First, if you’re reading this through the feedburner you may have noticed in the past a little “Payday Loan” thing right below the title in past posts. Hopefully that is dead now. I’ll explain what’s going on with that in a minute. But if you see it above, please let me know!
I’m going to get a little geeky here, skip to the headlines if you want to get the big picture. You may have read my article on What’s in A Website? It’s not all puppies and butterflies to set up and keep a website running. That was proved all the more last week.
Holy Smoking Internet
Below is a graph of the bandwidth (the number of megabytes of data) that was consumed by visitors to our little niche in cyberspace. I suspect that the “zeroes” here are due to throttling by GoDaddy, not actually spots where there was no traffic. You see those spikes? Those are ROBOTS. It’s obvious the attacks began around 5/10, but didn’t reach a crescendo until 5/22 (as you can see on the next graph).
But it’s about to get ugly:
Clever, but seriously demented people have written programs to run about on the web, find blogs to which they can add comments and then attempt to automatically add drivel so that they can hawk their worthless (and often scam) products. They also hope that by adding their links to more sites, their rank in search engines will go up. How else are you going to learn about Viagra and fancy watches? The comments are sometimes blatant:
soccer cleats for sale… quality. These cheap and quality nike air maxConcords are my favorite in life. You also give me good service, thank you. When I saw the nike air max Concords here, I know they are good and can be the best choice. My friend told me to buy nike air max …
Sometimes truly stupid:
replica watches… checked out demonstrate just about all invisible records within machine nonetheless absolutely no htaccess record. my spouse and i dont buy it. this is certainly insane, very much assist desired in this article. all i wish to accomplish will be be capa…
And sometimes sneaky:
Pretty nice post. I just stumbled upon your weblog and wished to say that I’ve really enjoyed browsing your blog posts. In any case I will be subscribing to your feed and I hope you write again soon!…
Huge banks of machines that have been zombified do this comment spamming on a massive scale. We had 545,611 “hits” in a 5 day period. Those hits consumed 15.96 Gigabytes of bandwidth. 372,000 of the hits out of 545,611 were robots! Each was trying to comment on one of my old blog articles and collectively slurped up 11.6 Gbytes of bandwidth. 72% of all that traffic went to Chinese servers. Talk about trade imbalance! We didn’t know we were that popular abroad. There was also that guy in Poland who tried super hard to crack into our site through the login portal. He/it was turned away about 4,000 times in one day.
Unfortunately the extreme load caused GoDaddy, our hosting provider, to shut us down and hold us hostage. It’s a good thing I know a little bit about networking… otherwise they probably would never have turned us back on. This all happened right when I launched the initiative to raise money for the Oklahoma Tornado victims. Talk about stress! I felt like I was facing my own tornado – this one made in China. Fortunately the destruction was nothing like what my friends in Oklahoma endured.
This was the second time that the GoDaddy strategy was to punish the innocent. I won’t bother with all the details – I’ll just let you know that we’re folding up shop on GoDaddy and moving to HostGator real soon now. Hopefully it will be mostly transparent to you.
Countermeasures
With the thousands of assaults on the one blog article, it was obvious that I had to fix it. The problem is that WordPress incurs quite a bit of overhead to serve a particular article – it has to find it in the database, format all the ancillary content and then spit out all the parts of the page. That overhead was crushing the server, so I had to eliminate it.
I first took a look at where all the hits were coming from – I needed to shed most of the traffic and I used .htaccess instructions to deny a large range of network addresses from China. If you’re in China on one of those subnets you still won’t be able to read my pages. So there! Hah!
```apache
<Limit GET POST>
order allow,deny
# - Chop the balls off of an intruder from triolan.net
deny from 178.151.216.53
# - Cut the balls off of the Chinese Spam bots-
deny from 110.85.
deny from 110.86.
deny from 121.205.
deny from 117.26.
deny from 218.86.
deny from 27.153.
allow from all
</Limit>
```

Two things worth knowing about this block. Apache reads `deny from 110.85.` as a partial address, so it covers all of 110.85.0.0/16, and with `order allow,deny` a matching deny wins even though `allow from all` comes last. The `<Limit GET POST>` wrapper, on the other hand, applies the rules only to GET and POST requests; a HEAD or OPTIONS request from the same address still gets through, so for an outright block put the `order`/`deny`/`allow` lines outside any `<Limit>`. (This is Apache 2.2 syntax. On Apache 2.4 the same thing is a `<RequireAll>` block containing `Require all granted` followed by `Require not ip 110.85` and friends.)
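Picking the prefixes to deny means looking at the access log first. The script below is an added example for this post, not the blog's own tooling: it parses Apache combined-format log lines, totals hits and bytes per requested path, hits per /16 prefix (the same "a.b." partial-address form used in the .htaccess above) and POSTs to wp-login.php per address, then prints `deny from` lines for any prefix over a threshold. The log lines in `SAMPLE_LOG` are constructed for the demo and use documentation address ranges, not real attacker addresses; the threshold of 3 is just for the sample.

```python
"""Summarise an Apache access log and emit .htaccess "deny from" lines.

Added example for this post, not the blog's own script. SAMPLE_LOG is
constructed for the demo (documentation address ranges, not real bots).
"""
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one article hammered from 203.0.113.x and 203.0.114.x
# (same /16), one comment post, one human reader, two login attempts, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2013:10:01:02 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 48212 "-" "Mozilla/4.0"
203.0.113.8 - - [22/May/2013:10:01:03 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 48212 "-" "Mozilla/4.0"
203.0.113.9 - - [22/May/2013:10:01:04 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.114.20 - - [22/May/2013:10:01:05 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 48212 "-" "Mozilla/4.0"
198.51.100.5 - - [22/May/2013:10:02:00 -0700] "GET /2013/05/oklahoma HTTP/1.1" 200 39111 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [22/May/2013:10:02:10 -0700] "POST /wp-login.php HTTP/1.1" 200 3511 "-" "-"
192.0.2.44 - - [22/May/2013:10:02:11 -0700] "POST /wp-login.php HTTP/1.1" 200 3511 "-" "-"
this line is not a valid log entry
"""


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec


def slash16(ip):
    """'203.0.113.7' -> '203.0.' (Apache's partial-address form for 203.0.0.0/16)."""
    return ".".join(ip.split(".")[:2]) + "."


def summarise(records):
    """Aggregate hits by path, bytes by path, hits by /16 and wp-login POSTs by IP."""
    hits_by_path, bytes_by_path = Counter(), Counter()
    hits_by_prefix, login_posts = Counter(), Counter()
    for r in records:
        hits_by_path[r["path"]] += 1
        bytes_by_path[r["path"]] += r["bytes"]
        hits_by_prefix[slash16(r["ip"])] += 1
        if r["method"] == "POST" and r["path"].split("?")[0] == "/wp-login.php":
            login_posts[r["ip"]] += 1
    return {
        "hits_by_path": hits_by_path,
        "bytes_by_path": bytes_by_path,
        "hits_by_prefix": hits_by_prefix,
        "login_posts": login_posts,
    }


def deny_rules(hits_by_prefix, threshold):
    """Apache 2.2 directives denying every /16 with at least `threshold` hits.

    Comments go on their own lines because Apache does not allow a comment
    after a directive. The rules are deliberately not wrapped in
    <Limit GET POST>, so they apply to every request method.
    """
    lines = ["order allow,deny"]
    for prefix, n in hits_by_prefix.most_common():
        if n < threshold:
            break
        lines.append(f"# {n} hits from {prefix}0.0/16")
        lines.append(f"deny from {prefix}")
    lines.append("allow from all")
    return lines


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    for path, n in s["hits_by_path"].most_common(3):
        print(f"{n:6d} hits {s['bytes_by_path'][path]:9d} bytes  {path}")
    for ip, n in s["login_posts"].most_common():
        print(f"{n:6d} wp-login.php POSTs from {ip}")
    print("\n".join(deny_rules(s["hits_by_prefix"], threshold=3)))
```

On a real log, run it against the last few days of access_log and set the threshold well above what human readers in that prefix could produce; a /16 is a blunt instrument, and the same aggregation by full address (drop `slash16`) will tell you whether a handful of hosts or a whole network is responsible.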
Then I wrote a very simple page that only says “Go away jerk”. Nothing fancy there.
WordPress relies on .htaccess rules to help serve content on my blog. Here are the two important rules. What they mean is simply: if the requested path is an actual file or an actual directory on disk, Apache serves it directly; otherwise the request is handed off to the WordPress scripts that do all the processing.

```apache
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
```

(In a stock WordPress .htaccess these two conditions guard the line that follows them, `RewriteRule . /index.php [L]`, which is what sends everything that isn't a real file or directory to index.php.)
Since the url that the robots were hitting was
blog.starcircleacademy.com/2011/03/driven-to-abstraction
All I really needed to do was to create the directory path 2011/03/driven-to-abstraction under the web root and put an index.html file in it. Because the directory now exists, the `!-d` condition fails, WordPress is bypassed entirely, and all I need to do to restore access to the article is delete the folders.
However, I first played with redirecting the traffic by putting this in the .htaccess at the root of my website(s):

```apache
RedirectMatch 301 /2011/03/driven-to-abstraction(.*) http://theamusing.com/badrobo/jerk.html
```
I noticed that most of the robots that were generating the spam hits were following the redirects. If they keep this up I'll redirect them to 127.0.0.1, in which case they'll be asking themselves for content:

```apache
RedirectMatch 301 /2011/03/driven-to-abstraction(.*) http://127.0.0.1:8676/youareanidiot
```

Two caveats here. A request to 127.0.0.1 never leaves the bot's own machine, so it doesn't actually burn the bot's bandwidth; it just gets a refused connection. The real win is that the follow-up request never reaches my server. Also, a 301 is a permanent redirect that well-behaved clients cache, so a client that has seen it may never ask for the real article again; use a 302 while experimenting so the redirect can be withdrawn cleanly later.
I’ve also thought about pointing them at those damn loan sites that have been infecting so many websites.
Payday Loan Hack
Now getting back to that “payday loan” garbage. The problem is that GoDaddy’s servers are not secure – they are vulnerable to attack, especially via “sneaky files” designed to commandeer some aspects of the blog and surreptitiously insert their own drivel. In this case the insertion was only visible to those who either looked at the HTML source or happened to read the post by email, because only Google’s FeedBurner rendered the otherwise invisible spam. The sneaky code has infected THOUSANDS of websites. Don’t believe me? I found 700+ infected sites with a simple Google search, and all the ones I checked are hosted on GoDaddy! Please note that the search I did, trying to find news of a cure, only includes sites that contain both the subversive ads AND the word “malware”. Guess how many hits there are for this search:

t0inpaydayloans.com xmlrpc

Over 4,000! And that hawked site is only one of THOUSANDS of similar sites.
Get your Geek On
I used a number of tools to hunt down the invasion. There is a WordPress plugin called “Exploit Scanner” which gave me so many false positives at first that I had to drop back and do some clean up. Most of the false positives were related to our store, WordPress E-Cart. A great free site that helped me is Sucuri.net. I could kiss them. They even offer a reasonably priced plan where they will regularly scan your site and fix any problems. It was tempting, except the geek in me wanted to find the source of the garbage.
Boy was it well hidden. Doubly encoded, base64 inside base64 (obfuscation rather than real encryption). It had to be, because there is plenty of advice out on the net warning about the presence of code like this: base64_decode(
This attacker hid his code well. But not well enough!
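Grepping for `base64_decode(` finds the outermost wrapper but not what is inside it, and the inside is where the next decoder call and the actual spam live. The scanner below is an added example, not the tool used on this site: it finds the decode-and-execute idiom (`eval(` fed by `base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13` or `strrev` applied to a string literal), peels the layers one at a time with Python equivalents of those PHP functions, and walks a directory of .php files doing the same. The "infected" file it inspects is constructed inside `make_sample()` with an inert payload (a link to example.com), not real malware; a real dropper may also build the literal from concatenation or variables, which a literal-only regex like this one will miss.

```python
"""Find and unwrap eval(base64_decode(...)) style payloads in PHP source.

Added example for this post, not the blog's own tool. make_sample() builds a
doubly wrapped dropper with an inert payload so the script runs offline.
"""
import base64
import codecs
import os
import re
import zlib

# A chain of decoder calls (optionally starting with eval) applied to a string literal,
# e.g. eval(gzinflate(base64_decode('...')))
CHAIN = re.compile(
    r"(?P<chain>(?:(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*)+)"
    r"(?P<q>['\"])(?P<arg>[^'\"]*)(?P=q)",
    re.IGNORECASE,
)

# Python equivalents of the PHP functions the droppers use.
PHP_DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b, validate=False),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                 # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}


def decode_chain(fns, arg):
    """Apply the decoders innermost first; eval() is reported, never executed."""
    data = arg.encode("latin-1")
    for fn in reversed(fns):
        if fn.lower() != "eval":
            data = PHP_DECODERS[fn.lower()](data)
    return data


def unwrap(php_source, max_depth=8):
    """Peel nested decode layers.

    Returns (layers, evals): layers are the decoded texts from outermost to
    innermost, evals is True if any layer handed its result to eval().
    """
    layers, evals, current = [], False, php_source
    for _ in range(max_depth):
        m = CHAIN.search(current)
        if not m:
            break
        fns = re.findall(r"[A-Za-z0-9_]+", m.group("chain"))
        evals = evals or any(f.lower() == "eval" for f in fns)
        try:
            decoded = decode_chain(fns, m.group("arg")).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not a real encoded blob, or a decoder we got wrong
        layers.append(decoded)
        current = decoded
    return layers, evals


def scan_tree(root):
    """Return {path: (layers, evals)} for every .php file under root that contains a chain."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    layers, evals = unwrap(fh.read())
                if layers:
                    hits[path] = (layers, evals)
    return hits


def make_sample():
    """Constructed dropper: eval(gzinflate(base64(eval(base64(<inert PHP>))))."""
    inner = "<?php echo '<a href=\"http://example.com/loans\">payday loans</a>'; ?>"
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw DEFLATE, as gzinflate expects
    raw = co.compress(layer1.encode()) + co.flush()
    layer2 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php /* theme footer */ " + layer2 + " ?>"


if __name__ == "__main__":
    layers, evals = unwrap(make_sample())
    print("feeds eval():", evals)
    for depth, text in enumerate(layers, 1):
        print(f"--- layer {depth} ---\n{text}")
```

Run `scan_tree("/path/to/wp-content")` on a real install and read the innermost layer of each hit; a legitimate plugin occasionally base64-encodes an image or a licence blob, so the `evals` flag is what separates "odd" from "executes attacker-supplied code".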
References:
- http://www.blogtips.org/godaddy-hacked-again-another-way-to-cure/
- https://sucuri.net/
- http://www.branded3.com/blogs/htaccess-mod_rewrite-ultimate-guide/
- CloudFlare.com – to protect against such attacks. (Thanks to Enrico for tipping me off about this)
We’ll be back on topic with the next article. Promise.
Good move to dump GoDaddy. I’ve been with HostGator for 8 years now and they are great. Also switched all my domain registrations from GoDaddy to Namecheap.com about a year ago.
I wanted to add a plug for Namecheap.com as well. Great hosting, no hassle. It was amazingly difficult to move from GoDaddy, because GoDaddy made it difficult, but I’ve been happy with Namecheap ever since.
Pretty nice post. I just stumbled upon your weblog and wished to say that I’ve really enjoyed browsing your blog posts. In any case I will be subscribing to your feed and I hope you write again soon!… (sorry, couldn’t resist) 🙂
Oh no, another robot. 😉
If you really want to get paranoid, read Tom Clancy’s new book, Threat Vector. I hope someone in one of our intelligence agencies has read it.
Interesting info. Glad you’re taking steps to suppress this scourge.
Very interesting!
Thank you for sharing
The attempts to login to the site have continued. About 4700 tries yesterday. Curiously there are about a dozen attempts from many different (no doubt spoofed) IP addresses.
Seems it’s now time to double secure the login and admin pages. For the reasons noted earlier, a “login lockdown” script doesn’t make sense as it will not shed the load of all the login attempts, nor would it really prevent the continued brute-force attacks.
So what is next is adding authentication to access the WordPress pages (wp-login and wp-admin). A simple method would be to require a specific cookie – then it would be portable and low trouble. However I’ve found I really like using LastPass so creating completely unguessable ids and passwords is easy to do and to manage. For example, LastPass just generated this: vBs!P5!46%GR.
Some other steps I’ve taken include changing my permissions on my primary account to give it very little access and creating an admin account with a userid and password like the one I gave above.
To follow up on my prior content, the folks at Tips and Tricks have rolled the login attack logic into a very good – and free – plugin that I use and highly recommend: All In One WordPress Security: http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
I am using the “Cookie Based Brute Force Rejection” rejection method in the “Brute Force” page.
