[wp-hackers] Zombies aimed at WordPress

Frederic de Villamil fdevillamil at gmail.com
Thu Oct 13 11:43:10 GMT 2005

On Thu, 13 Oct 2005 10:47:32 +0100, Roy Schestowitz wrote
> I apologise to have started a new thread, but there are many new 
> dimensions to this problem, which increases/spreads exponentially as 
> it seems. All occurrences of zombie attacks of this kind (see 
> previous thread for context) target WordPress... at least the ones I 
> am aware of, having researched the Web. The spammers handpick 
> sensitive (read: heavy) WordPress-generated pages. I have only come 
> across 3 occurrences of such attacks, best characterised by Tonga 
> domains in the referrer field. All occur around the same time across 
> the domains.
> The zombies in question are all Windows-based and they almost double 
> in number on a daily basis. I shall soon collaborate with my Web 
> host (SpamValve and Bad Behaviour spring to mind). Otherwise, 
> considering the current pace of expansion, my domain would be 
> isolated from cyberspace.  They are eCommerce sites whose income 
> depends on the Web and their shops are crippled by attacks on my site.
> The attacks I know of affect Windows-, Linux-, and Mac-oriented 
> sites, so there is no O/S zeal as a motive; maybe there is CMS zeal, 
> if at all.
> More evidence of the problems is beginning to resurface. Some of 
> you in this list might be affected, but have not noticed it yet. 
> This began (for me) at the start of this month. There were only 
> dozens of attacks at the start so they were hard to notice among the 
> logs. Use Technorati to find information on the attacks as it's all 
> fairly recent so unindexed. One source claims that there are many 
> sites affected, but they choose to remain silent or wait for a 
> diminish rather than expansion of this disease. Even the mainstream 
> media exposed similar issues a day ago. Some of you may have heard 
> of the Dutch gang that had 100,000 zombies and planned an attack. 
> They have just been arrested. A friend of mine said it is a small 
> scale considering what else is out there already.
> I am posting this to wp-hackers because it appears to have developed 
> into a possible yet-to-be-seen plague that is most detrimental to 
> WordPress. Judging by the pattern of the attacks, I can make a few 
> speculations. The spammers hijack or simply inject a rogue process 
> with hard-coded URLs that vary (both referrer and target URL vary, 
> thereby making it hard to filter).
> I don't want to get political (admittedly I have the tendency), but 
> who is liable? It is sure not the host, or Apache, or WordPress (I 
> won't pull Matt's finger - pun intended). Who is it that used code 
> spaghetti that left a gap to be exploited in the O/S? Or lazy ISPs 
> that harbour rotten traffic? Countries of shame in this case are 
> China with thrice as many attacks as Russia at second. Something 
> must be done. This keeps doubling and affecting more blogs.
> Roy

We had the same attack yesterday on Parisist (http://www.parisist.com),
which runs Movable Type.
So I don't think it's a WordPress-only attack.

Hey mr Money, I can be your honey,
It's just us three, champaign, you and me!
