This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all requests went to the nonexistent /bc/123kah.php.
The payload was an array that looked like this:
    Array
    (
        [showed] =>
        [clicked] =>
        [version] => 2.6.2.4
        [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
        [tm] => 1266855758
        [aff_id] => gooochi
        [net_id] => gooochi
        [safe] => 1
        [exceed] => 2505,2507,2582,2597,2602
    )
So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.
The traffic was never overwhelming but I decided to put a stop to it with a simple

    deny from all

in a .htaccess file. Much better than having WordPress serve up a 404 page.

I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)
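
One way to spot this pattern in an access log, as an added example that is not part of the original post: the Python below lists paths that received POSTs from several distinct addresses and answered every one with 404. The log lines, the `missing_post_targets` name and the `min_ips` threshold are constructed for illustration, and Apache's common log format is assumed.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def missing_post_targets(lines, min_ips=3):
    """Return {path: (request_count, distinct_ip_count)} for paths that only
    ever answered POSTs with 404 and were hit from at least min_ips clients."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST traffic
        path = m["path"].split("?", 1)[0]  # ignore any query string
        entry = hits[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"].add(m["status"])
    return {
        path: (e["count"], len(e["ips"]))
        for path, e in hits.items()
        if e["statuses"] == {"404"} and len(e["ips"]) >= min_ips
    }

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2010:16:22:38 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [22/Feb/2010:16:22:41 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
203.0.113.5 - - [22/Feb/2010:16:22:44 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [22/Feb/2010:16:23:02 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [22/Feb/2010:16:23:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
203.0.113.9 - - [22/Feb/2010:16:23:15 +0000] "GET /missing.html HTTP/1.1" 404 512 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for path, (count, ips) in missing_post_targets(SAMPLE_LOG).items():
        print(f"{path}: {count} POSTs from {ips} addresses, all 404")
```

Once a `deny from all` rule covers the path, Apache answers with 403 instead, so the 404-only filter applies to log entries from before the block.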

4 Comments
Viper007Bond (28 comments.) on February 23, 2010 at 10:25 am.
More info:
http://www.f-secure.com/sw-desc/adware_w32_adrotator_gen.shtml
http://www.google.com/search?q=123kah.php
donnacha | WordSkill (27 comments.) on February 23, 2010 at 2:31 pm.
Wow, interesting site … The Hidden Rage of Donncha O’ Caoimh
Donncha (1707 comments.) on February 23, 2010 at 3:08 pm.
Haha, I took it on from the original admin who wasn’t going to maintain it. Didn’t want the domain passing into spammer’s hands!
David Pankhurst (1 comments.) on March 4, 2010 at 10:15 am.
When it happens to me I’ve tried a quick remedy – put a dummy file of that name in the way (i.e. create a small file bc/123kah.php). Saves the .htaccess call, and avoids server log/404 hits. Whether that ends up being less of a performance hit than htaccess, can’t really say…