> **** you Brasil!, You're BANNED!!!!
DaemonForce
post Sep 27 2007, 11:55 AM
Post #1


Advanced Member
***

Group: Members
Posts: 74
Joined: 29-August 07
From: SEA
Member No.: 10,328


United States


I'm a web server on a dialup connection. I don't promote my site, but I give some places some very subtle hints that I have one. It's mainly used by me for remote administration purposes. Lately, I've been receiving quite a number of attacks when I shouldn't even be targeted. It's been especially slow this past week when I've been trying to get very large files off of the Microsoft OEM site. Speeds have been crawling at .6KBs this whole time due to this garbage. I just read my IIS logs. Check it out.

#Date: 2007-09-17 04:44:04
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:44:04 70.85.39.82 [1]USER Administrator 331 0
04:46:44 70.85.39.82 [1]closed - 421 121
This same action repeated for a solid 15 minutes.

#Date: 2007-09-19 04:22:06
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
04:22:06 61.175.245.71 [4]USER Administrator 331 0
04:22:13 61.175.245.71 [4]PASS - 530 1327
04:22:24 61.175.245.71 [4]USER Administrator 331 0
04:22:25 61.175.245.71 [4]PASS - 530 1326
04:22:25 61.175.245.71 [4]USER Administrator 331 0
04:22:27 61.175.245.71 [4]PASS - 530 1326
04:22:27 61.175.245.71 [4]USER Administrator 331 0
04:22:39 61.175.245.71 [4]PASS - 530 1326
04:22:52 61.175.245.71 [4]USER Administrator 331 0
04:22:52 61.175.245.71 [4]PASS - 530 1326
04:22:54 61.175.245.71 [4]USER Administrator 331 0
04:22:54 61.175.245.71 [4]PASS - 530 1326........................
08:59:53 61.175.245.71 [4]USER Administrator 331 0
09:00:17 61.175.245.71 [4]PASS - 530 1326
09:00:33 61.175.245.71 [4]USER Administrator 331 0
09:00:33 61.175.245.71 [4]PASS - 530 1326
09:01:14 61.175.245.71 [4]USER Administrator 331 0
09:01:14 61.175.245.71 [4]PASS - 530 1326
09:01:48 61.175.245.71 [4]USER Administrator 331 0
09:02:38 61.175.245.71 [4]PASS - 530 1326
09:02:38 61.175.245.71 [4]USER Administrator 331 0
09:04:53 61.175.245.71 [4]closed - 421 121

No comment. :\




I opened my log from the 21st and it's been mysteriously zero'd at 0725. It's exactly 64KB in size, but the interaction log has been completely blanked out. There isn't even an IIS log marker stamp, it's just gone.



This one went on for a whole ****ing hour:
#Date: 2007-09-22 00:27:16
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
00:27:16 64.91.254.163 [1]USER administrator 331 0
00:27:18 64.91.254.163 [1]PASS - 530 1326
00:27:20 64.91.254.163 [1]USER administrator 331 0
00:27:22 64.91.254.163 [1]PASS - 530 1326
00:27:25 64.91.254.163 [1]USER administrator 331 0
00:27:27 64.91.254.163 [1]PASS - 530 1326
00:27:30 64.91.254.163 [1]USER administrator 331 0
00:27:33 64.91.254.163 [1]PASS - 530 1326
00:27:38 64.91.254.163 [1]USER administrator 331 0
00:27:41 64.91.254.163 [1]PASS - 530 1326........................

As if I'm not pissed enough, after shutting off my DNS router, I passworded my worker account. The 23rd approaches. I'm away that entire day doing an interview among other things. I look back at my log:


461KB




............



#Date: 2007-09-23 09:09:31
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
09:09:31 143.107.133.103 [2]USER abby 331 0
09:09:31 143.107.133.103 [2]PASS - 530 1326
09:09:31 143.107.133.103 [2]USER abby 331 0
09:09:32 143.107.133.103 [2]PASS - 530 1326
09:09:32 143.107.133.103 [2]USER abby 331 0
09:09:32 143.107.133.103 [2]PASS - 530 1326
09:09:32 143.107.133.103 [2]USER abigail 331 0
09:09:33 143.107.133.103 [2]PASS - 530 1326
09:09:33 143.107.133.103 [2]USER abigail 331 0
09:09:35 143.107.133.103 [2]PASS - 530 1326
09:09:35 143.107.133.103 [2]USER abigail 331 0
09:09:35 143.107.133.103 [2]PASS - 530 1326
09:09:35 143.107.133.103 [2]USER abraham 331 0
09:09:36 143.107.133.103 [2]PASS - 530 1326
09:09:36 143.107.133.103 [2]USER abraham 331 0
09:09:36 143.107.133.103 [2]PASS - 530 1326
09:09:36 143.107.133.103 [2]USER abraham 331 0
09:09:37 143.107.133.103 [2]PASS - 530 1326
09:09:37 143.107.133.103 [2]USER abuse 331 0
09:09:37 143.107.133.103 [2]PASS - 530 1326
09:09:37 143.107.133.103 [2]USER abuse 331 0
09:09:38 143.107.133.103 [2]PASS - 530 1326
09:09:38 143.107.133.103 [2]USER abuse 331 0
09:09:38 143.107.133.103 [2]PASS - 530 1326
09:09:38 143.107.133.103 [2]USER access 331 0
09:09:40 143.107.133.103 [2]PASS - 530 1326
09:09:40 143.107.133.103 [2]USER access 331 0
09:09:40 143.107.133.103 [2]PASS - 530 1326
09:09:40 143.107.133.103 [2]USER access 331 0
09:09:41 143.107.133.103 [2]PASS - 530 1326
09:09:41 143.107.133.103 [2]USER account 331 0
09:09:41 143.107.133.103 [2]PASS - 530 1326
09:09:41 143.107.133.103 [2]USER account 331 0
09:09:42 143.107.133.103 [2]PASS - 530 1326
09:09:42 143.107.133.103 [2]USER account 331 0
09:09:42 143.107.133.103 [2]PASS - 530 1326
09:09:42 143.107.133.103 [2]USER accounts 331 0
09:09:43 143.107.133.103 [2]PASS - 530 1326
09:09:43 143.107.133.103 [2]USER accounts 331 0
09:09:43 143.107.133.103 [2]PASS - 530 1326
09:09:43 143.107.133.103 [2]USER accounts 331 0
09:09:45 143.107.133.103 [2]PASS - 530 1326
09:09:45 143.107.133.103 [2]USER adam 331 0
09:09:45 143.107.133.103 [2]PASS - 530 1326
09:09:45 143.107.133.103 [2]USER adam 331 0
09:09:46 143.107.133.103 [2]PASS - 530 1326
09:09:46 143.107.133.103 [2]USER adam 331 0
09:09:46 143.107.133.103 [2]PASS - 530 1326
09:09:46 143.107.133.103 [2]USER adm 331 0
09:09:47 143.107.133.103 [2]PASS - 530 1326
09:09:47 143.107.133.103 [2]USER adm 331 0
09:09:47 143.107.133.103 [2]PASS - 530 1326
09:09:47 143.107.133.103 [2]USER adm 331 0
09:09:48 143.107.133.103 [2]PASS - 530 1326
09:09:48 143.107.133.103 [2]USER admin 331 0
09:09:48 143.107.133.103 [2]PASS - 530 1326
09:09:48 143.107.133.103 [2]USER admin 331 0
09:09:50 143.107.133.103 [2]PASS - 530 1326
09:09:50 143.107.133.103 [2]USER admin 331 0
09:09:50 143.107.133.103 [2]PASS - 530 1326
09:09:50 143.107.133.103 [2]USER admin2 331 0
09:09:51 143.107.133.103 [2]PASS - 530 1326
09:09:51 143.107.133.103 [2]USER admin2 331 0
09:09:51 143.107.133.103 [2]PASS - 530 1326
09:09:52 143.107.133.103 [2]USER admin2 331 0
09:09:52 143.107.133.103 [2]PASS - 530 1326
09:09:52 143.107.133.103 [2]USER adrian 331 0
09:09:53 143.107.133.103 [2]PASS - 530 1326
09:09:53 143.107.133.103 [2]USER adrian 331 0
09:09:53 143.107.133.103 [2]PASS - 530 1326
09:09:53 143.107.133.103 [2]USER adrian 331 0
09:09:54 143.107.133.103 [2]PASS - 530 1326
09:09:54 143.107.133.103 [2]USER aerial 331 0
09:09:54 143.107.133.103 [2]PASS - 530 1326
09:09:54 143.107.133.103 [2]USER aerial 331 0
09:09:56 143.107.133.103 [2]PASS - 530 1326
09:09:56 143.107.133.103 [2]USER aerial 331 0
09:09:56 143.107.133.103 [2]PASS - 530 1326
09:09:56 143.107.133.103 [2]USER agent 331 0
09:09:57 143.107.133.103 [2]PASS - 530 1326
09:09:57 143.107.133.103 [2]USER agent 331 0
09:09:57 143.107.133.103 [2]PASS - 530 1326
09:09:57 143.107.133.103 [2]USER agent 331 0
09:09:58 143.107.133.103 [2]PASS - 530 1326
09:09:58 143.107.133.103 [2]USER alan 331 0
09:09:58 143.107.133.103 [2]PASS - 530 1326
09:09:58 143.107.133.103 [2]USER alan 331 0
09:10:00 143.107.133.103 [2]PASS - 530 1326
09:10:00 143.107.133.103 [2]USER alan 331 0
09:10:00 143.107.133.103 [2]PASS - 530 1326
09:10:00 143.107.133.103 [2]USER albert 331 0
09:10:01 143.107.133.103 [2]PASS - 530 1326
09:10:01 143.107.133.103 [2]USER albert 331 0
09:10:01 143.107.133.103 [2]PASS - 530 1326
09:10:01 143.107.133.103 [2]USER albert 331 0
09:10:02 143.107.133.103 [2]PASS - 530 1326
09:10:02 143.107.133.103 [2]USER alberto 331 0
09:10:02 143.107.133.103 [2]PASS - 530 1326
09:10:02 143.107.133.103 [2]USER alberto 331 0
09:10:03 143.107.133.103 [2]PASS - 530 1326
09:10:03 143.107.133.103 [2]USER alberto 331 0
09:10:03 143.107.133.103 [2]PASS - 530 1326
09:10:03 143.107.133.103 [2]USER alec 331 0
09:10:05 143.107.133.103 [2]PASS - 530 1326
09:10:05 143.107.133.103 [2]USER alec 331 0
09:10:05 143.107.133.103 [2]PASS - 530 1326
09:10:05 143.107.133.103 [2]USER alec 331 0
09:10:07 143.107.133.103 [2]PASS - 530 1326..........................



Holy ****ing ****! Somebody is trying to brute-force my SQL Server!

*connection dies*

I reboot the server after applying a few hotfixes.


More ****.


This went on until...

14:43:48 218.249.108.182 [3]USER Administrator 331 0
14:43:49 218.249.108.182 [3]PASS - 530 1326
14:43:49 218.249.108.182 [3]USER Administrator 331 0
14:43:49 218.249.108.182 [3]PASS - 530 1326
14:43:51 218.249.108.182 [3]USER Administrator 331 0
14:43:51 218.249.108.182 [3]PASS - 530 1326
14:43:51 218.249.108.182 [3]USER Administrator 331 0
14:43:52 218.249.108.182 [3]PASS - 530 1326
14:43:52 218.249.108.182 [3]USER Administrator 331 0
14:43:52 218.249.108.182 [3]PASS - 530 1326

Then my connection died a second time.



Traced 143.107.133.103: Some ****ty site romeo.if.usp.br

Nuno or somebody with a T1 line that has nothing better to do, please DDoS that ****** until they're no longer in service.

Also.....

BANNED!

Mother****ers....



I know there are only four places on the web where my server link is posted. Google is not one of them. I know the majority of people marked with Brazil on sites I go to are here. If I catch anyone on here abusing my server, you're banned. Period. I'm done warning hundreds of people that can't read English. Also, I'm going to start working on an auto-ban application to take care of this.
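The detection step that an auto-ban tool like the one mentioned in post #1 would need, as an added example that is not part of the thread: it reads entries in the field layout shown in the post (FTP `USER`/`PASS` commands, where reply 530 is a failed login) and flags any client with too many failures inside a sliding window. The sample lines, IP addresses, thresholds and the name `find_bruteforce` are constructed for illustration, and treating the bracketed number as a per-connection id is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the post's field layout (documentation-range IPs).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
09:09:31 192.0.2.10 [2]USER abby 331 0
09:09:31 192.0.2.10 [2]PASS - 530 1326
09:09:32 192.0.2.10 [2]USER abigail 331 0
09:09:33 192.0.2.10 [2]PASS - 530 1326
09:09:35 192.0.2.10 [2]USER abraham 331 0
09:09:36 192.0.2.10 [2]PASS - 530 1326
09:09:37 192.0.2.10 [2]USER abuse 331 0
09:09:37 192.0.2.10 [2]PASS - 530 1326
09:10:00 198.51.100.7 [3]USER worker 331 0
09:10:02 198.51.100.7 [3]PASS - 530 1326
09:10:09 198.51.100.7 [3]USER worker 331 0
09:10:11 198.51.100.7 [3]PASS - 230 0
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\w+) (\S+) (\d{3}) \d+")

def find_bruteforce(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Flag IPs with more than max_failures failed PASS commands in one window."""
    pending_user = {}               # (ip, session) -> argument of last USER
    recent = defaultdict(deque)     # ip -> times of failures still in window
    tried = defaultdict(list)       # ip -> username behind each failed PASS
    flagged = set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:                   # '#' headers, blank or damaged lines
            continue
        ts, ip, session, cmd, arg, status = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")   # assumes one daily log file
        if cmd == "USER":
            pending_user[(ip, session)] = arg.lower()
        elif cmd == "PASS" and status == "530":  # FTP 530: not logged in
            tried[ip].append(pending_user.get((ip, session), "?"))
            recent[ip].append(t)
            while t - recent[ip][0] > window:    # expire old failures
                recent[ip].popleft()
            if len(recent[ip]) > max_failures:
                flagged.add(ip)
    return {ip: {"failures": len(tried[ip]), "users": sorted(set(tried[ip]))}
            for ip in sorted(flagged)}

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

The returned addresses are candidates for a firewall or FTP-service deny rule; the single mistyped password from the second client stays below the threshold and is not flagged.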
Nuno Brito
post Sep 27 2007, 12:58 PM
Post #2


Advanced Member
***

Group: .script developer
Posts: 4,213
Joined: 13-July 06
From: Azores
Member No.: 1


Portugal


I simply think you should just let them get bored and add a few extra digits on your password for safe keeping your database - if you try to strike back it will only become more fun on the other side and then it can extend for months, months, months..

If you need some temporary hosting then I can help you gladly but I really don't promote DDoS under any circumstance.

Why don't you contact the IT department on Brazil?

This seems some sport action from the local students and if the senior staff knows about this behavior they'll surely try to keep them behaved.

If English is not their strong then I can also help with translations or whatever needed.


btw: Our server here is not T1, it goes almost to OC12 speed serving around 3Tb worth of monthly data on a virtual private server located in California..
DaemonForce
post Sep 27 2007, 11:06 PM
Post #3




QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
I simply think you should just let them get bored and add a few extra digits on your password for safe keeping your database - if you try to strike back it will only become more fun on the other side and then it can extend for months, months, months..

It has been brought to my attention that through a WHOIS, I have been attacked by LACNIC.
QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
If you need some temporary hosting then I can help you gladly but I really don't promote DDoS under any circumstance.

I'm a private host. There's a reason.
QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
Why don't you contact the IT department on Brazil?

Because the main server is located in some Mexican city called Montevideo.
QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
This seems some sport action from the local students and if the senior staff knows about this behavior they'll surely try to keep them behaved.

Agreed.
QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
If English is not their strong then I can also help with translations or whatever needed.

Just five minutes...That's all I ask....
QUOTE(Nuno Brito @ Sep 27 2007, 12:58 PM) *
btw: Our server here is not T1, it goes almost to OC12 speed serving around 3Tb worth of monthly data on a virtual private server located in California..

Uh huh. And with all the consistent attacks this place is about as fast as ISDN.
MedEvil
post Sep 27 2007, 11:20 PM
Post #4


Advanced Member
***

Group: .script developer
Posts: 1,276
Joined: 29-December 06
Member No.: 2,192



QUOTE(DaemonForce @ Sep 28 2007, 01:06 AM) *
Uh huh. And with all the consistent attacks this place is about as fast as ISDN.

I think Nuno was talking about his workplace not Boot-Land.
DaemonForce
post Sep 28 2007, 03:24 AM
Post #5




Is there a difference?
thunn
post Sep 28 2007, 05:45 AM
Post #6


Advanced Member
***

Group: .script developer
Posts: 359
Joined: 27-July 06
From: Queens, New York
Member No.: 75


United States


They used to be the same, but I think he's been retired from active duty, so perhaps we've migrated... dunno for sure.

DaemonForce,

I wouldn't advocate a DDoS attack, but sometimes just the right message will do the trick.
Your friend(s) have certainly exposed themselves.

...
Nuno may remember this, a prisoner from an institution in the US was probing a small server I have at home. Eventually I decided to ping him for about just 2 min. with a small looping batch file, the data containing a particular text message, he decided to pick on someone else.
TheHive
post Sep 29 2007, 03:17 AM
Post #7


Advanced Member
***

Group: .script developer
Posts: 1,863
Joined: 14-July 06
Member No.: 5



QUOTE(thunn @ Sep 28 2007, 12:45 AM) *
Eventually I decided to ping him for about just 2 min. with a small looping batch file, the data containing a particular text message, he decided to pick on someone else.

(IMG:../forums/style_emoticons/default/roll1.gif)