WordPress.org

Forums

I am under phentermine attack? (49 posts)

  1. mwillems
    Member
    Posted 7 years ago #

    My server is under attack and it is a blog thing.

    A number of times every day I get hundreds of simultaneous reads from many different IP addresses, all directed to me by some phentermine-type domain. That domain changes each time.

    Example HTTPD access log:

    222.66.48.253 - - [19/Jun/2007:17:59:54 -0400] "GET /blog/?p=97 HXXP/1.1" 200 14645
    "hxxp://www.shaablog.com/orderingphenterminetabs.html"
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"

    207.158.20.118 - - [19/Jun/2007:17:59:58 -0400] "GET /blog/?p=210 HXXP/1.1" 200 13714 "hxxp://www.shaablog.com/purchasinggenericdietpills.html"
    "Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)"

    (I replaced the hxxp myself to allow this post to proceed; it said TT, not XX of course)

    Anyway, I get HUNDREDS of such simultaneous entries, all from different IPs. That then brings my server to a halt.

    What can I do? Any ideas?

    I run 2.2

    Michael

  2. Terry
    Member
    Posted 7 years ago #

    You can try this:

    http://unknowngenius.com/blog/wordpress/ref-karma/

    If it doesn't automatically block them, you can manually add the url in the blacklist.

  3. mwillems
    Member
    Posted 7 years ago #

    Will follow the link.

    The URL changes several times a day, so that will not work.

    Can you or anyone tell me what is actually happening here? Is some fake site pointing to me, and are people following that link? Why?? Is this a DDOS, or is this somehow intended to get people to buy fake drugs: in which case why would it do that? I am really puzzled!

  4. Terry
    Member
    Posted 7 years ago #

    I'd still try it, the script may catch them anyway so you won't have to add them manually.

    It's a referrer spam attack.

    Edit:

    I do use this on one blog and it catches the vast majority of them for me.

  5. mwillems
    Member
    Posted 7 years ago #

    Ok, that looks like what I need, except when I run the test page, I see only a red bar that says:

    check_referrer() error.

    Does that mean it cannot do a reverse lookup on my own internal IP, or is something else wrong? I am reluctant to mess with my site unless I know what is going on, of course.. anyone use this great-looking script?

  6. whooami
    Member
    Posted 7 years ago #

    making wordpress handle referer spam is unnecessary.

    You can battle referer spam using what most hosts already make available to you, an .htaccess.

    http://www.google.com/search?hl=en&q=referer+spam+.htaccess&btnG=Google+Search

  7. mwillems
    Member
    Posted 7 years ago #

    Cancel that red bar question - my bad. Apologies. Typo in the database name... sorry.

  8. Terry
    Member
    Posted 7 years ago #

    Did you follow steps 2, 3 and 4 precisely? It sounds like you missed the true/check page/then switch back to false step.

    I could be wrong, it's been a loooong time since I've set it up (I'm sure it's been 2+ years that I've used it).

    Good luck with it, I'm very confident in the script myself and has kept a lot of bad boys out of my hair :).

  9. Terry
    Member
    Posted 7 years ago #

    Black and orange lines show what's been blocked, the green shows what's been allowed. To add something to the black list (or vice versa), switch to the other page and toggle the url to the list you want it handled (the black list/or white list).

    Good luck!

  10. mwillems
    Member
    Posted 7 years ago #

    It seems to be working now - added to /bog/index.php

    But I see nothing in the logs yet, even though I see people hitting the blog (I am watching tail -f /var/log/httpd/access.log in real time). Is there a delay before log entries show, or does it only show blocked entries?

  11. whooami
    Member
    Posted 7 years ago #

    lol, you have root on this box, and you are using a wordpress plugin to block referer spam? good God, what has the world come to.

  12. Terry
    Member
    Posted 7 years ago #

    No it should show immediately. Hmmm, I'm out of ideas. You can block each url or IP in htaccess, but that's not going to help since they switch up all the time.

    Quick Question, did you add this to the index.php file:

    <?php include_once ("/home/host/public_html/wp-content/referrer-karma.php"); check_referrer(); ?>

    That's added to the main wordpress index.php, not the theme index.php

  13. whooami
    Member
    Posted 7 years ago #


  14. whooami
    Member
    Posted 7 years ago #

    HELLOO!

    You block referer spam using an .htaccess like this:

    RewriteCond %{HTTP_REFERER} ^(.*)phentermine(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)another-spam-word(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)pillh(.*)$ [NC]
    RewriteRule ^.* - [F]

  15. mwillems
    Member
    Posted 7 years ago #

    Terry,

    Yes I did add that line, and yes, to the Blog's main index.php file.

    Whoami,

    No, the strings change daily. HELLOOO! to you too. :-)

  16. Terry
    Member
    Posted 7 years ago #

    Thank you whooami for doing your best to make us feel like idiots.

    mwillems is just asking for ideas and I'm just suggesting what I can.

    Have a nice day spreading more joy in the world :).

  17. Terry
    Member
    Posted 7 years ago #

    mwillems is it the very first line in the index.php? Sorry if it's obvious, just that's the only thing I can think of.

  18. mwillems
    Member
    Posted 7 years ago #

    Terry, yes, it is the very first line.

    And your ideas are very welcome, Terry!

    AHA -- the string as suggested by the script was wrong: it was <?php include_once ("/var/www/html/willems.ca/blog/wp-content/referrer-karma.php"); check_referrer(); ?>

    That should have read <?php include_once ("/blog/wp-content/referrer-karma.php"); check_referrer(); ?>

    So now, when I browse my own site, I get a blank page only. Maybe my internal IP is not reverse lookup-able or something?

    The database is still empty though. In other words the passwords etc are good, since the tables have been created - but the tables are still empty.

    Michael

  19. whooami
    Member
    Posted 7 years ago #

    excuse me?

    This is an open thread. I'm not doing anything you aren't doing, Terry. Last time I checked I am able to make suggestions as well. And please don't forget that there might be other people that read this -- maybe THEY won't want to use a wordpress plugin to fight referer spam. After all, it's somewhat ass backwards to make a blogging application perform a task that Apache already handles.

    Secondly,

    RewriteCond %{HTTP_REFERER} ^(.*)pill(.*)$ [NC]

    catches ANY referer with the string pill in it.

    RewriteCond %{HTTP_REFERER} ^(.*)phent(.*)$ [NC]

    catches any string with the partial match phent in it.

    And obviously, you add more strings.

    You're obviously not interested in any more suggestions, so good luck with your spam.

  20. mwillems
    Member
    Posted 7 years ago #

    Whoami,

    If you saw my logs you would not suggest that, I think. It is not just Phentermine. There are literally hundreds of strings. From child porn to herbal viagra. They change daily.

    Michael

  21. Terry
    Member
    Posted 7 years ago #

    Whatever whooami, carry on. And FYI your htaccess suggestion is helpful, I was just saying it's too bad you chose to talk to us the way you did.

    So now, when I browse my own site, I get a blank page only. Maybe my internal IP is not reverse lookup-able or something?

    Not a good thing! lol. I'm tapped out for ideas mwillems, sorry.

  22. whooami
    Member
    Posted 7 years ago #

    On the contrary, I assure you that I would suggest using my method. It's not a mystery, and you're not the only one to have had this happen.

    If you had looked at the Google results I pointed you to, you might have seen this. It's very similar to what I've already suggested.

    http://www.joemaller.com/htaccess.txt

    It sounds to me, like you just don't understand the power of Apache and mod_rewrite.

    PS: Terry, get over yourself, as of yet, I've not said anything rude, so chill out, and YOU carry on. 3 of my posts were caught by Akismet and NOT showing up, hence the HELLLO - you flatter yourself to think that I was addressing you.

  23. Terry
    Member
    Posted 7 years ago #

    you are using a wordpress plugin to block referer spam? good God, what has the world come to.

    What were you suggesting here? That we're brainiacs or idiots?

    Edit: I'm done in here for the day. Have a good one :).

  24. whooami
    Member
    Posted 7 years ago #

    was I addressing you? No.

    If you must know, I find it absolutely ludicrous and very comical that, especially, someone that has root access to a box would resort to making WordPress manage referer spam.

    The plugin, notwithstanding, using wordpress to do something that Apache/mod_rewrite already handles efficiently is like putting the steering wheel of your car in your trunk.

  25. mwillems
    Member
    Posted 7 years ago #

    But surely, whoami, mod_rewrite does not do the kind of stuff that this script does?

  26. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Are these all referrer to the same other site? Specifically, shaablog.com?

    If so, what's the problem?

    RewriteCond %{HTTP_REFERER} ^(.*)shaablog(.*)$ [NC]
    RewriteRule ^.* - [F]

    Now, I grant you that referrer karma is a neat plugin, and it's more generalized and capable of a wider variety of things.

    But if this is a one-shot deal, the .htaccess method is best simply because it takes nearly no server resources and will more or less instantly stop the denial of service attack that the referrer spam basically amounts to.

  27. whooami
    Member
    Posted 7 years ago #

    caught by Akismet again, so I'm not sure if this got through the first time:

    what are you trying to do? prevent refer spam from showing up in your logs?

    IF you look at that script, it sends referer spammers a 403.

    What I've suggested doing does exactly the same thing.

    IF you want to bloat your database with needless data, recording crap referers.

    No, I'm sorry, my solution won't do that.

    And for the record, just because a referer gets sent a 403 doesn't mean it doesn't show up in your logs. It still shows up, regardless of what is responsible for the 403.

    222.66.48.253 - - [21/Jun/2007:21:02:56 -0400] "GET /archives/2005/01/02/guestbook-entries/ HTTP/1.1" 403 1030 "http://www.txmind.com/buy_diet_pill_phentermine_com_canadian_pharmacies.html" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)"

    right out of my own access log, and that, is referer spam getting a 403.

    --

    otto :) my point exactly :)

  28. mwillems
    Member
    Posted 7 years ago #

    >>>Are these all referrer to the same other site? Specifically, shaablog.com?<<<

    I wish. Twice a day, that domain changes.

    Whoami: OK, aha... .htaccess then? Let's see if I can get httpd.conf configured right to actually read it then.

  29. mwillems
    Member
    Posted 7 years ago #

    Oh and what am I trying to do? When this happens, several times a day (like, 2-4 times), my server load goes up to at least 50-100. So the server effectively dies. I turn off httpd (which takes me forever under that load) and the load vanishes immediately.

  30. mwillems
    Member
    Posted 7 years ago #

    And I still wonder how to do this using .htaccess.

    Like I have 152 variants in the last two days of the word "mortgage". I counted. I either exclude all mortgage posts (might be a bit heavy) or add 152 lines to the htaccess for THIS thing alone - and then there's all the pills, the sex, etc.
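
An added example, not part of the original thread: since the referring domain changes several times a day and the keywords run into the hundreds, the block list can be derived from the burst pattern in the access log (many distinct client IPs arriving from one referrer host within minutes) instead of from keywords. The function names, the thresholds, the `own_host` parameter and the sample log lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache combined log format: client IP, timestamp, request, status, size, referrer, agent
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')
HOST_OK = re.compile(r"^[a-z0-9.-]+$")  # the referrer is attacker-controlled text
SAMPLE = [  # constructed log lines, not taken from the thread
    '192.0.2.10 - - [19/Jun/2007:17:59:54 -0400] "GET /blog/?p=97 HTTP/1.1" 200 14645 "http://www.pills.example/order.html" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Jun/2007:17:59:58 -0400] "GET /blog/?p=210 HTTP/1.1" 200 13714 "http://www.pills.example/buy.html" "Mozilla/4.0"',
    '203.0.113.5 - - [19/Jun/2007:18:00:03 -0400] "GET /blog/?p=12 HTTP/1.1" 200 9120 "http://www.pills.example/tabs.html" "Mozilla/4.0"',
    '192.0.2.44 - - [19/Jun/2007:18:00:09 -0400] "GET /blog/ HTTP/1.1" 200 8000 "http://news.example/links" "Mozilla/5.0"',
]

def burst_referrers(lines, own_host, min_ips=3, window=timedelta(minutes=5)):
    """Referrer hosts that delivered >= min_ips distinct client IPs within window."""
    hits = defaultdict(list)  # referrer host -> [(time, ip), ...]
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, stamp, referrer = m.groups()
        try:
            host = (urlsplit(referrer).hostname or "").lower()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:  # malformed referrer URL or timestamp
            continue
        if not HOST_OK.match(host) or host == own_host:
            continue  # never turn odd characters or our own site into a rule
        hits[host].append((when, ip))
    flagged = []
    for host, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this host's hits
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({ip for _, ip in events[start:end + 1]}) >= min_ips:
                flagged.append(host)
                break
    return sorted(flagged)

def htaccess_rules(hosts):
    """Render mod_rewrite lines that answer the flagged referrer hosts with 403."""
    if not hosts:
        return ""
    alt = "|".join(h.replace(".", r"\.") for h in hosts)
    return "RewriteCond %{HTTP_REFERER} ^https?://(" + alt + ")([/:]|$) [NC]\nRewriteRule ^ - [F]"
```

With a threshold this low a popular legitimate referrer would also be flagged, so review the generated hosts before adding them to .htaccess and raise `min_ips` to match normal traffic.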
