
WP-Login.php Attempts for May 16, 2013

I logged over 3,000 attempts to log in to my WordPress sites on May 16th. Luckily, they were mostly blocked immediately and added to my firewall. The list of 1,501 different attacking IP addresses can be found here.

So far today (Friday the 17th) I have logged over 1,800 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 15, 2013

Yesterday I logged over 2,200 attempts to log in to my WordPress sites. Luckily, they were mostly blocked immediately and added to my firewall. The list of 1,473 different attacking IP addresses can be found here.

So far today (Thursday the 16th) I have logged over 1,000 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 14, 2013

Yesterday I logged over 4,500 attempts to log in to my WordPress sites. Luckily, they were mostly blocked immediately and added to my firewall. The list of 3,340 different attacking IP addresses can be found here.

So far today (Wednesday the 15th) I have logged over 800 attempts to log into my sites via wp-login.php.

WP-Login.php Attempts for May 13, 2013

Yesterday I logged over 7,000 attempts to log in to my WordPress sites. Luckily, they were mostly blocked immediately and added to my firewall. The list of 4,033 different attacking IP addresses can be found here. The attack started at 2:50 in the afternoon on Monday the 13th. Sunday I received only six attempts, so classifying this as an attack is definitely appropriate.

So far today (Tuesday the 14th) I have logged over 2,800 attempts to log into my sites via wp-login.php. And that number has increased by 25 in the time it’s taken me to type these few sentences.

Misc Update for 2013-04-18

eHealthInc: Your email database has been compromised. I just received two spam messages at the email addresses I gave to only you.

Long LetterPress Game

1,578 words in one letterpressapp game. (And the LetterPress archive site is gone. Sigh. I removed the link.)

Misc Update for 2013-02-08

Quantcast: You’ve got a privacy breach; I’m getting spam at the email address I created specifically for my Quantcast account! I just got spam from a tagged email address I gave to a large web traffic measurement firm. It’s been reported to them.

GoodNewsClicks.com Spam Network

Since November 30th, I’ve been getting hammered by spam coming from many different places, but based on the message headers, it’s all part of the same spam network.


I recommend you block/firewall all of these IP addresses and domain names.

Login Attempts to wp-login.php

While checking out my apache server logs last week, I noticed that one of my older sites was getting a fair amount of login attempts to wp-login.php from all over the world. So I started grabbing the login information to see what they were trying. The next batch of attacks lasted 23 minutes. The username was always “admin” and the testcookie was always “1”. Here are the passwords:

  • example.org123
  • example
  • password1
  • test123
  • 12345
  • admin
  • password
  • admin1
  • qwerty123
  • admin111
  • pass
  • life777
  • 123456
  • password123
  • abc123
  • admin123
  • example.org

I replaced the actual domain name with “example” in the above list. If you are using any of those passwords, you may want to consider changing it.

The user-agent doing the probe was always “Mozilla/3.0 (compatible; Indy Library)”. The attacks came from these IP addresses. I assume they were running some form of infected Windows operating system.

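One way to pull the same facts out of an Apache access log that the post describes (repeated POSTs to wp-login.php, a constant probe user-agent, and a per-IP count that decides what goes into the firewall). This is an added example, not the author's script; the log lines are constructed using RFC 5737 documentation addresses, the threshold is an assumed value, and it relies on WordPress answering a failed login with a 200 re-rendered form and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Apache "combined" log format; we need the client IP, request line,
# status code and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-agent string the post observed on every probe.
PROBE_AGENTS = {"Mozilla/3.0 (compatible; Indy Library)"}

# Constructed sample lines (documentation addresses, not real attackers).
SAMPLE_LOG = """\
192.0.2.10 - - [13/May/2013:14:50:01 -0600] "POST /wp-login.php HTTP/1.0" 200 3215 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [13/May/2013:14:50:02 -0600] "POST /wp-login.php HTTP/1.0" 200 3215 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [13/May/2013:14:50:03 -0600] "POST /wp-login.php HTTP/1.0" 200 3215 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [13/May/2013:14:51:10 -0600] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.5 - - [13/May/2013:14:52:00 -0600] "GET /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
203.0.113.5 - - [13/May/2013:14:52:09 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
203.0.113.5 - - [13/May/2013:14:52:30 -0600] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/20.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_wp_logins(lines):
    """Yield POSTs to wp-login.php that came back as 200 (form re-shown = failed login);
    a 302 is the redirect WordPress issues after a successful login, so it is skipped."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == "200"
                and rec["path"].split("?")[0].endswith("/wp-login.php")):
            yield rec

def block_candidates(lines, threshold=3):
    """Per-IP count of failed logins plus the IPs worth adding to the firewall:
    at or above `threshold` failures, or using a known probe user-agent.
    A real user who mistypes once stays under the threshold and off the list."""
    counts, agents = Counter(), {}
    for rec in failed_wp_logins(lines):
        counts[rec["ip"]] += 1
        agents.setdefault(rec["ip"], set()).add(rec["ua"])
    flagged = sorted(ip for ip, n in counts.items()
                     if n >= threshold or agents[ip] & PROBE_AGENTS)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = block_candidates(SAMPLE_LOG.splitlines())
    for ip in flagged:
        print(f"{ip}: {counts[ip]} failed wp-login.php POSTs -> block")
```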

Reach Marketing Spam

I have started receiving email spam from a company called “Reach Marketing” via a product known as ReachBase. I wonder why they think it is OK to send out spam on behalf of other companies? If a person did not opt in to getting marketing messages, that means you don’t send that person your marketing message. Why is that so difficult for companies to understand? People shouldn’t have to opt out of something they’ve never asked for in the first place.

This evening I submitted to them this message:

“Why are you selling my email address to companies without my permission? When did I opt in to your system? Show me the proof, the email I sent, or the IP address that was used to sign up on your web site. Thanks for your help. I’m sorry I had to use fake info in all fields above other than my email address, but I don’t trust you to not start sending me junk mail and telemarketing.”

That is, I think I submitted the message to them. Their idiotic comment system kept throwing out errors. Eventually the errors stopped, but no confirmation appeared that the message was sent.

So far, I’ve received spam from Fred Pryor Seminars, the New York Times and Intel. I find it amazing that huge, well-known companies like The NYT and Intel would resort to sending spam.

If you want to block this stuff, block all of the domains from clk20.com to clk70.com. Yes, that is 51 domain names. Here is a text file you can copy and paste to your mail server’s access file. I’ll update this if I discover other domain names Reach Marketing is using to send out their drivel.