I had an interesting day yesterday. I opened up my hobby site sign up page again and got hit by the bots in waiting creating new users.
I run phpnuke with approve member mod so they can't get in. I modified the module and started sending applicants a false activate link.
This led to a hit from the control server... berman.com
http://website.informer.com/Berman+Tech ... s+Ltd..htmAnd in the top sites Berman hosts these two.
http://website.informer.com/visit?domain=kafserver.comhttp://website.informer.com/visit?domain=norfolkseo.netFrom reading the kafserver site I now gather that these account creation attempts are so they can index member content otherwise unavailable to non members.
Here is a short list of logins/from ip's which contains the usual bad actors hitting my server.
Login name, Email, Date, From IP
GlendaQ09
[email protected] Jul 29, 201 35.135.192.4
Jerrod20H
[email protected] Jul 29, 2013 64.145.83.176
JerriGlea
[email protected] Jul 29, 2013 5.135.192.4
CharissaM
[email protected] Jul 29, 2013 216.152.243.246
IngeborgG
[email protected] Jul 29, 2013 193.105.154.9
PerryLecl
[email protected] Jul 29, 2013 23.19.132.20
RemonaPar
[email protected] Jul 29, 2013 87.51.163.199
RonaldMac
[email protected] Jul 29, 2013 46.105.133.33
JLQMckinl
[email protected] Jul 29, 2013 151.237.190.174
ErwinSali
[email protected] Jul 29, 2013 108.163.197.58
ChaseColwscott
[email protected] Jul 29, 2013 114.80.142.20
MarkoBowl
[email protected] Jul 29, 2013 91.212.124.153
RoxanaSch
[email protected] Jul 29, 2013 177.99.236.217
LemuelRancon
[email protected] Jul 29, 2013 89.44.21.204
Charlotte
[email protected] Jul 29, 2013 219.159.198.8
EmilioNul
[email protected] Jul 29, 2013 41.203.95.23
AngelicaN
[email protected] Jul 29, 2013 142.234.104.44
Frederick
[email protected] Jul 29, 2013 50.118.212.91
LynwoodTu
[email protected] Jul 29, 2013 173.208.2.243
NikiMorri
[email protected] Jul 29, 2013 50.118.211.60
Hits to the false activation link
ks4004076.ip-142-4-213.net - - [29/Jul/2013:13:07:38 +1200] "GET zlham.geek.nz/activate/?2hdmzZg934heqwds" 403 232 "http://www.zlham.geek.nz/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.15" 404 480
bermantech.com - - [29/Jul/2013:18:53:56 +1200] "GET zlham.geek.nz/activate?2hdmzZg934heqwds" 404 228 "http://www.zlham.geek.nz/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.15" 403 476
192.95.22.82 - - [29/Jul/2013:21:59:43 +1200] "GET zlham.geek.nz/activate?user=EmilioNul&2hdmzZg934heqwds" 404 228 "http://www.zlham.geek.nz/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.15" 418 476
142.234.104.116.rdns.ubiquity.io - - [29/Jul/2013:22:16:16 +1200] "GET zlham.geek.nz/activate?user=AngelicaN&2hdmzZg934heqwds" 403 232 "http://www.zlham.geek.nz/" "Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.15" 418 480
Mod note: topic split as this is actually an independent topic
Posted: Mon Jul 29, 2013 11:42 pm 
