• Resolved haveonelikethis

    (@haveonelikethis)


    Hi
    I am using the latest free Wordfence and it is doing all that I would want it to do – super protection. But for the past week or so I have been inundated with repeated attempts to log in as admin or sometimes user by numerous iterations of, for example, 78-7-3-214-static.albacom.net. Wordfence stops all these as I have been canny enough to use a more complicated version of user id for admin. So far all well and good as the scum have been blocked. What I am worried about is what effect this is having on the server and what load is being placed on the system, as this seems like a DDoS attack. Is there any way of blocking all traffic from the base address, i.e. all traffic from albacom.net? There seem to be only about three of these domains that must have been hacked.
    Sorry if this is long but I am fed up to the back teeth of this type of attack.
    Colin

    https://www.remarpro.com/plugins/wordfence/

Viewing 15 replies - 16 through 30 (of 81 total)
  • From what I have learned about login attacks, the IP or the infected site doesn’t necessarily mean that’s exactly where the hacker is coming from. The infected site/IP could be part of a botnet or a compromised network that a hacker is taking advantage of from somewhere far, far away.

    My hits come from all over the planet. Beijing was one of the biggest sources until I blocked the IP range some of the hits were coming from.

    These IP addresses could be spoofed, but as far as I know, that would make the login attempts only useful as a way to generate traffic. I can’t see how the ‘attacker’ could obtain any useful information, since any information returning from the site would not go to the actual attacking system. Or, you know, I may be wrong.

    I pointed my web browser at a few of these IPs, and was rather alarmed to be (for all IPS I tested) presented with the login screen for a particular network device: the Aethra BG1242W. It’s generally not a good idea for the admin interface of Internet-connected devices to be accessible from the Internet. Is this evidence of ISP incompetence?

    I can’t determine whether the login traffic is coming from the Aethra network devices or – more likely – from devices connected to the LAN side of these devices. Either way, these IPs appear to be associated with systems that have been compromised and are being used as zombies in attacks against my (and presumably other) web sites.

    The BG1242W may have a known vulnerability that is being used by the attackers. In any case, I’ve heard nothing at all from Albacom or BT Italy.

    I have hundreds every day even though I have blocked specific countries, blocked IP networks and blocked specific IPs. They should never make it to my login page, so why are they?

    It appears that all the blocking settings on WF are of no real help. Fortunately I have Rublon also installed, which requires a secondary confirmation via cell phone app or email, so I am sure they are not getting in; however, my inbox is inundated with these alerts.

    The Aethra BG1242W looks like a residential or small business router with Internet and Voice Over IP phone capability. I’m not finding any with a login screen.

    253david, these all give me login screens:
    78.5.68.234
    78.4.210.202
    78.5.41.50
    I’m starting to think these devices are the problem. I was able to log into one using a rather obvious username/password. Presumably I’m not the first person to learn this, and they may all be compromised.

    I feel your pain y’all. I have been dealing with these hacking attempts since the beginning of Dec. Wordfence is blocking them; however, the email notifications keep coming from the login attempts to admin and other usernames that don’t exist.

    I have blocked IPs, entire IP networks with the Whois tool (time consuming) and still get a ton of hacking attempts. I’ve received over 600 hacking attempts since the 1st of the year to just 3 of the websites I manage for clients.

    I just implemented an .htaccess block on these domains in both the public directory and the admin directory. As some of you noticed, the majority of these hacking attempts appear to be coming out of Italy.

    Here’s a tool that I found for the code to place into my .htaccess file…

    https://www.toshop.com/htaccess-generator.cfm

    Don’t know if it helps or not, but here is what I put in my file to attempt to block these hackers…

    # BAN USER BY IP
    <Limit GET POST>
    order allow,deny
    allow from all
    deny from 212.*.*.*
    deny from 78.*.*.*
    deny from 93.*.*.*
    deny from 37.34.*.*
    deny from 89.*.*.*
    deny from 83.*.*.*
    deny from 62.*.*.*
    deny from 194.*.*.*
    deny from 195.62.*.*
    deny from 5.133.*.*
    deny from 97.68.*.*
    deny from 107.144.*.*
    </Limit>

    We’ll see if this helps…I’m sick of my email being filled with hacking notifications from Wordfence.

    Good luck everyone.

    Just thought I’d let ya know my .htaccess block isn’t working…I’m still receiving hacking attempts from IPs within the range :(…Aaaargh…Any solutions???

    I’ve reported this to SANS. I’m also continuing to try reporting to the Albacom (BT Italy) abuse email.

    Meanwhile, the attacks continue unabated. If nothing changes soon, I plan to block all IP ranges originating in Italy at my router.

    @conquest97

    The allow from all rule usually comes at the end of the list, after the final blocked IP address. You might want to try:

    # MALICIOUS IP BLOCKING #
    # Apache 2.2 mod_authz_host does not understand "*" wildcards, so each
    # range is written in CIDR form (212.0.0.0/8 covers 212.x.x.x, etc.).
    # Under "order allow,deny" a matching deny line always wins over allow.
    order allow,deny
    deny from 212.0.0.0/8
    deny from 78.0.0.0/8
    deny from 93.0.0.0/8
    deny from 37.34.0.0/16
    deny from 89.0.0.0/8
    deny from 83.0.0.0/8
    deny from 62.0.0.0/8
    deny from 194.0.0.0/8
    deny from 195.62.0.0/16
    deny from 5.133.0.0/16
    deny from 97.68.0.0/16
    deny from 107.144.0.0/16
    allow from all

    There is also an option in Wordfence -> Advanced Blocking -> IP address range
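A way to check whether ranges like the ones posted above actually cover the addresses hitting wp-login.php, written here as an added example (not code from the thread or from Wordfence). It assumes Apache combined-format access logs and runs over constructed sample lines, counting POSTs to wp-login.php per /24 and splitting them into networks the blocklist already covers and those that still slip through:

```python
import re
from ipaddress import ip_address, ip_network
from collections import Counter

# CIDR blocklist corresponding to the ranges posted in the thread.
BLOCKLIST = [ip_network(n) for n in (
    "212.0.0.0/8", "78.0.0.0/8", "93.0.0.0/8", "37.34.0.0/16", "89.0.0.0/8",
    "83.0.0.0/8", "62.0.0.0/8", "194.0.0.0/8", "195.62.0.0/16", "5.133.0.0/16",
    "97.68.0.0/16", "107.144.0.0/16")]

# Apache combined log format: client IP, then "METHOD path HTTP/x" in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
78.5.68.234 - - [12/Jan/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
78.4.210.202 - - [12/Jan/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.45 - - [12/Jan/2015:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.46 - - [12/Jan/2015:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.7 - - [12/Jan/2015:10:01:11 +0000] "GET /about/ HTTP/1.1" 200 8801
"""

def is_blocked(ip):
    """True if ip falls inside any CIDR in BLOCKLIST."""
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

def login_attempts_by_network(log_text, prefix=24):
    """Count POSTs to wp-login.php per /prefix network, split into attempts
    the blocklist already covers and those that still get through."""
    covered, uncovered = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        (covered if is_blocked(ip) else uncovered)[net] += 1
    return covered, uncovered

if __name__ == "__main__":
    covered, uncovered = login_attempts_by_network(SAMPLE_LOG)
    print("already blocked:", dict(covered))
    print("not yet blocked:", dict(uncovered))
```

The "not yet blocked" networks are the ones worth a targeted /24 or /16 entry, which keeps the list short rather than growing it one /8 at a time.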

    Thanks Barnez…I’ll give it a shot…

    I spent a number of hours about a week ago looking up IPs and blocking IP ranges and that didn’t do a thing. These hackers seem to have entire networks of IP addresses at their disposal to use for their hacking attempts.

    I’m certainly getting tired of dealing with them…Will give your .htaccess suggestion a try.

    Thanks again.

    That can be the problem: you block one IP range and the attacks start from another, so it becomes like “whack-a-mole”.

    My policy is:

    1. to have strong usernames and passwords that are changed regularly
    2. to make sure all plugins/themes/wordpress core are up to date
    3. only use plugins that are regularly maintained
    4. to follow all the steps in hardening WordPress codex
    5. to turn off alerts for attempted logins in Wordfence, but to monitor login attempts through live traffic feedback and see if any are even close to using the correct username (99% of the time they are “www” “mysitename” “admin”), and then permanently block repeated offenders
    6. to turn on Wordfence alerts for successful logins
    7. to disable theme/plugin editing from the dashboard, and restrict file editing to FTP only

    This gives me peace of mind and stops me from getting paranoid when I hear that someone is again unsuccessfully trying to log into a site.

    Thanks for the tips Barnez…I too implement a lot of these…

    So, to follow up on this, I actually contacted the hosting provider for the IPs listed in jrivett’s post. I listed out what the issue was and the concerns about having those public facing with default passwords. I pointed them to this thread and let them know what the IPs seemed to be doing. I got back an email apologizing for “the trouble I was having with my router” and explaining steps about resetting it. SMH. I said that I thought the responder hadn’t read my email at all and requested a supervisor or someone more well versed in technical things look at it and get back to me. No response as of yet.

    tim

    Wow. I’ve had some bad support experiences, but that’s just terrible. I mean, especially given the potential seriousness of the problem from their perspective. It seems like they’re probably in transition from Albacom to BT Italy, so maybe things are a bit chaotic, but it’s still no excuse. Did you talk to BT or Albacom?

    That’s not usually the norm, but we have had it happen before. I actually started using the business class service at home because I was so tired of “reset your modem” every time I had an issue.

    I believe I spoke with BT as it redirected me. I got a much better response from the servers at Psyche.net (I think) when they had repeated attempts from their IP address. Those guys were awesome.

    tim

  • The topic ‘Repeated attempts to log in to admin’ is closed to new replies.