gvectors.com IP seems to be part of Bruteforce Login botnet.  

brainlag
(@brainlag)
New Member

Hello all,

it seems that IP 37.187.143.17 (the same IP used for gvectors.com) is part of a brute force login botnet: https://bitninja.io/bnvl-2018-0009

there are many examples like the following proving that there actually were POSTs to wp-login.php from 37.187.143.17:

Date: 2019-03-14 13:03:34

Url: [sa###no.com/wp-login.php]
Remote connection: [37.187.143.17:50003]
Headers: [array (
  'Host' => 'sa###no.com',
  'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
  'Content-Length' => '101',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Accept-Encoding' => 'gzip',
  'Connection' => 'close',
)]
Post data: [Array
(
    [log] => admin
    [pwd] => comj###u4a8
    [wp-submit] => Log In
    [redirect_to] => http://sa###no.com/wp-admin/
    [testcookie] => 1
)]


Date: 2019-03-23 10:51:25

37.187.143.17 - - [23/Mar/2019:08:50:09  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:11  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:13  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:15  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:17  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:19  0000] "GET /wp-login.php HTTP/1.1" 200 11868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.187.143.17 - - [23/Mar/2019:08:50:21  0000] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Many WAFs have already blocked your IP. I don't think this is legitimate behavior, part of your plugin (a false positive on WAFs), but something potentially dangerous; maybe malware on your server.

Could you please give us more information about this issue?

Posted : 05/04/2019 4:15 pm
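The access-log excerpt above shows the pattern a defender can alert on: one IP alternating GET/POST to wp-login.php every two seconds. Note that the site answers each POST with a 301, so the request is redirected (likely to https or www) before the login handler runs; a WordPress-side failed-login counter would see nothing, and the web server log is where this shows up. The following is an added example, not code from the thread or from gVectors: a small Python parser for the combined log format plus a sliding-window counter of POSTs to wp-login.php per IP. The sample lines are constructed to mirror the excerpt (same IP, same User-Agent, same GET/POST cadence, plus one constructed benign IP from the documentation range); the threshold, window and the second IP are assumptions, and the timezone field is ignored (all lines assumed to share a zone), which also tolerates the stripped "+" in the post's copy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on the excerpt in the post (not real captured data).
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
SAMPLE_LOG = "\n".join(
    f'37.187.143.17 - - [23/Mar/2019:08:50:{9 + 2 * i:02d} +0000] "{m} /wp-login.php HTTP/1.1" {s} {b} "-" "{UA}"'
    for i, (m, s, b) in enumerate([("GET", 200, 11868), ("POST", 301, 230)] * 6)
) + f'\n198.51.100.7 - - [23/Mar/2019:08:50:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{UA}"\n'

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date_part = m.group("ts").split()[0]  # drop the zone field ("+0000", or "0000" as pasted)
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(date_part, "%d/%b/%Y:%H:%M:%S"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # ignore any query string
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max_posts_in_window} for IPs with >= threshold POSTs to wp-login.php inside `window`."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))  # the constructed bot IP is flagged with 6 POSTs
```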
Tom
(@tomson)
Support Team Admin

Hi @brainlag,

Thank you for letting us know. There are many resources on our server. Most of those are not related to the gVectors Team and our product websites; there are different websites from different companies. It seems one of those websites was hacked and used for a brute force attack. The issue is resolved. There should not be such cases these days. We'll contact the main WAFs and ask them to remove our IP address.

Posted : 05/04/2019 6:02 pm