Hi Vagrants.

Anyone come across the Pushdo virus? See http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/

I think one of my clients got bit. Thousands of different IPs hitting the site 
with apache records like the following, with multiple hits per second:

186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Only thing that changes is the IP and the timestamp. Always a 200 code and 
13490 size.

My question is should the 200 code concern me? This means apache was happy and 
accepted the POST right? I've captured the bodies of some of these posts and 
they look like garbage. Is there a tool to look at these, or are they just 
supposed to be garbage packets that Pushdo is using to cover its real 
communications?

This is a Drupal site and Drupal shows no record of activity in the logs or on 
the back end. How is someone posting to the base URL and getting away with it??

I dropped in some Rewriteconds in htaccess and it looks like I've locked them 
out and normal Drupal operations still run smoothly.

Cheers. Happy Spring.

--
Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
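As an added example (not part of the original post, and not a tool from the Pushdo article), the following Python script does the kind of triage the post describes by hand: it parses Apache combined-format log lines, flags the pattern quoted above (a POST to the site root with no referer and the MSIE 6.0 user agent), and summarizes how many distinct source IPs are involved, the response sizes and status codes, and the peak rate per second. The sample log lines are constructed for the example; only the first one is modelled on the line in the post, and the other IPs, timestamps and a couple of ordinary Drupal requests are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache combined log format. The first line mirrors the
# one quoted in the post; the rest are invented (documentation-range IPs).
SAMPLE_LOG = """\
186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [29/Apr/2014:08:10:27 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [29/Apr/2014:08:10:27 -0400] "GET /node/12 HTTP/1.1" 200 8811 "https://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0"
192.0.2.44 - - [29/Apr/2014:08:10:30 -0400] "POST /user/login HTTP/1.1" 302 0 "https://example.invalid/user/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/29.0"
203.0.113.9 - - [29/Apr/2014:08:10:27 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# One regex for the combined log format: ip ident user [ts] "req" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_suspicious(rec):
    """The signature from the post: POST to '/', empty referer, MSIE 6.0 user agent."""
    return (rec["method"] == "POST" and rec["path"] == "/"
            and rec["referer"] == "-" and "MSIE 6.0" in rec["ua"])


def summarize(log_text):
    """Count matching requests, distinct IPs, sizes/statuses, and the busiest second."""
    records = (parse_line(line) for line in log_text.splitlines())
    hits = [r for r in records if r and is_suspicious(r)]
    per_second = Counter(r["ts"] for r in hits)
    return {
        "hits": len(hits),
        "distinct_ips": len({r["ip"] for r in hits}),
        "sizes": Counter(r["size"] for r in hits),
        "statuses": Counter(r["status"] for r in hits),
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    # Run against the constructed sample; point this at a real access.log to triage it.
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 4 matching hits from 4 distinct IPs, all status 200 with size 13490, peaking at 2 per second, while the ordinary GET and login POST are left alone. A single response size across every source is the clue worth noting: the server is returning the same page (here the Drupal front page) to every one of these POSTs, which is consistent with the application never treating the body as a form submission, so the 200 reflects Apache serving the root URL rather than anything being accepted into Drupal.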
