In the last two weeks I’ve seen a steady increase of bots trying to exploit a remote command execution flaw on D-Link routers. The majority of the attacks are originating from IP blocks belonging to Telecom Egypt Data.
So today I’ve experienced a more significant than usual attack against WordPress installations hosted on one of our company servers. So far I’ve blocked more than 17000 21000 unique IP addresses, but the attackers seem to have an endless supply and they’re not slowing down. Note: This article was updated on January 27, 2018.
I’ve received a few hundred requests originating from bots setting site.ru as their referrer. These attacks are scanning for compromised WordPress installations and PHP-based shells and backdoors. The attacking IPs belong to compromised hosts and websites from service providers around the world.
About one and a half months ago I experienced a lot of botnet traffic originating from major cloud providers including Microsoft Azure. Against my better judgment I decided to see if reporting a few bad IPs to the MS CERT team would make a difference.
‘Tis the season to be cracking.
In the webhosting business we’re used to seeing an increase in attacks during the holidays, as most people by then are busy with real life. If you’re a cracker though, this is your favorite time of the year.
By working in the “web business” I do get my hands on a fair share of malware kits as attackers continuously try to infect any website available with their automated scripts.