Raw Look At The Trackback Attack

Now that I’ve weathered the storm and the attacks have subsided for now, I think it would be good to share with you what my raw access log files looked like during that day to see the distributed denial of service in action. Thanks to Kim Parsell, I was able to rename the raw access log file into a text file so I could examine it within NotePad++. Since a large amount of trackbacks were aimed at the backup buddy review I published, I performed a search in the log file for that post. Here is a sample of what I saw.

I’ve opted to use a screenshot instead of text as to not link to any of the sites within the log file. As you can see via the screenshot, the Backup Buddy post was being loaded every few minutes by one IP address. While I did receive a large number of trackbacks from a variety of websites, the log file clearly indicates that at least one IP address was the major culprit. It’s also interesting to note that this one IP address hosted different domains as you can see on the right. Those URLs on the right hand side were the ones generating the trackbacks. This makes me think that IP address is hosting a good sized splog network.

The two files that were blamed for sucking up resources on the shared server I was on, XMLRPC.php and Index.php are shown multiple times being accessed by a variety of IP addresses, not just the one shown in the first screenshot. This is where I think the attack was more distributed in nature.

What angers me is the fact that AnHosting, my original hosting provider of 3 years told me that they had an Automated Firewall System in place but because of the distributed nature of the attack coming from multiple IP addresses, they couldn’t tell what was legitimate traffic versus illegitimate. Their automated firewall must be broken because it should have blocked that IP address shown in the first screenshot.

None the less, I’m currently on HostGator now with WP-Super Cache installed. I just can’t help but think with a little more help from AnHosting, I wouldn’t have had to go through webhosting hell. But they operate on a three strikes rule with suspended sites. Once you hit the third strike, they do not lift the suspension of the site. Since I was on my second strike, I had to leave.


4 responses to “Raw Look At The Trackback Attack”

  1. Always delete xmlrpc.php immediately from virtually all WP installs.
    It’s responsible for several of the security issues with WP over the years, and it also allows unlimited password attempts. You can live without the mostly spam trackbacks for the safety of it being gone.

    If you are on a dedicated or VPS (and you should be) I highly recommend the (free) configserver firewall http://configserver.com/cp/csf.html – it’s not just for cpanel anymore and it’s extremely good about blocking too many connections.

    Last but not least when you can’t solve a ddos, replace apache with something like litespeed which is a drop in replacement (uses httpd.conf and .htaccess files directly unlike nginx). There is a free version and it can weather a ddos when apache would be long dead. Even automattic uses litespeed to this very day.

  2. Ah…some of us *use* xml-rpc, which you need for offline editors like Windows Live Writer. I’ve been using it for years, and never come in for the kind of attack that hit Jeffro, which seems to have been bad luck as much as anything. (Well, that and lack of eptitude from his host.)

    Jeff, any idea who resides at that IP address or owns those domains? A competent hacker would be hiding several jumps back, and not likely traceable, but whoever it is deserves a smackdown.

  3. @_ck_

    Even automattic uses litespeed to this very day.

    I’m pretty sure that they switched to nginx in early 2008.

    There is a free version …

    No, there is a 15-day free trial. Then you get mugged.

    … and it can weather a ddos when apache would be long dead.

    Modern versions of Apache are fine if properly configured.

    HOWEVER, the whole discussion is pretty ridiculous, it only promotes the fantasy that you can have any control at all when you share a server with tens of thousands of people you don’t know.

  4. donnacha, I assure you, many automattic servers are still running LiteSpeed and it’s easy to prove based on certain responses to certain queries.

    There is no 15-day timeout on the free version of Litespeed, only the commercial version. The free version has a limit of 5 httpd.conf accounts and 100 simultaneous connections (1500 can be queued). It’s definitely not for everyone but something to try when a site outgrows apache.

    If starting from scratch I would definitely use nginx, but if you need a drop in apache replacement that can be done in less than an hour, use litespeed. It’s literally doubles the capacity of any server that was using apache. I am not a fan of the commercial price tag and I hope they feel the pressure from open source alternatives over time to reduce that.

    I do agree with you that shared hosting is a bad idea for any larger site. The wrong VPS environment can be just as bad because it’s a complete lie you are isolated from neighbors on the node. But not everyone can afford dedicated so the right VPS is a good solution.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.