once per day. Up until now, I’ve collected in the ballpark of 3100 unique bots.
Like everyone else with an email address, I’ve been receiving these bitcoin extortion messages for months. I’ve also observed with ever greater dissatisfaction as scammers raked in tens of bitcoins within a week. What especially annoys me is not so much that people are falling for this scam, but that email service providers are simply looking the other way.
After the GhostProject started offering access to 1.4 billion credentials in the form of usernames with clear text passwords, I’ve seen an expected increase in attacks against customers’ e-mail accounts.
In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.
So today I’ve experienced a more significant than usual attack against WordPress installations hosted on one of our company servers. So far I’ve blocked more than 17000 21000 unique IP addresses, but the attackers seem to have an endless supply and they’re not slowing down. Note: This article was updated on January 27, 2018.
I’ve received a few hundred requests originating from bots setting site.ru as their referrer. These attacks are scanning for compromised WordPress installations and PHP-based shells and backdoors. The attacking IPs belong to compromised hosts and websites from service providers around the world.