Brute Force Attacks Coming From OVH in France
If you have a website or blog, expect that cyber attacks, malware, database injections and other crimes are going to accelerate in 2013, so we all need to take action to ward off the inevitable compromises we’ll undoubtedly experience.
Throughout 2012 I logged all activity on this blog and on many of my sites. Analyzing our logs I’ve found that numerous attacks — specifically ones where someone is running a script to perform brute force login attempts with the default username “admin” — emanate from the same ISPs and hosting companies as well as the same domains. So I thought I’d do this post as an “open letter” to the founder of OVH.com and see if he’s willing to engage in a discussion and take some action to stop it.
Wait until you read the updates and, especially, A HUGE COINCIDENCE?
TO: OVH Founder Octave Klaba
SUBJECT: Attacks Generated from OVH IPs
While I have taken to blocking some countries entirely because of all the attacks on this blog, I have also added more security layers and closed as many holes as possible. Unfortunately there are ongoing brute force login attempts and scanning occurring from Kimsufi.com (an OVH entity), and the ones listed here have happened in just the last week:
- 29 December 2012
  - Paris, France attempted a failed login using an invalid username “admin”.
  - IP: 220.127.116.11
  - Hostname: ks383693.kimsufi.com
- 30 December 2012
  - An unknown location at IP 18.104.22.168 attempted a failed login using an invalid username “admin”.
  - IP: 22.214.171.124
  - Hostname: ks22943.kimsufi.com
- 4 January 2013
  - An unknown location at IP 126.96.36.199 attempted a failed login using an invalid username “admin”.
  - IP: 188.8.131.52
  - Hostname: ks3289006.kimsufi.com
- 5 January 2013
  - An unknown location at IP 184.108.40.206 attempted a failed login using an invalid username “admin”.
  - IP: 220.127.116.11
  - Hostname: ks3289007.kimsufi.com
- 5 January 2013
  - An unknown location at IP 18.104.22.168 attempted a failed login using an invalid username “admin”.
  - IP: 22.214.171.124
  - Hostname: ks3289009.kimsufi.com
In addition to these attacks I have logged just on this blog, I have also discovered numerous entries at ProjectHoneypot.org that identify IPs originating from Kimsufi/OVH which are spamming, performing brute force attacks and more.
Please let me know what steps you will take to stop these attacks.
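The entries above are what a person reads out of an access log by hand. Here is an added example (not the post's own code, and not anything OVH ships) of doing the same thing automatically: flag IPs that fail wp-login.php repeatedly inside a short window and attach their reverse-DNS name. The log lines, the RFC 5737 documentation addresses and the PTR map are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (Apache combined format). IPs are RFC 5737
# documentation addresses; only the ks*.kimsufi-style hostname pattern is
# borrowed from the post. Added example, not the post's own code.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2013:03:14:01 -0600] "POST /wp-login.php HTTP/1.1" 200 3580 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jan/2013:03:14:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3580 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Jan/2013:03:14:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3580 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2013:03:21:40 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Jan/2013:03:30:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3580 "-" "python-requests/1.0"
"""

# Constructed reverse-DNS results; a live script would call socket.gethostbyaddr.
PTR = {"192.0.2.10": "ks0000000.kimsufi.example", "203.0.113.44": "vps.example.net"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_logins(log_text):
    """Map IP -> timestamps of failed wp-login.php POSTs. WordPress answers a
    bad password by re-rendering the form (200); a real login redirects (302)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            hits[rec[0]].append(rec[1])
    return hits

def suspects(log_text, threshold=3, window=timedelta(minutes=10)):
    """IPs with >= threshold failures inside any `window`, as {ip: (total, ptr)}."""
    out = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                out[ip] = (len(times), PTR.get(ip, "unresolved"))
                break
    return out
```

With `threshold=1` the function also reports the one-failure-per-day pattern listed above, which is why a PTR name is attached: a single failure only becomes interesting once several of them resolve to the same hosting platform.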
UPDATE 1/7/13: I tweeted to Octave (and sent him an email after finding it via Whois) and this is the smart-ass reply he sent. As the leader of OVH, he should actually be embarrassed since he comes across as a complete douchebag who seemingly couldn’t care less about taking any action.
A HUGE COINCIDENCE?
After receiving a few comments on this post at about 1pm CST today all my sites went down. I contacted Dreamhost technical support and it turns out — for the first time EVER in 14 years of hosting websites — that my virtual private server was receiving a “UDP flood” as a distributed denial of service attack. Dreamhost simply turned off UDP so the sites came back up, but I suspect this isn’t the end of this adventure.
Gee…what a coincidence this happened today. Though it is highly unlikely Dreamhost or I will ever be able to trace back to the originating IP address and discover where this attack emanated from, I can tell you that none of this happened until I verbally bitch-slapped Octave Klaba on Twitter. It could be Klaba asking others to do the attack for him, it could be script kiddies in support of him, or it might be none of that and just a coincidence (the latter of which I’m saying to ensure I can’t get sued for libel, as I have no proof).
UPDATE 1/8/13: Now that I’m getting over the flu I’m perhaps a bit more rational. Again, I have no proof and it is my opinion that something is going on which suddenly appeared after this began. I doubt Klaba had anything to do with it (too much to lose) but the untraceable nature of this sort of attack makes it simple for any geek to do if they had a compelling reason to go after a small blog like mine. If you could see the access logs I read and the volume of attacks that occur every single day, you’d be agitated also.
About Steve Borsch
Strategist. Learner. Idea Guy. Salesman. Connector of Dots. Friend. Husband & Dad. CEO. Janitor. More here.
ovh.com is hosting 150’000+ dedicated servers 😉
as already said, for scans or attack problems, send a mail to firstname.lastname@example.org ^^
Site is in French. Also what’s “lazy and ridiculous” is that Octave couldn’t forward it to his own team, tell me he did that, and then say something like, “In the future please use email@example.com to let us know about abuse.”
To do what he did shows he’s not a leader and doesn’t care what happens within the bowels of OVH.
You need an American site in order to send email to firstname.lastname@example.org?
Can’t you see 11 flags at the bottom of http://www.ovh.com?...
Only 1 failed login per day on https://iconnectdots.com/wp-login.php is an attack for you??? It’s a joke?
Install ecSTATic and you will have many options to block this.
First of all thank you for this post!! I am glad I am not alone with these stupid Kimsufi attacks. In fact I suspect there must be hundreds or even thousands… And I suppose that a lot of folks who get attacked are using the WORDFENCE plugin… So just as an idea: why not get Mark Maunder (I am not sure I got his name right) from WORDFENCE involved and he gathers all those under attack and then together we make a plea to this Octave Klaba to take action. I suppose that via the WORDFENCE plugin it should be possible to see how many blogs are being attacked by this Kimsufi guy. Just an idea…
I did write to email@example.com – but to no avail.
Thank you – Barbara
OVH is still alive and well. On a forum I run I’ve been hounded by fake registrations that trace back to ovh.net. The result is that I had to block 130,000 IP addresses to slow them down. My forum has little interest to people in France so I can risk affecting real users. I know there are more IPs to find and block.
What is the purpose of large numbers of registrations that never post?
Though the founder and CEO, Octave Klaba (Oles), is someone who seems to have little interest in being a good internet citizen or has somehow defined his place in cyberspace in some unique way.
As you can see from this post, my blog got its first DDoS attack (though I’d been blogging for EIGHT YEARS) after my interactions with Octave. Curiously I somehow got on a list of script kiddies trying to hack into WordPress sites and it’s been going on for nearly a year. In fact, this morning I had over 500 attempts in an hour — and I’ve discovered in my logs that a lot of them emanate from Kimsufi, one of OVH’s platforms.
a) Try sending “Oles” a tweet
b) Go to Abuse.OVH.Net and report an abuse.
Good luck complaining though.
Things that worked for me.
First, when you get an attack, trace the IP then run whois on it. Whois will give you an entry in a database along with that complete IP range. Ban the range. OVH has many ranges and you won’t get them in one hit. This cut my problems in half eventually.
Second, and most effective: set a registration question with an invalid answer as default.
The bots don’t read the question but try to guess the answer based on the default. I won’t post my question but it is impossible for a person to fail and appears impossible for a machine to answer.
I went from 300 fake registrations a day to 3 a month. 3 a month I can deal with.
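The whois-then-ban-the-range step in the comment above (the same approach another commenter describes further down with cPanel) is easy to get wrong by hand when an allocation is given as a start/end pair rather than a CIDR. This added example, not the commenter's or the post's code, turns constructed whois range strings into networks, groups logged offenders by the range that contains them, and emits Apache 2.2 `Deny from` lines; the ranges and owner names are RFC 5737 placeholders, not any real hoster's allocations.

```python
import ipaddress

# Constructed whois output for this example: the ranges are RFC 5737
# documentation blocks standing in for whatever inetnum/route lines a real
# whois answer returns; nothing here is an actual hoster's allocation.
WHOIS_RANGES = {
    "192.0.2.0 - 192.0.2.255": "EXAMPLE-HOSTER-1",
    "198.51.100.0/24": "EXAMPLE-HOSTER-2",
}

# Offending IPs as collected from the logs (constructed).
OFFENDERS = ["192.0.2.10", "192.0.2.77", "198.51.100.7", "203.0.113.44"]

def to_networks(whois_ranges):
    """Turn whois 'start - end' or CIDR strings into summarised networks."""
    nets = {}
    for text, owner in whois_ranges.items():
        if " - " in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
            for n in ipaddress.summarize_address_range(lo, hi):
                nets[n] = owner
        else:
            nets[ipaddress.ip_network(text, strict=False)] = owner
    return nets

def classify(offenders, nets):
    """Group offender IPs by the whois range that contains them; IPs outside
    every known range are returned under None so they can be looked up next."""
    groups = {}
    for ip_text in offenders:
        ip = ipaddress.ip_address(ip_text)
        hit = next((n for n in nets if ip in n), None)
        groups.setdefault(hit, []).append(ip_text)
    return groups

def apache_deny_rules(nets):
    """Emit Apache 2.2 mod_authz_host lines (the .htaccess style of the era)
    blocking each whole range, with the whois owner as a comment.
    Apache 2.4 replaced this with 'Require not ip' under mod_authz_core."""
    lines = []
    for net, owner in sorted(nets.items(), key=lambda kv: str(kv[0])):
        lines.append(f"# {owner}")
        lines.append(f"Deny from {net.with_prefixlen}")
    return lines

def banned(ip_text, nets):
    """True if a visitor's IP falls inside any banned range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in n for n in nets)
```

The `None` group is the work queue: those are the IPs whose range you still have to look up, which is the "you won't get them in one hit" part of the comment.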
OVH never reads abuse.
On abuse.ovh.net we can’t post brute force abuse.
OVH are absolute scum, bottom-feeders of the internet.
We have seen an endless parade of registration bots, brute-force login attempts, trackback posting bots, SQL injection attempts, every form of malware known to man, all originating from OVH IP addresses.
When management are obviously complicit in the spam and hacking attempts, there’s no point emailing their abuse address. Just block every IP range you see of theirs and forget about them.
OVH are pure scum, they attack all MySQL websites. Remedy is to catch them by creating a form with database access which is not visible to the public and log the IPs. Copy and paste the IPs into a whois website and get the ranges. Then you need to block these ranges in cPanel.
Hey OVH and OPH FUCK YOU. CRIMINAL SCUM.
They are at it again; my site has been targeted with 24 failed login attempts.