
08-10-2006, 01:57 PM
|
|
Junior Guru
|
|
Join Date: May 2006
Posts: 232
|
|
Does anyone know about this company? Are they a pain to deal with as a server administrator?
On May 5th, one of my client's sites was compromised with an eBay phishing scam. I disabled the site within minutes of the page's discovery and took the necessary security measures, yet to this day (and despite three emails to the company requesting that they stop), two internetidentity.com hosts have been probing the server for the same page, possibly thinking we haven't put any security measures in place to prevent this kind of activity from recurring (seriously now... three months on a clean slate and they are still trying to find a way to make themselves marketable/profitable?)
What bothers me is that they are still probing my server for a website that was disabled over 3 months ago and have ignored my requests to stop. I've blocked the offending IP addresses, but it looks like they change every so often.
Does anyone have any suggestions on how to deal with this company?
|

08-10-2006, 03:17 PM
|
|
Stairway To Hosting
|
|
Join Date: Mar 2003
Location: Canada
Posts: 7,936
|
|
Are they all different netblocks?
__________________
SYN Hosting - Affordable, Reliable & Secure Web Hosting - Proudly In Business Since 2006!
Host Unlimited Websites -/ - cPanel -/ - Softaculous -/ - CloudFlare -/ - SSH Access -/ - 24/7 Tech Support
http://www.synhosting.com - Need a Canadian budget managed dedicated server? Click here for details.
|

08-10-2006, 03:32 PM
|
|
Junior Guru
|
|
Join Date: May 2006
Posts: 232
|
|
Actually, the two I blocked this morning are on 209.147.*.*.
Unfortunately, I do not recall what the previous IP addresses were.
|

08-10-2006, 03:36 PM
|
|
Stairway To Hosting
|
|
Join Date: Mar 2003
Location: Canada
Posts: 7,936
|
|
Well, their IP block belongs to "Optic Fusion".
http://ws.arin.net/whois/?queryinput=209.147.112.0
You "could" filter their IP addresses if you think it's worth it, but that could potentially block people unrelated to the company...
|

08-10-2006, 03:37 PM
|
|
Junior Guru
|
|
Join Date: May 2006
Posts: 232
|
|
Yup -- maybe I will report these attempts to the NOC there. While I'm at it, I'll just discourage against using this service.
|

08-10-2006, 03:38 PM
|
|
Stairway To Hosting
|
|
Join Date: Mar 2003
Location: Canada
Posts: 7,936
|
|
Well, when you say they are "probing" the server... are they just connecting to the webserver trying to request the page in question or are they doing a port scan, etc?
|

08-10-2006, 03:59 PM
|
|
Junior Guru
|
|
Join Date: May 2006
Posts: 232
|
|
Sorry that wasn't clear. They are consistently, every few minutes, trying to access this site that was taken down 3 months ago. I placed a mod_security rule to catch when users would try to access this page so all these attempts have been logged in audit_log for easier parsing (since we have plenty of other websites to monitor).
They aren't performing portscans. However, they seem to be forging their browser identification strings -- the same host uses over 40 different "browsers," some of which appear below from the access_logs:
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"
"LG/U8138/v1.0"
"Amiga-AWeb/3.4.167SE"
"Mozilla/2.0 (compatible; MSIE 2.1; Mac_PowerPC)"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.19 [jp]"
"Mozilla/2.0 (compatible; AOL 3.0; Mac_PowerPC)"
"Mozilla/3.0 (X11; I; OSF1 V4.0 alpha)"
"Cyberdog/2.0 (Macintosh; 68k)"
"Mozilla/5.0 (compatible; Fedora Core 5) FC5 KDE"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1"
"Mozilla/3.0 (Win16; I)"
"Mozilla/2.02Gold (Win95; I)"
"Aladin/3.324"
"Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"
"Ace Explorer"
"Aplix_SEGASATURN_browser/1.x (Japanese)"
"Aplix_SANYO_browser/1.x (Japanese)"
This is all from the same host, and then the list cycles again.
My last email to them to request that they cease this activity was over a month ago. They haven't listened. That is what is most frustrating.
|
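Added example, not part of the original posts: a way to pull the pattern described above (one host cycling through many browser strings against a single removed page) out of an Apache combined-format access log, with the request count and first/last timestamps a NOC abuse report would need. The log lines, the documentation-range IP addresses and the path /removed-page.html are constructed for illustration; only the User-Agent strings are taken from the list above.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample input (hypothetical path, documentation IP ranges).
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Aug/2006:09:00:01 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "LG/U8138/v1.0"
192.0.2.10 - - [10/Aug/2006:09:04:12 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "Amiga-AWeb/3.4.167SE"
198.51.100.7 - - [10/Aug/2006:09:05:30 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "Mozilla/3.0 (Win16; I)"
192.0.2.10 - - [10/Aug/2006:09:08:40 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "Cyberdog/2.0 (Macintosh; 68k)"
192.0.2.10 - - [10/Aug/2006:09:10:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Aladin/3.324"
truncated line without quotes
192.0.2.10 - - [10/Aug/2006:09:12:55 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "LG/U8138/v1.0"
198.51.100.7 - - [10/Aug/2006:09:20:00 -0400] "GET /removed-page.html HTTP/1.1" 403 211 "-" "Mozilla/3.0 (Win16; I)"
'''


def summarize_rotation(log_text, watched_path, min_agents=3):
    """Per host: hits on watched_path, distinct User-Agents, first/last time.

    Only hosts with at least min_agents distinct User-Agent strings are
    returned. Lines are assumed to be in chronological order, as in a
    normal access log; unparseable lines are skipped.
    """
    hits = defaultdict(
        lambda: {"requests": 0, "agents": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Ignore the query string when comparing against the watched page.
        if not m or m.group("path").split("?", 1)[0] != watched_path:
            continue
        rec = hits[m.group("host")]
        rec["requests"] += 1
        rec["agents"].add(m.group("ua"))
        rec["first"] = rec["first"] or m.group("time")
        rec["last"] = m.group("time")
    return {
        host: {**rec, "agents": sorted(rec["agents"])}
        for host, rec in hits.items()
        if len(rec["agents"]) >= min_agents
    }


if __name__ == "__main__":
    for host, rec in summarize_rotation(SAMPLE_LOG, "/removed-page.html").items():
        print(host, rec["requests"], "requests,", len(rec["agents"]), "agents,",
              rec["first"], "to", rec["last"])
```

Keying the summary on the source host and the requested page, rather than on the User-Agent, keeps the report stable when the client rotates its browser string or moves to another address in the same netblock.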

08-10-2006, 04:05 PM
|
|
Stairway To Hosting
|
|
Join Date: Mar 2003
Location: Canada
Posts: 7,936
|
|
You could try sending an email to noc@opticfusion.net and provide the FULL logs along with a brief summary of the problem.
Don't expect much (if anything) to happen, but it's worth a shot.
|

08-10-2006, 04:09 PM
|
|
Junior Guru
|
|
Join Date: May 2006
Posts: 232
|
|
Yep - that's my intention. These guys boast that they have an immediate response time to these problems but yet cannot cancel accessing a single website. I hope someone Googles this and thinks twice before considering their services.
Thanks, Pat.
|