post

Brute Force Attacks Coming From OPH in France

If you have a website or blog, expect cyber attacks, malware, SQL injection attempts and other abuse to accelerate in 2013, so we all need to take action to ward off the compromises we will undoubtedly experience.

Throughout 2012 I logged all activity on this blog and on many of my sites. Analyzing our logs I’ve found that numerous attacks — specifically ones where someone is running a script to perform brute force login attempts with the default username “admin” — emanate from the same ISPs and hosting companies as well as the same domains. So I thought I’d do this post as an “open letter” to the founder of OVH.com and see if he’s willing to engage in a discussion and take some action to stop it.

Wait until you read the updates and, especially, A HUGE COINCIDENCE?

Octave Klaba

TO:  OVH Founder Octave Klaba

SUBJECT: Attacks Generated from OVH IPs

Mr. Klaba,

While I have taken to blocking some countries entirely due to all of the attacks on this blog, for others I have instead added more security layers and closed as many holes as possible. Unfortunately there are ongoing brute force login attempts and scanning coming from Kimsufi.com (an OVH entity), and the ones listed here happened in just the last week:

  • 29 December 2012: failed login using the invalid username “admin”
    • Location: Paris, France
    • IP: 94.23.250.149
    • Hostname: ks383693.kimsufi.com
  • 30 December 2012: failed login using the invalid username “admin”
    • Location: unknown
    • IP: 91.121.9.21
    • Hostname: ks22943.kimsufi.com
  • 4 January 2013: failed login using the invalid username “admin”
    • Location: unknown
    • IP: 5.135.182.147
    • Hostname: ks3289006.kimsufi.com
  • 5 January 2013: failed login using the invalid username “admin”
    • Location: unknown
    • IP: 5.135.182.148
    • Hostname: ks3289007.kimsufi.com
  • 5 January 2013: failed login using the invalid username “admin”
    • Location: unknown
    • IP: 5.135.182.150
    • Hostname: ks3289009.kimsufi.com

In addition to these attacks I have logged just on this blog, I have also discovered numerous entries at ProjectHoneypot.org that identify IPs originating from Kimsufi/OVH which are spamming, performing brute force attacks and more.

Please let me know what steps you will take to stop these attacks.

~Steve Borsch


UPDATE 1/7/13: I tweeted to Octave (and sent him an email after finding his address in Whois) and this is the smart-ass reply he sent. As the leader of OVH, he should actually be embarrassed since he comes across as a complete douchebag who could seemingly care less about taking any action.

A HUGE COINCIDENCE?

After receiving a few comments on this post at about 1pm CST today all my sites went down. I contacted Dreamhost technical support and it turns out — for the first time EVER in 14 years of hosting websites — that my virtual private server was receiving a “UDP flood” as a distributed denial of service attack. Dreamhost simply turned off UDP so the sites came back up, but I suspect this isn’t the end of this adventure.

Gee…what a coincidence this happened today. Though it is highly unlikely Dreamhost or I will ever be able to trace back to the originating IP address and discover where this attack emanated from, I can tell you that none of this happened until I verbally bitch-slapped Octave Klaba on Twitter. Could be Klaba asking others to attack for him, could be script kiddies in support of him, or it might be none of that and is just a coincidence (the latter of which I’m saying to ensure I can’t get sued for libel, as I have no proof).

UPDATE 1/8/13: Now that I’m getting over the flu I’m perhaps a bit more rational. Again, I have no proof and it is my opinion that something is going on which suddenly appeared after this began. I doubt Klaba had anything to do with it (too much to lose) but the untraceable nature of this sort of attack makes it simple for any geek to do if they had a compelling reason to go after a small blog like mine. If you could see the access logs I read and the volume of attacks that occur every single day, you’d be agitated also.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.

Comments

  1. Blocked_Visitor says:

    lol ^^

    ovh.com is hosting 150,000+ dedicated servers ;-)

    as already said, for scans or attack problems, send a mail to abuse@ovh.net ^^

  2. abuse@ovh.net is too difficult for you? don’t be lazy and ridiculous

  3. Steve Borsch says:

    Site is in French. Also what’s “lazy and ridiculous” is that Octave couldn’t forward it to his own team, tell me he did that, and then say something like, “In the future please use abuse@ovh.net to let us know about abuse.”

    To do what he did shows he’s not a leader and doesn’t care what happens within the bowels of OVH.

  4. You need an american site in order to send email at abuse@ovh.net ?
    Can’t you see 11 flags at the bottom of http://www.ovh.com?...

    Only 1 failed login by day on http://iconnectdots.com/wp-login.php is an attack for you??? it’s a joke?

  5. Steve Borsch says:

    spback: “Flags” were not obvious on the site so no, didn’t see them. What’s curious is that, all of a sudden, OVH flipped the switch on content localization (or maybe it was turned off the past few days?). I used Google Translate on the French site but that’s not exact and I didn’t have time to bother and go on the hunt (plus I was bugged).

    Also my experience with ISP/Hosting company “abuse@” responses have been virtually zero over the last several years.

    1 failed per day? Hardly. This blog has been around since 2004 and used to receive anywhere between 50-100 *per day* from various sources. Then I started country blocking the worst offenders and that helped. Now I’m trying to slowly stomp out the remaining few from countries I’d prefer not to block (since I have legitimate readers from France, for example).

  6. Install ecSTATic and you will have many options to block this.

  7. Steve Borsch says:

    Didn’t know about this tool, Humberto. I use Wordfence which has their capabilities and several more.

  8. Barbara Robertson says:

    First of all thank you for this post !! I am glad I am not alone with these stupid kimsufi attacks. In fact I suspect there must be hundreds or even thousands… And I suppose that a lot of folks who get attacked are using the WORDFENCE plugin… So just as an idea: why not get Mark Maunder (I am not sure I got his name right) from WORDFENCE involved and he gathers all those under attack and then together we make a plea to this Octave Klaba to take action. I suppose that via the WORDFENCE plugin it should be possible to see how many blogs are being attacked by this kimsufi guy. Just an idea…
    I did write to abuse@ovh.net – but to no avail.

    Thank you – Barbara

  9. Steve Borsch says:

    Hi Barbara — You are so welcome. I’ll get on the WORDFENCE forum now and ask Mark about your idea.

    By the way — and this depends on your host’s Apache configuration — but I’ve used this in my .htaccess file to disallow certain domains, including kimsufi and OVH (and it works):

    #Stop Access from Certain Domains
    # Apache 2.2 (mod_authz_host) syntax. "Deny from" takes a (partial) domain
    # name, an IP address or a CIDR block, not a regular expression: a host is
    # denied when its reverse-DNS name ends in the given string, which requires
    # HostnameLookups to be On. IPs with no PTR record are not caught this way.
    Order Allow,Deny
    Allow from all
    Deny from kimsufi.com
    Deny from ovh.net
    Deny from yandex.com
    Deny from baidu.com

    Good luck and thanks for stopping by!
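Added example, not code from the post, from Wordfence or from OVH: a Python script that takes the five Kimsufi entries from the open letter above as a constructed event list (plus one constructed benign entry), groups them by /24 network and by reverse-DNS domain, and renders the kind of Apache block rules the .htaccess snippet in this comment is aiming at. It demonstrates the point argued over in the comments: one “admin” attempt per day from a single IP looks like nothing, but 5.135.182.147, .148 and .150 (ks3289006/7/9) are neighbouring boxes in one /24, and all five sources sit under kimsufi.com, so grouping by network and provider is what reveals the campaign. The reverse names are embedded rather than resolved at runtime, and the two-label domain helper and the threshold of three are assumptions for illustration.

```python
"""Group failed WordPress logins by source network and reverse-DNS domain,
then emit Apache block rules for the sources that look coordinated."""
import ipaddress
from collections import Counter

# Constructed sample events modelled on the entries in the open letter.
# In practice this comes from your login-failure log (Wordfence or whichever
# login plugin you use); the Apache access log alone shows the POST to
# wp-login.php but not the username tried. Reverse names are assumed here,
# not resolved at runtime.
FAILED_LOGINS = [
    # (date, source ip, reverse dns, username tried)
    ("2012-12-29", "94.23.250.149", "ks383693.kimsufi.com", "admin"),
    ("2012-12-30", "91.121.9.21", "ks22943.kimsufi.com", "admin"),
    ("2013-01-04", "5.135.182.147", "ks3289006.kimsufi.com", "admin"),
    ("2013-01-05", "5.135.182.148", "ks3289007.kimsufi.com", "admin"),
    ("2013-01-05", "5.135.182.150", "ks3289009.kimsufi.com", "admin"),
    ("2013-01-05", "203.0.113.7", "", "steve"),  # constructed: a reader typo, no PTR
]


def registrable_domain(hostname):
    """Crude 'last two labels' suffix: ks383693.kimsufi.com -> kimsufi.com.
    Assumption: the providers in play use two-label domains."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def per_ip_counts(events):
    """Attempts per individual source address."""
    return Counter(ip for _, ip, _, _ in events)


def per_network_counts(events, prefix=24):
    """Collapse sources into /prefix networks: one attempt per IP looks
    harmless, but several neighbours in one block is a campaign."""
    nets = Counter()
    for _, ip, _, _ in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)] += 1
    return nets


def per_domain_counts(events):
    """Attempts per reverse-DNS domain; hosts without a PTR are skipped."""
    doms = Counter()
    for _, _, host, _ in events:
        dom = registrable_domain(host)
        if dom:
            doms[dom] += 1
    return doms


def suspicious_sources(events, threshold=3):
    """IPs, /24s and domains that reached the threshold. The networks and
    domains can cross it even when no single IP does."""
    ips = per_ip_counts(events)
    nets = per_network_counts(events)
    doms = per_domain_counts(events)
    return {
        "ips": {i: c for i, c in ips.items() if c >= threshold},
        "networks": {n: c for n, c in nets.items() if c >= threshold},
        "domains": {d: c for d, c in doms.items() if c >= threshold},
    }


def apache_rules(findings, apache24=True):
    """Render block directives: Apache 2.4 Require syntax, or 2.2
    Order/Allow/Deny. Name-based rules only fire with HostnameLookups On."""
    lines = []
    if apache24:
        lines.append("<RequireAll>")
        lines.append("    Require all granted")
        for net in sorted(findings["networks"]):
            lines.append(f"    Require not ip {net}")
        for dom in sorted(findings["domains"]):
            lines.append(f"    Require not host {dom}")
        lines.append("</RequireAll>")
    else:
        lines += ["Order Allow,Deny", "Allow from all"]
        for net in sorted(findings["networks"]):
            lines.append(f"Deny from {net}")
        for dom in sorted(findings["domains"]):
            lines.append(f"Deny from {dom}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_sources(FAILED_LOGINS)
    print(found)
    print(apache_rules(found))
    print(apache_rules(found, apache24=False))
```

Run as-is it reports no single IP over the threshold, but flags 5.135.182.0/24 (three attempts) and kimsufi.com (five), and prints rules for both. Blocking by CIDR is the more reliable of the two outputs, since it does not depend on the attacker’s host having a PTR record or on Apache doing a reverse lookup per request.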

  10. alan geeves says:

    ovh is still alive and well. On a forum I run I’ve been hounded by fake registrations that trace back to ovh.net. The result is that I had to block 130,000 IP addresses to slow them down. My forum has little interest to people in France so I can risk affecting real users. I know there are more IPs to find and block.
    What is the purpose of large numbers of registrations that never post?

Leave a Reply