
Reporting server abuse coming from a Plusnet IP

SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007


A week ago I sent an email to abuse@plus.net concerning a compromised machine which is running some pretty stupid malware.
It went quiet for a week but it's back on the same IP address, which suggests either the machine has got re-infected or it's cycling round a list of targets.
I've put a .htaccess rule in to block it but obviously the machine is still compromised.
The logs it's leaving behind look like this:
212.159.xxx.xxx - - [31/May/2015:10:46:56 +0100] "GET /Ringing.at.your.dorbell! HTTP/1.0" 403 306 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET / HTTP/1.1" 403 277 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" 127.0.0.1
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET /Diagnostics.asp HTTP/1.0" 403 297 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [31/May/2015:10:46:57 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
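
An added example, not part of the original post: one way to turn log lines in this format into the per-burst summary (UTC timestamps, request count, paths) an abuse desk can act on. The sample lines are constructed, 192.0.2.10 is a placeholder documentation address, the trailing field is assumed to be the requested host, and the 10-minute burst gap is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the thread's format (combined log plus a trailing host field).
SAMPLE = '''\
192.0.2.10 - - [31/May/2015:10:46:56 +0100] "GET /Ringing.at.your.dorbell! HTTP/1.0" 403 306 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
192.0.2.10 - - [31/May/2015:10:46:57 +0100] "GET /Diagnostics.asp HTTP/1.0" 403 297 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
192.0.2.10 - - [03/Jun/2015:11:56:39 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
192.0.2.10 - - [03/Jun/2015:12:14:23 +0100] "GET / HTTP/1.1" 403 277 "-" "x00_-gawa.sa.pilipinas.2015" 127.0.0.1
198.51.100.7 - - [03/Jun/2015:12:15:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" www.tty.org.uk
'''

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)')

def summarise(log_text, ua_marker, gap=timedelta(minutes=10)):
    """Group hits whose User-Agent contains ua_marker into per-IP bursts (UTC)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and ua_marker in m["ua"]:
            # Convert the server's local timestamp to UTC for the report.
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            hits[m["ip"]].append((when, m["path"], m["host"]))
    report = {}
    for ip, rows in hits.items():
        rows.sort()
        bursts = [[rows[0]]]
        for row in rows[1:]:
            # A new burst starts when the quiet period exceeds `gap`.
            if row[0] - bursts[-1][-1][0] > gap:
                bursts.append([row])
            else:
                bursts[-1].append(row)
        report[ip] = [{"first_utc": b[0][0].isoformat(), "last_utc": b[-1][0].isoformat(),
                       "requests": len(b), "paths": sorted({r[1] for r in b}),
                       "hosts": sorted({r[2] for r in b})} for b in bursts]
    return report

if __name__ == "__main__":
    for ip, bursts in summarise(SAMPLE, "gawa.sa.pilipinas").items():
        for b in bursts:
            print(ip, b)
```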

7 REPLIES
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Reporting server abuse coming from a Plusnet IP

No harm in submitting another abuse report, Steve. If it's still happening, then PM me the offending IP address and an excerpt from the logs and I'll make sure it's being seen to.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Reporting server abuse coming from a Plusnet IP

I've sent another report in.
Steve
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Reporting server abuse coming from a Plusnet IP

Bob
I got a response from [CSA name removed] so hopefully the problem is now resolved.
Steve

[adie: removed CSA name as per rules]
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Reporting server abuse coming from a Plusnet IP

But apparently no-one did anything as exactly the same IP address was back on June 3rd doing exactly the same thing:
212.159.xxx.xxx - - [03/Jun/2015:11:56:39 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:11:56:40 +0100] "GET / HTTP/1.1" 403 277 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" 127.0.0.1
212.159.xxx.xxx - - [03/Jun/2015:11:56:40 +0100] "GET /Diagnostics.asp HTTP/1.0" 403 297 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:11:56:40 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:11:56:40 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:11:56:40 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:23 +0100] "GET /Ringing.at.your.dorbell! HTTP/1.0" 403 306 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:23 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:24 +0100] "GET / HTTP/1.1" 403 277 "http://google.com/search?q=2+guys+1+horse" "x00_-gawa.sa.pilipinas.2015" 127.0.0.1
212.159.xxx.xxx - - [03/Jun/2015:12:14:24 +0100] "GET /Diagnostics.asp HTTP/1.0" 403 297 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:25 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:26 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
212.159.xxx.xxx - - [03/Jun/2015:12:14:26 +0100] "GET / HTTP/1.0" 403 282 "-" "x00_-gawa.sa.pilipinas.2015" www.tty.org.uk
So did the CS representative actually do anything?
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Reporting server abuse coming from a Plusnet IP

The owner of the IP in question was contacted on the 2nd. Have there been any further instances since the 3rd?

Bob Pullen
Plusnet Product Team

SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Reporting server abuse coming from a Plusnet IP

Not that I've seen but it seems to be several days between hits.
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Reporting server abuse coming from a Plusnet IP

Drop me another message if you notice it again.

Bob Pullen
Plusnet Product Team