To the hacker trying to log into my WP blog

Please, just stop.

Let’s talk about what you want in the comments section?

 

Update: The hacker has been using an IP – 74.91.20.14 from Kansas City which has been blocked.

Update 2: The hacker has now started using an IP –  94.185.85.42 from Sweden which has now been blocked too. Good luck idiot.

Update 3: My hacker has turned into a spammer. Apart from using the following IPs to try to log into my blog,

91.217.101.247, 78.130.226.69, 109.175.6.137, 94.50.173.99, 95.56.146.170,

95.239.168.196, 217.118.81.13, 217.9.237.26, 176.102.32.47,  200.29.112.243,

92.60.234.183, 189.195.192.33, 77.66.236.145, 189.72.213.165, 203.77.43.96,

94.29.189.206, 60.249.130.169, 46.172.200.79, 178.234.219.188, 182.178.58.119,

88.206.117.39,  85.217.201.124, 95.82.248.125 (and a lot others)

(use geoiptool and whois to see where these IPs are from and who they belong to)

I am also being bombarded by spam comments and link backs on my blog. Boy am I glad to be running Disqus instead of the default comments right now!

In other news, I found out that Cloudflare only allows blocking of 2 IPs for a free account. That means I’m left to my own devices to reduce this threat. Thank Johanee for the wonderful Limit Login Attempts plugin for WordPress.

 

Update 4: Ok, I’m kind of liveblogging this. But it’s turning into an interesting nightmare. The more I heckle this hacker, the more I’m being bombarded with spam and the more IPs he’s using to try to log into my account (to avoid the login attempts limit). Here’s a nice map showing the IPs I’ve logged (Shows the number of machines under his control) –

IPs around the world. Most of these are showing as Windows hosts, but some are registering as Mac. That doesn’t look good!

Attribution: The above map is from http://www.phpace.com/tools/network-tools/ip-to-location/ which seems to be using Google Maps and the MaxMind GeoIP service.

 

Update 5: It seems that the dictionary attack has come to an end for the day. The hacker used an intelligent list of commonly used passwords instead of just bombarding me with all possible words from a-z. Thanks to the ThreeWP Activity Monitor plugin, I’ve been able to compile a list of IPs, browsers associated and passwords used by the hacker. I’ve created a nice Google Map to pinpoint all the locations of the possibly infected computers used by the hacker. That map is more comprehensive than the image above. I’ve also attached a nice python list of all the IPs, if someone wants to do something with them (for example, if someone from CloudFlare wants to include said IPs in their network).

Google Map

Combined Info on passwords, IPs, user agent info of infected computers.

python IP list

Attribution: Google Maps for the map, Maxmind for the GeoIP API, pygmaps for the library. If anyone’s interested, I’ll upload the python code I used to create the map (though it’s pretty simple).

 

Update 6: You would have thought this person would have given up after a week of hitting on my blog, but that doesn’t seem to be the case. I receive about 7-8 spam comments a day and 30-50 login attempts a day. I’ve started to hit back. I’m recognizing frequently used IPs and reporting them for abuse to their owner companies. I’ve sent a list of IPs to Cloudflare and asked them to put those IPs in their block lists. I’ve found something called RBLs (Realtime Blackhole Lists) which list IPs used by spammers. Many of these lists already have the IPs that I’m getting hit with listed in their files. Most of these lists do not accept user contribution but some of them do. I’m finding the ones that do and systematically reporting every IP used by the hacker.

Also, I’ve downgraded his level from hacker to spammer and from spammer to script kiddie. From here on out I’ll be referring to this person only as a script kiddie.