Yandex ‘hack’ uncovers SQL Injection links
As part of our security practice, whenever we see an attack on one of our hosted sites, we will raise an alert and send it to the network block owners.

We need to first figure out the source of the attack. Fortunately, most attacks can be traced to a specific IP (internet protocol) address.

The IP address is like your car’s license plate. It is unique. It is registered. And we can look up the owner’s information. In our case, DNS registries will contain the needed information. We use IPinfo.io.

Of course, this source is likely from a compromised account/device/server. So we need to alert the system administrators as well. We locate the Network Owner and email an alert. This is one such email:

Of course, I wondered why Yandex (Russia’s equivalent of the Google search engine) would be seen attacking one of our hosted sites. I got the answer when the Yandex admin replied:

In other words, Yandex’s search engine robots blindly follow whatever links they see on the internet; that is their job. So this warranted a closer second look at our logs: there is a “GET” (not POST) request carrying an SQL injection type attack (note the UNION keyword):

And indeed the links were published online. I googled for the links to find where these links were posted, and it led to this Facebook group:
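One way to do that second look automatically, as an added example that is not code from the post: the script below parses constructed access-log lines (combined format), URL-decodes each query string until it is stable, flags UNION SELECT patterns, and tags hits whose user agent is a known crawler, since those usually mean a poisoned link was crawled rather than an attack by the crawler’s operator. The sample log lines, IPs and paths are all constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined format); not taken from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2023:13:55:40 +0000] "GET /page.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
203.0.113.30 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.40 - - [10/Oct/2023:13:56:05 +0000] "GET /page.php?id=1+union+all+select+1,2,3 HTTP/1.1" 500 120 "-" "curl/8.0"
"""

# ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# UNION-based injection marker, checked on the decoded query string.
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)
# Crawler tokens: a hit from one of these is usually a crawled poisoned link,
# so the abuse report belongs with the link's publisher, not the crawler's operator.
CRAWLER_RE = re.compile(r"\b(YandexBot|Googlebot|bingbot)\b", re.IGNORECASE)


def decode_query(target: str) -> str:
    """Query string of a request target, URL-decoded until stable (handles double encoding)."""
    query = urlsplit(target).query
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded query carries a UNION SELECT."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m["target"])
        if not UNION_RE.search(query):
            continue
        crawler = CRAWLER_RE.search(m["ua"])
        findings.append({
            "ip": m["ip"], "method": m["method"], "status": m["status"],
            "query": query, "crawler": crawler.group(1) if crawler else None,
        })
    return findings
```

Run `scan_log(SAMPLE_LOG)` on the constructed log: the two GET requests with UNION SELECT are reported, one attributed to YandexBot and one to a plain client.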
Reading and sending abuse emails and alerts can start conversations that lead to new insights that improve your security.