I logged over 3,000 attempts to login to my WordPress sites on May 16th. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,501 different attacking IP addresses can be found here.
So far today (Friday the 17th) I have logged over 1,800 attempts to log into my sites via wp-login.php.
Yesterday I logged over 2,200 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,473 different attacking IP addresses can be found here.
So far today (Thursday the 16th) I have logged over 1,000 attempts to log into my sites via wp-login.php.
Yesterday I logged over 4,500 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 3,340 different attacking IP addresses can be found here.
So far today (Wednesday the 15th) I have logged over 800 attempts to log into my sites via wp-login.php.
Yesterday I logged over 7,000 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 4,033 different attacking IP addresses can be found here. The attack started at 2:50 in the afternoon on Monday the 13th. Sunday I received only six attempts, so classifying this as an attack is definitely appropriate.
So far today (Tuesday the 14th) I have logged over 2,800 attempts to log into my sites via wp-login.php. And that number has increased by 25 in the time it’s taken me to type these few sentences.
Since November 30th, I’ve been getting hammered by spam coming from many different places, but based on the message headers, it’s all part of the same spam network.
18.104.22.168 - 22.214.171.124 Bulgaria
126.96.36.199 - 188.8.131.52 Portugal
184.108.40.206 - 220.127.116.11 Czech Republic
18.104.22.168 - 22.214.171.124 Netherlands
I recommend you block/firewall all of these IP addresses and domain names.
While checking out my apache server logs last week, I noticed that one of my older sites was getting a fair amount of login attempts to wp-login.php from all over the world. So I started grabbing the login information to see what they were trying. The next batch of attacks lasted 23 minutes. The username was always “admin” and the testcookie was always “1″. Here are the passwords:
I replaced the actual domain name with “example” in the above list. If you are using any of those passwords, you may want to consider changing it.
The user-agent doing the probe was always “Mozilla/3.0 (compatible; Indy Library)”. The attacks came from these IP addresses. I assume they were running some form of infected Windows operating system.
- 126.96.36.199: Host 250.9.153.110.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 188.8.131.52: 184.108.40.206.in-addr.arpa domain name pointer ws4-tunghai-grp-telnet.com.bd. (Bangladesh, not assigned?)
- 220.127.116.11: Host 18.104.22.168.in-addr.arpa. not found: 3(NXDOMAIN) (Indonesia)
- 22.214.171.124: 126.96.36.199.in-addr.arpa domain name pointer 188.8.131.52-Draper.hfc.comcastbusiness.net. (Comcast, USA)
- 184.108.40.206: Host 220.127.116.11.in-addr.arpa. not found: 3(NXDOMAIN) (China, not assigned?)
- 18.104.22.168: Host 22.214.171.124.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 126.96.36.199: Host 188.8.131.52.in-addr.arpa. not found: 3(NXDOMAIN) (Indonesia)
- 184.108.40.206: Host 220.127.116.11.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 18.104.22.168: 22.214.171.124.in-addr.arpa domain name pointer Wimax-Cali-190-0-9-202.orbitel.net.co. (Brazil)
- 126.96.36.199: Host 188.8.131.52.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 184.108.40.206: Host 220.127.116.11.in-addr.arpa. not found: 3(NXDOMAIN) (Iran)
- 18.104.22.168: Host 22.214.171.124.in-addr.arpa. not found: 3(NXDOMAIN) (Brazil)
- 126.96.36.199: 188.8.131.52.in-addr.arpa domain name pointer host-181-225.dialog-k.ru. (Russia)
- 184.108.40.206: Host 220.127.116.11.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 18.104.22.168: 22.214.171.124.in-addr.arpa domain name pointer 217.subnet110-139-173.speedy.telkom.net.id. (Indonesia)
- 126.96.36.199: Host 188.8.131.52.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 184.108.40.206: Host 220.127.116.11.in-addr.arpa. not found: 3(NXDOMAIN) (China)
- 18.104.22.168: 22.214.171.124.in-addr.arpa domain name pointer adsl5p5.access.maltanet.net. (Malta)
- 126.96.36.199: 188.8.131.52.in-addr.arpa domain name pointer st-217-129-77-17.netvisao.pt. (Portugal)
I have started receiving email spam from a company called “Reach Marketing” via a product known as ReachBase. I wonder why they think it is ok to send out spam on behalf of other companies? If a person did not opt-in to getting marketing messages, that means you don’t send that person your marketing message. Why is that so difficult for companies to understand? People shouldn’t have to opt-out of something they’ve never asked for in the first place.
This evening I submitted to them this message:
Why are you selling my email address to companies without my permission? When did I opt-in to your system? Show me the proof, the email I sent, or the IP address that was used to sign up on your web site. Thanks for your help. I’m sorry I had to use fake info in all fields above other than my email address, but I don’t trust you to not start sending me junk mail and telemarketing. That is, I think I submitted the message to them. Their idiotic comment system kept throwing out errors. Eventually the errors stopped, but no confirmation appeared that the message was sent.
So far, I’ve received spam from Fred Pryor Seminars, the New York Times and Intel. I find it amazing that huge, well-known companies like The NYT and Intel would resort to sending spam.
If you want to block this stuff, block all of the domains from clk20.com to clk70.com. Yes, that is 51 domain names. Here is a text file you can copy and paste to your mail server’s access file. I’ll update this if I discover other domain names Reach Marketing is using to send out their drivel.
Here’s a new attack that occurred this afternoon: bot networks are searching for backup copies of wp-config.php. They searched for these four files on the root level of one of my web sites.
The probes came from these four IP addresses, all within one minute of one another:
- 184.108.40.206 – Ukraine, no rDNS
- 220.127.116.11 – Ukraine, no rDNS
- 18.104.22.168 – Ukraine, 193-106-65-146.vega-tv.com.ua.
- 22.214.171.124 – Turkey, no rDNS
You should do two things:
- Search your site’s root directories for old “backup” copies of your site’s configuration files. And if you find any, you need to remove them. You may want to consider removing wp-config-sample.php if it exists as well. Heck, remove readme.html and license.html too. There is no reason for those files to be available on your web site.
- If your web server and host supports it, move your wp-config.php file up one directory out of your public web site. So if your WordPress installation is installed in /var/www/html/example.com/ , move wp-config.php to be in the html directory, not the com directory. This should remove the configuration file from the public.
Followup: September 30th, 2012: Just had a few new probes for wp-config.txt from 126.96.36.199, dslb-088-074-117-009.pools.arcor-ip.net, Germany.
I’m getting many many 404 errors on my web sites where someone is requesting the url of http://www.example.com/?feed=rss2&p=199999 Any idea what the attack is?
What the heck is wrong with the idiots out there that may think I want to run advertising on this web site? Do you see any advertising on the site already? I realize they’re just sending spam, and are just mass-mailing everyone online in the hopes of getting their drivel out there. But geesh, people are idiots. Both the spammers, and the fools that fall for it.
A real advertising offer will have a web site included in the message. The return address will not be a disposable domain name, like gmail.com, hotmail.com, or yahoo.com. The message will also follow the CAN-SPAM law. There will be a postal mailing address in the message. There will be an opt-out link. (Although you should never opt-out of spam in the first place since all that does is confirm your email address is being read).
So in case you’re not clear: I am not interested in running your text ad, or banner ad, or other wonderful advertising solution on this site. Go away.
There. I feel better now. I just wanted to get that off my chest.