• Resolved jackelliott

    (@jackelliott)


    Hi, I’ve received this notification this morning:

    Someone accessed a script that was modified or created less than 10 hour(s) ago:

    SERVER_NAME : xxxxxxxxx.com < obfuscated by jackelliott, OP
    USER IP : 184.154.76.10
    SCRIPT_FILENAME: /var/chroot/home/content/23/xxxxxxx/html/sitelock_find_11294533.php
    REQUEST_URI : /sitelock_find_11294533.php
    Last changed on: April 10, 2017 @ 09:55:49 (UTC -0700)

    NinjaFirewall (WP Edition) – https://ninjafirewall.com/
    Support forum: https://www.ads-software.com/support/plugin/ninjafirewall

    I called my hosting company and they found that sitelock did a scan at that time, which lines up with the name of the file. When finished, sitelock probably removed the file. NinjaFirewall caught the event and mailed a notification, which is the behavior I like.

    But the IP address is worrying: Sitelock is headquartered in Scottsdale, AZ, USA, and 184.154.76.10 is assigned to SingleHop, an ISP in Chicago that has been noted as a source of spam and malware. And the Sucuri plugin sends daily reports of failed logins, all using usernames that we don’t have as FTP accounts — and most of them come from that same Chicago IP in the 184.154.0.0 – 184.154.255.255 netrange.

    So either Sitelock is using Singlehop, an ISP that is also rattling the site’s doorknob, to host its scanner, or NinjaFirewall is getting the source IP wrong.

    Maybe other options I’m not aware of.

    I have changed the ftp login password for sitelock in case someone has the credentials and is accessing the site through ftp.

Viewing 4 replies - 1 through 4 (of 4 total)
  • @jackelliot,

    I’m with SiteLock. We do have a large number of scans that originate from the Chicago data center you’ve mentioned. The same net range may be responsible for both placing/removing the file, as well as testing forms for XSS/SQLi which can sometimes be interpreted as failed logins if the form in question is a login form. All of the behavior mentioned is a part of the scanner’s regular operation. Please let me know if you have any additional questions, and feel free to reach out to us using the phone number on the main SiteLock website. Thanks!

    Thread Starter jackelliott

    (@jackelliott)

    Thank you, Logan. Good to hear that this is expected behavior.

    The suspicious attempts from that netrange trigger iThemes Security, which sends out a few of these notifications a week:

    Site Lockout Notification
    Host/User               Lockout in Effect Until   Reason
    Host: 184.154.139.52    Permanently               too many attempts to access a file that does not exist

    Is that also you guys?

    @jackelliot,

    It is indeed. One of the easier ways to tell if the IP is owned by us is through a quick lookup. We typically use a name like “placeholder.sitelock.com” or another subdomain from SiteLock.com.

    On Windows, open command prompt and type “nslookup 184.154.139.52” (without the quotes) and hit enter. It should return:

    Server:  UnKnown
    Address:  (removed)
    
    Name:    placeholder.sitelock.com
    Address:  184.154.139.52

    On Linux or a Mac, you can use “host 184.154.139.52” instead, which should return:
    52.139.154.184.in-addr.arpa domain name pointer placeholder.sitelock.com.

    • This reply was modified 7 years, 7 months ago by Logan Kipp.
    • This reply was modified 7 years, 7 months ago by bdbrown.
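The manual `nslookup` / `host` check above can be scripted so that every IP in a NinjaFirewall or iThemes notice is looked up the same way. The example below is added here and is not code from SiteLock, NinjaFirewall or the forum; it goes one step beyond the reply by forward-confirming the PTR name (FCrDNS), because anyone who controls a reverse zone can publish a PTR that merely claims to be `placeholder.sitelock.com`. The `.sitelock.com` suffix allow-list is an assumption taken from the reply, and the DNS tables embedded at the bottom are constructed so the script runs offline (only `184.154.139.52 -> placeholder.sitelock.com` comes from the thread; the RFC 5737 addresses and other names are made up).

```python
import ipaddress
import re
import socket

# Hostname suffix the SiteLock reply says its scanners use (assumed allow-list
# for this example; confirm against the vendor's own published ranges).
TRUSTED_SUFFIXES = (".sitelock.com",)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def reverse_lookup(ip, gethostbyaddr=socket.gethostbyaddr):
    """Return the PTR hostname for ip (lower-cased, no trailing dot), or None."""
    try:
        name, _aliases, _addrs = gethostbyaddr(ip)
    except (socket.herror, socket.gaierror, OSError):
        return None
    return name.rstrip(".").lower()


def forward_confirms(name, ip, getaddrinfo=socket.getaddrinfo):
    """FCrDNS check: the PTR name must resolve forward to the same ip."""
    try:
        infos = getaddrinfo(name, None)
    except (socket.gaierror, OSError):
        return False
    return any(sockaddr[0] == ip for _f, _t, _p, _c, sockaddr in infos)


def classify_ip(ip, gethostbyaddr=socket.gethostbyaddr, getaddrinfo=socket.getaddrinfo):
    """Classify one source IP taken from a firewall or lockout notice.

    Returns (verdict, ptr_name) where verdict is one of:
      "no-ptr"      - no reverse record; treat as unknown
      "other"       - PTR exists but is not under a trusted suffix
      "unconfirmed" - PTR claims a trusted name but does not resolve back to ip
      "sitelock"    - forward-confirmed trusted scanner hostname
    """
    ipaddress.ip_address(ip)  # raises ValueError on garbage input
    name = reverse_lookup(ip, gethostbyaddr)
    if name is None:
        return ("no-ptr", None)
    if not name.endswith(TRUSTED_SUFFIXES):
        return ("other", name)
    if not forward_confirms(name, ip, getaddrinfo):
        return ("unconfirmed", name)
    return ("sitelock", name)


def classify_notification_lines(lines, **resolvers):
    """Pull IPv4 addresses out of notification text and classify each once."""
    results = {}
    for line in lines:
        for ip in IPV4_RE.findall(line):
            if ip not in results:
                results[ip] = classify_ip(ip, **resolvers)
    return results


# --- Constructed offline DNS tables so the example runs without network access.
# 184.154.139.52 -> placeholder.sitelock.com is the lookup shown in the reply;
# the TEST-NET addresses (RFC 5737) and the other names are made up.
FAKE_PTR = {
    "184.154.139.52": "placeholder.sitelock.com.",
    "203.0.113.7": "placeholder.sitelock.com.",  # forged PTR: forward record points elsewhere
    "198.51.100.9": "mail.example.net.",
}
FAKE_A = {
    "placeholder.sitelock.com": ["184.154.139.52"],
    "mail.example.net": ["198.51.100.9"],
}


def fake_gethostbyaddr(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTR[ip], [], [ip])


def fake_getaddrinfo(name, port):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port or 0)) for a in FAKE_A[name]]


# Constructed notice lines, modelled on the NinjaFirewall and iThemes text in the thread.
SAMPLE_NOTICES = [
    "USER IP : 184.154.139.52",
    "Host: 203.0.113.7 \tPermanently \ttoo many attempts to access a file that does not exist",
    "Host: 198.51.100.9 \tPermanently \ttoo many attempts to access a file that does not exist",
    "Host: 192.0.2.1 \tPermanently \ttoo many attempts to access a file that does not exist",
]


def demo():
    """Run the classifier over the sample notices using the offline DNS tables."""
    return classify_notification_lines(
        SAMPLE_NOTICES, gethostbyaddr=fake_gethostbyaddr, getaddrinfo=fake_getaddrinfo
    )


if __name__ == "__main__":
    for ip, (verdict, ptr) in demo().items():
        print(f"{ip:<16} {verdict:<12} {ptr or '-'}")
```

To run it against live DNS, call `classify_notification_lines(lines)` with no resolver arguments and the real `socket` functions are used. A `sitelock` verdict only says the address is consistent with the vendor's naming; a decision to allow-list or to stop alerting on a range should still be checked against what the vendor publishes, and the `unconfirmed` case is the one worth a second look.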
    Thread Starter jackelliott

    (@jackelliott)

    Excellent — thank you.

  • The topic ‘Weird IP address reported in File Guard report’ is closed to new replies.