Hello all,
It seems that IP 37.187.143.17 (the same IP used for gvectors.com) is part of a brute-force login botnet: https://bitninja.io/bnvl-2018-0009
There are many examples like the following proving that there actually were POSTs to wp-login.php from 37.187.143.17:
Date: 2019-03-14 13:03:34
Url: [sa###no.com/wp-login.php] Remote connection: [37.187.143.17:50003] Headers: [array ( 'Host' => 'sa###no.com', 'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0', 'Content-Length' => '101', 'Content-Type' => 'application/x-www-form-urlencoded', 'Accept-Encoding' => 'gzip', 'Connection' => 'close', )] Post data: [Array ( [log] => admin [pwd] => comj###u4a8 [wp-submit] => Log In [redirect_to] => http://sa###no.com/wp-admin/ [testcookie] => 1 ) ]
Date: 2019-03-23 10:51:25
37.187.143.17 - - [23/Mar/2019:08:50:09 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:21 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Many WAFs have already blocked your IP. I don't think this is legitimate behavior that is part of your plugin (a false positive on the WAFs), but something potentially dangerous; maybe malware on your server.
Could you please give us more information about this issue?
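Added example (not part of the original post): a small Python detector that parses access-log lines in the combined format quoted above and flags any client IP that POSTs to wp-login.php at least a threshold number of times within a time window, which is the pattern visible in the log excerpt. The sample log is the six POST lines quoted above plus one constructed benign line from the placeholder address 203.0.113.5; the threshold and window values are assumptions, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, as in the lines quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    # Returns (ip, datetime, method, path, status, user_agent) or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status")), m.group("ua")

def find_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    # Returns {ip: max_hits} for IPs with >= threshold POSTs to wp-login.php inside any `window`.
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        ip, ts, method, path, _status, _ua = rec
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(hits, flagged.get(ip, 0))
    return flagged

# Constructed sample: the POST lines quoted above, plus one benign request from a placeholder IP.
UA = '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"'
SAMPLE_LOG = [
    f'37.187.143.17 - - [23/Mar/2019:08:50:{s} +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" {UA}'
    for s in ("11", "13", "15", "17", "19", "21")
] + [f'203.0.113.5 - - [23/Mar/2019:08:50:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" {UA}']
```

Run against the real access log with `find_login_bruteforce(open("access.log"))`; the single benign GET is never counted because only POSTs to wp-login.php are tallied.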
Hi @brainlag,
Thank you for letting us know. There are many resources on our server. Most of those are not related to the gVectors Team and our product websites; there are different websites from different companies. It seems one of those websites was hacked and used for a brute-force attack. The issue is resolved. There should not be such cases these days. We'll contact the main WAFs and ask them to remove our IP address.