Brute Force Attacks Coming From OVH in France
If you have a website or blog, expect that cyber attacks, malware, database injections and other crimes are going to accelerate in 2013 so we all need to take actions to ward off the inevitable compromises we’ll undoubtedly experience.
Throughout 2012 I logged all activity on this blog and on many of my sites. Analyzing our logs I’ve found that numerous attacks — specifically ones where someone is running a script to perform brute force login attempts with the default username “admin” — emanate from the same ISPs and hosting companies as well as the same domains. So I thought I’d do this post as an “open letter” to the founder of OVH.com and see if he’s willing to engage in a discussion and take some action to stop it.
Wait until you read the updates and, especially, A HUGE COINCIDENCE?
TO: OVH Founder Octave Klaba
SUBJECT: Attacks Generated from OVH IPs
While I have taken to blocking some countries in total due to all of the attacks on this blog, I have instead added more security layers and closed as many holes as possible. Unfortunately there are ongoing brute force login attempts and scanning occurring from Kimsufi.com (an OVH entity) and the ones listed here have happened in just the last week:
- 29 December 2012
- Paris, France attempted a failed login using an invalid username “admin”.
- IP: 126.96.36.199
- Hostname: ks383693.kimsufi.com
- 30 December 2012
- An unknown location at IP 188.8.131.52 attempted a failed login using an invalid username “admin”.
- IP: 184.108.40.206
- Hostname: ks22943.kimsufi.com
- 4 January 2013
- An unknown location at IP 220.127.116.11 attempted a failed login using an invalid username “admin”.
- IP: 18.104.22.168
- Hostname: ks3289006.kimsufi.com
- 5 January 2013
- An unknown location at IP 22.214.171.124 attempted a failed login using an invalid username “admin”.
- IP: 126.96.36.199
- Hostname: ks3289007.kimsufi.com
- 5 January 2013
- An unknown location at IP 188.8.131.52 attempted a failed login using an invalid username “admin”.
- IP: 184.108.40.206
- Hostname: ks3289009.kimsufi.com
In addition to these attacks I have logged just on this blog, I have also discovered numerous entries at ProjectHoneypot.org that identify IPs generating from Kimsufi/OVH which are spamming, performing brute force attacks and more.
Please let me know what steps you will take to stop these attacks.
UPDATE 1/7/13: I tweet to Octave (and send him an email after finding it at Whois) and this is the smart ass reply he sends. As the leader of OVH, he should actually be embarrassed since he comes across as a complete douchebag who could seemingly care less about taking any action.
A HUGE COINCIDENCE?
After receiving a few comments on this post at about 1pm CST today all my sites went down. I contacted Dreamhost technical support and it turns out — for the first time EVER in 14 years of hosting websites — that my virtual private server was receiving a “UDP flood” as a distributed denial of service attack. Dreamhost simply turned off UDP so the sites came back up, but I suspect this isn’t the end of this adventure.
Gee…what a coincidence this happened today. Though it is highly unlikely Dreamhost or I will ever be able to trackback to the originating IP address and discover where this attack emanated from, I can tell you that none of this happened until I verbally bitch-slapped Octave Klaba on Twitter. Could be Klaba asking others to do attack for him, could be script kiddies in support of him, or it might be none of that and is just a coincidence (the latter which I’m saying to ensure I can’t get sued for libel as I have no proof).
UPDATE 1/8/13: Now that I’m getting over the flu I’m perhaps a bit more rational. Again, I have no proof and it is my opinion that something is going on which suddenly appeared after this began. I doubt Klaba had anything to do with it (too much to lose) but the untraceable nature of this sort of attack makes it simple for any geek to do if they had a compelling reason to go after a small blog like mine. If you could see the access logs I read and the volume of attacks that occur every single day, you’d be agitated also.