Login Form – POST Request Logged


This topic contains 2 replies, has 2 voices, and was last updated by  Immerse 1 year, 7 months ago.

    #31295

    Immerse
    Participant

    On two sites I use BPS on, I’m getting around 500 hits similar to the one shown below. I’m having to reduce the number of email notifications I get now because it’s getting silly. This has been going on for 2 weeks so far. The IP changes every 2 or 3 hits. However, am I right in thinking that if I see the message below, it means that whoever is behind it didn’t even get to try a username/password? I mean, if it’s a brute force attack that doesn’t even get as far as trying a password, then I can see it’s not a critical thing.

    [Login Form - POST Request Logged: November 1, 2016 - 5:40 pm]
    CAPTCHA Entered:
    BOT/HUMAN: Most Likely a SpamBot
    REMOTE_ADDR: 94.180.207.73
    Host Name: dynamicip-94-180-207-73.pppoe.kzn.ertelecom.ru
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER: http://mysite.com/wp-login.php
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0

    On one of the two domains, I spoke to my hosting folks and they said it was undergoing an xmlrpc attack and they blocked access to it.

    #31296

    AITpro Admin
    Keymaster

    The IP address is a Russian IP address, but there is not any information on whether or not this is a known spambot or hackerbot IP address: http://geoiplookup.net/ip/94.180.207.73 When I do a search for the hostname ertelecom.ru, I found this information: “Ertelecom.ru is a website that engages in a shameless blackhat SEO tactic known as referrer spam indexing.” http://botcrawl.com/block-ertelecom-ru-referrer-spam/

    In any case, since the spambot or hackerbot was blocked then you don’t need to do anything else. Regarding automated emails, you can just choose to delete Security Log files instead of having them zipped and emailed to you. Security Log: Email|Delete Security Log File When… > select Delete Log File. You really don’t need to have your Security Log files zipped and emailed to you unless you are doing something with that Security Log data. We analyze our Security Log data so on average we get about 5 zipped Security Log files per day per website, which is probably about 50,000 blocked attacks per day.

    #31297

    Immerse
    Participant

    That’s fine, thank you. The IP was just one of around 200-250 used today. I think they’ve clocked up about 600 hits so far today. Quite a few are from Russia, but not all. I was looking at the logs a few minutes ago and they’re currently hitting the site about once a minute, alternating IPs every couple of tries.

    I just wanted to be sure I was right in thinking they were getting nowhere with this sort of thing.

    Thanks
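
To size this kind of traffic from the log itself rather than from e-mail notifications, the following added example (not part of the thread and not BulletProof Security code) parses entries in the layout quoted in the first post and counts login POSTs, distinct source IPs and entries with an empty CAPTCHA field. The sample entries, the documentation-range addresses and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the entry quoted in the first post.
# Addresses come from documentation ranges; this is not real traffic.
TEMPLATE = """[Login Form - POST Request Logged: November 1, 2016 - 5:4{n} pm]
CAPTCHA Entered:
BOT/HUMAN: Most Likely a SpamBot
REMOTE_ADDR: {ip}
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
QUERY_STRING:
"""
SAMPLE_IPS = ["192.0.2.10", "192.0.2.10", "198.51.100.7", "203.0.113.5"]
SAMPLE_LOG = "\n".join(TEMPLATE.format(n=i, ip=ip) for i, ip in enumerate(SAMPLE_IPS))

# Entry header: "[<event>: <timestamp>]"; the event ends at the first ": ".
HEADER = re.compile(r"^\[(?P<event>.+?): (?P<when>.+)\]$")

def parse_entries(text):
    """Return one dict per bracketed entry, keyed by the field names in the log."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = {"event": m["event"], "when": m["when"]}
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only, so URLs and user agents stay intact.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def summarize(entries):
    """Count POSTs to wp-login.php, their source IPs, and empty CAPTCHA fields."""
    logins = [e for e in entries
              if e.get("REQUEST_METHOD") == "POST"
              and e.get("REQUEST_URI", "").startswith("/wp-login.php")]
    per_ip = Counter(e.get("REMOTE_ADDR", "?") for e in logins)
    return {
        "login_posts": len(logins),
        "distinct_ips": len(per_ip),
        "empty_captcha": sum(1 for e in logins if not e.get("CAPTCHA Entered")),
        "top_ips": per_ip.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```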
