March 2, 2007
Go Away, Russian Business Network!
Kindly cease and desist from hammering my server!
A remote misconfigured, malicious or compromised server is engaging in frequent and repeated attempts to access resources on my webserver. These access attempts are consistent with a spam bot or script attempting to compromise the server or site software.*
Based upon the raw logs, 756 attempts or more per day have been made by the following Russian Business Network IP addresses:
81.95.144.66
81.95.144.67
81.95.144.68
81.95.144.69
81.95.144.70
81.95.148.50
inetnum: 81.95.144.0 - 81.95.147.255
Russian Business Network Registry
Russian Business Network
12 Levashovskiy pr.
197110 Saint-Petersburg
Russia
***@rbnnetwork.com
The hosting company I've used for the past few years, 1&1, has been completely useless and has not made a single attempt to fix the problem. Repeated email messages to their clueless tech support staff have been responded to with nothing more than an automated reply or one that suggested I contact 1&1 UK's abuse department, which I did, and that ended up being ignored as well.
My friend Greg in Australia has been trying to help me sort this out, going so far as to compose a letter* only a technical support person would comprehend (though I did indeed 'get it') as well as putting together .htaccess code that might stop the repeated accesses (which, by the way, are all aimed at /mt/mt-tb.cgi/; mt = Movable Type, tb = trackback). Unfortunately our efforts have resulted in a dead end, and I'm posting this in the hope that maybe someone has a brilliant suggestion or three to help me fix this problem. Any ideas would be greatly appreciated.
Cindy
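As an added example (this is not code from the original post, from Greg, or from Movable Type), the shell script below does the two things the post describes doing by hand: it counts, per client IP, the requests aimed at the trackback script in Apache combined-format raw logs, and it turns the IPs over a threshold into an .htaccess fragment that refuses them access to mt-tb.cgi only, so the rest of the site stays reachable. It assumes Apache 2.2 access-control syntax (Order/Allow/Deny); the log lines are constructed samples using the 81.95.x.x addresses listed above plus a documentation address for an ordinary visitor, and the threshold of 2 is only for the demo (the post's real figure is 756 or more a day).

```shell
#!/bin/sh
# Added example, not part of the original post or Movable Type: count requests
# to the MT trackback script per client IP in Apache combined-format logs, then
# emit Apache 2.2 .htaccess "Deny from" lines for any IP at or over a threshold.

# Constructed sample log lines (not the blog's real logs). The 81.95.x.x
# addresses are the ones listed in the post; 192.0.2.10 is a documentation
# address standing in for an ordinary visitor.
SAMPLE_LOG='81.95.144.66 - - [02/Mar/2007:10:01:12 +0000] "POST /mt/mt-tb.cgi/123 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
81.95.144.66 - - [02/Mar/2007:10:01:15 +0000] "POST /mt/mt-tb.cgi/123 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
81.95.144.67 - - [02/Mar/2007:10:02:03 +0000] "POST /mt/mt-tb.cgi/124 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [02/Mar/2007:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
81.95.144.66 - - [02/Mar/2007:10:03:09 +0000] "POST /mt/mt-tb.cgi/125 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
81.95.144.67 - - [02/Mar/2007:10:03:44 +0000] "POST /mt/mt-tb.cgi/124 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
81.95.148.50 - - [02/Mar/2007:10:04:01 +0000] "POST /mt/mt-tb.cgi/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [02/Mar/2007:10:05:22 +0000] "GET /mt/mt-tb.cgi/123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# trackback_hits THRESHOLD
# Reads combined-format log lines on stdin. In that format the request line is
# the quoted field "METHOD path PROTO", so after whitespace splitting $1 is the
# client IP and $7 is the request path. Prints "count ip", busiest first, for
# every IP with THRESHOLD or more requests to mt-tb.cgi.
trackback_hits() {
    awk -v min="$1" '
        $7 ~ /mt-tb\.cgi/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# deny_rules
# Reads "count ip" lines on stdin and prints an Apache 2.2 .htaccess fragment
# that refuses those IPs access to the trackback script only, leaving the rest
# of the site reachable. With Order Allow,Deny a matching Deny wins over the
# blanket Allow. (Apache 2.4 would use "Require not ip" instead.)
deny_rules() {
    printf '<Files "mt-tb.cgi">\n    Order Allow,Deny\n    Allow from all\n'
    awk '{ printf "    Deny from %s\n", $2 }'
    printf '</Files>\n'
}

# Usage: against a real log, replace the printf with  cat access.log |
printf '%s\n' "$SAMPLE_LOG" | trackback_hits 2 | deny_rules
```

On the sample data only 81.95.144.66 (3 hits) and 81.95.144.67 (2 hits) cross the threshold, so the fragment gets two Deny lines. To block a whole range instead, as the inetnum above suggests, a single `Deny from 81.95.144.0/22` line covers 81.95.144.0 - 81.95.147.255; the per-IP version is shown because it is driven directly by what the logs record.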
Comments
We encounter a similar problem from time to time.
I think you've already done the first thing required: utilise the .htaccess file - this amazingly powerful little file is oft forgotten by many.
Secondly, you can try restricting access to anyone with an IP in the range, or host, within MT. Having not used MT for quite a long time now, I can't quite remember how to do it (helpful, huh?).
As for 1&1. Dear gawd almighty. I remember them well. They were my first hosts many moons ago and I think I ditched them after about 3 months. I see nothing has changed on the tech support front then?
Anyway, chin up! It's almost our birthday time again!
Brain matter deposited by: Piggy and Tazzy on March 2, 2007 4:05 PM
Hi P&T,
I've set up a .htaccess file to take care of the worst; however, it's not been enough (a missing parameter in one of the rules tends to make it less effective than I'd like -- this has been sorted now :) ).
Really, the only way to completely remove them is to either have the offending services at the Russian Business Network shut down or have the IPs / netblocks null routed at 1&1 (which they do not appear to be too keen on doing, or they are just ignoring the request).
Brain matter deposited by: Greg on March 3, 2007 8:31 PM
I too am having this problem - they are trying to access /cgi-bin/mt-tb.cgi, which is pathetic since I don't use Movable Type anymore ;) - about 1,000 or so hits a day. Thankfully cPanel allows me a convenient way to block a /24 with ease, and I have blocked the entire Russian Business Network. From the looks of it they are trying not to compromise the server but to insert trackback spam for the Google juice. Another way this is happening is through WordPress's comments.rss, according to a co-worker I just got off the phone with.
Unfortunately it seems that Akismet AntiSpam ate the comment you left on my blog the other day - it got caught up with 28 others and although I marked it Not Spam it seems to have disappeared when I told Akismet to get rid of the SPAM.
Brain matter deposited by: Doug Alder on March 5, 2007 11:30 PM