I told a Nigerian no, and now he is using a botnet

Ok, so a Nigerian scammer tried getting me to send him money and I told him no and if he ever contacted me I would contact the FBI. I didn't realize until after the email it attached my signature to it so he saw my site address. I know it's him because the first IP was the same as where his email came from. I crashed the site intentionally hoping it would stop. The second I brought it back up it started again. Although I know he won't get in because he isn't using the right username, it's really annoying because I have received 800 emails today and he is about to use up my daily email quota. I can't just ban the IP either because it is multiple. What should I do?

  • Vaughan
    • Support/SLS MockingJay

    hiya

    contact your host immediately and see if they can do something. tell them what you told us.

    turn your site offline. try waiting it out.

    but your host will understand and can probably extend your quotas. if it's ddos there isn't much you can do other than wait. your host will probably already be aware of the attack, but i would speak to them quickly to be sure.

    hope this helps.

  • Mike
    • New Recruit

    Hi @Brashell

    Wow that's a bit crazy!

    I run a small VPS server and have experienced an attack once, since then I use CloudFlare. It might be difficult to get it set up now, but once you do you can set CloudFlare to high security mode and they should filter out most of the attackers and keep your site online.

    https://www.cloudflare.com/

    I hope this helps!

    Cheers,
    Mike

  • Brashell
    • The Bug Hunter

    I turned my site off myself, for about 5 hours, the last botnet attack stopped after that. This one keeps going though. I don't have an admin user so I am not too worried about him getting in. With CloudFlare, will it be expensive if I have lots of data in the long run like a few terabytes, because it's going to be there soon. Does it work with multisite as well? Thanks.

  • Imperative Ideas
    • HummingBird

    This is just something you deal with when you host sites man.
    http://imperativeideas.com/brute-force-attack-looks-like-bandwidth/

    You can take a few steps that will help. I don't know what your site is so I can't run a WPScan against it in Backbox but if he's just slamming admin you have to let it run its course.

    Actually... back up your site before doing this. Install Better WP Security and move the admin and login areas to custom URLs. If this guy is enough of an idiot to slam "admin" then he probably won't figure out it's been moved.
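
For the situation described in this thread (login attempts arriving from many IPs), a summary of the access log shows how much of the traffic a ban on the busiest source would actually cover. This is an added example, not part of any post above; the log lines are constructed, and the Combined Log Format and the `/wp-login.php` path are assumptions about the server.

```python
import re
from collections import Counter

# Combined Log Format (assumed): ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation-range IPs; not from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2101
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 3412
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.20 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000
not a log line
"""

def summarize_login_posts(lines, login_path="/wp-login.php", block_top=1):
    """Count POSTs to the login page per source IP and report how much of
    that traffic would stop if the `block_top` busiest IPs were banned."""
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path == login_path:
            per_ip[m.group("ip")] += 1
    total = sum(per_ip.values())
    top = per_ip.most_common(block_top)
    blocked = sum(count for _, count in top)
    return {
        "total_posts": total,
        "distinct_ips": len(per_ip),
        "top": top,
        "blocked_share": blocked / total if total else 0.0,
    }

if __name__ == "__main__":
    print(summarize_login_posts(SAMPLE_LOG.splitlines()))
```

A low `blocked_share` with a high `distinct_ips` count is the pattern where per-IP bans do little and rate limiting or an upstream filter is the better control.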

  • Brashell
    • The Bug Hunter

    @Imperative Ideas Yeah I know this is what happens, I have pretty good security. I know this happens as well, I will also be removing the wp- from the files, the site is in development though so I wasn't going to until then, but looks like that is going to happen now. Gonna be some major security updating this week. Also "WPScan against it in Backbox" What's that? Can I get a link for future reference?

  • Imperative Ideas
    • HummingBird

    If your Nigerian was smart, he'd be using it against you.
    http://wpscan.org/

    Basically it's a gray-hat hacker/security tool that probes a WP site using a Linux command line setup. It enumerates usernames, plugins, versions, etc - and points out any obvious holes. It will then happily run a brute force attack if you want it to.

    While it's not all that hard to set up wpscan in Ubuntu, it's much easier just to download the Backbox distro linked from the WPScan page. The idea here is that if you want to be as safe as possible, you should use the same tools against your site that someone else will and see what happens. Just bear in mind that if you don't have a VPS, a shared host may get a little testy if you repeatedly throw up a hacker profile against their servers. Nothing says "I'm having a bad day" like having to call your host and explain why your IP was banned so that you can access your own setup again (though the flags expire pretty fast and most hosts don't ever do anything no matter what you throw their way).

  • lol
    • The Incredible Code Injector

    Hi Brashell,
    Backtrack is full of useful tools to audit your WP.

    If you liked wpscan, you'll enjoy this too: w3af
    http://w3af.org/download

    It is much more powerful than wpscan, which only lists weaknesses it knows.
    w3af is more general and tries all known methods for finding problems in Web applications.

    Obviously, the scans are much longer and deeper ... and more complicated to use ...

    Laurent.

  • Imperative Ideas
    • HummingBird

    Yeah we've talked in the WPScan repo about the fact you can't effectively scan private distributions. Well you sort of can, but many of them don't report version numbers so it's hard to ping off the API.

    That works both ways though, security by obscurity just means bigger zero day threats.
