Brute Force Attacks Coming From OVH in France

January 5, 2013/

If you have a website or blog, expect that cyber attacks, malware, database injections and other crimes are going to accelerate in 2013 so we all need to take actions to ward off the inevitable compromises we’ll undoubtedly experience.

Throughout 2012 I logged all activity on this blog and on many of my sites. Analyzing our logs I’ve found that numerous attacks — specifically ones where someone is running a script to perform brute force login attempts with the default username “admin” — emanate from the same ISPs and hosting companies as well as the same domains. So I thought I’d do this post as an “open letter” to the founder of OVH.com and see if he’s willing to engage in a discussion and take some action to stop it.

Wait until you read the updates and, especially, A HUGE COINCIDENCE?

OctaveKlaba

Octave Klaba

TO:  OVH Founder Octave Klaba

SUBJECT: Attacks Generated from OVH IPs

Mr. Klaba,

While I have taken to blocking some countries in total due to all of the attacks on this blog, I have instead added more security layers and closed as many holes as possible. Unfortunately there are ongoing brute force login attempts and scanning occurring from Kimsufi.com (an OVH entity) and the ones listed here have happened in just the last week:

  • 29 December 2012
    • Paris, France attempted a failed login using an invalid username “admin”.
    • IP: 94.23.250.149
    • Hostname: ks383693.kimsufi.com
  • 30 December 2012
    • An unknown location at IP 91.121.9.21 attempted a failed login using an invalid username “admin”.
    • IP: 91.121.9.21
    • Hostname: ks22943.kimsufi.com
  • 4 January 2013
    • An unknown location at IP 5.135.182.147 attempted a failed login using an invalid username “admin”.
    • IP: 5.135.182.147
    • Hostname: ks3289006.kimsufi.com
  • 5 January 2013
    • An unknown location at IP 5.135.182.148 attempted a failed login using an invalid username “admin”.
    • IP: 5.135.182.148
    • Hostname: ks3289007.kimsufi.com
  • 5 January 2013
    • An unknown location at IP 5.135.182.150 attempted a failed login using an invalid username “admin”.
    • IP: 5.135.182.150
    • Hostname: ks3289009.kimsufi.com

In addition to these attacks I have logged just on this blog, I have also discovered numerous entries at ProjectHoneypot.org that identify IPs generating from Kimsufi/OVH which are spamming, performing brute force attacks and more.

Please let me know what steps you will take to stop these attacks.

~Steve Borsch

UPDATE 1/7/13: I tweet to Octave (and send him an email after finding it at Whois) and this is the smart ass reply he sends. As the leader of OVH, he should actually be embarrassed since he comes across as a complete douchebag who could seemingly care less about taking any action.

oles

A HUGE COINCIDENCE?

After receiving a few comments on this post at about 1pm CST today all my sites went down. I contacted Dreamhost technical support and it turns out — for the first time EVER in 14 years of hosting websites — that my virtual private server was receiving a “UDP flood” as a distributed denial of service attack. Dreamhost simply turned off UDP so the sites came back up, but I suspect this isn’t the end of this adventure.

Gee…what a coincidence this happened today. Though it is highly unlikely Dreamhost or I will ever be able to trackback to the originating IP address and discover where this attack emanated from, I can tell you that none of this happened until I verbally bitch-slapped Octave Klaba on Twitter. Could be Klaba asking others to do attack for him, could be script kiddies in support of him, or it might be none of that and is just a coincidence (the latter which I’m saying to ensure I can’t get sued for libel as I have no proof).

UPDATE 1/8/13: Now that I’m getting over the flu I’m perhaps a bit more rational. Again, I have no proof and it is my opinion that something is going on which suddenly appeared after this began. I doubt Klaba had anything to do with it (too much to lose) but the untraceable nature of this sort of attack makes it simple for any geek to do if they had a compelling reason to go after a small blog like mine. If you could see the access logs I read and the volume of attacks that occur every single day, you’d be agitated also.

Posted in  

12 Comments

  1. Blocked_Visitor on January 7, 2013 at 9:19 am

    lol ^^

    ovh.com is hosting 150’000+ dedicated servers 😉

    as already said, for scans or attack problems, send a mail to abuse@ovh.net ^^



  2. Steve Borsch on January 7, 2013 at 9:32 am

    Site is in French. Also what’s “lazy and ridiculous” is that Octave couldn’t forward it to his own team, tell me he did that, and then say something like, “In the future please use abuse@ovh.net” to let us know about abuse.”

    To do what he did shows he’s not a leader and doesn’t care what happens within the bowels of OVH.



  3. spback on January 7, 2013 at 9:55 am

    You need an american site in order to send email at abuse@ovh.net ?
    Can’t you see 11 flags at the bottom of http://www.ovh.com?...

