websub spam attack

revision 9c4e5aa36a3d6737a2778c282b0315a4c359746d

README.rst

Spam attack on phubb, my websub server

  • 3500 URL update pings per minute (seconds 0-~20)
  • >1500 IP addresses
  • 33 countries

example URLs:

  • romareis dot nl/atom320756.xml
  • sunmit dot fr/atom243169.xml
  • machinesousvide dot be/atom336675.xml
  • airbnco dot fr/atom549642.xml

The feeds are valid Atom feeds and seem autogenerated.

The feed URLs themselves are dynamic (atom132248.xml, atom150088.xml, atom161840.xml, ...).

All URLs in these feeds go to "bt-fr-cl dot com" and a subpath (only when viewed in a browser, not with curl). This seems to be some tracking or ad link abuse.

countries.log

root@ahso4:~> grep '10/Sep/2025:07:27' /var/log/apache2/cweiske/phubb.cweiske.de-access.log|grep ' 400 '|cut -d' ' -f1|xargs -L1 geoiplookup|sed 's/GeoIP Country Edition: //' | sort | uniq -c|sort -n
      1 DK, Denmark
      1 TR, Turkey
      3 CZ, Czech Republic
      4 BR, Brazil
      6 BE, Belgium
      6 IP Address not found
      6 LV, Latvia
      7 AL, Albania
      8 FR, France
      8 PS, Palestinian Territory
      8 SG, Singapore
     10 RU, Russian Federation
     12 LT, Lithuania
     13 AM, Armenia
     13 ES, Spain
     13 PL, Poland
     17 BD, Bangladesh
     17 DE, Germany
     17 IT, Italy
     18 JP, Japan
     22 CL, Chile
     22 EU, Europe
     24 HK, Hong Kong
     31 SE, Sweden
     32 IN, India
     39 CA, Canada
     39 CN, China
     53 NL, Netherlands
     59 IR, Iran, Islamic Republic of
     64 RO, Romania
    123 UA, Ukraine
    311 GB, United Kingdom
   1000 US, United States
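
A per-minute view of the same kind of access-log data, as an added example that is not part of the original paste: it counts rejected (HTTP 400) requests per minute, the distinct client addresses behind them, and how many fall in seconds 0-20, the three traits noted in the README. It assumes Apache combined log format; the function names, thresholds and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag minutes in which many distinct clients were rejected
# with HTTP 400, reading an Apache combined-format access log on stdin.
# Output per flagged minute: minute, hits, distinct IPs, hits in seconds 00-20.
# The default thresholds are assumptions to tune, not values from the page.
burst_minutes() {
    min_hits=${1:-1000}   # minimum 400 responses within one minute
    min_ips=${2:-100}     # minimum distinct client addresses in that minute
    awk -v min_hits="$min_hits" -v min_ips="$min_ips" '
        $9 == "400" {
            minute = substr($4, 2, 17)       # e.g. 10/Sep/2025:07:27
            second = substr($4, 20, 2) + 0   # seconds part of the timestamp
            hits[minute]++
            if (second <= 20) early[minute]++
            # count each client address once per minute
            if (!((minute, $1) in seen)) { seen[minute, $1] = 1; ips[minute]++ }
        }
        END {
            for (m in hits)
                if (hits[m] >= min_hits && ips[m] >= min_ips)
                    printf "%s %d %d %d\n", m, hits[m], ips[m], early[m] + 0
        }' | sort
}

# Constructed sample log lines (documentation address ranges, not real clients).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Sep/2025:07:27:01 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
198.51.100.7 - - [10/Sep/2025:07:27:03 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
203.0.113.21 - - [10/Sep/2025:07:27:09 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
192.0.2.10 - - [10/Sep/2025:07:27:15 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
203.0.113.99 - - [10/Sep/2025:07:27:41 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
192.0.2.50 - - [10/Sep/2025:07:28:05 +0200] "POST / HTTP/1.1" 400 52 "-" "-"
192.0.2.51 - - [10/Sep/2025:07:28:30 +0200] "POST / HTTP/1.1" 202 0 "-" "-"
EOF
}

# Low thresholds so the small constructed sample produces a flagged minute.
sample_log | burst_minutes 3 3
```

On a real log, pipe the access log into `burst_minutes` with thresholds set above the hub's normal rate of rejected pings.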
 
