[wp-hackers] Zombies aimed at WordPress

Roy Schestowitz r at schestowitz.com
Thu Oct 13 13:03:45 GMT 2005

_____/ On Thu 13 Oct 2005 12:43:10 BST, [Frederic de Villamil] wrote : \_____

> On Thu, 13 Oct 2005 10:47:32 +0100, Roy Schestowitz wrote
>> I apologise to have started a new thread, but there are many new
>> dimensions to this problem, which increases/spreads exponentially as
>> it seems. All occurrences of zombie attacks of this kind (see
>> previous thread for context) target WordPress... at least the ones I
>> am aware of, having researched the Web. The spammers handpick
>> sensitive (read: heavy) WordPress-generated pages. I have only come
>> across 3 occurrences of such attacks, best characterised by Tonga
>> domains in the referrer field. All occur around the same time across
>> the domains.
>> The zombies in question are all Windows-based and they almost double
>> in number on a daily basis. I shall soon collaborate with my Web
>> host (SpamValve and Bad Behaviour spring to mind). Otherwise,
>> considering the current pace of expansion, my domain would be
>> isolated from cyberspace.  They are eCommerce sites whose income
>> depends on the Web and their shops are crippled by attacks on my site.
>> The attacks I know of affect Windows-, Linux-, and Mac-oriented
>> sites, so there is no O/S zeal as a motive; maybe there is CMS zeal,
>> if at all.
>> More evidence of the problems is beginning to resurface. Some of
>> you in this list might be affected, but have not noticed it yet.
>> This began (for me) at the start of this month. There were only
>> dozens of attacks at the start so they were hard to notice among the
>> logs. Use Technorati to find information on the attacks as it's all
>> fairly recent so unindexed. One source claims that there are many
>> sites affected, but they choose to remain silent or wait for a
>> diminish rather than expansion of this disease. Even the mainstream
>> media exposed similar issues a day ago. Some of you may have heard
>> of the Dutch gang that had 100,000 zombies and planned an attack.
>> They have just been arrested. A friend of mine said it is a small
>> scale considering what else is out there already.
>> I am posting this to wp-hackers because it appears to have developed
>> into a possible yet-to-be-seen plague that is most detrimental to
>> WordPress. Judging by the pattern of the attacks, I can make a few
>> speculations. The spammers hijack or simply inject a rogue process
>> with hard-coded URLs that vary (both referrer and target URL vary,
>> thereby making it hard to filter).
>> I don't want to get political (admittedly I have the tendency), but
>> who is liable? It is sure not the host, or Apache, or WordPress (I
>> won't pull Matt's finger - pun intended). Who is it that used code
>> spaghetti that left a gap to be exploited in the O/S? Or lazy ISP's
>> that harbour rotten traffic? Countries of shame in this case are
>> China with thrice as many attacks than Russia at second. Something
>> must be done. This keeps doubling and affecting more blogs.
>> Roy
> We've had the same attack yesterday on Parisist (http://www.parisist.com)
> which runs a Movable Type.
> So I don't think it's a WordPress-only attack.

Have you found any generic solution yet? All solutions that I could gather are
not simple to incorporate (see below). I am still waiting for some software to
be installed on the server.

* Bad Behaviour - needs access to server (pointed out here)

* SpamValve - root privileges? (pointed out here)

* modsecurity.org - root privileges? (pointed out in Manchester's LUG)

* Patch-o-Matic netfilter/iptables
< http://www.netfilter.org/patch-o-matic/pom-extra.html > - needs installing
(from the Linux advocacy NG) - one wonders about the name, which resembles

* Apache .htaccess filter for Tonga domains - untested and hard to test

RewriteEngine On
# Match only when the referrer's host ends in .to: the dot is escaped and the
# pattern is anchored on the host, so a ".to/" substring elsewhere in the URL
# (e.g. /photo/) does not trigger the 403. [NC] makes it case-insensitive.
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?to/ [NC]
RewriteRule .* - [F]

(John Bokma from alt.www.webmaster)

Hope this turns out to be handy to someone else...


Roy S. Schestowitz
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
  1:55pm  up 49 days  2:09,  3 users,  load average: 0.23, 0.37, 0.18
      http://iuron.com - next generation of search paradigms
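The referrer filter discussed in the message above is a blocking rule; before deploying one it helps to see how many log entries it would actually hit, and whether the pattern over-matches. The following Python script is an added example, not code from the thread or from WordPress: it parses Apache "combined" log lines, applies the same "referrer host ends in .to" test that the .htaccess rule expresses, and contrasts it with the unescaped `.to/` substring pattern to show the false positives the latter produces. The log lines, IP addresses and hostnames are constructed for illustration.

```python
"""Count access-log hits whose Referer host is under the .to (Tonga) TLD.

Added example for the wp-hackers thread; not part of the original post.
All log lines, addresses and hostnames below are constructed placeholders.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Host-based test: the referrer's hostname is exactly "to" or ends in ".to".
TONGA_HOST_RE = re.compile(r'(^|\.)to$', re.IGNORECASE)

# The pattern as originally posted (unescaped dot, unanchored), kept here
# only to demonstrate its over-matching.
NAIVE_RE = re.compile(r'.to/')

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2005:12:01:02 +0100] "GET /blog/?p=123 HTTP/1.1" 200 48211 "http://example.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.8 - - [13/Oct/2005:12:01:03 +0100] "GET /blog/?p=123 HTTP/1.1" 200 48211 "http://spam.example.to/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.4 - - [13/Oct/2005:12:01:05 +0100] "GET /blog/photo/1.jpg HTTP/1.1" 200 9001 "http://example.com/photo/1.jpg" "Mozilla/5.0 (X11; Linux)"
198.51.100.5 - - [13/Oct/2005:12:01:06 +0100] "GET /blog/ HTTP/1.1" 200 31000 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.6 - - [13/Oct/2005:12:01:07 +0100] "GET /auto/ HTTP/1.1" 404 300 "http://auto.example.org/to/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of a Referer value, or None for an empty/'-' referrer."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def is_tonga_referer(referer):
    """True when the referrer's host is under the .to TLD (host-anchored test)."""
    host = referer_host(referer)
    return bool(host and TONGA_HOST_RE.search(host))


def naive_match(referer):
    """True when the unescaped, unanchored '.to/' pattern would fire."""
    return NAIVE_RE.search(referer) is not None


def scan(log_text):
    """Tally .to-referrer hits per referrer host across a log."""
    flagged = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        if is_tonga_referer(rec["referer"]):
            flagged[referer_host(rec["referer"])] += 1
    return flagged


def naive_false_positives(log_text):
    """Referrers the naive pattern blocks but the host-anchored test does not."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and naive_match(rec["referer"]) and not is_tonga_referer(rec["referer"]):
            out.append(rec["referer"])
    return out


if __name__ == "__main__":
    print("hits by .to host:", dict(scan(SAMPLE_LOG)))
    print("naive-only matches:", naive_false_positives(SAMPLE_LOG))
```

Running it over a real access log (replace `SAMPLE_LOG` with the file contents) gives the per-host counts before any rule is deployed, and the second list shows which legitimate referrers the unescaped `.to/` pattern would have turned away with a 403.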
