Drastic Measures - Blocking all Chinese requests
-
Ever since that dreadful morning when I discovered the invisible iframes attached to most of the static web pages at both my web host and an internal web/FTP server, I have been keeping close tabs on the FTP server logs, especially the internal server's. The evidence is in the logs: relentless brute-force attacks and dictionary attacks, often lasting for half an hour or more. After a month and a half of tracing the offending IPs, I can report that about 80% trace back to China. I just retrieved a list of all (99.5%, it states) Chinese IP addresses. A quick conversion to the IP and subnet-mask form that IIS 7.5 can understand, a paste into the ipSecurity section, and they can go elephant off! :mad:
"Go forth into the source" - Neal Morse
-
:thumbsup: Sometimes the most drastic measures are the only ones that work!
Gryphons Are Awesome! Gryphons Are Awesome!
-
I've blocked huge IP ranges, all from China. They were downloading all of the large ZIP files on my site every 30 minutes, and blocking one IP just made them switch to another. So now I'm blocking all of 220.181.*, 124.238.*, etc. Server logs say they keep trying anyway. Hope they're enjoying their 403s.
-
I too receive a bunch of crap like the below through my Zopim plugin:

> From: 1
> URL: <>
> 13243242

The posting IP addresses belong to the same family. One of them is (IP information courtesy of http://www.ip2location.com/):

LOCATION: Hanoi, Dac Lac, Vietnam
BROWSER: Firefox 12.0
PLATFORM: Windows 7
DEVICE: -
IP ADDRESS: 42.113.104.197
USER AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Vasudevan Deepak Kumar Personal Homepage BRAINWAVE/1.0 Status-Code: 404 Status-Text: The requested brain could not be found. It may have been deleted or never installed.
--Brisingr Aerowing
-
-
that would be a good one :laugh:
Treat stressful situations like a dog, if you can't eat it, play with it or screw it, then just piss on it and walk away. Be careful which toes you step on today, they might be connected to the foot that kicks your butt tomorrow.
-
...either that or it is the Chinese government, and you get even more attention from them...
The universe is composed of electrons, neutrons, protons and......morons. (ThePhantomUpvoter)
-
-
I like this idea. :thumbsup: Unfortunately, my IP address would be involved and homeland security might come knocking on my door! No thanks! I'd rather redirect them back to one of their own ghastly web sites. :laugh:
"Go forth into the source" - Neal Morse
-
I seem to get a fair bit of suspicious activity from Russia (and, strangely, Florida), though I haven't resorted to blocking large IP ranges yet.
-
Nasty. On a related note, my router shut down my Internet connection last night. I was doing completely legitimate stuff on a website, but I had manually opened up a lot of tabs with pages on the site. Bam!!! Hold the phone, my router said. You might be experiencing an attack. :~ There was no harm done, but nice to know it works in case something like that should happen some day. :) Soren Madsen
"When you don't know what you're doing it's best to do it quickly" - Jase #DuckDynasty
-
-
-
It had occurred to me to try and block the attacks at the router, but my device has no 'blacklist' config available. Where do you get such a 'smart' router?
"Go forth into the source" - Neal Morse
-
Or a real juicy Russian porn site...
If your neighbours don't listen to The Ramones, turn it up real loud so they can. “We didn't have a positive song until we wrote 'Now I Wanna Sniff Some Glue!'” ― Dee Dee Ramone "The Democrats want my guns and the Republicans want my porno mags and I ain't giving up either" - Joey Ramone
-
Way to lose 1.3 billion customers, who, apparently, were happy.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Ok, now you guys have me worried. I am not that familiar with all these techniques used to gain access. I have a Small Business Server in the home office open for remote access (File Sharing and RDP) and ports on my main machine open for RDP. What should I be monitoring to catch anyone trying to hack in? Can you point me to a good thread or resource with more information so I can rest a little easier? Thanks!
--- What I need is a really cool signature here! ---
-
The server logs are the biggest hint. Get into the habit of checking the FTP logs. You can tell by their size whether it's been under attack. Best practices depend on the type and version of FTP server you are running, but definitely rename/disable the Administrator account on the server, and use strong passwords (common sense). I noticed several times in my logs that they also try to use the 'Administrateur' account. :laugh:
"Go forth into the source" - Neal Morse
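Checking log size tells you something happened; the following added example (not code from the original poster) shows what a practitioner would actually look for in an IIS 7.5 FTP log. It reads the W3C `#Fields:` header so the column order does not matter, then flags any client address that gets a 530 reply to PASS ten times inside five minutes and lists every username it tried, which is what separates a dictionary run from one user mistyping a password. The log text it runs on is constructed for the demo: the field names are those IIS writes, the addresses and accounts are made up.

```python
"""Find brute-force / dictionary logins in an IIS 7.5 FTP log (W3C format).

Added example, not code from the original post. It reads the #Fields: header
so the column order does not matter, then flags any client IP that fails the
PASS command THRESHOLD times within WINDOW, listing every username it tried.
The log text is constructed for the demo: the field names match the W3C
extended format IIS writes, the addresses and accounts are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, Tuple

THRESHOLD = 10                   # failed PASS commands from one IP ...
WINDOW = timedelta(minutes=5)    # ... inside this span counts as brute force

FIELDS = "date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status"
ATTACKER = "203.0.113.9"         # constructed address
ATTACK_USERS = ["Administrator", "Administrateur", "admin", "root", "ftp", "test"]


def constructed_log() -> str:
    """One legitimate user (one typo, then success) and one dictionary run."""
    lines = [
        "#Software: Microsoft Internet Information Services 7.5",
        "#Version: 1.0",
        f"#Fields: {FIELDS}",
        "2013-08-12 03:10:00 192.168.1.55 jsmith 192.168.1.10 21 USER jsmith 331 0",
        "2013-08-12 03:10:01 192.168.1.55 jsmith 192.168.1.10 21 PASS - 530 1326",
        "2013-08-12 03:10:09 192.168.1.55 jsmith 192.168.1.10 21 USER jsmith 331 0",
        "2013-08-12 03:10:10 192.168.1.55 jsmith 192.168.1.10 21 PASS - 230 0",
    ]
    start = datetime(2013, 8, 12, 3, 14, 5)
    for i in range(12):                       # 12 failures in 33 seconds
        t = (start + timedelta(seconds=3 * i)).strftime("%Y-%m-%d %H:%M:%S")
        user = ATTACK_USERS[i % len(ATTACK_USERS)]
        lines.append(f"{t} {ATTACKER} {user} 192.168.1.10 21 USER {user} 331 0")
        lines.append(f"{t} {ATTACKER} {user} 192.168.1.10 21 PASS - 530 1326")
    return "\n".join(lines) + "\n"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines
                yield dict(zip(fields, values))


def failed_logins(records: Iterable[Dict[str, str]]) -> Iterator[Tuple[str, datetime, str]]:
    """(client ip, timestamp, username) for every PASS the server rejected (530)."""
    for r in records:
        if r.get("cs-method") == "PASS" and r.get("sc-status") == "530":
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            yield r["c-ip"], ts, r.get("cs-username", "-")


def find_brute_force(text: str, threshold: int = THRESHOLD,
                     window: timedelta = WINDOW) -> Dict[str, dict]:
    """Sliding-window count of failures per client IP; returns the flagged IPs."""
    recent = defaultdict(deque)     # ip -> failure timestamps inside the window
    failures = defaultdict(int)     # ip -> total failures in the whole log
    users = defaultdict(set)        # ip -> usernames attempted
    flagged = {}                    # ip -> (window start, moment threshold was crossed)
    for ip, ts, user in failed_logins(parse_w3c(text)):
        failures[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0], ts)
    return {
        ip: {"window_start": first, "triggered_at": when,
             "failures": failures[ip], "usernames": sorted(users[ip])}
        for ip, (first, when) in flagged.items()
    }


if __name__ == "__main__":
    for ip, f in find_brute_force(constructed_log()).items():
        print(f"{ip}: {f['failures']} failed logins, threshold hit at "
              f"{f['triggered_at']:%H:%M:%S}, tried {', '.join(f['usernames'])}")
```

Point it at the real files under inetpub\logs\LogFiles\FTPSVC* and the flagged addresses are your block list. The same 530/1326 pairing (FTP "not logged in", Win32 ERROR_LOGON_FAILURE) is what the legitimate user produces once, which is why the threshold and window matter more than the status code. For the RDP exposure asked about above, the equivalent record is Windows Security event ID 4625 (failed logon), and the same per-source sliding window applies.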