1 Has Pixy upgraded you to MT 3? (I think that's the latest one) I know he had a post not too long ago about the upgrade enabling you to turn off old comments en masse.

I am getting tons of hits from a single IP address - but no spam! I tried banning the IP address to see if it stops, but I just did it about an hour ago - don't know if that will work. According to my Stat Counter I'm getting 300-400 hits a day from this IP! The funny thing is that Sitemeter doesn't register the hits at all - very weird. Well, I'll take the hits over the spam attack any time - but it must be using up Pixy's bandwidth!

The IP I'm seeing is from Comcast
67 - 173 - 130 - 77
Anyone else seeing this one?

2 Yea, Theresa, I just had to ban that address using .htaccess for a couple of blogs I'm doing spam cleanup for.

The Blacklist is blocking every one of those hits you're getting - thankfully.

Pixy... looks like another candidate for some .htaccess lovin' at MuNu as the IP address hasn't changed in several days.

3 Rat's, sorry about that extra 'h' in there Teresa!

4 Yeah, Pixy set me up with an MT3. I just don't have the time to actually get it up and running.

There were only another 15 when i got up this morning, on 3 posts. I locked those up too so maybe this attack is over.

5 Added that one to my list.

Yes, the best thing for this is to move to MT3. It doesn't cure it completely, but it makes it much easier to control.

6 I sent an email to Comcast - got an auto-reply so I don't know what they'll do about it. I gave them the offending address and told them what was happening. The only thing I didn't give them was my IP and port number. According the the email I received, this invalidates my request... I wonder if anyone there will take the initiative and investigate. Unfortunately I didn't get the email with "instructions" until AFTER I sent in the report. It's nearly impossible to find an email address to report this stuff. But for further reference if you are being hit by a Comcast addy. Send an email to

abuse@comcast.net

Supposedly required info for this type of attack:

2.Include all logs or information relevant to the incident, ensure the logs
your submitting contain:
a.Date of incident
b.Time of incident and time zone
c.Source Internet protocol (IP) address or host name
d.Destination IP address or host name
e.Destination port

My email told them that the attack had been going on for the last 4 days straight (time and time zone seem pretty irrelevant in that case!) and the offending IP address - that "should" be enough for them to look into it. But it doesn't specifically meet all their requirements - so they might just dump it. I don't have "log" files per se - I have the records from Stat Counter. And I suppose I could ping my site to give them my IP and tell them the port number is 80... ARG! Makes me want to tear my hair out.

7 Oh yeah - I forgot to add - they tell me that they take these things very seriously... just thought I should throw that out there.

8 Heh. I'm a Comcast customer so that treatment comes as absolutely no surprise to me.

9 I hate these weasels. They're worse than spammers. GRRRR!!!

10 Teresa;
I'm sure Pixy could give you snippets of server logs if you wanted to continue to try to nail this assmunch.

Question for Pixy:

Are you seeing any weird 'attacks' on non-existant php files in the public_html directory on your server? Specifically d.php and s.php? I'm helping Velociman with spam issues and noticed massive hits to these never-existed files, (hundreds per hour) including a bunch from the same IP address that's been hitting Teresa.

Any ideas?

P.

11 There have been a bunch of new attacks on PHP (and phpBB in particular) in the past couple of weeks. I ran around patching everything in sight so we should be safe, but that doesn't stop them trying.

Now, how the heck do I set up a global deny rule in Apache? Everything I've tried makes the server barf. .htaccess works, but it's per-directory of course.

12 Since removing direct comment submission (you have to preview before posting a comment now) I haven't been crapped on.

[Cross fingers]

13 "Are you seeing any weird 'attacks' on non-existant php files in the public_html directory on your server? Specifically d.php and s.php?"

Paul you might be seeing the Santy worm in it's effort to infect public sites. It's a php specific worm, although I haven't had time to pay attention to the particulars of the thing. Since blogs are "public" the worm will likely try to infect them - but if you aren't running a blog with php the only problem is the annoyance of the hits.

Pixy - if you want me to send in any other requests with more particular information about the current attack to Comcast, let me know. Perhaps we can draft an email and all of us can send in a copy... Just a thought.

14 Is this why I can't get your site to load at all? It cannot find server, baby!

15 Contacting Comcrap does nothing. I tried it when I got my first crapflood, and got the usual form letter back. I heard nothing else from 'em.

Their customer-no-service (to coin a Clark Howard phrase) is notorious; it's one of the reasons that I'm on DSL and have a satellite dish today.