Another Wordpress Attack

by Michael71 7 replies
Hey all.

Another attack on one of my blogs. This time I want to show some IP's/domain names... some "well known" hosts are attacking my blog.

Code:
User IP: 142.4.22.252
User hostname: pen.pengjoon.com

User IP: 69.163.183.221
User hostname: yerevan.dreamhost.com

User IP: 69.174.254.88
User hostname: host.cornerspacehost.com

User IP: 207.58.129.221
User hostname: admin.freethought.ca

User IP: 209.51.142.178
User hostname: server.scojadns.com

User IP: 74.117.61.88
User hostname: unassigned.psychz.net

User IP: 69.163.164.44
User hostname: pirates.dreamhost.com

User IP: 93.170.50.174
User hostname: s3.upgradehost.ru

User IP: 180.188.194.54
User hostname: mail.karmatechnologies.com.hk

User IP: 96.127.139.170
User hostname: server.rmmhost.net

User IP: 69.163.180.254
User hostname: kabul.dreamhost.com

User IP: 178.79.140.94
User hostname: yunoshev.ru

User IP: 89.44.200.154
User hostname: srv.bestconstruct.ro

User IP: 168.144.196.233
User hostname: vps-1037901-2775.manage.myhosting.com

User IP: 74.53.124.214
User hostname: dat.datingsites247.com

User IP: 66.135.37.211
User hostname: main.blaremedia.net

User IP: 67.205.45.170
User hostname: greene.dreamhost.com

User IP: 173.44.39.10
User hostname: server25.01domain.net

User IP: 194.247.30.126
User hostname: hosted-by.deziweb.com

User IP: 208.113.168.4
User hostname: washington.dreamhost.com

User IP: 95.154.234.101
User hostname: server2.dukemedia.net

User IP: 74.200.224.226
User hostname: server.livejobsites.com

User IP: 69.174.241.113
User hostname: server.vantagemediamarketing.com

User IP: 208.113.184.22
User hostname: franklin.dreamhost.com

User IP: 67.23.226.189
User hostname: power.nsjet.com

User IP: 85.95.238.76
User hostname: dns1.1ve.net

User IP: 77.235.47.247
User hostname: tosomono.com

User IP: 208.115.125.60
User hostname: sea.xpresservers.com

User IP: 87.253.162.6
User hostname: server6.configcenter.info

User IP: 37.247.99.82
User hostname: destek.hostyurdu.net

User IP: 208.113.184.10
User hostname: cook.dreamhost.com

User IP: 69.163.221.149
User hostname: vilnius.dreamhost.com

User IP: 67.215.243.250
User hostname: 67.215.243.250.static.quadranet.com

User IP: 178.208.91.196
User hostname: mojodist.ru

User IP: 67.205.46.10
User hostname: spilotro.dreamhost.com

User IP: 173.230.146.27
User hostname: li156-27.members.linode.com

User IP: 207.58.185.126
User hostname: vps.asthmatkitty.com

User IP: 184.107.150.58
User hostname: server.ideon.net.br

User IP: 208.113.198.153
User hostname: jenkins.dreamhost.com

User IP: 65.60.29.133
User hostname: vpsnode3.hostthename.com

User IP: 208.113.198.170
User hostname: paulding.dreamhost.com

User IP: 64.202.240.136
User hostname: cp1.belayhost.com

User IP: 72.32.68.101
User hostname: 101215-www1.jobsourcing.com

User IP: 207.58.139.238
User hostname: server.bonfiretides.com

User IP: 64.111.124.4
User hostname: gantzrp.com

User IP: 67.205.39.2
User hostname: bonanno.dreamhost.com

User IP: 216.15.166.5
User hostname: simon.genwebserver.com

User IP: 92.114.86.81
User hostname: host.digiland.ro

User IP: 216.224.169.123
User hostname: server.ceetus.com

User IP: 208.113.170.83
User hostname: apache2-blow.culligan.dreamhost.com
Dreamhost is the leader...

Message:

A user with IP address 208.113.170.83 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in.

Wordfence FTW!
#programming #attack #wordpress
Avatar of Unregistered
  • Profile picture of the author SteveJohnson
    And the point of the post is...?

    I have hundreds of login attempts daily on my sites. That's just the way things are nowadays.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

    {{ DiscussionBoard.errors[8090567].message }}
    • Profile picture of the author Michael71
      Originally Posted by SteveJohnson View Post

      And the point of the post is...?

