Rene,

I became aware of this when the site bogged down to the point of being intermittently unloadable. 
Site is on a low level account hosted by Hot Drupal. Was getting lots of MySQL messages along the 
lines of "too many queries", "exceeded resources", etc.

A couple of lines in .htaccess as outlined at 
http://2bits.com/ddos/yet-another-denial-service-dos-attack.html seem to be 
doing the trick for now ;-)

Cheers.

On Tue, Apr 29, 2014 at 09:53:46AM -0400, Rene Churchill wrote:
From the article:

  The twist here is that the botmasters have customized the malware so
  that it simultaneously delivers HTTP requests to some 300 lesser
  known, but legitimate, websites, which mixes in with traffic meant
  for the command-and-control hub

It sounds like your website is one of the unfortunate 300 websites included to obscure the real command & control network. What's the size of your normal index page? If it's 13490, then you're fine, just ride out the extra traffic.

   Rene

On 4/29/2014 9:46 AM, Joe Golden wrote:
Hi Vagrants.

Anyone come across the Pushdo virus? See 
http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/

I think one of my clients got bit. Thousands of different IPs hitting the site with Apache records like the following, with multiple hits per second:

186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Only thing that changes is the IP and the timestamp. Always a 200 code and 13490 size.

My question is: should the 200 code concern me? This means Apache was happy and accepted the POST, right? I've captured the bodies of some of these posts and they look like garbage. Is there a tool to look at these, or are they just supposed to be garbage packets that Pushdo is using to cover its real communications?

This is a Drupal site and Drupal shows no record of activity in the logs or on the back end. How is someone posting to the base URL and getting away with it??

I dropped in some RewriteConds in .htaccess and it looks like I've locked them out and normal Drupal operations still run smoothly.

Cheers. Happy Spring.


--
------------------------------------------------------------------------
René Churchill
VP of Development (i.e. Geek #2)
WherezIt.com - Your source for Local information
        
[email protected] <mailto:[email protected]>
802-244-7880 x527
http://www.wherezit.com/


--
Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
