Alex,
htaccess modification seems to have done the trick.
Why was I processing their requests and returning a 200 code??
Thanx.
On Tue, Apr 29, 2014 at 10:19:24AM -0400, Alex wrote:
Hey Joe,
Sounds like your getting DDoSed via this virus'es attempt to obfuscate its
home base. I would recommend turning on some form of rate limiting. It
won't help that the clients are pushing data at you, but at least your web
server won't spend nearly as many cpu cycles accepting and processing the
requests.
-Alex
On Tue, Apr 29, 2014 at 9:46 AM, Joe Golden <[email protected]> wrote:
Hi Vagrants.
Anyone come across the Pushdo virus? See http://www.scmagazine.com/new-
pushdo-variant-infects-more-than-100k-computers/article/257666/
I think one of my clients got bit. Thousands of different IPs hitting the
site with apache records like the following, with multiple hits per second.:
186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Only thing that changes is the IP and the timestamp. Always a 200 code and
13490 size.
My question is should the 200 code concern me? This means apache was happy
and accepted the POST right? I've captured the bodies of some of these
posts and they look like garbage. Is there a tool to look at these, or are
they just supposed to be garbage packets that Pushdo is using to cover it's
real communications?
This is a Drupal site and Drupal shows no record of activity in the logs
or on the back end. How is someone posting to the base URL and getting away
with it??
I dropped in some Rewriteconds in htaccess and it looks like I've locked
them out and normal Drupal operations still run smoothly.
Cheers. Happy Spring.
--
Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
--
Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
