From: "Massimo S."
Reply-To: ml@ecomstation.it
To: eCS ISP Mailing List
Subject: Re: [eCS-ISP] pings from AWS IPs/servers
Organization: eComStation dot it
Date: Wed, 5 Feb 2020 20:45:00 +0100

On 05/02/2020 20:08, Lewis G Rosenthal wrote:
> Hi, Max...
>
> On 02/05/20 06:17 am, Massimo S. wrote:
>> Hi all,
>>
>> anyone has the same experience?
>>
>> my webserver is being pinged by at least 113 different IPs/servers
>> all with fqdn like "ecs-......compute.amazonaws.com"
>>
>> i'm writing deny rules, since i've enough that someone ping my webserver
>> i'm at 113 rules at the moment 8-)
>>
>> any comment?
>> any idea?
>> why they ping my server?
>> maybe it's a botnet?
>>
>
> No idea.
> Here, looking at today's stats, we're being hit by two IPs from Panama
> (about 300 packets in total - LOL).
>
> Last month, our biggest offenders came from Ireland and Panama. These
> appear to have been SQL injection attempts. The Panamanian host appears
> to be coming from directwebhost.org.

here too i've banned those ip directly on the router ACLs ...

>
> If you are concerned about malicious activity, you should probably
> contact Amazon:
>
> https://aws.amazon.com/premiumsupport/knowledge-center/report-aws-abuse/
>
> Asking us here is not likely to get you any useful results, because as
> you can see, we typically have different experiences at different times.
>
> GL

i guess that sharing this kind of info is always useful ;)

massimo