
A note about you, computer security and safety


Betsy
11-10-04, 01:52 AM
This afternoon we got a message relating to these forums from the company where we host our site.

It was asking if we had installed any custom modules into the forums (there haven't been) because a rogue spider got caught up in one particular area of the forums :smash:

It caused an incredible server load and while I haven't downloaded the stats for the day yet (I don't do real time monitoring and they don't get published for about another hour or so) I am fearful of what I will find in there. This is an image of what the server load underwent during this time:

http://bodieslikeours.org/spike.png

To give you a quick idea of what the picture means, there are probably 200 sites on that server and normal traffic can be seen on either side. That spike was from this forum and that particular IP address alone.

I did look quickly at the raw logs as well as the overload log which was generated during the incident (the first time blo has ever generated an overload log in the almost three years we have been online). Something really bad was going on. One bright spot is it's nice to see so many folks are using Mozilla (there's a new version out today that I'm going to download shortly). I usually don't do a browser check, but the overload log included it. One other note: our log files are usually about 300 KB for an average day. Tuesday they were 3.1 MB.

I was about to add the IP in question to our IP banning script (I ban certain ill-behaved bots and those that are known spam harvesting bots). A bot is basically a little program hosted by those scanning websites for emails for spammers, those that scan for other reasons, and most importantly those that scan the web for search engines, like Googlebot. Ironically, I had kept all bots out of the forums until recently, but implemented the built-in vB archive that is good for search engine rankings and allowed all but the bad ones back in, directed to the archives. You can actually see the archives by clicking on the archive link at the bottom of the pages. But I digress...

As I was about to ban the IP, I decided just out of curiosity to see who it belonged to and discovered that I know the location. A bit more investigation revealed that this person was here around that time.

While writing this, I just got an email back from our host saying that the IP came perilously close to being firewalled by them today, which would have been extremely baffling to fix; when I received the email from this person asking why access was being denied, I would have been totally baffled. In a nutshell, it could have been a real disaster. It could have also gotten us flagged for a TOS violation, which could cause us to have to find a new host. If we can't play well in the sandbox we need to leave, or we need to make the offending issue go away.

I suspect the machine this person is using may have been compromised (I don't know that for sure, but it is my gut feeling here, because something serious was going on) and have sent an email to the person to let them know. I wanted to share it here as well, as a warning to others.

My request is that you keep your anti-virus files up to date. There's a new nasty one going around out there spreading via links in email. Firewalls and AV are really two things you can't live without these days. For AV, I recommend Computer Associates EZ Antivirus, as it updates silently and automagically. For a firewall, I recommend Zone Alarm, which you can download for free. To check your machine for trojans and other bad things, Ad-aware and Spybot are both good options that are free. I use both. We have a hardware firewall in place for Bodies because there are other important things to keep safe as well, and it's pretty darn impossible to get through the encryption I am behind. Even so, I check those logs frequently and have some internal stuff set to alert me if something bad is going on. At the very least, if you are using Windows, update it and make sure you have the built-in firewall enabled; it's better than nothing.

If your machine is compromised and your IP becomes firewalled at the server level, there's not a lot I'll be able to do to get that undone. This is an unfortunate fact of life on today's internet. If we were on a dedicated server, this wouldn't be an issue, but dedicated servers are not an option we can afford.

Thanks for listening.

Betsy
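The check the post describes (read the raw access log, find the single IP behind the load spike, note the browser string the overload log showed, and hand the address to an IP ban), written out as an added Python example. This is not Betsy's banning script or anything from the host; the log lines, IP addresses, user-agent strings and thresholds are constructed for illustration, and the ban rule assumes the `Deny from` syntax of Apache-era `.htaccess` files.

```python
"""Find a runaway client in an Apache combined-format access log and emit a
ban rule for it.  Added example with constructed data, not the site's code."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" log format:
#   ip - - [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_runaways(lines, ratio=10, min_hits=20):
    """Return clients whose request count is at least `min_hits` and more than
    `ratio` times the median count of every other client, worst first.
    Each entry carries the peak requests-per-minute and the user agents seen,
    which is what distinguishes a spider stuck in a loop from a busy human."""
    hits = Counter()
    per_minute = defaultdict(Counter)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip = rec["ip"]
        hits[ip] += 1
        per_minute[ip][rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        agents[ip].add(rec["ua"])

    offenders = []
    for ip, count in hits.items():
        others = [c for other, c in hits.items() if other != ip]
        baseline = median(others) if others else 0  # lone client: fall back to min_hits
        if count >= min_hits and count > ratio * baseline:
            offenders.append({
                "ip": ip,
                "hits": count,
                "peak_per_minute": max(per_minute[ip].values()),
                "user_agents": sorted(agents[ip]),
            })
    return sorted(offenders, key=lambda o: o["hits"], reverse=True)


def htaccess_deny(ip):
    """Ban rule in the Apache 2.0/2.2 mod_access style (assumption: the site
    uses an `Order allow,deny` block in .htaccess)."""
    return f"Deny from {ip}"


def make_sample_log():
    """Constructed sample: three ordinary visitors plus one client hammering
    the forum archive.  Not real traffic from the site in the post."""
    tmpl = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "{ua}"'
    firefox = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.5) Gecko/20041107 Firefox/1.0"
    msie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    lines = [
        tmpl.format(ip="203.0.113.5", ts="09/Nov/2004:14:02:11 -0500", path="/forums/index.php", size=5120, ua=firefox),
        tmpl.format(ip="203.0.113.5", ts="09/Nov/2004:14:02:40 -0500", path="/forums/showthread.php?t=12", size=9870, ua=firefox),
        tmpl.format(ip="203.0.113.9", ts="09/Nov/2004:14:03:05 -0500", path="/forums/index.php", size=5120, ua=msie),
        tmpl.format(ip="192.0.2.44", ts="09/Nov/2004:14:03:15 -0500", path="/forums/archive/index.php", size=4001, ua=firefox),
        tmpl.format(ip="192.0.2.44", ts="09/Nov/2004:14:03:50 -0500", path="/forums/archive/index.php/t-12.html", size=7300, ua=firefox),
        tmpl.format(ip="192.0.2.44", ts="09/Nov/2004:14:04:20 -0500", path="/forums/archive/index.php/t-13.html", size=7100, ua=firefox),
        "garbage line that should be skipped",
    ]
    # 40 requests from one address: 30 in minute 14:03, 10 in minute 14:04.
    for i in range(40):
        lines.append(tmpl.format(
            ip="198.51.100.77",
            ts=f"09/Nov/2004:14:0{3 + i // 30}:{i % 60:02d} -0500",
            path=f"/forums/archive/index.php/t-{i}.html",
            size=7000,
            ua=msie,
        ))
    return lines


if __name__ == "__main__":
    for o in find_runaways(make_sample_log()):
        print(f"{o['ip']}: {o['hits']} hits, peak {o['peak_per_minute']}/min, "
              f"agents {o['user_agents']}")
        print("  ban rule:", htaccess_deny(o["ip"]))
```

Run it over a real day's log with `find_runaways(open("access_log").readlines())`; the median-of-others baseline keeps a genuinely busy day (many visitors, each with a few hits) from tripping the check, while one address with thirty hits a minute stands out regardless of how quiet the rest of the server is. The user-agent set is worth reading before banning: a browser string from a known person, as in the post, points at a compromised or misbehaving machine rather than a crawler, and the fix is an email, not a permanent firewall entry.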