= Malicious EC2's attempting to login to our WordPress site (also hosted on AWS) Any point reporting? =
We use the WordFence plugin on our Wordpress site and used to get about 1 or 2 'User locked out from signing in' emails a week regarding attempts to login to our WordPress admin panel, these are triggered when the plugin blocks more than 20 login failed attempts from that IP. In the last few days, this has spiked to about 50 of these emails a day where it seems like the same bad actor is really stepping up their attempts to gain access to our site and jumping between different EC2s as soon as our site blocks attempts from that IP.
The IP address and hostname are always EC2 instances and I've started reporting these to [email protected]. However, the AWS Trust and Safety team have already got confused and thought I was reporting our own EC2 instance and multiple times emailed our CTO telling him there have been reports of malicious use of our EC2, when in fact the EC2 and IP address I'm reporting are most definitely not ours (for example an EC2 in Tokyo, Colombus etc.) I think the confusion is that they ask for what the EC2 is trying to access and as we are also hosted in AWS they are searching and finding us rather than the culprit. It's becoming quite painful to explain that I'm reporting intrusions to my site rather than reporting the site itself and worried I even get our own AWS frozen in an attempt of mistaken identity trying to report these login attempts.
Had anybody got experience of reporting these situations, is it worth the effort?
It sounds like the source IP addresses were not made clear to them.
Provide them web server logs showing the source IP with the date and time stamps and the URLs that are being hit for the login.
They will contact the owner of the instances in almost every situation. Most likely someone is hosting a site that became compromised and they are unaware of it.
Reddit
