Hi all,

I've been reading just about everything in this forum, and its all great, but I have an issue, now I'm not a networking expert so please correct me if I am wrong.

I witnessed this live with TCPVIEW a utility that allows to monitor connections, I turn this on from time to time, This time however I turned it on cause I heard my PC going nuts (disk thrashing). What I saw was multiple connections to my computer, let me define multiple 100 connections in a period of 10 seconds. I have the log file and it looks like this, I wont post it all its much too big.

216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 168.95.5.49:25 HTTP/1.0" 200 423
216.75.18.65 - - [16/Apr/2006:16:49:11 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 168.95.5.27:25 HTTP/1.0" 200 423
216.75.2.225 - - [16/Apr/2006:16:49:12 -0400] "CONNECT 168.95.5.26:25 HTTP/1.0" 200 423
216.75.20.79 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.4:25 HTTP/1.0" 200 423
216.75.20.133 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.46:25 HTTP/1.0" 200 423
66.240.231.145 - - [16/Apr/2006:16:49:13 -0400] "CONNECT 168.95.5.11:25 HTTP/1.0" 200 423
216.75.20.79 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 203.84.195.1:25 HTTP/1.0" 200 423
66.240.231.145 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 168.95.5.47:25 HTTP/1.0" 200 17796
216.75.20.79 - - [16/Apr/2006:16:49:14 -0400] "CONNECT 168.95.5.9:25 HTTP/1.0" 200 17795

now this log snippet goes on for about 5 MB with the ip changing continuously.

Obviously I was forced to shutdown the server and began my defense planning.

Being that I installed a server and b2e only days ago I did not have a disaster recovery plan. (server been up 3 days), wow! go figure.

1- First things first - I enabled mod rewrite thanks to some tips I found on the web. It goes something like this:

#php_flag magic_quotes_gpc off
Options +FollowSymLinks -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^CONNECT
RewriteRule .*$ - [F]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [S=35]
</IfModule>

The (RewriteCond %{REQUEST_METHOD} ^CONNECT) part I found googling, I tested it with telnet and seems to work, cant tell realy until next attack.

I then began analyzing the log fishing for ip's and thanks to apache's support page added the following:

<limit GET>
order allow,Deny
allow from all
##attacker ip's
deny from 216.75.0.0/18
deny from 216.75.2.0/24
deny from 202.43.0.0/16
</Limit>

I did not list all the network id's here the list is much too long, the snippet is just an example. I actually did a whois on every ip then with a CIDR convertor denied the whole range. Just as an F.Y.I 80% of the ip's were in Asia, 20% in the US, Hotmail/Microsoft was part of it and so was Yahoo Asia.

I turned my server back on and fortunately, the attacker/s stopped, but I wont know how good all this realy is until the next time. Can you guys please advise me on what more I can do.

I dont want to give the attackers a forbidden message cause that will still drain my server, and denying a whole network id access just isn't right, some poor bloke in China may actually want to read my stuff, :)

Any help would be greatly appreciated, I know that there are some real guru's in here, I wont mention you by name, but some of the stuff you guys wrote in past posts are realy scarry 8| In an intelligent way.

Thanks in advance

Oh ya!, forgot to mention I did update my antispam database thanks b2e for that, it was the least tiresome part of this whole process.