Internet Attack Categories
This site uses a low-threshold, ephemeral approach to deciding whether to list an IP address. In other words, it doesn't take many attempts to make it onto my blocklists, which is why they contain many IPs not on other lists. But IPs are also quickly and automatically removed once they stop acting maliciously.
At present, these are the kinds of attacks the servers in the group generating my blocklists record and report.
Port Scanning / Sniffing
Port scanning, or "sniffing," is when a potential attacker scans a server for open ports, especially those associated with services that may enable them to compromise the machine. These service ports include (but are not limited to) the default ports associated with SSH, RD, Plesk, Webmin, and Dropbox.
The servers in the group from which the blocklists on this site are compiled do not use the default ports for these services. That makes them convenient honeypots for would-be hackers, crackers, and miscreants. Once the firewall detects a port scan attempt against these or other commonly-used default ports, the IP address is blocked and added to the database.
Distributed Brute-Force Attacks
This is a simultaneous, brute-force attack by a number of different IP addresses against vulnerable services of a particular server. Because server firewalls typically block an IP address after a certain number of failed logins, the attacker uses a large number of IP addresses in the hope of getting more opportunities to guess the password. Services attacked typically include those that must be exposed to the Internet, such as SSH, FTP, SMTP, and mail services.
Hits on HTTP Hacker Honeypot
Every blog script, forum script, and other content-management system has certain default pages that the legitimate site owner can use to log into and manage the site. For example, two of the most common default login pages are /wp-login.php and /xmlrpc.php, both of which are used by WordPress.
If a site doesn't use the CMS software associated with a default login page (or if they've changed the location of that page), then the default pages make handy places to plant honeypots to trap Internet miscreants looking for sites to hack, deface, or otherwise compromise.
Honeypots can also be planted on URLs besides login pages if those pages are known to have security vulnerabilities. As with login traps, the purpose of these honeypots is to trap would-be hackers trying to access them.
Web Contact Form Spam
These are failed attempts to send mail through a Web-based contact form by IP addresses that managed to get past all the other safeguards. In order to be included on these lists, an attacker had to get as far as trying to send the mail, which was then detected as spam and rejected.
Multiple Failed Logins
These IP addresses actually attempted, but failed, to log into SSH, FTP, cPanel, SMTP, or other services. After a certain number of failures, they are blocked by the firewall and added to the blocklists.
It's important to note that the vast majority of these attacks are carried out by robots using IP addresses of computers that have been compromised in some way, such as by a virus. If you use the lists on this site, make sure to update or purge them regularly, or else you eventually will start blocking legitimate traffic.
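To make the low-threshold, ephemeral listing policy described at the top of this page concrete, here is an added example (not this site's own code) of a tiny blocklist that lists an address after a small number of events per category, treats any request for /wp-login.php or /xmlrpc.php on a host that does not run WordPress as a honeypot hit, and drops addresses that have been quiet for a while, which is the automatic purge the paragraph above asks list users to perform. The thresholds, expiry period, category names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed per-category thresholds: one honeypot hit, port scan or spam attempt
# is enough; failed logins need a few attempts before the address is listed.
THRESHOLDS = {"honeypot_http": 1, "port_scan": 1, "failed_login": 3, "form_spam": 1}
# Assumed quiet period after which an address drops off the list again.
EXPIRY = timedelta(days=2)
# Default CMS login pages this (assumed non-WordPress) host does not serve.
HONEYPOT_PATHS = {"/wp-login.php", "/xmlrpc.php"}


class Blocklist:
    def __init__(self):
        self.hits = defaultdict(lambda: defaultdict(int))  # ip -> category -> count
        self.last_seen = {}                                 # ip -> time of last bad event

    def record(self, ip, category, when):
        self.hits[ip][category] += 1
        self.last_seen[ip] = when

    def record_http(self, ip, path, when):
        # A request for a login page we do not use is a honeypot hit; anything else is ignored.
        if path in HONEYPOT_PATHS:
            self.record(ip, "honeypot_http", when)

    def listed(self, ip):
        return any(n >= THRESHOLDS[c] for c, n in self.hits.get(ip, {}).items())

    def purge(self, now):
        # Ephemeral listing: forget addresses quiet for longer than EXPIRY.
        stale = [ip for ip, t in self.last_seen.items() if now - t > EXPIRY]
        for ip in stale:
            self.hits.pop(ip)
            self.last_seen.pop(ip)
        return stale

    def export(self, now):
        self.purge(now)
        return sorted(ip for ip in self.hits if self.listed(ip))


def demo():
    """Constructed sample events; returns the exported list at two points in time."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    bl = Blocklist()
    bl.record_http("198.51.100.7", "/wp-login.php", t0)   # listed on the first hit
    bl.record_http("203.0.113.9", "/index.html", t0)      # legitimate path, not recorded
    for i in range(2):                                     # two failures: still below threshold
        bl.record("203.0.113.9", "failed_login", t0 + timedelta(minutes=i))
    bl.record("192.0.2.44", "port_scan", t0)
    first = bl.export(t0 + timedelta(hours=1))
    bl.record("203.0.113.9", "failed_login", t0 + timedelta(days=1))  # third failure: listed
    second = bl.export(t0 + timedelta(days=3))             # the two day-one addresses have expired
    return first, second
```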
This page will be updated as new categories are added.