Attacks Every Weekend from Usual IPs & Networks
For the past couple of months, we have been experiencing coordinated attacks every weekend. These attacks are not rapid. They appear to originate from the same networks and IP addresses each time, albeit from different countries, suggesting the use of a VPN. The attacks can be quite long, sometimes lasting a day or more.
These attacks typically commence late on Saturday nights and continue until Monday mornings. They involve probing and searching for system files, backups, stray PHP files, and WordPress plugins and themes.
Although most (if not all) of the attacks are successfully blocked, the same networks are consistently involved.
Here they are, listed in no particular order:
IPs (CIDR) | Network/Company | ASN |
---|---|---|
194.32.120.0/24 | UK Dedicated Servers Limited / VPN-Consumer-GB | AS42831 |
188.212.135.0/24 | IPXO LIMITED / Legaco Networks B.V. | AS206092 |
85.203.15.0/24 | Clouvider | AS62240 |
98.159.226.0/24 | UK-2 Limited | AS13213 |
45.92.228.0/24 | M247 Europe SRL / Panq B.V. | AS9009 |
185.221.132.0/24 | EstNOC-Global | AS206804 |
45.86.201.0/24 | EstNOC OY / Panq B.V. | AS206804 |
45.130.202.0/23 | GSL Networks Pty LTD / Legaco Networks B.V. | AS137409 |
94.46.160.0/20 | ALMOUROLTEC SERVICOS | AS24768 |
2.57.170.0/24 | IPXO LIMITED | AS206092 |
212.30.33.0/24 | IPXO LIMITED / M Nets SAL | AS206092 |
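
One way to check an access log against this pattern, as an added example rather than the tooling used for the observations above: it counts probe-style requests per listed network and marks whether each falls in the weekend window. The combined log format, the probe path patterns, the window bounds (Saturday 18:00 to Monday 12:00) and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# CIDR ranges copied from the table above.
WATCHED = [ipaddress.ip_network(c) for c in (
    "194.32.120.0/24", "188.212.135.0/24", "85.203.15.0/24", "98.159.226.0/24",
    "45.92.228.0/24", "185.221.132.0/24", "45.86.201.0/24", "45.130.202.0/23",
    "94.46.160.0/20", "2.57.170.0/24", "212.30.33.0/24")]

# Assumed patterns for backups, stray PHP files, WordPress plugins/themes, system files.
PROBE = re.compile(r"\.(?:sql|zip|tar\.gz|bak|env|php)(?:$|\?)"
                   r"|/wp-content/(?:plugins|themes)/|/etc/passwd", re.I)

# Combined log format: ip ident user [time] "METHOD path proto" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

def in_weekend_window(ts):
    """Assumed bounds: Saturday 18:00 up to Monday 12:00, in the log's own timezone."""
    wd, hr = ts.weekday(), ts.hour  # Monday=0 ... Sunday=6
    return (wd == 5 and hr >= 18) or wd == 6 or (wd == 0 and hr < 12)

def summarize(lines):
    """Count probe requests per watched network, keyed by (cidr, in_weekend_window)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of an IP, or a malformed timestamp
        net = next((n for n in WATCHED if ip in n), None)
        if net is not None and PROBE.search(m.group(3)):
            hits[(str(net), in_weekend_window(ts))] += 1
    return hits

# Constructed sample lines (not real traffic); 2024-03-02 is a Saturday.
SAMPLE = [
    '194.32.120.15 - - [02/Mar/2024:23:41:07 +0000] "GET /backup.zip HTTP/1.1" 403 153',
    '45.130.203.9 - - [03/Mar/2024:04:12:55 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 403 153',
    '94.46.171.20 - - [04/Mar/2024:08:03:10 +0000] "GET /old/test.php HTTP/1.1" 404 153',
    '94.46.171.20 - - [06/Mar/2024:14:00:00 +0000] "GET /wp-login.php HTTP/1.1" 403 153',
    '203.0.113.7 - - [03/Mar/2024:10:00:00 +0000] "GET /backup.zip HTTP/1.1" 404 153',
    '194.32.120.15 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

`summarize(SAMPLE)` returns a counter keyed by `(cidr, in_window)`; a count that stays concentrated under `True` across several weeks of logs matches the weekend pattern described above.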