Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: [Urgent] Apache Help

__/ [Matt Probert] on Thursday 13 October 2005 07:11 \__

> On Thu, 13 Oct 2005 04:42:46 +0100, Roy Schestowitz
> <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> My site has come under heavy attacks by infected machines world-wide (no
>> idea why they chose me). It has been getting worse for the past week or
>> so and is now reaching levels that put my hosting provider in jeopardy.
>> The referrer seems to be a good criterion for filtering. I see about 50
>> referring URL's, all of them from Tonga (ending with the .to suffix),
>> apart from a single German referral and one from Cocos Islands (I'm
>> serious).
>> New referring URL's continue to be added as we speak, but not too
>> quickly.
>> How do I write something to have Apache {die} all requests based on
>> referring URL?
>> Help please... soon if possible...
>> Many thanks,
>> Roy
> Roy,
> firstly, CALM DOWN!

Yes, I try. I managed to get some sleep and even eat nonetheless.

> You're making a lot of allegations about the nature of "the attacks"
> without much evidence. IP addresses may be spoofed, and TLD certainly
> doesn't reflect nationality!


I have investigated and seen these attacks on the increase for almost 2
weeks. It is only now that their dimension is very worrying and the
filtering mechanisms I have been using are understood by the attackers,
subsequently leading to change.

> Perhaps if you gather together the facts, and then review them.
> Matt

I continue doing so. Thanks, Matt.

__/ [John Bokma] on Thursday 13 October 2005 07:28 \__

> comments@xxxxxxxxxxxxxxxxxxxxxxxx (Matt Probert) wrote:
> [ REFERER spam ]
>> You're making a lot of allegations about the nature of "the attacks"
>> without much evidence. IP addresses may be spoofed,
> Not sure if that works with a webserver, e.g. if you can transfer
> header(s) to the webserver with a spoofed IP address.

The phenomenon is fairly well-understood by now, at least as far as its
nature is concerned. See message below -- a message I have just posted to
the WordPress Hackers mailing list.

>> and TLD certainly
>> doesn't reflect nationality!
> Moreover, if I am correct, it are "innocent" bystanders.


I apologise to have started a new thread, but there are many new dimensions
this problem, which increases/spreads exponentially as it seems. All
occurrences of zombie attacks of this kind (see previous thread for context)
target WordPress... at least the ones I am aware of, having researched the
 The spammers handpick sensitive (read: heavy) WordPress-generated pages. I
only comes across 3 occurrences of such attacks, best characterised by Tonga
domains in the referrer field. All occur around the same time across the

The zombies in question are all Windows-based and they almost double in
on a daily basis. I shall soon collaborate with my Web host (SpamValve and
Behaviour spring to mind). otherwise, considering the current pace of
expansion, my domain would be isolated from cyberspace.  They are eCommerce
sites whose income depends on the Web and their shops are crippled by
on my site.

The attacks I know of affect Windows-, Linux-, and Mac-oriented sites, so
is no O/S zeal as a motive; maybe there is CMS zeal, if at all.

More evidence of the problems are beginning to resurface. Some of you in
list might be affected, but have not noticed it yet. This began (for me) at
start of this month. There were only dozens of attacks at the start so they
hard to notice among the logs. Use Technorati to find information on the
as it's all fairly recent so unindexed. One source claims that there are
sites affected, but they choose to remain silent or wait for a diminish
than expansion of this disease. Even the mainstream media exposed similar
issues a day ago. Some of you may have heard of the Dutch gang that had
zombies and planned an attack. They have just been arrested. A friend of
said it is a small scale considering what else if out there already.

I posting this to wp-hackers because it appears to have developed into a
possible yet-to-be-seen plague that is most detrimental to WordPress.
by the pattern of the attacks, I can make a few speculations. The spammers
hijacks or simply inject a rogue process with hard-coded URL's that vary
referrer and target URL vary, thereby making it hard to filter).

I don't want to get political (admittedly I have the tendency), but who is
liable? It is sure not the host, or Apache, or WordPress (I won't pull
finger - pun intended). Who is it that used code spaghetti that left a gap
be exploited in the O/S? Or lazy ISP's that harbour rotten traffic?
of shame in this case are China with thrice as many attacks than Russia at
second. Something must be done. This keeps doubling and affecting more


Roy S. Schestowitz      | Microsof(fshore)t Window(ntime)s Vista(gnating)
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
 11:00am  up 48 days 23:14,  4 users,  load average: 0.49, 0.71, 0.59
      http://iuron.com - next generation of search paradigms

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index