Gooochi talks to /bc/123kah.php

This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all of them went to the nonexistent /bc/123kah.php.

The payload was an array that looked like this:

Array
(
    [showed] =>
    [clicked] =>
    [version] => 2.6.2.4
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)

So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.

The traffic was never overwhelming but I decided to put a stop to it with a simple deny from all in a .htaccess file. Much better than having WordPress serve up a 404 page.

I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)
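
An added example, not part of the original post: a small Python script that counts POSTs to /bc/123kah.php in an Apache access log, how many distinct IPs sent them, and which status codes came back (403 once the deny rule answers instead of WordPress's 404). It assumes the Apache combined log format; the log lines, IPs and timestamps are constructed sample data.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

TARGET_PATH = "/bc/123kah.php"  # the path named in the post

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2010:16:22:38 +0000] "POST /bc/123kah.php HTTP/1.1" 404 5120 "-" "-"
198.51.100.7 - - [22/Feb/2010:16:22:41 +0000] "POST /bc/123kah.php HTTP/1.1" 404 5120 "-" "-"
192.0.2.10 - - [23/Feb/2010:09:01:12 +0000] "POST /bc/123kah.php HTTP/1.1" 403 210 "-" "-"
203.0.113.5 - - [23/Feb/2010:09:01:15 +0000] "GET /index.php HTTP/1.1" 200 8031 "-" "Mozilla/5.0"
203.0.113.99 - - [23/Feb/2010:09:02:44 +0000] "POST /bc/123kah.php HTTP/1.1" 403 210 "-" "-"
198.51.100.7 - - [23/Feb/2010:09:03:00 +0000] "GET /bc/123kah.php HTTP/1.1" 404 5120 "-" "-"
"""


def summarize(log_text, path=TARGET_PATH):
    """Count POSTs to `path`, distinct client IPs, and responses per status."""
    hits = 0
    ips = set()
    by_status = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Compare the path without any query string.
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != path:
            continue
        hits += 1
        ips.add(m["ip"])
        by_status[m["status"]] += 1
    return {"hits": hits, "unique_ips": len(ips), "by_status": dict(by_status)}


if __name__ == "__main__":
    # Swap SAMPLE_LOG for open("access.log").read() to run on a real log.
    print(summarize(SAMPLE_LOG))
```
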



4 thoughts on “Gooochi talks to /bc/123kah.php”


  1. When it happens to me I’ve tried a quick remedy – put a dummy file of that name in the way (i.e. create a small file bc/123kah.php). Saves the .htaccess call, and avoids server log/404 hits. Whether that ends up being less of a performance hit than htaccess, can’t really say…
