Skip to content

VPS suspended because of "Abuse report"

machovskimachovski
in Need Help

Hi! My VPS sent me message today, that they recieved complaint about my IP. It is weird, because I use GSA SER with proxies and I set "Pause all projects if no proxy available". They wrote: "It can be unsuspended once we received your reply back with what corrective action you are going to take in order to prevent such issues in the future. However please note you need to ensure that the issue not going to be repeated in the future."

What can I do with it?

Here is the Abuse Report:

########################################################################################

your Server/Customer with the IP: *184.154.41.196* has attacked one of our servers/partners.
The attackers used the method/service: *regbot* on: *Sat, 19 Oct 2013 19:06:49 0200*.
The time listed is from the server-time of the Blocklist-user who submitted the report.
The attack was reported to the Blocklist.de-System on: *Sat, 19 Oct 2013 19:17:01 0200*

The IP has been automatically blocked for a period of time. For an IP to be blocked, it needs
to have made several failed logins (ssh, imap....), tried to log in for an "invalid user", or have
triggered several 5xx-Error-Codes (eg. Blacklist on email...), all during a short period of time.
The Server-Owner configures the number of failed attempts, and the time period they have
to occur in, in order to trigger a ban and report. Blocklist has no control over these settings.
He has registered automatically on a honeypot Wiki/Forum/Blog-System....
At the site there is a notice that all postings and registrations will be reported.
He used xrumer or other Tools or had a false configured mod_rewrite/mod_proxy who is abused:
http://blog.blocklist.de/2011/03/14/erlauterung-der-einzelnen-dienste-badbots-apacheddos-postfix/#regbots

If the IP is a Tor-Server: http://blog.blocklist.de/tor-server-owner/

Please check the machine behind the IP 184.154.41.196 (adc2.adnshost.com) and fix the problem.
To search for AS-Number/IPs that you control, to see if any others have been infected/blocked, please go to:
http://www.blocklist.de/en/search.html?as=32475

If you need the logs in another format (rather than an attachment), please let us know.
You can see the Logfiles online again: https://www.blocklist.de/en/logs.html?rid=400398910&ip=184.154.41.196


You can parse this abuse report mail with X-ARF-Tools from http://www.x-arf.org/tools.html e.g. validatexarf-php.tar.gz.
You can find more information about X-Arf V0.2 at http://www.x-arf.org/specification.html

This message will be sent again in one day if more attacks are reported to Blocklist.
In the attachment of this message you can find the original logs from the attacked system.

To pause this message for one week, you can use our "Stop Reports" feature on Blocklist.de to submit
the IP you want to stop recieving emails about, and the email you want to stop receiving them on.
If more attacks from your network are recognized after the seven day grace period, the reports will start
being sent again.

To pause these reports for one week:
http://www.blocklist.de/en/insert.html?ip=184.154.41.196&email=abuse@singlehop.com


We found this abuse email address in the Whois-Data from the IP under the SearchString "abuse-mailbox (own-db)"
Reply to this message to let us know if you want us to send future reports to a different email. (e.g. to abuse-quiet or a special address)


------------------------------
blocklist.de Abuse-Team
This message was sent automatically. For questions please use our Contact-Form:
https://www.blocklist.de/en/contact.html?RID=400398910
Logfiles: https://www.blocklist.de/en/logs.html?rid=400398910&ip=184.154.41.196


########################################################################################

Tagged:

Comments

  • bloupbloupbloupbloup Spain
    edited October 2013
    did you tick: "check if anonymous" in proxy configuration?

    in options,

    did you check use proxy, and then did you check everything and "public"
  • machovskimachovski
    edited October 2013

    No, I didn't tick "check if anonymous", I thought it is only needed if GSA searches for proxies.


    Here are my proxy settings:

    image

  • cherubcherub UK
    You don't have 'Private' ticked next to Submission, PR checking etc, which means you're effectively not using proxies at all
  • machovskimachovski

    I don't have privat proxies, I use only public ones. But I tested them and they are working.

    So should I tick all the fields under "Use proxies"? I mean all "Public", "Privat", "Search Engines", "Skip for identification"?

  • cherubcherub UK
    If you're using public proxies, you need to tick the 'Public' box next to Submission etc, in order to tell SER to actually use them. Though public proxies may easily leak your VPS IP address. You'd do better with private proxies.
  • machovskimachovski
    Thank you! And what if I will tick "Check if anonymous"? Than probably it will check if that public proxy is hiding my IP or not, wouldn't it?
  • cherubcherub UK
    It will check whether the proxy is anonymous at time of checking. A public proxy may not be anonymous all of the time though. YMMV
  • bloupbloupbloupbloup Spain
    edited October 2013
    @machovski
    you will find "check if anonymous" after clicking on "configure" next to  "use proxies"
    and then click on the "Options" button
  • machovskimachovski
    Ok, thanks guys! So it seems that I should get some privat proxies. I was looking at some seller sites, it is about 10$ per 10 proxies monthly. So every month they will send me new proxies which I will add to GSA? And if some of the proxies will die during this month they will replace it?
  • spunko2010spunko2010 Isle of Man
    Yes and yes.

    You would be better off buying 20-30 semi private though I think.
Sign In or Register to comment.