
Getting banned by VPS

Hi,

I've been getting a lot of spam warnings from my VPS provider and I'm not sure if it's from GSA, but this is the only software currently running on my VPS. Can you please help and view the log below:

Greetings,

Please read the forwarded email for a log snippet of an attack coming from
your network against our website, soldierx.com.  Please let us know as soon
as possible what you can do about these attacks.  You can reach one of our
technicians, Shawn Burrell, at 817-287-8705.

We can provide detailed logs if needed.

Failure to reply may result in legal action as these attacks have been
disrupting our business.  At this point in time, we are trying to work with
companies in order to get them to cease.

Respectfully,

David Caudill
Network Security and Operations, soldierx.com

---------- Forwarded message ----------
From: Fail2Ban <fail2ban@shinra.soldierx.com>
Date: Sun, Sep 29, 2013 at 1:17 AM
Subject: [Fail2Ban] apache-bots: banned 176.9.221.94
To: caudilldk@gmail.com


Hi,

The IP XX.XX.XX.XX has just been banned by Fail2Ban after
1 attempts against apache-bots.

Comments

  • cherub (SERnuke.com)
    Are you using private proxies everywhere?
  • Sven (www.GSA-Online.de)
    Hmm I don't see any logs from this. Can you ask them for details?
  • Hi cherub,

    I'm using the harvested proxies from GSA; I'm using them for my tier 2 and tier 3 though.
  • cherub (SERnuke.com)
    The harvested proxies (public proxies) could easily be leaking your IP. As they are public, they are very unreliable, and offer you no guarantee of security or anonymity. You'd be better off with some semi-dedicated/dedicated proxies, then any problems you have with them you can take up with the proxy providers.
  • These are the rest of the logs sent from them:


    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: this output has been filtered.
    %       To receive output for a database update, use the "-B" flag.

    % Information related to 'XX.XX.XX.XX - 176.9.221.95'

    % Abuse contact for 'XX.XX.XX.XX - 176.9.221.95' is 'abuse@hetzner.de'

    inetnum:        176.9.221.XX - 176.9.221.XX
    netname:        CH-HOSTING
    descr:          ch hosting
    country:        DE
    admin-c:        JA2982-RIPE
    tech-c:         JA2982-RIPE
    status:         ASSIGNED PA
    mnt-by:         HOS-GUN
    source:         RIPE # Filtered

    person:         Jeff AY
    address:        ch hosting
    address:        Jln BK
    address:        47100 Puc
    address:        MALAYSIA
    phone:          +60163336388
    nic-hdl:        JA2982-RIPE
    abuse-mailbox:  abuse@chhost.net
    mnt-by:         HOS-GUN
    source:         RIPE # Filtered

    % Information related to '176.9.0.0/16AS24940'

    route:          176.9.0.0/16
    descr:          HETZNER-RZ-FKS-BLK4
    origin:         AS24940
    org:            ORG-HOA1-RIPE
    mnt-by:         HOS-GUN
    source:         RIPE # Filtered

    organisation:   ORG-HOA1-RIPE
    org-name:       Hetzner Online AG
    org-type:       LIR
    address:        Hetzner Online AG
    address:        Attn. Martin Hetzner
    address:        Stuttgarter Str. 1
    address:        91710
    address:        Gunzenhausen
    address:        GERMANY
    phone:          +49 9831 610061
    fax-no:         +49 9831 610062
    admin-c:        TF2013-RIPE
    admin-c:        MF1400-RIPE
    admin-c:        GM834-RIPE
    admin-c:        HOAC1-RIPE
    admin-c:        MH375-RIPE
    admin-c:        SK8441-RIPE
    admin-c:        SK2374-RIPE
    mnt-ref:        HOS-GUN
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    abuse-c:        HOAC1-RIPE
    source:         RIPE # Filtered

    % This query was served by the RIPE Database Query Service version 1.69 (WHOIS4)


    Lines containing IP:XX.XX.XX.XX in /var/log/apache*/*access.log

    /var/log/apache2/soldierx-access.log:XX.XX.XX.XX - - [29/Sep/2013:01:17:26 -0400] "GET /bbs/201307/Kann-ich-DDoS-haben-5957176 HTTP/1.1" 302 546 "http://www.soldierx.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
    /var/log/apache2/soldierx-access.log:XX.XX.XX.XX - - [29/Sep/2013:01:17:28 -0400] "GET /bbs/201307/Kann-ich-DDoS-haben-5957176 HTTP/1.1" 200 10983 "http://www.soldierx.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
    /var/log/apache2/soldierx-access.log:XX.XX.XX.XX - - [29/Sep/2013:01:17:31 -0400] "GET /?q=node/add HTTP/1.1" 301 5289 "https://www.soldierx.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
    /var/log/apache2/soldierx-access.log:XX.XX.XX.XX - - [29/Sep/2013:01:17:33 -0400] "GET /node/add HTTP/1.1" 403 3140 "https://www.soldierx.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25"
  • Lol.. now I'm too scared to let it run, as I have been warned about this twice.. Is there any setting to stop GSA from running if the proxies are not available / blocked? I don't want it to run using my local IP.
  • cherub (SERnuke.com)
    You can enable 'Automatically disable public/private proxies when detected to be down on use' and 'Remove non anonymous proxies' in the proxy options screen, and then also 'Stop projects on no active proxies' in the main settings screen, but as long as you rely on public proxies you'll always run the risk of your IP being known. Buying a set of 10 semi-dedicated proxies to start off with is your best bet.
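The 'Remove non anonymous proxies' option above rests on a distinction worth seeing in concrete terms: a "transparent" proxy forwards your real address in a header such as X-Forwarded-For, an "anonymous" one hides it but still announces itself via Via or similar, and an "elite" one adds nothing. The following is an added example, not code from the thread or from GSA, showing the judge side of that check, i.e. what a test endpoint sees when you request it through each proxy and how it classifies the proxy from the headers and the TCP peer address. The header lists, the four-level scheme, the probe results and all addresses (documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
import re

# Headers a forwarding proxy commonly adds. The first group can carry the
# client's real address; the second only betrays that a proxy is in the path.
IP_CARRYING = ("x-forwarded-for", "x-real-ip", "x-client-ip", "client-ip",
               "x-originating-ip", "true-client-ip", "forwarded")
PROXY_MARKERS = ("via", "proxy-connection", "x-proxy-id", "forwarded")

def _ips_in(value):
    """Pull every IP literal out of a header value: comma lists, the RFC 7239
    for=/by= form, quoted values, bracketed IPv6 and IPv4 with a :port suffix."""
    found = []
    for token in re.split(r"[,; ]+", value):
        if "=" in token:
            token = token.split("=", 1)[1]       # for="[2001:db8::9]" -> "[2001:db8::9]"
        token = token.strip().strip('"')
        if token.startswith("[") and "]" in token:
            token = token[1:token.index("]")]    # bracketed IPv6, drop any port
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$", token)
        if m:
            token = m.group(1)                   # IPv4 with optional port
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue                             # "unknown", "http", hostnames...
    return found

def classify_proxy(request_headers, peer_ip, real_client_ip):
    """Judge-side verdict on one proxy. `request_headers` is what the judge
    received, `peer_ip` the TCP peer it saw (the proxy, if any) and
    `real_client_ip` the address the tester knows is its own.
    Returns 'direct', 'transparent', 'anonymous' or 'elite'."""
    real = ipaddress.ip_address(real_client_ip)
    if ipaddress.ip_address(peer_ip) == real:
        return "direct"          # the request never went through a proxy at all
    headers = {k.lower(): v for k, v in request_headers.items()}
    for name in IP_CARRYING:
        if name in headers and real in _ips_in(headers[name]):
            return "transparent" # your real address is forwarded: no anonymity
    if any(name in headers for name in PROXY_MARKERS):
        return "anonymous"       # admits to being a proxy but hides your address
    return "elite"

def usable_proxies(verdicts, allow_anonymous=True):
    """The 'remove non-anonymous proxies' policy: keep elite (and optionally
    anonymous) proxies; transparent ones and direct connections are dropped."""
    keep = {"elite"} | ({"anonymous"} if allow_anonymous else set())
    return sorted(p for p, level in verdicts.items() if level in keep)

# Constructed probe results: (peer address the judge saw, headers it received)
# for a tester whose own address is REAL_IP. Documentation ranges throughout.
REAL_IP = "203.0.113.10"
PROBES = {
    "198.51.100.1:8080": ("198.51.100.1", {"X-Forwarded-For": "203.0.113.10", "Via": "1.1 squid"}),
    "198.51.100.2:3128": ("198.51.100.2", {"Forwarded": 'for="[2001:db8::9]";proto=http, for=203.0.113.10:51234'}),
    "198.51.100.3:80":   ("198.51.100.3", {"Via": "1.1 proxy3 (HAProxy)"}),
    "198.51.100.4:8000": ("198.51.100.4", {"Accept": "*/*"}),
    "127.0.0.1:9":       ("203.0.113.10", {"Accept": "*/*"}),   # dead proxy: client fell back to direct
}

def classify_all(probes=PROBES, real_ip=REAL_IP):
    """Verdict per proxy, keyed by the proxy's host:port."""
    return {proxy: classify_proxy(hdrs, peer, real_ip) for proxy, (peer, hdrs) in probes.items()}

if __name__ == "__main__":
    verdicts = classify_all()
    for proxy, level in verdicts.items():
        print(f"{proxy:20s} {level}")
    print("usable:", usable_proxies(verdicts))
```

The last probe is the case the poster is worried about: a proxy that is down and a client that silently falls back to a direct connection shows up as `direct`, with the VPS's own address as the peer, and any complaint then lands on the VPS provider's abuse desk. A judge check like this has to run on every proxy before use and again whenever one fails, which is what the 'disable when detected to be down' and 'stop projects on no active proxies' options are there for.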
  • Sven (www.GSA-Online.de)
    Sorry, I have no idea what's wrong in that log. I see things like that site might be a Drupal one and it's trying to post to it. But that's not like what happens in a DDoS. I don't know what the problem is in that log.
  • Hi cherub/sven,

    I'm getting a warning again even though I have followed your advice on the settings and I'm using 10 private proxies from buyproxies. Please help. Below is the log I received:

    Return-path: <autogenerated@blocklist.de>
    Envelope-to: abuse@hetzner.de
    Delivery-date: Tue, 08 Oct 2013 15:12:32 +0200
    Received: from [109.239.50.114] (helo=reporting2.blocklist.de)
            by lms.your-server.de with esmtp (Exim 4.74)
            (envelope-from <autogenerated@blocklist.de>)
            id 1VTX5U-0001Lu-1m
            for abuse@hetzner.de; Tue, 08 Oct 2013 15:12:32 +0200
    Received: by reporting2.blocklist.de (Postfix, from userid 1003)
            id 2CEC02C81037A; Tue,  8 Oct 2013 15:17:10 +0200 (CEST)
    Received: from reporting3.blocklist.de (unknown [185.21.101.162])
            (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
            (No client certificate requested)
            by reporting2.blocklist.de (Postfix) with ESMTPS id 17CB22C81056E
            for <abuse@hetzner.de>; Tue,  8 Oct 2013 15:17:10 +0200 (CEST)
    X-DKIM: OpenDKIM Filter v2.0.1 reporting2.blocklist.de 17CB22C81056E
    Received: by reporting3.blocklist.de (Postfix, from userid 1002)
            id 52B561034C6E5; Tue,  8 Oct 2013 15:14:49 +0200 (CEST)
    To: "Abuse-Team of IP: 176.9.221.94" <abuse@hetzner.de>
    Subject: [noreply] abuse report about XX.XX.XX.XX - Tue, 08 Oct 2013 15:12:14 +0200 -- service: regbot (Again x 2) RID: 396989232
    MIME-Version: 1.0
    Reply-To: "Abuse-Team" <abuse-team@blocklist.de>
    From: "Abuse-Team (auto-generated)" <autogenerated@blocklist.de>
    Sender: abuse-team@blocklist.de
    X-Mailer: blocklist.de
    Errors-To: autogenerated@blocklist.de
    Auto-Submitted: auto-generated
    Content-Transfer-Encoding: 7bit
    Content-Type: multipart/mixed;
             boundary="Abuse-64cd926b145da72573ffbeda8e68eb7a";
    X-XARF: PLAIN
    X-Report-ID: 396989232
    Message-Id: <20131008131449.52B561034C6E5@reporting3.blocklist.de>
    Date: Tue,  8 Oct 2013 15:14:49 +0200 (CEST)
    X-Virus-Scanned: Clear (ClamAV 0.97.6/17948/Mon Oct  7 22:39:25 2013)
    X-Spam-Score: 0.5 (/)
    Delivered-To: he1-abuse@hetzner.de

    --Abuse-64cd926b145da72573ffbeda8e68eb7a
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain; charset=utf-8;

    Hello Abuse-Team,

    your Server/Customer with the IP: *XX.XX.XX.XX* has attacked one of our servers/partners.
    The attackers used the method/service: *regbot*  on: *Tue, 08 Oct 2013 15:12:14 +0200*.
    The time listed is from the server-time of the Blocklist-user who submitted the report.
    The attack was reported to the Blocklist.de-System on: *Tue, 08 Oct 2013 15:14:44 +0200*

    The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
    to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
    triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
    The Server-Owner configures the number of failed attempts, and the time period they have
    to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
    He has registered automatically on a honeypot Wiki/Forum/Blog system....
    At the site there is a notice that all postings and registrations will be reported.
    He used XRumer or other tools, or had a misconfigured mod_rewrite/mod_proxy which is being abused:
    http://blog.blocklist.de/2011/03/14/erlauterung-der-einzelnen-dienste-badbots-apacheddos-postfix/#regbots

    If the IP is a Tor-Server: http://blog.blocklist.de/tor-server-owner/

    Please check the machine behind the IP XX.XX.XX.XX (static.94.221.9.176.clients.your-server.de) and fix the problem.
    This is the 2nd attack (reported: 2) from this IP; see:
    http://www.blocklist.de/en/view.html?ip=XX.XX.XX.XX

    If you need the logs in another format (rather than an attachment), please let us know.
    You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=396989232&ip=XX.XX.XX.XX


    You can parse this abuse report mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
    You can find more information about X-Arf V0.2 at http://www.x-arf.org/specification.html

    This message will be sent again in one day if more attacks are reported to Blocklist.
    In the attachment of this message you can find the original logs from the attacked system.

    To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
    the IP you want to stop receiving emails about, and the email you want to stop receiving them on.
    If more attacks from your network are recognized after the seven day grace period, the reports will start
    being sent again.

    To pause these reports for one week:
    http://www.blocklist.de/en/insert.html?ip=XX.XX.XX.XX&email=abuse@hetzner.de


    We found this abuse email address in the Whois-Data from the IP under the SearchString "abuse-c (Ripe AbuseFinder)"
    Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)
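The report above documents its own trigger logic (failed logins, invalid users, 5xx bursts, honeypot registrations) and marks itself as machine-readable with the X-XARF, X-Report-ID and Auto-Submitted headers, while the subject line carries the reported IP, the service name ("regbot") and a repeat counter ("Again x 2"). What follows is an added example, not code from the thread and not blocklist.de's or Hetzner's tooling, of the triage a provider's abuse desk would do on such a mail before forwarding it to the customer: parse the subject and X-ARF headers, pull the attached log lines, cross-check them against the reported address, and route the report. The message is constructed to mirror the one above with a documentation IP; the attached log line, the meaning assigned to the "Again x N" counter (total reports so far, matching the body's "reported: 2") and the routing thresholds are assumptions, since the thread does not show the attachment.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample modelled on the blocklist.de mail quoted in the thread:
# same subject and X-ARF headers, a documentation IP for the reported address,
# and an attached log line standing in for the attachment the thread does not show.
RAW_REPORT = """\
To: "Abuse-Team of IP: 203.0.113.10" <abuse@example.net>
Subject: [noreply] abuse report about 203.0.113.10 - Tue, 08 Oct 2013 15:12:14 +0200 -- service: regbot (Again x 2) RID: 396989232
From: "Abuse-Team (auto-generated)" <autogenerated@blocklist.de>
Auto-Submitted: auto-generated
X-XARF: PLAIN
X-Report-ID: 396989232
Date: Tue,  8 Oct 2013 15:14:49 +0200 (CEST)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="Abuse-64cd926b145da72573ffbeda8e68eb7a"

--Abuse-64cd926b145da72573ffbeda8e68eb7a
Content-Type: text/plain; charset=utf-8

Hello Abuse-Team,

your Server/Customer with the IP: *203.0.113.10* has attacked one of our servers/partners.
The attackers used the method/service: *regbot*  on: *Tue, 08 Oct 2013 15:12:14 +0200*.
This is the 2 Attack (reported: 2) from this IP; see:
http://www.blocklist.de/en/view.html?ip=203.0.113.10

--Abuse-64cd926b145da72573ffbeda8e68eb7a
Content-Type: text/plain; charset=utf-8; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

203.0.113.10 - - [08/Oct/2013:15:12:14 +0200] "POST /user/register HTTP/1.1" 200 1234 "-" "Mozilla/5.0"

--Abuse-64cd926b145da72573ffbeda8e68eb7a--
"""

SUBJECT_RE = re.compile(
    r"abuse report about (?P<ip>\S+) - (?P<when>.+?) -- service: (?P<service>\S+)"
    r"(?: \(Again x (?P<again>\d+)\))? RID: (?P<rid>\d+)"
)

# What the report text itself says a service name means.
SERVICE_HINTS = {
    "regbot": "automated registrations/postings on a honeypot wiki/forum/blog "
              "(posting tool, or a misconfigured mod_rewrite/mod_proxy being abused)",
}

def triage_report(raw):
    """Parse one blocklist.de-style report mail into the fields an abuse desk
    needs before it forwards anything to the customer."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = SUBJECT_RE.search(str(msg["Subject"] or ""))
    if m is None:
        raise ValueError("subject line is not in the blocklist.de report format")
    info = {
        "ip": m["ip"],
        "service": m["service"],
        "hint": SERVICE_HINTS.get(m["service"], "unknown service, read the body"),
        # "(Again x N)" taken as reports so far; absent on a first report (assumption)
        "report_count": int(m["again"]) if m["again"] else 1,
        "report_id": m["rid"],
        "is_xarf": str(msg["X-XARF"] or "").upper() == "PLAIN",
        "auto_generated": str(msg["Auto-Submitted"] or "") == "auto-generated",
        "id_consistent": str(msg["X-Report-ID"] or "") == m["rid"],
        "evidence": [],
    }
    # The original log lines from the attacked system arrive as attachments.
    for part in msg.iter_attachments():
        info["evidence"].extend(l for l in part.get_content().splitlines() if l.strip())
    return info

def evidence_matches(info):
    """Every attached log line should name the reported IP; anything else means
    the report (or somebody's redaction) is inconsistent and needs a human look."""
    return bool(info["evidence"]) and all(info["ip"] in line for line in info["evidence"])

def decide(info, our_networks):
    """Routing: not our address -> ignore; inconsistent -> manual review;
    repeat offender -> escalate; otherwise a plain customer notification."""
    ip = ipaddress.ip_address(info["ip"])
    if not any(ip in ipaddress.ip_network(n) for n in our_networks):
        return "ignore: IP not in our ranges"
    if not (info["id_consistent"] and evidence_matches(info)):
        return "manual review: report is inconsistent"
    if info["report_count"] >= 2:
        return f"escalate: repeat offender ({info['report_count']} reports so far)"
    return "notify customer"

if __name__ == "__main__":
    report = triage_report(RAW_REPORT)
    print(report["ip"], report["service"], report["report_id"], "->", report["hint"])
    print(decide(report, ["203.0.113.0/24"]))
```

The cross-check in `evidence_matches` is the step that matters for the poster: a report whose attached log lines do not name the IP it complains about (or name a different one after redaction) is not something to forward to a customer, and the X-Report-ID header is what lets the desk pull the full logs from the reporter's site when the attachment is not enough.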

  • Sven (www.GSA-Online.de)
    Post your proxy settings (screenshot) again, please.
  • Hi Sven

    Please refer to the link here: http://imgur.com/aFJVLNO,alQLR5f

  • Sven (www.GSA-Online.de)
    So basically you do not use any proxies... you have to check them for submissions at least.
  • Hi Sven,

    This is just the sample setting from my desktop because I couldn't log in to my VPS right now. I've inserted my proxies in my VPS and am just showing you the actual settings I've made.
  • cherub (SERnuke.com)
    X_X Eek! For starters, check the box next to 'Submission', then check the box 'Private' on the same line. And in your 'Configure' screen, make sure your proxies are labelled as private.

    Basically with those options in your screenshot you aren't using proxies anywhere.
  • Dang.. ok, will send the screenshot again once I get my VPS back. How should I tell my VPS provider then, since I've been warned many times now?
  • cherub (SERnuke.com)
    Yep looks good, make sure your proxies are marked as private in the 'Configure' window.
  • Alright.. hope it will be OK this time. Cheers man and thank you.
  • Dude, buy private proxies. 
  • I did :). But I'm using them for my Tier 1, and I have been using GSA for over 5 months now and this is the first time getting banned.
  • Is soldierx the one complaining to your VPS? Some weird freemason website... (freemasons are the root of evil)

    I don't use private proxies and don't get that problem... I find proxies slow down my submission speed and just use them for scraping search engines.

    Anyway, they cannot pursue "legal" action because it isn't an attack; an attack would mean you were deliberately targeting their website.. when in actual fact you weren't... GSA Search Engine Ranker doesn't attack people's websites, it just so happens to find websites and post on them.

    Thanks for the drupal website anyway ;D