Originally posted by AplusWebMaster:
FYI...

Brute force attacks - WordPress sites...
- http://blog.sucuri.net/2012/03/brute...ess-sites.html
Mar 15, 2012 - "... Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and -never- changes it... There is a technique known as brute-force attack... access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..)... the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware... in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
146.0.74.234 – 32 attempts
212.67.25.66 – 47 attempts
176.31.253.139 – 211 attempts
91.226.165.164 – 39 attempts
95.79.221.169 – 105 attempts
91.217.178.235 – 40 attempts
And many more IP addresses. We will be adding all of them to our IP blacklist* and Global Malware view**..."
* http://sucuri.net/sucuri-blacklist

** http://sucuri.net/global
___

WordPress Page is Loading... an Exploit
- https://www.f-secure.com/weblog/archives/00002328.html
March 15, 2012 - "... Spam appears to be the driver of these campaigns. Various websites have already been identified to be redirecting to Blackhole exploit kit... Currently, these sites redirect to the following domains that host Blackhole exploit kit:
• georgekinsman.net
• icemed.net
• mynourigen.net
• synergyledlighting.net
• themeparkoupons.net ..."

I was getting a lot of attempts from the 176 IP as well, but when you look it up, it doesn't show as being listed in any DNSBLs. How does that make any sense?
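Per-IP tallies like the ones in the quoted Sucuri excerpt can be produced from a site's own access log. The following is an added example, not part of the original posts or of Sucuri's tooling. It assumes Apache/nginx combined log format, default WordPress behaviour (a failed login re-renders the form with status 200, a successful one redirects with 302), and a threshold of 30 taken from the low end of the quoted range; the log lines are constructed.

```python
import re
from collections import Counter

# Combined log format prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_attempts(lines):
    """Count POSTs to wp-login.php per client IP, split by outcome."""
    failed, succeeded = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs only load the login form, they are not guesses
        # Drop any query string and match on the script name only.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        # Assumption: stock WordPress status codes (302 = login accepted).
        (succeeded if m["status"] == "302" else failed)[m["ip"]] += 1
    return failed, succeeded

def flag_bruteforce(lines, threshold=30):
    """Return {ip: (failed, succeeded)} for IPs with >= threshold failures.

    A non-zero 'succeeded' count on a flagged IP means a guess may have
    worked and the account should be treated as compromised.
    """
    failed, succeeded = login_attempts(lines)
    return {ip: (n, succeeded[ip]) for ip, n in failed.items() if n >= threshold}

def sample_lines():
    """Constructed log lines using documentation IP ranges (not real data)."""
    fmt = ('{ip} - - [15/Mar/2012:10:{m:02d}:{s:02d} +0000] '
           '"{req} HTTP/1.1" {st} 2048 "-" "-"')
    post = "POST /wp-login.php"
    lines = [fmt.format(ip="203.0.113.7", m=0, s=i, req=post, st=200)
             for i in range(47)]                       # 47 failed guesses
    lines.append(fmt.format(ip="203.0.113.7", m=1, s=0, req=post, st=302))
    lines += [fmt.format(ip="198.51.100.9", m=2, s=i, req=post, st=200)
              for i in range(3)]                       # a user mistyping
    lines.append(fmt.format(ip="192.0.2.5", m=3, s=0,
                            req="GET /wp-login.php", st=200))
    return lines

if __name__ == "__main__":
    for ip, (bad, ok) in flag_bruteforce(sample_lines()).items():
        print(f"{ip}: {bad} failed, {ok} successful login POSTs")
```

An address can show up here long before any DNSBL lists it, so blocking or rate limiting on local counts does not depend on third-party listings.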