[wp-hackers] Zombies aimed at WordPress

John Ha mailing-lists at netspace.net.au
Thu Oct 13 14:30:12 GMT 2005


i used to use referrer-bouncer plugin, but then i needed separate plugins
for comment spam. now bad-behaviour catches all these before a page is
requested.

if it seems i'm pushing bad-behaviour so much, it's because i'm sick of
spammers.

if more people used this or a similar technique that blocks page access from
spambots, it'd make a big difference (for legit users and spammers -
depending on perspective) imho.

john ha

----- Original Message ----- 
From: "Jason A. Trommetter" <jasontromm at gmail.com>
To: <wp-hackers at lists.automattic.com>
Sent: Friday, October 14, 2005 12:16 AM
Subject: Re: [wp-hackers] Zombies aimed at WordPress


> I've been very happy with Referrer Karma from
> http://unknowngenius.com/blog/
>
> It catches thousands of referrer spam hits per day and I suppose it's
> blocking zombies also? It integrates very easily into WordPress and
> cooperates nicely with Spam Karma.
>
>
> ----- Original message -----
> From: "Roy Schestowitz" <r at schestowitz.com>
> To: wp-hackers at lists.automattic.com
> Date: Thu, 13 Oct 2005 10:47:32 +0100
> Subject: [wp-hackers] Zombies aimed at WordPress
>
> I apologise to have started a new thread, but there are many new
> dimensions to this problem, which increases/spreads exponentially as it
> seems. All occurrences of zombie attacks of this kind (see previous
> thread for context) target WordPress... at least the ones I am aware of,
> having researched the Web. The spammers handpick sensitive (read: heavy)
> WordPress-generated pages. I have only come across 3 occurrences of such
> attacks, best characterised by Tonga domains in the referrer field. All
> occur around the same time across the domains.
>
> The zombies in question are all Windows-based and they almost double in
> number on a daily basis. I shall soon collaborate with my Web host
> (SpamValve and Bad Behaviour spring to mind). Otherwise, considering the
> current pace of expansion, my domain would be isolated from cyberspace.
> They are eCommerce sites whose income depends on the Web and their shops
> are crippled by attacks on my site.
>
> The attacks I know of affect Windows-, Linux-, and Mac-oriented sites,
> so there is no O/S zeal as a motive; maybe there is CMS zeal, if at all.
>
> More evidence of the problems is beginning to resurface. Some of you in
> this list might be affected, but have not noticed it yet. This began
> (for me) at the start of this month. There were only dozens of attacks
> at the start so they were hard to notice among the logs. Use Technorati
> to find information on the attacks as it's all fairly recent so
> unindexed. One source claims that there are many sites affected, but
> they choose to remain silent or wait for a diminish rather than
> expansion of this disease. Even the mainstream media exposed similar
> issues a day ago. Some of you may have heard of the Dutch gang that had
> 100,000 zombies and planned an attack. They have just been arrested. A
> friend of mine said it is a small scale considering what else is out
> there already.
>
> I am posting this to wp-hackers because it appears to have developed
> into a possible yet-to-be-seen plague that is most detrimental to
> WordPress. Judging by the pattern of the attacks, I can make a few
> speculations. The spammers hijack or simply inject a rogue process with
> hard-coded URLs that vary (both referrer and target URL vary, thereby
> making it hard to filter).
>
> I don't want to get political (admittedly I have the tendency), but who
> is liable? It is sure not the host, or Apache, or WordPress (I won't
> pull Matt's finger - pun intended). Who is it that used code spaghetti
> that left a gap to be exploited in the O/S? Or lazy ISPs that harbour
> rotten traffic? Countries of shame in this case are China with thrice as
> many attacks as Russia at second. Something must be done. This keeps
> doubling and affecting more blogs.
>
> Roy
>
> -- 
> Roy S. Schestowitz      | Roughly 2% of your keyboard is O/S-specific
> http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
>  10:30am  up 48 days 22:44,  3 users,  load average: 0.30, 0.32, 0.24
>       http://iuron.com - next generation of search paradigms
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers



-- 
------------------------ [ SECURITY NOTICE ] ------------------------
To: wp-hackers at lists.automattic.com.
For your security, mailing-lists at netspace.net.au
digitally signed this message on 13 October 2005 at 14:31:23 UTC.
Verify this digital signature at http://www.ciphire.com/verify.