From 518759d95b827ddedcef3726a187d3ea29a30d7f Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Wed, 10 Sep 2025 07:36:58 +0200 Subject: [PATCH 1/1] --- README.rst | 15 +++++++++++++++ countries.log | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 README.rst create mode 100644 countries.log diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..4f52c18 --- /dev/null +++ b/README.rst @@ -0,0 +1,15 @@ +Spam attack on phubb, my websub server + +- 3500 URL update pings per minute (seconds 0-~20) +- >1500 IP addresses +- 33 countries + +example URLs: +- romareis dot nl/atom320756.xml +- sunmit dot fr/atom243169.xml +- machinesousvide dot be/atom336675.xml +- airbnco dot fr/atom549642.xml + +feeds are valid atom feeds and seem autogenerated + +all URLs in this feeds go to "bt-fr-cl dot com" and a subpath (only when viewed in a browser, not with curl). seems to be some tracking or ad link abuse. \ No newline at end of file diff --git a/countries.log b/countries.log new file mode 100644 index 0000000..ceab6cc --- /dev/null +++ b/countries.log @@ -0,0 +1,34 @@ +root@ahso4:~> grep '10/Sep/2025:07:27' /var/log/apache2/cweiske/phubb.cweiske.de-access.log|grep ' 400 '|cut -d' ' -f1|xargs -L1 geoiplookup|sed 's/GeoIP Country Edition: //' | sort | uniq -c|sort -n + 1 DK, Denmark + 1 TR, Turkey + 3 CZ, Czech Republic + 4 BR, Brazil + 6 BE, Belgium + 6 IP Address not found + 6 LV, Latvia + 7 AL, Albania + 8 FR, France + 8 PS, Palestinian Territory + 8 SG, Singapore + 10 RU, Russian Federation + 12 LT, Lithuania + 13 AM, Armenia + 13 ES, Spain + 13 PL, Poland + 17 BD, Bangladesh + 17 DE, Germany + 17 IT, Italy + 18 JP, Japan + 22 CL, Chile + 22 EU, Europe + 24 HK, Hong Kong + 31 SE, Sweden + 32 IN, India + 39 CA, Canada + 39 CN, China + 53 NL, Netherlands + 59 IR, Iran, Islamic Republic of + 64 RO, Romania + 123 UA, Ukraine + 311 GB, United Kingdom + 1000 US, United States -- 2.30.2
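Review bot: In README.rst, "33 countries" matches the 33 rows in countries.log, but two of those rows are "IP Address not found" and "EU, Europe", so the log supports 31 identifiable countries. Please correct the figure or say that it includes unresolved and region-only lookups. Two formatting points in the same hunk: the list after "example URLs:" has no blank line before its first item, so reStructuredText will render it as one paragraph, and the first line has no underline, so it will not render as a title. "all URLs in this feeds" should read "these feeds", and the file ends without a trailing newline.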
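Review bot: In countries.log, the pipeline passes every matching log line to geoiplookup without de-duplicating the addresses first, so the counts are requests per country, not distinct IP addresses per country, and the file does not say which. The rows add up to 2007 for the minute 07:27, which matches neither the "3500 URL update pings per minute" nor the ">1500 IP addresses" in README.rst. Please add a line stating what is counted, and insert "sort -u" after the cut if distinct addresses are intended. Also, grep ' 400 ' matches any space-delimited 400 in the line, for example a response size of 400 bytes; comparing the status field directly (awk '$9 == 400' for the combined log format) would be stricter.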