Moved, I did, from Site5, to A2. The last 21 hrs were a wet and wild ride, all without the protection of my trusty .htaccess file, the one with my IP ban list. Within that time, 21 hrs, I received a total of 33 spam comments. Usually I receive only one or two. It is clear that without protection I would be inundated by comment spam.
Of course these IPs are only the ones that comment spammed me. There are many more that use their bots to do content scraping, trying to break into my site, trick my host provider, etc. There are too many to list.
Domain Crawler hit my server with a 500 transaction attack today, using 5 IP addresses, all from Sweden. They scraped me hard! Their user agent is “DomainCrawler/3.0 (info@domaincrawler.com; http://www.domaincrawler.com/dontai.com)”. I have banned all these IP addresses by their last octet. Good riddance.
80.248.225.142 Internetbolaget Se domaincrawler
80.248.227.107 Internetbolaget Se domaincrawler
176.74.192.36 Tralex Se domaincrawler
193.183.102.178 Internetbolaget Se domaincrawler
Why is today so special? It looks like two separate groups tried their own brute force login attacks on my site, each using a different technique. There were a total of 510 login attempts today on my site.
The first technique is to use a low number of IPs, but try numerous times. UA: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0”
Puzzled, I am, when Microsoft spams me, and they are pretty regular visitors. After all, Microsoft owns the Bing search engine, and I let Bing freely crawl my site. So why would they want to spam me, and do it so often, using multiple ways? Inquiring minds want to know.
Usually I see Microsoft come in using a missing user agent, pretty stealthily, and as I want all visitors to be identifiable, I ban them. They change IPs and do this regularly. Then there are the Tor exit servers owned by Microsoft. I suppose that having Tor exit servers is OK, as they are used by everyone.
Got it by a small referrer spam campaign today, for some website called “hetmanship”. I’ll not mention the extent, as if you look them up you might download some malware. That would be bad.
As is typical, multiple IPs from around the world: Indonesia, China (8), Russia/UA (5), Mexico, Colombia, Peru, Germany, US. They are indeed difficult to track.
Referrer: http://hetmanship.(will not publish)
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.
41.76.123.243: 41.76.123.0 – 41.76.123.255 WIFLY GA GABON has tried security hacks on my site before, 6 attempts
Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.
I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko).
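The two brute force shapes described above (a few IPs trying many times, and one request signature shared across many IPs, as in the xmlrpc.php case) can be pulled out of an Apache access log with a short script. This is an added example, not code from the original posts; the log lines are constructed in the standard combined format, the IPs are documentation addresses, and the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format (ip ident user [ts] "req" status size "ref" "ua").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress endpoints that accept credentials (assumed /wp/ install prefix).
LOGIN_PATHS = ("/wp/xmlrpc.php", "/wp/wp-login.php")

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, per_ip_threshold=5, per_signature_threshold=3):
    """Return (noisy_ips, distributed): IPs hammering a login endpoint, and
    (path, referrer, UA) signatures reused by at least per_signature_threshold IPs."""
    per_ip = Counter()
    per_sig = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue  # only credential POSTs matter here
        per_ip[rec["ip"]] += 1
        per_sig[(rec["path"], rec["ref"], rec["ua"])].add(rec["ip"])
    noisy_ips = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    distributed = {sig: sorted(ips) for sig, ips in per_sig.items()
                   if len(ips) >= per_signature_threshold}
    return noisy_ips, distributed

# Constructed sample log: user agents are the ones quoted in the posts above.
XMLRPC_UA = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"

def _line(ip, path, ref, ua, ts="11/Aug/2015:10:00:00 +0000"):
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.0" 200 123 "{ref}" "{ua}"'

SAMPLE_LOG = (
    # distributed campaign: three IPs, identical referrer and UA
    [_line(f"203.0.113.{i}", "/wp/xmlrpc.php", "http://dontai.com/wp/xmlrpc.php", XMLRPC_UA)
     for i in (7, 42, 99)]
    # low IP count, many tries
    + [_line("198.51.100.5", "/wp/wp-login.php", "-", FIREFOX_UA)] * 6
    # ordinary page view, ignored by the detector
    + ['192.0.2.1 - - [11/Aug/2015:10:00:00 +0000] "GET /wp/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Either output feeds the same decision the posts describe: the noisy IP gets banned outright, while the shared signature is what identifies the rest of a distributed campaign when each IP only shows up once.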
These five came on my site with an innocent but fake user agent of “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”, scraped some documents, and then proceeded to try to break into my site’s security. Cheeky bastards.
Seven attempts at document scraping, followed by 9 attempted logins. The interesting thing is that when you use a computer to do these campaigns, if you are not clever they really do look like a computer-generated attempt and are thus easy to identify. Which user would have this behaviour? Of course they have all been banned.
Get, I do, a lot of referrer spam on my site. I’m pretty sure that every site gets referrer spam; it is ubiquitous. Usually I have already banned them, and they are usually from Russia, such as xrus, dealing with lovely, nubile, young Russian women. These I treat like background noise: I glance at the error 403 and move on. Then occasionally, about once a month, I get a bona fide referrer spam marketing campaign, where someone really wants to make a negative impression on both my Google Analytics and myself. I then find and ban them.