It's Jungle Out there (Internet Division)

Gord_in_Toronto · Apr 20, 2024

Police take down $249-a-month global phishing service used by 2,000 hackers

Law enforcement officials in 19 countries have shut down an online platform that earned at least $1 million by selling phishing kits to cybercriminals, helping them launch attacks on tens of thousands of people worldwide.

The operation, led by the Metropolitan Police in the United Kingdom, targeted LabHost, which officials said was set up in 2021 to make it easier for hackers to create fake websites aimed at tricking people into revealing email addresses, passwords and bank details.

. . .

Among the services offered, Europol said, was a campaign management tool called LabRat, which allowed criminals to monitor and control phishing attacks in real time, and was designed to bypass enhanced security measures such as two-factor authentication.

Monetize your fraud services.

alfaniner · Apr 20, 2024

After several years of no problems, suddenly in the last few days I've had dozens of attempts to log in to the admin portion of one of my web sites. I don't understand why, there's nothing there except links to my apps on Google Play, my book on Amazon, and some videos. I don't even get any traffic to speak of, normally.

I've decreased the Limit Logon Attempts to 2 x3 (block for two hours after 2 attempts, lockout for 240 hours after 3 blocks). It shows me the IP addresses trying to get in. I don't think I need to do anything else.

Gord_in_Toronto · Apr 21, 2024

alfaniner said:
After several years of no problems, suddenly in the last few days I've had dozens of attempts to log in to the admin portion of one of my web sites. I don't understand why, there's nothing there except links to my apps on Google Play, my book on Amazon, and some videos. I don't even get any traffic to speak of, normally.

I've decreased the Limit Logon Attempts to 2 x3 (block for two hours after 2 attempts, lockout for 240 hours after 3 blocks). It shows me the IP addresses trying to get in. I don't think I need to do anything else.

Have you tried a reverse IP look up?

alfaniner · Apr 21, 2024

Gord_in_Toronto said:
Have you tried a reverse IP look up?

I wouldn't know what to do with it if I did. I reduced the lockout time and number of attempts yet again, so it should be blocking those a lot quicker. Here's hoping I can get my right password entered in two tries!

rjh01 · Apr 21, 2024

Gord_in_Toronto said:
Have you tried a reverse IP look up?

alfaniner said:
I wouldn't know what to do with it if I did. I reduced the lockout time and number of attempts yet again, so it should be blocking those a lot quicker. Here's hoping I can get my right password entered in two tries!

Here is one of the URLs you can use to lookup IP addresses. https://www.whatismyip.com/ip-whois-lookup/

If you are lucky it will tell you who owns the IP address and an email address you can complain to for the abuse. Other than that I would not know what to do with the information either.

You can also block the IP addresses permanently. Also make a note of the IP address to see if there is a specific pattern to them.

alfaniner · Apr 21, 2024

rjh01 said:
Here is one of the URLs you can use to lookup IP addresses. https://www.whatismyip.com/ip-whois-lookup/

If you are lucky it will tell you who owns the IP address and an email address you can complain to for the abuse. Other than that I would not know what to do with the information either.

You can also block the IP addresses permanently. Also make a note of the IP address to see if there is a specific pattern to them.

Every IP listed is substantially different so I can't even look into blocking a range. I did a WHOIS search on a few and some are coming from Germany.

Gord_in_Toronto · Apr 21, 2024

alfaniner said:
I wouldn't know what to do with it if I did. I reduced the lockout time and number of attempts yet again, so it should be blocking those a lot quicker. Here's hoping I can get my right password entered in two tries!

rjh01 said:
Here is one of the URLs you can use to lookup IP addresses. https://www.whatismyip.com/ip-whois-lookup/

If you are lucky it will tell you who owns the IP address and an email address you can complain to for the abuse. Other than that I would not know what to do with the information either.

You can also block the IP addresses permanently. Also make a note of the IP address to see if there is a specific pattern to them.

There is really not much you can "do" with the information. But it is always interesting to see where the crap is coming from. Once upon a time it was possibly useful to report such things to one of the spam blocker sites but as I said - It's A jungle Out there. There is No One to complain to. :sigh:

Donal · Apr 22, 2024

alfaniner said:
After several years of no problems, suddenly in the last few days I've had dozens of attempts to log in to the admin portion of one of my web sites. I don't understand why, there's nothing there except links to my apps on Google Play, my book on Amazon, and some videos. I don't even get any traffic to speak of, normally.

I've decreased the Limit Logon Attempts to 2 x3 (block for two hours after 2 attempts, lockout for 240 hours after 3 blocks). It shows me the IP addresses trying to get in. I don't think I need to do anything else.

Can/did you enable MFA?

alfaniner · Apr 22, 2024

They're trying to get into my Wordpress Admin page, not a login I've set up on the site. I'm wondering if I can change the name of the wp-login.php to something else (that I have to remember!) so the default they are trying won't work.

I don't know if that filename is called from somewhere else so I'll have to look into that too.

Wudang · Apr 22, 2024

Can you do a $_SERVER['REMOTE_ADDR'] and check if the ip returned is in the range allocated to your ISP?

Donal · Apr 22, 2024

alfaniner said:
They're trying to get into my Wordpress Admin page, not a login I've set up on the site. I'm wondering if I can change the name of the wp-login.php to something else (that I have to remember!) so the default they are trying won't work.

I don't know if that filename is called from somewhere else so I'll have to look into that too.

You'd have to go into the database, I think

Wudang · Apr 22, 2024

https://wordpress.stackexchange.com/questions/42297/where-is-the-query-in-wp-login-php

Accepted answer is

Look in wp-includes/general-template.php at the function wp_login_form(). Follow the functions called there. I’d say: just use wp_login_form(). It does probably everything you need, and you can customize it.

Donal · Apr 22, 2024

see, when I break my self hosted stuff, I jsut re-install and restore the last good back up

alfaniner · Apr 22, 2024

I made a copy of my wp-login.php file and renamed the new one. That didn't work, so I edited that file to change all occurences of "wp-login.php" to "wp-login-new.php", and it worked! (Now I just have to make a note of that if I want to log in.)

a_unique_person · Apr 23, 2024

War. War never changes.

Gord_in_Toronto · Apr 23, 2024

a_unique_person said:
War. War never changes.

Oceania has always been at war with Eurasia.

Donal · Apr 23, 2024

Life is like a box of chocolates. You never know what you're going to get.

Gord_in_Toronto · Apr 23, 2024

Donal said:
Life is like a box of chocolates. You never know what you're going to get.

Unless, of course, you look at the label on the top of e box (or the insert inside) that lists all the contents with a description of each one,

It's Jungle Out there (Internet Division)

Gord_in_Toronto

Penultimate Amazing

alfaniner

Penultimate Amazing

Gord_in_Toronto

Penultimate Amazing

alfaniner

Penultimate Amazing

rjh01

Gentleman of leisure

alfaniner

Penultimate Amazing

Gord_in_Toronto

Penultimate Amazing

Donal

Philosopher

alfaniner

Penultimate Amazing

Wudang

BOFH

Donal

Philosopher

Wudang

BOFH

Donal

Philosopher

alfaniner

Penultimate Amazing

a_unique_person

Director of Hatcheries and Conditioning

Gord_in_Toronto

Penultimate Amazing

Donal

Philosopher

Gord_in_Toronto

Penultimate Amazing