My host for http://www.digitalartform.com keeps taking it offline, claiming that...
------
> > Please be advised that your hosting account digitalartform.com is in violation of our Internet Service Agreement at [redacted for this forum post] due to consistent 73% CPU usage by your website during the last 48 hours. CPU usage must never exceed 33% on shared hosting accounts. We have found the following to be the primary cause of your problem:
> >
> > [redacted for this forum post]
> >
> > Your /cgi-bin/mt/mt-comments.cgi script and associated php-cgi processes have crashed server 37 twice in the last two days.
> >
> > It appears that the script is being abused from one particular IP address, so you may be able to just use your traffic blocking tool to filter it.
> >
> >
> > Unfortunately, your website has caused downtime for other clients on your server on multiple occasions, and we must take immediate action to disable your account in order to preserve the quality and integrity of our service.
-----------------------------------------------------------
Does anyone have any insight into this? Should I block that IP and hope the problem doesn't come up again, or should I move the web site to someplace that is better equipped to handle this circumstance? (is there such a place?)
Reported on Movable Type 5

It would help to block the IP with MT's spam filter, but the best way is to block all access from the IP at the web server level, if your hosting has that kind of tool or allows you to configure Apache httpd.
Thank you.
I wonder if I should find a provider who can handle higher demands on the server, or if when I block one IP this problem will immediately resume on another one? Hard to predict that. I guess this is some sort of spam attack?
It is likely a spam attack. There is an IP ban list feature in Movable Type.
http://www.movabletype.org/documentation/appendices/config-directives/showipinformation.html
But your support is also mentioning a "traffic blocking tool to filter", and I think that is the best way to block broader address ranges.
For example, if you know about Apache and htaccess, you can configure it to deny/allow broader address ranges. The following .htaccess only allows HTTP posts from the IP addresses in Japan. (Do NOT try this since you are obviously not living in Japan!)
http://www.xrea.com/files/htaccess_allowjpaddr.txt
It would be better to block the IP based on an htaccess file. That way, Apache won't even attempt to load the script at all if it's that IP address doing the requesting.
thanks, everyone.
Blocking the IP address ultimately didn't help. The attack is from a new address now. The host has disabled the blog again.
Even though I have disabled comments there is a continuous attempt to post a comment which seems to stress the host server.
It's an ongoing /cgi-bin/mt/mt-comments.cgi POST attack. Any thoughts?
I have received that kind of direct access to mt-comments.cgi,
and blocked it with the following .htaccess file, placed at the same path as my mt-comments.cgi.
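# Set the variable "ref" when the Referer header starts with your own site's URL
SetEnvIf Referer "^http://www.YOURHOST.com" ref
# Deny every request by default, then allow only requests that have "ref" set
order deny,allow
deny from all
allow from env=ref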
Thank you for the information.
I'm afraid I'm a bit of a beginner with all of this. When you say YOURHOST would I substitute my own web site address itself? Or would I substitute an address associated with the company that hosts my web site and who keeps having to disable it?
He means your domain name.
thank you
Is that caret ^ required in the line
SetEnvIf Referer "^http://www.YOURHOST.com" ref
?
Yes. It means that the string starts with that value.
Thanks Mike,
Yes, it's a regex to indicate your domain.
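The Referer rule and the caret question from the thread above, worked through as an added example that is not part of the original posts: it emulates the SetEnvIf match (an unanchored regex search) and the deny/allow decision over constructed Referer values. `YOURHOST` is the thread's placeholder; the `STRICT` pattern and the sample requests are assumptions made for illustration.

```python
import re

# Pattern exactly as posted in the thread (YOURHOST is the thread's placeholder).
POSTED = r"^http://www.YOURHOST.com"
# Same pattern without the caret, to show what the anchor contributes.
UNANCHORED = r"http://www.YOURHOST.com"
# Tighter variant (assumption, not from the thread): dots escaped and the host
# terminated by "/" or end of string, so a longer hostname cannot match.
STRICT = r"^http://www\.YOURHOST\.com(/|$)"


def allowed(pattern, referer):
    """Emulate: SetEnvIf Referer <pattern> ref / deny from all / allow from env=ref.

    SetEnvIf does an unanchored, case-sensitive regex search, like re.search.
    A missing Referer header is matched as an empty value.
    """
    value = referer or ""
    return re.search(pattern, value) is not None


# Constructed sample requests: (description, Referer header or None if absent).
SAMPLES = [
    ("comment form on own entry page", "http://www.YOURHOST.com/2009/01/entry.html"),
    ("direct POST, no Referer", None),
    ("other site, own URL in query", "http://other.example/?u=http://www.YOURHOST.com"),
    ("longer hostname, same prefix", "http://www.YOURHOST.com.other.example/"),
]


def evaluate(pattern):
    """Return the allow (True) / deny (False) decision for each sample, in order."""
    return [allowed(pattern, ref) for _, ref in SAMPLES]


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("posted", POSTED), ("strict", STRICT)):
        print(f"{name:10} {pat}")
        for (desc, _), ok in zip(SAMPLES, evaluate(pat)):
            print(f"    {'allow' if ok else 'deny':5}  {desc}")
```

The Referer header is supplied by the client, so a rule like this only filters requests that omit it or send a different value.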