
Word Press: Brute force hacks increasing with Fiverr use


ukmarcus

Weird thing, but nearly every time I use Fiverr to find someone to fix something on my WordPress sites, I see an immediate and massive surge of brute force attacks to my site. Coincidence? How does this keep happening? Support staff act like they have no idea it’s going on.


  • 2 weeks later...

Thanks for the response. Well, I’ve had one site completely compromised and taken down, but now that I use the Cerber plugin to limit logins, I just get emails when I wake up that I have 900 attempts to log in that have been successfully blocked. But it ALWAYS coincides with using a Fiverr tech. I dread asking for help because I know I’m going to attract immediate attention to my site - and nobody seems to know how this is happening. I can’t be the only one that has noticed this though - or suffers from it? How does the opening ports idea you suggested work?
Thanks again,


  • 1 year later...

Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a Fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin


Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a Fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin

It might be a coincidence. Something similar recently happened to a friend of mine (an insane number of unauthorized attempts), and he’s never been on Fiverr. Another friend advised him to install the WP Cerber plugin, change the login URL, and set it so that every unauthorized attempt automatically blacklists the subdomain.

  • Like 2

It might be a coincidence. Something similar recently happened to a friend of mine (an insane number of unauthorized attempts), and he’s never been on Fiverr. Another friend advised him to install the WP Cerber plugin, change the login URL, and set it so that every unauthorized attempt automatically blacklists the subdomain.

I already use Cerber… that’s how I know all of this is going on. It sends me reports. And def. not a coincidence. I’ve been using Fiverr for many years and this happens every time I use them for a service that involves anything to do with my websites.


I already use Cerber… that’s how I know all of this is going on. It sends me reports. And def. not a coincidence. I’ve been using Fiverr for many years and this happens every time I use them for a service that involves anything to do with my websites.

this happens every time I use them

But you’re not using ‘Fiverr’, you’re using the services of individual sellers whom you happen to have found on Fiverr.

Fiverr itself isn’t doing anything to your websites.

  • Like 2

That’s weird. But as long as your passwords are safe, you shouldn’t be worried. You can secure the website further by adding the “limit login attempt” plugin and also password protect your wp-admin folder.

Yes, I do all of that of course. I’m worried not because anyone has succeeded yet, but because of the constancy of the attacks.

  • Like 2

this happens every time I use them

But you’re not using ‘Fiverr’, you’re using the services of individual sellers whom you happen to have found on Fiverr.

Fiverr itself isn’t doing anything to your websites.

Exactly. But somehow, somewhere, the fact that my site exists is being flagged somewhere via the Fiverr platform. It’s like when you give your email address to someone… they may not know your password, but they know you have a current email, and then they have something to hack.


Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a Fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin

Not to nitpick, but in your first post you wrote “nearly every time”, here you wrote “every time”. We, as human beings, tend to see patterns everywhere, even if there are none in reality, because it’s how we are wired.

Anyhow, I agree that it’s certainly worrying and something to look into. Perhaps ask on a WordPress forum, to see if people have another idea of how this may come to pass? Perhaps it’s nothing to do with who does it but with what is being done that somehow attracts those login attempts.

Just thinking out loud, I’m no professional in that sphere but I had/have WP blogs myself. I never used Fiverr for them and they weren’t even commercial, but I had spikes in such unauthorized login activities too at times. Hackers may simply use programs that try out all blog addresses they can grab periodically etc.

  • Like 3

You should at least know the IP address of the attacker.

If you are on a VPS or shared hosting, i.e. in a multi-tenant environment, it’s extremely easy for a neighbor of yours to intercept the traffic coming to your server and see who is poking at your ports. Among these lurkers there could be a pentester.

Among the most effective tools to stop brute force attacks, at server level, there is Fail2ban.

  • Like 2
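An added example, not part of the thread and not Fail2ban's own code: a minimal Python model of the rule Fail2ban applies, banning an IP after `maxretry` failed logins within `findtime` seconds, run over constructed web access log lines. The log layout, the sample IPs (documentation ranges) and the "POST answered with 200 means a failed login" heuristic are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, ts, method="POST", status=200):
    # Builds one constructed access-log line in the common "combined" layout.
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3012 "-" "-"')

T0 = datetime(2018, 1, 23, 22, 5, 0)
# Constructed sample data; the IPs are documentation-range addresses.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", T0 + timedelta(seconds=10 * i)) for i in range(6)]   # burst
    + [_line("192.0.2.44", T0 + timedelta(minutes=15 * i)) for i in range(5)]  # spread out
    + [_line("198.51.100.20", T0),                                       # one typo...
       _line("198.51.100.20", T0 + timedelta(seconds=30), status=302),   # ...then success
       _line("198.51.100.20", T0, method="GET")]                         # viewing the form
)

def failed_logins(log_text):
    """Return (ip, time) for each POST to wp-login.php answered with 200.
    Assumption: stock WordPress re-renders the form (200) on a failed
    login and redirects (302) on success."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m and m[3] == "POST" and m[4].startswith("/wp-login.php") and m[5] == "200":
            events.append((m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")))
    return events

def ips_to_ban(events, maxretry=5, findtime=600):
    """Ban an IP once it has `maxretry` failures inside `findtime` seconds."""
    recent, banned = defaultdict(deque), {}
    for ip, ts in sorted(events, key=lambda e: e[1]):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts           # time at which the ban would start
    return banned

if __name__ == "__main__":
    print(ips_to_ban(failed_logins(SAMPLE_LOG)))
```

With these defaults only the burst from 203.0.113.7 is banned; the owner's single typo and the widely spaced attempts from 192.0.2.44 are not, which is why `findtime` and `maxretry` need tuning against the site's real log.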

Not to nitpick, but in your first post you wrote “nearly every time”, here you wrote “every time”. We, as human beings, tend to see patterns everywhere, even if there are none in reality, because it’s how we are wired.

Anyhow, I agree that it’s certainly worrying and something to look into. Perhaps ask on a WordPress forum, to see if people have another idea of how this may come to pass? Perhaps it’s nothing to do with who does it but with what is being done that somehow attracts those login attempts.

Just thinking out loud, I’m no professional in that sphere but I had/have WP blogs myself. I never used Fiverr for them and they weren’t even commercial, but I had spikes in such unauthorized login activities too at times. Hackers may simply use programs that try out all blog addresses they can grab periodically etc.

Yes, I agree, it’s not the person on Fiverr that’s doing it. I don’t blame them. It’s not like they’re selling my info. But somehow, these gigs attract attention from hackers and I don’t know how. Somehow they see that these sites are live and they go after them. I’m just not clear how they are seeing them on the platform.

  • Like 1

You should at least know the IP address of the attacker.

If you are on a VPS or shared hosting, i.e. in a multi-tenant environment, it’s extremely easy for a neighbor of yours to intercept the traffic coming to your server and see who is poking at your ports. Among these lurkers there could be a pentester.

Among the most effective tools to stop brute force attacks, at server level, there is Fail2ban.

Yes all the IP addresses are logged - and blocked. It’s not like anyone is actually getting in. It’s just annoying that whenever I use Fiverr, this shit starts up again. It’s no coincidence, I’ve been using Fiverr for years and this happens with incredible regularity.

  • Like 1

Does it also happen when you hire someone outside of Fiverr to fix your site, or when you try to fix it yourself?

Nope. Only happens when I use Fiverr. It’s a pattern I’ve noticed over the last 5 years or so. It doesn’t happen when I use Fiverr services like logo production etc., only when I use someone to fix a WordPress problem.


Nope. Only happens when I use Fiverr. It’s a pattern I’ve noticed over the last 5 years or so. It doesn’t happen when I use Fiverr services like logo production etc., only when I use someone to fix a WordPress problem.

Presumably because having a logo designed doesn’t require access to your WordPress sites?

Are you sure it’s not just the sellers you’ve hired accessing your websites to do the gig you’ve ordered from them? They can’t fix WordPress problems without logging in, or attempting to log in to WordPress.

Sorry if that sounds like I’m stating the obvious BTW. ☀️

  • Like 1

Presumably because having a logo designed doesn’t require access to your WordPress sites?

Are you sure it’s not just the sellers you’ve hired accessing your websites to do the gig you’ve ordered from them? They can’t fix WordPress problems without logging in, or attempting to log in to WordPress.

Sorry if that sounds like I’m stating the obvious BTW. ☀️

Exactly. Logo design etc. doesn’t require me to give any login credentials. Yes, I have to give these to my Fiverr gig workers, but I don’t think they are the problem, because they already have the password and login, they don’t need to hack me. What I think is happening is that somehow, hackers are able to see the URLs of sites that are being worked on through Fiverr, realize they are live, and ripe for picking and go after them. I just don’t know how they see them. Unless they can see the URL of your ‘live’ gigs with Fiverr vendors.


Exactly. Logo design etc. doesn’t require me to give any login credentials. Yes, I have to give these to my Fiverr gig workers, but I don’t think they are the problem, because they already have the password and login, they don’t need to hack me. What I think is happening is that somehow, hackers are able to see the URLs of sites that are being worked on through Fiverr, realize they are live, and ripe for picking and go after them. I just don’t know how they see them. Unless they can see the URL of your ‘live’ gigs with Fiverr vendors.

but I don’t think they are the problem

And did you ask them? Depending on what they are doing for you, like working on the site’s security, the log-in attempts might just be them checking something?

Hope you’ll update your topic if and when you find out what it is. Feels a bit weird to say it’s interesting, but I hope you know how I mean it. 🙂

  • Like 2

but I don’t think they are the problem

And did you ask them? Depending on what they are doing for you, like working on the site’s security, the log-in attempts might just be them checking something?

Hope you’ll update your topic if and when you find out what it is. Feels a bit weird to say it’s interesting, but I hope you know how I mean it. 🙂

They wouldn’t be checking 200 times… lol… I can see from the IP addresses that most of the attacks come from Russia or Bulgaria, usually not the country associated with the Fiverr guy I’m using. These are hacking attempts. Happens to most of you every day, but unless you have a plugin that tells you about it, you’re probably blissfully unaware - unless someone succeeds in getting in!

Tip: Use the Cerber security plugin - and never use ‘admin’ as your user name, nor the name of your website.


They wouldn’t be checking 200 times… lol… I can see from the IP addresses that most of the attacks come from Russia or Bulgaria, usually not the country associated with the Fiverr guy I’m using. These are hacking attempts. Happens to most of you every day, but unless you have a plugin that tells you about it, you’re probably blissfully unaware - unless someone succeeds in getting in!

Tip: Use the Cerber security plugin - and never use ‘admin’ as your user name, nor the name of your website.

They wouldn’t be checking 200 times… lol

Don’t be so sure lol when I work on clients’ stuff, there are things I do check and do a lot, even when I’m sure it should be okay - you wouldn’t, for instance, believe how many copies of some longer files I end up with until done just because Office programs like to crash and I like to make sure I won’t end up with an unusable file. And all the more if your checking is done by programs, you don’t really need time if you have a brute force program, you just click once and it does the rest.

No worries, I don’t use “admin”, nor “123456” as password 😉 even if I hadn’t known that already back in school, I have been translating a lot of computer-related texts for years.

Well, you didn’t say you know the IP addresses are all from the same places before, nor what exactly they (Fiverr guys) are doing for you, so it’s a bit hard to guess. I was just wondering why you just are thinking they are not “the problem” - if they indeed were checking as part of their job they’d not be the problem actually, but there would be no problem, so it wouldn’t be weird to bluntly ask them if they know what’s up with your problem - instead of simply asking them, perhaps there’s an easy answer and they outsource their testing to Russia or Bulgaria? 😉

Anyhow, I’ll go back to translating my clients’ WP articles about data security now and hope to soon read that you got this sorted out! 🍀

  • Like 4

The buyers request page is not indexed so it’s not like your request is searchable.
(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include the address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

  • Like 5

The buyers request page is not indexed so it’s not like your request is searchable.

(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include the address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

If you include the address in the buyers request then remove that.

Now that would explain a lot - hadn’t thought of that! ☀️

  • Like 4

The buyers request page is not indexed so it’s not like your request is searchable.

(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include the address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

Yes, I only give my login details to the guys I actually work with. 🙂
