#1
About a week ago we announced a network upgrade that would be done. You can read about it here: http://forums.hostgator.com/showthread.php?t=2187 The upgrade has been done; however, they are still improving upon it daily to catch different exploits and types of attacks. I want everyone to see how much this has done for us on just a single server in a few days' time:

| Count | Source IP | Dest IP | Dest Port | Severity | Alert Type | Description | Begin Time | End Time | Hit Count |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 2400: HTTP: Malformed URI | 1/28/2005 3:15:01 | 1/28/2005 3:18:01 | 8 |
| 2 | 38.115.168.231 | 67.18.52.95 | 80 | Minor | Block | 2840: HTTP: Crystal Reports WebViewer Information Disclosure | 1/28/2005 3:15:01 | 1/28/2005 3:21:01 | 22 |
| 3 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0845: HTTP: carbo.dll Exploit | 1/28/2005 3:12:01 | 1/28/2005 3:15:33 | 16 |
| 4 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0236: HTTP: Nimda Attack (cmd.exe) | 1/28/2005 3:09:22 | 1/28/2005 3:09:22 | 1 |
| 5 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0234: HTTP: Nimda Attack (root.exe) | 1/28/2005 3:09:01 | 1/28/2005 3:17:55 | 5 |
| 6 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 1279: HTTP: Shell Command Execution (winnt/system32/cmd.exe) | 1/28/2005 3:08:01 | 1/28/2005 3:22:00 | 52 |
| 7 | 38.115.168.231 | 67.18.52.95 | 143 | Minor | Block | 0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN) | 1/28/2005 3:04:17 | 1/28/2005 3:11:09 | 1 |
| 8 | 38.115.168.231 | 67.18.52.95 | 1 | Minor | Block | 0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN) | 1/28/2005 3:04:01 | 1/28/2005 3:04:17 | 1 |
| 9 | 38.115.168.231 | 67.18.52.95 | 1 | Minor | Block | 0317: Nmap scanner: NULL OS Fingerprinting Probe | 1/28/2005 3:04:01 | 1/28/2005 3:04:17 | 1 |
| 10 | 38.115.168.231 | 67.18.52.95 | 53 | Minor | Block | 0560: DNS: Version Request (udp) | 1/28/2005 3:04:01 | 1/28/2005 3:04:43 | 1 |
| 11 | 38.115.168.231 | 67.18.52.95 | 2 | Minor | Block | 0321: Nmap scanner: FUP OS Fingerprinting Probe | 1/28/2005 3:04:01 | 1/28/2005 3:04:17 | 1 |
| 12 | 38.115.168.231 | 67.18.52.95 | 80 | Minor | Block | 1194: HTTP: IIS Translate:f Exploit | 1/28/2005 2:52:01 | 1/28/2005 3:05:12 | 1 |
| 13 | 202.99.177.59 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/28/2005 2:39:58 | 1/28/2005 2:39:58 | 1 |
| 14 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0495: HTTP: Shell Command Execution (cmd.exe) | 1/28/2005 1:24:07 | 1/28/2005 3:17:30 | 4 |
| 15 | 195.141.101.158 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/28/2005 0:13:33 | 1/28/2005 0:13:33 | 1 |
| 16 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 2486: FPSE: FrontPage Server Extensions Chunked Transfer Overflow | 1/27/2005 23:50:25 | 1/28/2005 3:08:38 | 1 |
| 17 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0263: HTTP: PHF Command Execution Exploit | 1/27/2005 21:46:01 | 1/28/2005 3:08:21 | 16 |
| 18 | 209.133.64.51 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 20:16:28 | 1/28/2005 1:08:07 | 2 |
| 19 | 210.245.226.219 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 19:09:57 | 1/27/2005 19:09:57 | 1 |
| 20 | 219.150.161.16 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 19:06:58 | 1/27/2005 19:07:00 | 1 |
| 21 | 38.115.168.231 | 67.18.52.95 | 80 | Minor | Block | 0884: HTTP: perl.exe Access | 1/27/2005 18:18:01 | 1/28/2005 3:18:01 | 16 |
| 22 | 217.8.185.146 | 67.18.52.95 | 25 | Minor | Block | 0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN) | 1/27/2005 17:45:01 | 1/27/2005 17:45:42 | 1 |
| 23 | 69.2.200.182 | 67.18.52.95 | 53 | Minor | Block | 0560: DNS: Version Request (udp) | 1/27/2005 16:51:01 | 1/27/2005 16:51:15 | 1 |
| 24 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 1214: HTTP: Apache2.pl Exploit | 1/27/2005 15:29:01 | 1/28/2005 3:18:01 | 26 |
| 25 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0983: HTTP: TalentSoft webplus Directory Traversal Exploit | 1/27/2005 14:57:01 | 1/28/2005 3:15:01 | 16 |
| 26 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0870: HTTP: ftp.pl Exploit | 1/27/2005 14:47:01 | 1/28/2005 3:14:01 | 16 |
| 27 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 1695: HTTP: .bat Command Execution | 1/27/2005 14:45:01 | 1/28/2005 3:16:17 | 17 |
| 28 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0720: HTTP: Big Brother bb-hostsvc.sh Exploit | 1/27/2005 14:37:01 | 1/28/2005 3:11:38 | 16 |
| 29 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0825: HTTP: apexec.pl Exploit | 1/27/2005 14:37:01 | 1/28/2005 3:17:01 | 16 |
| 30 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0542: HTTP: pals-cgi Code Execution or File Read | 1/27/2005 14:36:01 | 1/28/2005 3:13:01 | 18 |
| 31 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 1739: HTTP: htsearch File Disclosure Exploit | 1/27/2005 14:35:01 | 1/28/2005 3:12:01 | 16 |
| 32 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0726: HTTP: commerce.cgi Exploit | 1/27/2005 14:35:01 | 1/28/2005 3:08:20 | 16 |
| 33 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0737: HTTP: faxsurvey Exploit | 1/27/2005 14:34:01 | 1/28/2005 3:15:17 | 16 |
| 34 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0771: HTTP: htgrep Exploit | 1/27/2005 14:33:01 | 1/28/2005 3:08:15 | 16 |
| 35 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0544: HTTP: wayboard.cgi Directory Traversal | 1/27/2005 14:32:01 | 1/28/2005 3:10:01 | 18 |
| 36 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0923: HTTP: Thinking Arts store.cgi Exploit | 1/27/2005 14:30:01 | 1/28/2005 3:11:42 | 16 |
| 37 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0990: HTTP: Webstore Exploit | 1/27/2005 14:29:01 | 1/28/2005 3:16:01 | 16 |
| 38 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0988: HTTP: webspirs Exploit | 1/27/2005 14:27:01 | 1/28/2005 3:15:47 | 16 |
| 39 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 1001: HTTP: YaBB.pl Exploit | 1/27/2005 14:26:01 | 1/28/2005 3:11:50 | 16 |
| 40 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0883: HTTP: cal_make.pl Exploit | 1/27/2005 14:25:01 | 1/28/2005 3:11:53 | 16 |
| 41 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0911: HTTP: Armada search.cgi Exploit | 1/27/2005 14:24:01 | 1/28/2005 3:20:06 | 16 |
| 42 | 69.159.200.198 | 67.18.52.95 | 80 | Minor | Block | 0292: Invalid TCP Traffic: Possible nmap Scan (No Flags) | 1/27/2005 14:21:01 | 1/27/2005 16:07:21 | 1 |
| 43 | 38.115.168.231 | 67.18.52.95 | 3306 | Critical | Block | 2902: MySQL: MySQL Authentication Bypass | 1/27/2005 14:17:01 | 1/28/2005 3:15:20 | 1 |
| 44 | 38.115.168.231 | 67.18.52.95 | 53 | Minor | Block | 0567: DNS: Authors Request (tcp) | 1/27/2005 14:10:01 | 1/28/2005 3:04:46 | 1 |
| 45 | 38.115.168.231 | 67.18.52.95 | 53 | Minor | Block | 0568: DNS: Version Request (tcp) | 1/27/2005 14:08:01 | 1/28/2005 3:05:01 | 2 |
| 46 | 82.224.80.57 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 13:09:18 | 1/27/2005 13:09:18 | 1 |
| 47 | 204.186.56.15 | 67.18.52.95 | 25 | Major | Block | 2686: SMTP: Beagle J Virus Propagation | 1/27/2005 10:28:01 | 1/27/2005 10:30:44 | 3 |
| 48 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 1328: HTTP: viewcode.jse Exploit | 1/27/2005 8:06:01 | 1/28/2005 3:05:05 | 1 |
| 49 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0778: HTTP: htsearch Exploit | 1/27/2005 8:06:01 | 1/28/2005 3:09:01 | 16 |
| 50 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0818: HTTP: admin.php Exploit | 1/27/2005 8:06:01 | 1/28/2005 3:13:31 | 16 |
| 51 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0524: HTTP: pollit Exploit | 1/27/2005 7:54:01 | 1/28/2005 3:16:57 | 16 |
| 52 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0790: HTTP: infosrch Exploit | 1/27/2005 7:54:01 | 1/28/2005 3:09:01 | 18 |
| 53 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0833: HTTP: mmstdod Exploit | 1/27/2005 7:54:01 | 1/28/2005 3:09:01 | 16 |
| 54 | 38.115.168.231 | 67.18.52.95 | 53 | Minor | Block | 0561: DNS: Authors Request (udp) | 1/27/2005 7:29:01 | 1/28/2005 3:04:37 | 1 |
| 55 | 66.138.244.33 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 3:30:50 | 1/27/2005 3:30:52 | 1 |
| 56 | 61.134.62.4 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 3:19:28 | 1/27/2005 3:19:29 | 1 |
| 57 | 211.241.96.129 | 67.18.52.95 | 25 | Minor | Block | 0291: Invalid TCP Traffic: Possible nmap Scan (FIN no ACK) | 1/27/2005 2:28:01 | 1/28/2005 2:13:01 | 32 |
| 58 | 60.2.5.33 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 2:10:34 | 1/27/2005 2:10:34 | 1 |
| 59 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0992: HTTP: whoisraw CGI Exploit | 1/27/2005 2:10:01 | 1/28/2005 3:11:50 | 16 |
| 60 | 202.99.159.6 | 67.18.52.95 | 1434 | Critical | Block | 1456: MS-SQL: Slammer-Sapphire Worm | 1/27/2005 2:07:41 | 1/27/2005 2:07:41 | 1 |
| 61 | 38.115.168.231 | 67.18.52.95 | 80 | Minor | Block | 0984: HTTP: TalentSoft webplus IP Address Exploit | 1/27/2005 1:45:01 | 1/28/2005 3:10:35 | 26 |
| 62 | 38.115.168.231 | 67.18.52.95 | 80 | Major | Block | 0548: HTTP: sojourn.cgi Directory Traversal | 1/27/2005 1:09:01 | 1/28/2005 3:18:39 | 16 |
| 63 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 2362: HTTP: myPHPNuke PHP File Include Vulnerability | 1/26/2005 23:52:01 | 1/28/2005 3:20:01 | 16 |
| 64 | 38.115.168.231 | 67.18.52.95 | 80 | Critical | Block | 0948: HTTP: test-cgi Exploit | 1/26/2005 23:51:01 | 1/28/2005 3:09:01 | 16 |

Close to 700 attacks were stopped in about a two-day period on a single server. This is the first report I have looked at for any of the servers, so I'm sure a greater number of attacks were stopped on other boxes! Everyone's uptime and server stability has been improved greatly by this network upgrade. I'm very excited and I just want everyone to see how much this thing is doing.
__________________
Gators love marshmallows.
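A defender reading a report like the one above usually wants two checks the headline number does not give: does the hit-count column really add up to the quoted total, and how concentrated is the activity by source? The parser and summary below are an added example, not part of the original post or of any HostGator tooling; the row format is assumed to be the space-separated layout of the report above, and the sample input is a handful of rows copied from it, not the full table.

```python
import re
from collections import Counter, defaultdict

# One row as it appears in the report above: count, source IP, dest IP, dest
# port, severity, alert type, free-text description, begin time, end time,
# hit count. The description may contain spaces and colons, so it is matched
# non-greedily and the two timestamps that follow it anchor its end.
ROW_RE = re.compile(
    r"^(?P<n>\d+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<port>\d+) (?P<sev>Critical|Major|Minor) (?P<action>\w+) "
    r"(?P<desc>.+?) (?P<begin>\d+/\d+/\d{4} \d+:\d\d:\d\d) "
    r"(?P<end>\d+/\d+/\d{4} \d+:\d\d:\d\d) (?P<hits>\d+)$"
)

# Sample rows copied from the report above (a subset, not the whole table).
SAMPLE = """\
4 38.115.168.231 67.18.52.95 80 Critical Block 0236: HTTP: Nimda Attack (cmd.exe) 1/28/2005 3:09:22 1/28/2005 3:09:22 1
6 38.115.168.231 67.18.52.95 80 Critical Block 1279: HTTP: Shell Command Execution (winnt/system32/cmd.exe) 1/28/2005 3:08:01 1/28/2005 3:22:00 52
13 202.99.177.59 67.18.52.95 1434 Critical Block 1456: MS-SQL: Slammer-Sapphire Worm 1/28/2005 2:39:58 1/28/2005 2:39:58 1
24 38.115.168.231 67.18.52.95 80 Major Block 1214: HTTP: Apache2.pl Exploit 1/27/2005 15:29:01 1/28/2005 3:18:01 26
43 38.115.168.231 67.18.52.95 3306 Critical Block 2902: MySQL: MySQL Authentication Bypass 1/27/2005 14:17:01 1/28/2005 3:15:20 1
57 211.241.96.129 67.18.52.95 25 Minor Block 0291: Invalid TCP Traffic: Possible nmap Scan (FIN no ACK) 1/27/2005 2:28:01 1/28/2005 2:13:01 32
"""

def parse_report(text):
    """Parse report rows into dicts; raise on a row the pattern cannot explain."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable row: " + line)
        d = m.groupdict()
        d["port"], d["hits"] = int(d["port"]), int(d["hits"])
        rows.append(d)
    return rows

def summarize(rows):
    """Total blocked hits, hits per source and per severity, and the top source."""
    by_src, by_sev, ports = Counter(), Counter(), defaultdict(set)
    for r in rows:
        by_src[r["src"]] += r["hits"]
        by_sev[r["sev"]] += r["hits"]
        ports[r["src"]].add(r["port"])
    total = sum(by_src.values())
    top_src, top_hits = by_src.most_common(1)[0]
    return {"total_hits": total, "by_source": dict(by_src),
            "by_severity": dict(by_sev), "top_source": top_src,
            "top_source_share": top_hits / total,
            "top_source_ports": sorted(ports[top_src])}
```

Run over the full table, the same summary shows that most of the "close to 700" hits come from one source scanning many CGI and HTTP signatures, with the Slammer and SMTP rows coming from scattered hosts; that distinction matters when deciding whether to block a source or just keep the signatures.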
#2
Thanks for posting that Brent! Very impressive (and scary). Just another reason I am glad I switched to hostgator.
#3
By looking at the log, I hope that was not an MS server, as it looks like most of it is targeted at MS commands and files?
Thank you Linux...!
#4
Let me lead in with this: I'm in no way trying to talk you out of leaving here. In fact, I left about a month ago to a VPS. I still have an active account just because of the free months I got after the Supra fiasco. But, I like these forums; that's why I still hang out here.
But, on to my point, I was with StartLogic for a while. Honestly I can't recall the exact events, but I had a bad experience with them. I do remember it being related to billing (like being billed twice or something). I know that's not a really convincing argument, but just keep in mind they're not as perfect as a lot of their writeups show. Of course, nobody is. Even a perfect host will have a few users with problems. - Ryan
#5
I will not go with SL (edited) because they don't have a user forum. Granted that HostGator's track record is not as nice as I would like, but at least it has an uncensored forum. I can at least get some information for other people.
#6
Sorry, I had to remove the posts soliciting other hosting companies. This is one thing we do moderate.
__________________
Gators love marshmallows.
#7
... and does this explain why mercedes has been down for at least the past half hour?