Sindre Smistad said:
Were all the login attempts over SSH or the WordPress software? Are you
sure they did not gain access some other way, find the password and
then log in again over SSH?
SSH. I have - infamously :) - a fail2ban filter for wp-login. It's
possible that the attacker previously tried with other IP addresses
against WordPress, but if they had been successful, I would expect them
to have exploited that directly.
This white paper that covers the malware you mentioned says that the
main infection method is phishing the administrator. See page 4. You
should probably run a scan on your other devices as well.
I've looked at the various PCs etc here without finding anything. That
doesn't mean it's not there - a scanning service I used to look at the
payload being sent out reckoned that ClamAV didn't detect it as being nasty.
I notice the common form of infection is via MS Office document macros -
it's LibreOffice here, with untrusted macros disabled.. and no sources
trusted.
Rodrigo Campos said:
Is the compromised SSH password the same as that of some WordPress user? If
that is the case, it might have been done using this attack:
https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplifi…
I've disabled the XML-RPC API completely using a plugin. WordPress
has not released any version fixing this.
I had not disabled it - the WordPress Android program needs it - but I
do have a fail2ban on accessing it more than a handful of times. There
were only about 16 accesses to xmlrpc.php on the Wednesday (an otherwise
typical day) spread across about that many sites.
The attacks on WordPress are getting more sophisticated - I can see IP
addresses using xmlrpc to find out what usernames actually exist before
trying to hack them. At one point, the vast majority would just (usually
correctly) assume that there was one called 'admin'..
.. so I've just disabled it on a couple of servers, even if that does
annoy a couple of people.
What was the server running? You may want to take the Logjam attack into
account (https://weakdh.org/sysadmin.html). I can't say it was that, but it
*might* be a possibility.
Debian Wheezy. I'll have a look at that.
Ian
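The xmlrpc.php rate limiting discussed in the thread, as an added example that is not part of the original messages nor code from fail2ban or WordPress: a Python script that (a) counts POSTs to /xmlrpc.php per client IP from Apache combined-format log lines, which is all an access-log fail2ban filter can see, and (b) parses an XML-RPC request body to count the wp.getUsersBlogs guesses packed into a single system.multicall, the amplification the linked Cloudflare post describes. The log lines, IP addresses and request bodies are constructed sample data, and the function names are my own.

```python
"""Added example: what an access-log filter sees vs. what one xmlrpc.php POST can carry."""
import re
from collections import Counter
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed Apache "combined" log lines (sample data, not traffic from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2015:10:01:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2015:10:01:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2015:10:01:04 +0100] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2015:10:01:05 +0100] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2015:10:02:00 +0100] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 4096 "-" "wp-android/4.5"
"""

# Constructed single (non-multicall) request: one username/password guess per POST.
SAMPLE_SINGLE = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    "<params><param><value><string>admin</string></value></param>"
    "<param><value><string>admin123</string></value></param></params></methodCall>"
)

# Client IP, request method, path and status from one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)


def xmlrpc_hits_per_ip(log_text):
    """Count POSTs to /xmlrpc.php per client IP: the only signal an access-log filter has."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore query string
        if m.group("method") == "POST" and path == "/xmlrpc.php":
            hits[m.group("ip")] += 1
    return hits


def ips_over_threshold(hits, limit):
    """IPs whose xmlrpc.php hit count exceeds the limit (sorted for stable output)."""
    return sorted(ip for ip, n in hits.items() if n > limit)


def build_multicall(guesses):
    """Build a constructed system.multicall body with one wp.getUsersBlogs call per (user, password)."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{escape(u)}</string></value><value><string>{escape(p)}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for u, p in guesses
    )
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        "<params><param><value><array><data>" + calls + "</data></array></value></param></params>"
        "</methodCall>"
    )


def xmlrpc_calls(body):
    """Return [(methodName, [string params])] for an XML-RPC request body.

    A plain call yields one entry; a system.multicall yields one entry per packed
    sub-call, which the access log never shows (it is one line either way).
    """
    root = ET.fromstring(body)
    method = root.findtext("methodName")
    if method != "system.multicall":
        params = [v.text or "" for v in root.findall("params/param/value/string")]
        return [(method, params)]
    calls = []
    for struct in root.iter("struct"):  # one struct per sub-call in the multicall array
        name, params = None, []
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                name = member.findtext("value/string")
            elif member.findtext("name") == "params":
                params = [v.text or "" for v in member.findall("value/array/data/value/string")]
        calls.append((name, params))
    return calls


def login_attempts_in_body(body):
    """Number of wp.getUsersBlogs credential guesses one POST actually triggers."""
    return sum(1 for name, _ in xmlrpc_calls(body) if name == "wp.getUsersBlogs")


if __name__ == "__main__":
    hits = xmlrpc_hits_per_ip(SAMPLE_LOG)
    print("xmlrpc.php POSTs per IP:", dict(hits))
    print("over 2 hits:", ips_over_threshold(hits, 2))
    body = build_multicall([("admin", "password1"), ("admin", "letmein"), ("ian", "123456")])
    print("guesses inside one multicall POST:", login_attempts_in_body(body))
```

The caveat this makes visible: the access log records one line per POST whatever the body holds, so a "more than a handful of times" threshold on xmlrpc.php hits undercounts a multicall batch by the size of the batch. Counting the sub-calls needs the request body, from a WAF or application-level logging, or the problem is removed by disabling XML-RPC (or system.multicall) as the thread ends up doing.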