• Resolved gr33nman

    (@gr33nman)


    Below is a sample of code I’m getting from BPS.
    It looks like BPS is properly deflecting this hacker.
    I’d appreciate suggestions about how to get this guy to stop filling up my security log every day.

    I’ve got the suggested Brute Force Login Protection installed on .htaccess thus:

    # BRUTE FORCE LOGIN PAGE PROTECTION
    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ - [F,L]

    I also added this:

    # DENY BROWSER ACCESS TO LOGIN FOR UKRAINIAN HACKERS TRYING TO GET IN
    # wp-login.php
    <FilesMatch "^(/wp-login\.php|.*wp-login\.php.*)$">
    Order Allow,Deny
    Deny from 5.248.0.0/16
    Deny from 37.115.0.0/16
    Deny from 37.229.0.0/16
    Deny from 46.118.0.0/15
    Deny from 46.118.0.0/16
    Deny from 46.119.0.0/16
    Deny from 46.185.0.0/17
    Deny from 46.185.0.0/18
    Deny from 46.185.64.0/18
    Deny from 46.211.0.0/16
    Deny from 46.211.0.0/17
    Deny from 46.211.128.0/17
    Deny from 81.23.16.0/20
    Deny from 94.153.0.0/16
    Deny from 109.162.0.0/17
    Deny from 109.162.0.0/18
    Deny from 109.162.64.0/18
    Deny from 134.249.0.0/16
    Deny from 176.8.0.0/16
    Deny from 178.137.0.0/16
    Deny from 178.137.0.0/17
    Deny from 178.137.128.0/17
    Deny from 188.163.0.0/17
    Deny from 188.163.64.0/18
    Deny from 193.41.60.0/22
    Allow from all
    </FilesMatch>

    So why is this guy still trying to hack my website if he’s not able to get in?

    I thought about putting this into .htaccess at the bottom, but I’m not sure it will actually stop him from daily filling up my log.

    # BAN USER BY IP
    <Limit GET POST>
     order allow,deny
     allow from all
     deny from 5.248.87.146
    </Limit>

    Last week the same hacker had a different IP, same ISP.

    I have sent a request to the hacker’s ISP and a second request copied to the ISP and the ISP’s direct upstream provider asking them to stop the hacker. I’m really not sure what else to do.

    BPS SECURITY LOG
    =================
    =================
    
    ...
    
    [403 GET / HEAD Request: September 12, 2014 4:57 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 5.248.87.146
    Host Name: 5-248-87-146-broadband.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: http://nypsc.org/wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: 
    
    [403 GET / HEAD Request: September 12, 2014 4:57 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 5.248.87.146
    Host Name: 5-248-87-146-broadband.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: http://nypsc.org/wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: 
    
    [403 GET / HEAD Request: September 12, 2014 4:58 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 5.248.87.146
    Host Name: 5-248-87-146-broadband.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: http://nypsc.org/wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: 
    
    [403 GET / HEAD Request: September 12, 2014 4:58 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 5.248.87.146
    Host Name: 5-248-87-146-broadband.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: http://nypsc.org/wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: 
    
    [403 GET / HEAD Request: September 12, 2014 4:59 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 5.248.87.146
    Host Name: 5-248-87-146-broadband.kyivstar.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: http://nypsc.org/wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    https://wordpress.org/plugins/bulletproof-security/
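To see why these hits are being blocked and whether the single-IP ban would add anything, here is an added Python example (not BPS code and not from the poster): it parses the BPS Security Log layout shown above, replays the post's RewriteCond logic (blank User Agent or HTTP/1.0 on wp-login.php), and checks an address against a few of the networks from the post's Deny list. The two log entries and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the BPS Security Log layout from the post: entry 1 mirrors its
# blank-User-Agent hits, entry 2 (documentation address 203.0.113.7) tests the HTTP/1.0 branch.
SAMPLE_LOG = """\
[403 GET / HEAD Request: September 12, 2014 4:57 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 5.248.87.146
Host Name: 5-248-87-146-broadband.kyivstar.net
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: http://nypsc.org/wp-login.php
HTTP_USER_AGENT:

[403 GET / HEAD Request: September 13, 2014 6:10 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.7
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: http://nypsc.org/wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (constructed)
"""

# First few networks from the post's "Deny from" list, in the order given there.
DENY_NETS = [ipaddress.ip_network(n) for n in ("5.248.0.0/16", "37.115.0.0/16",
    "46.118.0.0/15", "46.118.0.0/16", "46.119.0.0/16", "46.185.0.0/17", "46.185.0.0/18")]


def parse_bps_log(text):
    """Split the log into entries; each entry becomes a dict of field -> value."""
    entries = []
    for block in re.split(r"\n(?=\[\d{3} )", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:  # skip the "[403 ... ]" header line
            if line.strip():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def brute_force_rule_fires(entry):
    """Mirror the post's RewriteCond chain: wp-login.php AND (blank UA OR HTTP/1.0)."""
    if "wp-login.php" not in entry.get("REQUEST_URI", ""):
        return False
    return entry.get("HTTP_USER_AGENT") == "" or entry.get("SERVER_PROTOCOL") == "HTTP/1.0"


def matching_deny_nets(ip):
    """Every Deny network covering ip; more than one means overlapping, redundant rules."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in DENY_NETS if addr in net]
```

For the post's own entries the blank User Agent alone is enough to fire the rule, and 5.248.87.146 already sits inside 5.248.0.0/16, so the extra `<Limit>` ban for that one address would not block anything new.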

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author AITpro

    (@aitpro)

    I’d appreciate suggestions about how to get this guy to stop filling up my security log every day.

    The Security Log is a lightweight static text file so that logging blocked hackers/spammers, etc. uses minimal resources. The Security Log automation will automatically email your Security Log to you and replace it with a new blank Security Log file when it reaches the max file size that you have chosen. Basically you do not need to do anything since everything is automated. If you do not want to see logged events then you can try to use the ignore user agent tools, but that is completely unnecessary. Typically automated spambots and hackerbots use standard/general user agents so there is nothing that is unique to ignore. Or of course you can turn off Security Logging. Hackers and spammers will still be blocked, but that information will not be logged.

    So why is this guy still trying to hack my website if he’s not able to get in?

    We get between 300,000 and 500,000 automated spambot and hackerbot attacks and Security Log entries per month. These are automated attacks that a human hacker or spammer initiated, but they are completely automated using hackerbots and spambots. Since the process of hacking and spamming websites is completely automated, there is no “him” or “her”, only bots that do what they do all day long every day – 24x7x365.

    I have sent a request to the hacker’s ISP and a second request copied to the ISP and the ISP’s direct upstream provider asking them to stop the hacker. I’m really not sure what else to do.

    You do not need to do anything. Automated hacking and spamming goes on 24x7x365, so as long as your site is protected from them then you do not need to do anything else.

    Plugin Author AITpro

    (@aitpro)

    Assuming that all questions were answered – thread has been resolved.

  • The topic ‘Non-Stop Hacker in BPS Log – How to stop?’ is closed to new replies.