Since December 18, I have noticed strange behavior in my blog's statistics:
The blue line is the number of hits per day and the orange line is the number of visitors. As you can see, the number of visitors is quite stable (around 40). However, the blue line exhibits heavy spikes:
date | December 18 | December 25 | December 26 | December 27 | December 31 |
---|---|---|---|---|---|
hits | 3511 | 3502 | 3483 | 3521 | 3472 |
The number of hits on these spike days is quite stable. Another noticeable fact is that each time, the IP has a Ukrainian origin and delivers exactly the same number of hits:
date | December 18 | December 25 | December 26 | December 27 | December 31 |
---|---|---|---|---|---|
IP | 91.200.12.114 | 91.200.12.113 | 91.200.12.115 | 91.200.12.115 | 91.200.12.92 |
Hostname | a170786571.example.com | sv1.shenmiren.net | a17078657.example.com | a17078657.example.com | kehu1101.com |
hits | 3422 | 3422 | 3422 | 3422 | 3422 |
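The pattern in the two tables (one IP accounting for roughly 3400 hits in a single day while the visitor count stays flat) is straightforward to detect from raw access logs, and the same aggregation yields the list of IPs to ban at the firewall, which is the step mentioned in the conclusion. The following Python script is an added example, not code from the original post: it parses constructed Apache "combined" log lines, aggregates hits and distinct visitors per day, counts requests to the WordPress login endpoints (wp-login.php and xmlrpc.php) per IP, flags days whose hits-per-visitor ratio jumps, and emits iptables drop rules for the offending IPs. The log lines, the visitor IPs (198.51.100.0/24), the year 2016, and the thresholds are all assumptions; the attacking IP 91.200.12.114 and the 3422 count are taken from the table above.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: IP, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints a WordPress brute-forcer hammers: the login form and the XML-RPC API.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-day hits, per-day distinct visitors, per-(day, ip) hits and login attempts."""
    hits_per_day = Counter()
    visitors_per_day = defaultdict(set)
    hits_per_day_ip = Counter()
    login_attempts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["day"], rec["ip"])
        hits_per_day[rec["day"]] += 1
        visitors_per_day[rec["day"]].add(rec["ip"])
        hits_per_day_ip[key] += 1
        # strip any query string before comparing the path
        if rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            login_attempts[key] += 1
    visitors = {day: len(ips) for day, ips in visitors_per_day.items()}
    return hits_per_day, visitors, hits_per_day_ip, login_attempts


def spike_days(hits_per_day, visitors_per_day, ratio=10.0):
    """Days on which hits per distinct visitor exceed `ratio` (the blue-line spikes above)."""
    return sorted(day for day, n in hits_per_day.items()
                  if visitors_per_day.get(day, 0) and n / visitors_per_day[day] > ratio)


def flag_bruteforcers(login_attempts, threshold=100):
    """IPs that sent at least `threshold` login requests on a single day (assumed threshold)."""
    return sorted({ip for (_, ip), n in login_attempts.items() if n >= threshold})


def iptables_rules(ips):
    """Drop rules for a host firewall: the 'ban these IPs' step of the conclusion."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]


def make_sample_log():
    """Constructed log lines: a quiet day, then a day with a 3422-request login flood."""
    lines = []
    for day in ("17/Dec/2016", "18/Dec/2016"):
        # 40 ordinary visitors (constructed, documentation range 198.51.100.0/24), two pages each
        for k in range(1, 41):
            for path in ("/", "/some-post/"):
                lines.append('198.51.100.%d - - [%s:12:%02d:00 +0000] "GET %s HTTP/1.1" 200 8765 "-" "Mozilla/5.0"'
                             % (k, day, k, path))
    # one IP posting to wp-login.php 3422 times on the second day, mirroring the table above
    for i in range(3422):
        lines.append('91.200.12.114 - - [18/Dec/2016:%02d:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'
                     % (i // 3600, (i // 60) % 60, i % 60))
    return lines


if __name__ == "__main__":
    hits, visitors, per_ip, logins = summarize(make_sample_log())
    for day in sorted(hits):
        print(day, "hits:", hits[day], "visitors:", visitors[day])
    print("spike days:", spike_days(hits, visitors))
    bad = flag_bruteforcers(logins)
    print("brute-force IPs:", bad)
    print("\n".join(iptables_rules(bad)))
```

Run against a real log by replacing `make_sample_log()` with the lines of the access log file. The hits-per-visitor ratio is the useful signal here because, as the tables show, the visitor count barely moves while a single host inflates the hit count; counting only requests to the login endpoints keeps legitimate crawlers from being flagged.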
Well, it definitely looks very strange. I was wondering what on earth that was. Then I found this article from a cybersecurity company, Wordfence, which monitors traffic on websites running WordPress:
At Wordfence we constantly monitor the WordPress attack landscape in real-time. Three weeks ago, on November 24th, we started seeing a rise in brute force attacks. As a reminder, a brute force attack is one that tries to guess your username and password to sign into your WordPress website.
Wordfence adds that most of the brute force attacks come from Ukraine, and in particular from a small set of 8 IPs. That set includes 91.200.12.114 and 91.200.12.92, which are the origin of the suspicious hits of December 18 and December 31. An interesting detail from the Wordfence article:
These IPs all belong to the same organization and are on the same network. Doing a Google search on the top IP brings back many reports of abuse around the Internet. They belong to a hosting company in Ukraine called “Pp Sks-lugan”. The servers are a mix. Some aren’t running any services. Others appear to be running Windows IIS web server.
These IPs are using brute force attacks exclusively. They don’t launch any sophisticated attacks. They are hammering away at WordPress sites at a rate of over a quarter million login attempts each, in some cases, during a 24-hour period.
Pp Sks-lugan is a tiny company, but a huge number of attacks come from its servers. According to an update from Wordfence, this company is located in Alchevs’k in eastern Ukraine. The city is now under separatist control. Moreover, the IP range of this company involved in the brute force attacks is known for criminal activity. Mark Maunder, the CEO of Wordfence, made a key point:
In cyber security, attributing attacks to an individual or state is very difficult, sometimes impossible. Attackers on the Internet can route their traffic through as many servers in as many countries as they like before they reach their target.
The Russian intervention in Ukraine makes attribution of attacks even more complex. Using a Ukrainian Internet service provider gives Russia the ability to launch attacks globally with plausible deniability.
It makes sense that disputed areas like eastern Ukraine and Syria are a hotbed of malicious activity because they provide attackers with means, motive and opportunity. Occupying forces have the means to launch their attacks by using local ISPs. They have several motives: they want to benefit from the attack itself and also discredit local businesses or government. And they have plenty of opportunity as these regions are usually occupied for years.
This statement was attacked by pro-Putin trolls, who said it was a political claim by the CEO. Well, it is just a fact.
If you look at the Wordfence statistics, as Reynald Flécheaux of the French technology magazine Silicon did, you may have noticed that France is the second-largest origin of brute force attacks on WordPress websites. Indeed, Online (the host of debian-economist.eu) and OVH together account for more than 11% of the attacks. Nonetheless, they are far bigger hosts than Pp Sks-lugan.
To conclude, I changed my password to a stronger one to be safe, and I will install a firewall very soon to ban these bad IPs.