253david
Forum Replies Created
I got this email this morning from BT
Hello David,
Apologies for not getting back to you for some time now.
We have identified the culprit as a 3rd party customer/user located in Italy. We have been in contact with our Italian BT teams and they have assured us that controls/restrictions have been put into place on this user as a result of these attacks on your website.
Please come back to us if there is a reoccurrence of this again.
Regards,
—————————–
All the attacks on my site have come to an end. At least for now.
I think this makes my point. Don’t be passive about attacks. Report them! It may take a while to get results like it did in this case but next time it shouldn’t take BT nearly as long to track the source down.
This post makes me think that what we are seeing is a wide scale exploitation of routers.
I see it with browser based gmail too.
This email was sent from your website “—–” by the Wordfence plugin at Monday 19th of January 2015 at 06:14:45 AM
The Wordfence administrative URL for this site is: http://—-/wp-admin/admin.php?page=Wordfence
A user with IP address 154.58.193.208 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
User IP: 154.58.193.208
While I am on this subject, I try to report most of the login attempts to the source ISP. Sometimes they want time zone and destination IP information. I don’t suppose you could add that to the report so I could just cut and paste or forward the email?
I am finding a great many of the IP addresses of my Bot attacks on one of my sites end up showing Air OS router login screens. I’m wondering if the embedded Linux on the Air OS routers is being exploited?
Yes, I have been able to find login screens. For example at 89-97-143-189.ip17.fastwebnet.it.
It seems that most likely the embedded web servers on the routers/modems have been exploited.
They need to keep hearing from us.
The Aethra BG1242W looks like a residential or small business router with Internet and Voice Over IP phone capability. I’m not finding any with a login screen.
Do you know if the Albacom and Fastweb ISPs have begun working on this problem? I am getting 4 or 5 fewer IPs because I have most of them blocked, but I am still getting attacked every four hours.
I just did a count of the hits from static.albacom.net and there were over 400 static.albacom.net IP addresses involved since 12/10/2014. I am sure it is about the same for fastwebnet.it. There were a few from other ISPs including Comcast Business but most of the other ones were also Italian ISPs.
This has been the most persistent attack I have seen since installing Wordfence. This is also by far the most bot IP addresses on two ISPs that I have ever seen. I am assuming it keeps rotating targets and gets back to me about every four hours.
And the permanent solution is?
“Goes back to sleep”
I have been seeing the same thing for about a week. I immediately block login attempts with the username “admin” and I have the lockout set for 60 days. I am also using advanced blocking to block ranges of IP addresses. They try with 12 to 16 IPs about every four hours. I’m not sure why they continue to waste their time.
Please take the time to report the problem to the ISP. If they hear from enough of us maybe they will do something.
[ redacted ]
fastwebnet.it is FASTWEB-POP-INTERNET; their abuse contact is abuse@fastweb.it
They are going to want as much of a log as you can provide. It should include dates, times, type of attack, their IP numbers, and the IP and domain name of your WordPress site.
If anyone knows the full range of IP addresses for either one of these ISPs please share it. I’d much rather see this bot network shut down than blocked. I almost always report this type of thing. If it is a bot on a US web hosting provider they almost always find and remove it.
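The two posts above (the request to have time zone and destination information in the lock-out email, and the list of what an ISP wants in an abuse report) can be automated. The script below is an added example, not code from the thread or from Wordfence: it parses lock-out notices in the format quoted earlier, converts the site-local timestamp to UTC, groups the events by the source ISP and emits one report per ISP. The site time zone (UTC-8), the sample notices and the PTR names are all assumptions constructed for the example; a real run would do reverse-DNS lookups instead of the `PTR` dictionary.

```python
import re
from datetime import datetime, timedelta, timezone

# Patterns follow the Wordfence notice text quoted above. Wordfence stamps the
# time in the site's WordPress time zone with an ordinal day ("19th").
DATE_RE = re.compile(r"by the Wordfence plugin at (.+?)\s*$", re.M)
SITE_RE = re.compile(r'sent from your website "([^"]+)"')
LOCK_RE = re.compile(r"A user with IP address (\d{1,3}(?:\.\d{1,3}){3}) has been "
                     r"locked out .*?for the following reason: (.+?)\s*$", re.M)
SITE_TZ = timezone(timedelta(hours=-8))  # assumed: site clock on US Pacific (UTC-8)

def parse_notice(text, site_tz=SITE_TZ):
    """One lock-out e-mail -> (utc_time, source_ip, reason, target_site)."""
    when = re.sub(r"(\d+)(st|nd|rd|th)", r"\1", DATE_RE.search(text).group(1))
    local = datetime.strptime(when, "%A %d of %B %Y at %I:%M:%S %p")
    utc = local.replace(tzinfo=site_tz).astimezone(timezone.utc)
    ip, reason = LOCK_RE.search(text).groups()
    return utc, ip, reason, SITE_RE.search(text).group(1)

def group_by_isp(events, ptr_names):
    """Bucket events by ISP domain: the last two labels of a supplied PTR name."""
    groups = {}
    for ev in events:
        host = ptr_names.get(ev[1], "unknown")
        groups.setdefault(".".join(host.split(".")[-2:]), []).append(ev)
    return groups

def format_report(isp, events):
    """Abuse report with what ISPs ask for: UTC time, source IP, target, reason."""
    lines = [f"Abuse report for {isp}: {len(events)} lock-out(s)"]
    for utc, ip, reason, target in sorted(events):
        lines.append(f"{utc:%Y-%m-%d %H:%M:%S} UTC | {ip:<15} | {target} | {reason}")
    return "\n".join(lines)

# Constructed sample: two notices in the quoted format (documentation-range IPs,
# invented host names standing in for what a PTR lookup would return).
HEAD = 'This email was sent from your website "site.example" by the Wordfence plugin at '
LOCK = ("A user with IP address {} has been locked out from the signing in or using the "
        "password recovery form for the following reason: {}\n")
SAMPLE = [
    HEAD + "Monday 19th of January 2015 at 06:14:45 AM\n"
    + LOCK.format("198.51.100.7", "Used an invalid username 'admin' to try to sign in."),
    HEAD + "Monday 19th of January 2015 at 10:14:51 AM\n"
    + LOCK.format("203.0.113.44", "Exceeded the maximum number of login failures."),
]
PTR = {"198.51.100.7": "h7.static.isp-a.example", "203.0.113.44": "h44.isp-b.example"}

def build_reports(notices=SAMPLE, ptr_names=PTR, site_tz=SITE_TZ):
    events = [parse_notice(n, site_tz) for n in notices]
    return {isp: format_report(isp, evs) for isp, evs in group_by_isp(events, ptr_names).items()}
```

Each value of `build_reports()` is the text to paste into the abuse email for that ISP.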
Would it be possible for you to send me your blacklist so I can get some of these hacked sites reported and cleaned up?
I am getting it now. I don’t know if your experience will be the same. It comes and goes. https://trona-high-alumni.com
Also here: http://www.trona-ca.com/
They are both getting tronahistory.com but not each other.
Forum: Requests and Feedback
In reply to: Pharmacy Hack Alive and Well
I’m declaring this hack dead. It is too easy to find for it to survive much longer and I am starting to find people who can grasp this concept. It is a rich pool of information about hacks that will soon be lost. If you have any interest in this type of hack I suggest you start looking for them and start building a database about them. You will learn which host providers host the most of them, what type of webmaster is most vulnerable, the paths the hackers pick to store files, their SEO dictionary (which will help locate more sites using a simple search), and certainly much more than I have time to list or to discover. One question remains: why has this hack been around so long? I smell the blood in the water already.
To find a seed site, search for Purchase Medication, Order Medication, Generic purchase, followed by a drug name.
Once you have located your first hacked site, look for a txt file; it will give you more SEO search terms that will help locate other sites.
Also, find the hidden link sites. siteexplorer.info can help with this. The hidden link sites will give you the URLs of about 20 more hacked sites each. Do the same with each hacked site on the list.
Then think about how you can automate this and how this data could be useful.
You can bet that the hackers have a database about every pharma hacked site and are using it to learn which host providers are good targets and many other things about WordPress users’ bad habits.
All this is just sitting there in plain sight for anyone willing to take the time.
Getting an email when someone gets locked out became an issue for me. Especially one day when my site was being hammered by a brute force dictionary attack from multiple IP addresses. I unchecked that box.
I did however choose to continue emails when people tried to logon to a nonexistent account. The other day even that became annoying. Rather than uncheck that box too I decided to try putting a roadblock in the way of those pesky bots.
I added a Google Authenticator app. The bots don’t know what to make of having a third box to fill out. These days 2-factor authentication is a must on administrator accounts anyway.
Never mind the support ticket. I should have come here first.
Forum: Requests and Feedback
In reply to: Pharmacy Hack Alive and Well
@jan Dembowski
Those “black hat hackers” work in volume and use hacked sites en masse. You won’t make one bit of difference to those hackers because they don’t care.
You don’t know it but you really made my point with that statement. I’ll leave it to you to figure out how.
Consider adding this to your list of useful links:
http://pharma-hack.com/