Well...one of our sites went from a few megs to 9Gb transfer usage almost overnight. In the logs, I found loads of entries from suhosin about "variable name length limits" being exceeded, along with the IPs in question. These all pointed back to MCI/Verizon in the US.
At that point I drew a blank, and informed the customer (one of our best/nicest/most wonderful) of my findings, and asked him if he had any clues because I certainly didn't.
He did some research and found http://www.katsbits.com/smforum/index.php?topic=293.0 which mentions a number of the IPs in question. [ Light Bulb! ]
It makes interesting reading. There's a bunch of IPs in there that I'd recommend adding to your firewalls to prevent this. Gods, I wonder if it was related to my Google AdSense banning? Surely Google would have noticed something like that and would not blame the webmaster.
Anyway...I've blocked the /24 on each of those ranges rather than just the ones mentioned, as a temporary measure. Unfortunately I can't figure out the /subnets to use and I'd rather not enter all those IPs individually, but I'll bite the bullet tomorrow and do so.
[EDIT: p.s. some, but not all, listed on project honeypot as "rule breakers" ]
Some IPs to add to your firewall
Some IPs to add to your firewall
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>