    Only 1 failed login by day on https://iconnectdots.com/wp-login.php is an attack for you??? it’s a joke?



  4. Humberto on January 18, 2013 at 2:09 am

    Install ecSTATic and you will have many options to block this.



  5. Barbara Robertson on January 19, 2013 at 11:11 pm

    First of all thank you for this post !! I am glad I am not alone with this stupid kimsufi attacks. In fact I suspect there must be hundreds or even thousands… And I suppose that a lot of floks who get attacked are using the WORDFENCE plugin… So just as a idea: why not get Mark Maunder (I am nt sure I got his name right) from WORDFENCE involved and he gathers all those under attack and then together we make a plea to this Octave Klaba to take action. I suppose that via the WORDFENCE plugin it should be possible to see how many blogs are being attacked by this kimsufi guy. Just an idea…
    I did write to abuse@ovh.net – but to no avail.

    Thank you – Barbara



  6. alan geeves on May 10, 2013 at 5:07 pm

    ovh is still alive and well. On a forum I run Ive been hounded by fake registrations that trace back to ovh.net Result is that I had to block 130000 ip addresses to slow them down. My forum has little interest to people in France so I can risk affecting real users. I know there are more ips to find and block.
    What is the purpose of large numbers of registrations that never post



  7. Steve Borsch on October 23, 2013 at 8:53 am

    Though the founder and ceo, Octave Klaba (Oles), is someone who seems to have little interest in being a good internet citizen or has somehow defined his place in cyberspace in some unique way.

    As you can see from this post, my blog got it’s first DDOS attack (though I’d been blogging for EIGHT YEARS) after my interactions with Octave. Curiously I somehow got on a list of script kiddies trying to hack in to WordPress sites and it’s been going on for nearly a year. In fact, this morning I had over 500 attempts in an hour — and I’ve discovered in my logs that a lot of them emanate from Kimsufi, one of OVH’s platforms.

    Suggestions:

    a) Try sending “Oles” a tweet

    b) Go to Abuse.OVH.Net and report an abuse.

    Good luck complaining though.



  8. Alan Geeves on October 23, 2013 at 8:45 pm

    Things that worked for me.
    First when you get an attack trace the ip then run whois on it Whois will give you an entry in a database along with that complete ip range. Ban the range. OVH has many ranges and you wont get them in one hit. This cut my problems in half eventually
    Second and most effective Set a registration question with an invalid answer as default
    The bots dont read the question but try to guess the answer based on the default. I wont post my question but it is impossible for a person to fail and appears impossible for a machine to answer.
    I went from 300 fake registrations a day to 3 a month. 3 a month I can deal with



  9. kimkof on November 8, 2013 at 3:03 am

    ovh never read abuse.

    On abuse.ovh.net we can’t poste brute force abuse.



  10. The Claw on February 23, 2014 at 9:28 pm

    OVH are absolute scum, bottom-feeders of the internet.

    We have seen an endless parade of registration bots, brute-force login attempts, trackback posting bots, SQL injection attempts, every form of malware known to man, all originating from OVH IP addresses.

    When management are obviously complicit in the spam and hacking attempts, there’s no point emailing their abuse address. Just block every IP range you see of theirs and forget about them.



  11. Web01 on January 2, 2016 at 9:17 am

    OVH are pure scum, they attack all mysql websites. Remedy is to catch them by creating a form with database access which is not visible to the public and log the ip’s. Copy and paste the ip’s into a whois website and get the ranges. Then you need to block these ranges in cpanel.
    Hey OVH and OPH FUCK YOU. CRIMINAL SCUM.



  12. Scott Adderson on January 16, 2021 at 8:08 pm

    They are at it again my site has been targeted with 24 failed log in attempts.



Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Steve Borsch

Strategist. Learner. Idea Guy. Salesman. Connector of Dots. Friend. Husband & Dad. CEO. Janitor. More here.

Facebook | Twitter | LinkedIn

Posts Menu

Posts by Category

Archives (2004 – Present)

Tags

#Minnedemo Adobe apple bitcoin bodyscanning civil liberties coffee collaboration communications Computing COVID-19 education Featured flash food formaldehyde HD HD video heavy rain history of computing Internet of Things #IoT iPad London meaning micropayments obama oil organic penny photo archiving photo retouching processed food ps3 Senseo Social Media storytelling toxic TSA Twitter video VPN webconferencing Wikileaks Wordpress Woz

Connecting the Dots Podcast

Podcasting hit the mainstream in July of 2005 when Apple added podcast show support within iTunes. I'd seen this coming so started podcasting in May of 2005 and kept going until August of 2007. Unfortunately was never 'discovered' by national broadcasters, but made a delightfully large number of connections with people all over the world because of these shows. Click here to view the archive of my podcast posts.