© 2003-2006 David Moles

Chrononautic Log


Someone needs to have their ass kicked (updated)

1 o'clock, December 15, 2004

I’ve just spent half [Updated] an hour dealing with a denial of service attack in the form of comment spam. MT-Blacklist to no avail. Brought the server to a complete stop; luckily Rob was home for lunch and was able to flip the big red switch, but as soon as it came up again — bam, same thing. Managed to stop the web server; problem went away. Log messages are full of:

[Wed Dec 15 12:14:09 2004] [error] [client 66.119.33.153] Premature end of script headers: mt-comments.cgi

from four IP addresses: 66.119.33.153-156. Those, in turn, resolve to proxyche01-04.ia3.marketscore.com, said domain being allegedly based on Sunset Hills Road in Reston, VA. I’m not going to link to or even describe their web site, except to say that it’s professionally designed and looks like it might be supporting three or four different kinds of scam.

And they definitely need to have their asses kicked.
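An added example, not part of the original post: a small Python tally of the "Premature end of script headers" telltale per client and script, flagging any client that trips it repeatedly inside a short window. The function names, the threshold of 3 and the 60-second window are assumptions of this example, and all but the first sample log line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Apache error_log line format quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"Premature end of script headers: (?P<script>\S+)$"
)

# First line is quoted in the post; the others are constructed (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
[Wed Dec 15 12:14:09 2004] [error] [client 66.119.33.153] Premature end of script headers: mt-comments.cgi
[Wed Dec 15 12:14:11 2004] [error] [client 66.119.33.153] Premature end of script headers: mt-comments.cgi
[Wed Dec 15 12:14:30 2004] [error] [client 66.119.33.153] Premature end of script headers: mt-comments.cgi
[Wed Dec 15 12:14:12 2004] [error] [client 192.0.2.10] Premature end of script headers: mt-comments.cgi
[Wed Dec 15 12:20:00 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Wed Dec 15 12:30:00 2004] [error] [client 66.119.33.154] Premature end of script headers: mt-comments.cgi
""".splitlines()

def parse(line):
    """Return (timestamp, client_ip, script), or None for unrelated or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return ts, m["ip"], m["script"]

def noisy_clients(lines, threshold=3, window_s=60):
    """Map (ip, script) to its peak failure count within any window_s-second span (assumed limits)."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[1:]].append(rec[0])
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward past stale entries
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(noisy_clients(SAMPLE_LOG))
```
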

Comments

Not only was I home for lunch, but I have Jared's car today; otherwise it's a 45-minute round trip to go home, and the big red switch would have waited until dinnertime. :) Fortuitous timing, at least.

—— aphrael, 2:04 PM, Wednesday, December 15, 2004

I was actually able to type (vvveeeerrrrry sllllowwwwly and blindly) in my ssh sessions even when the machine was nearly locked -- something like "^C ^C su -root ^M [password] ^M service httpd stop" seemed to do the trick after ten or fifteen minutes. :) Still, not ideal.

Too bad there's no really simple, cheap way to get chrononaut and discontent to each watch the other for problems....

—— David Moles, 2:09 PM, Wednesday, December 15, 2004

You must have had an old ssh session open, then. I couldn't *establish* such a connection .... ten minutes would pass without getting any reaction at all. Ergk.

—— aphrael, 2:15 PM, Wednesday, December 15, 2004

After the first time I was careful, and made sure I had a couple of connections open before restarting the web server. :)

—— David Moles, 2:36 PM, Wednesday, December 15, 2004

Have you considered Brad T's approach to comment spam?

http://ideas.4brad.com/

—— boh, 4:22 PM, Wednesday, December 15, 2004

Hah. That's kind of clever.

Though I suspect just renaming the script will stop most of those.

—— David Moles, 4:33 PM, Wednesday, December 15, 2004

David, I'm sorry to hear about your computer troubles (because when mine isn't working my life is miserable--take my TV but leave me my computer.) But mostly I wanted to tell you how beautiful your journal is. I love the graphic design.

—— Maureen McHugh, 5:04 AM, Thursday, December 16, 2004

Thanks, Maureen!

Steph, some have evolved and some haven't. The ones that were hitting me yesterday, and several of their cousins, haven't. I haven't had one of those "premature end of script headers" telltales at the new URL yet, while they're still gamely trying to hit mt-comments.cgi.

And since I run my own server, I don't have to worry about the 2 AM knock on the door. :)

—— David Moles, 9:58 AM, Thursday, December 16, 2004

Yes. The worst thing that happens - if one of the machines gets infected - is that our ISP turns off connectivity. Which has already happened once, and was REALLY F***ING ANNOYING, but easy enough to fix.

—— aphrael, 3:43 PM, Thursday, December 16, 2004

Yes, it's been a while hasn't it? Hope you're doing well.

P.S. Have you checked your Jabber account recently? :-)

—— boh, 7:15 PM, Thursday, December 16, 2004

Not for months. :( I just don't have a synchronous digital communication lifestyle.

—— David Moles, 9:17 AM, Friday, December 17, 2004