What’s up with the computer malware in Italy?
Since December 11 there have been 574 attacks on my server from machines in Italy. Of those 574 machines, 561 (98%) have attempted to hack my WordPress blog via the `/wp-login.php` URI, 12 have attempted to hack my SSH server, and one was an attempt to exploit a router bug (the “`GET /tmUnblock.cgi`” exploit). To put this in perspective, during the same period there were a total of 54 attacks on `/wp-login.php` from countries other than Italy. Fully 91% of the WordPress login attacks have originated from Italy rather than China or the USA.
Ignoring the first two days of the attack (when it was ramping up) I’ve seen an average of 72 new computers in Italy try to hack into my WordPress blog each day.
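An added example, not code from the original post: one way to produce this kind of tally (distinct source addresses per probe type, new addresses per day, and a per-country breakdown) from an Apache combined-format access log. The log lines, the `allow` set and the `GEO` mapping are constructed stand-ins; a real run would take the country from a GeoIP database and would read SSH attempts from the sshd log separately.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines using documentation-range addresses, not data from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2014:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2014:08:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Dec/2014:02:17:40 +0000] "GET /wp-login.php HTTP/1.0" 200 2890 "-" "-"
198.51.100.7 - - [12/Dec/2014:09:30:02 +0000] "GET /tmUnblock.cgi HTTP/1.1" 404 210 "-" "-"
192.0.2.1 - - [12/Dec/2014:09:45:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.25 - - [12/Dec/2014:10:00:00 +0000] "GET /2014/12/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.99 - - [13/Dec/2014:12:00:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 100 "-" "-"
203.0.113.10 - - [13/Dec/2014:12:45:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""
# Constructed stand-in for a GeoIP lookup (assumption: country codes are available per address).
GEO = {"203.0.113.10": "IT", "203.0.113.44": "IT", "198.51.100.99": "US"}

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "(\S+) (\S+)[^"]*" \d{3} ')
PROBES = {"/wp-login.php": "wp-login", "/tmUnblock.cgi": "tmUnblock"}

def classify(line):
    """Return (ip, day, probe) for a probe request, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ip, day, _method, target = m.groups()
    probe = PROBES.get(target.split("?", 1)[0])  # compare the path without its query string
    return (ip, day, probe) if probe else None

def tally(log_text, allow=frozenset()):
    """Distinct sources per probe type, and addresses first seen on each day."""
    sources, first_seen, seen = defaultdict(set), Counter(), set()
    for line in log_text.splitlines():  # access logs are already in time order
        hit = classify(line)
        if hit is None or hit[0] in allow:  # skip the site owner's own logins
            continue
        ip, day, probe = hit
        sources[probe].add(ip)
        if ip not in seen:  # count each address once, on its first day
            seen.add(ip)
            first_seen[day] += 1
    return dict(sources), dict(first_seen)

def by_country(ips, geo):
    """Count addresses per country code; unknown addresses are grouped under '??'."""
    return Counter(geo.get(ip, "??") for ip in ips)
```

Counting distinct addresses rather than requests keeps one noisy host from dominating the numbers, and the `allow` set keeps legitimate logins out of any blacklist built from the result.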
Update 2014-12-28: I continue to see many computers from IP addresses in Italy attempt to probe my WordPress blog for vulnerable account data. Italy now has 1199 addresses blacklisted, which is more than the USA and China combined (474 and 603 respectively). I’d love to know what evil piece of malware has managed to turn so many computers in Italy into a force for evil.
Update 2015-04-20: The attacks from Italy continue unabated with 2415 IP addresses blocked — ten times the second-place country. See my article about [“Configuring WordPress to reject bogus wp-login.php requests”](/2015/04/configuring-wordpress-to-reject-bogus-wp-login-php-requests/) for a simple way to reject these requests via your `.htaccess` file.
Update 2015-05-18: The attack from Italy abated a couple of weeks ago. It seems unlikely the approximately 3,000 computers located in Italy that I saw make this specific attack in the past six months have been cleansed of malware. More likely is that whoever owns that particular botnet has told those computers to focus their attacks elsewhere.