Report of Malicious Activity & Attack Attempts on Account: almhdy.sd


Posted

Dear HelioHost Support,

I am writing to report sustained and aggressive malicious activity targeting my website almhdy.sd. My site is a simple static page (only index.html), but the server is receiving a high volume of automated attack attempts, which may be consuming shared server resources.

Executive Summary

My server logs show a continuous stream of automated attacks from multiple IP addresses, primarily focused on finding and exploiting vulnerabilities in WordPress and other CMS platforms. While these attacks are failing (returning 404 errors), the volume is significant.

Key Findings from Log Analysis

1. Sustained Reconnaissance & Exploitation Attempts:

   · My domain is being scanned by botnets for common web vulnerabilities.

   · Attackers are systematically probing for hundreds of different PHP shells, backdoors, and admin panels (e.g., shell.php, wp-filemanager.php, admin-ajax.php).

2. Primary Attacker IP Addresses:

   The most aggressive sources include:

   · 20.243.237.134 (Microsoft Azure) - Initial scanning wave

   · 4.217.198.31 (The Constant Company, LLC) - Massive, sustained attack with 200+ unique file requests

   · 20.222.117.51 (Microsoft Azure) - Continued high-volume attacks

   · 172.207.123.72 (OVH SAS) - WordPress-specific exploits

   · 2602:fa59:9:fb6::1 (Comcast) - Persistent probing

3. Types of Attacks Observed:

   · Web Shell Uploads: Attempts to access known malicious file managers.

   · WordPress Exploits: Targeting themes, plugins, and core files.

   · Information Disclosure: Attempts to access .env, .git/config, and wp-config.php files.

   · Directory Traversal: Attempts to browse restricted directories.

Evidence of Impact

· Resource Consumption: While the attacks are unsuccessful, the constant processing of these malicious requests consumes CPU cycles and bandwidth.

· Nginx Errors: The logs show numerous nginx error messages like "connect() failed (111: Connection refused) while connecting to upstream", which may be related to the high load or misconfiguration attempts from the attacks.

· ModSecurity Activity: Your WAF (ModSecurity) is correctly blocking some requests (e.g., for .git/config), confirming the malicious nature of this traffic.

My Configuration

I would like to emphasize that my website is extremely simple and not vulnerable to these attacks. It consists of a single index.html file with no PHP, WordPress, or database backend. The attacks are therefore harmless to my content but are an unnecessary load on the server.

Request for Assistance

Could you please investigate this activity from your side? Specifically:

1. Is this level of malicious traffic affecting other users on the shared server?

2. Are there any server-wide firewall rules or rate-limiting policies that can be adjusted to mitigate such automated attacks?

3. Can you monitor or consider blocking the most aggressive IP addresses listed above at the network level?

Thank you for your time and for providing a great hosting service.

Best regards,

almhdy24

Posted

This sort of traffic is basically normal for any website that's been around for more than a few weeks. It's almost entirely malicious bots that are searching for things like a vulnerable WordPress installation to break into or configuration files with database credentials so they can steal your data.

The nginx errors are usually because the server is overloaded. That's pretty normal for Johnny when server load is up. Apache restarts can also cause these. They're less of an issue on Tommy and nonexistent on Morty.

We generally just advise users to block unwanted traffic like this in .htaccess if they are causing load issues, though in your case you said they're hitting nonexistent files and getting 404 errors, which cause so little load that you likely won't even see it register on the load chart. We do not have an edge firewall or similar (we can't afford one due to our funding structure), though the server itself has a software firewall that we've used in severe cases to address an account under attack.

If you would like, you can also file an abuse report with the owners of the incoming IP addresses in question. You'll need to find the company that owns the IP (pretty easy to do by googling it), then follow whatever that company provides for an abuse complaint. I've had success reporting addresses that are based in the US and EU, but you're unlikely to receive responses from hosting companies in countries like Russia and China (if they even accept abuse reports), where this sort of activity is tolerated (if not legal).
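The two posts above describe a procedure without showing it: the original report summarises an access log by source IP and probe type (web shells, WordPress paths, .env / .git/config, traversal), and the reply suggests blocking the worst offenders in .htaccess once they actually cause load. The script below is an added example written for this thread; it is not code from either poster or from HelioHost. The log lines are constructed for the example, using the IP addresses listed in the report and request paths of the kinds it names, plus one ordinary visitor from the 203.0.113.0/24 documentation range. The probe patterns, the "at least N probes" threshold, and the Apache 2.4 `Require not ip` block it emits are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample of combined-format access log lines. The IPs are the ones
# listed in the report; the paths are typical of the probes it describes.
SAMPLE_LOG = """\
4.217.198.31 - - [12/May/2025:10:01:02 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
4.217.198.31 - - [12/May/2025:10:01:03 +0000] "GET /wp-filemanager.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
4.217.198.31 - - [12/May/2025:10:01:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
4.217.198.31 - - [12/May/2025:10:01:05 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0"
172.207.123.72 - - [12/May/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 404 196 "-" "curl/8.0"
172.207.123.72 - - [12/May/2025:10:02:01 +0000] "GET /wp-content/plugins/x/upload.php HTTP/1.1" 404 196 "-" "curl/8.0"
2602:fa59:9:fb6::1 - - [12/May/2025:10:03:00 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [12/May/2025:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:04:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe categories matching the report's headings. These patterns are an
# assumption for the example, not an exhaustive signature set; order matters,
# the first match wins.
PROBE_CATEGORIES = [
    ("web_shell", re.compile(r"(?:^|/)(?:shell|c99|r57|wso|filemanager|wp-filemanager)[^/]*\.php$", re.I)),
    ("wordpress", re.compile(r"/(?:wp-admin|wp-content|wp-includes|wp-login\.php|xmlrpc\.php|admin-ajax\.php)", re.I)),
    ("info_disclosure", re.compile(r"/(?:\.env|\.git/|wp-config\.php|\.htpasswd|\.svn/)", re.I)),
    ("traversal", re.compile(r"(?:\.\./|%2e%2e%2f|%2e%2e/)", re.I)),
]


def classify(path):
    """Return the probe category for a request path, or None if it looks ordinary."""
    for name, pattern in PROBE_CATEGORIES:
        if pattern.search(path):
            return name
    return None


def analyze(log_text):
    """Aggregate requests, error responses and probe categories per source IP."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "probes": Counter(), "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        rec["paths"].add(m["path"])
        if int(m["status"]) >= 400:
            rec["errors"] += 1
        category = classify(m["path"])
        if category:
            rec["probes"][category] += 1
    return per_ip


def aggressive_sources(per_ip, min_probes=3):
    """IPs with at least min_probes probe requests, most active first."""
    ranked = [(ip, sum(rec["probes"].values())) for ip, rec in per_ip.items()]
    ranked = [(ip, n) for ip, n in ranked if n >= min_probes]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


def htaccess_block(ips):
    """Render an Apache 2.4 .htaccess fragment that denies the given IPs (v4 and v6)."""
    lines = ["<RequireAll>", "    Require all granted"]
    for ip in sorted(ips, key=lambda s: (ip_address(s).version, int(ip_address(s)))):
        lines.append(f"    Require not ip {ip}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, rec in report.items():
        print(f"{ip:22} requests={rec['requests']:3} errors={rec['errors']:3} probes={dict(rec['probes'])}")
    offenders = aggressive_sources(report, min_probes=2)
    print("\nSources over threshold:", offenders)
    print("\n# .htaccess fragment to append (review before use):")
    print(htaccess_block([ip for ip, _ in offenders]))
```

Two design points follow from the reply's caveats. First, the threshold exists because 404s to a static site are nearly free, so a single stray probe is not worth a rule that Apache then evaluates on every request; only sustained sources are listed. Second, the addresses in the report belong to cloud providers, where an attacker's IP changes often, so a generated deny list should be regenerated from fresh logs rather than accumulated forever, and the per-IP summary (rather than just the raw log) is also the information an abuse desk wants to see.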
