[wp-hackers] Zombies aimed at WordPress???

Roy Schestowitz r at schestowitz.com
Thu Oct 13 15:35:09 GMT 2005

_____/ On Thu 13 Oct 2005 16:04:17 BST, [Jason Bainbridge] wrote : \_____

> On 10/13/05, Roy Schestowitz <r at schestowitz.com> wrote:
>> _____/ On Thu 13 Oct 2005 14:24:18 BST, [Jason Bainbridge] wrote : \_____
>> > On 10/13/05, Roy Schestowitz <r at schestowitz.com> wrote:
>> >> ...
>> >> * Bad Behaviour - needs access to server (pointed out here)
>> >
>> > Uhm no it doesn't and hence why several times you've been recommended
>> > to install it:
>> >
>> > http://www.ioerror.us/software/bad-behavior/in...
>> >
>> > Well unless you call FTP'ing the plugin files "Access to the server"
>> > but if you don't have FTP well no comment...
>> Oh, sorry...! My misinterpretation. The only glaring pitfall is that it covers
>> WordPress only, which probably occupies around 10% of my site's content. There
>> is indeed an advantage to using a single, uniform CMS across the entire site
>> as opposed to a diversity. It decreases the amount of work associated with
>> critical updates and it saves some learning curve, complements integration and
>> so forth. Then again, what would you do when features "in the wild" do not
>> overlap sufficiently? For example, image galleries using WordPress, Wiki
>> integration with/encapsulation in WordPress, Forums and blog software...
> Huh? First you make a big political speech about zombies targeting
> WordPress sites only and then a solution to address problems with
> WordPress isn't adequate as WordPress is only used for 10% of your
> site, so which is it?

You are right in putting it that way. I mistakenly posted with the subject line
"Re: [wp-hackers] Zombies aimed at WordPress" although I intended to put
question marks at the end. By the time I had posted the message I realised that
it was too late to add indication of doubt. I have just renamed the subject
line, hoping it would not lead to anomalies among other people's E-mail clients
(fragmented threading).

In principle, I sought a solution that will protect the site by principle, not
just WordPress. That's what I had in mind all along. If the spammers 'stop by'
Bad Behaviour et al., I believe that would still muck up the logs.

> FYI Bad Behavior also runs with Drupal, MediaWiki, Geeklog and
> DotClear out of the box with logging and you can use it on any other
> PHP script but you lose the logging unless you are knowledgeable enough
> to port it over:
> http://www.ioerror.us/software/bad-behavior/installing-and-using-bad-behavior/
> Personally I only use Spam Karma 2 at the moment as I only get the
> occasional bot trying to post comments and SK2 takes care of that just
> fine.
> Also I saw you mentioned earlier that you were generating AWStats
> during the day (well US time at least), you probably don't want to do
> that as that would upset your host more than what the attacks would as
> it takes quite a bit of grunt to process those stats.

Yes, I'm aware of the issue with aggregating numbers at the end; it is taking
big lumps of memory, especially when large logs are involved and IP tables can
become huge. Having said that, the attackers change targeted URLs. Some such
URLs take _megabytes_ per page request. It's no coincidence. The attacks aim
for it. Therefore, I must keep abreast of what they do and redirect to
403.shtml as soon as possible. I even removed images and stripped things off
that page temporarily. Had I not done that yesterday, I estimate that roughly
2MB x 30,000 (~60GB) of bandwidth would have been requested for the 'most
sensitive' page which flagged the beginning of these attacks around Oct. 2nd.
Needless to say, that traffic would not have been delivered. The server would
have denied access or ground to a halt. To make matters worse, it is a shared


Roy S. Schestowitz      | Software patents destroy innovation
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
  4:20pm  up 49 days  4:34,  3 users,  load average: 0.33, 0.45, 0.45
      http://iuron.com - next generation of search paradigms
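
Added example, not part of the original message: a lightweight pass over an access log that shows which URL many distinct clients are requesting and what it would cost in bandwidth if served in full, without a complete statistics run. It assumes Apache combined-format logs; the sample lines, paths, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Apache "combined" access log format (fields after the size are ignored).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '192.0.2.10 - - [13/Oct/2005:15:00:01 +0000] "GET /heavy/page.html HTTP/1.1" 200 2097152 "-" "-"',
    '198.51.100.7 - - [13/Oct/2005:15:00:02 +0000] "GET /heavy/page.html HTTP/1.1" 403 312 "-" "-"',
    '203.0.113.5 - - [13/Oct/2005:15:00:02 +0000] "GET /heavy/page.html HTTP/1.1" 403 312 "-" "-"',
    '192.0.2.44 - - [13/Oct/2005:15:00:03 +0000] "GET /heavy/page.html HTTP/1.1" 403 312 "-" "-"',
    '192.0.2.10 - - [13/Oct/2005:15:00:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
]

def summarize(lines):
    """Per-path totals: hits, bytes sent, distinct clients, largest 200 body."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "ips": set(), "full": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        size = 0 if m["size"] == "-" else int(m["size"])
        s = stats[m["path"]]
        s["hits"] += 1
        s["bytes"] += size
        s["ips"].add(m["ip"])
        if m["status"] == "200":
            s["full"] = max(s["full"], size)  # size of the page when actually served
    return stats

def hot_paths(stats, min_hits=3, min_clients=3):
    """Paths requested by many distinct clients, ranked by bytes they would
    cost if every request were served in full (hits x largest 200 body)."""
    rows = [
        (path, s["hits"], len(s["ips"]), s["hits"] * s["full"])
        for path, s in stats.items()
        if s["hits"] >= min_hits and len(s["ips"]) >= min_clients
    ]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for path, hits, clients, cost in hot_paths(summarize(SAMPLE)):
        print(f"{path}: {hits} hits from {clients} clients, ~{cost / 2**20:.0f} MiB if served")
```

The last column is the same kind of estimate as the "2MB x 30,000" figure in the message: requests multiplied by the full page size, as opposed to the bytes actually sent once the 403 redirect is in place.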
