Our log for yesterday, 30 May, was 390,000 lines, so I took a 3 hour period and checked comment postings against the relevant entries in the access log. These are the IP addresses noted in that time. It looks to me as if the person is using proxies, as the log from the 29th is using a different list of IPs.
To those who run sites aimed at family audiences I suggest you dump the database and delete the messages from there (if you feel confident) as the items that list in the 'What's New' only show some of the postings.
When examining my database I found many porno, iffy postings, some with code and so on. Luckily we do have a custom script and can delete field content.
My concern is all these items seem to have been posted with uid 2.
With the speed that multiple items are posted to 4 domains within 2 seconds of each other it does seem like there is a script out there that can do this for them.
I have also found that the items chosen have all been listed by Google.
It is a very worrying situation.
I find that 3 of our sites are running 1.3.9 and 1 is running 1.3.8; strangely, the 1.3.8 site has had the least attacks. I have updated the comment.php in each as suggested by Dirk.
I will now wait and see what happens.
220.127.116.11 epocketworks.com - 41 postings
dsl81-215-3442.adsl.ttnet.net.tr an IIS site under construction - 21 postings
117_pc6.ntcb.edu.tw - 18 postings
18.104.22.168.proxycache.rima-tde.net - 112 postings
22.214.171.124 - 6 postings
alfaproxy.pai.net.pl - 11 postings
126.96.36.199 - 3 postings
188.8.131.52 - 86 postings
host194-206.pool8016.interbusiness.it - 41 postings
184.108.40.206 - 12 postings
220.127.116.11 - 2 postings
18.104.22.168 - 61 postings
22.214.171.124.isp.tfn.net.tw - 91 postings
126.96.36.199 - 7 postings
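
An added example, not part of the original post: one way to produce a per-client tally like the one above and to flag the "several postings within 2 seconds" pattern directly from an access log. It assumes Apache combined log format and that comments are submitted by POST to `/comment.php`; the sample lines, addresses and dates are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format (assumed); only the needed fields are captured.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def comment_posts(lines, path="/comment.php"):
    """Yield (timestamp, client) for every POST to the comment handler."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != path:
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["client"]

def postings_per_client(lines):
    """Count comment postings per client host, as in the list above."""
    return Counter(client for _, client in comment_posts(lines))

def burst_clients(lines, window=timedelta(seconds=2), threshold=3):
    """Clients that took part in >= threshold postings inside one window."""
    events = sorted(comment_posts(lines))
    flagged, start = set(), 0
    for end in range(len(events)):
        # Slide the window start forward until it spans at most `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(c for _, c in events[start:end + 1])
    return sorted(flagged)

# Constructed sample lines (documentation address ranges, made-up date).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:10:00:02 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2000:10:00:03 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [01/Jan/2000:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.5 - - [01/Jan/2000:10:30:00 +0000] "POST /comment.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for client, count in postings_per_client(SAMPLE).most_common():
        print(f"{client} - {count} postings")
    print("burst participants:", burst_clients(SAMPLE))
```

Because the burst check looks at timing across all clients rather than per address, it still flags a run of postings that is spread over several proxies.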