MALWARE in ALIDROPSHIP FILES? Malicious activities in my site! -- NEW UPDATE: Website CAN NOT Be accessed on MOST COUNTRIES!

Victoria Kudryashova

Administrator
So should we block the IP address as advised by @Jefri? Please advise us ASAP as it's really very suspicious...
@ZAPPY: No, I haven't. I just read it. Thanks!
By the way, in that article, do you see that the suspicious IP address came from a Russian IP (.ru)?



@wahmmo: WP Cerber is a plugin to protect our site, and now he/she (WP Cerber) has become a suspect! LOL



@aminech: I don't use Social Rabbit, but another auto-poster plugin.


Well, it seems "someone" is watching our sites.
I don't know what for, but I am sure it's for criminal work!
When I noticed these suspicious activities, I changed my custom login URL in WP Cerber and other settings to make it harder. But this "unknown thing" can still connect to my site.

Maybe I am wrong, but I think there is MALWARE CODE inside the Alidropship plugin.
As far as I know, Alidropship plugins are built by the Alidropship official team with other 3rd-party developers.
And of course, it is very hard for Yaros and his trusted team to check the files one by one each time an update is released!

So, what will happen because of this issue?
* Very bad for our SEO rank on Google. Google will blacklist our site if malware is found on our site.
* Very bad for our buyers. Their PayPal email addresses will be used for criminal purposes.
Add your server IP to the white list of WP Cerber to prevent blocking of your site:

[Screenshot: Cerber Dashboard, 2018-04-19]
 

wahmmo

New Member
Add your server IP to the white list of WP Cerber to prevent blocking of your site:


The problem is coming from the alidropship server/IP address; what does our IP address have to do with it? What do we do about the suspicious activity logged as coming from alidropship server/IP addresses? Please give a more detailed and clear explanation about what is happening and how we can solve it.
 

Victoria Kudryashova

Administrator
The problem is coming from the alidropship server/IP address; what does our IP address have to do with it? What do we do about the suspicious activity logged as coming from alidropship server/IP addresses? Please give a more detailed and clear explanation about what is happening and how we can solve it.
We import product images in the background at short intervals. Cerber has its own security policy rules; it treats these background actions as suspicious and blocks the server where your site is located. To prevent this, add your server IP to the white list as described above.
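
As an added example (not part of the original posts, and not AliDropship or WP Cerber code), the script below shows one way a site owner could check the explanation above against their own logs: it groups logged requests by source IP, marks those that come from the site's own server address, and reports the interval between them. The log format, the addresses (documentation ranges) and the request paths are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not real logs): "<ISO time> <source IP> <path>".
# 192.0.2.10 stands in for the site's own server; the paths are assumed.
SAMPLE_LOG = """\
2018-04-19T14:20:00 192.0.2.10 /wp-admin/admin-ajax.php
2018-04-19T14:20:05 192.0.2.10 /wp-admin/admin-ajax.php
2018-04-19T14:20:10 192.0.2.10 /wp-admin/admin-ajax.php
2018-04-19T14:20:15 192.0.2.10 /wp-cron.php
2018-04-19T14:21:00 198.51.100.7 /wp-login.php
2018-04-19T14:25:30 198.51.100.7 /wp-login.php
not a log line
"""

def summarize_sources(log_text, server_ips):
    """Group requests by source IP and mark those made by the site's own server."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # unparseable timestamp or invalid IP address
        seen[src].append((when, parts[2]))
    report = {}
    for src, hits in seen.items():
        hits.sort()
        # Seconds between consecutive requests from the same source.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[str(src)] = {
            "origin": "own-server" if src in own else "external",
            "requests": len(hits),
            "median_gap_s": median(gaps) if gaps else None,
            "paths": sorted({p for _, p in hits}),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize_sources(SAMPLE_LOG, ["192.0.2.10"]).items():
        print(ip, info)
```

Pass the address your hosting panel reports for the site as `server_ips`; sources marked external are the ones the white-list advice does not cover.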
 

wahmmo

New Member
We import product images in the background at short intervals. Cerber has its own security policy rules; it treats these background actions as suspicious and blocks the server where your site is located. To prevent this, add your server IP to the white list as described above.
OK, so instead of adding the server IP address shown as suspicious to the blacklist to block it, as suggested by Jefri, you are saying to do the exact opposite and add it to the white list instead to grant it access, is that correct?
 

Jefri

Active Member
Ooh.. I use Wi-Fi for my internet connection. And I see that each time I log in to my admin, my IP address changes.
I think my IP changes every day

For example:
Yesterday, my IP was: 33.123.755.94
But today, my IP is: 33.123.757.12
 

Ekaterina Sayapina

Guest
Ooh.. I use Wi-Fi for my internet connection. And I see that each time I log in to my admin, my IP address changes.
I think my IP changes every day

For example:
Yesterday, my IP was: 33.123.755.94
But today, my IP is: 33.123.757.12
Some Internet providers change their IP addresses every few hours and some of them have permanent addresses. So, yours doesn't seem to have a permanent IP address.
 

Victoria Kudryashova

Administrator
OK, so instead of adding the server IP address shown as suspicious to the blacklist to block it, as suggested by Jefri, you are saying to do the exact opposite and add it to the white list instead to grant it access, is that correct?
I've described why this was happening and given our recommendations.
 

Jefri

Active Member
Some Internet providers change their IP addresses every few hours and some of them have permanent addresses. So, yours doesn't seem to have a permanent IP address.
Yes, my IP changes every time I log in. Should I whitelist every new IP address?

Yesterday I blacklisted IP address 5.45.73.48 from srv24.alidropship.com, and now I have removed it from the blacklist. I just want to know what will happen. Because since I followed the recommendation to whitelist my IP, nothing suspicious has been detected.
 

Victoria Kudryashova

Administrator
Yes, my IP changes every time I log in. Should I whitelist every new IP address?

Yesterday I blacklisted IP address 5.45.73.48 from srv24.alidropship.com, and now I have removed it from the blacklist. I just want to know what will happen. Because since I followed the recommendation to whitelist my IP, nothing suspicious has been detected.
The latest Cerber update caused this issue; we need more time to investigate this and understand whether we need to make this compatible or not, because there are now too many restrictions on Cerber's side which lead to inconvenience but not to more safety. Cerber protects only the admin area of your site (login). It doesn't provide complete security.
For now, as a temporary solution, you can add the IP address to the white list or use similar plugins for additional protection.
 

Jefri

Active Member
3NT Solutions is one of the most popular and trusted providers of IT solutions. We use them as a provider of an IP address subnet, that's it. Our servers are totally set up and supported by AliDropship technicians. No 3rd-party developers are involved, either here or in the AliDropship plugin development process.

That's the IP of srv24.alidropship.com.
Alidropship are hosting their content at 3NT Solutions. I have checked Google; 3NT Solutions has a bad reputation and some shady activities.

@aminech I think you're right about the bad reputation of 3NT.
Sometimes I could not access my website. I need to visit google.com or facebook.com or my other sites, then I can access my store site.

An hour ago, I ran some tests on my site and got very bad results.
My site cannot be accessed in most countries, including the USA!!!
Special NOTE to: @Yaros


Here are some of my tests:

(1) My first test used GtMetrix.com
On the first test I got an error like the picture below. Re-tested, it worked.. Re-tested again, it did not work. It means: my site is unstable!

site error.png

(2) Tested using Testomato (I found this tool by searching Google).
The interesting thing is that this tool tells me that my site gets an error every 8 seconds!

test-error1.png




(3) Using the UpTrends tool. This tool is very interesting!
It shows us which countries can or can't access our website.


test-error2.png



(4) Using the Site24x7 tool. This tool has the same result!

test-error3.png


@ZAPPY @wahmmo @aminech @Shahin09 @Jess @yes -- Check your website too!
 


ZAPPY

Active Member
@Jefri

Didn't get the same interesting results as you, and I'm also hosting on AliDropship

GtMetrix.com

01.JPG

Testomato

02.JPG

UpTrends

03.JPG


Site24x7 (not paying so no result to show here)

04.JPG
 

Jefri

Active Member
Yesterday I blacklisted IP address 5.45.73.48 from srv24.alidropship.com, and now I have removed it from the blacklist. I just want to know what will happen. Because since I followed the recommendation to whitelist my IP, nothing suspicious has been detected.

I think we still need to BLACKLIST that IP.
Suspicious activities came back after I removed that IP from the blacklist yesterday


unknown activity5.png
 

Jefri

Active Member
Why would I need to?
You don't need it if you don't want it.

But I tested it 2-3 times (using the Uptrends tool), and it shows:
* Yesterday: as in the result above
* Today:
- test 1: all fine
- test 2: about 6-8 checkpoints cannot open my site
- test 3: same as test 2
 

Jefri

Active Member
Did you read Victoria's explanation and temporary suggestion?


Why choose not to follow it?

Victoria mentioned to "whitelist", not to blacklist.
I tested it by removing the IP from the blacklist, and the suspicious activities appeared again.
So you need to do 2 actions: whitelist your IP and also blacklist that IP
 

Jefri

Active Member
@Victoria Kudryashova your solution to whitelist my own IP does not work. It's become more crazy LOL
I also blacklisted that IP but nothing is better. I have not checked yet whether it's only from srv24.alidropship.com or other attackers have joined too :D I will enjoy this show...


unknown activity6.png
 

Jefri

Active Member
2 main issues now:
(1) MALICIOUS activities from the Alidropship server with WP CERBER as suspect.
(2) A little hard to access my site in my country and other countries.
In my experience, when I get "Fail connection", I have to REFRESH the browser several times or visit another website, then I can access my store site.
IF I were a buyer, I would leave a store like this :( :( :(

Does issue no. 2 correlate with issue no. 1???
 