Hey Joe, Sounds like your getting DDoSed via this virus'es attempt to obfuscate its home base. I would recommend turning on some form of rate limiting. It won't help that the clients are pushing data at you, but at least your web server won't spend nearly as many cpu cycles accepting and processing the requests. -Alex
On Tue, Apr 29, 2014 at 9:46 AM, Joe Golden <[email protected]> wrote: > Hi Vagrants. > > Anyone come across the Pushdo virus? See http://www.scmagazine.com/new- > pushdo-variant-infects-more-than-100k-computers/article/257666/ > > I think one of my clients got bit. Thousands of different IPs hitting the > site with apache records like the following, with multiple hits per second.: > > 186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 > "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" > > Only thing that changes is the IP and the timestamp. Always a 200 code and > 13490 size. > > My question is should the 200 code concern me? This means apache was happy > and accepted the POST right? I've captured the bodies of some of these > posts and they look like garbage. Is there a tool to look at these, or are > they just supposed to be garbage packets that Pushdo is using to cover it's > real communications? > > This is a Drupal site and Drupal shows no record of activity in the logs > or on the back end. How is someone posting to the base URL and getting away > with it?? > > I dropped in some Rewriteconds in htaccess and it looks like I've locked > them out and normal Drupal operations still run smoothly. > > Cheers. Happy Spring. > > -- > Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery >
