[wp-hackers] Zombies aimed at WordPress [s]

John Ha [c] mailing-lists at netspace.net.au
Thu Oct 13 14:19:30 GMT 2005 

3rd time lucky? haha...bad-behaviour does not need server access. it's a
plugin. drop in and activate, then forget. so if u have access to your admin
pages you can use bad-behaviour. (i view logs using phpadmin - althought
bb-stats can be used to see stats generated from this plugin)

john ha
----- Original Message ----- 
From: "Roy Schestowitz" <r at schestowitz.com>
To: <wp-hackers at lists.automattic.com>
Sent: Thursday, October 13, 2005 11:03 PM
Subject: Re: [wp-hackers] Zombies aimed at WordPress


> _____/ On Thu 13 Oct 2005 12:43:10 BST, [Frederic de Villamil] wrote :
\_____
>
> > On Thu, 13 Oct 2005 10:47:32 +0100, Roy Schestowitz wrote
> >> I apologise to have started a new thread, but there are many new
> >> dimensions to this problem, which increases/spreads exponentially as
> >> it seems. All occurrences of zombie attacks of this kind (see
> >> previous thread for context) target WordPress... at least the ones I
> >> am aware of, having researched the Web. The spammers handpick
> >> sensitive (read: heavy) WordPress-generated pages. I have only comes
> >> across 3 occurrences of such attacks, best characterised by Tonga
> >> domains in the referrer field. All occur around the same time across
> >> the domains.
> >>
> >> The zombies in question are all Windows-based and they almost double
> >> in number on a daily basis. I shall soon collaborate with my Web
> >> host (SpamValve and Bad Behaviour spring to mind). otherwise,
> >>  considering the current pace of expansion, my domain would be
> >> isolated from cyberspace.  They are eCommerce sites whose income
> >> depends on the Web and their shops are crippled by attacks on my site.
> >>
> >> The attacks I know of affect Windows-, Linux-, and Mac-oriented
> >> sites, so there is no O/S zeal as a motive; maybe there is CMS zeal,
> >> if at all.
> >>
> >> More evidence of the problems are beginning to resurface. Some of
> >> you in this list might be affected, but have not noticed it yet.
> >> This began (for me) at the start of this month. There were only
> >> dozens of attacks at the start so they were hard to notice among the
> >> logs. Use Technorati to find information on the attacks as it's all
> >> fairly recent so unindexed. One source claims that there are many
> >> sites affected, but they choose to remain silent or wait for a
> >> diminish rather than expansion of this disease. Even the mainstream
> >> media exposed similar issues a day ago. Some of you may have heard
> >> of the Dutch gang that had 100,000 zombies and planned an attack.
> >> They have just been arrested. A friend of mine said it is a small
> >> scale considering what else if out there already.
> >>
> >> I posting this to wp-hackers because it appears to have developed
> >> into a possible yet-to-be-seen plague that is most detrimental to
> >> WordPress. Judging by the pattern of the attacks, I can make a few
> >> speculations. The spammers hijacks or simply inject a rogue process
> >> with hard-coded URL's that vary (both referrer and target URL vary,
> >>  thereby making it hard to filter).
> >>
> >> I don't want to get political (admittedly I have the tendency), but
> >> who is liable? It is sure not the host, or Apache, or WordPress (I
> >> won't pull Matt's finger - pun intended). Who is it that used code
> >> spaghetti that left a gap to be exploited in the O/S? Or lazy ISP's
> >> that harbour rotten traffic? Countries of shame in this case are
> >> China with thrice as many attacks than Russia at second. Something
> >> must be done. This keeps doubling and affecting more blogs.
> >>
> >> Roy
> >
> > We've had the same attack yesterday on Parisist
(http://www.parisist.com)
> > which runs a Movable Type.
> > So I don't think it's a Wordpress only attack.
>
> Have you found any generic solution yet? All solutions that I could gather
are
> not simple to incorporate (see below). I am still waiting for some
software to
> be installed on the server.
>
> * Bad Behaviour - needs access to server (pointed out here)
>
> * SpamValve - root privileges? (pointed out here)
>
> * modsecurity.org - root privileges? (pointed out in Manchester's LUG)
>
> * Patch-o-Matic netfilter/iptables  <
> http://www.netfilter.org/patch-o-matic/pom-extra.html > - needs installing
> (from the Linux advocasy NG) -  one wonders about the name, which
resembles
> "Ping-o-Matic"
>
> * Apache .htaccess filter for Tonga domains - untested and hard to test
> reliably
>
> RewriteEngine On
> RewriteCond %{HTTP_REFERER} .to/
> RewriteRule .* - [F]
>
> (John Bokma from alt.www.webmaster)
>
> Hope this turns out to be handy to someone else...
>
> Roy
>
> -- 
> Roy S. Schestowitz
> http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
>   1:55pm  up 49 days  2:09,  3 users,  load average: 0.23, 0.37, 0.18
>       http://iuron.com - next generation of search paradigms
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
------------------------ [ SECURITY NOTICE ]
------------------------
To: wp-hackers at lists.automattic.com.
For your security, mailing-lists at netspace.net.au
digitally signed this message on 13 October 2005 at 14:20:40 UTC.
Verify this digital signature at http://www.ciphire.com/verify.
------------------- [ CIPHIRE DIGITAL SIGNATURE ]
-------------------
Q2lwaGlyZSBTaWcuAjh3cC1oYWNrZXJzQGxpc3RzLmF1dG9tYXR0aWMuY29tAG1haWxpb
mctbGlzdHNAbmV0c3BhY2UubmV0LmF1AGVtYWlsIGJvZHkAAhAAAHwAfAAAAAEAAAA4bU
5DAhAAAMUBAAIAAgACACAe5TcBbmIU6owNe1xZd/iId1LWxoic0s8JYnXeBrMqZgEAoH7
uzw9IZPyJ563ZYHUtH1HUo9KSbjEaKJV3swG1UnqW9DG8ImLeS8LLUBDXDdax6dmZKxqi
ZeSIbLMSwdb+U5MAiOU1U2lnRW5k
--------------------- [ END DIGITAL SIGNATURE ]
---------------------

More information about the wp-hackers mailing list