
Posted (edited)

The DDoS that was hitting Johnny is now hitting Tommy instead, since we took down Johnny for maintenance.

OK, thanks for the information... Can you tell me how long it takes to solve the problem??

 

Just figured out that cPanel is accessible; maybe some ports are not working!!!

Edited by abhi16
Posted

Considering we can't fix the DDoS on Johnny, we have to just wait it out, which, considering this botnet's persistence, could be months.

 

Maybe it will move back to Johnny when that maintenance is completed, but who knows. More than likely the goal of the attacker is to crash all of our servers and run us out of business. The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly PayPal phishing, and significantly more than normal), so my theory is that it's retaliation for us banning some clown who wanted to phish PayPal accounts.

 

 

 

Just figured out that cPanel is accessible; maybe some ports are not working!!!

That's because the attack just overloads Apache, effectively keeping it from doing anything.

 

The cPanel stuff runs under a dedicated web server application known as cpsrvd that is unaffected. Email and the like should still work too. Unlike Johnny, which buckled from load, Tommy is much beefier, so between him simply having a lot more capability and his firewall not hogging the CPU, he handles being attacked much better.

 

TL;DR: Some idiot phisher is attacking us and his botnet ain't big enough  :P

Posted

The mail server itself seems to be working fine (I can telnet to it inside SSH and get the expected responses, webmail also works). Apache is actually up as well if I telnet to it from localhost and request a document.

 

The issue is that the traffic can't get in or out right now.

 

EDIT: Just heard from Krydos... it's blocked intentionally to mitigate the attack.

Posted


OH MY GOD!!!! May this problem get solved very soon... Let us know once the problem is solved. Thank you...

Posted

I got a response from Krydos on this. Turns out his botnet is big enough, we just blocked the shared IP to keep it from being effective. Bad news is that means all the websites are down. The good news is all the other stuff is on another IP, which is why cPanel and everything else is accessible.

Posted (edited)

The attack started shortly after we banned ~150 phishing sites that signed up over the course of a week (mostly PayPal phishing, and significantly more than normal), so my theory is that it's retaliation for us banning some clown who wanted to phish PayPal accounts.

Seems to be half working at times, but only barely. Even cpsrvd barely responds.

 

It seems Cody has taken a hit too. Helionet.org and Heliohost.org seem to be slower than usual.

Edited by ziad87
Posted

Ziad's got it, but to clarify the reason above a bit more. The Tommy attack is actually a different type of DDoS (wasting traffic vs. just leaving connections open all day on Johnny). It may or may not be the same attacker. It could be retaliation for cleaning up AnonymousFox too.

 

The people who have the resources to launch these attacks are almost certainly involved in other cybercrime too. You don't generally just keep a botnet around (or hire one and keep it on retainer) for no reason. Spam and phishing have one of the best effort-to-profit ratios out there. Both are relatively easy to execute and very profitable when they pay off (send 1000 phishing emails, and if just one user falls for it they can potentially get a few grand from a PayPal account...).

 

Sometimes other abuse comes along, usually with phishing or spam being the end goal. For example look at AnonymousFox, who used a 0-day WP exploit to take over more than 100 websites, saving him the hassle of getting domains and accounts and giving him the advantage of the site owner's reputation. Many of those then had a phishing site and/or spambot uploaded.

 

Also, most hosting companies are reactive. Phisher goes phishing, email and security companies squawk, and eventually the host gets abuse reports and bans them. We don't wait for that report and instead proactively monitor for abuse. To cyber-criminals, that means "We make easy money difficult." Their response to us wasting their time is a botnet to the face. <_<
