• My server is under attack and it is a blog thing.

    A number of times every day I get hundreds of simultaneous reads from many different IP addresses, all directed to me by some phentermine-type domain. That domain changes each time.

    Example HTTPDD access log:

    222.66.48.253 – – [19/Jun/2007:17:59:54 -0400] “GET /blog/?p=97 HXXP/1.1” 200 14645
    “hxxp://www.shaablog.com/orderingphenterminetabs.html”
    “Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]”

    207.158.20.118 – – [19/Jun/2007:17:59:58 -0400] “GET /blog/?p=210 HXXP/1.1” 200 13714 “hxxp://www.shaablog.com/purchasinggenericdietpills.html”
    “Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)”

    (I replaced the hxxp myself to allow this post to proceed; it said TT, not XX of course)

    Anyway, I get HUNDREDS of such simultaneous entries, all from different IPs. That then brings my server to a halt.

    What can I do? Any ideas?

    I run 2.2

    Michael

Viewing 15 replies - 1 through 15 (of 48 total)
  • You can try this:

    https://unknowngenius.com/blog/wordpress/ref-karma/

    If it doesn’t automatically block them, you can manually add the url in the blacklist.

    Thread Starter mwillems

    (@mwillems)

    Will follow the link.

    The URL changes several times a day, so that wil not work.

    Can you or anyone tell me what is actually happening here? Is some fake site pointing to me, and are people following that link? Why?? Is this a DDOS, or is this somehow intended to get people to buy fake drugs: in which case why would it do that? I am really puzzled!

    I’d still try it, the script may catch them anyway so you won’t have to add them manually.

    It’s a referrer spam attack.

    Edit:

    I do use this on one blog and it catches the vast majority of them for me.

    Thread Starter mwillems

    (@mwillems)

    Ok, tha looks like what I need, except when I run the test page, I see only a red bar that says:

    check_referrer() error.

    Does that mean it cannot do a reverse lookup on my own internal IP, or is something else wrong? I am reluctant to mess with my site unless I know what is going on, of course.. anyone use this great-looking script?

    making wordpress handle referer spam is unnecessary.

    You can battle referer spam using what most hosts already make available to you, an .htaccess.

    https://www.google.com/search?hl=en&q=referer+spam+.htaccess&btnG=Google+Search

    Thread Starter mwillems

    (@mwillems)

    Cancel that red bar question – my bad. Apologies. Typo in the database name… sorry.

    Did you follow steps 2, 3 and 4 precisely? It sounds like you missed the true/check page/then switch back to false step.

    I could be wrong, it’s been a loooong time since I’ve set it up (I’m sure it’s been 2+ years that I’ve used it).

    Good luck with it, I’m very confident in the script myself and has kept a lot of bad boys out of my hair :).

    Black and orange lines show what’s been blocked, the green shows what’s been allowed. To add something to the black list (or vice versa), switch to the other page and toggle the url to the list you want it handled (the black list/or white list).

    Good luck!

    Thread Starter mwillems

    (@mwillems)

    It seems to be working now – added to /bog/index.php

    But I see nothing in the logs yet, even though I see people hitting the blog (I am watching tail -f /var/log/httpd/access.log in real time). Is ther ea delay before log entries show, or does it only show blocked entries?

    lol, you have root on this box, and you are using a wordpress plugin to block referer spam? good God, what has the world come to.

    No it should show immediately. Hmmm, I’m out of ideas. You can block each url or IP in htaccess, but that’s not going to help since they switch up all the time.

    Quick Question, did you add this to the index.php file:

    <? php include_once (“/home/host/public_html/wp-content/referrer-karma.php”); check_referrer(); ?>

    That’s added to the main wordpress index.php, not the theme index.php

    HELLOO!

    You block referer spam using an .htaccess like this:

    RewriteCond %{HTTP_REFERER} ^(.*)phentermine(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)another-spam-word(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)pillh(.*)$ [NC]
    RewriteRule ^.* - [F]
    Thread Starter mwillems

    (@mwillems)

    Terry,

    Yes I did add that line, and yes, to the Blog’s main index.php file.

    Whoami,

    No, the strings change daily. HELLOOO! to you too. ??

    Thank you whooami for doing your best to make us feel like idiots.

    mwillems is just asking for ideas and I’m just suggesting what I can.

    Have a nice day spreading more joy in the world :).

Viewing 15 replies - 1 through 15 (of 48 total)
  • The topic ‘I am under phentermine attack?’ is closed to new replies.