(no commit message)

diff --git a/README.rst b/README.rst
new file mode 100644 (file)
index 0000000..4f52c18
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,15 @@
+Spam attack on phubb, my websub server\r
+\r
+- 3500 URL update pings per minute (seconds 0-~20)\r
+- >1500 IP addresses\r
+- 33 countries\r
+\r
+example URLs:\r
+- romareis dot nl/atom320756.xml\r
+- sunmit dot fr/atom243169.xml\r
+- machinesousvide dot be/atom336675.xml\r
+- airbnco dot fr/atom549642.xml\r
+\r
+feeds are valid atom feeds and seem autogenerated\r
+\r
+all URLs in this feeds go to "bt-fr-cl dot com" and a subpath (only when viewed in a browser, not with curl). seems to be some tracking or ad link abuse.
\ No newline at end of file

diff --git a/countries.log b/countries.log
new file mode 100644 (file)
index 0000000..ceab6cc
--- /dev/null
+++ b/countries.log
@@ -0,0 +1,34 @@
+root@ahso4:~> grep '10/Sep/2025:07:27' /var/log/apache2/cweiske/phubb.cweiske.de-access.log|grep ' 400 '|cut -d' ' -f1|xargs -L1 geoiplookup|sed 's/GeoIP Country Edition: //' | sort | uniq -c|sort -n\r
+      1 DK, Denmark\r
+      1 TR, Turkey\r
+      3 CZ, Czech Republic\r
+      4 BR, Brazil\r
+      6 BE, Belgium\r
+      6 IP Address not found\r
+      6 LV, Latvia\r
+      7 AL, Albania\r
+      8 FR, France\r
+      8 PS, Palestinian Territory\r
+      8 SG, Singapore\r
+     10 RU, Russian Federation\r
+     12 LT, Lithuania\r
+     13 AM, Armenia\r
+     13 ES, Spain\r
+     13 PL, Poland\r
+     17 BD, Bangladesh\r
+     17 DE, Germany\r
+     17 IT, Italy\r
+     18 JP, Japan\r
+     22 CL, Chile\r
+     22 EU, Europe\r
+     24 HK, Hong Kong\r
+     31 SE, Sweden\r
+     32 IN, India\r
+     39 CA, Canada\r
+     39 CN, China\r
+     53 NL, Netherlands\r
+     59 IR, Iran, Islamic Republic of\r
+     64 RO, Romania\r
+    123 UA, Ukraine\r
+    311 GB, United Kingdom\r
+   1000 US, United States\r