Casual and open discussion about how certain addresses are targeted for hacking.
-
One of our servers has about 380 WordPress sites on it and the latest site added is under tremendous stress with WordPress login attempts.
I am curious how it has come to be that the other 379 sites have not experienced any noticeable hacking activity, but this one in particular is getting hammered.
It's a sustained attack against the domain name and not the IP.
This little, and brand new site has burned through 20GB of bandwidth in 22 days. It sure got our attention.
The problem appears to be resolved with some custom regex rules in our firewall, so now it is a matter of time before the load drops.
I'm just curious about what captures the attention of bots? Or was it just luck of the draw?
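
An added example, not part of the original post: one way to confirm from logs that login traffic is aimed at one domain rather than at the server's IP is to count WordPress login POSTs per virtual host. It assumes Apache's `vhost_combined` log layout; the hostnames, IPs, log lines and the 50% share threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout (Apache "vhost_combined"): vhost:port client - user [time] "request" status bytes ...
LINE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# WordPress endpoints that accept credentials.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
old-domain.example:443 203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
old-domain.example:443 203.0.113.11 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
old-domain.example:443 198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
old-domain.example:443 203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
quiet-site.example:443 192.0.2.44 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
quiet-site.example:443 192.0.2.44 - - [01/Jan/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 52000 "-" "Mozilla/5.0"
"""

def login_pressure(log_text):
    """Per vhost: login POST count, distinct client IPs, response bytes."""
    stats = defaultdict(lambda: {"posts": 0, "ips": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in LOGIN_PATHS:
            continue
        s = stats[m["vhost"]]
        s["posts"] += 1
        s["ips"].add(m["ip"])
        s["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return stats

def hot_vhosts(stats, min_share=0.5):
    """Vhosts receiving at least min_share of all login POSTs on the server."""
    total = sum(s["posts"] for s in stats.values())
    return sorted(v for v, s in stats.items() if total and s["posts"] / total >= min_share)

if __name__ == "__main__":
    stats = login_pressure(SAMPLE_LOG)
    for vhost in hot_vhosts(stats):
        s = stats[vhost]
        print(vhost, s["posts"], "login POSTs from", len(s["ips"]), "IPs,", s["bytes"], "bytes")
```

A single vhost with a dominant share from many client IPs, while the others stay quiet, points at name-based targeting; login POSTs landing on the default vhost would instead suggest scanning by IP.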
-
You assume it is bots. It easily is not. But there are tons of reasons...
- Who registered the domain.
- The domain name.
- The domain subject matter.
- The IP used by the domain.
- Previous owners or uses of the domain.
- Happenstance.
- Technology or settings on the site.
- Look and feel of the site.
Just as examples.
-
Think about a domain like expertsexchange. At first you are like "why would a bot care about IT experts talking to each other". But then you realize that it has sex change hidden in the URL by accident. Now it's obvious why it is a target.
Something as simple as that, that no human picks up on, might be seen by a bot, which then chooses one site as a target over another.
-
Is the site fleshed out with SEO terms?
-
@Grey said in Casual and open discussion about how certain addresses are targeted for hacking.:
Is the site fleshed out with SEO terms?
No. It's a brand new WordPress site at a new server for a domain that has been active for 20 years.
The problem has been resolved with rules.
I really just wanted to discuss how it is that bots (or others) decide to attack a site.......
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
I really just wanted to discuss how it is that bots (or others) decide to attack a site.......
He is. SEO can be a trigger for it.
-
@scottalanmiller said in Casual and open discussion about how certain addresses are targeted for hacking.:
He is. SEO can be a trigger for it.
I really didn't want the discussion to revolve around the site I had an issue with.
That would pigeonhole the conversation to the specifics of that site.
I really wanted to discuss how sites are chosen for attack. I find all the different reasons to go after one site over another to be very interesting.
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
I really wanted to discuss how sites are chosen for attack. I find all the different reasons to go after one site over another to be very interesting.
Well sure, so he was asking about that site specifically, but make it general. SEO can be a reason why a site is attacked. Good SEO, bad SEO, or just weird SEO artefacts.
-
I'm assuming the site was also under attack prior to moving hosts. Have you confirmed that with the site owner?
-
@Danp said in Casual and open discussion about how certain addresses are targeted for hacking.:
I'm assuming the site was also under attack prior to moving hosts. Have you confirmed that with the site owner?
Yes, it was not. Which is why it is so weird (to me).
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
@Danp said in Casual and open discussion about how certain addresses are targeted for hacking.:
I'm assuming the site was also under attack prior to moving hosts. Have you confirmed that with the site owner?
Yes, it was not. Which is why it is so weird (to me).
It's why I'm guessing that the most likely thing is something about the name of the URL.
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
Yes, it was not. Which is why it is so weird (to me).
Or maybe it was being attacked and the other hosting company had previously blocked the requests like you did.
-
@Danp said in Casual and open discussion about how certain addresses are targeted for hacking.:
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
Yes, it was not. Which is why it is so weird (to me).
Or maybe it was being attacked and the other hosting company had previously blocked the requests like you did.
It was not. It is brand new.
-
@scottalanmiller Oh... I guess I misunderstood when the OP stated
No. It's a brand new WordPress site at a new server for a domain that has been active for 20 years.
So the WP site is brand new, but is associated with a long existing domain.
-
@Danp said in Casual and open discussion about how certain addresses are targeted for hacking.:
@scottalanmiller Oh... I guess I misunderstood when the OP stated
No. It's a brand new WordPress site at a new server for a domain that has been active for 20 years.
So the WP site is brand new, but is associated with a long existing domain.
I thought both were new.
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
This little, and brand new site
Brand new site was in the OP. I assumed all aspects of it were new.
-
@JasGot said in Casual and open discussion about how certain addresses are targeted for hacking.:
It's a brand new WordPress site at a new server for a domain that has been active for 20 years.
But only the site is new, the URL is old.