abhi16 (Author) Posted August 7, 2018
Is the Tommy server down today? It's not working from my side.

r0nmlt Posted August 7, 2018
Yes, I think it is down. My emails aren't being forwarded and POP3 access is also affected.

abhi16 (Author) Posted August 7, 2018
Yes, it is still down, but there is a reply when pinging the server...
wolstech Posted August 7, 2018
The DDoS that was hitting Johnny is now hitting Tommy instead, since we took down Johnny for maintenance.

abhi16 (Author) Posted August 7, 2018 (edited)
The DDoS that was hitting Johnny is now hitting Tommy instead, since we took down Johnny for maintenance.

OK, thanks for the information... Can you tell me how long it will take to solve the problem?? I just figured out that cPanel is accessible; maybe some ports are not working!!!
Edited August 7, 2018 by abhi16

wolstech Posted August 7, 2018
Considering we can't fix the DDoS on Johnny, we have to just wait it out, which, considering this botnet's persistence, could be months. Maybe it will move back to Johnny when that maintenance is completed, but who knows. More than likely the goal of the attacker is to crash all of our servers and run us out of business. The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly PayPal phishing, and significantly more than normal), so my theory is that it's retaliation for us banning some clown who wanted to phish PayPal accounts.

I just figured out that cPanel is accessible; maybe some ports are not working!!!

That's because the attack just overloads Apache, effectively keeping it from doing anything. The cPanel stuff runs under a dedicated web server application known as cpsrvd that is unaffected. Email and the like should still work too. Unlike Johnny, which buckled from load, Tommy is much beefier, so between him simply having a lot more capability and his firewall not hogging the CPU, he handles being attacked much better.

TL;DR: Some idiot phisher is attacking us and his botnet ain't big enough.
r0nmlt Posted August 7, 2018
It does affect mail somewhat. POP3 was down this morning (CET) and you also get this

wolstech Posted August 7, 2018
The mail server itself seems to be working fine (I can telnet to it inside SSH and get the expected responses; webmail also works). Apache is actually up as well if I telnet to it from localhost and request a document. The issue is that the traffic can't get in or out right now.
EDIT: Just heard from Krydos... it's blocked intentionally to mitigate the attack.

abhi16 (Author) Posted August 7, 2018
Considering we can't fix the DDoS on Johnny, we have to just wait it out, which, considering this botnet's persistence, could be months. Maybe it will move back to Johnny when that maintenance is completed, but who knows. More than likely the goal of the attacker is to crash all of our servers and run us out of business. The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly PayPal phishing, and significantly more than normal), so my theory is that it's retaliation for us banning some clown who wanted to phish PayPal accounts.

I just figured out that cPanel is accessible; maybe some ports are not working!!!

That's because the attack just overloads Apache, effectively keeping it from doing anything. The cPanel stuff runs under a dedicated web server application known as cpsrvd that is unaffected. Email and the like should still work too. Unlike Johnny, which buckled from load, Tommy is much beefier, so between him simply having a lot more capability and his firewall not hogging the CPU, he handles being attacked much better.

TL;DR: Some idiot phisher is attacking us and his botnet ain't big enough.

OH MY GOD!!!! May this problem get solved very soon... Let us know once the problem is solved. Thank you...

wolstech Posted August 7, 2018
I got a response from Krydos on this. Turns out his botnet is big enough; we just blocked the shared IP to keep it from being effective. The bad news is that means all the websites are down. The good news is all the other stuff is on another IP, which is why cPanel and everything else is accessible.

abhi16 (Author) Posted August 7, 2018
Tommy has returned to normal. Thank you so much.
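The check wolstech describes above (telnet to each daemon from inside SSH, then compare with the public address) is the quickest way to tell "the service is dead" from "the firewall is dropping the traffic". The script below is an added example written for this thread, not code from HelioHost; the IP addresses, port-to-IP layout (Apache on the shared IP, cpsrvd and mail on a second IP) and the `filtered`/`down` labels are assumptions for illustration.

```python
import socket

# Assumed layout taken from the thread: Apache sits on the shared IP that was
# blocked, while cPanel (cpsrvd) and mail sit on a second IP. The addresses are
# documentation-range placeholders, not HelioHost's real ones.
WEB_IP = "203.0.113.10"
OTHER_IP = "203.0.113.11"
SERVICES = {
    "apache": (WEB_IP, 80, b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"),
    "cpsrvd": (OTHER_IP, 2083, None),   # cPanel's own web server
    "smtp":   (OTHER_IP, 25, None),     # banner is sent without a request
    "pop3":   (OTHER_IP, 110, None),    # banner is sent without a request
}


def probe(host, port, timeout=3.0, request=None):
    """TCP-connect to host:port, optionally send a request, read up to 256 bytes.

    Returns (connected, banner). A connection that opens but stays silent
    (e.g. an HTTP server that saw no request) yields (True, b"").
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if request:
                sock.sendall(request)
            try:
                banner = sock.recv(256)
            except socket.timeout:
                banner = b""
            return True, banner
    except OSError:
        return False, b""


def classify(local_ok, public_ok):
    """Combine the loopback and public-address results into one verdict."""
    if local_ok and public_ok:
        return "up"
    if local_ok:
        return "filtered"      # daemon answers on loopback; traffic blocked upstream
    if public_ok:
        return "public-only"   # unusual: usually a listener bound to one address
    return "down"


def triage(services=SERVICES, prober=probe):
    """Run from an SSH session on the box itself: probe each service on
    127.0.0.1 and on its public address, returning {name: (verdict, banner)}."""
    report = {}
    for name, (ip, port, request) in services.items():
        local_ok, banner = prober("127.0.0.1", port, request=request)
        public_ok, _ = prober(ip, port, request=request)
        report[name] = (classify(local_ok, public_ok), banner[:40])
    return report


if __name__ == "__main__":
    for name, (verdict, banner) in triage().items():
        print(f"{name:8} {verdict:12} {banner!r}")
```

During the incident in this thread the expected picture is `apache: filtered` (it answers on loopback, the shared IP is blocked) and `up` for the services on the other IP; a daemon that is really crashed shows `down` on both probes.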
dtopalov Posted August 7, 2018
Again down. Why would someone DDoS free hosting?

ziad87 Posted August 7, 2018 (edited)
The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly PayPal phishing, and significantly more than normal), so my theory is that it's retaliation for us banning some clown who wanted to phish PayPal accounts.

Seems to be half working at times, but only barely. Even cpsrvd barely responds. It seems Cody has taken a hit too. Helionet.org and Heliohost.org seem to be slower than usual.
Edited August 7, 2018 by ziad87

wolstech Posted August 7, 2018
Ziad's got it, but to clarify the reason above a bit more. The Tommy attack is actually a different type of DDoS (wasting traffic vs. just leaving connections open all day on Johnny). It may or may not be the same attacker. It could be retaliation for cleaning up AnonymousFox too.

The people who have the resources to launch these attacks are almost certainly involved in other cybercrime too. You don't generally just keep a botnet around (or hire one and keep it on retainer) for no reason. Spam and phishing have one of the best effort-to-profit ratios out there. Both are relatively easy to execute and very profitable when they pay off (send 1000 phishing emails, and if just one user falls for it they can potentially get a few grand from a PayPal account...). Sometimes other abuse comes along, usually with phishing or spam being the end goal. For example, look at AnonymousFox, who used a 0-day WP exploit to take over more than 100 websites, saving him the hassle of getting domains and accounts and giving him the advantage of the site owners' reputation. Many of those then had a phishing site and/or spambot uploaded.

Also, most hosting companies are reactive. Phisher goes phishing, email and security companies squawk, and eventually the host gets abuse reports and bans them. We don't wait for that report and instead proactively monitor for abuse. To cyber-criminals, that means "We make easy money difficult." Their response to us wasting their time is a botnet to the face.
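wolstech's distinction between the two attacks (leaving connections open all day on Johnny versus simply wasting traffic on Tommy) shows up directly in the kernel's socket table, and it decides what you can do about it. The script below is an added example for this thread, not HelioHost's tooling: it parses `ss -tan`-style output and flags the two patterns with simple thresholds. The socket listing is constructed here (no output from the real servers appears on the page), the IP addresses are placeholders, and the thresholds are arbitrary starting points, not tuned values.

```python
from collections import Counter


def make_sample():
    """Constructed `ss -tan`-style listing; 203.0.113.10 is the assumed web IP."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    # Connection-holding pattern (slowloris-style): a handful of peers each keep
    # dozens of sockets established to :80 and never finish their requests.
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for n in range(60):
            lines.append(f"ESTAB 0 0 203.0.113.10:80 {ip}:{40000 + n}")
    # Traffic-wasting pattern (SYN flood): half-open sockets from many distinct,
    # typically spoofed, sources.
    for n in range(200):
        lines.append(f"SYN-RECV 0 0 203.0.113.10:80 192.0.2.{n}:{50000 + n}")
    # Ordinary legitimate traffic for contrast.
    lines.append("ESTAB 0 0 203.0.113.10:80 192.0.2.251:43210")
    lines.append("ESTAB 0 0 203.0.113.10:2083 192.0.2.251:43211")
    return "\n".join(lines)


def parse_ss(text):
    """Turn the listing into dicts with state, local port and peer address."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        _lhost, lport = local.rsplit(":", 1)     # rsplit copes with IPv6 too
        phost, _pport = peer.rsplit(":", 1)
        conns.append({"state": state, "local_port": int(lport), "peer": phost})
    return conns


def summarize(conns, local_port=80):
    """Per-peer established counts and half-open totals for one listening port."""
    estab = Counter(c["peer"] for c in conns
                    if c["state"] == "ESTAB" and c["local_port"] == local_port)
    synrecv = [c["peer"] for c in conns
               if c["state"] == "SYN-RECV" and c["local_port"] == local_port]
    return {"estab_per_peer": estab,
            "synrecv_total": len(synrecv),
            "synrecv_peers": len(set(synrecv))}


def classify(summary, estab_per_peer_threshold=50, synrecv_threshold=100):
    """Return a list of (finding, detail) pairs. Thresholds are illustrative."""
    findings = []
    holders = sorted(ip for ip, n in summary["estab_per_peer"].items()
                     if n >= estab_per_peer_threshold)
    if holders:
        # Few sources, each holding many sockets: these can be dropped per IP.
        findings.append(("connection-holding", holders))
    if summary["synrecv_total"] >= synrecv_threshold:
        # Many half-open sockets from many sources: per-IP blocking is useless,
        # which is why the only lever left in the thread was blocking the target IP.
        findings.append(("syn-flood", summary["synrecv_peers"]))
    return findings


if __name__ == "__main__":
    for finding, detail in classify(summarize(parse_ss(make_sample()))):
        print(finding, detail)
```

The practical difference the output makes: the connection-holding sources can be dropped one by one at the firewall (and rate limits on connections per source help), whereas a volumetric or SYN flood from spoofed addresses leaves nothing per-IP to block, so the operator's remaining options are upstream filtering or taking the targeted address offline, as Krydos did with the shared IP.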