From the article:
The twist here is that the botmasters have customized the malware so
that it simultaneously delivers HTTP requests to some 300 lesser
known, but legitimate, websites, which mixes in with traffic meant
for the command-and-control hub
It sounds like your website is one of the unfortunate 300 websites
included to obscure the real command & control network. What's the size
of your normal index page? If it's 13490, then you're fine, just ride
out the extra traffic.
Rene
On 4/29/2014 9:46 AM, Joe Golden wrote:
Hi Vagrants.
Anyone come across the Pushdo virus? See
http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/
I think one of my clients got bit. Thousands of different IPs hitting
the site with apache records like the following, with multiple hits
per second.:
186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200
13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Only thing that changes is the IP and the timestamp. Always a 200 code
and 13490 size.
My question is should the 200 code concern me? This means apache was
happy and accepted the POST right? I've captured the bodies of some of
these posts and they look like garbage. Is there a tool to look at
these, or are they just supposed to be garbage packets that Pushdo is
using to cover it's real communications?
This is a Drupal site and Drupal shows no record of activity in the
logs or on the back end. How is someone posting to the base URL and
getting away with it??
I dropped in some Rewriteconds in htaccess and it looks like I've
locked them out and normal Drupal operations still run smoothly.
Cheers. Happy Spring.
--
------------------------------------------------------------------------
René Churchill
VP of Development (i.e. Geek #2)
WherezIt.com - Your source for Local information
[email protected] <mailto:[email protected]>
802-244-7880 x527
http://www.wherezit.com/
