<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi Mik,</p>
    <p>I don't host others' sites these days but I do keep a close eye
      on suspicious requests to my pastebin site (dpaste.com) and
      maintain a blocklist. Out of curiosity I looked for the IPs you
      shared;  none of them are currently on my list. No SQL injection
      attempts either (though lots of 404s looking for wp-login.php).<br>
    </p>
    <p>Because of the whack-a-mole syndrome you identify, last year I
      moved to a dynamic blocking setup. I have automation to detect and
      block bad-behaving IPs; then I age them out if they go three days
      without reoffending.</p>
    <p>The list is typically 1000 to 2000 IPs long.<br>
    </p>
    <p>I've had good results from this, and zero complaints from users
      whose IP happened to have been previously used by a
      botnet/spammer.<br>
    </p>
    <p></p>
    <p>Good luck!</p>
    <p>P<br>
    </p>
    <p> </p>
    <div class="moz-cite-prefix">On 2/15/21 2:53 PM, Michael Muller via
      Hidden-discuss wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:26c6a1fb-cc9b-2115-1692-059518fc497a@montaguewebworks.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <p><font face="Calibri">Hey HT web hosts out there,</font></p>
      <p><font face="Calibri">Due to recent hacking attempts against our
          servers, I have installed an IP Tracker that tracks and blocks
          any aggressive activity.</font></p>
      <p><font face="Calibri">Starting late last week we've found a
          growing number of IP numbers that appear to be attempting SQL
          Injection attacks. I've pasted a few snippets from our logs,
          below.</font></p>
      <p><font face="Calibri">Anyone else seeing this kind of activity
          on their servers? Every time I block an IP number they move to
          another IP number. The list of IPs hitting us is growing, and
          moving across multiple hosts.<br>
        </font></p>
      <p><font face="Calibri">So far, I've contacted four different
          server hosts about the traffic coming from their servers. By
          far the most "infected" appears to be the Unified Layer family
          of hosting companies, which includes HostGator Mexico,
          webhostbox Bigrock India, and a number of others. Additional
          sources of the attacks are Hetzner.com from Germany; Ozkula
          from Turkey; and ColoCrossing from Buffalo NY. I'm sure more
          will be added as the days go on.<br>
        </font></p>
      <p><font face="Calibri">Stay safe.</font></p>
      <p><font face="Calibri">Mik<br>
        </font></p>
      <pre class="moz-signature" cols="72"><font size="-2"><font face="Courier New, Courier, monospace">94.130.76.249         13:38:44        fitzgerald-realestate.com       term=0 /%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249   13:38:45        fitzgerald-realestate.com       term=0' /z'0=A
94.130.76.249   13:38:47        fitzgerald-realestate.com       /z term=%2f**%2fcOnVeRt(int%2c(char(33)%2bchar(126)%2bchar(33)%2b(char(65)%2bchar(66)%2bchar(67)%2bchar(49)%2bchar(52)%2bchar(53)%2bchar(90)%2bchar(81)%2bchar(54)%2bchar(50)%2bchar(68)%2bchar(87)%2bchar(81)%2bchar(65)%2bchar(70)%2bchar(80)%2bchar(79)%2bchar(73)%2bchar(89)%2bchar(67)%2bchar(70)%2bchar(68))%2bchar(33)%2bchar(126)%2bchar(33)))
94.130.76.249   13:38:59        fitzgerald-realestate.com       /z term=0%20AND%201=1
94.130.76.249   13:39:01        fitzgerald-realestate.com       /z term=0999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
94.130.76.249   13:39:03        fitzgerald-realestate.com       /z term=099999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
94.130.76.249   13:39:04        fitzgerald-realestate.com       /z term=099999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
94.130.76.249   13:39:06        fitzgerald-realestate.com       /z term=0%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
94.130.76.249   13:39:07        fitzgerald-realestate.com       /z term=0%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%27x%27=%27x
94.130.76.249   13:39:09        fitzgerald-realestate.com       /z term=0%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x
</font></font></pre>
      <pre class="moz-signature" cols="72"><font size="-2"><font face="Courier New, Courier, monospace">37.247.110.108        08:14:38        Greenfield-MA.gov                       /z term=Licensing%20AND%201=1
37.247.110.108  08:14:42        Greenfield-MA.gov                       /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
37.247.110.108  08:14:44        Greenfield-MA.gov                       /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x
37.247.110.108  08:14:46        Greenfield-MA.gov                       /z term=Licensing99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x
</font></font></pre>
      <pre class="moz-signature" cols="72"><font face="Courier New, Courier, monospace"><font size="-1">192.3.204.226         14:58:55        Greenfield-MA.gov                       /z term=Licensing
192.3.204.226   14:58:56        Greenfield-MA.gov                       /z term=Licensing2121121121212/1
192.3.204.226   14:58:57        Greenfield-MA.gov                       /z term=Licensing%20AND%201=1
192.3.204.226   14:58:59        Greenfield-MA.gov                       /z term=Licensing999999/1%20union%20select%20unhex(hex(version()))%20--%20and%201%3D1
192.3.204.226   14:59:00        Greenfield-MA.gov                       /z term=Licensing99999%27%20union%20select%20unhex(hex(version()))%20--%20%27x%27=%27x</font></font>
</pre>
      <pre class="moz-signature" cols="72">---
Mik Muller, president
Montague WebWorks
239-R Main Street, Greenfield, MA
413-320-5336
<a class="moz-txt-link-freetext" href="http://MontagueWebWorks.com" moz-do-not-send="true">http://MontagueWebWorks.com</a>
Powered by ROCKETFUSION</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Paul Bissex, software engineer
<a class="moz-txt-link-freetext" href="http://paulbissex.com/">http://paulbissex.com/</a>
Greenfield MA 01301 USA
413-230-9451</pre>
  </body>
</html>