
#1 2017-02-20 4:22 am

Victor M
Member
Registered: 2017-02-20
Posts: 3

Advice&help needed: extremely persistent site intruder

Hello,

Since February 1, 2017 my site has been under attack:

1. Initial event

----- Forwarded Message -----

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  *********@yahoo.com
    host smtp.mailchannels.net [***********]
    SMTP error from remote mail server after end of data:
    550 5.7.1 [BFD] Sender prohibited by SPF

Dear Site Admin,
A host, 178.210.167.198, has been locked out of the WordPress site at http:********** due to too many bad login attempts.
The host has been locked out until 2017-02-03 01:31:16 .

Looks like someone was trying to use the feedback form to send his e-mails from my e-mail address.

2. Since then, every day at least 2-3 dozen messages arrive: "Site Lockout Notification. Too many unsuccessful attempts to log in."

3. A message came to my e-mail: "Get a Custom Website Designed by Industry Specific Designers at up to 70% Discount. Click here (link provided) and submit your details." I sure ignored the suspicious link.

I have no idea who 178.210.167.198 is and why he is so persistent. But I definitely need something to be done.

Thank you in advance for your consideration.

Last edited by Victor M (2017-02-20 4:23 am)


#2 2017-02-20 10:35 am

Maikuolan
Member
From: Perth, Western Australia
Registered: 2011-08-09
Posts: 799

Re: Advice&help needed: extremely persistent site intruder

If you wanted, you could give CIDRAM a try. CIDRAM is intended for blocking unwanted/malicious IPs/CIDRs from your website, and there's a WordPress plugin available for it, here. That may help a bit for your purposes here.

If you wanted to do so, it's also possible to leverage the downloadable CSVs from Stop Forum Spam (available here) with CIDRAM, to block out any IPs listed at Stop Forum Spam.

That all said though, the IP in question in this particular case (178.210.167.198) is not currently listed on the Stop Forum Spam database at all. Based on the message snippet you've provided to us ("Get a Custom Website Designed by Industry Specific Designers at up ..."), if you have an API key here, and if you've verified an email address for that message (i.e., if your WordPress installation requires email verification before messages are able to be sent), you might be able to submit a report about it to the Stop Forum Spam database yourself. Unfortunately though, without a username and a verified email address for the offender, policy dictates at this time that a report can't be submitted.

If you adopt the suggestion I've provided above (about CIDRAM), you may need to make some small customisations, because 178.210.167.198 belongs to AS42910 ("Equinix Turkey Internet Hizmetleri Anonim Sirketi"), a Turkish internet provider which isn't currently being blocked. If you don't need to provide any access for Turkey to your website at all, there are some downloadable country-wide blocklists provided by Macmathan which can block out the entire country; but otherwise, if you wanted to block out just that one provider, or even just that one specific IP, and needed any help in doing so, let me know, and I'd be happy to help you out with it. :-)

There are additional measures you could take to try to reduce this type of unwanted activity in your website, too:
- Adopt a CAPTCHA solution for all your contact forms (reCAPTCHA, although not perfect, is one of the most highly recommended CAPTCHA solutions to use nowadays, and there are numerous free plugins for it available on the WordPress plugins database; if you just search for "reCAPTCHA" when searching for new plugins on the plugins database, you'll likely find quite a few there).
- Adopt some other simple anti-spam plugins for dealing with spam posted to comments on WordPress. "Anti-spam" and "WP-SpamShield" are quite well-known plugins for this purpose, and quite well-endorsed, with 714,000+ and 2,494,000+ total downloads to date for each of them, respectively. Worth checking out.
- Block this specific IP via .htaccess, if you have access to that.

Regarding why this specific IP is being so persistent: More than likely, these requests are originating from a spambot, designed to continually hammer any potential targets they can find, regardless of whether or not they ultimately have any actual success. Spambots don't sleep (unless their operator decides to turn them off, or turn off the machine from where they're operating), don't rest, and don't stop: rarely designed with any sense to cease hammering after any particular period of time or to cease after some determination of their tasks being either successful or unsuccessful, if you see one once, it's reasonable to assume you'll see it again. There's, quite rightly, very little love or respect for them or their operators from anyone here at Stop Forum Spam (see: "The Official Stupid Spammer Tricks Thread"), and most of us here take a pretty hard-line approach to dealing with them.

Last edited by Maikuolan (2017-02-20 10:35 am)
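As an added illustration of the reply above (not code from the thread, CIDRAM, or Stop Forum Spam), the following script tallies the "Site Lockout Notification" messages the original poster describes per source IP, checks each IP against a CIDR blocklist in the way a CIDR-based blocker would, and emits the Apache 2.4 `.htaccess` fragment that the reply suggests for blocking a single address. The notification lines and the `178.210.160.0/20` range are constructed for the example; only 178.210.167.198 comes from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the lockout e-mails quoted in the thread.
# 178.210.167.198 is the IP from the thread; 192.0.2.77 is a documentation
# address used as a stand-in for a second, unrelated source.
SAMPLE_NOTIFICATIONS = """
A host, 178.210.167.198, has been locked out of the WordPress site at http://example.invalid due to too many bad login attempts.
A host, 178.210.167.198, has been locked out of the WordPress site at http://example.invalid due to too many bad login attempts.
A host, 192.0.2.77, has been locked out of the WordPress site at http://example.invalid due to too many bad login attempts.
A host, 178.210.167.198, has been locked out of the WordPress site at http://example.invalid due to too many bad login attempts.
"""

LOCKOUT_RE = re.compile(r"A host, (\d{1,3}(?:\.\d{1,3}){3}), has been locked out")

# Hypothetical CIDR blocklist (constructed; not a real CIDRAM or provider range).
BLOCKLIST = [ipaddress.ip_network("178.210.160.0/20"),
             ipaddress.ip_network("198.51.100.0/24")]

def count_lockouts(text):
    """Count lockout notifications per source IP."""
    return Counter(LOCKOUT_RE.findall(text))

def matching_block(ip, blocklist=BLOCKLIST):
    """Return the first CIDR in the blocklist containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None

def candidates(text, threshold=3, blocklist=BLOCKLIST):
    """IPs already on the blocklist, or repeatedly locked out (>= threshold)."""
    result = {}
    for ip, n in count_lockouts(text).items():
        net = matching_block(ip, blocklist)
        if net is not None or n >= threshold:
            result[ip] = {"lockouts": n, "listed_in": str(net) if net else None}
    return result

def htaccess_deny(ips):
    """Apache 2.4 .htaccess fragment denying the given IPs (the reply's last suggestion)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_deny(candidates(SAMPLE_NOTIFICATIONS)))
```

The threshold and the CIDR list are the knobs to tune: a single lockout from an unlisted address is noise, while an address that is both on a list and repeatedly locked out is the case the thread describes.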


#3 2017-02-21 4:20 am

Victor M
Member
Registered: 2017-02-20
Posts: 3

Re: Advice&help needed: extremely persistent site intruder

Thank you very much, Maikuolan.

1. I will try to use all of your suggestions. It will take some time and I will let you know with further updates.
2. I found one more message in my spam folder with another IP and a suspicious link, and I sent a screenshot to you via PM. Might be of use.

Thanks again,

Victor
