I logged over 3,000 attempts to login to my WordPress sites on May 16th. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,501 different attacking IP addresses can be found here.
So far today (Friday the 17th) I have logged over 1,800 attempts to log into my sites via wp-login.php.
Yesterday I logged over 2,200 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 1,473 different attacking IP addresses can be found here.
So far today (Thursday the 16th) I have logged over 1,000 attempts to log into my sites via wp-login.php.
Yesterday I logged over 4,500 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 3,340 different attacking IP addresses can be found here.
So far today (Wednesday the 15th) I have logged over 800 attempts to log into my sites via wp-login.php.
Yesterday I logged over 7,000 attempts to login to my WordPress sites. Luckily, they were mostly immediately blocked, added to my firewall. The list of 4,033 different attacking IP addresses can be found here. The attack started at 2:50 in the afternoon on Monday the 13th. Sunday I received only six attempts, so classifying this as an attack is definitely appropriate.
So far today (Tuesday the 14th) I have logged over 2,800 attempts to log into my sites via wp-login.php. And that number has increased by 25 in the time it’s taken me to type these few sentences.
Since November 30th, I’ve been getting hammered by spam coming from many different places, but based on the message headers, it’s all part of the same spam network.
91.92.0.0 - 91.92.255.255 Bulgaria fortunebanker.com [91.92.98.57] mx1.fortunebanker.com [91.92.98.58] mx2.fortunebanker.com [91.92.98.59] mx3.fortunebanker.com [91.92.98.60] dollarstools.com [91.92.98.73] mx1.dollarstools.com [91.92.98.74] mx2.dollarstools.com [91.92.98.75] mx3.dollarstools.com [91.92.98.76] 5.135.71.64 - 5.135.71.95 Portugal norbertwst.com [5.135.71.67] mx1.norbertwst.com [5.135.71.68] mx2.norbertwst.com [5.135.71.69] 5.135.246.64 - 5.135.246.95 Czech Republic goodnewsclicks.com [5.135.246.76] mx1.goodnewsclicks.com [5.135.246.77] mx2.goodnewsclicks.com [5.135.246.78] 178.33.212.192 - 178.33.212.223 Netherlands livecashgenerator.com [178.33.212.210] mx1.livecashgenerator.com [178.33.212.211] mx2.livecashgenerator.com [178.33.212.212]
I recommend you block/firewall all of these IP addresses and domain names.
While checking out my apache server logs last week, I noticed that one of my older sites was getting a fair amount of login attempts to wp-login.php from all over the world. So I started grabbing the login information to see what they were trying. The next batch of attacks lasted 23 minutes. The username was always “admin” and the testcookie was always “1″. Here are the passwords:
I replaced the actual domain name with “example” in the above list. If you are using any of those passwords, you may want to consider changing it.
The user-agent doing the probe was always “Mozilla/3.0 (compatible; Indy Library)”. The attacks came from these IP addresses. I assume they were running some form of infected Windows operating system.
I have started receiving email spam from a company called “Reach Marketing” via a product known as ReachBase. I wonder why they think it is ok to send out spam on behalf of other companies? If a person did not opt-in to getting marketing messages, that means you don’t send that person your marketing message. Why is that so difficult for companies to understand? People shouldn’t have to opt-out of something they’ve never asked for in the first place.
This evening I submitted to them this message:
Why are you selling my email address to companies without my permission? When did I opt-in to your system? Show me the proof, the email I sent, or the IP address that was used to sign up on your web site. Thanks for your help. I’m sorry I had to use fake info in all fields above other than my email address, but I don’t trust you to not start sending me junk mail and telemarketing.
That is, I think I submitted the message to them. Their idiotic comment system kept throwing out errors. Eventually the errors stopped, but no confirmation appeared that the message was sent.
So far, I’ve received spam from Fred Pryor Seminars, the New York Times and Intel. I find it amazing that huge, well-known companies like The NYT and Intel would resort to sending spam.
If you want to block this stuff, block all of the domains from clk20.com to clk70.com. Yes, that is 51 domain names. Here is a text file you can copy and paste to your mail server’s access file. I’ll update this if I discover other domain names Reach Marketing is using to send out their drivel.
Here’s a new attack that occurred this afternoon: bot networks are searching for backup copies of wp-config.php. They searched for these four files on the root level of one of my web sites.
The probes came from these four IP addresses, all within one minute of one another:
You should do two things:
Followup: September 30th, 2012: Just had a few new probes for wp-config.txt from 88.74.117.9, dslb-088-074-117-009.pools.arcor-ip.net, Germany.
I’m getting many many 404 errors on my web sites where someone is requesting the url of http://www.example.com/?feed=rss2&p=199999 Any idea what the attack is?
What the heck is wrong with the idiots out there that may think I want to run advertising on this web site? Do you see any advertising on the site already? I realize they’re just sending spam, and are just mass-mailing everyone online in the hopes of getting their drivel out there. But geesh, people are idiots. Both the spammers, and the fools that fall for it.
A real advertising offer will have a web site included in the message. The return address will not be a disposable domain name, like gmail.com, hotmail.com, or yahoo.com. The message will also follow the CAN-SPAM law. There will be a postal mailing address in the message. There will be an opt-out link. (Although you should never opt-out of spam in the first place since all that does is confirm your email address is being read).
So in case you’re not clear: I am not interested in running your text ad, or banner ad, or other wonderful advertising solution on this site. Go away.
There. I feel better now. I just wanted to get that off my chest.
