
Re: [wp-hackers] Zombies aimed at WordPress

_____/ On Thu 13 Oct 2005 12:43:10 BST, [Frederic de Villamil] wrote : \_____

On Thu, 13 Oct 2005 10:47:32 +0100, Roy Schestowitz wrote
I apologise to have started a new thread, but there are many new
dimensions to this problem, which increases/spreads exponentially as
it seems. All occurrences of zombie attacks of this kind (see
previous thread for context) target WordPress... at least the ones I
am aware of, having researched the Web. The spammers handpick
sensitive (read: heavy) WordPress-generated pages. I have only come
across 3 occurrences of such attacks, best characterised by Tonga
domains in the referrer field. All occur around the same time across
the domains.

The zombies in question are all Windows-based and they almost double
in number on a daily basis. I shall soon collaborate with my Web
host (SpamValve and Bad Behaviour spring to mind). Otherwise,
considering the current pace of expansion, my domain would be
isolated from cyberspace. They are eCommerce sites whose income
depends on the Web and their shops are crippled by attacks on my site.

The attacks I know of affect Windows-, Linux-, and Mac-oriented
sites, so there is no O/S zeal as a motive; maybe there is CMS zeal,
if at all.

More evidence of the problems is beginning to resurface. Some of
you in this list might be affected, but have not noticed it yet.
This began (for me) at the start of this month. There were only
dozens of attacks at the start so they were hard to notice among the
logs. Use Technorati to find information on the attacks as it's all
fairly recent so unindexed. One source claims that there are many
sites affected, but they choose to remain silent or wait for a
decline rather than an expansion of this disease. Even the mainstream
media exposed similar issues a day ago. Some of you may have heard
of the Dutch gang that had 100,000 zombies and planned an attack.
They have just been arrested. A friend of mine said it is a small
scale considering what else is out there already.

I am posting this to wp-hackers because it appears to have developed
into a possible yet-to-be-seen plague that is most detrimental to
WordPress. Judging by the pattern of the attacks, I can make a few
speculations. The spammers hijack or simply inject a rogue process
with hard-coded URLs that vary (both referrer and target URL vary,
thereby making it hard to filter).

I don't want to get political (admittedly I have the tendency), but
who is liable? It is sure not the host, or Apache, or WordPress (I
won't pull Matt's finger - pun intended). Who is it that used code
spaghetti that left a gap to be exploited in the O/S? Or lazy ISPs
that harbour rotten traffic? Countries of shame in this case are
China with thrice as many attacks as Russia at second. Something
must be done. This keeps doubling and affecting more blogs.

Roy

We've had the same attack yesterday on Parisist (http://www.parisist.com) which runs a Movable Type. So I don't think it's a WordPress-only attack.

Have you found any generic solution yet? All solutions that I could gather are not simple to incorporate (see below). I am still waiting for some software to be installed on the server.

* Bad Behaviour - needs access to server (pointed out here)

* SpamValve - root privileges? (pointed out here)

* modsecurity.org - root privileges? (pointed out in Manchester's LUG)

* Patch-o-Matic netfilter/iptables <http://www.netfilter.org/patch-o-matic/pom-extra.html> - needs installing (from the Linux advocacy NG) - one wonders about the name, which resembles "Ping-o-Matic"

* Apache .htaccess filter for Tonga domains - untested and hard to test reliably

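# Return 403 Forbidden when the Referer host is under the .to (Tonga) TLD
RewriteEngine On
# Dot escaped and match anchored to the host, so paths such as /photo/ do not match
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.to(:[0-9]+)?(/|$) [NC]
RewriteRule .* - [F]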

(John Bokma from alt.www.webmaster)

Hope this turns out to be handy to someone else...

Roy

--
Roy S. Schestowitz
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
 1:55pm  up 49 days  2:09,  3 users,  load average: 0.23, 0.37, 0.18
     http://iuron.com - next generation of search paradigms
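
The .htaccess filter in the message above is described as untested. As an added example (not part of the original message or of any tool named in it), the Python script below replays access-log lines offline and compares the pattern as posted (`.to/`) with a check on the Referer's host. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [13/Oct/2005:10:01:02 +0100] "GET /blog/archives/ HTTP/1.1" 200 51234 "http://abc123.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [13/Oct/2005:10:01:03 +0100] "GET /blog/?cat=4 HTTP/1.1" 200 48110 "http://xyz.example.to/page" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [13/Oct/2005:10:02:10 +0100] "GET /blog/ HTTP/1.1" 200 9120 "http://example.org/photo/" "Mozilla/5.0 (X11; Linux i686)"
198.51.100.8 - - [13/Oct/2005:10:02:11 +0100] "GET /about HTTP/1.1" 200 2100 "http://example.com/how-to/" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [13/Oct/2005:10:03:00 +0100] "GET /blog/2005/10/ HTTP/1.1" 200 50022 "http://Q9.TO" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.9 - - [13/Oct/2005:10:04:00 +0100] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux i686)"
'''

# ip, timestamp, method, path, status, referer, user-agent
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
POSTED = re.compile(r'.to/')  # the RewriteCond pattern exactly as posted

def referer_is_tonga(referer):
    """Host-based check: parse the URL and test the host's TLD only."""
    host = (urlsplit(referer).hostname or "").rstrip(".")
    return host.endswith(".to")

def analyse(log_text):
    """Summarise .to-referred hits and where the posted pattern disagrees."""
    ips, targets, false_pos, misses = set(), Counter(), [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _when, _method, path, _status, referer, _ua = m.groups()
        strict = referer_is_tonga(referer)
        posted = bool(POSTED.search(referer))
        if strict:
            ips.add(ip)
            targets[path] += 1
        if posted and not strict:
            false_pos.append(referer)  # legitimate visitor the rule would block
        if strict and not posted:
            misses.append(referer)     # .to referrer the rule would let through
    return {"ips": sorted(ips), "targets": targets,
            "false_positives": false_pos, "misses": misses}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Feeding it a real access log instead of SAMPLE_LOG shows how many legitimate visitors a referrer rule would turn away before the rule goes live.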

