
My server was compromised last year and a phishing site was uploaded. It was detected and removed within a few days. A year later I'm still getting huge volumes of traffic to the dodgy URL on my server http://myipaddress/www.bankofamerica.com/ which means my log files are filling up very quickly. What's the best way to handle this unwanted traffic?

A blank holding page would mean they wouldn't get a 404 error so that idea wouldn't help.

Also, one of my IPs is blacklisted after being used in the phishing attack. I don't use this IP so what's the best thing to do, can I disable it? Should I disable it? Just after people's thoughts.

MikeyB
3 Answers


Since you've given no indication of the hardware and OS you're working with, I will give you the general advice to just firewall the packets. The traffic is of no value to you, so why should you even let it put a load on your webserver? You have no obligation to return a 404, nor will it serve a purpose.

Due to a similar issue I've been sending back 404's on a URL for about 7 years now, and I still receive hits. Don't bother.

If you're using a Linux based server, you can use the IPTables firewall for this. You should enable string matching support (most likely it's already enabled, so just try) and use parameters such as the following to match a string to all tcp packets to port 80 on your input chain:

# Match the phishing hostname anywhere in the payload of TCP packets to port 80
# (Boyer-Moore search) and reject them before the web server sees the request.
iptables -I INPUT -p tcp --dport 80 -s 0.0.0.0/0 \
  -m string --string "www.bankofamerica.com" --algo bm -j REJECT

For the purpose of letting the incoming traffic know that you're not accepting it, I would suggest using the REJECT policy instead of DROP, since REJECT sends back an error packet.

Martijn Heemels

You should set up a robots.txt to disallow indexing of the whole directory/vhost so it hopefully becomes removed from indexes following the standards.

Additionally you could answer with an HTTP 410 Gone header, see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Redirect all GET and POST requests to this single header reply and send no further content.

I'm pretty sure you can also disable logging on that particular resource and instruct the webserver to use bandwidth/connection limiting to keep traffic low.

hurikhan77
  • The answer with the iptables solution also looks interesting but I wonder if this could pile up half-open connections on your webserver as it lets the connection handshake come through and then just drops the connection before apache notices... Could that be? – hurikhan77 Sep 07 '09 at 21:35

Off topic:

I'd almost be inclined to toss up a Google Adwords page or redirect that traffic somehow. See if you can't make a few bucks off it.

Aside from that, you should be able to configure your system not to log that particular site/page. If all else fails, IPTABLES (assuming Linux here) to check for a string then DROP or REJECT the packet.

I'd also take a look to see WHERE the traffic is coming from and see if I couldn't do something to stop it at the source.

KPWINC
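The second and third answers both suggest answering the old phishing path with 410 Gone and keeping it out of the access log. The fragment below is an added example of how to do that in Apache httpd (2.2 or 2.4); it is not part of the original thread. The path is the one from the question; the log file location and the env variable name phishing_path are assumptions, so adjust them to your vhost.

```apache
# Added example (not from the original thread). Drop this into the vhost or
# httpd.conf that serves the affected IP. Path and log location are assumptions.

# Mark every request whose URI begins with the old phishing path. Request_URI
# is matched against the path on the request line, so the regex is anchored
# at the leading slash.
SetEnvIf Request_URI "^/www\.bankofamerica\.com/" phishing_path

# Answer those requests with 410 Gone instead of 404. RedirectMatch with a
# status of 410 takes no target URL; Apache then serves its error document,
# so a short ErrorDocument string keeps the response body to a few bytes.
RedirectMatch 410 "^/www\.bankofamerica\.com/"
ErrorDocument 410 "Gone"

# Keep the access log clean: log everything except the marked requests.
# Replace the existing CustomLog line for this vhost with this one.
CustomLog /var/log/apache2/access.log combined env=!phishing_path
```

Note the trade-off against the iptables approach in the first answer: each of these requests still completes a TCP handshake, is parsed by Apache and occupies a worker slot for the duration of the response, so this keeps the logs small but does not remove the load; rejecting the packets in the firewall does.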