This is the IPaddress(37.59.164.208) calling a hacked script file on my server

5 pointsziggrat13y ago6 comments

37.59.164.208 - - [09/Nov/2012:00:31:55 -0600] "POST /scripts/wp-trackbacks9.php HTTP/1.1" 200 183 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 When i traced it i found the location as France and its going to Google homepage when i run it in the address bar. I'm unable to understand this and need your help HN.

6 comments

dexcs13y ago

It just a redirect to google:

< HTTP/1.1 200 OK < Server: nginx < Date: Fri, 09 Nov 2012 11:26:14 GMT < Content-Type: text/html < Connection: keep-alive < Content-Length: 97 < Last-Modified: Fri, 19 Oct 2012 14:01:40 GMT < Expires: Sat, 10 Nov 2012 11:26:14 GMT < Cache-Control: max-age=86400 < Cache-Control: private < Cache-Control: must-revalidate < Accept-Ranges: bytes < <html> <head> <meta http-equiv="refresh" content="0; url=http://www.google.com>; </head> </html>

ziggratOP13y ago

Thanks. This bot is using a old wordpress hack. How can this kind of thing be stopped? I dont mean stopping it after it happens, I mean getting the bot down, maybe like DDOS it or something.

xvolter13y ago

The easiest would be to modify your web server to reject requests to that URL. Therefore it no longer causes annoyances. However, if that URL is still being used, your best shot is to reject on a per-IP basis.

You cannot DDOS any server, a DDOS attack works primary on web servers, and the server it's coming from isn't likely to have a web server that matters, since it just redirects DDOSing would be nearly impossible to accomplish without a huge effort.

What may be easier is getting the website shutdown, if you trace the host provider or ISP you can file a claim and possibly get their connection or hosting turned off.

1 more reply

jmtucu13y ago

If you are using wordpress, install Mute Screamer to stops some attacks. It's very useful.

j / k navigate · click thread line to collapse