Joe,

My solution was a lower-level solution, blocking the connection at the kernel level; the htaccess is blocking at the application level. Both are valid solutions.

As for why you're processing their requests and returning 200 (I'm assuming you mean before the htaccess blocking), I believe that is because they are sending valid HTTP connections with all the correct protocols. It's what your web server would do if any other client requested a page from the server. Without getting too deep into malware CnC, I have to imagine it sends the same request to the actual CnC and they serve up a page that the malware can understand for its next operation.

-Alex

On Tue, Apr 29, 2014 at 11:21 AM, Joe Golden <[email protected]> wrote:
> Alex,
>
> htaccess modification seems to have done the trick.
>
> Why was I processing their requests and returning a 200 code??
>
> Thanx.
>
> On Tue, Apr 29, 2014 at 10:19:24AM -0400, Alex wrote:
>> Hey Joe,
>>
>> Sounds like you're getting DDoSed via this virus's attempt to obfuscate its home base. I would recommend turning on some form of rate limiting. It won't help that the clients are pushing data at you, but at least your web server won't spend nearly as many CPU cycles accepting and processing the requests.
>>
>> -Alex
>>
>> On Tue, Apr 29, 2014 at 9:46 AM, Joe Golden <[email protected]> wrote:
>>> Hi Vagrants.
>>>
>>> Anyone come across the Pushdo virus? See http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/article/257666/
>>>
>>> I think one of my clients got bit. Thousands of different IPs hitting the site with apache records like the following, with multiple hits per second:
>>>
>>> 186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>>
>>> Only thing that changes is the IP and the timestamp. Always a 200 code and 13490 size.
>>>
>>> My question is should the 200 code concern me? This means apache was happy and accepted the POST, right? I've captured the bodies of some of these posts and they look like garbage. Is there a tool to look at these, or are they just supposed to be garbage packets that Pushdo is using to cover its real communications?
>>>
>>> This is a Drupal site and Drupal shows no record of activity in the logs or on the back end. How is someone posting to the base URL and getting away with it??
>>>
>>> I dropped in some RewriteConds in htaccess and it looks like I've locked them out and normal Drupal operations still run smoothly.
>>>
>>> Cheers. Happy Spring.
>>>
>>> --
>>> Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
>
> --
> Joe Golden /_\ www.Triangul.us /_\ Coding, Drupalism, Open Sourcery
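The apache record Joe quoted is the whole signal in this thread: the same method, path, status, response size, empty Referer and User-Agent on every hit, with only the source IP and timestamp changing. Below is an added example (mine, not code from anyone on this thread, and not Joe's actual .htaccess rules) that parses Apache combined-format lines, groups them by that constant fingerprint, counts distinct source IPs and the peak hits per second, and emits RewriteCond/RewriteRule lines in the shape the thread describes. The sample log lines are constructed to match the quoted record, the thresholds are assumptions, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records, modelled on the single line quoted in the thread.
# Not captured traffic: four "POST /" hits from four IPs in two seconds with the
# same size and User-Agent, plus two ordinary Drupal requests from a real visitor.
SAMPLE_LOG = """\
186.120.72.90 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.17 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.8 - - [29/Apr/2014:08:10:26 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [29/Apr/2014:08:10:27 -0400] "POST / HTTP/1.1" 200 13490 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.99 - - [29/Apr/2014:08:10:27 -0400] "GET /node/12 HTTP/1.1" 200 8842 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"
192.0.2.99 - - [29/Apr/2014:08:10:28 -0400] "POST /user/login HTTP/1.1" 302 0 "http://www.example.com/user" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format record into a dict, or return None for lines that
    do not match (truncated lines, other LogFormats)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # "29/Apr/2014:08:10:26 -0400" -> "29/Apr/2014:08:10:26": one bucket per second
    rec["second"] = rec["ts"].split(" ")[0]
    return rec


def fingerprint(rec):
    """The fields a scripted client keeps constant. In the thread only the IP and
    timestamp vary between records, so every flood hit shares one fingerprint."""
    return (rec["method"], rec["path"], rec["status"], rec["size"], rec["referer"], rec["ua"])


def summarize(lines):
    """Map each fingerprint to (distinct source IPs, total hits, peak hits in one second)."""
    ips = defaultdict(set)
    hits = Counter()
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fp = fingerprint(rec)
        ips[fp].add(rec["ip"])
        hits[fp] += 1
        per_second[fp][rec["second"]] += 1
    return {fp: (len(ips[fp]), hits[fp], max(per_second[fp].values())) for fp in hits}


def flood_candidates(lines, min_distinct_ips=3, min_peak_per_second=2):
    """Fingerprints sent by many different IPs at a burst rate real visitors do not
    produce. The thresholds are this example's assumptions; on a real log, set them
    from the site's baseline (distinct IPs per URL per second on a normal day)."""
    return {fp: stats for fp, stats in summarize(lines).items()
            if stats[0] >= min_distinct_ips and stats[2] >= min_peak_per_second}


def htaccess_rules(fp):
    """Emit mod_rewrite lines that answer 403 to one fingerprint before Drupal's
    index.php runs. This is the shape of rule the thread describes, written here as
    an example; it is not Joe's actual .htaccess. Patterns are anchored and
    regex-escaped so a User-Agent containing "(" or "." is matched literally."""
    method, path, _status, _size, _referer, ua = fp
    return "\n".join([
        "RewriteEngine On",
        f"RewriteCond %{{REQUEST_METHOD}} ^{method}$",
        f"RewriteCond %{{REQUEST_URI}} ^{re.escape(path)}$",
        f'RewriteCond %{{HTTP_USER_AGENT}} "^{re.escape(ua)}$"',
        "RewriteRule ^ - [F,L]",
    ])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for fp, (n_ips, n_hits, peak) in flood_candidates(lines).items():
        print(f"{n_ips} IPs, {n_hits} hits, peak {peak}/s: {fp[0]} {fp[1]} -> {fp[2]}, {fp[3]} bytes")
        print(htaccess_rules(fp))
```

On a real server, feed it the log file (`flood_candidates(open("access.log"))`) rather than the constructed sample. The 200 in those records only says that Apache handed a syntactically valid POST to Drupal's front controller and served the front page back, which is also why nothing about it stands out in Drupal's own logs; once the RewriteRule with the F flag is in place, the same hits become 403s that never reach PHP, which is the CPU saving Alex was after. A method/path/User-Agent rule is trivially evaded if the bot changes its strings, so keep the rate limiting or the kernel-level block as the backstop and re-run the summary after the change to see whether a new fingerprint has replaced the old one.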
