at first site a legitimate company, on their website:
HostMetric operates a closed hosting network. Capacity is committed to existing operators, and intake is paused — there is no public tier, no waitlist, and no sales channel.
right, but is that true?
funny things can come up when we investigate after an incident, certainly the whole internet seems to be crook business nowadays …
seems everybody is abusing legislation’s incapacity and just goes after some bucks without any concerns about how, no moral standards, no ethics, just money …
and Hostmetric is just another pig in that huge list
is registered as BAHIA VISTA SOLUTIONS LLC, with a contact name of Sandra Aliaga and an address in the United States. Their contact email is support@hostmetric.org, and the abuse reporting address is abuse@hostmetric.org
here is how they called our attention
22/06/2026 03:35:36 | IP: 193.187.115.55 | T: wpHakka | Req: /wp-login.php
22/06/2026 03:35:44 | IP: 193.187.115.55 | T: FAKED | Req: unknown
how to read it?
the first line is an attempt on our supposed login page, our Metro CIO Wall detected it instantly and redirected the attempt to a collector script
seconds later the attacker copied the redirect url from his browser, probably cleaned some arguments and tried direct access to the collector script, since he wasn’t redirected it results in Request: unknown (was removed) and Target: FAKED (direct access)
what does that mean?
we caught the pig with his fingers in the cookie jar
while the network is registered to
inetnum: 193.187.114.0 – 193.187.115.255
netname: HOSTMETRIC-MY-CLIENTS-2
country: LT
admin-c: GP18722-RIPE
tech-c: GP18722-RIPE
status: ASSIGNED PA
mnt-by: mnt-us-bahia-1
created: 2019-01-04T14:04:39Z
last-modified: 2025-10-31T17:55:02Z
the AS record is different
address: Sos. Fabrica de Glucoza, Nr 11B
address: etaj 1, Sector 2, Bucuresti Romania
admin-c: PP13161-RIPE
tech-c: MP26073-RIPE
abuse-mailbox: abuse@m247.ro
nic-hdl: ME5262-RIPE
mnt-by: M247-EU-MNT
created: 2014-01-13T12:11:34Z
last-modified: 2014-12-08T16:22:40Z
resuming the hidden and camouflaged data suggest a high number of HostMetric’s IP addresses are used for operating anonymizing VPNs. This is significant because attackers often use VPNs and proxy networks to obscure their true location and identity when launching automated attacks.
we also found several incident reports from IPs in HostMetric’s network have been flagged for “Exploit probing” and “Malicious Web Traffic” on platforms like AbuseIPDB. The abuse reports on HostMetric IPs frequently categorize activity as “Web App Attack”
the attack on our site wasn’t a simple kiddy bot crawler, it was a clear intend and it wasn’t a bot, proved by the second attempt with manipulated arguments
hostmetric classified itself as an operator of illicit network operations targeting websites worldwide
but we are polite people and before publishing this, we contacted their abuse address and so they had a chance to act, the “answer” came today:
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its recipients after more than 24 hours on the queue on host50-16.matik.com.br.
The message identifier is: 1wbbeH-00000002T01-2RBn
The date of the message is: Mon, 22 Jun 2026 07:12:56 -0300
The subject of the message is: nice introduction
The address to which the message has not yet been delivered is: abuse@hostmetric.com
No action is required on your part.
Delivery attempts will continue for some time, and this warning may be repeated at intervals if the message remains undelivered. Eventually the mail delivery software will give up, and when that happens, the message will be returned to you.
so it is a dead end, a full mailbox or abandoned, the owners have no interest in responding abuse reports
ok, then, their choice, as we have our and who reads this also has his own
SAY NO to pigs like hostmetric – block that crap before they find you, you lose nothing
Leave a Reply