My server (it’s not the one this site is stored on, by the way!) has been very, very busy this week being attacked by bots and crazed hackers from all over the world. One of the most persistent was from a Thai IP address; the address was allocated from a Thai ISP and the reverse DNS is node-or5.pool-1-10.dynamic.totbb.net. The ISP responsible for this naughty Thai attacker is TOT Public Company Limited, who are based in Bangkok.
Its target was the Exim service, which is a message transfer agent, so I would guess our friend was looking for a way to relay his spam messages. I have the latest version of Exim, which I think is 4.85; there were some security problems with earlier versions, so make sure you’re up to date. At the very least make sure you’re running version 4.
The attack was automated and pretty dumb – consistently attacking the same service with the same username. Obviously this triggered an automatic IP address ban and it’s been added to cPHulk brute force protection. This is a service (available and configurable through WHM) which is designed to block brute-force attacks from troublesome IP addresses. It basically maintains two lists regarding logins to the server – a blacklist and a whitelist. When you add an IP address to the blacklist it won’t ever be able to log on to that server at all. This covers every service, so it’s useful against automated penetration or hacking tools which try to brute force every service in turn. You have to be careful using it though, as it’s perfectly possible to blacklist your own address, which I nearly did when I had a British IP address enabled through a VPN which I didn’t recognise.
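As an added example (not part of the original post or of cPHulk itself), here is a short Python script that does by hand what cPHulk did automatically: it scans Exim mainlog lines for repeated failed SMTP AUTH attempts from one address and reports candidates for blacklisting, skipping a whitelist so that your own VPN address can never be proposed for a ban. The log lines follow Exim's `authenticator failed for` format, but the IP addresses, timestamps and usernames are constructed.

```python
import re
from collections import defaultdict

# Exim mainlog entries for failed SMTP AUTH attempts look like the lines
# below. These are constructed samples, not logs from the author's server.
SAMPLE_LOG = """\
2015-03-14 09:41:02 login authenticator failed for (ylmf-pc) [203.0.113.45]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:41:09 login authenticator failed for (ylmf-pc) [203.0.113.45]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:41:15 login authenticator failed for (ylmf-pc) [203.0.113.45]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:41:21 login authenticator failed for (ylmf-pc) [203.0.113.45]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:42:00 login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2015-03-14 09:42:30 1YWgXk-0003Hr-2n <= bob@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=login:bob S=1254
2015-03-14 09:43:11 login authenticator failed for (mypc) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:43:17 login authenticator failed for (mypc) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
2015-03-14 09:43:23 login authenticator failed for (mypc) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)
"""

# Captures the authenticator name, the client IP in [brackets] and the
# username the client tried (set_id=...). Successful deliveries do not match.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*?\(set_id=(?P<user>[^)]*)\)"
)

def find_brute_force(log_text, threshold=3, whitelist=()):
    """Return {ip: {"attempts": n, "users": [...]}} for every address with
    at least `threshold` failed AUTH attempts, ignoring whitelisted IPs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m and m["ip"] not in whitelist:
            failures[m["ip"]].append(m["user"])
    return {
        ip: {"attempts": len(users), "users": sorted(set(users))}
        for ip, users in failures.items()
        if len(users) >= threshold
    }

if __name__ == "__main__":
    # 192.0.2.10 stands in for the admin's own VPN address: whitelisted so
    # the script can never suggest locking the operator out.
    hits = find_brute_force(SAMPLE_LOG, threshold=3, whitelist={"192.0.2.10"})
    for ip, info in hits.items():
        print(f"{ip}: {info['attempts']} failures, usernames {info['users']}")
```

A single IP hammering one username, as in the post, shows up as a high attempt count with a one-element `users` list; a credential-stuffing run against many accounts would show many usernames instead.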