Data Security Note: Its Okay To Snitch.

Someone asked me whether calling out a “hacker” makes you a snitch. I smiled and told them that being a snitch is decent. People who don’t like snitches are doing things they are ashamed of, and they know it. In IT we need to be snitches a lot more, and loudly.

It’s pretty fun being your own web host, maintaining your own cloud resources and setting up the security protocols and so forth. We’ve hosted about 300 sites at various points and presently maintain 120, all of which are internal projects and resources. This volume creates a lab for SEO experiments and, incidentally, security lessons.

I’d say the single biggest threat to a web site I’ve learned about is inactivity. Simply leaving a site to its own devices leads to returning and finding someone else has been there. These exercises are great opportunities to learn from. I started creating pages titled with the IP address of bad actors, because it’s important to share information.

I’m looking closely at these rows of the log report (columns: rank, hits, hits %, files, files %, KBytes, KBytes %, visits, visits %, hostname):

3 1055 3.25% 573 2.73% 1394347 13.27% 261 3.53% 5.188.210.89
4 995 3.07% 865 4.13% 28421 0.27% 1 0.01% static.17.137.9.176.clients.your-server.de
5 981 3.03% 533 2.54% 1462595 13.92% 242 3.27% 5.188.210.84
6 859 2.65% 466 2.22% 1158921 11.03% 221 2.99% 5.188.210.83
7 789 2.43% 486 2.32% 1226681 11.68% 180 2.43% 5.188.210.85
8 512 1.58% 155 0.74% 520837 4.96% 102 1.38% 195-154-183-75.rev.poneytelecom.eu

The .de suggests Germany and the .eu supports that with the European Union. Also, .ru email addresses are red flags among the site’s subscribers and users. Russians… cute, but uncivil.

The ultimateseo.wtf site bandwidth maxed out alarmingly early this past month. I set relatively low bandwidth limits on test sites so that they alert me when a site with nothing unusual on it earns an unusual level of attention. That brought ultimateseo.wtf to my desk today, and according to the logs the traffic went via the FAQ section, which makes no sense. Why the FAQs of a test site might attract 10 GB of data transfer suggests a malicious event. Primarily that attention came from the IPs above.

5.188.210.x

What is known of this identity?

Source: whois.ripe.net
IP Address: 5.188.210.84
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '5.188.210.0 - 5.188.210.255'

% Abuse contact for '5.188.210.0 - 5.188.210.255' is '[email protected]'

inetnum: 5.188.210.0 - 5.188.210.255
netname: AlkonavtNetwork
descr: Dedicated Servers & Hosting
remarks: abuse contact: [email protected] [1]
country: RU
admin-c: BJA12-RIPE
org: ORG-BJA2-RIPE
tech-c: BJA12-RIPE
status: SUB-ALLOCATED PA
mnt-by: MNT-PINSUPPORT
created: 2018-07-22T18:47:38Z
last-modified: 2018-07-22T18:47:38Z
source: RIPE

organisation: ORG-BJA2-RIPE
org-name: Bashilov Jurij Alekseevich
org-type: OTHER
address: Data center: Russia, Saint-Petersburg, Sedova str. 80. PIN Co. LTD (ru.pin)
abuse-c: BJA13-RIPE
mnt-ref: MNT-PINSUPPORT
mnt-by: MNT-PINSUPPORT
created: 2015-12-17T21:42:47Z
last-modified: 2018-07-22T18:50:42Z
source: RIPE # Filtered

person: Bashilov Jurij Alekseevich
address: 111398, Russia, Moscow, Plehanova str. 29/1-90
phone: +79778635845
nic-hdl: BJA12-RIPE
mnt-by: MNT-PINSUPPORT
created: 2015-12-16T04:19:25Z
last-modified: 2018-07-22T18:58:31Z
source: RIPE

% Information related to '5.188.210.0/24AS34665'

route: 5.188.210.0/24
descr: PIN DC
origin: AS34665
mnt-by: MNT-PIN
mnt-by: MNT-PINSUPPORT
created: 2019-11-11T07:41:06Z
last-modified: 2019-11-11T07:41:06Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.96 (WAGYU)

Now notice that, oddly, no proxy appears to be in use. Or is one being used? A web search of the person’s name turns up a forum noting that this network IS a proxy. So anything from here is likely the end of my trace, but it’s good enough. This network is in league with them.

5.188.210.8 is blacklisted by 28 websites using IP Blacklist Cloud Plugin.

5.188.210.8 Details from APNIC

Object: Value
inetnum: 5.188.210.0 - 5.188.210.255
Netname: AlkonavtNetwork
Descr: Dedicated Servers & Hosting
Country Code: RU
Country: Russian Federation
Person: Bashilov Jurij Alekseevich
Address: 111398, Russia, Moscow, Plehanova str. 29/1-90
Phone: +79778635845
Hostname: PIN DC
Source: APNIC

You see they have been listed for a while on IP blacklists. Normally this is a non-issue, as I block traffic from many trouble countries. But this test site was a test. Things were different, and that’s alright because we learn from it. Primarily that Bashilov Alekseevich isn’t worth allowing access to your or anyone’s network. He’s a pussy and he serves as the front for people wasting my time.

5.188.210.0/24 CIDR

So the next obvious thing is not to block the individual IPs but the whole block, since we see several IPs in the same range. CIDR 5.188.210.0/24 basically means 5.188.210.0 through 5.188.210.255. Now we can block it in the site, but that’s the least we can do. Networking, as you may recall, comes down to 7 layers, and we can take this block to a higher layer. The server level would block communication on the whole server, but I still feel that’s too close to the target. Digital Ocean’s firewall would be my preferred place to block communication. But to my knowledge you are unable to specifically block communication on a certain port from a specific IP. You can block everyone and list everyone allowed, but the reverse isn’t available. Correct me if I’m wrong in the comments.
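To make the two steps above concrete (reading the Top Sites rows, then deciding that the whole /24 rather than single addresses is the thing to block), here is an added Python example; it is not code from the original post and the report rows it parses are constructed from the table above in Webalizer’s Top Sites layout. It groups literal-IP rows by /24 with the standard library’s ipaddress module, flags any network where several distinct hosts together pull a lot of bandwidth, expands a CIDR to its first and last address, and produces an iptables rule text for review. The thresholds (two hosts, one million KBytes) are assumptions chosen for the sample, and reverse-DNS hostnames are deliberately not resolved because the example runs offline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the layout of a Webalizer "Top Sites" report:
# rank hits hits% files files% kbytes kbytes% visits visits% hostname
SAMPLE_ROWS = """\
3 1055 3.25% 573 2.73% 1394347 13.27% 261 3.53% 5.188.210.89
4 995 3.07% 865 4.13% 28421 0.27% 1 0.01% static.17.137.9.176.clients.your-server.de
5 981 3.03% 533 2.54% 1462595 13.92% 242 3.27% 5.188.210.84
6 859 2.65% 466 2.22% 1158921 11.03% 221 2.99% 5.188.210.83
7 789 2.43% 486 2.32% 1226681 11.68% 180 2.43% 5.188.210.85
8 512 1.58% 155 0.74% 520837 4.96% 102 1.38% 195-154-183-75.rev.poneytelecom.eu
"""


def parse_rows(text):
    """Parse report rows into dicts; the hostname is always the last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10:
            continue  # skip headers, blank lines and anything malformed
        rows.append({
            "hits": int(parts[1]),
            "files": int(parts[3]),
            "kbytes": int(parts[5]),
            "visits": int(parts[7]),
            "host": parts[9],
        })
    return rows


def host_to_ip(host):
    """Return an IP address object if the host field is a literal address,
    else None. Reverse-DNS names (the .de and .eu rows) are not resolved:
    this runs offline, and reverse names are controlled by whoever owns the
    address space, so they are not trusted for grouping."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def aggregate_by_prefix(rows, prefix_len=24):
    """Sum hits and KBytes per /prefix_len network across literal-IP rows."""
    nets = defaultdict(lambda: {"hosts": set(), "kbytes": 0, "hits": 0})
    for r in rows:
        ip = host_to_ip(r["host"])
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[net]["hosts"].add(str(ip))
        nets[net]["kbytes"] += r["kbytes"]
        nets[net]["hits"] += r["hits"]
    return nets


def blocks_to_consider(rows, min_hosts=2, min_kbytes=1_000_000, prefix_len=24):
    """Networks where several distinct hosts together pull a lot of bandwidth.
    Thresholds are assumptions for this sample; tune them per site."""
    out = []
    for net, stats in aggregate_by_prefix(rows, prefix_len).items():
        if len(stats["hosts"]) >= min_hosts and stats["kbytes"] >= min_kbytes:
            out.append((str(net), len(stats["hosts"]), stats["kbytes"]))
    return sorted(out)


def cidr_range(cidr):
    """First and last address covered by a CIDR, e.g. .0 and .255 for a /24."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def in_block(ip, cidr):
    """True if the address falls inside the CIDR range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def drop_rule(cidr):
    """Server-level (netfilter) rule text dropping inbound traffic from the
    block; returned as text so it can be reviewed before being applied."""
    ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    return f"iptables -I INPUT -s {cidr} -j DROP"


if __name__ == "__main__":
    for net, hosts, kbytes in blocks_to_consider(parse_rows(SAMPLE_ROWS)):
        lo, hi = cidr_range(net)
        print(f"{net} ({lo} - {hi}): {hosts} hosts, {kbytes} KBytes")
        print("  " + drop_rule(net))
```

Run as a script it reports the single /24 from the sample and the rule that would drop it; the aggregation step is what turns four separate log rows into one block decision, and the threshold on distinct hosts keeps a single noisy address from causing a whole network to be blocked.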

So server level it is. Now, for added distance we could put a server with the firewall on it between the world and the web server, but at this point that may be overboard. There’s already a Cloudflare layer of security on most sites; incidentally this site was not using Cloudflare, normally they do, but I just wanted to shake things up. Then a firewall in the cloud, then a firewall and ModSecurity on the server. Then, on the site, a firewall and security scanning. To add another server with a firewall just to block one pussy on a test site isn’t worth the time.

I’ll continue to review the data and assess the test site’s likely compromised files. Incidentally the site didn’t have our recommended security plugins in place but different security plugins. WP-Cerber remains our recommended plugin and has now been added to replace the apparently defeated plugin that I won’t name.

If you’re a webmaster, I encourage you to share the IPs of problem connections. I never call these folks hackers, because that’s not what they are… they’re opportunists. They exploit an opportunity, such as an inactive site, or one that doesn’t use updated software.

Updating your site is the second biggest thing, after activity, that decides whether security wins or loses.


The post Data Security Note: Its Okay To Snitch. appeared first on Ultimate SEO | Backlinks, Audits & More.
