gvectors.com IP seems to be part of Bruteforce Login botnet.

2 Posts
2 Users
0 Reactions
4,173 Views
(@brainlag)
Posts: 1
New Member
Topic starter
 
[#3755]

Hello all,

it seems that IP 37.187.143.17 (the same IP used for gvectors.com) is part of a brute force login botnet: https://bitninja.io/bnvl-2018-0009

there are many examples like the following proving that there actually were POSTs on wp-login.php from 37.187.143.17:

Date: 2019-03-14 13:03:34

Url: [sa###no.com/wp-login.php]
Remote connection: [37.187.143.17:50003]
Headers: [array (
  'Host' => 'sa###no.com',
  'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
  'Content-Length' => '101',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Accept-Encoding' => 'gzip',
  'Connection' => 'close',
)]
Post data: [Array
(
    [log] => admin
    [pwd] => comj###u4a8
    [wp-submit] => Log In
    [redirect_to] => http://sa###no.com/wp-admin/
    [testcookie] => 1
)
]


Date: 2019-03-23 10:51:25

37.187.143.17 - - [23/Mar/2019:08:50:09 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19 +0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:21 +0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Many WAFs have already blocked your IP. I don't think this is legit behavior, part of your plugin (false positive on WAFs), but something potentially dangerous; maybe malware on your server.

Could you please give us more information about this issue?


 
Posted : 05/04/2019 4:15 pm
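The access-log excerpt above shows the pattern a defender would look for: repeated POSTs to wp-login.php from one address a couple of seconds apart. The following is an added example, not code from the thread or from gVectors, that parses Apache combined-format lines and flags source IPs whose POSTs to the login page exceed a threshold inside a sliding time window; the sample log, the addresses in it and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the layout of the lines quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_login_bursts(lines, path="/wp-login.php", window=timedelta(seconds=60), threshold=5):
    """Return {ip: max POSTs to `path` inside any `window`} for IPs at or above `threshold`.
    Query strings are ignored when matching `path`; lines that do not parse are skipped."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample (not the poster's log): six GET/POST pairs two seconds apart from a
# documentation-range address, plus one ordinary login from another address.
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
def _sample_line(ip, ts, method, status, size):
    return f'{ip} - - [{ts} +0000] "{method} /wp-login.php HTTP/1.1" {status} {size} "-" "{UA}"'

SAMPLE_LOG = [
    _sample_line("203.0.113.5", f"23/Mar/2019:08:50:{9 + i:02d}",
                 *(("GET", 200, 11868) if i % 2 == 0 else ("POST", 301, 230)))
    for i in range(12)
] + [_sample_line("198.51.100.7", "23/Mar/2019:08:55:00", "POST", 302, 0)]
```

Running `find_login_bursts(SAMPLE_LOG)` flags only 203.0.113.5 with six POSTs in the window; a single legitimate login stays below the threshold.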
 Tom
(@tomson)
Posts: 4245
Famed Member Admin
 

Hi @brainlag,

Thank you for letting us know. There are many resources on our server. Most of those are not related to gVectors Team and our product websites. There are different websites from different companies. It seems one of those websites was hacked and used for a brute force attack. And the issue is resolved. There should not be such cases in current days. We'll contact the main WAFs and ask them to remove our IP address.


 
Posted : 05/04/2019 6:02 pm