POP3 bruteforce hacking scans IP 64.233.145.246

Nov 21 06:12:21 isis dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chris rhost=64.233.145.246
Nov 21 06:12:21 isis dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=cherokee rhost=64.233.145.246
Nov 21 06:12:23 isis dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=chat rhost=64.233.145.246

# cat /var/log/auth.log|grep 64.233.145.246|grep -c failure
20293

Over 20000 tries to guess passwords on this system. What a retard.

wordpress multiuser abuse IP 180.180.34.80

Country: Thailand. Thailand does not care about abusive users. The best option is to block the entire provider in .htaccess:

Deny from 180.180

And you are done, unless you have legitimate business with this provider.

What did this user do? A manual signup bypassing the captcha and humanity check to create a spam casino blog, which is clearly against our TOS. Removed retarded user without any compassion.

IP 87.126.64.28 ip 91.196.159.119 ip 223.205.35.64

Blacklist these IPs because they are WordPress MU spam bloggers. For IP 223.205.35.64 it is best to block the whole 223.205.0.0 – 223.205.255.255 network. It is an ISP from Thailand, a spammer's heaven. I would personally block the entire APNIC range 223.x.x.x; I have no business with the whole Pacific region. IPs 91.196.159.119 and 223.205.35.64 did signups without confirmation by using a hacking technique.

IP 69.117.22.240 – abuse of wordpress multiuser multiple signups

Block IP 69.117.22.240 on your blacklists. This abuser does multiple signups on different WordPress multiuser platforms using the following e-mail domains. You might block these domains too:

supermailpro.com
homemailpro.com
junklessmail.com
stampfreemail.com
bestmailonline.com

IP 74.86.100.34 splogs abuse

Multiple signups detected from IP 74.86.100.34 on honeypot WPMU installations.

powered by wpmu – http post abuse

"POST /wp-signup.php HTTP/1.1" 200 5458 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"

Abusive IP’s 23 May 25 May 2009


IP 174.139.6.58 – WPMU and forum spammer

Multiple user signups into several WPMU honeypots.

New User: zhanglingjuan111
Remote IP: 174.139.6.58

New User: zhanglingjuan112
Remote IP: 174.139.6.58

New User: zhanglingjuan113
Remote IP: 174.139.6.58

New User: zhanglingjuan114
Remote IP: 174.139.6.58

New User: zhanglingjuan115
Remote IP: 174.139.6.58

libcurl http post abuse

You can spot libcurl bots trying to abuse your WPMU server easily. Look in your logfiles for the following signs:

An entry with a GET request for your "/wp-signup.php" page from a client claiming to be Mozilla.

76.105.13.208 - - [10/May/2009:06:19:58 +0200] "GET /wp-signup.php HTTP/1.1" 200 4488 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

Right after this initial GET request there will be an automated POST request from the same IP address to your wp-signup.php. Sometimes bots work in clusters, so that the one performing the GET can tell another client to attempt the signup.

76.105.13.208 - - [10/May/2009:06:19:59 +0200] "POST /wp-signup.php HTTP/1.1" 200 4614 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
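The two signs above can be checked automatically. The following is an added example, not code from the original post: it scans combined-format access log lines for a POST to /wp-signup.php that follows a GET from the same IP within a short window under a different client string, and also flags curl POSTs with no preceding GET (the cluster case). The function name, the 10-second window and the sample lines for 192.0.2.10 and 198.51.100.7 are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample: the two entries quoted on this page, one made-up human
# signup (same browser, 40 s apart) and one made-up curl POST without a GET.
SAMPLE_LOG = '''\
76.105.13.208 - - [10/May/2009:06:19:58 +0200] "GET /wp-signup.php HTTP/1.1" 200 4488 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
76.105.13.208 - - [10/May/2009:06:19:59 +0200] "POST /wp-signup.php HTTP/1.1" 200 4614 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
192.0.2.10 - - [10/May/2009:06:25:00 +0200] "GET /wp-signup.php HTTP/1.1" 200 4488 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.10"
192.0.2.10 - - [10/May/2009:06:25:40 +0200] "POST /wp-signup.php HTTP/1.1" 200 4614 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.10"
198.51.100.7 - - [10/May/2009:06:30:00 +0200] "POST /wp-signup.php HTTP/1.1" 200 4614 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
'''

def find_signup_bots(lines, window=timedelta(seconds=10), path="/wp-signup.php"):
    """Return (ip, get_agent, post_agent, gap_seconds) for each suspicious POST.
    Lines must be in chronological order, as they are in an access log.
    get_agent and gap_seconds are None when no GET preceded the POST."""
    last_get = {}  # ip -> (timestamp, agent) of its latest GET of the signup page
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"].split("?")[0] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, agent = m["ip"], m["agent"]
        if m["method"] == "GET":
            last_get[ip] = (ts, agent)
        elif m["method"] == "POST":
            prev = last_get.get(ip)
            scripted = "curl" in agent.lower()  # also matches "libcurl"
            if prev and ts - prev[0] <= window and (scripted or prev[1] != agent):
                hits.append((ip, prev[1], agent, (ts - prev[0]).total_seconds()))
            elif scripted:  # POST with no recent GET from this IP: cluster case
                hits.append((ip, None, agent, None))
    return hits

if __name__ == "__main__":
    for hit in find_signup_bots(SAMPLE_LOG.splitlines()):
        print(hit)
```

The returned IP addresses are candidates for the iptables or .htaccess blocks; review them before blocking, since the client string alone is under the client's control.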

If you are wondering why people keep adding accounts to your WPMU installation without confirmation, even with the captcha plugin activated: this is because you are running a vulnerable WPMU installation.

You will have to upgrade to correct this issue. These bots can register a blog directly into your WPMU installation, bypassing the captcha security system and e-mail confirmation.

To keep these bots out permanently, it is better to block them using iptables or .htaccess.

I have compiled a blacklist of very annoying ip addresses that kept bashing my wp-signup.php page with their libcurl bots to a point it became very annoying.

WPMU sign-up http post abuse ip blacklist


adsense revenue sharing wordpress powered by wpmu

WPMU blogs with AdSense Revenue Sharing have a WordPress plugin installed which allows you to easily display ads in the posts on your blog with your own Google AdSense publisher code.

With WPMU blog sites you can easily build a ring of content blogs and start blogging for cash.
