Recently, I noticed a comment on a friends Facebook page regarding the number of attempts at accessing the back end of his website which originated from China. I know malcontents hit my site all day long, but why not take a peek?
I jumped into my logs, just to see what the “China threatcon level” is currently. I kept it simple, and only targeted the last 1000 suspicious unique visits. A suspicious visit is one that either attempts an access through a vulnerability (SQL injection, PHP or server vulnerability, etc), or attempts forum/comment spam. I’ve built some scripts to detect this stuff, and store it in a tracking database for later use, like this reporting.
Of the 1000 visits, 687 hits came from China, with Ukraine coming behind at a distant second place with 95 attempts. Russia is in third place, with only 11 forum spam attempts.
Of note, it’s not the entire country of China that is burning up the interwebs. In going through the log files, I’ve found that there a few Class A netblocks, and a couple Class Bs where the majority of Chinese spam and break-in attempts come from:
- 27.x.x.x
- 110.x.x.x
- 117.26.x.x
- 125.78.x.x
- 72.46.x.x
Just to name a few.
Let’s be safe out there, people.
Here is a pie chart, if you’re hungry: