• Resolved Wendihihihi

    (@wendihihihi)


    I’m getting lots of blocked access to WP REST API in the WP Edition log files with Amazon’s IP address. Should I just whitelist this IP address or is there a chance that someone’s using Amazon’s IP address trying to get in?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Do you have any plugins that could be using the API? Jetpack or similar plugins? Is it always the same IP (you can try to check its reverse DNS to get its hostname)?

    Thread Starter Wendihihihi

    (@wendihihihi)

    It’s not always the same IP.

    01/Apr/18 08:51:50 #1385181 HIGH – 35.168.8.49
    31/Mar/18 04:00:52 #1810593 HIGH – 52.91.121.213
    31/Mar/18 05:03:02 #1638348 HIGH – 34.237.91.130
    27/Mar/18 02:56:29 #7903347 HIGH – 34.232.66.130
    24/Mar/18 05:53:42 #3610245 HIGH – 52.86.163.5
    23/Mar/18 11:18:56 #1773979 HIGH – 54.165.6.113
    18/Mar/18 23:56:57 #4059187 HIGH – 34.224.6.191

    All are Amazon Technologies.

    Active plugins

    akismet
    all-in-one-seo-pack
    allow-php-in-posts-and-pages
    autoptimize
    banhammer
    catch-ids
    easy-noindex-and-nofollow
    lightbox-gallery
    mail-on-update
    map-categories-to-pages
    ninjafirewall
    reduce-bounce-rate
    responsive-video-embeds
    si-contact-form
    simple-wp-sitemap
    stops-core-theme-and-plugin-updates
    tablepress
    user-role-editor
    wp-youtube-lyte

    No Jetpack installed.

    Plugin Author nintechnet

    (@nintechnet)

    Keep blocking them, I don’t see anything good in that list of IPs. There are plenty of Amazon IPs used by hackers. See this NinjaFirewall log sample:

    12/Mar/18 19:44:11  #8861828  CRITICAL  1383  34.233.71.75     GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
    13/Mar/18 09:41:17  #3882688  CRITICAL  1383  52.79.48.26      GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css] 
    13/Mar/18 10:37:57  #3922335  MEDIUM     306  52.79.48.26      GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.01; Trident/4.1)]
    17/Mar/18 22:51:42  #8079525  MEDIUM       -  54.204.235.162   GET /wp-login.php - Blocked access to the login page - [bot detection is enabled]
    
    Thread Starter Wendihihihi

    (@wendihihihi)

    Yes, I didn’t have a good feeling about it. Thanks for the reply.

    Thread Starter Wendihihihi

    (@wendihihihi)

    Think you are right. They start using Google’s IP addresses as well.

    07/Apr/18 09:59:57 #3482182 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:files = ../../../../wp-config.php]
    07/Apr/18 09:59:59 #8840135 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:file_link = /etc/passwd]
    07/Apr/18 10:00:01 #1602006 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:url = /etc/passwd]
    07/Apr/18 10:00:07 #8718888 CRITICAL 3 35.185.112.111 GET /index.php – Local file inclusion – [GET:filepath = /etc/passwd]
    07/Apr/18 10:00:08 #6950473 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:fileName = ../../../../../../../../../../etc/passwd]
    07/Apr/18 10:00:09 #8196319 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:filename = ../../../../../../../../../etc/passwd]
    07/Apr/18 10:00:27 #6978542 CRITICAL 1369 35.185.112.111 POST /index.php – Remote command execution – [POST:execute = wp_insert_user]


The topic ‘Amazon hammering WP REST API’ is closed to new replies.
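
An added example, not part of the original thread and not NinjaFirewall's own code: Python that parses log lines in the layout shown in the excerpts above, groups blocked events by source IP so the allowlist decision rests on what each address did rather than on who owns it, and runs the reverse DNS check suggested in the first reply (with forward confirmation added, which goes beyond what the reply describes). The field layout is inferred from the excerpts, and the names `parse_line`, `summarize` and `fcrdns` are hypothetical.

```python
import re
import socket
from collections import defaultdict

# Layout inferred from the excerpts in this thread (an assumption, not a spec):
# date time #incident LEVEL rule IP [METHOD URI - reason - [detail]]
LINE = re.compile(
    r"(?P<ts>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+#(?P<incident>\d+)\s+"
    r"(?P<level>[A-Z]+)\s+(?P<rule>\d+|[-–])\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+[-–]\s+(?P<reason>.*?)"
    r"\s+[-–]\s+\[(?P<detail>.*)\])?\s*$"
)
RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}  # levels seen in this thread

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group blocked events by source IP: count, worst level, distinct reasons."""
    out = defaultdict(lambda: {"events": 0, "worst": None, "reasons": set()})
    for rec in filter(None, map(parse_line, lines)):
        s = out[rec["ip"]]
        s["events"] += 1
        if s["worst"] is None or RANK.get(rec["level"], 0) > RANK.get(s["worst"], 0):
            s["worst"] = rec["level"]
        if rec["reason"]:  # short lines (level, rule, IP only) carry no reason
            s["reasons"].add(rec["reason"])
    return dict(out)

def fcrdns(ip, rev=socket.gethostbyaddr, fwd=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name, only if it resolves back to ip."""
    try:
        host = rev(ip)[0]
        return host if ip in fwd(host)[2] else None
    except OSError:  # no PTR record, or the name does not resolve
        return None

SAMPLE = """\
01/Apr/18 08:51:50 #1385181 HIGH – 35.168.8.49
13/Mar/18 09:41:17  #3882688  CRITICAL  1383  52.79.48.26      GET /wp-admin/admin-ajax.php - Unrestricted file upload - [GET:client_action = get_captions_css]
13/Mar/18 10:37:57  #3922335  MEDIUM     306  52.79.48.26      GET /index.php - Bogus user-agent signature - [SERVER:HTTP_USER_AGENT = Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.01; Trident/4.1)]
07/Apr/18 09:59:57 #3482182 CRITICAL 1 35.185.112.111 GET /index.php – Directory traversal – [GET:files = ../../../../wp-config.php]
07/Apr/18 10:00:27 #6978542 CRITICAL 1369 35.185.112.111 POST /index.php – Remote command execution – [POST:execute = wp_insert_user]
""".splitlines()  # lines copied from the excerpts in this thread

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["events"], s["worst"], sorted(s["reasons"]))
```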