I think my server is under attack from the Chinese...

JeffreyWilliamson, Sat Feb-21-09 06:49 PM
Original message
I think my server is under attack from the Chinese...
My internet and network connection have been periodically slow for the last few weeks and it's been driving me nuts. I've scanned all the computers on the home network for spyware, viruses, and tried resetting the modem and router with varying degrees of luck.

This slowdown started a few minutes ago again. This time I pulled up a Remote Desktop connection to the server in the living room and opened the access log to see if anyone has been trying to access it. It covers the last 20 or so days and is about 10 miles long. It's nothing but one GIGANTIC string of hits from 2 different IP addresses and they seem to be trying to guess the username and password to get into the contents of the server.

I just mapped the location of the 2 IP addresses and they're coming from China.

:tinfoilhat: The Chinese are spying on me and want my vacation pictures and resume.

I just turned off the server and the internet resumed its normal speed. I guess I have to keep it offline for now.

Damn Chinese cyber terrorists ruining all my fun. If they really wanted to access the weekday live feed of my dog sleeping on the pool table, (a major no-no), all they had to do was e-mail me. I would have given them the address...

:-(

Warpy, Sat Feb-21-09 06:50 PM
Response to Original message
1. A DOS attack against a server is a big deal, actually
and you might want to contact the FBI.

Deja Q, Sat Feb-21-09 06:52 PM
Original message
Seconded. Post haste.

JeffreyWilliamson, Sat Feb-21-09 06:52 PM
Response to Reply #1
2. How would I do that?
I saved a copy of the access and error logs on this computer in case I needed them for some reason.

Deja Q, Sat Feb-21-09 07:04 PM
Response to Reply #2
9. www.fbi.gov
?

JeffreyWilliamson, Sat Feb-21-09 07:20 PM
Response to Reply #9
11. Hardee-har. I kind of figured that...
I didn't know if there's some special site or e-mail they prefer that someone may know, since I'm too lazy to go look for it myself.

Warpy, Sat Feb-21-09 07:28 PM
Response to Reply #2
18. Call the local office and explain it to them
and tell them you have logs. Copy the logs for your own benefit.

You can also go to the website and try to navigate around to computer fraud.

This might be an inconvenience you're tempted to laugh off, but they take it seriously, especially when it's coming from offshore.

JeffreyWilliamson, Sat Feb-21-09 10:19 PM
Response to Reply #18
25. I actually am taking it seriously, and will give them a call...
I originally had thought they were trying to get in for the files until you posted "DOS attack". Then it all fell into place.

Cleita, Sat Feb-21-09 06:52 PM
Response to Original message
3. LOL! Actually that happened to me and I eventually found out that my ISP
Edited on Sat Feb-21-09 06:56 PM by Cleita
slows down my service if I download too many bytes in a twenty four hour period. So if I stay under the limit I get to keep the speed. It sucks but I have to use them because of where I live.

47of74, Sun Feb-22-09 12:24 AM
Response to Reply #3
30. I had that problem too
We used to have satellite broadband. It was the only high speed thing available at the time for my location. It was better than dial up and the speed could be decent. But the amount they'd allow you to download a month before slowing you down (12 gig) was a joke. We hit that a couple times, eventually I started going to coffee shops all the time to do all my serious downloading of podcasts and other stuff.

Fortunately last December we were able to switch over to another service. This service uses radio towers to distribute internet service over the air to homes and businesses. It is so much faster and has unlimited downloading.

geckosfeet, Sat Feb-21-09 06:55 PM
Response to Original message
4. Block access for those IP addresses in an .htaccess file.

JeffreyWilliamson, Sat Feb-21-09 06:57 PM
Response to Reply #4
5. Good idea, will do. n/t

cliffordu, Sat Feb-21-09 07:21 PM
Response to Reply #4
12. Yep, yep...I loves me some .htaccess
And the fucking chinese used to try to hack me, too.....

Oregone, Sat Feb-21-09 07:23 PM
Response to Reply #4
14. To reduce any overhead, you are better off dropping the packets at the lowest level
Edited on Sat Feb-21-09 07:27 PM by Oregone
I would put a rule in iptables (if it's being run) to drop anything matching the IP range in question. I wouldn't even let it get further. Save Apache the trouble.
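Replies #4 and #14 both come down to the same two steps: find the source addresses behind the flood of login attempts in the access log, then refuse them, either in .htaccess (Apache still accepts the connection and reads the request) or earlier with an iptables DROP (the kernel discards the packet before Apache is involved). The following is an added example, not code from any poster in this thread. It parses a few constructed Apache combined-format log lines, flags any source that produced a burst of 401 (authentication failed) responses inside a short window, and emits the matching Apache 2.2 .htaccess deny lines and iptables commands. The addresses (RFC 5737 documentation ranges), the threshold and the window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format. The source addresses come from the
# RFC 5737 documentation ranges and stand in for the two addresses seen in the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Feb/2009:18:40:01 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [21/Feb/2009:18:40:01 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "-"
198.51.100.7 - - [21/Feb/2009:18:40:02 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "-"
203.0.113.9 - - [21/Feb/2009:18:41:10 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "-"
203.0.113.9 - - [21/Feb/2009:18:41:10 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "-"
192.0.2.44 - jeff [21/Feb/2009:18:45:00 -0600] "GET /files/vacation.zip HTTP/1.1" 200 52340 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Feb/2009:18:46:00 -0600] "GET /files/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# ip, ident, user, [timestamp], "request", status, bytes ... (the rest of the line is ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (ip, timestamp, status) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def failed_auth_sources(text, threshold, window_seconds):
    """Return {ip: total_401s} for every source with >= threshold 401s inside one window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ip, ts, status in parse_log(text):
        if status == 401:
            failures[ip].append(ts)
    offenders = {}
    for ip, stamps in failures.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:   # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def htaccess_rules(ips):
    """Apache 2.2-style .htaccess fragment that refuses the listed addresses (reply #4)."""
    return ["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in sorted(ips)]


def iptables_commands(ips):
    """iptables rules that drop the packets before Apache ever sees them (reply #14)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    bad = failed_auth_sources(SAMPLE_LOG, threshold=3, window_seconds=60)
    print("sources with a burst of failed logins:", bad)
    print("\n".join(htaccess_rules(bad)))
    print("\n".join(iptables_commands(bad)))
```

The generated rules are only strings here; review them before applying, and keep a copy of the raw log first, since the log is also the evidence the later replies suggest handing to the ISP's abuse desk or the FBI.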

Warren DeMontague, Sat Feb-21-09 06:58 PM
Response to Original message
6. Find a different restaurant.
Sorry. Couldn't resist.

JeffreyWilliamson, Sat Feb-21-09 06:59 PM
Response to Reply #6
7. Nicely done. n/t

blogslut, Sat Feb-21-09 07:01 PM
Response to Original message
8. You have a server in your house?
Or do you mean your router?

What firewall are you using?

JeffreyWilliamson, Sat Feb-21-09 07:19 PM
Response to Reply #8
10. Server...
Edited on Sat Feb-21-09 07:22 PM by JeffreyWilliamson
Serves media to the home network and files through the web if you have the username and password. It's also feeding a webcam of my dog's daily activities through JustinTV. I set it up a little over a year ago. This is the first problem I've had with it.

The dog service it provides is actually its best feature, IMHO. It always amazes me that as soon as I head out the door she immediately breaks every single rule in the house. When I'm home she won't even look at that pool table for fear of my reaction, but she'll practically live on it while I'm gone.

Edited to add: Dog feed available, (when the server is up and not being attacked), at www.jeffreywilliamson.net.

Warren DeMontague, Sat Feb-21-09 07:22 PM
Response to Reply #10
13. That's a riot.
You've got a webcam on the dog's collar, is that right?

That's great. :rofl:

JeffreyWilliamson, Sat Feb-21-09 07:25 PM
Response to Reply #13
16. Unfortunately it's not on her collar...
Edited on Sat Feb-21-09 07:26 PM by JeffreyWilliamson
That wouldn't last very long knowing her. I have a webcam mounted near the ceiling in the living room shooting down and into the den. You can see most of both rooms, especially the pool table.

She's terrified of even acknowledging it when I'm home. If I put a plate of food on it she'll act like it doesn't exist. Yet within 15 minutes of leaving she'll park herself on it. It's nuts.

Fleshdancer, Sat Feb-21-09 07:23 PM
Response to Reply #10
15. ROFL!
PLEASE tell me you've posted pics of your dog and the dog feed link to the lounge. Breaking every rule the moment you leave the house makes me love her instantly. :D

JeffreyWilliamson, Sat Feb-21-09 07:27 PM
Response to Reply #15
17. I haven't done that, but as soon as this is sorted I'm going to...
Edited on Sat Feb-21-09 07:31 PM by JeffreyWilliamson
It's been a month or so since I've had it broadcasting. I used to do it every day and need to start again.

It's hilarious, and when I say EVERY rule I'm in no way exaggerating, trust me.

foxfeet, Sat Feb-21-09 07:52 PM
Response to Reply #17
20. Off topic-- sorry; how are you doing in Galveston after the storm?
Is the reconstruction still hellish?

JeffreyWilliamson, Sat Feb-21-09 10:15 PM
Response to Reply #20
22. It's actually finally getting a good deal better...
Although there are still areas that are pretty bad. Many people are just beginning repairs, so there's still a good deal of debris lining the streets as people gut their homes. There don't seem to be any more electric/phone/internet issues, and a good number of businesses are up and running again. This weekend is Mardi Gras, and there were large crowds at the parade I just came back in from.

The biggest issue we're dealing with now is the loss of jobs--major employers are moving their businesses off the island or just cutting large numbers of staff. It's causing a job crunch for those who have remained. The Strand, (the historic shopping/tourist district downtown), was hit very hard and is still being repaired. Driving through that area is a real downer.

blogslut, Sat Feb-21-09 07:30 PM
Response to Reply #10
19. Well, there's your reason
That puppycam has gotten the attention of the packet sniffers.

sakabatou, Sat Feb-21-09 10:22 PM
Response to Reply #10
26. All I see is a guy lying there

JeffreyWilliamson, Sat Feb-21-09 10:23 PM
Response to Reply #26
27. It's turned off now until I can fix it.
I'll post a link to the working Dog Cam when it's up.

sakabatou, Sat Feb-21-09 10:25 PM
Response to Reply #27
28. Oh ok

AnnieBW, Sat Feb-21-09 08:50 PM
Response to Original message
21. If you've been hacked by the Chinese
An hour later you'll be attacked again.

JeffreyWilliamson, Sat Feb-21-09 10:16 PM
Response to Reply #21
24. This was actually how the "hits" were spaced out in the server log...
It seemed like there would be a round of 50 - 100 "hits" by one IP address, followed by the same thing from the other, and then nothing for a day or so. Then it starts back up again. It seems to occur at regular intervals in the log.

AnnieBW, Sun Feb-22-09 01:31 AM
Response to Reply #24
35. Interesting
Srsly. That is strange. And rather obvious for a Chinese hacker.

BlooInBloo, Sat Feb-21-09 10:15 PM
Response to Original message
23. lol!

MattBaggins, Sun Feb-22-09 12:16 AM
Response to Original message
29. Instead of blaming the chinese
stop downloading porn with bittorrent or change the settings to clear dropped/inactive connections faster and stop storing recent connections in the buffer for so long.

KakistocracyHater, Sun Feb-22-09 12:25 AM
Response to Original message
31. I am not surprised
the Chinese have been doing this for awhile & with the way things are going it may escalate. I wonder if they have built in a blind patch & that's why those 2 submarines collided?

Rosa Luxemburg, Sun Feb-22-09 12:31 AM
Response to Original message
32. maybe you could look at their vacation photos?

area51, Sun Feb-22-09 12:40 AM
Response to Original message
33. Contact the Abuse Dept. of whatever ISP(s) they're coming in from,
give them copies of the logfile(s) showing the attack.

NavyDem, Sun Feb-22-09 01:28 AM
Response to Original message
34. Username/Password attempts
Sounds like they're attempting a brute force/dictionary attack in concert with the DOS attack. If not already doing so, I would institute password shadowing (using Linux right?) and change passwords to be at least 10-15 characters using upper-case, lower-case, and special characters. Ensure that you do not use birthdates, or easy to guess combinations, or keyboard walks (ex: qwerty7890).

Also make sure that you're not running any services that aren't necessary, and if running an internal private IP addressing scheme, make sure that you've set up the external access to not allow any packets with your internal address to enter the network (prevents IP spoofing).

Hope some of this helps.

Sincerely,
Thomas Kangas

JeffreyWilliamson, Sun Feb-22-09 01:57 AM
Response to Reply #34
36. It's running an extra copy of Windows FLP...
Due to the specs, and because FLP is a trimmed-down version of XP Professional, it still offers the Terminal Server so that I can connect to it from another computer.

The username and password of the server were very simple. I would have thought that it would have been very easy to break open. The more I think about it, and the more I think about my network slowing to a crawl, I think the object was to knock it offline. The error log suggests that it went offline a few times during the attacks, so it must have been somewhat successful.

I am concerned that a virus on the server itself may have led to this. I'm going to pull the drives tomorrow and scan them through this pc, (much better virus software), and see if I can find anything. I may try to wipe the OS partition and reinstall to make sure I take anything serious out.

NavyDem, Sun Feb-22-09 03:34 AM
Response to Reply #36
37. Not a bad idea
to scan for virii. Hopefully you won't have to slick it, and rebuild. If you have a firewall of some type installed, you can try blocking TCP and UDP port 3389 which is used for terminal services. Also, set the terminal services for administrative access only in its installation, which will allow you to access terminal services only with an XP Administrative account.

I'm not sure what all services run in FLP, but anything that is not necessary for you to remotely connect, it would be a good idea to disable. That prevents the possibility of hackers attempting backdoor attacks on service vulnerabilities. Let me know (by PM) what services run on it, and I can let you know which ones you could probably safely disable.

If they truly are attempting brute force/dictionary attacks, it would only be a matter of time before they become successful. You can mitigate that a little by setting up password protection that locks the account after a certain number of invalid attempts.

Hope this helps.

Sincerely,
Thomas Kangas
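Replies #34 and #37 recommend two controls against the guessing described in the original post: stronger passwords (10 characters or more, mixed character classes, no birthdates or keyboard walks such as qwerty7890) and locking the account after a number of invalid attempts. This added example is mine and not anything the posters wrote; it implements both in Python as a password-policy check and a small failed-login tracker that locks an account after N failures inside a time window and releases it automatically. The thresholds, the keyboard-row table (US layout only), the "long digit run" heuristic for dates, and the test passwords are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Keyboard rows used to spot "walks" such as qwerty or 7890 (constructed table, US layout only).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 10  # lower bound from reply #34


def has_keyboard_walk(password, run=4):
    """True if `run` or more adjacent keys from one row appear in order (or reversed)."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            fragment = row[i:i + run]
            if fragment in low or fragment[::-1] in low:
                return True
    return False


def password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if re.search(r"\d{6,}", password):
        problems.append("contains a long digit run (looks like a date)")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk")
    return problems


class LoginGuard:
    """Track failed logins per account and lock the account after too many in a window.

    Times are plain seconds (e.g. from time.time()) so the class can be exercised offline.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        """Callers check this before even looking at the password."""
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Register one bad attempt; return True if this attempt triggered a lock."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account):
        """A good login resets the failure count (an active lock still runs to expiry)."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    print(password_problems("qwerty7890"))
    guard = LoginGuard(max_failures=3, window_seconds=60, lockout_seconds=600)
    for t in (0, 10, 20):
        print("failure at", t, "-> locked:", guard.record_failure("admin", t))
    print(guard.is_locked("admin", 30), guard.is_locked("admin", 700))
```

One caveat worth knowing before turning lockout on: whoever is feeding the server bad passwords can then lock the legitimate owner out at will, which is a denial of service of its own. That is why the lock above expires on its own after lockout_seconds rather than needing a manual reset, and why in practice it is paired with throttling or blocking by source address, so a single remote host cannot keep the account locked indefinitely.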