
Abuse of an IP in my logs

Medium Priority
191 Views
Last Modified: 2019-09-27
Hello,

My site has not stopped crashing for a while.
I was advised to check my logs, and I see this IP 150,918 times in my logs from 00:00:07 am to 12:36:01 am.

[screenshot: ip.png]
What do you advise me to do?

I added this line, Deny from 104.248.248.206, to my .htaccess but the IP continues to show...

Thank you for your advice,
Jaber

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The IP address seems to belong to DigitalOcean. Do you use them (or a service that does) for anything?

Also, this looks like outbound traffic, not inbound. So if this should be blocked, you need to deny traffic *to* 104.248.248.206. Note: If for some reason you do use something from DigitalOcean, you may notice that something suddenly ceases to work.

Author

Commented:
I use Microsoft Office Exchange...
But oddly it's the only IP address in addition to my host ...
I do not understand why my site crashes in this case and returns 408 and 504 errors...

If I have to check the logs as I have been advised, what should I look at?

And Microsoft Exchange is on a different link from my site (ex.mail.ovh.net/) which has nothing to do with my domain ... so why do I have this IP 150,000 times?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I corrected my post (I think Microsoft does have a bunch of 104.x.x.x addresses as well, hence my error in the initial writing). However, you're going to need to check on your site exactly what process is connecting outward.

Author

Commented:
The only modules that call out to the exterior are:
- Pixel Facebook
- bootstrapcdn
- unpkg for popper.js
- google.com/recaptcha

these are the only elements that call the outside...

Author

Commented:
Also, this looks like outbound traffic, not inbound. So if this should be blocked, you need to deny traffic *to* 104.248.248.206. Note: If for some reason you do use something from DigitalOcean, you may notice that something suddenly ceases to work.
I do not use anything (to my knowledge) from this DigitalOcean site.
The only problem I have is that my site is sluggish and crashes.

So I added this line to my .htaccess:
Deny from 104.248.248.206
But the result is the same.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I think you missed my point. You're blocking traffic coming *from* that IP address. I'm suggesting blocking traffic *to* that IP address. Same idea, different direction.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Do you have a network firewall for your site?

Author

Commented:
I am on shared hosting. I think so, but the only files OVH lets us change are .htaccess and .ovhconfig.

Here is what I have in my .ovhconfig:
app.engine=php
app.engine.version=7.2
http.firewall=none
environment=production
container.image=stable
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I'm looking at your screenshot again, and have to ask the following:
  • What is the range of your logs you're searching within? (Starting time/date, ending time/date)
  • Is anything set up to let you block outbound connections from your server? (This is where your problem really lies)
  • Do you have access to the command line on your server? You should look at what processes are consuming your memory, along with what is making connections to the IP in question. Because if a process is constantly trying to connect to that IP, even if you block it, you may still be consuming a lot of memory on the server. Which would still leave you needing to solve that issue.

Author

Commented:
  • Looking at the log file, the first appearance is at 00:00:07 am. This IP still continues to be displayed at this time.
  • I do not know; being on shared hosting, I cannot answer this question. I will ask my host.
  • Again, I cannot answer that question. But I confirm that I do not have access to the command line.
If I have to ask my host, what should I ask them concretely?
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Likely you'll have to get into your machine + look at other logs.

You'll have to determine whether the HTTPS requests are actually valid requests (like broken crawlers) or DDoS attacks.

In either case you can use a combination of iptables + Fail2Ban recipes to throttle crawler/indexer traffic + block attack traffic + allow other traffic to flow at full speed.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I can think of 4 questions to ask:
  • First of all ask whether the connections involving that IP address are from or to your server. (From what I can see, it seems that your server is making the connections to that IP)
  • Assuming my theory to be true, ask which process on the server is making all of the connections to that IP address. (They will either give a concrete answer or make you do it yourself)
  • You can ask why those connections are getting made, but it is most likely something you or some other party involved with the site set up.
  • Ask how you can block OUTGOING connections to an IP address
Group MD
CERTIFIED EXPERT
Commented:
The IP address 104.248.248.206 (on port TCP 443) resolves to an online exchange rate service, and it is likely that your website either has an embedded frame loading content from that website (https://exchangerate.guru/) or you have managed to inject some SEM/SEO malware into your website.

Look at the source (HTML) of your website and find any reference to the above website/domain and that will be the cause for all of your outgoing calls. This could be a JavaScript call, an iFrame or even just a couple of images.

In turn, if that particular service (exchangerate.guru) is genuine, then they may be blocking calls from your IP address, which would in turn cause your website to appear to be broken as it attempts to continually load content from them.
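The check described above, finding every reference in the page source that makes the visitor's browser (or the server, if the page is assembled server-side) call a third-party host, is easy to script. The following is an added example, not code from the thread or from OVH; it uses only the Python standard library, and the sample HTML is constructed to mirror the asker's list of external modules plus the exchange-rate widget. It goes slightly beyond the post by grouping all external hosts, not just the one domain, so the result can be compared against the list of modules the site is supposed to use.

```python
"""List third-party hosts referenced by an HTML page (added example, not from the thread)."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a browser fetch a remote resource.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ExternalRefParser(HTMLParser):
    """Collects (tag, url) pairs whose host differs from the site's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.refs = defaultdict(list)  # host -> [(tag, url), ...]

    def handle_starttag(self, tag, attrs):
        for wanted in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self._record(tag, value.strip())

    def _record(self, tag, url):
        # urlsplit handles absolute and protocol-relative ("//host/...") URLs;
        # relative paths and javascript: URLs have no hostname and are skipped.
        host = urlsplit(url).hostname
        if not host or host.lower() == self.site_host:
            return  # same-origin: no outbound call to a third party
        self.refs[host.lower()].append((tag, url))


def external_references(html, site_host):
    """Return {host: [(tag, url), ...]} for every third-party host in the page."""
    parser = ExternalRefParser(site_host)
    parser.feed(html)
    parser.close()
    return dict(parser.refs)


def references_to(html, site_host, domain):
    """Return the references whose host is `domain` or a subdomain of it."""
    domain = domain.lower()
    return [
        ref
        for host, refs in external_references(html, site_host).items()
        if host == domain or host.endswith("." + domain)
        for ref in refs
    ]


# Constructed sample page: the asker's known modules plus an exchange-rate embed.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap.min.css">
<script src="https://unpkg.com/popper.js/dist/umd/popper.min.js"></script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<script src="/js/site.js"></script>
</head><body>
<iframe src="https://exchangerate.guru/widget?base=EUR" width="300"></iframe>
<img src="//exchangerate.guru/flags/eur.png">
<img src="https://www.example.com/logo.png">
<a href="javascript:void(0)">menu</a>
</body></html>
"""

if __name__ == "__main__":
    # The site host is an assumption; replace it with your own domain.
    for host, refs in sorted(external_references(SAMPLE_HTML, "www.example.com").items()):
        print(host)
        for tag, url in refs:
            print(f"    <{tag}> {url}")
```

Run it against the saved HTML of each page (for example `open("index.html").read()` in place of `SAMPLE_HTML`); any host that is not on the asker's list of four intended modules is a candidate for the outbound calls seen in the log.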

Author

Commented:
Thank you all for your invaluable help.

Indeed, it took me time, and above all some luck, to detect this IP among many others.
It came from this module, which was consuming an enormous amount ...

I disabled this module from my pages and moved it into a cron task.
My site became more fluid and no more errors were displayed.

I thank all the experts for your help and consider the topic solved.
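The fix the author settled on, moving the third-party fetch out of the request path into a cron job, works because page views then read a local file and never wait on the remote service. The following is an added example of that pattern, not the author's code and not tied to any real exchange-rate API: the URL and cache path are placeholders, and the demo drives the cron entry point with constructed fake fetchers so it runs offline. The point it adds to the thread is the failure handling: a fetch that hangs or returns garbage must leave the previous cache in place, so the site keeps serving (possibly stale) data instead of erroring.

```python
"""Scheduled fetch with a local cache (added example, not the author's code)."""
import json
import os
import tempfile
import time
import urllib.request

# Placeholders (assumptions): the remote resource and a path writable by the cron user.
EXAMPLE_URL = "https://example.invalid/rates.json"
CACHE_PATH = "/var/www/cache/rates.json"
MAX_AGE = 3600  # seconds after which the cached data is flagged as stale


def default_fetch(url, timeout=5):
    """Network fetch with a hard timeout so a hung remote cannot block the cron job."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def refresh_cache(url, cache_path, fetch=default_fetch):
    """Cron entry point. Returns True if the cache was replaced.

    On any failure (timeout, HTTP error, invalid JSON) the existing cache is
    left untouched, so page views keep working on the last good data.
    """
    try:
        data = json.loads(fetch(url))  # validate before overwriting anything
    except Exception:
        return False
    payload = {"fetched_at": time.time(), "data": data}
    # Write to a temp file in the same directory, then rename: readers never
    # see a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cache_path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(payload, f)
    os.replace(tmp, cache_path)
    return True


def read_cache(cache_path, max_age=MAX_AGE, now=None):
    """Page-side read: no network I/O. Returns (data, stale); data is None if no cache."""
    try:
        with open(cache_path) as f:
            payload = json.load(f)
    except (OSError, ValueError):
        return None, True
    age = (now if now is not None else time.time()) - payload["fetched_at"]
    return payload["data"], age > max_age


def run_demo():
    """Walk through two cron runs and the page reads between them, offline."""
    path = os.path.join(tempfile.mkdtemp(), "rates.json")

    # Run 1: the remote answers (constructed fake response).
    first_ok = refresh_cache(path=path, url=EXAMPLE_URL,
                             fetch=lambda url, timeout=5: '{"EUR": 1.0, "USD": 1.1}',
                             cache_path=path) if False else refresh_cache(
        EXAMPLE_URL, path, fetch=lambda url, timeout=5: '{"EUR": 1.0, "USD": 1.1}')
    first_data, first_stale = read_cache(path)

    # Run 2: the remote hangs (simulated). The old cache must survive.
    def failing(url, timeout=5):
        raise TimeoutError("simulated hang of the third-party service")

    second_ok = refresh_cache(EXAMPLE_URL, path, fetch=failing)
    second_data, _ = read_cache(path)

    # A page read long after the last good fetch flags the data as stale.
    _, stale_later = read_cache(path, now=time.time() + 2 * MAX_AGE)

    return {"first_ok": first_ok, "first_data": first_data, "first_stale": first_stale,
            "second_ok": second_ok, "second_data": second_data, "stale_later": stale_later}


if __name__ == "__main__":
    # Cron line (assumption): */15 * * * * /usr/bin/python3 /path/to/refresh_rates.py
    print(run_demo())
```

The page template then calls `read_cache(CACHE_PATH)` and decides what to show when `stale` is true (for example, the old numbers with a "last updated" note); the rendering never blocks on the remote host.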