Digital Ocean IPs hacking my site, searching for wp-login from a varied list of Digital Ocean IPs

September 1, 2017
System Tools CentOS DigitalOcean

Hello Digital Ocean,

For the last several days, a list of various Digital Ocean IPs has been hitting my dedicated server on the pages wp-login.php, xmlrpc.php and other pages, and the site is not using WordPress at all.
IPs:

and more..

This is making the site go offline and putting a huge load on the server. Every time, a new IP attacks, and all these IPs belong to you.

Please have a look into this.

Thanks & Regards.

3 Answers

Pretty pointless posting it here; this is the community, not your abuse/technical support.
Create a support ticket or email abuse@digitalocean.com.

WordPress hackers are everywhere. I don’t run WordPress and get the same nonsense, and very little from Digital Ocean. Basically you will need to harden your web server to give the WordPress hackers a time out. Fail2ban, for instance.

I have code in my webserver not to reply to any of the typical WordPress hacker requests. Unfortunately the hacker code is written so poorly that even if you do not reply, they keep requesting. Now the first step in fail2ban is to trap these WordPress hackers. Once you have them clearly delineated in the web server log, you can use fail2ban to filter their IPs.
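The log-based trapping described in the answer above, as an added example (not code from the thread and not fail2ban's own code): it flags clients that request WordPress-only paths on a site that has no WordPress, using a sliding window. The `maxretry` and `findtime` parameter names mirror fail2ban's jail options; the combined log format is an assumption, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# On a site without WordPress, any request for these paths is a probe.
# (The two file names are the ones reported in the question.)
PROBE = re.compile(r"/(?:wp-login|xmlrpc)\.php(?:\?|$)", re.I)
# Apache/nginx "combined" log line: client IP, timestamp, request path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample log (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2017:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2017:09:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 207 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Sep/2017:09:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2017:09:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Sep/2017:09:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Sep/2017:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Sep/2017:09:45:00 +0000] "GET /xmlrpc.php HTTP/1.1" 404 207 "-" "Mozilla/5.0"
""".splitlines()

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the hit that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of probe hits in the window
    offenders = {}
    for line in lines:            # lines are assumed to be in chronological order
        m = LINE.match(line)
        if not m or not PROBE.search(m.group(3)):
            continue              # unparseable line or an ordinary request
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > findtime:   # forget hits older than the window
            hits.popleft()
        if len(hits) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(ip, "reached maxretry at", when.isoformat())
```

With the default window, the second client's three probes are spread over 45 minutes and stay under the threshold; widening `findtime` is what catches slow scanners, at the cost of keeping more state per address.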

Wordfence is pretty good as a plugin; it will block the IP after 3 attempts. There is an option for a permanent IP block as well. It might be more user friendly than fail2ban; I actually think the plugin version of it is much less friendly than using it on a plain Ubuntu server with nano. But that is just me, I guess.

Harden the servers: definitely remove the version of Apache you are using and any other server information you can hide, as well as the version of WordPress you are using.
Run WPScan over your website, or Nikto (I think it's called Nikto), but WPScan is good enough. This will help tell you about the health of your plugins and whether they have any known serious flaws. 90% of your hackers are script kiddies just wanting to learn how to use Kali Linux. They are not a real threat, and if you can stop them from using a lot of your site's resources then really they are not a problem, more of a pest. Anyways, good luck. WPScan is your friend!
