MALWARE in ALIDROPSHIP FILES? Malicious activities in my site! -- NEW UPDATE: Website CAN NOT Be accessed on MOST COUNTRIES!

[Victoria Kudryashova]

so should we block the ip address as advised by @Jefri? Please advise us asap as it's really very suspicious...

@ZAPPY : No i haven't. I just read it. Thanks!
by the way, in that article, do you see that suspicious IP address came from Russia IP ( .ru)



@wahmmo : wp cerber is a plugin to protect our site, and now he/she (wp cerber) has become a suspect! LOL



@aminech : i don't use social rabbit. but another auto poster plugin


Well, it seems "someone" is watching our sites.
I don't know for what, but i am sure it's for criminal work!
When i noticed this suspicious activities, i changed my custom login url on WP Cerber and other setting to make it more harder. But this "unknown thing" still can connect to my site.

Maybe i am wrong, but i think there is a MALWARE CODE inside Alidropship plugin.
As i know, Alidropship plugins is build by Alidropship official team with others 3th party Developers.
And of course, it is very hard for Yaros and his trusted team to check one by one of files each time an update was released!

So, What will happen for this issue?
* Very bad for our SEO Rank on Google. Google will blacklist our site if a malware found in our site.
* Very bad for our buyers. Their PayPal email address will be used for criminal.

Add your server IP to the white list of WP Cerber to prevent blocking of your site:

 

[wahmmo]

Add your server IP to the white list of WP Cerber to prevent blocking of your site:

View attachment 3900

The problem is coming from alidropship server/ip address, what does our ip address have to do with it? What do we do about the suspicious activity logged as coming from alidropship server/ip addresses? please give a more detailed and clear explanation about what is happening and how we can solve it.

 

[Victoria Kudryashova]

The problem is coming from alidropship server/ip address, what does our ip address have to do with it? What do we do about the suspicious activity logged as coming from alidropship server/ip addresses? please give a more detailed and clear explanation about what is happening and how we can solve it.

We make product images import In background with short intervals, Cerber has its own security policy rules and it takes these actions in background as suspicious and it blocks server where your site is located. To prevent this add your server IP in white list as described above.

 

[wahmmo]

We make product images import In background with short intervals, Cerber has its own security policy rules and it takes these actions in background as suspicious and it blocks server where your site is located. To prevent this add your server IP in white list as described above.

ok, so instead of adding the server ip address shown as suspicious in blacklist to block it as suggested by Jefri, you are saying to do the exact opposite and add it to white list instead to grant it access, is that correct?

 

[Jefri]

Okay, i have added my IP address to whitelist. Let's see what happen next.

 

[Jefri]

Ooh.. i use WI FI for internet connection. And i see each time i login to my admin, my IP address is change.
I think my IP changes everyday

for example:
Yesterday, my IP is: 33.123.755.94
But Today, my IP is: 33.123.757.12

 

[Ekaterina Sayapina]

Ooh.. i use WI FI for internet connection. And i see each time i login to my admin, my IP address is change.
I think my IP changes everyday

for example:
Yesterday, my IP is: 33.123.755.94
But Today, my IP is: 33.123.757.12

Some Internet providers change their IP addresses every few hours and some of them have permanent addresses. So, yours doesn't seem to have a permanent IP address.

 

[Victoria Kudryashova]

ok, so instead of adding the server ip address shown as suspicious in blacklist to block it as suggested by Jefri, you are saying to do the exact opposite and add it to white list instead to grant it access, is that correct?

I've described why this was happening and give our recommendations.

 

[Jefri]

Some Internet providers change their IP addresses every few hours and some of them have permanent addresses. So, yours doesn't seem to have a permanent IP address.

Yes, my IP changes everytime i login. Should i whitelist every new IP addresses?

Yesterday i blacklist IP address: 5.45.73.48 from srv24.alidropship.com and now i remove it from blacklist. I just want to know what will happen. Because since i follow recommendation to whitelist my IP, no suspicious detected.

 

[Victoria Kudryashova]

Yes, my IP changes everytime i login. Should i whitelist every new IP addresses?

Yesterday i blacklist IP address: 5.45.73.48 from srv24.alidropship.com and now i remove it from blacklist. I just want to know what will happen. Because since i follow recommendation to whitelist my IP, no suspicious detected.

