Dyce & Sons Ltd.

Helping IT since 1993

How The Developer Learned His Lesson

Thursday 15th August, 2013

Are you sitting comfortably? Then I’ll begin…

I recently had a major panic when I received a charming email from the ‘Abuse’ boys at 1and1. And judging by the email, they take the title quite seriously. The important section of the email (my emphasis) was:

Your account activity has demonstrated that your site deserves its own server to better suit its performance needs.

Please visit 1and1.com to review the server products we offer. You will have one (1) month to make a decision and migrate your account over to a 1&1 server or another host provider.

You can choose to return your account back to the previous state (unlocked), provided that you take steps to reduce resource usage of your account. If the account has to be locked again you will only have the option of purchasing a dedicated server account to continue hosting with 1&1 Internet.

Please reply to this email promptly. Further questions/comments should be directed to blah blah blah….

The problem I had with this was the context.

Only a month earlier I’d received an email from 1&1 telling me that all I had to do to get a wonderful upgrade (to minor features I didn’t want) was … to do nothing. And I would be moved to a new tariff. How wonderful. If I didn’t want to take advantage of these great features … blah … then please get in touch.

I promptly replied, and was told, no problem, nothing would be done, and I wouldn’t be receiving the unrequested tariff upgrade.

Now this server does practically nothing. Serves a few small websites, and really just acts as storage space when working for clients who have a pathological objection to DropBox. There was, as far as I was aware, no usage issue.

I called up tech support (funny, the free 0800 number is now absent from the contact details on the website), and was told, no there was no problem, my site wasn’t locked, and everything was fine. Really.

I now have my tin-foil hat on, and I’m thinking - yep, scam. For you, the cheap hosting is over tommy, you vill upgrade.

I then ring the abuse team. I’m quite cross right now. I get a man whose US nasal tones remind me of the teacher in Charlie Brown. Tin-foil prejudice kicks up a gear, and I think, deliberate choice to man this department.

He informs me that, actually, no there was a problem - my Wordpress site was being brute-force attacked, and it was slowing down the machine that my shared instance is running on. He then hangs up.

Okay, having calmed down, and removed said tin-foil accoutrement, I see that yep, actually, 1&1 are probably not the bogeyman, and I probably should do something about it. I email them asking them for the evidence. They send me some logs, which I swear I looked for (but probably had “my bloke-eyes in”, as my wife would say).

log | cut -d\  -f 7 | cut -d\? -f 1 | sort | uniq -c | sort -k 1 -r -n | head -n 10
101558 /wp-login.php
   259 /robots.txt
   247 /
    77 /cron.php
    20 /images/fireplace.jpg
     8 /2009/10/28/more-than-just-files/
     6 /admin.php
     6 /administrator/index.php
     5 /2013/07/11/anniversaries/
     3 /index.php

As you can see traffic spiked yesterday. Judging from today’s access log the source of the load is brute force attacks on your Wordpress. Please see http://codex.wordpress.org/Brute_Force_Attacks

Nice bit of one-liner shell there.
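As an added example (not from the post or from 1&1’s email), here is that one-liner wrapped in a small POSIX shell script that also pivots the wp-login.php hits by client IP, which is what separates a brute-force flood from ordinary traffic. The log lines, IP addresses and threshold are constructed; the log format assumed is the usual Apache/nginx combined format, with the client IP first and the request path as the seventh field.

```shell
#!/bin/sh
# Added example, not code from the original post or from 1&1.
# Assumes combined log format: client IP is field 1, request path is field 7.

# Constructed sample log: a little normal traffic plus a login flood from two IPs.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [14/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Aug/2013:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Aug/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "-"
198.51.100.7 - - [14/Aug/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "-"
198.51.100.7 - - [14/Aug/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "-"
198.51.100.8 - - [14/Aug/2013:10:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 200 3200 "-" "-"
198.51.100.8 - - [14/Aug/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "-"
203.0.113.10 - - [14/Aug/2013:10:00:06 +0000] "GET /2013/07/11/anniversaries/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
EOF
}

# Same idea as the 1&1 one-liner: most requested paths, query string stripped.
# $1 = log file, $2 = how many rows to show (default 10).
top_paths() {
    cut -d' ' -f7 "$1" | cut -d'?' -f1 | sort | uniq -c | sort -k1,1 -rn | head -n "${2:-10}"
}

# Hits on wp-login.php per client IP; any IP above the threshold is reported
# as a probable brute-force source. $1 = log file, $2 = threshold (default 2).
login_hits_per_ip() {
    awk -v thr="${2:-2}" '$7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }' "$1" | sort -rn
}

log=$(mktemp)
make_sample_log "$log"
echo "== top paths =="
top_paths "$log" 5
echo "== wp-login.php hits per IP above threshold 2 =="
login_hits_per_ip "$log" 2
rm -f "$log"
```

On the sample log the per-IP view reports only 198.51.100.7 (three hits), while the path view shows wp-login.php as the top path just as in the 1&1 output.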

And the sentiment was really much closer to what I would have expected from (a) the original email (fail: boilerplate), or (b) the ever unhelpful cartoon primary teacher manning the abuse desk. (I did wonder if the phone support had been told they were there to spot it, not give it out? Or are they just so used to taking it?)

I’m a definite gamma male. I can ask for directions when driving, and put my hands up when I’m in the wrong. I was wrong to jump to the conclusions I did (nagging voice: sure?)

I come down from defcon 1 and have a think.

But, obviously not a deep think, as will become apparent shortly.

I fire up an FTP connection, and delete the blog folder. I then ping the abuse desk and ask that my site be unlocked. I breathe a sigh of relief. I then spend twenty minutes sticking up possibly the most horrendous bootstrap-based holding page, just to stop dyce.com showing up as 1&1’s default “site not found, but would you like to buy some cheap tat from one of our affiliates?” page.

Can you spot the inadvertent mistake? Yup, deleted the blog folder. We’ll come back to that.

Eventually I get an email back from 1&1 telling me they’ve unlocked the account (which in fact was not locked in the first place) and that I appear to have resolved the issue.

From their end certainly. But no blog.

“How am I reading this?”, you may wonder.

And that, oh dearly beloved, is a tale for another time.