Another day, another Chinese attack on my home web/media server...

Last month I posted about noticing my internet going very slowly, and after a few days of trying to figure out what was wrong, I hopped onto my home server and looked at its access log, only to find that thousands of access attempts were being made by IP addresses registered in China. Several posters recommended that I contact the FBI and report it, but after looking into the situation I realized I had deleted the access logs and figured I no longer had proof. I did turn off the server, and sure enough my connection speed shot right back up.

I had been meaning to make some changes to the server itself for a while, but since I've been busy at work I never got around to it, and so never even turned it back on, until last night when I needed a file off of it. Sure enough I forgot to turn it back off...

Anywhos, the partner just comes in and asks me if I'm doing anything major online that would be killing the internet, (apparently it's going slowly again and wreaking havoc with some WOW mission to liberate Doritos Valley or something in the next room). After telling him that I'm just scrolling past 95,357 pirates-related threads to see what happened at DU today, I realize that the server is up, and pull up a Remote Desktop Connection to see if it's the problem.

Sure enough, there in the access logs are more than a few random IP addresses that when checked are registered in China, trying to talk to the server at various times today. This time I saved the log file and am going to file the complaint.

What the heck is so interesting about my crap web/home media server that would prompt Chinese people to want to get into it? I'm not exactly running the nation's power grid off of it. And is there anything the government will actually be able to do to stop these "Chinese Server Pirates", (heh heh), from doing this every time I turn it on?

Is anyone else having this problem?

Methinks M$ wants to train a local workforce who are hungry for work, specific to M$. Now why might they want to go and do something like that?

Sheeeet, if I worked at M$ in WA, I'd be pissed about this.

It's probably also a good idea to report them. There have been some concerns recently about apparent Chinese attacks on U.S. servers.

Looks like I can also block them by modifying Apache's .htaccess file.

Using .htaccess would probably put more load on the server than using the firewall.

This website will generate code you can put in .htaccess to block by country.
http://www.blockacountry.com/
You can use it in .htaccess or you could copy the IP addresses from it to put in the firewall.

Thanks very much for this!

you definitely want to block it at the firewall.

.htaccess will only keep them out of the web server.

Downthread it's mentioned that the partner's pc may be a problem and I agree. All the more reason to block it at the connection.

Three reasons:
1) Blocking them at the web server leaves the entire rest of the network vulnerable. If they are aware of a vulnerability you are not well you already let the intruder into your house.

2) Load could be substantial on your server. They may attempt to break it by ramping up load.

3) IP addresses can be spoofed. They also can be proxied. Any well equiped organization has proxies in multiple countries. If server doesn't respond to direct attack a proxy attack is coming next.

Improve your firewall security. You may need to get a better grade hardware firewall (or build your own there are many linux based firewall distros that can run on <600mhz computer as long as it has 2 LAN cards (LAN & WAN).

Once the enemy is past your firewall your system is already 90% of the way to compromised. Defense in layers is good strategy but don't give up

And have been looking for a project. I've known for a while that I could put together a nice linux firewall, but haven't ever been motivated. Looks like the motivation may have found me...

Thinking about it it's obvious that blocking them on the server won't fix the problem. The firewall really is the only option. I've got an old 950 MHz Athlon Duron processor, motherboard, case, powersupply, and I think about 256 MB in RAM that's compatible with the board. The board has built in ethernet and I have an extra wireless card.

If I take some time this week to put one together, does anyone have any idea if an older computer serving as a firewall will in any way slow down the internet speed of each computer on the network.

And strangely, I have a lot of computers networked here. One in just about every room of the house--8 in all counting the 3 I have in my home office.

of the slowest network card, as long as they're 100MB NIC cards you shouldn't see much if any performance impact, a 950MHz PC acting as a firewall is more than sufficient for the size of your application, I say go for it!

Sounds like this is just the thing I have been looking to put together now that I think it over. And since I love playing around with Linux it'll probably make for a very satisfying day off.

Thanks!

