we are under attack!

Started by alantani, October 23, 2012, 10:56:18 PM

alantani

i figured out the reason that things here are so slow.  some idiot has an ip address of ***.178.26.99 and he is attempting to log in.  he is trying at a rate of once a second.  THAT is what is slowing things down.  

ID deleted.  thanks, guys, for the advice.

send me an email at alantani@yahoo.com for questions!

Ron Jones

Allan,

If you have access to your host's ACL, blocking that IP will fix it. This sort of stuff is basically my job.

Ron
Ronald Jones
To those who have gone to sea and returned and to those who have gone to sea and will never return

alantani

i don't know how to do that, but i will check.  this guy really is an idiot....   :-\
send me an email at alantani@yahoo.com for questions!

alantani

he stopped trying to log in.  things have sped up for me.  what about you guys?
send me an email at alantani@yahoo.com for questions!

Ron Jones

Seems better,

But I switched computers so it's impossible to give a definitive answer.

Ron
Ronald Jones
To those who have gone to sea and returned and to those who have gone to sea and will never return

saltydog

It does seem a little faster. Was wondering what was up.
Remember...."The soldier above all other people prays for peace, for he must suffer and bear the deepest wounds and scars of war!" Douglas MacArthur

Dave Bentley

This should be a hanging offence
Only believe that which you know to be true.

Ron Jones

This is why some forum registrations require squiggly letters. By the script he was performing a brute force attack. If you want your ego stroked a little, Alan, this normally happens when a site gets big enough to warrant the attention.

Ron
Ronald Jones
To those who have gone to sea and returned and to those who have gone to sea and will never return

Dr. Jekyll - AKA MeL B


George4741

Spotty performance this morning, again. :-\
viurem lliures o morirem

alantani

it's sped up quite a bit for me. 
send me an email at alantani@yahoo.com for questions!

reefmonsta

Quote from: noyb72 on October 23, 2012, 11:31:32 PM
Allan,

If you have access to your host's ACL, blocking that IP will fix it. This sort of stuff is basically my job.

Ron

Blocking an IP via ACL or any other means for that matter will not necessarily resolve the real issue.  Even if the attack is coming from a static IP, it's simple to change IPs, tap off another IP, or even obfuscate your source IP.  Understanding/becoming the attacker as well as protecting against it is basically my job  ;)

Posting the source IP of the attack may not always be the best thing to do.  The owner of the IP may not even be aware that their system has been compromised, which is the case in the good majority of instances.  Furthermore, posting the IP may cause curiosity on behalf of forum members to attempt to navigate to or, even worse, attempt to retaliate against this IP.  Both these situations could be bad because if the attacker has set up some form of malware hosted on the IP, it could easily infect those accessing the page.  This is not an uncommon technique to drive unsuspecting people to an infected host.  I can go on and on, but what I am saying is that I strongly suggest that you don't attempt to connect to the IP let alone PING it, port scan it, etc.  Alright, I'll take off the Information Security Evangelist hat and put back on my fisherman hat   :)

Sorry guys if it sounds like I am lecturing, I am really trying more to educate.  Sending you a PM Alan!
reefmonsta

Ron Jones

I wholeheartedly agree with everything ReefMonsta said. What I recommended is still my (and the Navy's) first step in reducing issues, but if we're dealing with something more than an idiot, things get harder fast. Good on you Alan, in a major way, for reviewing your logs and identifying the issue. Log reviews are the most uninteresting thing to do in the world, and probably the most important in terms of a computer system.

Ron
Ronald Jones
To those who have gone to sea and returned and to those who have gone to sea and will never return
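
Added example, not part of any post in this thread: a log review of the kind discussed above, counting failed logins in a sliding window per source IP and per target account, so that an attacker who changes IPs still shows up against the account. The log format, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not the forum's real log):
#   2012-10-23T22:40:01 LOGIN_FAIL user=admin ip=203.0.113.7
LINE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) ip=(\S+)$")

def find_bursts(lines, key, threshold=10, window=timedelta(seconds=60)):
    """Return {value: peak failures inside any sliding window} for every
    source IP (key='ip') or target account (key='user') whose failed
    logins reach `threshold` within `window`."""
    recent = defaultdict(deque)    # value -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "LOGIN_FAIL":
            continue               # skip successes and unparseable lines
        ts = datetime.fromisoformat(m.group(1))
        value = m.group(3) if key == "user" else m.group(4)
        q = recent[value]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[value] = max(flagged.get(value, 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: one address failing once a second, one source
    rotating addresses against a single account, and one ordinary user."""
    t0 = datetime(2012, 10, 23, 22, 40, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    out = []
    for i in range(30):            # single source, one attempt per second
        out.append(f"{stamp(i)} LOGIN_FAIL user=admin ip=203.0.113.7")
    for i in range(12):            # rotating sources, same account, every 4 s
        out.append(f"{stamp(100 + 4 * i)} LOGIN_FAIL user=moderator ip=198.51.100.{i + 1}")
    out.append(f"{stamp(200)} LOGIN_FAIL user=fisher1 ip=192.0.2.50")
    out.append(f"{stamp(215)} LOGIN_OK user=fisher1 ip=192.0.2.50")
    return out

if __name__ == "__main__":
    log = sample_log()
    print("by source IP:", find_bursts(log, "ip"))
    print("by account:  ", find_bursts(log, "user"))
```

The per-IP view catches only the single noisy address; the per-account view also catches the rotating-address attempts, which is where a per-account lockout or CAPTCHA helps and an IP block does not.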

Jerseymic

Very slow here in the UK again this morning.

alantani

thanks for the advice, guys.  and yeah, it's slow again......   >:(
send me an email at alantani@yahoo.com for questions!