
Re: [Urgent] Apache Help

__/ [Matt Probert] on Thursday 13 October 2005 07:11 \__

> On Thu, 13 Oct 2005 04:42:46 +0100, Roy Schestowitz
> <newsgroups@xxxxxxxxxxxxxxx> wrote:
> 
>> My site has come under heavy attacks by infected machines world-wide (no
>> idea why they chose me). It has been getting worse for the past week or
>> so and is now reaching levels that put my hosting provider in jeopardy.
>> 
>> The referrer seems to be a good criterion for filtering. I see about 50
>> referring URL's, all of them from Tonga (ending with the .to suffix),
>> apart from a single German referral and one from Cocos Islands (I'm
>> serious).
>> 
>> New referring URL's continue to be added as we speak, but not too
>> quickly.
>> 
>> How do I write something to have Apache {die} all requests based on
>> referring URL?
>> 
>> Help please... soon if possible...
>> 
>> Many thanks,
>> 
>> Roy
> 
> Roy,
> 
> firstly, CALM DOWN!


Yes, I try. I managed to get some sleep and even eat nonetheless.


> You're making a lot of allegations about the nature of "the attacks"
> without much evidence. IP addresses may be spoofed, and TLD certainly
> doesn't reflect nationality!

http://the.taoofmac.com/space/blog/2005-10-07.19%3A18


I have investigated and seen these attacks on the increase for almost 2
weeks. It is only now that their dimension is very worrying and the
filtering mechanisms I have been using are understood by the attackers,
subsequently leading to change.


> Perhaps if you gather together the facts, and then review them.
> 
> Matt

I continue doing so. Thanks, Matt.


__/ [John Bokma] on Thursday 13 October 2005 07:28 \__

> comments@xxxxxxxxxxxxxxxxxxxxxxxx (Matt Probert) wrote:
> 
> [ REFERER spam ]
>  
>> You're making a lot of allegations about the nature of "the attacks"
>> without much evidence. IP addresses may be spoofed,
> 
> Not sure if that works with a webserver, e.g. if you can transfer
> header(s) to the webserver with a spoofed IP address.


The phenomenon is fairly well-understood by now, at least as far as its
nature is concerned. See message below -- a message I have just posted to
the WordPress Hackers mailing list.


>> and TLD certainly
>> doesn't reflect nationality!
> 
> Moreover, if I am correct, they are "innocent" bystanders.



============
Quote

I apologise to have started a new thread, but there are many new dimensions
to this problem, which increases/spreads exponentially as it seems. All
occurrences of zombie attacks of this kind (see previous thread for context)
target WordPress... at least the ones I am aware of, having researched the
Web. The spammers handpick sensitive (read: heavy) WordPress-generated
pages. I have only come across 3 occurrences of such attacks, best
characterised by Tonga domains in the referrer field. All occur around the
same time across the domains.

The zombies in question are all Windows-based and they almost double in
number on a daily basis. I shall soon collaborate with my Web host
(SpamValve and Bad Behaviour spring to mind). Otherwise, considering the
current pace of expansion, my domain would be isolated from cyberspace.
They are eCommerce sites whose income depends on the Web and their shops are
crippled by attacks on my site.

The attacks I know of affect Windows-, Linux-, and Mac-oriented sites, so
there is no O/S zeal as a motive; maybe there is CMS zeal, if at all.

More evidence of the problems is beginning to resurface. Some of you in this
list might be affected, but have not noticed it yet. This began (for me) at
the start of this month. There were only dozens of attacks at the start so
they were hard to notice among the logs. Use Technorati to find information
on the attacks as it's all fairly recent so unindexed. One source claims
that there are many sites affected, but they choose to remain silent or wait
for a diminishing rather than an expansion of this disease. Even the
mainstream media exposed similar issues a day ago. Some of you may have
heard of the Dutch gang that had 100,000 zombies and planned an attack. They
have just been arrested. A friend of mine said it is a small scale
considering what else is out there already.

I am posting this to wp-hackers because it appears to have developed into a
possible yet-to-be-seen plague that is most detrimental to WordPress.
Judging by the pattern of the attacks, I can make a few speculations. The
spammers hijack or simply inject a rogue process with hard-coded URL's that
vary (both referrer and target URL vary, thereby making it hard to filter).

I don't want to get political (admittedly I have the tendency), but who is
liable? It is sure not the host, or Apache, or WordPress (I won't pull
Matt's finger - pun intended). Who is it that used code spaghetti that left
a gap to be exploited in the O/S? Or lazy ISP's that harbour rotten traffic?
Countries of shame in this case are China with thrice as many attacks as
Russia at second. Something must be done. This keeps doubling and affecting
more blogs.
============

Roy

-- 
Roy S. Schestowitz      | Microsof(fshore)t Window(ntime)s Vista(gnating)
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
 11:00am  up 48 days 23:14,  4 users,  load average: 0.49, 0.71, 0.59
      http://iuron.com - next generation of search paradigms
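
The referrer-based filtering asked about in this thread, as an added example that is not part of the original posts: it tallies referrer TLDs and distinct client addresses from Apache combined-format log lines, then renders Apache 2.4 directives for the TLDs that stand out. The sample log lines, the thresholds and the environment variable name `bad_referer` are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample log lines (documentation IP ranges, made-up referrer hosts).
SAMPLE = [
    '192.0.2.10 - - [13/Oct/2005:04:40:01 +0100] "GET /blog/ HTTP/1.1" 200 5120 "http://ref1.constructed-sample.to/" "Mozilla/4.0"',
    '198.51.100.7 - - [13/Oct/2005:04:40:02 +0100] "GET /blog/?p=12 HTTP/1.1" 200 5120 "http://ref2.constructed-sample.to/x" "Mozilla/4.0"',
    '203.0.113.5 - - [13/Oct/2005:04:40:02 +0100] "GET /blog/?p=12 HTTP/1.1" 200 5120 "http://ref3.constructed-sample.to/" "Mozilla/4.0"',
    '192.0.2.44 - - [13/Oct/2005:04:40:03 +0100] "GET /blog/ HTTP/1.1" 200 5120 "http://REF1.constructed-sample.TO:80/" "Mozilla/4.0"',
    '192.0.2.99 - - [13/Oct/2005:04:40:04 +0100] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.100 - - [13/Oct/2005:04:40:05 +0100] "GET / HTTP/1.1" 200 900 "http://www.constructed-sample.de/page" "Mozilla/5.0"',
]

def referrer_tlds(lines):
    """Count hits and distinct client IPs per top-level domain of the Referer host."""
    hits, clients = Counter(), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in combined format
        ip, ref = m.groups()
        try:
            host = (urlsplit(ref).hostname or "").rstrip(".")  # lowercased, port removed
        except ValueError:
            host = ""
        if "." not in host:
            continue  # "-" or unparsable referrer: nothing to classify
        tld = host.rsplit(".", 1)[1]
        hits[tld] += 1
        clients[tld].add(ip)
    return hits, clients

def suspicious(hits, clients, min_hits=3, min_clients=3):
    """TLDs whose referrers arrive often and from many different client addresses."""
    return sorted(t for t in hits if hits[t] >= min_hits and len(clients[t]) >= min_clients)

def apache_rules(tlds):
    """Render Apache 2.4 directives refusing requests whose Referer host ends in a listed TLD."""
    env = [f'SetEnvIfNoCase Referer "^https?://[^/]+\\.{re.escape(t)}(:[0-9]+)?(/|$)" bad_referer'
           for t in tlds]
    return env + ["<RequireAll>", "    Require all granted",
                  "    Require not env bad_referer", "</RequireAll>"]

if __name__ == "__main__":
    print("\n".join(apache_rules(suspicious(*referrer_tlds(SAMPLE)))))
```

The Referer header is chosen by the client, so a rule like this holds only while the senders keep using the same referrers; the post above notes that earlier filters were adapted to.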
