Question
Digital Ocean Ips hacking my site searching for wp-login from a various ip list of digital ocean
- Posted on September 1, 2017
- System ToolsDigitalOceanCentOS
Asked by webom
Hello Digital Ocean,
From last several days a list of various digital ocean ips are giving hits on my dedicated server on page wp-login.php, xmlrpc.php & other pages and the site is not using wordpress at all. Ips: 162.243.162.24 46.101.18.90
165.227.56.183 # Manually denied: 165.227.56.183 (US/United States/zig-crw-1504255563.1212) - Fri Sep 1 09:00:26 2017
67.207.92.28 # Manually denied: 67.207.92.28 (US/United States/zig-crw-1504245325.2423) - Fri Sep 1 06:48:23 2017
107.170.192.92 # Manually denied: 107.170.192.92 (US/United States/zig-crw-1504248742.2716) - Fri Sep 1 07:04:40 2017
165.227.92.100 # Manually denied: 165.227.92.100 (US/United States/zig-crw-1504248723.4785) - Fri Sep 1 07:05:11 2017
46.101.14.54 # Manually denied: 46.101.14.54 (GB/United Kingdom/zig-crw-1504241902.2201) - Fri Sep 1 05:06:38 2017
139.59.7.252 # Manually denied: 139.59.7.252 (IN/India/zig-crw-1504118782.3618) - Wed Aug 30 19:40:31 2017
165.227.22.75 # lfd: (CT) IP 165.227.22.75 (US/United States/zig-crw-1503821044.0411) found to have 116 connections - Sun Aug 27 08:06:52 2017
139.59.187.99 # lfd: (CT) IP 139.59.187.99 (GB/United Kingdom/zig-crw-1503821222.4455) found to have 136 connections - Sun Aug 27 08:09:51 2017
162.243.158.65 # lfd: (CT) IP 162.243.158.65 (US/United States/zig-crw-1503763082.6025) found to have 161 connections - Sat Aug 26 16:00:52 2017
192.241.198.212 # lfd: (CT) IP 192.241.198.212 (US/United States/zig-crw-1503687843.4358) found to have 108 connections - Fri Aug 25 19:08:11 2017
165.227.82.201 # lfd: (CT) IP 165.227.82.201 (US/United States/zig-crw-1503667083.6006) found to have 110 connections - Fri Aug 25 13:20:38 2017 165.227.107.27 # lfd: (CT) IP 165.227.107.27 (US/United States/zig-crw-1503673923.1553) found to have 140 connections - Fri Aug 25 15:15:48 2017 165.227.63.223 # lfd: (CT) IP 165.227.63.223 (US/United States/zig-crw-1503674163.4507) found to have 130 connections - Fri Aug 25 15:20:47 2017
138.68.176.30 # lfd: (CT) IP 138.68.176.30 (GB/United Kingdom/zig-crw-1503656823.1317) found to have 150 connections - Fri Aug 25 10:31:32 2017 139.59.84.110 # lfd: (CT) IP 139.59.84.110 (IN/India/zig-crw-1503657063.4773) found to have 130 connections - Fri Aug 25 10:36:04 2017 139.59.125.16 # Manually denied: 139.59.125.16 (SG/Singapore/zig-crw-1503660483.0719) - Fri Aug 25 11:35:44 2017
107.170.250.139 # lfd: (CT) IP 107.170.250.139 (US/United States/zig-crw-1503653404.3782) found to have 140 connections - Fri Aug 25 09:31:59 2017
and more…
This is making site to go offline and a huge load on server and every time a new ip attacks and all these ips belongs to you.
Please have a look into this.
Thanks & Regards.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
Hi there,
Regarding the IPs, you can send the list to DigitalOcean’s support team so they can handle this.
You can install malware detection software like Linux Malware Detect, also known as Maldet or LMD. It will help you to locate any malicious files on your droplet.
If you’re interested in securing your droplet (everyone should be in general) you can double-check our tutorial - An Introduction to Securing your Linux VPS.
The article will cover the basic and some more advanced steps in website and server security.
You can check the article here:
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Hope that this helps!
Wordfence is pretty good as a plugin it will block the ip after 3 attempts. There is an option for permanent ip block as well, it might be more user friendly than fail2ban, I actually think the plugin version of it is much less friendly than using it on a plain ubuntu server with nano. But that is just me I guess.
Harden the servers, definitely remove the version of apache you are using and any other server information you can hide as well as the version of word press you are using. Run wp scan over your website or nikkto I think its called nikkto, but wp scan is good enough this will help tell you about the health of your plugins and if they have any known serious flaws, 90% of your hackers are script kiddies just wanting to learn how to use kali linux they are not a real threat and if you can stop them from using a lot of your sites resources then really they are not a problem more of a pest. Anyways good luck. wp scan is your friend!
Wordpress hackers are everywhere. I don’t run wordpress and get the same nonsense, and very little from Digital Ocean. Basically you will need to harden your web server to give the wordpress hackers a time out. Fail2ban for instance.
I have code in my webserver not to reply to any of the typical wordpress hacker requests. Unfortunately the hacker code is written so poorly that even if you do not reply, they keep requesting. Now the first step in fail2ban is to trap these wordpress hackers. Once you have them clearly delineated in the web server log, you can use fail2ban to filter them IP.