Happy Valentine’s Day, and someone loves me out there on the Internet, because they used a botnet to try to break into my site. You are very welcome, whoever you are, but I am trying to find out who is my secret admirer.
There are 12 IPs involved. They each try 2 times.
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
We Canadians are always overshadowed by the 10 larger in population US. If at all possible I like to highlight our accomplishments, or in this case, sophisticated comment spamming from Canada. Bad, Canada.
Comment spammers on my site usually use a single IP to first read the post, determine if they can submit spam, then submit the spam comment. This shows up in my Akismet spam comments. They are simple to identify and ban.
It is always good to see international cooperation amongst different nations in this great world. However, when China, India and Russia cooperate to try to break into my site, forgive me when I get a little upset. While I usually file complaints to internet host providers, in this case the complaint would fall on deaf ears: hosts in China, India and Russia ignore abuse emails. Then most hosts from all over the world ignore abuse emails.
Number of login attempts: 417
All the user agent names are the same: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
Moved, I did, from Site5, to A2. The last 21 hrs was a wet and wild ride all without the protection of my trusty .htaccess file, the one with my IP ban list. Within that time, 21 hrs, I received a total of 33 spam comments. Usually I receive only one or two. It is clear that without protection I would be inundated by comment spam.
Of course these IPs are only the ones that comment spammed me. There are many more that use their bots to do content scraping, trying to break into my site, trick my host provider, etc. There are too many to list.
Domain Crawler hit my server with a 500 transaction attack today, using 5 IP addresses, all from Sweden. They scraped me hard! Their user agent is “DomainCrawler/3.0 (info@domaincrawler.com; http://www.domaincrawler.com/dontai.com)”. I have banned all these IP addresses with their last octet. Good riddance.
80.248.225.142 Internetbolaget Se domaincrawler
80.248.227.107 Internetbolaget Se domaincrawler
176.74.192.36 Tralex Se domaincrawler
193.183.102.178 Internetbolaget Se domaincrawler
Why is today so special? It looks like two separate groups tried their own brute force login attacks on my site, each using a different technique. There were a total of 510 login attempts today on my site.
The first technique is to use a low number of IPs, but try numerous times. UA: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0”
Puzzled, I am, when Microsoft spams me, and they are pretty regular visitors. After all, Microsoft owns the Bing search engine, and I let Bing freely crawl my site. So why would they want to spam me, and do it so often, using multiple ways? Inquiring minds want to know.
Usually I see Microsoft come in using a missing user agent, pretty stealthily, and as I want all visitors to be identifiable, I ban them. They change IPs and do this regularly. Then there are the Tor exit servers owned by Microsoft. I suppose that having Tor exit servers is OK, as they are used by everyone.
Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.
41.76.123.243: 41.76.123.0 – 41.76.123.255 WIFLY GA GABON has tried security hacks on my site before, 6 attempts