• Resolved Mark Housel

    (@mark-housel)


    I receive endless login attacks from US (white listed) IP addresses, almost all from the same ISP and EVERY one from something related to “github mechanize”.
    Is this some sort of automated virus factory designed to attack web sites?

    Below is a typical log entry. Different IP addresses but all associated with the same ISP [Enzu] and this github mechanize BS?
    Yes, so far they always fail but is there a way to block them such that they don’t even get a chance to succeed?
    Can someone explain what the log entry is telling me? I am ignorant of such things (I’m a machinist by trade) but am trying to protect my website as best I can.

    I have only my Admin account and a couple of “customer” accounts for testing purposes and no one but me should EVER be logging in to my web site.

    Thanks,
    Mark

    Date IP address Code Result Request

    2017-06-08 20:43:29 199.193.251.45 US failed POST[443]:/login/
    User agent:
    Mechanize/2.7.3 Ruby/1.9.3p551 (https://github.com/sparklemotion/mechanize/)
    HTTP headers:
    HTTP_KEEP_ALIVE=300,HTTP_REFERER=https://www.landmprecisiongunworks.com/login/?redirect_to=https%3A%2F%2Fwww.landmprecisiongunworks.com%2Fwordpress%2Fwp-admin%2F&reauth=1
    $_POST data:
    action=login,log=admin,pwd=123123,_wp_original_http_referer,redirect_to,instance

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter Mark Housel

    (@mark-housel)

    FWIW, and somewhat ironically, I just received a response from an email I sent to Enzu 3 or 4 days ago (but no reply possible of course) saying something about contacting the owner of ONE of the IP addresses that continually attack my login from that ISP.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Mark,

    Has Enzu already suspended or frozen the attacker’s account?

    The attacks did not come from github but from an Enzu server.

    User agent:
    Mechanize/2.7.3 Ruby/1.9.3p551 (https://github.com/sparklemotion/mechanize/)

    The user agent string is just like the name of a browser. In this case, it is “Mechanize”, which is a library for crawling web sites. So someone put an attacking tool using the “Mechanize” library on an Enzu server.

    I am ignorant of such things (I’m a machinist by trade) but am trying to protect my website as best I can.

    I can understand your feelings.

    I have only my Admin account and a couple of “customer” accounts for testing purposes and no one but me should EVER be logging in to my web site.

    If you know about the range of your IP addresses, then you can put them into the “Blacklist of extra IP addresses prior to country code”.

    Or if your IP addresses can be converted to the host name, you can use IP Geo Allow, which is an extension of IP Geo Block. It makes admin screens strictly private in a more flexible way than specifying IP addresses.

    Hope this can help you.

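As an added example (not code from the thread or from the plugin), here is the log layout shown above parsed and summarised per source IP: it keeps the username that was tried but drops the submitted password, and flags an IP whose failed /login/ attempts come from a scripting library such as Mechanize. The second log entry and the 198.51.100.7 address are constructed; the first entry is the one from the thread.

```python
import re
# Constructed sample in the plugin's log layout: entry 1 is the one from the thread,
# entry 2 is made up (198.51.100.7 is a documentation-range address).
SAMPLE_LOG = """\
2017-06-08 20:43:29 199.193.251.45 US failed POST[443]:/login/
User agent:
Mechanize/2.7.3 Ruby/1.9.3p551 (https://github.com/sparklemotion/mechanize/)
HTTP headers:
HTTP_KEEP_ALIVE=300,HTTP_REFERER=https://www.landmprecisiongunworks.com/login/
$_POST data:
action=login,log=admin,pwd=123123,_wp_original_http_referer,redirect_to,instance
2017-06-08 21:02:10 198.51.100.7 US passed POST[443]:/login/
User agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
HTTP headers:
HTTP_KEEP_ALIVE=300
$_POST data:
action=login,log=mark,pwd=not-shown,redirect_to
"""
ENTRY_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) (?P<cc>\w\w) (?P<result>\w+) (?P<request>\S+)$")
LIBRARY_UA = re.compile(r"Mechanize|python-requests|curl/|Go-http-client", re.I)  # scripting tools, not browsers

def parse_entries(text):
    """One dict per entry; a 'Label:' line names the section the following line belongs to."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current, section = m.groupdict(), None
            entries.append(current)
        elif line.endswith(":"):
            section = line[:-1]
        elif current is not None and section:
            current[section] = line
    for e in entries:  # keep the username that was tried, drop the submitted password
        post = dict(kv.split("=", 1) for kv in e.pop("$_POST data", "").split(",") if "=" in kv)
        e["username"] = post.get("log")
        e["library_ua"] = bool(LIBRARY_UA.search(e.get("User agent", "")))
    return entries

def summarize(entries, threshold=3):
    """Per source IP: failed /login/ count, usernames tried, scripted UA; flagged at threshold or any scripted failure."""
    stats = {}
    for e in entries:
        s = stats.setdefault(e["ip"], {"failed": 0, "usernames": set(), "library_ua": False})
        s["library_ua"] |= e["library_ua"]
        if e["result"] == "failed" and e["request"].endswith("/login/"):
            s["failed"] += 1
            s["usernames"].add(e["username"])
    return {ip: dict(s, flagged=s["failed"] >= threshold or (s["library_ua"] and s["failed"] > 0)) for ip, s in stats.items()}
```

Flagged IPs are the ones worth putting into the plugin's extra-IP blacklist; the summary never retains the passwords the attacker submitted.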
    Thread Starter Mark Housel

    (@mark-housel)

    Thank you.
    I have contacted Enzu about probably half a dozen different IP addresses but I am not clear on what they have actually done on their end.

    I will try those mechanisms to block those IP addresses as they appear. I was trying not to just put them in the .htaccess DENY list.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Mark,

    I was trying not to just put them in the .htaccess DENY list.

    If you can do it by yourself, that’s good. And when you have something to propose for this plugin, please let me know.

    Thanks.

    I have a similar problem. I see in WF live traffic that blacklisted countries are trying to log in. I have had this problem for a few weeks. I thought it would be fixed with the last updates. But today it is the same.

    I think many of those that look like hackers ain’t hackers. That happens because the login form can be shown, so the login form needs a redesign, with more user information and blocking of specific countries (not a part of this plugin).

    Moving the login page doesn’t solve that problem, as Chinese and Russian search machines search everything and don’t care about .htaccess; they give results anyway.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi @vedsegaard,

    Moving the login page doesn’t solve that problem

    I agree. XML-RPC can also be used for login attempts.

    7 Popular WordPress Security Myths

    https://www.ipgeoblock.com/changelog/release-2.2.3.html#xml-rpc-systemmulticall

  • The topic ‘white listed countries login attacks all from github?’ is closed to new replies.