Comments on: Blatant dewlance.com SEO, thrustvps, and HEAD attacks

By: Bogdan

Bogdan — Thu, 11 Nov 2010 10:59:27 +0000

Ok, I’ve read your personal email to me and will update the post text to reflect your position.

By: Kunnu Singh

Kunnu Singh — Thu, 11 Nov 2010 05:49:38 +0000

I don’t know why its use my domain name in referrer but this client is trying hack my server.

I get a lots of failed login alert on my WHM and Gmail(password reset email)

I have a some old log entries
Log entries:

IP REMOVED – root [07/11/2010:03:26:19 -0000] “POST /login/ HTTP/1.1″ FAILED LOGIN whostmgrd: user password incorrect
IP REMOVED – [07/11/2010:03:26:37 -0000] “POST /login/ HTTP/1.1″ FAILED LOGIN whostmgrd: user name not specified or invalid user
IP REMOVED – root [07/11/2010:03:27:09 -0000] “POST /login/ HTTP/1.1″ FAILED LOGIN whostmgrd: user password incorrect
IP REMOVED – root [07/11/2010:03:27:25 -0000] “POST /login/ HTTP/1.1″ FAILED LOGIN whostmgrd: user password incorrect
IP REMOVED – root [07/11/2010:03:27:34 -0000] “POST /login/ HTTP/1.1″ FAILED LOGIN whostmgrd: user password incorrect

This person is Trying to reset my Gmail password:
I get this email on my personal email account: “Google Password Assistance”

By: Bogdan

Bogdan — Wed, 10 Nov 2010 23:18:41 +0000

Dear Kunnu Singh, I know it’s hard to monitor for outgoing attacks, and I am inclined to believe that it was just a malicious client.

There is one thing I do not understand, though: is that referrer string added automatically to all outgoing HTTP requests? How is that possible?

By: Kunnu Singh

Kunnu Singh — Wed, 10 Nov 2010 05:55:08 +0000

Sorry for Inconvenience, Also I get attacks from some IPs but all area blocked by my Firewall(CSF)

Please Install this software on your VPS:
1. CSF
2. Mod Security
and use suPHP

Install Instruction: http://configserver.com/free/csf/install.txt

MOD Security: http://www.modsecurity.org/

CSF inform me if someone try to send lots of comments on my blog, try to login, etc.

We’re not doing any illegal works for getting visitors.
I spend money on Advertisements then why I want to block my Site in search engine for spamming.

If you need any help then please contact me

By: Kunnu Singh

Kunnu Singh — Wed, 10 Nov 2010 05:45:30 +0000

I can’t monitor my client accounts because of Windows not provide any monitor software or tool.

But Client account has been removed.

By: Bogdan

Bogdan — Tue, 09 Nov 2010 17:20:33 +0000

Bob – I’ve posted fail2ban rules, if you still see those spikes.

By: Bogdan

Bogdan — Sun, 07 Nov 2010 19:44:04 +0000

I have just sent a complaint to ThrustVPS abuse address, including 1.7MB log file of all these requests since November 4.

While waiting for their response I’ll write a fail2ban rule with a day-long bantime against this type of requests. I think limiting to 10 HEAD requests every 10 seconds from a single IP is OK.

When/if those fail2ban rules are ready, I may as well post them here.

By: Bob Meetin

Bob Meetin — Sun, 07 Nov 2010 14:43:45 +0000

I have been investigating similar load average spikes which have become regular this week, several times a day. I implemented a simple monitoring script a week back that sends me an email if the load average spikes above a defined threshhold. Yesterday I got the provider to install a snapshot utility. It took the combination of both to identify the same offender as you found.

Undoubtedly I can add the IP to a no access list. I’m just curious what action you took, aside from filing a complaint?