Capita still allowing hacking from their network

So several days after reporting to Capita that they had a compromised machine on their network what do I see but the same IP address come back and start doing exactly the same thing. A search on the internet shows that other people have had this same IP address hitting them.

So tell me Capita – what are you doing to stop this criminal activity?

Given that your company runs several large scale contracts for the government but you apparently are unable to stop illegal activity from your networks what does that say about your own internal security? If that machine is compromised what else is? What machines on your network are compromised and stealing personal information on UK Citizens?

So first it was the Chinese, then it was the Brazilians. Now it’s Capita trying to break into my site.

Capita – that company who the UK Government think can be trusted to run so much of our infrastructure can’t apparently stop their own network from being used to attempt to hack servers:

31.222.208.86 - - [03/Dec/2014:01:22:43 +0000] "GET /wp/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:43 +0000] "GET /Wp/wp-login.php HTTP/1.1" 404 12141 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:44 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:44 +0000] "GET /Wordpress/wp-login.php HTTP/1.1" 404 12260 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:44 +0000] "GET /test/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:45 +0000] "GET /Test/wp-login.php HTTP/1.1" 404 12175 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:45 +0000] "GET /site/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:45 +0000] "GET /Site/wp-login.php HTTP/1.1" 404 12175 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:45 +0000] "GET /old/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:46 +0000] "GET /Old/wp-login.php HTTP/1.1" 404 12158 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:46 +0000] "GET /shop/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:46 +0000] "GET /Shop/wp-login.php HTTP/1.1" 404 12175 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:47 +0000] "GET /store/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:47 +0000] "GET /Store/wp-login.php HTTP/1.1" 404 12192 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:47 +0000] "GET /blog/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:48 +0000] "GET /Blog/wp-login.php HTTP/1.1" 404 12175 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:48 +0000] "GET /blogs/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:48 +0000] "GET /Blogs/wp-login.php HTTP/1.1" 404 12192 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:49 +0000] "GET /forum/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:01:22:49 +0000] "GET /Forum/wp-login.php HTTP/1.1" 404 12192 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /wp/wp-login.php HTTP/1.1" 404 293 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 300 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /test/wp-login.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /site/wp-login.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /old/wp-login.php HTTP/1.1" 404 294 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /shop/wp-login.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /store/wp-login.php HTTP/1.1" 404 296 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /blogs/wp-login.php HTTP/1.1" 404 296 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
31.222.208.86 - - [03/Dec/2014:08:20:33 +0000] "GET /forum/wp-login.php HTTP/1.1" 404 296 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '31.222.208.0 - 31.222.208.255'

% Abuse contact for '31.222.208.0 - 31.222.208.255' is 'lir @ capita.co.uk'

inetnum: 31.222.208.0 - 31.222.208.255
netname: OPENHIVEisp
descr: Capita
country: GB
remarks: INFRA-AW
org: ORG-AGP1-RIPE
admin-c: SYN3-RIPE
tech-c: SYN3-RIPE
status: ASSIGNED PA
mnt-by: synetrix
source: RIPE # Filtered

organisation: ORG-AGP1-RIPE
org-name: Synetrix (Holdings) Limited
org-type: LIR
address: Synetrix Neil Tramaseur Synetrix House, 49 – 51 Victoria Rd GU14 7PA Farnborough UNITED KINGDOM
phone: +44 1252 405600
fax-no: +44 1252 405605
abuse-mailbox: lir @ synetrix.co.uk
admin-c: NT722-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: synetrix
mnt-by: RIPE-NCC-HM-MNT
abuse-c: SA3890-RIPE
source: RIPE # Filtered

role: Synetrix Ltd
address: Innovation Court
address: New Street
address: Basingstoke
address: Hampshire
address: RG21 7DN
phone: +441256 383600
abuse-mailbox: lir @ capita.co.uk
admin-c: SA3890-RIPE
tech-c: ST2925-RIPE
nic-hdl: SYN3-RIPE
mnt-by: synetrix
source: RIPE # Filtered
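The access log excerpt earlier in this post shows one client requesting wp-login.php under a series of guessed directories, each tried in lower case and capitalised, within a few seconds. The following detector for that pattern is an added example, not code from the original post; the sample lines are constructed (documentation IP ranges, shortened user agent) and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the excerpt in this post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TARGET = "wp-login.php"


def parse(line):
    """Return (ip, timestamp, path without query) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["path"].split("?", 1)[0]


def find_wplogin_scanners(lines, min_prefixes=5, window=timedelta(seconds=60)):
    """Map each client IP to the directory prefixes it probed for wp-login.php,
    for clients that tried at least min_prefixes distinct prefixes inside one window.
    Prefixes are case-folded so /wp/ and /Wp/ count as one guess."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        lowered = path.lower()
        if lowered.endswith("/" + TARGET):
            hits[ip].append((ts, lowered[: -len(TARGET)]))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {prefix for _, prefix in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_prefixes:
            flagged[ip] = sorted(best)
    return flagged


# Constructed sample: one scanner (203.0.113.7) and one ordinary login (198.51.100.20).
SAMPLE = """\
203.0.113.7 - - [03/Dec/2014:01:22:43 +0000] "GET /wp/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2014:01:22:43 +0000] "GET /Wp/wp-login.php HTTP/1.1" 404 12141 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2014:01:22:44 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2014:01:22:44 +0000] "GET /test/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2014:01:22:45 +0000] "GET /site/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2014:01:22:45 +0000] "GET /old/wp-login.php HTTP/1.1" 301 - "-" "Mozilla/5.0"
198.51.100.20 - - [03/Dec/2014:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Dec/2014:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, prefixes in find_wplogin_scanners(SAMPLE).items():
        print(ip, "probed", ", ".join(prefixes))
```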

Bits and bobs

Although I should be working on getting all the data loaded into the Canalplan Boats Database I’ve not been making a lot of progress on getting the new data and the old data mapped into a new structure which I wanted to use to make the data better.

As well as that it’s been a continual battle against the scum who just want to break servers and use them to post spam, send spam or compromise their websites.

Ecatel Limited seem to be a company who delight in hosting scammers and criminals. They had several machines in several different IP address blocks all hammering the xmlrpc.php file on this server. Doing some research into this shows that this problem has been going on for over 18 months and Ecatel do not seem to do anything about it. Emails to their abuse department went unreplied which seems to be pretty much par for the course. So their CIDRs have been firewalled.

The Shellshock attempts continue from various places and although some companies have replied quickly others simply haven’t.

You do wonder how much better the internet could be if people building websites and on-line systems didn’t have to devote significant resources to stopping scum from attempting to break things. All these stupid attempts against servers are also using up resources that should be being used to serve real data to real users.

Scribbled notes on fixing bad blocks

#smartctl -t short /dev/sdb

then

#smartctl -a /dev/sdb

SMART Self-test log structure revision number 1
Num  Test_Description    Status                    Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure       20%        50556        1132724807
# 2  Extended offline    Completed: read failure       90%        50556        490221916
# 3  Short offline       Completed: read failure       20%        50556        490221916
# 4  Short offline       Completed: read failure       20%        50555        490221916
# 5  Extended offline    Completed: read failure       90%        50555        490221917
# 6  Short offline       Completed: read failure       20%        50554        490221916
# 7  Short offline       Completed: read failure       20%        50554        490221916
# 8  Offline             Aborted by host               90%        50554        -
# 9  Short offline       Completed without error       00%        42680        -
#10  Short offline       Completed without error       00%           42        -

#fdisk -lu /dev/sdb

Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x447d8526

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1              63  1953520064   976760001   83  Linux

root@kodaly:~# tune2fs -l /dev/sdb1 | grep Block
Block count: 244190000
Block size: 4096
Blocks per group: 32768

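Use the LBA_of_first_error from the self-test log and the partition start sector (63, from fdisk) in the following calculation, which converts 512-byte sectors into 4096-byte filesystem blocks:

#echo "(1132724807-63)*512/4096" | bc -l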

141590593.00000000000000000000

#debugfs
debugfs 1.42 (29-Nov-2011)
debugfs: open /dev/sdb1
debugfs: testb 141590593
Block 141590593 not in use

If it reports the block as not in use, zero it out:

# dd if=/dev/zero of=/dev/sdb1 bs=4096 count=1 seek=141590593

# sync

then

# smartctl -t long /dev/sdb

If it reports the block as in use, find the file that owns it:

Block 141623865 marked in use
debugfs: icheck 141623865
Block Inode number
141623865 35397635

debugfs: ncheck 35397635
Inode Pathname
35397635 /shares/stuff/Steves Lapto/backups/myers/investigations/Everyman/media/Audio/hitmike.wav
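The sector-to-block calculation in these notes, as an added example that is not part of the original notes. It uses integer division, so an LBA that falls part-way through a filesystem block still maps to a whole block number, and it rejects LBAs outside the partition or past the end of the filesystem. The function names are hypothetical; the numbers are the ones shown in the smartctl, fdisk and tune2fs output above.

```python
def lba_to_fs_block(lba, part_start, part_end, block_count,
                    sector_size=512, block_size=4096):
    """Map a whole-disk LBA (smartctl's LBA_of_first_error) to a filesystem block.

    Returns (block, sector_in_block). Raises ValueError when the LBA is not
    covered by the filesystem, in which case debugfs has nothing to say about it.
    """
    if block_size % sector_size != 0:
        raise ValueError("block size must be a multiple of the sector size")
    if not part_start <= lba <= part_end:
        raise ValueError("LBA %d is outside the partition" % lba)
    sectors_per_block = block_size // sector_size
    block, sector_in_block = divmod(lba - part_start, sectors_per_block)
    if block >= block_count:
        raise ValueError("LBA %d is in the partition but past the filesystem" % lba)
    return block, sector_in_block


def zero_block_command(partition, block, block_size=4096):
    """Build the dd command from the notes; only for a block that
    debugfs testb reported as not in use."""
    return "dd if=/dev/zero of=%s bs=%d count=1 seek=%d" % (partition, block_size, block)


# Values taken from the fdisk and tune2fs output above.
PART_START, PART_END, BLOCK_COUNT = 63, 1953520064, 244190000

if __name__ == "__main__":
    # The three distinct LBAs reported in the self-test log above.
    for lba in (1132724807, 490221916, 490221917):
        block, offset = lba_to_fs_block(lba, PART_START, PART_END, BLOCK_COUNT)
        print("LBA %d -> block %d (sector %d of 8 in that block)" % (lba, block, offset))
    print(zero_block_command("/dev/sdb1", 141590593))
```

The two failing LBAs 490221916 and 490221917 map to the same filesystem block, so they need one testb check, not two.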

Today’s list of scum


Fail2ban tweaks

So I tweaked Fail2ban so it picked up failed SASL auth sessions…

There are a LOT of compromised machines out there:


Final Proof that Semalt are rogue scum

This site, along with others I run, was swamped by traffic from Semalt in the past. Today the following article came to my attention which just confirms what I think myself and many other people had realised – that Semalt really are rogue and should be avoided and blocked at all costs. Here is the opening paragraph.

The software known as Semalt, which claims to be an ‘SEO tool,’ has been found to be using Soundfrost malware to hijack hundreds of thousands of computers. In the last 30 days, it has organized a huge spambot that is originating from more than 290,000 different IP addresses around the globe, with a concentration in South America.

Info Security Magazine

Also there is a very detailed blog entry over on nabble which gives a lot more detail and makes for pretty scary reading.

So long EE… and thanks for Nothing

I just posted this to EE’s wall on Facebook. I expect they will delete it… they are a company in complete denial.

===================

Well it’s time to say goodbye to EE. I’d like to say I’m sad that I’m leaving but that would be a total lie.

The last 2 years with you have been a complete and utter farce.

I pay over £36 a month for a 3G service which constantly fails to deliver. The signal in my home post code has now been downgraded to “Your phone should work in limited outdoors and indoors areas. This is a guide only and not a guarantee of service, coverage will vary by location.” – and I live in a large town so this is hardly acceptable in 2014, although you apparently think it is as you seem totally unwilling to admit that there are any problems, or give any details for plans to improve the service. I have a phone which will sit on the coffee table and not ring but then buzz and tell me I’ve missed a call and then when I try to return the call simply refuses to connect, which frankly is useless.

For 2 years my bill has, every month, informed me that I have charges outside my plan. In 9 out of 10 cases I didn’t have any charges outside my plan but I could never actually view my bills properly on line, and frequently I couldn’t even get into the billing system at all.

You put up the cost of my contract – but as I only had a couple of months to go till I was out of contract I didn’t bother doing anything about it but frankly that stinks, as does your latest scam – the “Pay us money and we’ll answer the phone”. If you got your contract prices wrong then that is YOUR problem… accept that you miscalculated things and take the hit rather than passing your mistakes onto your customers.

Customer services are useless and incompetent – Oddly enough it only took me 15 minutes to get my PAC compared to over 1 hour to renew my contract ( and another 2 hours when somehow you managed to send the phone to the wrong address ), plus the 3+ hours I spent trying to get you to restore my data connectivity when you removed it from my contract ( and tried to deny that I’d got a data enabled contract and wanted me to BUY a data bundle ) … and don’t get me started on the stupid things they’ve had me do to try to fix my on line billing which you must have known was completely broken.

So here I am at the end of my contract with a locked S3 which you’ll want me to pay to get unlocked (By the way – other mobile providers don’t lock their customers’ phones) – not that it’s worth it because the S3 you sold me has barely lasted 2 years and Samsung no longer support it. If you are going to lock people into 2 year contracts how about making sure that not only are the phones actually built well enough to make it through the 2 years but that the manufacturer will actually provide software updates for that period