The latest Cerber update caused this issue , we need more time to investigate this and understand do we need to make this compatibility or not, because there are too many restrictions now from Cerber side which lead to inconvenience but not to more safety. Cerber protects only admin area of your site - log in . It doesn't provide the whole security.
Now as a temporary solution you can add IP address to the white list or use similar plugins for additional protection.

 

[Jefri]

3NT Solutions is one of the most popular and trusted provider of IT-solutions. We use them as a provider of IP address subnet , that's it. Our servers are totally set up and supported by AliDropship technicians. No 3rd parties developers are not involved neither here nor in AliDropship plugin development process.

That's the IP of srv24.alidropship.com.
Alidropship are hosting their contents at 3NT Solutions, I have checked google, 3NT Solutions has a bad reputation and some shady activities.

@aminech I think you're right about bad reputation of 3NT.
Sometimes i could not access my website. I need to visit google.com or facebook.com or my other sites then i can access my store site.

An hour ago, i make some test to my site, and get very bad result.
My site can not be accessed at most countries, including: USA !!!
Special NOTE to: @Yaros


Here are some of my test:

(1) My first test is using GtMetrix.com
On first test i got error like picture below. Re-test again, it work.. Re-test again, do not work. It means: my site is unstable!



(2) Tested using Testomato (I found this tool by searching Google).
Interesting thing is this tools tell me that my site get error every 8 seconds!






(3) Using UpTrends tools. This tools is very interesting!
It show us which countries can access or can't access our website.






(4) Using Site24x7 tools. This tool has the same result!




@ZAPPY @wahmmo @aminech @Shahin09 @Jess @yes -- Check your website too!

 

[ZAPPY]

@Jefri

Didnt get the same interesting results as you and also hosting on AliDropship

GtMetrix.com



Testomato



UpTrends




Site24x7 (not paying so no result to show here)

 

[Jefri]

@Jefri

Didnt get the same interesting results as you and also hosting on AliDropship

GtMetrix.com

View attachment 3925

Testomato

View attachment 3926

UpTrends

View attachment 3927


Site24x7 (not paying so no result to show here)

View attachment 3928

I just re-test it again, (21 April 2018. 09:20) and it work perfectly now. No change anything.
Very strange, but i think it has unstable performance

By the way, @ZAPPY have you re-test it?

 

[Jefri]

Yesterday i blacklist IP address: 5.45.73.48 from srv24.alidropship.com and now i remove it from blacklist. I just want to know what will happen. Because since i follow recommendation to whitelist my IP, no suspicious detected.

I think, we still need to BLACKLIST that IP .
Suspicious activities come again after i remove that IP from blacklist yesterday

 

[ZAPPY]

[...] have you re-test it?

Why would I need to?

Did you view my screencaptures?

 

[ZAPPY]

I think, we still need to BLACKLIST that IP

Did you read Victoria's explaination and temporary suggestion?

{...} as a temporary solution you can add IP address to the white list or use similar plugins for additional protection.

Why choosing not to follow it?

 

[Jefri]

Why would I need to?

You don't need it if you don't want it.

But i tested it 2-3 times (using uptrend tools), and it shows:
* Yesterday: as result above
* Today:
- test 1: all fine
- test 2: about 6-8 checkpoint can not open my site
- test 3: same as test 2

 

[Jefri]

Did you read Victoria's explaination and temporary suggestion?


Why choosing not to follow it?

Victoria mention to "whitelist" not to blacklist.
I tested it by removing IP from blacklist, and that suspicious activities appear again.
So you need to do 2 actions: whitelist your IP and also blacklist that IP

 

[Jefri]

@Victoria Kudryashova your solution to whitelist my own IP do not work. It's become more crazy LOL
I also blacklist that IP but nothing better. I have not checked it yet if it's only from srv24.alidropship.com or another attackers has joined too I will enjoy this show...

 

[Jefri]

2 Main issue now:
(1) MALICIOUS activities from Alidropship server with WP CERBER as Suspect.
(2) Little hard to access my site on my country and other countries.
My experience, when i got "Fail connection", i should REFRESH browser several times or visit another website then i can access my store site.
IF I am a Buyer, i will leave a store like this

Is issue no. 2 has correlation with issue no.1 ???