Malicious bots sending as the HTTP referer

I’ve received a few hundred requests originating from bots setting as their referrer. These requests are scanning for compromised WordPress installations and PHP-based shells and backdoors. The attacking IPs belong to compromised hosts and websites from service providers around the world.
Probes using as the HTTP referer.

Who owns

The host is currently unavailable, but according to the Internet Archive it was previously running a news portal credited to a company named Inforos. The domain has WHOIS privacy enabled, so no further information was available regarding its owner. However, the current nameserver records for do still show a connection to Inforos.

dig ns +short

Why send a fake HTTP referer?

The technique is a form of spamdexing known as referrer spam, and it’s used to drive large volumes of traffic to a specific URL or domain. However, the advertising benefit of attaching your domain to this kind of hostile activity seems dubious at best. It’s entirely plausible that someone unrelated to the domain is behind the traffic.

Thanks for all the fish

Anyhow, my favorite bots are always those that uniquely identify themselves. Let’s simply use the HTTP referer to block every single one of these requests.

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Answer 403 Forbidden (no redirect, since R=403 is outside the 3xx range) when the Referer contains the spam domain
  RewriteCond %{HTTP_REFERER} site\.ru [NC]
  RewriteRule ^(.*)$ - [L,R=403]
</IfModule>

A list of IP addresses from the offending hosts is available here.
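As an added example (not code from the original post), the same referer check applied to access-log lines instead of in .htaccess: it parses Apache combined-format lines, keeps only requests whose Referer matches the spam pattern, and tallies the source IPs and probed paths, which is how a list of offending hosts like the one above can be produced. The log lines are constructed samples and `site.ru` stands in for the spam domain, as in the rewrite rule.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Placeholder spam-domain pattern, matched case-insensitively like the [NC] rewrite condition.
REFERER_PATTERN = re.compile(r'site\.ru', re.IGNORECASE)

# Constructed sample access-log lines (not real traffic) in Apache combined format.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "http://site.ru/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/shell.php HTTP/1.1" 404 209 "http://SITE.ru/news" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /cmd.php HTTP/1.1" 404 209 "http://site.ru/" "curl/7.68.0"
192.0.2.5 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "https://example.org/" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:13 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_spam_report(log_text, pattern=REFERER_PATTERN):
    """Return (requests per source IP, requests per probed path) for lines whose Referer matches pattern."""
    hits_per_ip = Counter()
    probed_paths = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not pattern.search(rec["referer"]):
            continue  # unparseable line or a legitimate referer: not part of the scan
        hits_per_ip[rec["ip"]] += 1
        probed_paths[rec["path"]] += 1
    return hits_per_ip, probed_paths

if __name__ == "__main__":
    ips, paths = referer_spam_report(SAMPLE_LOG)
    print("Offending IPs:")
    for ip, n in ips.most_common():
        print(f"  {ip}  {n} request(s)")
    print("Probed paths:", dict(paths))
```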

Thank you for reading!