Trojan Alert: effethemes.com (Brazilian server) WordPress themes contain a trojan. By definition, a trojan is a piece of code that does something malicious. The theme links your site to thousands of BR hacker scanner sites that scan/probe your server thousands of times an hour. It is a form of mentally challenged Brazilian DoS attack, a low-grade attack.
With any claim, just like reporting a bug, I need to provide data that enables anyone to replicate my findings.
If you’re using Ubuntu you will need iftop. If you don’t have it, run apt install iftop.
- First run iftop
- While it is running, press “p” for port display, then “l” (lowercase L), type http and press enter
- Monitor who’s connecting to https
- Install the WordPress theme Zummo Prime by Effe Themes
- Activate it, if you dare!
- While using iftop, monitor what’s happening to your https connections
Within 24 hours you will find multiple connections to your https from one of the following IP ranges, all of which come from BR (Brazil) and, you will notice, the creator of Zummo Prime by Effe Themes is also Brazilian (BR).
Note: Apache will not log anything, even with debug activated (I find Apache is lacking in log data, making it very hard for a webmaster to monitor suspicious activity).
The list of Brazilian IP ranges below started hitting my web server non-stop with 160 to 240 hits per hour. They come from multiple IP addresses spread over a number of ranges and, after you block them, come in the next day with new IP addresses.
I’ve made it easy for you and listed all of the addresses collected so far in two sections: section 1 in bare format, and section 2 nice and easy, already formatted to copy and paste into your UFW firewall.
The list is updated daily. (Last update January 6th 2025, Australian EST.) For obvious reasons I can’t disclose how they are auto-detected by my servers and immediately blocked via firewall. For now, let’s say they’re not a smart bunch.
Section 1 – Bare listing of BR IP addresses (Brazil)
Section 2 – Ready to go formatted for UFW firewall of BR IP addresses

Best to use DENY. The Brazilians are not the full quid. Even while blocked they still come for several hours. A smart hacker’s code knows it’s blocked and moves on to another target. I think these Brazilians would drive off a cliff even when there is a roadblock! (Maybe these hackers are government employees and, if so, that explains the lack of intelligence.)
I contacted the creator of the WordPress theme and received no response. When you don’t respond to me, that’s an admission of guilt and grants me permission to go public. If he had responded with an acceptable response you would not be seeing this.
Summing up, I like giving people the benefit of the doubt, and he may be unaware this is happening. It’s probable the server where he develops the theme has been hacked and his development code modified by hackers, unknown to him. Hence he is uploading it to WordPress for distribution. Should this be the case, it strongly suggests WordPress does not filter themes for malicious code!
Are you concerned about Edison Mail and what is being done with your password?
Is Edison Mail sharing my password and email address? Yes.
Who is Edison Mail sharing my password with? I’ll show you further down!
I’ve noticed someone logging into my email account and don’t know who. Are you using Edison Mail?
There are dozens of unauthorised logins to my mail server (email hosting provider). Have you installed Edison Mail?
I’ve noticed strange logins to multiple accounts. Do you use Edison Mail?
After installing Edison Mail on my Android it soon became evident something wasn’t quite right.
When you use an app or desktop software for email, you provide your email hosting details, password and email address, and then access and send emails without any issues. The email app stores your login information on your device or computer. You don’t expect the app to steal your password and login details, store them in a foreign country and use them itself.
After installing and configuring Edison Mail, it didn’t take long to know something mysterious and unlawful was taking place with my email account and password. Edison sent a copy of my password, email and contacts to their server and shared them with dozens of other servers based on AWS (Amazon servers) leased to anyone. How do I know that happened? Read on.
Within a day, multiple people from America were using my password to log in to my email account, sifting through my inbox and sorting through who sent me messages, who I sent messages to, and so on.
As Edison Mail was the only app/software I gave my password to, I immediately stopped using it and removed the Edison Mail app. I changed the password on my email account.
I monitored the mail server logs after changing the password to see if the logs would then start displaying a password error. The logs began showing that from Edison servers there was indeed a password failure during login. I then configured the server for debug mode. In debug mode, when a person enters a wrong password, the mail server records in the logs the password that was provided. Sure enough, the Edison servers were issuing the password I gave them during the setup process. Obviously the app needs the password so that the app can sign in to my email account. The app didn’t say it would share my password for others to log in to my account.
It is a breach of a person’s email provider terms to share your details and allow a third party to use them to log in to your email account! You need to give the app your password, but you didn’t know the app was sharing your password with dozens of servers, in effect placing you in the position of breaching your email provider’s terms of use.
Edison Mail has made you breach the terms of service with your email service provider! Your TOS clearly state you are not allowed to share your details with a third party. Edison has transferred a copy of your password, without your knowledge and without your consent, to its servers and is using those details to log in to your email provider or, worse, could be trying to log in to other accounts you have that use your email address as login. Hopefully you use a different password for each of your accounts.
I immediately blocked all IP addresses associated with Edison Mail and went back to using webmail.
I contacted Edison Mail about my concerns, demanding to know why they have my password and why they are logging into my email account sifting through my personal correspondence. His response: it is needed for push notifications. What a load of bullshit. Logging into my account without my express permission did not aid push notifications any better than any other app. In fact, it was slower. An email app, or any app, does not need to log in to your email account from dozens of servers in America throughout the day for the purpose of push notifications. Perhaps Edison is a front for the US government to spy on your email communications or is used by organised crime!
If you notice security breaches on any web accounts where you use your email address as login, are not prudent enough to use multiple passwords, and have Edison Mail on your PC or phone, you might want to consider changing all of your passwords.
If you find in your mail server logs connections from the list of IP addresses below, you will find they belong to Edison Mail. This business is logging into your email account dozens of times a day, sifting through your emails.
If you work for the military or a government department, or use email to communicate sensitive information, I strongly urge you to stop using Edison Mail and any mobile phone app for email communications. Ask yourself: would you give Edison Mail, a total stranger, the key to your home? Would you feel comfortable with him going through your personal belongings without your consent and knowledge? You’re allowing them to log in to your email 24/7, going through your private mail, images, videos sent and received…
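One way to turn what iftop shows on the web server, and what the mail server logs show after a password change, into firewall rules in the same format as the lists on this page (an added example, not code from the post; the connection records and the Dovecot-style log lines are constructed, and the 160 hits per hour threshold is the post's own figure):

```python
# Added example, not the post's own code: flag the noisy /24s iftop reveals on the
# web server and the third-party servers still presenting a rotated mail password,
# then emit ufw deny rules in the post's format. All input below is constructed.
from collections import Counter
from datetime import datetime
import ipaddress
import re

def constructed_web_records():
    """Constructed 'timestamp src_ip' lines: 200 hits within one hour from one /24
    on the post's list, plus two from an ordinary visitor."""
    lines = [f"2025-01-06T10:{i // 60:02d}:{i % 60:02d} 45.174.16.{i % 250 + 1}"
             for i in range(200)]
    lines += ["2025-01-06T10:15:00 203.0.113.5", "2025-01-06T11:00:00 203.0.113.5"]
    return "\n".join(lines)

# Constructed Dovecot-style lines after the mailbox password was rotated: the
# legitimate client (203.0.113.5) logs in; the other servers still hold the old password.
MAIL_LOG = """\
Jan 06 10:02:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<me@example.org>, rip=3.80.29.130
Jan 06 10:02:40 mx dovecot: imap-login: Login: user=<me@example.org>, rip=203.0.113.5
Jan 06 10:03:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<me@example.org>, rip=3.80.29.130
Jan 06 10:05:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<me@example.org>, rip=18.209.13.98
"""
AUTH_FAIL = re.compile(r"auth failed.*rip=(\d+\.\d+\.\d+\.\d+)")

def noisy_networks(records, per_hour=160):
    """/24s that hit the server at least per_hour times within one clock hour
    (the post reports 160 to 240 hits per hour from each range)."""
    hits = Counter()
    for line in records.splitlines():
        stamp, ip = line.split()
        hour = datetime.fromisoformat(stamp).strftime("%Y-%m-%dT%H")
        hits[(ipaddress.ip_network(f"{ip}/24", strict=False), hour)] += 1
    return sorted({str(net) for (net, _), n in hits.items() if n >= per_hour})

def failing_sources(log, min_failures=2):
    """Source IPs that failed authentication at least min_failures times."""
    fails = Counter()
    for line in log.splitlines():
        match = AUTH_FAIL.search(line)
        if match:
            fails[match.group(1)] += 1
    return sorted(ip for ip, n in fails.items() if n >= min_failures)

def ufw_rules(sources, comment):
    """One 'ufw insert 1 deny' rule per source, in the post's own format."""
    return [f'ufw insert 1 deny from {s} to any comment "{comment}"' for s in sources]
```

Run ufw_rules(noisy_networks(constructed_web_records()), "Wordpress pesty BR") and ufw_rules(failing_sources(MAIL_LOG), "Edison mail") to get the two rule sets; on a real box, feed it the live records rather than the constructed ones.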
List of the Edison Mail IP addresses logging into your email account
These are the known IP addresses of servers based in the United States from which strangers are logging into your email provider and sifting through your private correspondence.