How can I stop a bot attack on my site?
I have a site (built with WordPress) that is currently under a bot attack (as best I can tell). A file is being requested over and over, and the referrer is (almost every time) turkyoutube.org/player/player.swf. The file being requested is deep within my theme files, and is always followed by "?v=" and a long string (i.e. r.php?v=Wby02FlVyms&title=izlesen.tk_Wby02FlVyms&toke).
I've tried setting an .htaccess rule for that referrer, which seems to work, except that now my 404 page is being loaded over and over, which is still using lots of bandwidth. Is there a way to create an .htaccess rule that requires no bandwidth usage on my part?
I also tried creating a robots.txt file, but the attack seems to be ignoring that.
#This is the relevant part of the .htaccess file:
RewriteCond %{HTTP_REFERER} turkyoutube.org [NC]
RewriteRule .* - [F]
5 Comments
Simply do the 301 redirect to the FBI site.
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www.)?turkyoutube.org.*$ [NC]
RewriteRule ^(.*)$ www.fbi.gov [R=301,L]
I use DenyHosts[1] on all my servers. DenyHosts disallows all IPs which failed to log in after n times. You can also send notifications. So you have a great overview from which IPs/hosts the logins came; and it also has a web update function and other great features. But it's still very simple to install.
Another method is to disallow all IP ranges/blocks, e.g. from China or other countries which are not your targeted group. This can be done with online "Blacklists" or just with the hosts.deny file (like DenyHosts).
[1] denyhosts.sourceforge.net/
How about a little corbomite maneuver?
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http(s)?://(www.)?turkyoutube.org.*$ [NC]
RewriteRule ^(.*)$ 127.0.0.1/ [R=401,L]
Note, untested but should redirect requests from them back to themselves with a 401 Not Authorized status code. That is, if the bot even handles redirects (very unlikely), but it will still see the status code. A 404 status code may be more effective. Either one should tell the bot that it should probably give up.
The rule you posted in comments is also more than adequate if you broaden the expression to match the host a little more. I use something close (as far as the actual rule) to block user-agents matching libwww-perl:
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
Aside from the IP blocking, I would scrutinize the files that are being requested. It's a fairly common thing for open-source systems such as WordPress and Joomla to be exploited, which is one reason why they're frequently updated. If you've neglected a few updates, it's possible that someone has penetrated your site.
I've had that scenario happen to me twice, once on a testing site that never got fully deployed (but was left in place) and another time on a company website where an employee with valid access "snuck" a phpBB on for his family to communicate--updates would have prevented the issues. In both cases, the problem was found with analytics as it seems might be true in your case. The Joomla attack injected JavaScript that caused the user's browser to load software, while the latter allowed the hacker to upload files to the server that were part of a distributed "alternate" Google site that led the user to p*rn every time. Though it's not entirely a common hack, check your DB users table, just in case.
I certainly don't mean to cause alarm, but it never hurts to take the time to dig through your site once in a while to know exactly what's going on. Sometimes you'll be surprised what you find.
If the attack is coming from the same IP number each time (or a small set of IP numbers) you should block that IP number in your firewall. That should not cost any bandwidth or load on your web server.
If you are hosting it on a Linux machine that you have root access to, this article explains how to do this.
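An added example (not code from any poster in this thread) for checking whether the firewall approach in the last comment applies: it tallies requests and response bytes per client IP for the turkyoutube.org referrer from Apache access log lines. It assumes the server writes the "combined" log format; the sample lines, IP addresses and theme path are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

def summarize(lines, referer_host="turkyoutube.org"):
    """Count requests and response bytes per client IP for one referrer host."""
    hits, sent = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or referer_host not in m["referer"].lower():
            continue  # unparsable line, or unrelated traffic
        hits[m["ip"]] += 1
        sent[m["ip"]] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return hits, sent

def top_sources(hits, top_n=2):
    """Return the top_n IPs and the share of matching requests they account for."""
    top = hits.most_common(top_n)
    total = sum(hits.values())
    share = sum(n for _, n in top) / total if total else 0.0
    return [ip for ip, _ in top], share

# Constructed sample: documentation IP ranges, placeholder theme path.
REF = '"http://turkyoutube.org/player/player.swf" "Mozilla/5.0"'
REQ = '"GET /wp-content/themes/EXAMPLE/r.php?v=CONSTRUCTED HTTP/1.1"'
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = (
    [f"192.0.2.10 - - {TS} {REQ} 404 5120 {REF}"] * 4
    + [f"192.0.2.11 - - {TS} {REQ} 403 210 {REF}"] * 2
    + [f"198.51.100.7 - - {TS} {REQ} 403 210 {REF}"]
    + [f'203.0.113.5 - - {TS} "GET / HTTP/1.1" 200 18000 "-" "Mozilla/5.0"']
    + ["truncated or malformed line"]
)

if __name__ == "__main__":
    hits, sent = summarize(SAMPLE_LOG)
    ips, share = top_sources(hits)
    for ip in ips:
        print(f"{ip}: {hits[ip]} requests, {sent[ip]} bytes sent")
    print(f"top {len(ips)} IPs account for {share:.0%} of matching requests")
```

If a handful of IPs cover most of the matching requests, firewall rules for those IPs are practical; if the share is low, the requests are spread across many clients and a referrer rule is the workable filter. The per-IP byte totals also show how much bandwidth the 404 or 403 responses are still costing.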