Ok,
So, I was looking at tarvos.seekbrain.com (the host that serves these pages) and it was sitting at a load of 1.5 constantly. This box is only a single-proc hyperthreaded box, so for something which overall gets very few hits this was strange, and when I was trying to get some images (for my home photo collection) it plain locked up.
Initially, I thought, well, ok, what’s its uptime? 620 days. Hmm, at this point it’s not unusual to see ‘crap’ introducing 0.5-0.8 of the load average (especially with hosting machines constantly spawning processes). With that in mind I did a full update of all packages including a new kernel. A reboot later (after Red Hat’s initrd.img creator was kind enough not to add support for my mobo) and it was back online BUT, still 1.0 load. What’s going on here….
A little investigation and it was revealed that my somewhat defunct Gallery install was copping an absolute flogging from comment spam. Joy, so, with comments disabled I went to clean up this mess. Running the uninstall option has triggered a DELETE and OPTIMIZE so things will be a bit slow but at least I’m not adding to the quagmire. After 660,175 comments in the past 48hrs it was no surprise this poor little box was choking.
So, the lucky top hitters are as follows:
[root@tarvos logs]# cat /tmp/newspams2 | sort -nr | head -n 10
128475 access_log.processed:195.225.177.40
122578 access_log.processed:195.225.178.21
67396 access_log.processed:84.16.227.86
36641 access_log.processed:83.233.30.39
18589 access_log.processed:200.63.42.133
15927 access_log.processed:67.19.22.194
9139 access_log.processed:83.233.30.34
6814 access_log.processed:62.90.102.146
6225 access_log.processed:62.90.102.148
5376 access_log.processed:195.225.178.19
[root@tarvos logs]#
With a bit of foo and absolutely no intention of wasting my time further with people that can’t control their botnets:
[root@tarvos logs]# iptables -I INPUT -s 195.225.176.0/22 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 195.225.177.40/32 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 195.225.178.0/24 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 83.233.0.0/16 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 195.225.176.0/22 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 62.90.0.0/16 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 200.63.40/22 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 200.63.40/21 -j DROP
[root@tarvos logs]# iptables -I INPUT -s 84.16.224.0/19 -j DROP
Good bye a good million or so IPs, I don’t want you, don’t need you, and you can kindly piss off and die.
Stuart
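
Added example (not part of the original post): a check of the post's DROP rules against its own top-ten list. It collapses overlapping or repeated sources into a minimal set and reports any listed hitter that no rule covers. The function names are hypothetical, and the source the post writes as `200.63.40/22` and `200.63.40/21` is assumed to mean `200.63.40.0/22` and `200.63.40.0/21`.

```python
import ipaddress

# Top hitters exactly as listed in the post: (request count, source address).
TOP_HITTERS = [
    (128475, "195.225.177.40"), (122578, "195.225.178.21"),
    (67396, "84.16.227.86"), (36641, "83.233.30.39"),
    (18589, "200.63.42.133"), (15927, "67.19.22.194"),
    (9139, "83.233.30.34"), (6814, "62.90.102.146"),
    (6225, "62.90.102.148"), (5376, "195.225.178.19"),
]

# Sources of the post's iptables rules, in the order they were typed.
# Assumption: "200.63.40/22" and "/21" are read as 200.63.40.0/22 and /21.
RULE_SOURCES = [
    "195.225.176.0/22", "195.225.177.40/32", "195.225.178.0/24",
    "83.233.0.0/16", "195.225.176.0/22", "62.90.0.0/16",
    "200.63.40.0/22", "200.63.40.0/21", "84.16.224.0/19",
]


def minimal_blocklist(sources):
    """Drop duplicates and subnets already contained in a wider rule."""
    # strict=True rejects a source with host bits set (a mistyped prefix).
    nets = [ipaddress.ip_network(s, strict=True) for s in sources]
    return list(ipaddress.collapse_addresses(nets))


def uncovered(hitters, blocklist):
    """Return the hitters whose address falls outside every blocked network."""
    return [
        (count, ip) for count, ip in hitters
        if not any(ipaddress.ip_address(ip) in net for net in blocklist)
    ]


def render_rules(blocklist):
    """Emit one rule per network, in the same form the post uses."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in blocklist]


if __name__ == "__main__":
    blocklist = minimal_blocklist(RULE_SOURCES)
    print("\n".join(render_rules(blocklist)))
    for count, ip in uncovered(TOP_HITTERS, blocklist):
        print(f"not covered by any rule: {ip} ({count} requests)")
```
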