[ale] Ouch, dang it.

lollipopman691 lollipopman691 at pm.me
Mon Jun 2 11:47:45 EDT 2025



Well Phew! I think I have at least gotten out from this a little.

AWS ACL access rules allow you to block CIDRs.  I added:

Port: http
Range: 47.239.0.0/16
Action DENY

So far that seems to be ok?  

I can see my website from my phone and from my home machine ( http://tomshiro.org ).  

Now to work on Let's Encrypt ( https://letsencrypt.org/getting-started/ ) and get this fool thing up to date!

-- CHS


On Thursday, May 29th, 2025 at 6:31 PM, lollipopman691 <lollipopman691 at pm.me> wrote:

> 
> 
> I run a small TWiki server which is in robots.txt on an aws instance. Recently that VM started to become unstable. Today I logged on and found that the disk was completely full up. It normally runs about 85% full. After poking around a bit I found that the TWiki access logs for the last few days were multiple gigabytes in size. Further, someone or something was requesting a single page on my TWiki over and over at a prodigious rate. I use that instance as a forwarding email server, so it's critical that it stays on line. So I took the simplest course and shut httpd off, removing all my web content from view for now, including a bunch of recipes I use weekly. Dang it.
> 
> I grabbed today's log file and did some simple shell scripting on it to try to figure out what was going on. It looks like the requests are coming at over 200 times a minute from a variety of addresses in the far east, at least according to https://www.iplocation.net/ .
> 
> My last TWiki log has requests from about 70,000 ip addresses for that one TWiki page. About 90% of them are hitting the page only once. Most of the rest are hitting it twice. A handful are over 100, with the largest at around 700. I nmap(1)ed a couple of them for fun. The one which appeared to be up ( 47.239.152.3 ) showed:
> 
> PORT STATE SERVICE
> 80/tcp closed http
> 443/tcp closed https
> 3389/tcp closed ms-wbt-server
> 
> Mildly interesting. The Net of 10,000 lies claims that "ms-wbt-server" is a Microsoft remote desktop server, so at a guess I'd say this was a compromised Windows machine.
> 
> Has anyone seen this kind of thing before? I currently plan to leave httpd down for a few days and then restart it and see if this trouble has gone away. I reckon the long-term solution is to move my mail server off the web machine and then just let it do its thing?
> 
> -- CHS

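The tallies described in the quoted message (hits per address, how many addresses hit the page once or twice or 100+ times, requests per minute, and the /16 aggregation that motivates the ACL deny) as an added example; this is not the poster's own shell script, and the log lines are constructed, not taken from the server:

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log format (not from the poster's logs).
SAMPLE_LOG = """\
47.239.152.3 - - [29/May/2025:18:01:05 -0400] "GET /twiki/bin/view/Main/Recipes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
47.239.10.7 - - [29/May/2025:18:01:06 -0400] "GET /twiki/bin/view/Main/Recipes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
47.239.152.3 - - [29/May/2025:18:01:09 -0400] "GET /twiki/bin/view/Main/Recipes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [29/May/2025:18:02:30 -0400] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 2048 "-" "curl/8.0"
47.239.77.1 - - [29/May/2025:18:02:31 -0400] "GET /twiki/bin/view/Main/Recipes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# client ip, ident, user, [timestamp], "METHOD path proto"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')

def parse(log_text):
    """Yield (ip, minute, path) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        minute = m.group("ts")[:17]  # "29/May/2025:18:01" -> truncate seconds and zone
        yield m.group("ip"), minute, m.group("path")

def hits_per_ip(log_text, path):
    """Requests for one page, counted per client address."""
    return Counter(ip for ip, _, p in parse(log_text) if p == path)

def hit_histogram(per_ip):
    """Bucket addresses by how often each hit the page: 1, 2, 3-99, 100+."""
    buckets = Counter()
    for n in per_ip.values():
        buckets["1" if n == 1 else "2" if n == 2 else "3-99" if n < 100 else "100+"] += 1
    return dict(buckets)

def hits_per_minute(log_text, path):
    """Request rate for one page, keyed by log minute."""
    return Counter(minute for _, minute, p in parse(log_text) if p == path)

def hits_per_slash16(per_ip):
    """Aggregate per-address counts into /16 prefixes, the granularity used for the ACL deny."""
    agg = Counter()
    for ip, n in per_ip.items():
        if ip.count(".") != 3:  # skip IPv6 or junk; only dotted-quad addresses aggregate here
            continue
        a, b = ip.split(".")[:2]
        agg[f"{a}.{b}.0.0/16"] += n
    return agg
```

Run it against the real access log by reading the file into `SAMPLE_LOG`'s place; a /16 that accounts for most of the volume is a candidate for the deny rule, while a flat spread across thousands of prefixes points to rate limiting instead.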
