I don't have any questions in this post, just wanted to rant a little about a customer I caught on one of my servers attempting a DoS attack on another website. I can't really say it was a real DoS attack, but maybe a way for this guy to try to slow this other guy's site down and run his bandwidth up.
So here it goes. I notice the load of one of my servers starts going really high for a while. So I log in to the server and see a ton of httpd processes running. A lot more than normal. So I trace one of the processes and I see that it is coming from a script running on one of my reseller's accounts. This person had just bought one of my larger reseller packages and had been hosting with me for less than a month.
So I track down the script and it is just a simple PHP script with one loop in it. It basically looped 1000 times with the command to get a picture that was on this other guy's site. And I had literally hundreds and hundreds of httpd processes running this script over and over.
So I log in to the control panel for the first domain I found doing this. I look at his cron jobs, and he has about 50 cron jobs, each set to run every minute... running that script. So I kill all of his cron jobs, but still see a lot of processes running. I track them down to 7 domains, each calling this same script.
So I kill all the domains, and the server load is good again. However, I am still seeing a lot of processes coming from outside my server.
They were coming from two IP addresses that traced back to another web hosting company. I am pretty sure this person had cron jobs over on this guy's hosting company as well. I blocked his IP addresses and everything appeared to stop.
Since I traced the IP addresses to this other hosting company, I did a whois on them and e-mailed both their abuse and admin contacts. The hosting company was called ThePlanet.com. Anyone ever heard of them? Well, I never even received a response. What a joke. If someone was reported to me doing that on my server, I would at least look into it and give them a response.
At any rate, I was able to catch this guy doing this within about 15 minutes of it starting, so I am pretty happy about that.
I should have caught this order as a fraudulent order, but we have been a little backed up with site designs and such lately that I haven't had the resources to scrutinize all of our incoming orders.
This one was really obvious though. First they bought our largest reseller package and paid a year up front. No questions asked. That usually doesn't happen. Then the billing was from a lady in Miami. The domain name was registered through "Euro-dns" and the contact e-mail was "[email protected]". Pretty fishy and should have been caught right away.
Anyways, I thought it was a sneaky thing to do, and I wanted to post it here just in case anyone comes across the same thing.
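The pattern described above (dozens of per-minute cron jobs on one account all invoking the same script) is easy to spot automatically if you dump each account's crontab and count repeated every-minute commands. The script below is an added example, not something from the original post; the account names, paths and the crontab text are constructed sample data, and the threshold of 10 jobs is an assumed cut-off.

```python
"""Audit crontab dumps from a shared host for accounts that schedule the
same command to run every minute many times over, the pattern the post
describes (about 50 identical per-minute jobs per domain)."""
import re
from collections import Counter

# Five cron schedule fields followed by the command to run.
_CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def runs_every_minute(minute_field):
    """True when the minute field fires on every minute ("*" or "*/1")."""
    return minute_field in ("*", "*/1")


def audit_crontabs(crontabs, threshold=10):
    """crontabs maps account name -> crontab text (e.g. `crontab -l -u acct`).

    Returns {account: {command: count}} for every command that is scheduled
    to run every minute at least `threshold` times in that account."""
    flagged = {}
    for account, text in crontabs.items():
        per_minute = Counter()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments
            match = _CRON_RE.match(line)
            if not match:
                continue  # MAILTO=..., @hourly, or otherwise non-standard
            minute, _, _, _, _, command = match.groups()
            if runs_every_minute(minute):
                per_minute[command] += 1
        hits = {cmd: n for cmd, n in per_minute.items() if n >= threshold}
        if hits:
            flagged[account] = hits
    return flagged


# Constructed sample: one account with 50 identical per-minute jobs (as in
# the post) and one account with ordinary backup and monitoring jobs.
SAMPLE = {
    "abuser1": "\n".join(
        ["* * * * * /usr/bin/php /home/abuser1/public_html/fetch.php"] * 50),
    "normal": ("0 3 * * * /usr/bin/php /home/normal/backup.php\n"
               "*/5 * * * * /home/normal/check.sh\n"),
}

if __name__ == "__main__":
    for account, hits in audit_crontabs(SAMPLE).items():
        for cmd, n in hits.items():
            print(f"{account}: {n} per-minute jobs -> {cmd}")
```

On a live box you would build the `crontabs` dict by running `crontab -l -u <account>` for each account and feed the output in; flagged accounts are the ones to inspect before the load climbs.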
One of the many nice things I love about H-Sphere from http://www.psoft.net/ is the ability to use their SignUp guard fraud protector to enter in email addresses such as [email protected] to prevent automated provisioning.