Viewing 15 replies - 1 through 15 (of 15 total)
  • Same here…

    My sites haven’t seen it yet, but I am nearing the end of Version 6.0 of the plugin that will have much tighter control over spam and logins/registrations.

    I have an htaccess file on my site that may help

    https://www.kpgraham.com/htaccess.txt

    Add this (855K) file to your htaccess and it stops a lot of spam if you don’t mind keeping out much of Russia and China.

    This file is very very unforgiving so test it first. Make sure you delete any lines for your own hosting company.

    Keith

    Keith

    It seems to have stopped…….

    It looks like there was a way to do an SQL injection that gave a list of valid user IDs, but not passwords. Blogs were getting dictionary attacks on valid user ids. The plugin lets a valid user id through so as not to lock out registered users, even if the password is wrong.

    It was not all WP installs, just a few, which means that it is probably a vulnerability in a plugin that you have. I hope it is not one of mine.

    These are some recently discovered problem plugins:
    HDW Player Plugin
    WP Symposium Plugin
    Photo Gallery plugin 1.2.7
    Welcart e-Commerce plugin 1.3.12
    Another WordPress Classifieds Plugin
    Cart66 Lite
    Smarty Pants Plugins SP Project & Document Manager
    wpDataTables plugin 1.5.3
    Google Doc Embedder plugin before 2.5.15
    Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5
    CP Multi View Event Calendar plugin 1.01
    GB Gallery Slideshow plugin 1.5
    WordPress Spreadsheet (wpSS) plugin 0.62
    BulletProof Security plugin before .51.1
    Huge-IT Image Gallery plugin 1.0.1

    Keith

    Thread Starter halbert

    (@halbert)

    Thanks for the update. I also noticed that the flood of attacks is slowing but not quite stopped.

    The SQL injection attack is somewhat concerning though. I don’t have any of those plugins on any of my sites but that means the problem is more widespread.

    -Allan

    I have noticed a massive increase also, since downloading 5.9.3. We have previously blocked a number of Class B and C IPs, using the form nn.mm.*, as in a previous support issue here. These appear not to be working any longer. Addresses from nn.mm.kk.ll are passing.

    I have an alpha test of Stop Spammers on https://www.blogseye.com. It is stable, finally, but there are lots of little things not implemented. It does not work for MU networked blogs and will crash on MU sites. Select Beta Test Plugins in the menu at the top.

    Download and unzip to the plugins directory. Disable the current Stop Spammers but do not delete it. The new plugin can then be activated and will use the old plugin’s settings.

    There are a variety of testing options to see why you are having problems. The messages are more detailed.

    Run it for a while and let me know if it was helpful. When you are done you can put the previous plugin back into production.

    Keith

    Unfortunately, I cannot modify our production site so easily (policy). It requires scheduling. However, from all indications, the rather long blacklist is currently being partially ignored. We have had more attacks get through since the upgrade than in the past two years combined.

    In the new plugin I have completely rewritten black list processing.

    However there could be other factors.

    If you are using CloudFlare or some other proxy server to protect your site, the IP address could be the IP of the proxy and not the actual incoming IP.

    Proxy servers and firewalls have to be configured to pass through the original IP address so that the plugin can check it. If they do not, the plugin will pass because it sees the proxy’s IP.

    If you are using CloudFlare, the plugin sees CloudFlare’s IP as the incoming IP. CloudFlare has a plugin that corrects this and it must be installed if you are using CloudFlare with Stop Spammers.

    Keith
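
The point above about proxies, as an added example that is not part of the original post or of either plugin: the forwarded client address is used only when the connection itself comes from a known proxy range, because any client can send that header directly. `TRUSTED_PROXIES`, `in_cidr()` and `client_ip()` are hypothetical names, the range is a constructed placeholder, and the code assumes IPv4 on 64-bit PHP.

```php
<?php
// Added example; not code from Stop Spammers or from CloudFlare's plugin.
// Assumption: TRUSTED_PROXIES holds the ranges of the proxy in front of the
// site. The range below is a constructed documentation range. IPv4 only.
const TRUSTED_PROXIES = ['203.0.113.0/24'];

function in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
    $ipL   = ip2long($ip);
    $netL  = ip2long($parts[0]);
    if ($ipL === false || $netL === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

// Returns the address a blacklist check should look at.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach (TRUSTED_PROXIES as $range) {
        if (!in_cidr($peer, $range)) {
            continue;
        }
        // Only a trusted proxy may tell us who the real client is.
        $fwd = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
        if (filter_var($fwd, FILTER_VALIDATE_IP) !== false) {
            return $fwd;
        }
    }
    return $peer;   // direct connection, or header missing/invalid
}

// Constructed requests (in production, pass $_SERVER).
$viaProxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7'];
$direct   = ['REMOTE_ADDR' => '192.0.2.44',   'HTTP_CF_CONNECTING_IP' => '198.51.100.7'];
// Peer is inside the trusted range, so the forwarded address is used.
echo client_ip($viaProxy), "\n";
// Peer is not a trusted proxy, so the header is ignored.
echo client_ip($direct), "\n";
```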

    We do see the originating IP addresses – no CloudFlare. There are three Class A’s coming from one region that are presenting a problem. What we do see is that the SFS and HoneyPot addresses are correctly blocked, and individual black list entries are blocked successfully, but blocking something like 111.* (fake example) is not working. I have contacted our ISP in the meantime, but the attacks are getting worse and the situation is more urgent.

    Bug in 5.9.3

    I am very sorry.

    Line 265

    change
    $n1=strtolower(substr($val,0,strpos($val,'*')));

    to
    $n1=strtolower(substr($val,0,strpos($val,'*')-1));
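
One way to match wildcard blacklist entries such as `111.*` on whole octets, with constructed test vectors that show which addresses an entry blocks. This is an added example, not the plugin's code and not part of the original post; `ip_matches_entry()` is a hypothetical name, and the code around line 265 is not shown on this page.

```php
<?php
// Added example; not the Stop Spammers plugin's code.
// ip_matches_entry() is a hypothetical helper name.

function ip_matches_entry(string $ip, string $entry): bool
{
    $ip    = strtolower(trim($ip));
    $entry = strtolower(trim($entry));
    if ($ip === '' || $entry === '') {
        return false;
    }
    // strpos() returns false (not 0) when there is no '*', so test with ===.
    $star = strpos($entry, '*');
    if ($star === false) {
        return $ip === $entry;                 // exact entry
    }
    // Text before '*', without the trailing dot: "111.*" -> "111".
    $prefix = rtrim(substr($entry, 0, $star), '.');
    if ($prefix === '') {
        return false;                          // a bare "*" blocks nothing here
    }
    // Compare whole octets, so "111" never matches "11.1.2.3" or "2.111.3.4".
    return $ip === $prefix || strpos($ip, $prefix . '.') === 0;
}

// Constructed test vectors: [address, blacklist entry, should it be blocked?]
$cases = [
    ['111.2.3.4',     '111.*',        true],
    ['11.1.2.3',      '111.*',        false],
    ['2.111.3.4',     '111.*',        false],
    ['111.22.3.4',    '111.22.*',     true],
    ['111.220.3.4',   '111.22.*',     false],
    ['198.51.100.7',  '198.51.100.7', true],
    ['198.51.100.70', '198.51.100.7', false],
];
$failures = 0;
foreach ($cases as [$ip, $entry, $want]) {
    $got = ip_matches_entry($ip, $entry);
    $failures += ($got === $want) ? 0 : 1;
    printf("%-14s %-13s %s\n", $ip, $entry, $got ? 'block' : 'pass');
}
echo $failures === 0 ? "all cases as expected\n" : "$failures unexpected result(s)\n";
```

Running the same vectors against a live blacklist after each plugin upgrade shows whether range entries are still enforced before attack traffic does.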

    Thanks! I’ve pushed the patch and will report back on its effectiveness.

    Significant reduction! Thank you. We had another 2 top level attacks in the interim 3 hours, but most were nicely fended off.

    Wonderful.

    Thanks for being persistent. I had a couple of reports on the bug before, but when I could not reproduce it I thought it was user error.

    Keith

    I want to be nothing if not persistent ;). Thanks for the rapid turnaround.

  • The topic ‘massive increase in IPs passing’ is closed to new replies.