• Resolved itnc10001

    (@itnc10001)


    however, what I find disturbing: unable to remove app’s settings entirely. I deleted Defender plugin folder entirely, I also deleted the database options for app, but app was restored with same exact original settings after reinstall, but I had to recreate two tables for Defender before any log activity or lockouts allowed. why can’t the plugin be reinstalled as “new”? or can it be? it seems to hard writing some sort of data elsewhere.

    there should also be a verification method for valid site owners to get back in — via the email registered to Defender creator/site owner. my internet modem had to be rebooted because of construction in area, so my IP changed. my IP is associated w/ my local/direct fingerprint to access admin area. this happened one other time before, w/ another plugin, but in their case, I was simply able to remove the blacklisted IP, login and whitelist IP. with defender, removing the blacklisted entry from database, didn’t suffice, I was blacklisted for the duration of my settings: PERMANENT.

    all I did was mistype 2 letters (one before other), clicked enter too fast before correcting, cringed and locked out because option for Defender Login lockout is 1 attempt — yes that serious because of all of these login attempts since 2016 w/ thousands of new attempts not added to this list: Amazon, Digital Ocean, Serbia https://docs.google.com/spreadsheets/d/17hYtvOUkRPHBxofXaxNXQyokwVzthYlVAWf_BBk1RV4/edit?usp=sharing
    Digital Ocean https://docs.google.com/spreadsheets/d/1ezlYSRRu9bV5Ep4PB4Q9fzrnjuiABm3GfHOpVVf6_18/edit?usp=sharing

    for me, I can only access admin area by validating “fingerprint”, which is why I installed this app because we don’t allow signups, just comments on posts. so when locked out, I had to login to entire server, give VPN info to verify it’s me trying to login to admin area, keep fingers crossed that connection not dropped, else, I’d have to start over, then paste that info into admin area, then login, then whitelist my ip that was locked, then disconnect from VPN, then login with my actual IP.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter itnc10001

    (@itnc10001)

    and all of the IPs on above Google Docs spreadsheet were running same script as these persons recently reported. persons are literally sitting and guessing passwords for usernames obtained via post or some other script. example (consistently via a hosted cloud site, especially Amazon and DigitalOcean):
    164 159.65.104.178 1 Apr 16, 2019 “log => [site-username-redacted]
    pwd => 1234567
    wp-submit => Log In
    redirect_to => https://[domain].com/wp-admin/
    testcookie => 1
    —————————”

    we’ve set up username for blog posts (author), but no admin privs, set original admin name to have no role and created an admin account separately, and that admin can only login w/ fingerprint. so anyone logging auto-triggers a login attempt, which was happening with IP Blacklist (where above is from, but plugin is no longer being updated as of 2-years ago)

    but I like what I see w/ Defender. Defender is gathering way more details than IP Blacklist and it’s kicking a** automatically. but the admin locked out needs to be fixed via a validation page w/ registered notification email address, kind of like 2-factor, but exclusively to allow admins inadvertently locked out.

    part of a coordinated cyber attack ring (below), and yes, that is Amazon and DigitalOcean. DigitalOcean, which has fake contact information, never responds to problem. after blocking entire range, persons simply use another IP from a non-blocked range. and Amazon’s response is horrific, even w/ server log files: we have no way of knowing who did this on our network. yup, that’s BILLIONAIRE Amazon’s cyber security: shruggin’, we-don’t-know, oh well.

    and even scarier: Norton/Symantec has partnered with DigitalOcean for its new VPN service, while there were so many other credible services out there to use.

    159.65.104.178 – – [16/Apr/2019:00:12:31 -0400] “GET /wp-login.php HTTP/1.1” 200 5718 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    159.65.104.178 – – [16/Apr/2019:00:12:32 -0400] “POST /wp-login.php HTTP/1.1” 200 6599 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    159.65.104.178 – – [16/Apr/2019:00:12:34 -0400] “GET /wp-login.php HTTP/1.1” 404 369 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    159.65.104.178 – – [16/Apr/2019:00:12:36 -0400] “POST /wp-login.php HTTP/1.1” 404 369 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    159.65.104.178 – – [16/Apr/2019:00:12:42 -0400] “POST /xmlrpc.php HTTP/1.1” 403 489 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”

    206.189.237.175 – – [13/Apr/2019:17:02:32 -0400] “GET /wordpress/wp-login.php HTTP/1.1” 404 30105 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    206.189.237.175 – – [15/Apr/2019:21:24:40 -0400] “GET /wp-login.php HTTP/1.1” 200 5717 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    206.189.237.175 – – [15/Apr/2019:21:24:42 -0400] “POST /wp-login.php HTTP/1.1” 200 6600 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    206.189.237.175 – – [15/Apr/2019:21:24:45 -0400] “GET /wp-login.php HTTP/1.1” 404 370 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    206.189.237.175 – – [15/Apr/2019:21:24:46 -0400] “POST /wp-login.php HTTP/1.1” 404 370 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    206.189.237.175 – – [15/Apr/2019:21:24:47 -0400] “POST /xmlrpc.php HTTP/1.1” 403 490 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”

    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [14/Apr/2019:06:51:40 -0400] “GET /wp2/wp-login.php HTTP/1.1” 404 30105 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [15/Apr/2019:19:15:33 -0400] “GET /wp-login.php HTTP/1.1” 200 5717 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [15/Apr/2019:19:15:34 -0400] “POST /wp-login.php HTTP/1.1” 200 6600 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [15/Apr/2019:19:15:36 -0400] “GET /wp-login.php HTTP/1.1” 404 366 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [15/Apr/2019:19:15:37 -0400] “POST /wp-login.php HTTP/1.1” 404 366 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-16-108-24.us-east-2.compute.amazonaws.com – – [15/Apr/2019:19:15:37 -0400] “POST /xmlrpc.php HTTP/1.1” 403 486 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”

    ec2-3-123-4-218.eu-central-1.compute.amazonaws.com – – [15/Apr/2019:02:27:54 -0400] “GET /wp-login.php HTTP/1.1” 200 5715 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-123-4-218.eu-central-1.compute.amazonaws.com – – [15/Apr/2019:02:27:55 -0400] “POST /wp-login.php HTTP/1.1” 200 6599 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-123-4-218.eu-central-1.compute.amazonaws.com – – [15/Apr/2019:02:27:56 -0400] “GET /wp-login.php HTTP/1.1” 404 366 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-123-4-218.eu-central-1.compute.amazonaws.com – – [15/Apr/2019:02:27:57 -0400] “POST /wp-login.php HTTP/1.1” 404 366 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”
    ec2-3-123-4-218.eu-central-1.compute.amazonaws.com – – [15/Apr/2019:02:27:58 -0400] “POST /xmlrpc.php HTTP/1.1” 403 486 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0”

    • This reply was modified 5 years, 7 months ago by itnc10001. Reason: typos
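The request sequence in the log excerpt above (a POST to wp-login.php followed seconds later by a POST to xmlrpc.php, with one identical user agent across unrelated clients) can be flagged straight from an access log. This is an added example, not part of the original post or of any plugin mentioned in it; the 30-second window, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format; field layout assumed to match the lines quoted in the post.
LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
WINDOW = timedelta(seconds=30)  # assumed threshold, tune per site

def scripted_clients(lines):
    """Map client -> user agent for clients that POST to wp-login.php and
    then POST to xmlrpc.php within WINDOW (the sequence in the post's logs)."""
    rows = []
    for raw in lines:
        m = LINE.match(raw)
        if m and m["method"] == "POST":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append((ts, m["client"], m["path"].split("?")[0], m["ua"]))
    last_login, hits = {}, {}
    for ts, client, path, ua in sorted(rows):
        if path.endswith("/wp-login.php"):
            last_login[client] = ts
        elif path.endswith("/xmlrpc.php"):
            seen = last_login.get(client)
            if seen is not None and ts - seen <= WINDOW:
                hits[client] = ua
    return hits

def shared_agents(hits, min_clients=2):
    """Group flagged clients by identical user agent; a string shared by
    several unrelated addresses suggests one script behind them."""
    by_ua = defaultdict(set)
    for client, ua in hits.items():
        by_ua[ua].add(client)
    return {ua: sorted(c) for ua, c in by_ua.items() if len(c) >= min_clients}

# Constructed sample: documentation-range addresses, user agent as quoted in the post.
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
def line(client, hms, method, path, status, ua=UA):
    return (f'{client} - - [16/Apr/2019:{hms} -0400] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"')
SAMPLE = [
    line("192.0.2.10", "00:12:31", "GET", "/wp-login.php", 200),
    line("192.0.2.10", "00:12:32", "POST", "/wp-login.php", 200),
    line("192.0.2.10", "00:12:42", "POST", "/xmlrpc.php", 403),
    line("198.51.100.20", "00:40:01", "POST", "/wp-login.php", 200),
    line("198.51.100.20", "00:40:05", "POST", "/xmlrpc.php", 403),
    line("203.0.113.5", "00:50:00", "POST", "/wp-login.php", 302, "ExampleBrowser/1.0"),
]
```

Grouping by user agent rather than by address keeps the signal when the sender moves to another range after a block.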

    Hello @itnc10001

    Hope you are doing well!

    unable to remove app’s settings entirely

    Please make sure the plugin is deleted from Plugins > Installed Plugins, this way all previous settings should be removed. I’ve tested it on my end and it works. However, the Defender database tables are not removed yet.

    Factory Reset option in settings, will be added in the next feature version that will be released soon. Please, keep an eye on a new update.

    there should also be a verification method for valid site owners to get back in — via the email registered to Defender creator/site owner.

    I understand how frustrating it is, getting blocked and going through the process to unblock the IP. Email user validation, it is a great suggestion, thank you. I’ve forwarded it to our developers.

    Have a good day and take care!

    Cheers,
    Nastia

    Hello @itnc10001

    Hope all is well!

    We’ve not heard from you in a while. I’ve marked this ticket as resolved for now, but if you need anything else at all, we’re here for you, please just reopen the ticket or create a new one.

    Have a great day and take care!

    Cheers,
    Nastia

  • The topic ‘locked out but back in through VPN’ is closed to new replies.