
What could cause 1000's of failed login attempts from my IP address

Hi, sorry, not sure where to even post this.


I have been having a persistent issue whereby my own IP address is being blocked by my overseas web host (not the ISP that provides the IP), resulting in me being unable to connect to my own website. Anyone else can, including me when I try from my phone through my phone service provider (thus a different IP).


I have been in contact with the web host and they tell me that I am being blocked because there are many thousands of failed login attempts from my IP address (at a rate of 1 per second), and so it gets blocked. Fair enough.


My first thought was a virus. I have ClamXav and ran that, and it did find a suspicious file called hide.php. It has been quarantined, though, and the problem persists.


Last night we had thunderstorms, so I physically unplugged all my machines. According to the web host (DreamHost) there were still failed login attempts during that time. So really I fail to see how it could be my machines.


So my next thought is that someone has hacked my wifi and is using my connection. I have reset my router password and rebooted it to disconnect anything that was connected. I am waiting to chat with DreamHost to see if the attacks are continuing.


I have also contacted my Local ISP, to see if they can shed any light on this, but the team that can help don't work on the weekend…


I am running a mix of machines, everything from 10.5 to 10.9, though I believe the issue is related to my main machine, which is running 10.7.5.


Just hoping that someone out there can suggest something that I have missed.


Cheers


Craig

DualCore 2.3 G5, G5 iMac G4 933 x2 + G3 300 + iMac 500 + iMac 600 + 15 PB 1.67, Mac OS X (10.4.8)

Posted on Oct 18, 2014 9:26 PM

6 replies
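The host's description above (thousands of failed logins from one source address, at about one per second, leading to a block) is the classic shape of a brute-force rate rule. As an added illustration that is not part of the original thread and is not DreamHost's actual rule, here is a small Python detector that parses constructed OpenSSH-style auth log lines, counts failed logins per source IP in a sliding time window, and reports the addresses that exceed a threshold. The log format, the sample addresses, the 60-second window and the threshold of 5 are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log. These are
# made up for the example and are not log data from the thread.
SAMPLE_LOG = """\
Oct 18 21:26:01 web sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Oct 18 21:26:02 web sshd[4022]: Failed password for invalid user test from 203.0.113.7 port 51113 ssh2
Oct 18 21:26:03 web sshd[4023]: Failed password for root from 203.0.113.7 port 51114 ssh2
Oct 18 21:26:04 web sshd[4024]: Failed password for invalid user oracle from 203.0.113.7 port 51115 ssh2
Oct 18 21:26:05 web sshd[4025]: Failed password for invalid user guest from 203.0.113.7 port 51116 ssh2
Oct 18 21:26:06 web sshd[4026]: Accepted publickey for craig from 198.51.100.9 port 40001 ssh2
Oct 18 21:26:07 web sshd[4027]: Failed password for craig from 198.51.100.9 port 40002 ssh2
Oct 18 21:30:00 web sshd[4030]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
"""

# Matches the "Failed password" line shape; the "invalid user " prefix is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip, username) for every failed-login line.

    Syslog timestamps carry no year, so one is supplied (assumed 2014 here).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_forcers(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: (worst_count_in_window, first_seen, last_seen)} for every
    source IP that accumulates at least max_failures failures inside any
    sliding window of the given length.

    The host sees only the public address, so every device behind one NAT
    router (including a compromised device or an uninvited wifi user) is
    counted under the same IP; that is why a block hits the whole household.
    """
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        worst = 0
        # Two-pointer sweep: for each failure, shrink the window from the left
        # until it spans at most `window`, then record the window size.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= max_failures:
            offenders[ip] = (worst, times[0], times[-1])
    return offenders


if __name__ == "__main__":
    for ip, (count, first, last) in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within one window ({first} .. {last})")
```

Run on the constructed log this reports only 203.0.113.7 (five failures in four seconds); the single failure from 198.51.100.9 stays under the threshold. The sliding window is what makes the rate matter rather than the lifetime total, which is the distinction behind "at a rate of 1 per second".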

Oct 19, 2014 1:12 AM in response to craig stewart

craig stewart wrote:


I have ClamXav and ran that, and it did find a suspicious file called hide.php. It has been quarantined, though, and the problem persists.

I'm not familiar with that being any sort of known OS X malware. What was the infection name and original location of the file?

my next thought is that someone has hacked my wifi and is using my connection. I have reset my router password and rebooted it to disconnect anything that was connected

You need to be using WPA2 security on your WiFi network with a strong password. Anything less than that can be hacked with readily available software in a matter of minutes.

Oct 19, 2014 3:33 AM in response to craig stewart

craig stewart wrote:


Hi


I don't have the original location of the file, unfortunately, but the infection name was hide.php and the file name was 59955ff59e7d5908a2b24eaafa5f3909.php.

Took me a while, but I found three that are PHP.Hide, PHP.Hide-1 and PHP.Hide-2. If any of those are correct I can tell you what signature it's looking for. They are fairly old, added to the database on 2010-05-29, so it's doubtful that it's a false positive. In any case, since the infection name does not contain the letters "OSX" it's not likely to have affected your computer.


You can check the scan log and probably find out where it originated from:


  • In ClamXav open the Scan Log by clicking the icon on the tool bar
  • When the "clamXav-scan.log" window opens, you will only be looking at the most recent results
  • Select Find->Find from the Edit menu or type Command-F
  • Type "FOUND" in all caps and without the quotes in the Find box
  • Uncheck the "Ignore case" box and hit enter
  • Click the "Next" button or type Command-G until you find what you are looking for
  • If it doesn't show up in the most recent results, use the "▲ Earlier|" button in the lower right corner of the window to move back through the log.


There is a faster way to do this with a Terminal command, but I would need to know if you were using ClamXav from the App Store or a web site and if the latter whether the ClamXav application found it during a manual scan or if it was Sentry that located it.


It's way past my bed time here, so I'll have to get back to you tomorrow on this.
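The Scan Log search described above amounts to pulling out the detection lines that clamscan writes, which have the shape `<path>: <signature> FOUND`. As an added example that is not the reply's own Terminal command (which the reply does not give), here is a small Python parser that does the same job over constructed scan-log text and splits each hit into its path and signature name, so the "OSX" rule of thumb from the reply can be applied to the signature prefix. The sample paths and log layout are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed scan-log text in the format clamscan prints
# ("<path>: <signature> FOUND" for a detection, "<path>: OK" otherwise).
# The paths and the date are made up for this example.
SAMPLE_SCAN_LOG = """\
Scan started: Sat Oct 18 20:11:02 2014
/Users/craig/Sites/blog/index.php: OK
/Users/craig/Sites/blog/wp-content/uploads/59955ff59e7d5908a2b24eaafa5f3909.php: PHP.Hide-2 FOUND
/Users/craig/Downloads/report.pdf: OK
/Users/craig/Library/Caches/tmp.dat: Heuristics.Broken.Executable FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""

# Non-greedy path, then ": ", then the signature name, then the literal FOUND.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def detections(log_text, signature_prefix=None):
    """Return [(path, signature)] for every FOUND line in the log.

    If signature_prefix is given (e.g. "PHP."), only signatures starting with
    it are returned, which is the programmatic equivalent of paging through
    the log with Find looking for one particular name.
    """
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m is None:
            continue
        if signature_prefix is None or m["sig"].startswith(signature_prefix):
            hits.append((m["path"], m["sig"]))
    return hits


def signature_platforms(hits):
    """Count detections by the platform prefix of the signature name
    (the part before the first dot: PHP, OSX, Win, Heuristics, ...).

    As the reply notes, a prefix other than OSX points at content that
    targets some other platform rather than the Mac it was found on.
    """
    return Counter(sig.split(".", 1)[0] for _path, sig in hits)


if __name__ == "__main__":
    hits = detections(SAMPLE_SCAN_LOG)
    for path, sig in hits:
        print(f"{sig}\t{path}")
    print(dict(signature_platforms(hits)))
```

On the constructed log this returns the PHP.Hide-2 hit with its full path plus one heuristic hit, and the platform summary shows neither carries the OSX prefix. In a Terminal the first half of this is simply `grep ' FOUND$' clamXav-scan.log`; the parser adds the path/signature split and the filter by signature name.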

Oct 26, 2014 11:57 PM in response to MadMacs0

Hi


Sorry I have not replied back to you sooner, I have been meaning to - but we've just hit our busy period with our business. I did try what you said above and after scrolling through zillions of lines I never did find anything related specifically to that file. I must have missed it and have not had the opportunity to look a second time.


In the meantime, my host has whitelisted my IP so that I do not get knocked off anymore, and the last time I checked with them the attacks had stopped. The only thing that I can see made a difference was that I changed the password to my router and wifi, and I believe that is when the attacks stopped.


Cheers


Craig

Oct 27, 2014 1:16 AM in response to craig stewart

Glad everything is back to normal and I strongly suspect your router had been compromised. Check with the manufacturer to see if there is a firmware update when you get a chance.


Again, I can give you a much faster way of locating what was found if you can let me know either the exact title of the Scan Log window or what version of ClamXav found it (App Store or web site and if the latter was it the app itself or Sentry).


Otherwise I'll leave you to your busy time.