      I have hundreds of login attempts daily on my sites. That's just the way things are nowadays.
      Steve

      The point is that tons of blogs of known hosters are vulnerable and unsecured.
      Signature

      HTML/CSS/jQuery/ZURB Foundation/Twitter Bootstrap/Wordpress/Frontend Performance Optimizing
      ---
      Need HTML/CSS help? Skype: microcosmic - Test Your Responsive Design - InternetCookies.eu

      {{ DiscussionBoard.errors[8091942].message }}
  • Profile picture of the author HomeBizNizz
    I use this in my wp-admin folder bacause I have static IP-address.

    Make a empty .htaccess file in your wp-admin folder.
    Add the code below.
    Save the file.
    Test with a different IP-address than your own.
    Code:
    AuthName "Access only for Webmaster..."
    AuthType Basic
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from 11.222.333.44
    </Limit>
    Change 11.222.333.44 with your IP-address

    Code:
    # 403 Forbidden:
    ErrorDocument 403 "<br /><br /><br /><br /><center><b>Get lost, hackers...</b></center>"
    Gives the bad users a message they understand...
    {{ DiscussionBoard.errors[8090759].message }}
    • Profile picture of the author Kingfish85
      Originally Posted by HomeBizNizz View Post

      I use this in my wp-admin folder bacause I have static IP-address.

      Make a empty .htaccess file in your wp-admin folder.
      Add the code below.
      Save the file.
      Test with a different IP-address than your own.
      Code:
      AuthName "Access only for Webmaster..."
      AuthType Basic
      <Limit GET POST>
      order deny,allow
      deny from all
      allow from 11.222.333.44
      </Limit>
      Change 11.222.333.44 with your IP-address

      Code:
      # 403 Forbidden:
      ErrorDocument 403 "<br /><br /><br /><br /><center><b>Get lost, hackers...</b></center>"
      Gives the bad users a message they understand...
      That's all well and good until you need to access from a different location.

      Password protect the directory at the server level - problem solved.
      {{ DiscussionBoard.errors[8091165].message }}
  • Profile picture of the author David Beroff
    Originally Posted by Michael71 View Post

    This time I want to show some IP's/domain names... some "well known" hosts are attacking my blog.
    It's pretty unlikely that the true owners of these domain names, e.g., Dreamhost, et. al., are the ones behind these attempts. What's happening here is that a hosting customer, or even more likely, someone pretending to be a hosting customer, (i.e., a hacker who previously gained access to someone else's hosting account), is running an automated script which is now attempting to hack into your blog.

    Y'see, website server-side software such as your blog's admin area are intended to respond to requests from browsers that sit in front of nice humans such as yourself. However, a web server is also a computer that can run a browser, one controlled by an automated script, so that it seems like there's a person there making (many, many) attempts to access your blog. Servers are typically much more powerful than desktops, allowing many more attempts per hour, plus they're already busy running legit websites, so that the web hosting companies are less likely to sense that there's something peculiar happening.
    Signature
    Put MY voice on YOUR video: AwesomeAmericanAudio.com
    {{ DiscussionBoard.errors[8091007].message }}
  • Profile picture of the author RenardNET
    Originally Posted by Michael71 View Post

    Wordfence FTW!
    Hey Michael,

    I installed also not so long ago Wordfence plugin on my high traffic blog and thinking about usage of real-time view of all traffic. For now I am disabled this function because I am not sure what a perfomance impact this will have on my blog.

    Do you know maybe how this works? Can it consume many resources? Do you have it enabled maybe on some blog with high traffic?

    Tom
    {{ DiscussionBoard.errors[8092060].message }}
  • Profile picture of the author Michael71
    No, I am not using any real-time traffic functions.

    Wordfence does only the security functions.

    If you want to see "real-time" stats, use Google Analytics. Won't take any resources of your webserver.
    Signature

    HTML/CSS/jQuery/ZURB Foundation/Twitter Bootstrap/Wordpress/Frontend Performance Optimizing
    ---
    Need HTML/CSS help? Skype: microcosmic - Test Your Responsive Design - InternetCookies.eu

    {{ DiscussionBoard.errors[8092103].message }}
Avatar of Unregistered

Trending Topics