Attack against postgresql.org ...

Started by Marc G. Fournier, over 19 years ago, 5 messages

#1 Marc G. Fournier
scrappy@postgresql.org

There are some days where High Speed Internet for Personal use just should
never have been invented ...

Over the past 24 hours, we've been experiencing a problem with the network
that has taken us a bit to identify as being at our end, and a little bit
longer to identify as being with the postgresql.org vServer ... someone is
attacking it ...

our provider has blocked the IP for now, so that direct access to the
vServer isn't possible, but due to the delivery rules, and MXs, email
should still flow properly ...

The attacking IP, from the logs, appears to be "87.230.6.96" ...

I'm lowering the TTL for the DNS right now, and, if this persists past
a few hours, I will change the IP and hope that they are attacking the IP,
and not the domain ...

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Marc G. Fournier (#1)
Re: [CORE] Attack against postgresql.org ...

"Marc G. Fournier" <scrappy@postgresql.org> writes:
> The attacking IP, from the logs, appears to be "87.230.6.96" ...

Perhaps a complaint to their ISP is in order --- RIPE suggests
net-abuse@hosteurope.de

regards, tom lane

#3 Csaba Nagy
nagy@ecircle-ag.com
In reply to: Tom Lane (#2)
Re: [CORE] Attack against postgresql.org ...

On Fri, 2006-07-28 at 17:37, Tom Lane wrote:
> "Marc G. Fournier" <scrappy@postgresql.org> writes:
> > The attacking IP, from the logs, appears to be "87.230.6.96" ...
>
> Perhaps a complaint to their ISP is in order --- RIPE suggests
> net-abuse@hosteurope.de

That looks 1 level too high, the immediate source seems to be
http://www.ehost.pl/onas.php

They could probably act faster and more at the source... down on the
page from the link above you can find abuse@ehost.pl for complaints.

Cheers,
Csaba.

$> nslookup 87.230.6.96
Server: 192.168.1.4
Address: 192.168.1.4#53

Non-authoritative answer:
96.6.230.87.in-addr.arpa name = vpsdws.xip.pl.

Authoritative answers can be found from:
6.230.87.in-addr.arpa nameserver = dns.hosteurope.de.
6.230.87.in-addr.arpa nameserver = dns2.hosteurope.de.
dns.hosteurope.de internet address = 80.237.128.156
dns2.hosteurope.de internet address = 80.237.129.61

$> whois xip.pl
[Querying whois.dns.pl]
[whois.dns.pl]
% This is the NASK WHOIS Server.
% This server provides information only for PL domains.
% For more info please see http://www.dns.pl/english/whois.html

Domain object:
domain: xip.pl
registrant's handle: dinz5du40 (CORPORATE)
nservers: ns1.ehost.pl.[80.237.184.22]
ns2.ehost.pl.[83.149.119.142]
created: 2003.10.06
last modified: 2005.09.19
registrar: Dinfo Systemy Internetowe
ul. Mostowa 5
43-300 Bielsko-Biala
Polska/Poland
+48.33 8225471
biuro@dinfo.pl

option: the domain name has not option

Subscribers Contact object:
company: eHost s.c.
organization: eHost.pl
street: Cichockiego 13/6
city: 24-100 Pulawy
location: PL
handle: dinz5du40
phone: +48.502533333
last modified: 2004.11.03
registrar: Dinfo Systemy Internetowe
ul. Mostowa 5
43-300 Bielsko-Biala
Polska/Poland
+48.33 8225471
biuro@dinfo.pl

Technical Contact:
company: eHost s.c.
organization: eHost.pl
street: Cichockiego 13/6
city: 24-100 Pulawy
location: PL
handle: dinz5du40
phone: +48.502533333
last modified: 2004.11.03
registrar: Dinfo Systemy Internetowe
ul. Mostowa 5
43-300 Bielsko-Biala
Polska/Poland
+48.33 8225471
biuro@dinfo.pl

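To show how the two contact points discussed in this thread fall out of the nslookup and whois output above, here is an added example (not from the thread or its authors) that parses that output offline: the nameservers delegated for the reverse zone identify the address-block holder (hosteurope.de, the "one level too high" party), while the PTR's domain and its nservers identify the hosting operator (ehost.pl). The trimmed sample text, the registrable_domain helper and all function names are my constructions.

```python
import re
import ipaddress
# Constructed sample input: the nslookup and whois lines from the message
# above, trimmed to the PTR, delegating nameserver and nservers records.
NSLOOKUP_OUTPUT = """\
96.6.230.87.in-addr.arpa name = vpsdws.xip.pl.
6.230.87.in-addr.arpa nameserver = dns.hosteurope.de.
6.230.87.in-addr.arpa nameserver = dns2.hosteurope.de.
"""
WHOIS_OUTPUT = """\
domain: xip.pl
nservers: ns1.ehost.pl.[80.237.184.22]
ns2.ehost.pl.[83.149.119.142]
"""

def reverse_name(ip):
    """The in-addr.arpa name a PTR query for ip resolves (octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer

def registrable_domain(hostname):
    """Last two labels; fine for the .pl/.de names here, not a public-suffix rule."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])

def parse_nslookup(text):
    """Return (ptr_hostname, [nameservers delegated for the reverse zone])."""
    ptr, servers = None, []
    for line in text.splitlines():
        m = re.match(r"\S+\s+(name|nameserver) = (\S+?)\.?$", line)
        if m and m.group(1) == "name":
            ptr = m.group(2)
        elif m:
            servers.append(m.group(2))
    return ptr, servers

def parse_whois_nservers(text):
    """Nameserver hostnames from the 'host.[ip]' lines of the NASK whois output."""
    return re.findall(r"(?m)^(?:nservers:\s*)?([\w.-]+?)\.\[[\d.]+\]$", text)

def trace_responsible_parties(ip, nslookup_text, whois_text):
    """Map an abusive IP to the address-block holder (reverse-zone delegation,
    the 'one level too high' contact) and to the operator of the PTR's domain."""
    ptr, zone_ns = parse_nslookup(nslookup_text)
    host_ns = parse_whois_nservers(whois_text)
    return {
        "reverse_name": reverse_name(ip),
        "ptr": ptr,
        "ptr_domain": registrable_domain(ptr) if ptr else None,
        "block_operators": sorted({registrable_domain(n) for n in zone_ns}),
        "hosting_operators": sorted({registrable_domain(n) for n in host_ns}),
    }
```

Against real targets the same two parsers can be fed the output of `nslookup` and `whois` directly; the abuse mailbox itself still has to be read off the whois record or the operator's site, as Csaba did.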
#4 D'Arcy J.M. Cain
darcy@druid.net
In reply to: Csaba Nagy (#3)
Re: [CORE] Attack against postgresql.org ...

On Fri, 28 Jul 2006 17:51:11 +0200
Csaba Nagy <nagy@ecircle-ag.com> wrote:
> > Perhaps a complaint to their ISP is in order --- RIPE suggests
> > net-abuse@hosteurope.de
>
> That looks 1 level too high, the immediate source seems to be
> http://www.ehost.pl/onas.php

I would go to both. ehost.pl could very well be some kid in his
parent's basement and may be the problem. RIPE says that hosteurope.de
is responsible for that IP. You have to take them at their word.

-- 
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
#5 Marc G. Fournier
scrappy@postgresql.org
In reply to: Csaba Nagy (#3)
Re: [CORE] Attack against postgresql.org ...

I have email'd both, thanks ...

On Fri, 28 Jul 2006, Csaba Nagy wrote:
> On Fri, 2006-07-28 at 17:37, Tom Lane wrote:
> > "Marc G. Fournier" <scrappy@postgresql.org> writes:
> > > The attacking IP, from the logs, appears to be "87.230.6.96" ...
> >
> > Perhaps a complaint to their ISP is in order --- RIPE suggests
> > net-abuse@hosteurope.de
>
> That looks 1 level too high, the immediate source seems to be
> http://www.ehost.pl/onas.php
>
> They could probably act faster and more at the source... down on the
> page from the link above you can find abuse@ehost.pl for complaints.
>
> Cheers,
> Csaba.
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664