We are being hacked????

On the 29th of June, a user registered on our site using the name 'amythomlinso' and the email address lollyentwhistle@hironakamuraa.com. This user claimed to be from Belarus.

This user was quickly blocked for posting inappropriate (spam) comments and posts on our site. We recently deleted the account completely as part of a site upgrade.

It is now 14 weeks later, and we are being hit with multiple failed login attempts using this user name. In the past 24 hours we have blocked access to over 700 IP addresses from all over the world to try to stop this attack, but the login attempts keep coming. During the same period we have seen an alarming number of injection and scripting attacks on our site.

Resources of this magnitude are only available to organizations with control over large networks of infected computers. I am at a loss to understand the motivation behind such attacks, and the result is nothing more than a Denial of Service to our visitors when the malicious requests overload our servers. We do not store personal information, and anything that is available to our users is also available to our visitors, except that you have to log in to post.

A little investigation revealed that the domain hironakamuraa.com has been suspended for 'terms of use' violations. The screen stating this used to be displayed only for eastern European sites, and is commonly associated with the so-called Russian Mafia. The domain is registered by a Uruguayan (?) company called Uruguayan International Hosting (urguayaninternationhosting.com - notice the spelling error!) which does not exist. Their registered nameservers are at afraid.org in California, an organization that caters to fly-by-night operations. When hironakamuraa.com is pinged, the IP returned is which is allocated to TeliaSonera, a major Swedish telecom provider with market penetration throughout Scandinavia, the Baltics, eastern Europe and Russia (Check out teliasonera.com/en.). The logical assumption here is that the Russian Mafia is phishing for identities.
They keep coming, in spite of their lack of success. Another 400 IPs blacklisted.
Someone just came into our site to check if the user name 'amythomlinso' existed, and received a '404 Page Not Found' message. I hope this was the C&C for the botnet that has been harassing us. Their IP,, is out of Kiev, Ukraine (of course) and has been added to the nearly 3,000 IPs we have blocked so far.
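The pattern described in this post (one username, hundreds of source addresses, so per-IP blocking never catches up) is easier to detect by counting distinct source IPs per username rather than failures per IP. The following is an added example written for this page, not the poster's code; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not the poster's actual log):
# "<ISO timestamp> login_failed user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")

# Constructed sample: one username hit from many addresses, plus
# a second user failing twice from a single address.
SAMPLE_LOG = """\
2024-10-06T10:00:01 login_failed user=amythomlinso ip=198.51.100.7
2024-10-06T10:00:09 login_failed user=amythomlinso ip=203.0.113.42
2024-10-06T10:00:20 login_failed user=amythomlinso ip=192.0.2.88
2024-10-06T10:01:03 login_failed user=amythomlinso ip=198.51.100.201
2024-10-06T10:01:40 login_failed user=amythomlinso ip=203.0.113.9
2024-10-06T10:02:15 login_failed user=editor ip=192.0.2.5
2024-10-06T10:02:30 login_failed user=editor ip=192.0.2.5
"""

def parse(log_text):
    """Return a list of (timestamp, username, source_ip) for failed logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not failed-login records
        ts, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events

def distributed_attacks(events, window=timedelta(minutes=10), min_ips=3, min_failures=5):
    """Return {username: (failures, distinct_ips)} for usernames whose failures
    inside any sliding `window` come from at least `min_ips` distinct addresses.
    Each address contributes only a failure or two, so per-IP lockouts never
    fire; the per-username view is what exposes the botnet."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past stale entries
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_failures and len(ips) >= min_ips:
                flagged[user] = (len(span), len(ips))
                break
    return flagged

if __name__ == "__main__":
    print(distributed_attacks(parse(SAMPLE_LOG)))
```

A flagged username is a candidate for a per-account response (temporary lockout, a uniform "invalid credentials" reply, or a CAPTCHA) that does not depend on the attacker's address pool.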