Attacks Every Weekend from Usual IPs & Networks

For the past couple of months, we have been experiencing coordinated attacks every weekend. These attacks are not rapid; instead, they appear to originate from the same networks and IP addresses, albeit from different countries, suggesting the use of a VPN. The duration of these attacks can be quite extensive, sometimes lasting a day or more.

These attacks typically commence late on Saturday nights and continue until Monday mornings. They involve probing and searching for system files, backups, stray PHP files, and WordPress plugins and themes.

Although most (if not all) of the attacks are successfully blocked, the same networks are consistently involved.

Here they are, listed in no particular order:

| IPs (CIDR) | Network/Company | ASN |
|---|---|---|
| 194.32.120.0/24 | UK Dedicated Servers Limited / VPN-Consumer-GB | AS42831 |
| 188.212.135.0/24 | IPXO LIMITED / Legaco Networks B.V. | AS206092 |
| 85.203.15.0/24 | Clouvider | AS62240 |
| 98.159.226.0/24 | UK-2 Limited | AS13213 |
| 45.92.228.0/24 | M247 Europe SRL / Panq B.V. | AS9009 |
| 185.221.132.0/24 | EstNOC-Global | AS206804 |
| 45.86.201.0/24 | EstNOC OY / Panq B.V. | AS206804 |
| 45.130.202.0/23 | GSL Networks Pty LTD / Legaco Networks B.V. | AS137409 |
| 94.46.160.0/20 | ALMOUROLTEC SERVICOS | AS24768 |
| 2.57.170.0/24 | IPXO LIMITED | AS206092 |
| 212.30.33.0/24 | IPXO LIMITED / M Nets SAL | AS206092 |

Data from https://ipinfo.io
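
To check whether your own logs show the same weekend pattern, the following added example (not part of the original post) matches access-log client IPs against the CIDRs in the table and counts hits inside and outside the Saturday-night-to-Monday-morning window. It assumes the common/combined access log format; the 20:00 and 12:00 cut-offs and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# CIDRs copied from the table above.
CIDRS = [
    "194.32.120.0/24", "188.212.135.0/24", "85.203.15.0/24",
    "98.159.226.0/24", "45.92.228.0/24", "185.221.132.0/24",
    "45.86.201.0/24", "45.130.202.0/23", "94.46.160.0/20",
    "2.57.170.0/24", "212.30.33.0/24",
]
NETS = [(ipaddress.ip_network(c), c) for c in CIDRS]

# Assumed log format: client IP, two identity fields, [timestamp], request...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

SAMPLE = [  # constructed log lines, not real traffic
    '194.32.120.17 - - [02/Mar/2024:23:41:07 +0000] "GET /wp-content/plugins/x/readme.txt HTTP/1.1" 403 199',
    '45.130.203.9 - - [03/Mar/2024:14:02:55 +0000] "GET /backup.zip HTTP/1.1" 403 199',
    '94.46.175.200 - - [04/Mar/2024:06:15:30 +0000] "GET /old.php HTTP/1.1" 404 153',
    '94.46.175.200 - - [06/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Mar/2024:09:00:00 +0000] "GET / HTTP/1.1" 200 5120',
]

def in_weekend_window(ts):
    """Late Saturday through Monday morning (cut-off hours are assumptions)."""
    wd = ts.weekday()  # Monday=0, Saturday=5, Sunday=6
    return (wd == 5 and ts.hour >= 20) or wd == 6 or (wd == 0 and ts.hour < 12)

def summarize(lines):
    """Count requests per listed CIDR, split into 'weekend' and 'other'."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        for net, cidr in NETS:
            if ip in net:
                hits[(cidr, "weekend" if in_weekend_window(ts) else "other")] += 1
                break
    return hits
```

A network whose count is concentrated in the `weekend` bucket matches the pattern described above; the weekday is taken in the timezone recorded in each log line.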