December 27, 2004

Crapflood!

I'm being bombarded by a crapflooder. Any way to just turn off all commenting on posts over a couple weeks old? Some script or something?

This shit is really putting me off my oats.

Posted by Jim at December 27, 2004 08:53 PM
Comments
#1

Has Pixy upgraded you to MT 3? (I think that's the latest one) I know he had a post not too long ago about the upgrade enabling you to turn off old comments en masse.

I am getting tons of hits from a single IP address - but no spam! I tried banning the IP address to see if it stops, but I just did it about an hour ago - don't know if that will work. According to my Stat Counter I'm getting 300-400 hits a day from this IP! The funny thing is that Sitemeter doesn't register the hits at all - very weird. Well, I'll take the hits over the spam attack any time - but it must be using up Pixy's bandwidth!

The IP I'm seeing is from Comcast
67 - 173 - 130 - 77
Anyone else seeing this one?

Posted by Teresa at December 28, 2004 05:05 AM
#2

Yea, Theresa, I just had to ban that address using .htaccess for a couple of blogs I'm doing spam cleanup for.

The Blacklist is blocking every one of those hits you're getting - thankfully.

Pixy... looks like another candidate for some .htaccess lovin' at MuNu as the IP address hasn't changed in several days.

Posted by Light & Dark at December 28, 2004 08:20 AM
#3

Rats, sorry about that extra 'h' in there Teresa!

Posted by Light & Dark at December 28, 2004 08:20 AM
#4

Yeah, Pixy set me up with an MT3. I just don't have the time to actually get it up and running.

There were only another 15 when I got up this morning, on 3 posts. I locked those up too so maybe this attack is over.

Posted by Jim at December 28, 2004 10:16 AM
#5

Added that one to my list.

Yes, the best thing for this is to move to MT3. It doesn't cure it completely, but it makes it much easier to control.

Posted by Pixy Misa at December 28, 2004 01:44 PM
#6

I sent an email to Comcast - got an auto-reply so I don't know what they'll do about it. I gave them the offending address and told them what was happening. The only thing I didn't give them was my IP and port number. According to the email I received, this invalidates my request... I wonder if anyone there will take the initiative and investigate. Unfortunately I didn't get the email with "instructions" until AFTER I sent in the report. It's nearly impossible to find an email address to report this stuff. But for further reference, if you are being hit by a Comcast addy, send an email to

abuse@comcast.net

Supposedly required info for this type of attack:

2. Include all logs or information relevant to the incident, ensure the logs you're submitting contain:
a. Date of incident
b. Time of incident and time zone
c. Source Internet protocol (IP) address or host name
d. Destination IP address or host name
e. Destination port

My email told them that the attack had been going on for the last 4 days straight (time and time zone seem pretty irrelevant in that case!) and the offending IP address - that "should" be enough for them to look into it. But it doesn't specifically meet all their requirements - so they might just dump it. I don't have "log" files per se - I have the records from Stat Counter. And I suppose I could ping my site to give them my IP and tell them the port number is 80... ARG! Makes me want to tear my hair out.

Posted by Teresa at December 28, 2004 08:23 PM
#7

Oh yeah - I forgot to add - they tell me that they take these things very seriously... just thought I should throw that out there.

Posted by Teresa at December 28, 2004 08:24 PM
#8

Heh. I'm a Comcast customer so that treatment comes as absolutely no surprise to me.

Posted by Jim at December 28, 2004 08:40 PM
#9

I hate these weasels. They're worse than spammers. GRRRR!!!

Posted by Pixy Misa at December 29, 2004 12:26 AM
#10

Teresa;
I'm sure Pixy could give you snippets of server logs if you wanted to continue to try to nail this assmunch.

Question for Pixy:

Are you seeing any weird 'attacks' on non-existent php files in the public_html directory on your server? Specifically d.php and s.php? I'm helping Velociman with spam issues and noticed massive hits to these never-existed files, (hundreds per hour) including a bunch from the same IP address that's been hitting Teresa.

Any ideas?

P.

Posted by Light & Dark at December 29, 2004 12:42 AM
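
An added example, not part of the original thread: one way to pull the fields listed in comment #6 (date, time and time zone, source IP, destination host, destination port) out of Apache access-log snippets like those mentioned in comment #10, and to count requests for missing files such as d.php and s.php. The log lines, the documentation-range IP addresses, the host name `blog.example.org` and the function name `abuse_report` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.77 - - [27/Dec/2004:20:41:02 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Dec/2004:20:45:10 -0500] "GET /index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.77 - - [28/Dec/2004:03:12:44 -0500] "GET /d.php HTTP/1.1" 404 209 "-" "-"
192.0.2.77 - - [28/Dec/2004:03:12:45 -0500] "GET /s.php HTTP/1.1" 404 209 "-" "-"
this line is malformed and must be skipped
192.0.2.77 - - [28/Dec/2004:19:58:30 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# source, timestamp with zone offset, method, path and status of one request
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def abuse_report(log_text, source_ip, dest_host, dest_port=80):
    """Collect the fields an abuse desk asks for, for one source address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != source_ip:
            continue  # unparseable line, or traffic from someone else
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((when, m.group("method"), m.group("path"), m.group("status")))
    if not hits:
        return None
    hits.sort(key=lambda h: h[0])
    return {
        "source_ip": source_ip,
        "destination_host": dest_host,
        "destination_port": dest_port,
        "first_seen": hits[0][0].isoformat(),   # date, time and zone offset
        "last_seen": hits[-1][0].isoformat(),
        "request_count": len(hits),
        "missing_paths": Counter(p for _, _, p, s in hits if s == "404"),
        "evidence": [f"{w.isoformat()} {m} {p} -> {s}" for w, m, p, s in hits],
    }

if __name__ == "__main__":
    report = abuse_report(SAMPLE_LOG, "192.0.2.77", "blog.example.org")
    for key, value in report.items():
        print(f"{key}: {value}")
```
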
#11

There have been a bunch of new attacks on PHP (and phpBB in particular) in the past couple of weeks. I ran around patching everything in sight so we should be safe, but that doesn't stop them trying.

Now, how the heck do I set up a global deny rule in Apache? Everything I've tried makes the server barf. .htaccess works, but it's per-directory of course.

Posted by Pixy Misa at December 29, 2004 01:11 AM
#12

Since removing direct comment submission (you have to preview before posting a comment now) I haven't been crapped on.

[Cross fingers]

Posted by Jim at December 29, 2004 02:13 AM
#13

"Are you seeing any weird 'attacks' on non-existent php files in the public_html directory on your server? Specifically d.php and s.php?"

Paul, you might be seeing the Santy worm in its effort to infect public sites. It's a php specific worm, although I haven't had time to pay attention to the particulars of the thing. Since blogs are "public" the worm will likely try to infect them - but if you aren't running a blog with php the only problem is the annoyance of the hits.

Pixy - if you want me to send in any other requests with more particular information about the current attack to Comcast, let me know. Perhaps we can draft an email and all of us can send in a copy... Just a thought.

Posted by Teresa at December 29, 2004 03:47 AM
#14

Is this why I can't get your site to load at all? It cannot find server, baby!

Posted by Helen at December 29, 2004 09:18 AM
#15

Contacting Comcrap does nothing. I tried it when I got my first crapflood, and got the usual form letter back. I heard nothing else from 'em.

Their customer-no-service (to coin a Clark Howard phrase) is notorious; it's one of the reasons that I'm on DSL and have a satellite dish today.

Posted by mhking at December 29, 2004 02:02 PM