The "cpu" in most consumer routers has about has much processing power as a late generation 486.

There are a couple of custom distros to turn a late model computer into a firewall or firewall/router.

http://www.ipcop.org/

AND

http://m0n0.ch/wall/ (mono wall)

are the two most common.

Here are some more:
http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions

Most will run perfectly fine on old hardware. Wireless can be a little more tricky as some chipsets don't have open source drivers. Now they aren't plug & play like a linksys/netgear/dlink router (toaster) but they are much more powerful.

I used monowall & iproute2 to link up 36 soldiers to a sat internet connection when we were in Iraq. We bought our own dish and leased capacity from French bird. monowall helped me keep bandwidth under control (one person trying to make VOIP calls or using p2p can bring a sat connection to it's knees).

And it makes sense now that I think about it, since I really wouldn't think that my router would have the processing power of that Duron. I will look into IPCop and Monowall. I've heard of Monowall before, and I've read up a little bit on ClarkConnect at DistroWatch, but admittedly haven't ever REALLY read up on putting together a firewall. For someone like me it should be fun.

Any by the way, thanks for your work over there.

is it safe?

What did it say? :scared:

malware name: HTML:Iframe-inf
malware type: Virus/Worm
vps version: 090413-0, 04/13/2009

maybe it's nothing? :shrug:

Here's a thread on the avast forum about a similar error.

http://forum.avast.com/index.php?topic=43764.0

They do nasty things from your server, you get blamed, they stay in business.

you can see the Chinese IP addresses hitting firewalls trying to get in 24x7 if you would want to do such a thing. It really is laughable. They're like water, they take the paths of least resistance. So invest in some GOOD protection, because if the CHinese don't get you, the Russians, Serbs, Saudis, French, or the 10 year old down the block will!
I mean you don't leave your doors and windows wide open do you??????

I haven't seen any evidence that they've actually gotten any further than trying to get in. The problem seems to come when they eat up all my bandwidth trying. I've got great software, and I keep all the computers on the network, (with the exception of the partner's) very well updated and scanned. And having said that about the partner's computer, I'll respond to post #7...

Do you have access to the WOW addict's PC? Maybe he has a nasty virus running as a service, announcing it's availability for hackers to exploit? You can check your own PC too but you seem to know what you're doing...

As a matter of security, that's going to change. It won't be easy getting him to scale it back to 65 hours a week so that I can work in a little scan/update time, but I'm sure he can find something else to do, say, like, go outside and retrain his eyes to function in daylight, maybe go over go over to a friend's mom's house and hang out in their basement, etc. We'll see...

In all seriousness I've been bugging him to let me update it and give it a good once over for a few months now. The requests have been met with endless refusals. And now that I think about it, I wonder if that means there's anything else on there that I'm not supposed to be finding. Like maybe a nice healthy collection of pron...

World of Warcraft uses the TCP protocol on port 3724, that would be a good way to get him off for awhile! Beware, he may become insanely cranky if he's deprived of his fix.

You feel like you have to get hacked again an hour later!

and not just viruses and worms on computers in China?

Other than an indication that they attempts are all coming from the same general area/province, as opposed to coming from all over the place, which is what I would expect if the attacks were coming from pc's infected with some kind of spreading virus.

Maybe they'll cut you some slack.

I did some research and it appeared that they are constantly doing this probing, but there is little damage they can do.

Definitely how I'd classify it, although it's reached the level of attack on occasions. The logs show that most of the time the server will get a dozen or so hits a day, and then other times, like tonight, it will get huge numbers in a short time frame--right around the time our internet speed slows down.

But the strange thing is, they don't appear to be doing anything specific other than trying to access it half-heartedly. I'm sure if they really wanted to get into it they could, but they aren't. That sure doesn't stop them from showing up at the gate in huge numbers though...

I'll call it the "ass probe" virus.

I'd like to see how much they'd like getting a "package" through their "back door", so to speak.

What the fuck is all this traffic doing on my router?