please firewall !

Posted: Mon Sep 11, 2017 7:42 pm
by sokrat
Hi venerable Admin,

Can you do something to get rid of those ugly connections?

Lost connection: c7052 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).
Lost connection: c7053 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).
Lost connection: c7054 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).

They're ruining the chat of LT38 :(
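As an added illustration (not part of this thread), a small log filter that counts the "Lost connection" lines quoted above per remote host and flags hosts that keep reconnecting; the hostname is the one from the post, the other log lines and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of freeciv-server log output in the format quoted above.
# The ec2-* host is the one from the post; the other host is made up.
SAMPLE_LOG = """\
Lost connection: c7052 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).
Lost connection: c7053 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).
Lost connection: c7054 from ec2-52-201-46-197.compute-1.amazonaws.com (client disconnected).
Lost connection: c7055 from player-home.example.net (client disconnected).
"""

# connection id, remote host, reason
LOST_RE = re.compile(r"^Lost connection: (c\d+) from (\S+) \((.*)\)\.$")

# Amazon's reverse-DNS names embed the public IPv4 address, e.g. ec2-52-201-46-197.
EC2_RDNS_RE = re.compile(r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


def count_disconnects(log_text):
    """Return a Counter of 'Lost connection' events per remote host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOST_RE.match(line.strip())
        if m:
            counts[m.group(2)] += 1
    return counts


def noisy_hosts(log_text, threshold=3):
    """Hosts with at least `threshold` disconnects, most frequent first."""
    return [(host, n) for host, n in count_disconnects(log_text).most_common()
            if n >= threshold]


def ec2_ip_from_rdns(hostname):
    """Recover the IPv4 address encoded in an EC2 reverse-DNS name, or None.

    A PTR record is controlled by whoever owns the reverse zone, so confirm
    this against the real peer address from the server before adding a rule.
    """
    m = EC2_RDNS_RE.match(hostname)
    return ".".join(m.groups()) if m else None


if __name__ == "__main__":
    for host, n in noisy_hosts(SAMPLE_LOG):
        print(f"{host}: {n} disconnects (ip={ec2_ip_from_rdns(host)})")
```

The returned address is what a host firewall rule would match on; the server's own peer-address log, not the reverse name, is the authoritative source.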

Posted: Mon Sep 11, 2017 8:57 pm
by cgalik
I second that. Not sure if it's possible, but that would be great.

Posted: Fri Sep 15, 2017 1:31 pm
by wieder
Made an abuse report about this to amazonaws.com

Let's see if they can make it stop.

Posted: Tue Sep 19, 2017 7:51 am
by wieder
Hello,

Thank you for submitting your abuse report. We have begun our investigation into the source of the activity or content you reported.

We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report.

We will investigate your complaint to determine what additional actions, if any, need to be taken in this case. Due to our privacy and security policies, we cannot provide details regarding the resolution of this case, or the identity of our customer. We may notify you during our investigation if our customer requires more information from you to complete their troubleshooting of the issue. Our customer may reply stating that the activity or content is expected and instructions on how to prevent the activity or manually remove the content, as well. If you wish to provide additional information to us or our customer regarding this case, please reply to this email.

Please note that if we determine the activity or content to not be abusive, we will notify you and resolve the case; we may refrain from communicating further, in that case.

We will notify you once this case has been marked resolved. Thank you for alerting us to this issue.

Regards,
AWS Abuse Team

Posted: Tue Sep 19, 2017 10:54 am
by ptizoom
They are really covering themselves by using complicated terms!

Posted: Tue Sep 19, 2017 10:56 am
by Corbeau
This looks like an automated response.

Posted: Tue Sep 19, 2017 12:42 pm
by wieder
Maybe automated but not 100% automated since I got the reply 4 days after reporting about the problem.

Posted: Tue Sep 19, 2017 2:33 pm
by Lord_P
Just out of interest... Is the Longturn host server shared with something that might be worth hacking?
Looks like someone just found an open port on a server/IP that they are targeting for another reason, and has been trying to find a working username for whatever they think the service is.
If they were actually trying to hack LT (who would want to?) it would be a lot faster to use one of our publicly available usernames :P

Posted: Tue Sep 19, 2017 3:53 pm
by Corbeau
I'd say it's a virus.

Posted: Wed Sep 20, 2017 6:47 am
by ptizoom
Lord_P, Wieder, Corbeau et al,

Once I set up a Kamailio server, and one week after sitting there on the web...
a continuous ping at a 1 second interval appeared... even with a message attached to it like "I am a friendly ping"!... such an anodyne message.
And then, like the sorcerer's apprentice and his brooms... more appeared from other hosts... but always at the same rate.
Filtering the host would only make it angry and try harder than 1 ping/s, up to the limit of a DOS; in fact we do not know what twisted algorithm is at work!

Whoever made this fishing software is up to no good.
I think, like the cuckoo, it is looking to breach and make this LT server another "pinging" host...
if not, convert it to a stronghold for striking another site!

I guess it is because the login is not done through a stronger software filtering the spam right from the port; like say wrapped with "ssh"?

As you might have noticed at the start of the game, the bot could not enter at all, but now I read that sometimes it reaches a second stage of login...
It must have found a valid user name at this stage.

I guess with our weak and clear md5 passwords it is a matter of time to exploit freeciv-server security bugs and convert the machine!
wieder, I hope you have partitioned and backed up your server separately from the rest. Maybe a chroot / VM / Xen / dedicated hardware or so is enough?

Posted: Thu Sep 21, 2017 4:50 pm
by cgalik
Thanks, akfaew!

Posted: Sat Sep 23, 2017 8:32 am
by Marduk
Yeah, thanks man!

Recently web-longturn (Andreas) also got hacked, could it be related?