The quote below is the last thing I wrote to the thread linked above … and the site there is broken, so I can’t post it.
Another thing to add, the last piece of SPAM commenting I got was an Online Poker piece of crap … I have gotten little of any junk the last couple of days, miraculously or due to efforts at adding stuff to filters here and there. This new one got through to moderation on March 10 in the afternoon, … not tagged as SPAM, it used a different URL this time. One that is listed in google as Online Poker, of course. “genaholincorporated” dot com is only an online poker site, a new spammer for this blog. Since they had “Online” and “Poker” as the “user name” for the comment, it got flagged for moderation.
Don’t y’all just hate the Online Poker gouger? I also hate the smut spammer too. They started hitting this blog after I upgraded to 1.5, with a vengence. But one reason or another, due to my efforts or not, they have stopped for now. This last trickle was one drop, mr. online poker yesterday. Was it therefore this being that has caused the problem I had this morning, and the curious emails of password changes …
All because I have secretly joined the efforts at getting wikipedia’s online poker entry at the top of the google ranks, by linking to it on my blog? Maybe that’s it. Maybe it’s not.
I’m only speculating from snitches of data I’ve browsed through today.
That was the referring url on the wp-login.php junk above, for the #4 hit on the site.
The first hit was at 05:59:33, the next 5 seconds later, the next 18 seconds later … then a lull of four minutes and 20 seconds.
That lull is when the next hit had the above url as the referring url.
What were they doing meantime? There is nothing in my referrers to show … did they get in and do something in my link manager?
I’m going to look right now.
The suspect thing to me is that they hit the site on my .us domain, which only points to my .com where the real content is.
So they somehow have my .us/weblog/ as the referrer on their first vist to /weblog/wp-login.php –without having logged a visit in on my index.php previously … but …
earlier there was visitor with an msn.search page referrer with a different IP listed, that came from a page listing LINKS to the wiki encyclopeia for “online poker”.
My site shows up in that search, I have that link in my sidebar and it’s not visible on my page due to CSS styling. I added it there to help the effort at stopping that durn poker spam.
Why do I think this has something to do with the other … that same IP that came in from the referrer msn.search … next logged in my referer going to` .us/./` with `.us` as the referrer.
That’s weird, at least in my referrers it is, as nothing shows up like that from my “normal lookings.”
That all happened at 05:01:44 and 05:03:01.
I say this all since it’s dealing with Online Poker and that early this morning:
1. An IP showed up from an msn.search page referral that was showing pages linking to the wiki-encyclopedia about Online Poker.
2. A little more than a minute later that same IP showed up as trying to load a `.us` domain page on my site.
3. About 56 minutes later a different IP came in and tried to load wp-login.php, tried to change my password for admin, somehow sent weird emails to me saying password was changed, and actually did change my password, and meanwhile after trying to load pages a couple of times came back after a 4 minute lull with this as the referal url `http://www.pastoralfarms.com/weblog/wp-login.php?redirect_to=%2Fweblog%2Fwp-admin%2Flink-manager.php`
and then began hitting wp-login.php again with just `wp-login.php` as the referring url for the rest of them.
Everything in my LINKS manager looks fine.
I have no idea if they got into my WP install or not. I can’t tell anything is changed. But I just wouldn’t know that easily, if it wasn’t super obvious.
In any case, I reported the initial weird issue on the mosquito site.
It’s just bizarre what happened, and that it would seem to be maybe, maybenot, maybeso connected to Online Poker.
I hope that’s coherent enough to make a bit of sense.
It’s obvioius that whomever it is/was is familiar with WP and wanted to get in or do something to my WP install at least. That url above will take someone to the Link Manager page once they successfully login. So was that the goal of the “attack” … and they miserably failed? I don’t know how they changed the password without having access to my email … how they spoofed or used some sort of something to send me weird password change emails, and that it totally bypassed the “normal WP” lost password schematics. So they DID change my password, but did they get in with it, that is the question.