I have the same thing: an email saying someone tried to log in 87 times using my username. Now I keep resetting the password, then am asked to reset again as I try to log in.
One of my clients is now telling me that they can’t log in either; they have a completely different login (something any hacker is unlikely to guess, as it’s not admin).
Jason and Dom:
Can you please email me or provide access to your <prefix>login_security_solution_fail tables?
[email protected]
Thanks,
–Dan
Hi Daniel,
I went out for a few hours and now I can log in, but haven’t heard from my client yet.
One suggestion on another issue (thanks for the great software, even though it’s a pain every now and then 🙂): why not auto-generate and email passwords in the way that wordpress.com does? People can be very web illiterate, so generating and sending them a password means they don’t have to figure out what a safe password is.
Fixing this issue would be good; this would become one of the best used plugins for WordPress if it worked like a dream 🙂
Thanks again
Dom (and Jason too):
I’m still curious why y’all are running into this in the first place. Can you run the following query for me (edit the <prefix> first, of course):
SELECT COUNT(*), ip, MAX(date_failed) FROM <prefix>login_security_solution_fail GROUP BY ip ORDER BY COUNT(*);
Thanks,
–Dan
COUNT(*)  ip               MAX(date_failed)
1         82.8.218.136     2012-09-11 02:36:59
1         82.3.42.73       2012-09-05 06:08:58
1         86.178.50.81     2012-08-30 07:27:05
1         220.200.61.34    2012-09-06 07:22:21
1         213.220.217.59   2012-08-27 01:30:07
1         61.241.203.128   2012-09-06 08:26:51
1         109.111.197.130  2012-09-11 01:07:17
2         89.194.26.196    2012-08-29 08:22:40
2         130.43.54.242    2012-09-10 17:09:04
2         176.8.22.77      2012-09-04 02:29:19
3         83.167.166.135   2012-09-11 02:04:58
4         125.255.84.98    2012-08-24 10:32:50
5         203.59.233.238   2012-08-29 09:30:20
5         83.37.13.187     2012-08-26 20:54:47
6         178.137.70.205   2012-09-04 16:02:06
24        178.137.160.246  2012-08-28 06:40:32
27        46.118.122.205   2012-09-06 16:09:28
36        91.203.166.210   2012-09-02 00:39:47
151       200.76.90.5      2012-09-04 08:40:08
273       46.119.120.233   2012-09-11 08:06:11
311       46.119.121.35    2012-09-11 08:04:45
Someone from the Ukraine really wants to log in to my website!
Dom:
Okay, I was just checking if your server is behind a proxy or something. It’s not.
Which version of LSS was in use when you and your user got locked out?
Yeah, email me a dump of the fail table if you can, please. And let me know your and your user’s user names.
Thanks,
–Dan
It’s just happened again! Where is the fail table and how do I get a dump of it?
If you have access to a shell:
mysqldump -u <mysql_user_name> -p <db_name> <prefix>login_security_solution_fail > lss.dom.sql
If you don’t have access to a shell, you’ll have to ask your ISP.
Hi Daniel,
I just emailed the dump of the table to you.
Hope that helps,
Jason
I seem to be having trouble getting a simple dump out of the database, so sorry about that – I tried the above, obviously with the real names included, I even tried using a password after the -p, but nothing is working (1064 – You have an error in your SQL syntax).
Dom: The mysqldump command is to be run from a login shell, not an SQL command line. –Dan
Jason:
There are a large number of login failures for most of your user names. Run this query to see what I mean:
select count(*) as ct, user_login, min(date_failed), max(date_failed)
from wp_login_security_solution_fail
group by user_login;
To examine what’s happening to a specific user, execute this:
select count(*) as ct, user_login, ip, min(date_failed), max(date_failed)
from wp_login_security_solution_fail
where user_login = '<USER>'
group by user_login, ip
order by min(date_failed);
If you run the above query for a few users you’ll see there’s a pattern to the IP addresses, times and quantities. If admin isn’t a legitimate account on your site, you can use that as a reference to IPs that are attackers.
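The "admin as a reference" check described above, as an added example that is not part of the original thread or the plugin's code: it flags every IP that failed against a decoy login, then splits a real user's failures into those from flagged IPs and those from elsewhere. Assumptions: the table and column names are the ones in the queries above, an in-memory SQLite database stands in for the site's MySQL database, and the sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (ip, user_login, date_failed). Addresses come from
# the RFC 5737 documentation ranges, not from the thread.
SAMPLE_FAILS = [
    ("203.0.113.10", "admin",  "2012-09-11 08:00:01"),
    ("203.0.113.10", "jason",  "2012-09-11 08:00:05"),
    ("203.0.113.10", "editor", "2012-09-11 08:00:09"),
    ("203.0.113.11", "admin",  "2012-09-11 08:01:00"),
    ("203.0.113.11", "jason",  "2012-09-11 08:01:04"),
    ("198.51.100.7", "jason",  "2012-09-10 17:09:04"),  # one mistyped password
    ("192.0.2.44",   "editor", "2012-09-04 02:29:19"),
    ("192.0.2.44",   "editor", "2012-09-04 02:29:40"),
]
T = "wp_login_security_solution_fail"

def load(rows):
    """Build an in-memory copy of the fail table (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {T} (ip TEXT, user_login TEXT, date_failed TEXT)")
    db.executemany(f"INSERT INTO {T} VALUES (?, ?, ?)", rows)
    return db

def attacker_ips(db, decoy_login="admin"):
    """IPs that tried the decoy login, with their totals over all user names.

    Only meaningful if decoy_login is NOT a real account on the site."""
    sql = f"""
        SELECT ip, COUNT(*) AS ct, COUNT(DISTINCT user_login) AS users,
               MIN(date_failed), MAX(date_failed)
        FROM {T}
        WHERE ip IN (SELECT ip FROM {T} WHERE user_login = ?)
        GROUP BY ip
        ORDER BY ct DESC, ip
    """
    return db.execute(sql, (decoy_login,)).fetchall()

def failure_sources(db, user_login, decoy_login="admin"):
    """Split one user's failures into (from flagged IPs, from other IPs)."""
    flagged = f"(SELECT ip FROM {T} WHERE user_login = :decoy)"
    sql = f"""
        SELECT COALESCE(SUM(ip IN {flagged}), 0),
               COALESCE(SUM(ip NOT IN {flagged}), 0)
        FROM {T} WHERE user_login = :user
    """
    return db.execute(sql, {"decoy": decoy_login, "user": user_login}).fetchone()

if __name__ == "__main__":
    db = load(SAMPLE_FAILS)
    for row in attacker_ips(db):
        print(row)
    print("jason:", failure_sources(db, "jason"))
```

A high first number from `failure_sources` for a locked-out user suggests the failures came from the flagged addresses rather than from the user's own mistyped passwords.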
Hi Daniel,
I think the attacker grabs the user names from the posts on the blog and uses them to narrow his brute force attack.
It’s unfortunate that one of the themes we use puts a line like “posted by XYZ” after the post, where XYZ is the login name of the user.
Jason
I just also did a count on failed attempts by IP. Very interesting. 3 IP addresses seem to be the culprits, with over 2000 failed attempts each.
What do you think about blanket blocking abusive IP addresses?