[wp-hackers] Zombies aimed at WordPress

Jason Bainbridge jbainbridge at gmail.com
Thu Oct 13 13:24:18 GMT 2005

On 10/13/05, Roy Schestowitz <r at schestowitz.com> wrote:
> _____/ On Thu 13 Oct 2005 12:43:10 BST, [Frederic de Villamil] wrote : \_____
> > On Thu, 13 Oct 2005 10:47:32 +0100, Roy Schestowitz wrote
> >> I apologise to have started a new thread, but there are many new
> >> dimensions to this problem, which increases/spreads exponentially as
> >> it seems. All occurrences of zombie attacks of this kind (see
> >> previous thread for context) target WordPress... at least the ones I
> >> am aware of, having researched the Web. The spammers handpick
> >> sensitive (read: heavy) WordPress-generated pages. I have only comes
> >> across 3 occurrences of such attacks, best characterised by Tonga
> >> domains in the referrer field. All occur around the same time across
> >> the domains.
> >>
> >> The zombies in question are all Windows-based and they almost double
> >> in number on a daily basis. I shall soon collaborate with my Web
> >> host (SpamValve and Bad Behaviour spring to mind). otherwise,
> >>  considering the current pace of expansion, my domain would be
> >> isolated from cyberspace.  They are eCommerce sites whose income
> >> depends on the Web and their shops are crippled by attacks on my site.
> >>
> >> The attacks I know of affect Windows-, Linux-, and Mac-oriented
> >> sites, so there is no O/S zeal as a motive; maybe there is CMS zeal,
> >> if at all.
> >>
> >> More evidence of the problems are beginning to resurface. Some of
> >> you in this list might be affected, but have not noticed it yet.
> >> This began (for me) at the start of this month. There were only
> >> dozens of attacks at the start so they were hard to notice among the
> >> logs. Use Technorati to find information on the attacks as it's all
> >> fairly recent so unindexed. One source claims that there are many
> >> sites affected, but they choose to remain silent or wait for a
> >> diminish rather than expansion of this disease. Even the mainstream
> >> media exposed similar issues a day ago. Some of you may have heard
> >> of the Dutch gang that had 100,000 zombies and planned an attack.
> >> They have just been arrested. A friend of mine said it is a small
> >> scale considering what else if out there already.
> >>
> >> I posting this to wp-hackers because it appears to have developed
> >> into a possible yet-to-be-seen plague that is most detrimental to
> >> WordPress. Judging by the pattern of the attacks, I can make a few
> >> speculations. The spammers hijacks or simply inject a rogue process
> >> with hard-coded URL's that vary (both referrer and target URL vary,
> >>  thereby making it hard to filter).
> >>
> >> I don't want to get political (admittedly I have the tendency), but
> >> who is liable? It is sure not the host, or Apache, or WordPress (I
> >> won't pull Matt's finger - pun intended). Who is it that used code
> >> spaghetti that left a gap to be exploited in the O/S? Or lazy ISP's
> >> that harbour rotten traffic? Countries of shame in this case are
> >> China with thrice as many attacks than Russia at second. Something
> >> must be done. This keeps doubling and affecting more blogs.
> >>
> >> Roy
> >
> > We've had the same attack yesterday on Parisist (http://www.parisist.com)
> > which runs a Movable Type.
> > So I don't think it's a Wordpress only attack.
> Have you found any generic solution yet? All solutions that I could gather are
> not simple to incorporate (see below). I am still waiting for some software to
> be installed on the server.
> * Bad Behaviour - needs access to server (pointed out here)

Uhm no it doesn't and hence why several times you've been recommended
to install it:


Well unless you call FTP'ng the plugin files "Access to the server"
but if you don't have FTP well no comment...

Jason Bainbridge
http://kde.org - webmaster at kde.org
Personal Site - http://jasonbainbridge.com

More information about the wp-hackers mailing list