Apache spam flood

Petertjuh360

Hello all,

Apache often causes a high load on my server because of a spam flood.
At /server-status I can see that these kinds of URLs are often requested:
Code:
GET /index.php?conumile=buy_zithromax_melbourne_pharmacy&conumi
GET /index.php?conumile=buy_online_viagra_super_active_prices_w
They always come from different IP addresses.

Does somebody know how to prevent this?
It causes a high load (because of Wordpress and other engines).
 
Hello,

What is "/index.php?conumile=" used for? Is it a legitimate page link or not? Anyway, you might want to block with Apache all requests containing "?conumile=" if it does not break browsing of your customers' websites for normal users.
 
It's not a legitimate page.
My client is using the latest WP version, but I'll suggest him to change his passwords.
The requests are on all of his websites.
 
By the way, do you see any different content if you visit the site via www.domain.com/index.php and www.domain.com/index.php?conumile=buy_zithromax_melbourne_pharmacy ? Note you might want to grep the full request from the Apache logs in order to see it.
 
GET /index.php?sakes=where_to_buy_brand_viagra_online_au_now&sa
GET /index.php?conumilel=419 HTTP/1.1

Are some other requests.
There isn't any difference between /index.php and index.php?conumile=buy_zithromax_melbourne_pharmacy
 
Limit ip connections with CSF or block URLs manually with mod_rewrite rules.
 
I have the impression his index.php is compromised. I would check that anyway, or replace it with one from a WP version that you know for sure has no problems.
I had something similar a while ago with one of my customers. He also had a fully up-to-date WordPress.
The problem resided in a theme he used, which could be abused. Attackers also compromised the index.php and sent spam via files they put somewhere else. These had the MySQL passwords for the database.
So it could be advisable to also change the database passwords.
 
We had clients using "cracked" themes that they downloaded from various known sites and had their account defaced/hacked. Mainly these themes and templates were for Joomla, Wordpress and forum software. Once, a new client created a new account and within minutes after transferring his website from another host, his account was hacked and automatically suspended because of high server load - on a cpanel server.
 
My customer did not even use a cracked theme, but a free theme, though a bit old.

But it's true, they get their accounts hacked within minutes. I think Petertjuh could best completely check that WordPress installation for strange files etc., or let somebody with security and server knowledge do it for him if he can't do it himself.
 
Are some other requests.
There isn't any difference between /index.php and index.php?conumile=buy_zithromax_melbourne_pharmacy

You might need to check with the full request as the site is requested by the hacker. With Google I've found a site which gives different content with and without conumile.

Also, you might want to try maldetect (http://forum.directadmin.com/showthread.php?t=42393&p=216079#post216079); we very often find shells and compromised files of WP and Joomla (as well as others) with the help of the scanner.
 
Thanks for your comments, I will check the client's files.

I have maldetect running, but the cron-scan doesn't give positives. I'll run a manual maldetect scan on his directory.
You guys will hear from me, thanks in advance!
 
I'd suggest running:

Code:
maldet -a /home?/?/domains/?/public_html/

to scan all the existing files at least for the first run.
 
I ran a scan yesterday on his files (with a command similar to the one above, thanks zEitEr) and I got some positives.
The files are in quarantine and I'm monitoring the Apache spam flood/load now.
It looks like the load and the flood are less now.
 
We capture the frequent-access IP regularly (by cron and shell script), and use iptables and ipset to block them.
It can decrease the frequency.
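The log-driven blocking described in the post above (and the mod_rewrite/CSF suggestion earlier in the thread) can be scripted like this. This is an added example, not code from anyone in the thread: it assumes an Apache combined-format access log, uses the query-string keys seen in the thread (conumile, conumilel, sakes) as the spam markers, works on constructed sample log lines, and only prints the ipset/iptables commands for review rather than running them.

```shell
#!/bin/sh
# Added example: count requests per client IP for the spam-style query strings
# seen in the thread and emit ipset/iptables commands that a cron job could
# apply. Nothing here touches the firewall; output is meant to be inspected.

# Constructed sample log lines (combined format) standing in for access_log.
SAMPLE_LOG='192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?conumile=buy_zithromax_melbourne_pharmacy HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?conumile=buy_online_viagra_super_active_prices HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?conumilel=419 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?sakes=where_to_buy_brand_viagra_online_au_now HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Query-string keys the thread identified as spam markers; extend as needed.
SPAM_KEYS='conumile|conumilel|sakes'

# spam_ips LOGTEXT THRESHOLD: print "count ip" for every client IP whose
# number of spam-pattern requests is >= THRESHOLD, most active first.
spam_ips() {
    printf '%s\n' "$1" |
        grep -E "\"(GET|POST) /index\.php\?($SPAM_KEYS)=" |
        awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# block_commands LOGTEXT THRESHOLD: emit the ipset/iptables commands a cron
# job would run. The set expires entries after an hour so a shared or
# reassigned address is not blocked forever.
block_commands() {
    echo "ipset create spamflood hash:ip timeout 3600 -exist"
    echo "iptables -C INPUT -m set --match-set spamflood src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set spamflood src -j DROP"
    spam_ips "$1" "$2" | while read -r count ip; do
        echo "ipset add spamflood $ip -exist   # $count spam requests"
    done
}

block_commands "$SAMPLE_LOG" 2
```

On a real server, replace SAMPLE_LOG with the contents of the access log (for example the last few minutes via a log rotation window) and pipe the output to sh once the listed addresses have been checked.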
 