I think someone is trying to force his way into my CMS. The method they are using is described here: they are just trying to generate the same random number as my server did. On August 7th I had 3600 login attempts in 6 hours. They also applied for a user account in the normal way, but because I run the Approve Membership module, I stopped handing out accounts after the first 5. In my articles they had posted some weird comments, which triggered the first investigation.
To stop them I did the following:
- deleted the users
- deleted the sessions
- deleted the comments
- kept the approved users; I now have valid e-mail accounts, requested usernames and requested passwords.
Because I also run the IP Tracking module and Snort, I also have the IP addresses; the IP Tracking module matches those with the requested accounts. All IP addresses seem to be other compromised machines; I blocked those in my firewall. Currently blocked addresses are (in order of appearance):
- 188.8.131.52 through 176
- 184.108.40.206 (close, same ISP!)
My tracking module shows one user switching IP address within 4 minutes. At first, all e-mail addresses pointed at mail.ru, but now they've changed it to Oneoff mail. Requested user IDs are names like Gothambergson; interesting to see is that all requested passwords end in 'pbp'. In my referrer list (CMS and Awstats) are some other compromised machines; all referrers are http://some-machine/modules.php?name=Your_Account
Conclusion? Change your $sitekey from the default value immediately, and change it often.
I'm still thinking about what to do next; writing this article is the first step. Next I could reveal e-mail addresses or detailed info on the attack. For now, this will do.
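As an added example that is not part of the original post, here is a small Python script that flags in a web server access log the two things described above: repeated POSTs to modules.php?name=Your_Account from one address within a short window, and referrers pointing at the Your_Account module on some other host. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed Apache combined-format lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2005:10:00:01 +0200] "POST /modules.php?name=Your_Account HTTP/1.1" 200 512 "http://example.org/modules.php?name=Your_Account" "Mozilla/4.0"
203.0.113.7 - - [07/Aug/2005:10:00:02 +0200] "POST /modules.php?name=Your_Account HTTP/1.1" 200 512 "http://example.org/modules.php?name=Your_Account" "Mozilla/4.0"
203.0.113.7 - - [07/Aug/2005:10:00:03 +0200] "POST /modules.php?name=Your_Account HTTP/1.1" 200 512 "http://example.org/modules.php?name=Your_Account" "Mozilla/4.0"
203.0.113.7 - - [07/Aug/2005:10:00:04 +0200] "POST /modules.php?name=Your_Account HTTP/1.1" 200 512 "http://198.51.100.9/modules.php?name=Your_Account" "Mozilla/4.0"
198.51.100.20 - - [07/Aug/2005:10:05:00 +0200] "GET /modules.php?name=News HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [07/Aug/2005:10:06:00 +0200] "POST /modules.php?name=Your_Account HTTP/1.1" 200 512 "http://example.org/modules.php?name=Your_Account" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"$')

def parse_log(text):
    """Return one dict per line that matches the combined log format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries

def login_bursts(entries, threshold, window_seconds):
    """Map IP -> largest number of Your_Account POSTs seen inside one time window,
    for IPs that reach `threshold` (a sliding window over the sorted timestamps)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and "name=Your_Account" in e["path"]:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def foreign_account_referrers(entries, own_hosts):
    """Hosts other than our own whose Your_Account page appears as a referrer."""
    hosts = set()
    for e in entries:
        ref = urlparse(e["ref"])
        if ref.hostname and ref.hostname not in own_hosts and "name=Your_Account" in ref.query:
            hosts.add(ref.hostname)
    return sorted(hosts)
```

Run it over the real access log (and lower the window to minutes, not hours) to get a per-address count to compare against a normal login rate; the flagged hosts in the referrer list are candidates for the firewall.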
blocked new address: 220.127.116.11
blocked new address: 18.104.22.168