The OEMR.org website has been under attack for days now. We have tools that are stopping it, but I find it interesting that the attacker is using actual user names. I'm inclined to flush all users and set up new ones as needed.
I have included just what has been logged in the last few minutes as an example.
Subject: Bruteforce Attack
Login Info:
Time: March 12, 2016 7:58 pm
Website Info:
Site: http://www.oemr.org
IP Address: 192.166.219.45
Notification:
Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830681
Attempt Date/Time: Sun, 13 Mar 2016 00:58:01 +0000
Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830678
Attempt Date/Time: Sun, 13 Mar 2016 00:57:58 +0000
Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830672
Attempt Date/Time: Sun, 13 Mar 2016 00:57:52 +0000
Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830669
Attempt Date/Time: Sun, 13 Mar 2016 00:57:49 +0000
Username: Shameem
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829312
Attempt Date/Time: Sun, 13 Mar 2016 00:35:12 +0000
Username: Shameem
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829306
Attempt Date/Time: Sun, 13 Mar 2016 00:35:06 +0000
Username: Jack
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829300
Attempt Date/Time: Sun, 13 Mar 2016 00:35:00 +0000
Username: Jack
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829297
Attempt Date/Time: Sun, 13 Mar 2016 00:34:57 +0000
Username: yehster
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829296
Attempt Date/Time: Sun, 13 Mar 2016 00:34:56 +0000
Username: yehster
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829291
Attempt Date/Time: Sun, 13 Mar 2016 00:34:51 +0000
Username: Sara
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829289
Attempt Date/Time: Sun, 13 Mar 2016 00:34:49 +0000
Username: Sara
Password: vincent
IP Address: 192.166.219.45
Attempt Timestamp: 1457829283
Attempt Date/Time: Sun, 13 Mar 2016 00:34:43 +0000
Username: uzeitlers@163.com
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829246
Attempt Date/Time: Sun, 13 Mar 2016 00:34:06 +0000
Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829244
Attempt Date/Time: Sun, 13 Mar 2016 00:34:04 +0000
Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829240
Attempt Date/Time: Sun, 13 Mar 2016 00:34:00 +0000
Username: uxlaverejuce@163.com
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828393
Attempt Date/Time: Sun, 13 Mar 2016 00:19:53 +0000
Username: stevalegenrege
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828388
Attempt Date/Time: Sun, 13 Mar 2016 00:19:48 +0000
Username: stevalegenrege
Password: ll4rUJno6Ysb
IP Address: 197.211.45.3
Attempt Timestamp: 1457828379
Attempt Date/Time: Sun, 13 Mar 2016 00:19:39 +0000
Username: xfendlerg@163.com
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457828046
Attempt Date/Time: Sun, 13 Mar 2016 00:14:06 +0000
Username: xfendlerg@163.com
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457828037
Attempt Date/Time: Sun, 13 Mar 2016 00:13:57 +0000
Username: lfancyyaroya
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457827954
Attempt Date/Time: Sun, 13 Mar 2016 00:12:34 +0000
Username: lfancyyaroya
Password: 8J0n3HPMC5KW
IP Address: 73.137.103.187
Attempt Timestamp: 1457827909
Attempt Date/Time: Sun, 13 Mar 2016 00:11:49 +0000
Username: Shameem
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827904
Attempt Date/Time: Sun, 13 Mar 2016 00:11:44 +0000
Username: Shameem
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827902
Attempt Date/Time: Sun, 13 Mar 2016 00:11:42 +0000
Username: Jack
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827900
Attempt Date/Time: Sun, 13 Mar 2016 00:11:40 +0000
Username: Jack
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827894
Attempt Date/Time: Sun, 13 Mar 2016 00:11:34 +0000
Username: yehster
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827891
Attempt Date/Time: Sun, 13 Mar 2016 00:11:31 +0000
Username: yehster
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827888
Attempt Date/Time: Sun, 13 Mar 2016 00:11:28 +0000
Username: Sara
Password: jordyn
IP Address: 192.166.219.45
Attempt Timestamp: 1457827886
Attempt Date/Time: Sun, 13 Mar 2016 00:11:26 +0000
Username: Sara
Password:
IP Address: 192.166.219.45
Attempt Timestamp: 1457827884
Attempt Date/Time: Sun, 13 Mar 2016 00:11:24 +0000
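As an added example (not code from the original post, and not part of the OpenEMR project or the OEMR.org site), the following Python script parses a notification block in the format shown above and triages the sources: it groups attempts by (IP, password) to spot one password being walked across several account names, counts how many of a given list of real account names each IP has probed, and measures the worst burst inside a ten-minute window. The sample records are copied from the notification above; the set of "real" account names, the thresholds and the window are assumptions for the example, not facts about OEMR.org.

```python
import re
from collections import defaultdict

# Sample input, copied from the notification above (not invented): five of its
# records in the plugin's five-line layout, including the empty-password one.
SAMPLE_LOG = """\
Username: yehster
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830681
Attempt Date/Time: Sun, 13 Mar 2016 00:58:01 +0000
Username: Sara
Password: froggy
IP Address: 192.166.219.45
Attempt Timestamp: 1457830672
Attempt Date/Time: Sun, 13 Mar 2016 00:57:52 +0000
Username: uzeitlers@163.com
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829246
Attempt Date/Time: Sun, 13 Mar 2016 00:34:06 +0000
Username: nsrickeneven
Password: jvy6VFCOC81p
IP Address: 208.180.251.57
Attempt Timestamp: 1457829244
Attempt Date/Time: Sun, 13 Mar 2016 00:34:04 +0000
Username: Sara
Password:
IP Address: 192.166.219.45
Attempt Timestamp: 1457827884
Attempt Date/Time: Sun, 13 Mar 2016 00:11:24 +0000
"""

# ASSUMPTION: which login names really exist. The post only says the attacker
# used actual user names; feed the real wp_users list when running this live.
KNOWN_USERS = {"yehster", "Sara", "Shameem", "Jack"}

RECORD = re.compile(
    r"^Username: (?P<user>[^\n]+)\n"
    r"^Password: ?(?P<password>[^\n]*)\n"  # may be empty, as in the post
    r"^IP Address: (?P<ip>[0-9.]+)\n"
    r"^Attempt Timestamp: (?P<ts>\d+)\n",
    re.MULTILINE,
)

def parse_attempts(text):
    """Notification text -> list of {user, password, ip, ts} dicts."""
    return [{"user": m["user"], "password": m["password"],
             "ip": m["ip"], "ts": int(m["ts"])} for m in RECORD.finditer(text)]

def spray_candidates(attempts, min_users=2):
    """(ip, password) pairs tried against >= min_users distinct names: one
    password walked across many accounts is spraying, not a dictionary run."""
    users = defaultdict(set)
    for a in attempts:
        users[(a["ip"], a["password"])].add(a["user"])
    return {k: sorted(v) for k, v in users.items() if len(v) >= min_users}

def max_in_window(timestamps, window):
    """Most attempts from one source inside any `window` seconds."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def triage(attempts, known_users, min_spray_users=2, window=600):
    """Per-IP summary: volume, sprayed passwords, real accounts hit, worst burst."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    spray = spray_candidates(attempts, min_spray_users)
    return {ip: {
        "attempts": len(recs),
        "sprayed_passwords": sorted(pw for sip, pw in spray if sip == ip),
        "real_accounts": sorted({r["user"] for r in recs} & known_users),
        "burst": max_in_window([r["ts"] for r in recs], window),
    } for ip, recs in by_ip.items()}

def block_list(report, min_real=2, burst_limit=10):
    """IPs to hand to Fail2Ban/CloudFlare: spraying, probing several real
    accounts, or more than burst_limit attempts inside the window."""
    return sorted(ip for ip, r in report.items()
                  if r["sprayed_passwords"] or len(r["real_accounts"]) >= min_real
                  or r["burst"] > burst_limit)

if __name__ == "__main__":
    report = triage(parse_attempts(SAMPLE_LOG), KNOWN_USERS)
    for ip, r in report.items():
        print(ip, r)
    print("block:", block_list(report))
```

On the full notification the first source walks each of "froggy", "vincent" and "jordyn" across the same four names, which is the spraying pattern the (IP, password) grouping is built to catch; the other three sources each pair one twelve-character password with an e-mail address and a separate login name, which looks more like replayed credentials from an unrelated list than guessing. The "real accounts hit" count is the signal the thread is worried about: an IP that only hits names that do not exist on the site is noise, one that hits several names that do exist knows something about the user table.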
WordPress sites are prime targets, which is one reason I will not recommend using the WordPress-based CMS portal to my customers.
What's disturbing is they have real login names. Perhaps this would apply?
http://www.tech-evangelist.com/2013/02/19/simple-wordpress-hack-reveals-admin-login-name/
I just tried that but got "Forbidden" so perhaps you already did something about it?
Also see:
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Brute_Force_Attacks
Rod
I am not a big fan of big-box content management packages at all.
I run CloudFlare, Fail2Ban and Sucuri in front of all the websites I host. So we are as safe as can be made possible. As to the OEMR attack, I basically turned the screws very tight right after that post and blacklisted the IP, which seemed to have shut it down.
I do still think cleaning the users out and starting with users that actually want to work on the site would be a good thing ...
Art: big box is the easiest way to find people who can use the site; do something obscure and only us geeks can help, and we are busy already ...
It is unsettling they were using actual usernames: I like the idea of flushing and resetting. This is a prime opportunity to acknowledge that passwords should be rotated at minimum annually.
I agree that WP sites are prime targets, but I also agree that a CMS is the easiest thing for people to work on who are not technically inclined.
I would note that, perhaps, CMS is too easily confused with Center for Medicare Services ... which is decidedly NOT easy to work with :-)
A duly noted, note!
Hm... I find that using custom software is the best solution for dealing with all three CMS flavors (third one being Classified Materials System)