Our log for yesterday 30 May was 390,000 lines so I took a 3 hour period and checked comment postings with the relevant entry in the access log. These are the IP addresses noted in that time. It looks to me as if the person is using proxies as the log from the 29th is using a different list of IPs.
To those who run sites aimed at family audiences I suggest you dump the database and delete the messages from there (if you feel confident) as the items that list in the 'What's New' only show some of the postings.
When examining my database I found many porno, iffy postings, some with code and so on. Luckily we do have a custom script and can delete field content.
My concern is all these items seem to have been posted with uid 2.
With the speed that multiple items are posted to 4 domains within 2 seconds of each other it does seem like there is a script out there that can do this for them.
I have also found that the items chosen have all been listed by Google.
It is a very worrying situation.
I find that 3 of our sites are running 1.3.9 and 1 1.3.8, strangely the 1.3.8 site has had the least attacks - I have updated the comment.php in each as suggested by Dirk.
I will now wait and see what happens.
Tess
69.5.72.104 epocketworks.com - 41 postings
dsl81-215-3442.adsl.ttnet.net.tr an IIS site under construction - 21 postings
117_pc6.ntcb.edu.tw - 18 postings
80.58.9.44.proxycache.rima-tde.net - 112 postings
200.48.218.178 - 6 postings
alfaproxy.pai.net.pl - 11 postings
216.157.225.37 - 3 postings
207.230.66.18 - 86 postings
host194-206.pool8016.interbusiness.it - 41 postings
203.162.3.146 - 12 postings
194.27.49.2 - 2 postings
12.36.104.2 - 61 postings
22.47.30.61.isp.tfn.net.tw - 91 postings
68.152.252.74 - 7 postings
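
The tally described in the post above can be scripted rather than done by hand: count POSTs to comment.php per client over a 3 hour window and flag clients that post in rapid bursts. This is an added example, not part of the original post; the Apache combined log format, the `/comment.php` path, the sample lines, the window and the burst threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2005:14:00:01 +0000] "POST /comment.php HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [30/May/2005:14:00:02 +0000] "POST /comment.php HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [30/May/2005:14:00:02 +0000] "POST /comment.php HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [30/May/2005:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2005:14:06:30 +0000] "POST /comment.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2005:18:30:00 +0000] "POST /comment.php HTTP/1.0" 200 512 "-" "-"
""".splitlines()

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# Constructed 3 hour review window.
START = datetime.strptime("30/May/2005:14:00:00 +0000", TS_FMT)
END = START + timedelta(hours=3)

def comment_posts(lines, start, end, path="/comment.php"):
    """Yield (host, timestamp) for each POST to `path` inside [start, end)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        host, ts, method, url = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        if method == "POST" and url.split("?")[0] == path and start <= when < end:
            yield host, when

def tally(lines, start, end):
    """Comment postings per client host in the window."""
    return Counter(host for host, _ in comment_posts(lines, start, end))

def burst_hosts(lines, start, end, count=3, within=timedelta(seconds=2)):
    """Hosts with at least `count` postings inside any span of length `within`."""
    times = defaultdict(list)
    for host, when in comment_posts(lines, start, end):
        times[host].append(when)
    # Pair each sorted timestamp with the one (count - 1) positions later.
    return {h for h, s in times.items()
            if any(b - a <= within for a, b in zip(sorted(s), sorted(s)[count - 1:]))}

if __name__ == "__main__":
    for host, n in tally(SAMPLE_LOG, START, END).most_common():
        print(f"{host} - {n} postings")
    print("burst hosts:", sorted(burst_hosts(SAMPLE_LOG, START, END)))
```

Grouping the same postings by timestamp across each site's log would show whether several domains were hit within the same couple of seconds.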