This is the IPaddress(37.59.164.208) calling a hacked script file on my server

[ziggrat]

37.59.164.208 - - [09/Nov/2012:00:31:55 -0600] "POST /scripts/wp-trackbacks9.php HTTP/1.1" 200 183 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 When i traced it i found the location as France and its going to Google homepage when i run it in the address bar. I'm unable to understand this and need your help HN.

[dexcs]

It just a redirect to google:

< HTTP/1.1 200 OK < Server: nginx < Date: Fri, 09 Nov 2012 11:26:14 GMT < Content-Type: text/html < Connection: keep-alive < Content-Length: 97 < Last-Modified: Fri, 19 Oct 2012 14:01:40 GMT < Expires: Sat, 10 Nov 2012 11:26:14 GMT < Cache-Control: max-age=86400 < Cache-Control: private < Cache-Control: must-revalidate < Accept-Ranges: bytes < <html> <head> <meta http-equiv="refresh" content="0; url=http://www.google.com>; </head> </html>

[ziggrat]

Thanks. This bot is using a old wordpress hack. How can this kind of thing be stopped? I dont mean stopping it after it happens, I mean getting the bot down, maybe like DDOS it or something.

[xvolter]

The easiest would be to modify your web server to reject requests to that URL. Therefore it no longer causes annoyances. However, if that URL is still being used, your best shot is to reject on a per-IP basis.

You cannot DDOS any server, a DDOS attack works primary on web servers, and the server it's coming from isn't likely to have a web server that matters, since it just redirects DDOSing would be nearly impossible to accomplish without a huge effort.

What may be easier is getting the website shutdown, if you trace the host provider or ISP you can file a claim and possibly get their connection or hosting turned off.

[bmelton]

I don't mean to seem critical, but

1) it would be slightly better to DROP requests to the URL than to reject them and

2) you can DDOS plenty of other servers besides web servers. You're right of course that there likely isn't a server attached to the IP address (though you could likely tie up at least the one thread with programmatic recursion / redirects), but DDOSing isn't particular to web servers at all.

[xvolter]

No, but DDOSing does require an open listener - the most common and easiest is a web server. If whoever is trying to use some old Wordpress hacks is smart, however likely that is, he/she would not have a ton of ports open.

You can also drop requests if per-IP if you are setup on a web provider that has a hardware firewall, but I do not know your setup, so my recommendation was one that would work anywhere.

[jmtucu]

If you are using wordpress, install Mute Screamer to stops some attacks. It's very useful.