[wp-hackers] Zombies aimed at WordPress

Roy Schestowitz r at schestowitz.com
Thu Oct 13 09:47:32 GMT 2005

I apologise to have started a new thread, but there are many new dimensions to
this problem, which increases/spreads exponentially as it seems. All
occurrences of zombie attacks of this kind (see previous thread for context)
target WordPress... at least the ones I am aware of, having researched the Web.
 The spammers handpick sensitive (read: heavy) WordPress-generated pages. I have
only comes across 3 occurrences of such attacks, best characterised by Tonga
domains in the referrer field. All occur around the same time across the

The zombies in question are all Windows-based and they almost double in number
on a daily basis. I shall soon collaborate with my Web host (SpamValve and Bad
Behaviour spring to mind). otherwise, considering the current pace of
expansion, my domain would be isolated from cyberspace.  They are eCommerce
sites whose income depends on the Web and their shops are crippled by attacks
on my site.

The attacks I know of affect Windows-, Linux-, and Mac-oriented sites, so there
is no O/S zeal as a motive; maybe there is CMS zeal, if at all.

More evidence of the problems are beginning to resurface. Some of you in this
list might be affected, but have not noticed it yet. This began (for me) at the
start of this month. There were only dozens of attacks at the start so they were
hard to notice among the logs. Use Technorati to find information on the attacks
as it's all fairly recent so unindexed. One source claims that there are many
sites affected, but they choose to remain silent or wait for a diminish rather
than expansion of this disease. Even the mainstream media exposed similar
issues a day ago. Some of you may have heard of the Dutch gang that had 100,000
zombies and planned an attack. They have just been arrested. A friend of mine
said it is a small scale considering what else if out there already.

I posting this to wp-hackers because it appears to have developed into a
possible yet-to-be-seen plague that is most detrimental to WordPress. Judging
by the pattern of the attacks, I can make a few speculations. The spammers
hijacks or simply inject a rogue process with hard-coded URL's that vary (both
referrer and target URL vary, thereby making it hard to filter).

I don't want to get political (admittedly I have the tendency), but who is
liable? It is sure not the host, or Apache, or WordPress (I won't pull Matt's
finger - pun intended). Who is it that used code spaghetti that left a gap to
be exploited in the O/S? Or lazy ISP's that harbour rotten traffic? Countries
of shame in this case are China with thrice as many attacks than Russia at
second. Something must be done. This keeps doubling and affecting more blogs.


Roy S. Schestowitz      | Roughly 2% of your keyboard is O/S-specific
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
 10:30am  up 48 days 22:44,  3 users,  load average: 0.30, 0.32, 0.24
      http://iuron.com - next generation of search paradigms

More information about the wp-hackers mailing list