Tag: login

Attempted Login Attack from Webmaster Agency Ltd REALTY.RU RU 434 times

194.190.169.83 24/Aug/2018:21:04:47 to 24/Aug/2018:21:21:05 You attempted 434 login attempts. I see you. I know when you visited and that you are trying to break into my site. You have been logged and sent packing with 403s. I have 2,425 of your header logs. Do not do this again.

194.190.169.0 – 194.190.169.255
org-name: Webmaster Agency Ltd
person: Dmitry V. Volkov
address: REALTY.RU LTD
address: 1, Kurchatov Sq.
address: 107005, Moscow
address: Russia
org-type: OTHER
phone: +74957724216

Request Header:

2018-08-24:21:04:47
URL: /wp-login.php
IP: 194.190.169.83
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Host: dontai.com

Permanent link to this post (89 words, 0 images, estimated 21 secs reading time)

Pan China Brute Force Login Attack

It is always warming to see the two Chinas, the PRC and Taiwan, getting along. Today they ganged up and tried to break into my site.

60.217.64.210 s China Unicom Shandong, level 10 risk, malware Spam Zero-Day
60.248.0.230 s Hinet Chunghwa Tel Taiwan, known for bots and infected zombie computers
183.167.228.134 s Chinanet Anhui, level 10 risk, malware Spam Zero-Day
218.21.43.238 s Dou shi-BAR Yin chuan Ningxia, level 10 risk, malware Spam Zero-Day

The last one, from Ningxia, looks surprisingly small as compared to the usually huge number of IP addresses for Chinanet or China Unicom, but they are part of Chinanet Ningxia, which is large.

This is a preview of Pan China Brute Force Login Attack. Read the full post (146 words, 0 images, estimated 35 secs reading time)

Brute Force Login Attack: 2016 Dec 19

Again, they come, but this time with individual IPs. Huh? Not so funny anymore. 18 individual IP, all timed differently.

UA: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

103.1.173.103 [19/Dec/2016:05:57:06
103.18.5.22 [19/Dec/2016:04:57:30
139.59.1.139 [19/Dec/2016:05:47:03
144.208.66.8 [19/Dec/2016:06:26:51
162.220.58.205 [19/Dec/2016:02:47:14
173.188.123.130 [19/Dec/2016:06:24:53
185.103.197.198 [19/Dec/2016:05:00:34
189.1.168.10 [19/Dec/2016:06:09:05
198.1.91.13 [19/Dec/2016:05:06:45
200.34.204.5 [19/Dec/2016:01:26:45
201.160.106.35 [19/Dec/2016:03:27:25
216.157.108.17 [19/Dec/2016:04:17:17
31.210.61.34 [19/Dec/2016:02:58:33
37.187.240.112 [19/Dec/2016:06:34:02
64.37.49.155 [19/Dec/2016:05:33:19
71.92.251.210 [19/Dec/2016:03:28:52
92.243.29.161 [19/Dec/2016:06:24:52
96.30.62.52 [19/Dec/2016:04:44:31

96.30.62.52

Permanent link to this post (71 words, 0 images, estimated 17 secs reading time)

Brute Force Login Attack on WordPress: Case Study

Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.

41.76.123.243: 41.76.123.0 – 41.76.123.255 WIFLY GA GABON has tried security hacks on my site before, 6 attempts
171.25.194.89 mes.megion.ru 171.25.194.0 – 171.25.195.255 Lider Telecom Ru, 52 attempts
117.255.233.117 117.255.224.0 – 117.255.255.255 Wimax New Delhi IN, 8 attempts
117.253.234.15

Three hackers, one from Africa, one from Russia, one from India. This is the global entity called the Internet.

This is a preview of Brute Force Login Attack on WordPress: Case Study. Read the full post (602 words, 0 images, estimated 2:24 mins reading time)

bredbandsbolaget.se: Research, Ban

Kik content scraper bots sent me this IP from bredbandsbolaget.se. Kik uses single IPs from all over North American ISPs, and they’re now expanding globally. Kik content scrapes my site daily, so it is in my best interest to stop them.

Just for fun I translated from Swedish to English, “bredbandsbolaget” translates to “broadband company”! LOL! bredbandsbolaget.se provides TV, internet and telephone in Sweden. They have a web site. After the ip address the next set of numbers before the “cust” might be the Swedish telephone number, starting with the area code. Then again maybe not, as some have hex

This is a preview of bredbandsbolaget.se: Research, Ban. Read the full post (290 words, 0 images, estimated 1:10 mins reading time)

vultr.com Comment Scraper: Research, Ban

vultr.com is a content scraper that I would like to remove from my site. They are persistent. Vultr.com seems to be the cloud offering from Choopa.

