Repeated attempts to log in to admin

@jrivet I knew that it was a form mail when I read this:
“I’m sorry that you’re experiencing problems with your BT Internet wireless connection.”

*sigh*

tim

@jrivett

Yes, I have been able to find login screens. For example at 89-97-143-189.ip17.fastwebnet.it.

It seems that most likely the embedded web servers on the routers/modems have been exploited.

They need to keep hearing from us.

Any update from Italy’s fastweb or albacom? I’ve had attempts from over 1500 different IP’s in Italy on one small site in the past month. I’m also starting to see them from interact.it & eutelia.it.

Thank goodness for Wordfence and the ability to block based on usernames! Still, it worries me to see so many attempts.

I haven’t heard anything back from my contact requests. That BT abuse email account is still full. Hell of a way to run an ISP.

This post makes me think that what we are seeing is a wide scale exploitation of routers.

https://blog.emsisoft.com/2015/01/10/hacker-group-lizardsquad-used-home-routers-to-attack-xbox-and-playstation-game-servers/

Here is your solution if you run wordpress for a business website not a blogging website that allows users to create an account.

In your WP-ADMIN folder place an .htaccess file where you can ALLOW only the IP Addresses that you know are from trusted sources.

For my site, I run a computer repair business (a local service) so it is just me on the website so it is fairly simple and My .htaccess file allows only my IP Address to access the WP ADMIN LOGIN PAGE.

Here is an example of my wp-admin .htaccess file which allows only my ip address and YOU “WILL” Need to clear the IP Range for the WordFence Server as well in order to execute the scanning function of the plugin.

NOTE: All of the IP Addresses below the first (2) represent the WordFence Server IP Range which can usually be added with short hand expression like this (allow from 69.46.36.0/32) however, for some reason my server on Site5 hosting does not like that and I was forced to enter the whole IP Range manually one address at a time on its own line as you see below!

<Limit GET POST>
order deny,allow
deny from all
allow from 173.239.43.221
allow from 75.191.306.123
allow from 69.46.36.0
allow from 69.46.36.1
allow from 69.46.36.2
allow from 69.46.36.3
allow from 69.46.36.4
allow from 69.46.36.5
allow from 69.46.36.6
allow from 69.46.36.7
allow from 69.46.36.8
allow from 69.46.36.9
allow from 69.46.36.10
allow from 69.46.36.11
allow from 69.46.36.12
allow from 69.46.36.13
allow from 69.46.36.14
allow from 69.46.36.15
allow from 69.46.36.16
allow from 69.46.36.17
allow from 69.46.36.18
allow from 69.46.36.19
allow from 69.46.36.20
allow from 69.46.36.21
allow from 69.46.36.22
allow from 69.46.36.23
allow from 69.46.36.24
allow from 69.46.36.25
allow from 69.46.36.26
allow from 69.46.36.27
allow from 69.46.36.28
allow from 69.46.36.29
allow from 69.46.36.30
allow from 69.46.36.31
allow from 69.46.36.32
</Limit>

So, what this does exactly is, it will dissalow the wp-admin url from resolving for any IP Address that is not cleared through the WP-ADMIN .htaccess rules.

P.S…In case you want to see an example of a standard business website that I am referring to that is developed using wordpress (not a blog site) this is my website https://www.pcmedicsoncall.com/

ENJOY!

Cam ??

I’m having the very same problem. My site is actually going down for a brief period (usually 5-15 minutes) each day. I get the report in an email from JetPack. This seems to be when they are all trying to login. I’ve tried blocking each of the hosts and as a source site without success. But I’m getting the attempts from:

fastwebnet.it
eutelia.it
static.albacom.net
interac.it

If anyone finds out how to shut this down it would be great.

I am glad to see this problem being discussed here, we have numerous websites with the same problem. Non-stop daily login attempts from Italian IP’s (albacom.net). We will be implementing these suggestions and subscribing to the updates on this thread. Thanks!

I’ve resorted to public (Twitter) shaming of BT Italy (via @btletstalk). Gotta get their attention somehow.

Good idea jrivett, I’ll join you on that. Twitter is good for that..

The hits continue unabated. So, I just blocked whole ranges of addresses for fastwebnet.it and albacore.net.
89.96.0.0 – 98.97.255.255 (fastwebnet.it)
93.32.0.0 – 93.62.236.159 (fastwebnet.it)
78.4.0.0 – 78.7.255.255 (albacom.net)
I see a few hits now from tiscali.it and momax.it. Anyone else seeing them?
When I counted the hits before, I missed counting those that were trying again even but already blocked for 30 days based on my optional setting. (Not worth bothering to count now.) There may be 1 person in Italy legitimately trying to access our site. I’m sorry for them.

Yes, I’m getting hit from tiscali.it and momax.it now too, as well as eutelia.it. WTF is going on in Italy?

BonJon9 The range 89.96.0.0 – 98.97.255.255 includes my ip, I’m located in NC,USA (thought you might find that interesting to note.)

I decided to change Wordfence options to automatically ban anyone who uses the username admin, because that is exactly what these Italian ips are using.

Thanks. I meant 89.96.0.0 – 89.97.255.255 Does that include you? I definitely don’t want to block NC addresses!

Bonjon9, that range doesn’t include me.
Thanks for sharing your findings.