not2easy - 7:16 pm on Jan 29, 2013 (gmt 0)
I couldn't find anything on INTERBUSINESS less than 10 years old so I thought I would add these here. Please move them if there is somewhere else for this.
I am seeing more activity from INTERBUSINESS, TDENET and RIMA - yes, Rima and TDEnet are telecommunications networks in Spain with legitimate users. The sites they are hitting don't do anything intl so they are blocked:
220.127.116.11 - 18.104.22.168 TELECOM-INTERBUSINESS (IT) 22.214.171.124/16
126.96.36.199 - 188.8.131.52 TELECOM-INTERBUSINESS (IT) 184.108.40.206/16
220.127.116.11 - 18.104.22.168 TELECOM-INTERBUSINESS (IT) 22.214.171.124/16
126.96.36.199 - 188.8.131.52 TDENET (ES) 184.108.40.206/16
220.127.116.11 - 18.104.22.168 RIMA (ES) 22.214.171.124/16
126.96.36.199 - 188.8.131.52 RIMA (ES) 184.108.40.206/16
All of these as well as a few others I'm still checking on are from the past two weeks' access logs for one relatively new WP install and they ALL had the same UA:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
..and they were all programmed hack attacks: POST /wp-login.php
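The pattern described in the post (one fixed user agent, POST requests to wp-login.php, sources spread over several /16 ranges) can be pulled out of an access log with a short script. This is an added example, not part of the original post; it assumes the Apache/nginx "combined" log format, and the function names and sample log lines are constructed for illustration, using documentation address ranges.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# User-agent string quoted in the post above.
SUSPECT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) "
              "Gecko/20100101 Firefox/8.0.1")

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def login_posts_by_net(lines, ua=SUSPECT_UA, prefix=16):
    """Map each source /prefix network to (POST count, distinct IPs) for
    POST requests to wp-login.php that carry exactly the user agent `ua`."""
    posts, ips = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["ua"] != ua:
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        try:
            net = str(ip_network(f"{m['ip']}/{prefix}", strict=False))
        except ValueError:
            continue  # logged client is a hostname, not an address
        posts[net] += 1
        ips[net].add(m["ip"])
    return {net: (posts[net], len(ips[net])) for net in posts}

def _line(ip, method, path, ua):
    # Builds one constructed log line (hypothetical helper for the sample data).
    return (f'{ip} - - [29/Jan/2013:19:16:00 +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample input; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    _line("192.0.2.10", "POST", "/wp-login.php", SUSPECT_UA),
    _line("192.0.2.77", "POST", "/wp-login.php", SUSPECT_UA),
    _line("192.0.2.10", "POST", "/wp-login.php", SUSPECT_UA),
    _line("198.51.100.5", "POST", "/wp-login.php", SUSPECT_UA),
    _line("198.51.100.5", "GET", "/", SUSPECT_UA),               # not a login POST
    _line("203.0.113.9", "GET", "/wp-login.php", SUSPECT_UA),    # GET, ignored
    _line("203.0.113.9", "POST", "/wp-login.php", "OtherUA/1.0"),  # different UA
]

if __name__ == "__main__":
    for net, (n, distinct) in sorted(login_posts_by_net(SAMPLE_LOG).items()):
        print(f"{net}  posts={n}  distinct_ips={distinct}")
```

Grouping by /16 matches the granularity of the ranges listed in the post; pass `prefix=24` to see how concentrated the sources are before blocking a whole range.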