Observations:
45.63.123.232.vultr.com 45.63.0.0 – 45.63.127.255 45.63.0.0/17
45.63.127.61.vultr.com
45.63.123.116.vultr.com

108.61.166.139.vultr.com 108.61.164.0 – 108.61.167.255 108.61.164.0/22
108.61.165.1.vultr.com

108.61.209.0 108.61.208.0 – 108.61.209.255 108.61.208.0/23

45.32.77.194.vultr.com 45.32.0.0 – 45.32.255.255 45.32.0.0/16
45.32.129.200.vultr.com
45.32.15.1.vultr.com
45.32.128.51.Vultr.com
45.32.128.18.vultr.com
45.32.50.58.vultr.com
45.32.6.220.vultr.com

108.61.218.239.vultr.com 108.61.218.0/24
108.61.218.0 108.61.218.0/24

104.238.156.96.vultr.com 104.238.128.0 – 104.238.191.255 104.238.128.0/18
104.238.183.179.vultr.com
104.238.187.1.vultr.com
104.238.156.0/24

104.156.230.231.vultr.com 104.156.230.231 104.156.224.0 – 104.156.255.255

108.61.157.0 108.61.157.0 – 108.61.157.127 108.61.157.0/25

Research:
104.156.239.1.vultr.com. 104.156.224.0 – 104.156.255.255 104.156.224.0/19
104.156.230.231.vultr.com

108.61.213.1.vultr.com 108.61.212.0 – 108.61.213.255 108.61.212.0/23

This is a preview of vultr.com Comment Scraper: Research, Ban. Read the full post (121 words, 0 images, estimated 29 secs reading time)

fregat.ua: Research, Ban

fregat.ua is a bot from Russia. It was logged for ransomware, so you really don’t want them to try to break into your site. Quite bold, they are, trying to get my login and admin pages, so they are a definite security threat for trying to break into my site. Fregat.ua is an ISP with a web page.

Lead: 128.146.dynamic.pppoe.fregat.ua

Research:
182.43.PPPoE.fregat.ua 46.98.43.182 46.98.0.0 – 46.98.127.255 46.98.0.0/16
9.7.pppoe.fregat.ua 46.98.7.9
16.33.PPPoE.fregat.ua 46.98.33.16
221.54.PPPoE.fregat.ua 46.98.54.221
62.30.PPPoE.fregat.ua, IP Address, 46.98.30.62
234.66.PPPoE.fregat.ua 46.98.66.234
66.41.PPPoE.fregat.ua 46.98.41.66
26.30.PPPoE.fregat.ua 46.98.30.26
233.3.pppoe.fregat.ua 46.98.3.233

54.146.dynamic.PPPoE.fregat.ua 91.210.146.54 91.210.144.0 – 91.210.147.255 91.210.144.0/22
108.147.dynamic.PPPoE.fregat.ua 91.210.147.108
103.146.dynamic.PPPoE.fregat.ua 91.210.146.103
140.146.dynamic.PPPoE.fregat.ua 91.210.146.140
156.146.dynamic.PPPoE.fregat.ua 91.210.146.156
179.145.dynamic.PPPoE.fregat.ua 91.210.145.179
160.146.dynamic.PPPoE.fregat.ua 91.210.146.160
39.145.dynamic.pppoe.fregat.ua 91.210.145.39
202.147.dynamic.pppoe.fregat.ua 91.210.147.202
1.147.dynamic.pppoe.fregat.ua 91.210.147.1

This is a preview of fregat.ua: Research, Ban. Read the full post (151 words, 0 images, estimated 36 secs reading time)

Monster.ca’s New Widgets: Cool but Unusable

I continue to search for work, and Monster.ca is one of many sites I visit. Lately I have noticed that almost all of the jobs posted on Monster are from headhunters. It’s not that headhunters are bad per se, but that some of their advertised job descriptions are close to: “Wanted: Live animal. Able to stand up and breath without keeling over. Please send your resume to ima @ headhunter.com”. Would it kill the recruiter to provide a little more position-related information? Often times there are three headhunters from the same agency posting essentially the same cut and paste effort to the same job board. Do you think that possible candidates do not notice this?

This is a preview of Monster.ca’s New Widgets: Cool but Unusable. Read the full post (944 words, 0 images, estimated 3:47 mins reading time)