Botnet still chugging along

It's still going:

Jun 12 18:41:25 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<colin@some.domain.here>, method=PLAIN, rip=36.7.79.21,
Jun 12 18:42:01 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<colin>, method=PLAIN, rip=113.240.237.10,
Jun 12 19:11:58 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<drtone@some.domain.here>, method=PLAIN, rip=218.201.83.148,
Jun 12 19:12:18 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<drtone>, method=PLAIN, rip=220.164.2.80,
Jun 12 19:14:47 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<doug@some.domain.here>, method=PLAIN, rip=60.8.106.22,
Jun 12 19:15:19 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<doug>, method=PLAIN, rip=183.167.200.62,
Jun 12 21:18:41 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<lastfm@canalplan.org.uk>, method=PLAIN, rip=59.49.33.247,
Jun 12 21:19:36 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<lastfm>, method=PLAIN, rip=58.218.194.81,
Jun 12 22:29:33 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nick@some.domain.here>, method=PLAIN, rip=213.34.206.155,
Jun 12 22:29:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<nick>, method=PLAIN, rip=221.239.8.178,
Jun 12 23:10:50 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard@some.domain.here>, method=PLAIN, rip=58.216.156.58,
Jun 12 23:11:12 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard>, method=PLAIN, rip=61.91.54.142,
Jun 12 23:12:18 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=221.130.130.238,
Jun 12 23:12:41 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<richard_s>, method=PLAIN, rip=36.7.113.194,
Jun 12 23:45:46 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<simon@some.domain.here>, method=PLAIN, rip=123.233.118.91,
Jun 12 23:46:30 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<simon>, method=PLAIN, rip=125.75.206.244,
Jun 12 23:56:55 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<steve@some.domain.here>, method=PLAIN, rip=210.73.8.244,
Jun 12 23:57:37 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<steve>, method=PLAIN, rip=61.191.123.11,
Jun 13 00:17:03 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=58.195.100.130,
Jun 13 00:17:45 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=221.178.227.10,
Jun 13 02:04:24 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<colin@some.domain.here>, method=PLAIN, rip=61.37.150.5,
Jun 13 02:04:49 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<colin>, method=PLAIN, rip=223.241.247.6,
Jun 13 02:22:15 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 14 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=209.151.146.9,
Jun 13 02:22:54 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=5.196.3.190,
Jun 13 02:23:26 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s>, method=PLAIN, rip=219.93.121.6,
Jun 13 02:34:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<drtone@some.domain.here>, method=PLAIN, rip=190.211.92.29,
Jun 13 02:35:15 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<drtone>, method=PLAIN, rip=222.187.193.230,
Jun 13 05:16:35 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 13 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=81.82.223.109,
Jun 13 05:20:58 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=62.149.211.160,
Jun 13 05:22:17 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=104.251.100.141,
Jun 13 05:40:23 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nma@canalplan.org.uk>, method=PLAIN, rip=61.182.51.230,
Jun 13 05:40:44 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nma>, method=PLAIN, rip=218.28.135.178,
Jun 13 06:15:35 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard@some.domain.here>, method=PLAIN, rip=60.169.65.62,
Jun 13 06:15:57 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard>, method=PLAIN, rip=14.205.4.56,
Jun 13 06:45:56 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<simon@some.domain.here>, method=PLAIN, rip=89.17.36.35,
Jun 13 06:46:18 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<simon>, method=PLAIN, rip=221.210.46.222,
Jun 13 07:29:58 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=60.8.245.174,
Jun 13 07:30:39 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=61.182.82.34,
Jun 13 08:00:06 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=94.137.142.49,
Jun 13 08:00:25 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s>, method=PLAIN, rip=49.65.204.11,
Jun 13 08:52:00 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<colin@some.domain.here>, method=PLAIN, rip=121.174.171.153,
Jun 13 08:52:20 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<colin>, method=PLAIN, rip=223.72.168.150,
Jun 13 09:17:23 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<doug@some.domain.here>, method=PLAIN, rip=111.121.220.219,
Jun 13 09:17:44 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<doug>, method=PLAIN, rip=58.242.66.218,
Jun 13 09:20:40 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<drtone@some.domain.here>, method=PLAIN, rip=211.246.198.105,
Jun 13 09:21:01 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<drtone>, method=PLAIN, rip=60.29.145.218,
Jun 13 09:26:42 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=178.161.147.218,
Jun 13 09:27:08 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=121.28.169.234,
Jun 13 09:58:05 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=183.167.225.165,
Jun 13 09:58:25 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=218.28.171.213,
Jun 13 09:58:57 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<richard_s>, method=PLAIN, rip=200.115.38.99,
Jun 13 10:27:05 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=221.228.229.48,
Jun 13 10:28:21 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=123.234.215.242,
Jun 13 10:58:43 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=218.92.238.86,
Jun 13 10:59:51 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=114.104.158.172,
Jun 13 11:50:41 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<michael@some.domain.here>, method=PLAIN, rip=211.99.139.250,
Jun 13 11:51:03 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<michael>, method=PLAIN, rip=113.194.69.247,
Jun 13 12:04:12 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=201.140.110.78,
Jun 13 12:05:29 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 25 secs): user=<richard_s>, method=PLAIN, rip=222.189.41.46,
Jun 13 12:05:38 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<richard_s>, method=PLAIN, rip=172.87.163.42,
Jun 13 12:08:06 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nicka@canalplan.org.uk>, method=PLAIN, rip=88.87.64.43,
Jun 13 12:08:32 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nicka>, method=PLAIN, rip=123.232.125.198,
Jun 13 12:08:45 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<nick@some.domain.here>, method=PLAIN, rip=42.115.2.162,
Jun 13 12:09:05 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<nick>, method=PLAIN, rip=58.18.137.83,
Jun 13 12:24:36 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<paul@some.domain.here>, method=PLAIN, rip=222.137.252.29,
Jun 13 12:24:58 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<paul>, method=PLAIN, rip=219.148.39.134,
Jun 13 12:37:18 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=61.167.79.135,
Jun 13 12:37:44 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=82.130.202.19,
Jun 13 12:49:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard@some.domain.here>, method=PLAIN, rip=218.64.63.195,
Jun 13 12:50:15 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard>, method=PLAIN, rip=123.138.78.210,
Jun 13 13:03:27 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=218.90.162.234,
Jun 13 13:03:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s>, method=PLAIN, rip=119.1.98.121,
Jun 13 13:14:36 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=112.4.235.211,
Jun 13 13:15:15 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s>, method=PLAIN, rip=218.24.67.210,
Jun 13 13:24:22 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<steve@some.domain.here>, method=PLAIN, rip=221.131.86.182,
Jun 13 13:25:00 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<steve>, method=PLAIN, rip=221.230.139.83,
Jun 13 14:43:58 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=220.180.172.173,
Jun 13 14:44:16 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=79.58.247.178,
Jun 13 15:13:42 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<colin@some.domain.here>, method=PLAIN, rip=60.190.165.34,
Jun 13 15:14:06 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<colin>, method=PLAIN, rip=187.174.201.250,
Jun 13 15:37:46 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<drtone@some.domain.here>, method=PLAIN, rip=58.248.164.150,
Jun 13 15:38:09 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<drtone>, method=PLAIN, rip=218.2.26.174,
Jun 13 15:43:47 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=218.22.100.42,
Jun 13 15:44:05 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=109.226.23.26,
Jun 13 16:09:59 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=62.86.32.206,
Jun 13 16:10:35 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<richard_s>, method=PLAIN, rip=213.87.106.187,
Jun 13 16:10:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<richard_s>, method=PLAIN, rip=31.168.157.167,
Jun 13 17:41:25 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=90.183.127.106,
Jun 13 17:41:53 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<richard_s>, method=PLAIN, rip=91.140.255.82,
Jun 13 18:07:09 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<michael@some.domain.here>, method=PLAIN, rip=188.75.220.72,
Jun 13 18:07:30 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<michael>, method=PLAIN, rip=222.175.49.22,
Jun 13 18:14:40 Debussy dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<richard_s@some.domain.here>, method=PLAIN, rip=216.20.131.103,
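
An added example, not part of the original post: in the log above almost every account is tried once with the domain and once without, from a different address each time, so a per-address failure count never gets past one. The Python below correlates failures per account instead; the sample lines, usernames, documentation-range addresses, the year default and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same dovecot line format as the log above
# (invented usernames, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 12 18:41:25 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<alice@example.org>, method=PLAIN, rip=192.0.2.10,
Jun 12 18:42:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<alice>, method=PLAIN, rip=198.51.100.7,
Jun 12 19:11:58 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<bob@example.org>, method=PLAIN, rip=203.0.113.5,
Jun 12 19:12:18 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=<bob>, method=PLAIN, rip=198.51.100.99,
Jun 12 20:30:00 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<carol>, method=PLAIN, rip=192.0.2.44,
Jun 12 23:59:50 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<dave@example.org>, method=PLAIN, rip=203.0.113.80,
Jun 13 00:00:15 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 8 secs): user=<dave>, method=PLAIN, rip=192.0.2.200,
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+),")

def parse(log_text, year=2000):
    """Yield (timestamp, account, source_ip). Syslog lines carry no year,
    so an arbitrary one is supplied (assumption; it only has to be consistent)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            # Fold "name@domain" and bare "name" into one account key.
            yield ts, m["user"].split("@", 1)[0].lower(), m["rip"]

def distributed_targets(events, window=timedelta(minutes=5), min_ips=2):
    """Return {account: sorted IPs} for accounts that saw failures from at
    least min_ips distinct sources inside one sliding time window."""
    by_account = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, hits in by_account.items():
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged.setdefault(account, set()).update(ips)
    return {a: sorted(ips) for a, ips in flagged.items()}

if __name__ == "__main__":
    for account, ips in distributed_targets(parse(SAMPLE_LOG)).items():
        print(f"{account}: {len(ips)} sources -> {', '.join(ips)}")
```

The account with three failures from a single address is left to an ordinary per-address rule; only accounts hit from several sources in the window are reported.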
Fail2Ban

And here’s the fail2ban list:

Status for the jail: dovecot-disconnect
 |- filter
 | |- File list: /var/log/mail.log
 | |- Currently failed: 0
 | `- Total failed: 210
 `- action
 |- Currently banned: 208
 `- Total banned: 208

Hackers, crackers and other annoyances

My server was getting swamped the other day; checking into it, I found that it was links from LiveJournal to a pic in my photo albums which someone had used to illustrate a tack poem. LiveJournal users had then copied this poem round each other, and republished it – and every view was leeching the pic off my server.

Now I guess it's a compliment that they liked my squirrel pic, but it was used without permission and with no credit.

So I stopped it: specifically, that image cannot be accessed when the referrer URL is LiveJournal.

So then I started looking round and found lots of attempts to hijack awstats for hacking other servers. So I’ve put in a redirect based on IP to stop this happening.

I also tightened up my SSH logins – and record unauthorised accesses onto that (which populates the website black list).

Today I had some scum from Israel (specifically a user of Barak I.T.C) use a Java application to post Viagra spam on my forum. So if you were on 85.65.58.1 a few minutes ago – I saw you, deleted your post and blocked your IP.

It's sad that the internet is now full of people who try to break into, hijack or otherwise misuse other people's resources.

Still, that's the way of the world, I suppose.

Oddly enough, it's THIS blog entry that the spamming scum keep picking on. I wonder why.