{"type":"rich","version":"1.0","provider_name":"phorkie","provider_url":"https:\/\/p.cweiske.de\/","title":"websub spam attack","author_name":"Christian Weiske","cache_age":86400,"width":900,"height":900,"html":"<!-- embedding all files of https:\/\/p.cweiske.de\/932 -->\n<link rel=\"stylesheet\" href=\"https:\/\/p.cweiske.de\/css\/embed.css\"\/>\n<div class=\"phork\" id=\"932\">\n    <div class=\"phork-file\">\n <div class=\"phork-content\">\n  \n<div class=\"document\">\n\n\n<p>Spam attack on phubb, my websub server<\/p>\n<ul class=\"simple\">\n<li>3500 URL update pings per minute (seconds 0-~20)<\/li>\n<li>&gt;1500 IP addresses<\/li>\n<li>33 countries<\/li>\n<\/ul>\n<p>example URLs:<\/p>\n<ul class=\"simple\">\n<li>romareis dot nl\/atom320756.xml<\/li>\n<li>sunmit dot fr\/atom243169.xml<\/li>\n<li>machinesousvide dot be\/atom336675.xml<\/li>\n<li>airbnco dot fr\/atom549642.xml<\/li>\n<\/ul>\n<p>feeds are valid atom feeds and seem autogenerated<\/p>\n<p>feed URLs themselves are dynamic (atom132248.xml, atom150088.xml, atom161840.xml, ...)<\/p>\n<p>all URLs in this feeds go to &quot;bt-fr-cl dot com&quot; and a subpath (only when viewed in a browser, not with curl). seems to be some tracking or ad link abuse.<\/p>\n<\/div>\n\n <\/div>\n <div class=\"phork-meta\">\n  <a href=\"https:\/\/p.cweiske.de\/932\/rev-raw\/9c4e5aa36a3d6737a2778c282b0315a4c359746d\/README.rst\" style=\"float: right\">view raw source<\/a>\n  <a href=\"https:\/\/p.cweiske.de\/932#README.rst\">README.rst<\/a>\n <\/div>\n<\/div>\n    <div class=\"phork-file\">\n <div class=\"phork-content\">\n  <style type=\"text\/css\"><\/style><div class=\"code\"><table class=\"log\"><tbody><tr class=\"li1\"><td class=\"ln\"><pre class=\"de1\">1\n2\n3\n4\n5\n6\n7\n8\n9\n10\n11\n12\n13\n14\n15\n16\n17\n18\n19\n20\n21\n22\n23\n24\n25\n26\n27\n28\n29\n30\n31\n32\n33\n34\n35\n<\/pre><\/td><td class=\"de1\"><pre class=\"de1\">root@ahso4:~&gt; grep '10\/Sep\/2025:07:27' \/var\/log\/apache2\/cweiske\/phubb.cweiske.de-access.log|grep ' 400 '|cut -d' ' -f1|xargs -L1 geoiplookup|sed 's\/GeoIP Country Edition: \/\/' | sort | uniq -c|sort -n\r\n&#160; &#160; &#160; 1 DK, Denmark\r\n&#160; &#160; &#160; 1 TR, Turkey\r\n&#160; &#160; &#160; 3 CZ, Czech Republic\r\n&#160; &#160; &#160; 4 BR, Brazil\r\n&#160; &#160; &#160; 6 BE, Belgium\r\n&#160; &#160; &#160; 6 IP Address not found\r\n&#160; &#160; &#160; 6 LV, Latvia\r\n&#160; &#160; &#160; 7 AL, Albania\r\n&#160; &#160; &#160; 8 FR, France\r\n&#160; &#160; &#160; 8 PS, Palestinian Territory\r\n&#160; &#160; &#160; 8 SG, Singapore\r\n&#160; &#160; &#160;10 RU, Russian Federation\r\n&#160; &#160; &#160;12 LT, Lithuania\r\n&#160; &#160; &#160;13 AM, Armenia\r\n&#160; &#160; &#160;13 ES, Spain\r\n&#160; &#160; &#160;13 PL, Poland\r\n&#160; &#160; &#160;17 BD, Bangladesh\r\n&#160; &#160; &#160;17 DE, Germany\r\n&#160; &#160; &#160;17 IT, Italy\r\n&#160; &#160; &#160;18 JP, Japan\r\n&#160; &#160; &#160;22 CL, Chile\r\n&#160; &#160; &#160;22 EU, Europe\r\n&#160; &#160; &#160;24 HK, Hong Kong\r\n&#160; &#160; &#160;31 SE, Sweden\r\n&#160; &#160; &#160;32 IN, India\r\n&#160; &#160; &#160;39 CA, Canada\r\n&#160; &#160; &#160;39 CN, China\r\n&#160; &#160; &#160;53 NL, Netherlands\r\n&#160; &#160; &#160;59 IR, Iran, Islamic Republic of\r\n&#160; &#160; &#160;64 RO, Romania\r\n&#160; &#160; 123 UA, Ukraine\r\n&#160; &#160; 311 GB, United Kingdom\r\n&#160; &#160;1000 US, United States\r\n&#160;<\/pre><\/td><\/tr><\/tbody><\/table><\/div>\n <\/div>\n <div class=\"phork-meta\">\n  <a href=\"https:\/\/p.cweiske.de\/932\/rev-raw\/9c4e5aa36a3d6737a2778c282b0315a4c359746d\/countries.log\" style=\"float: right\">view raw source<\/a>\n  <a href=\"https:\/\/p.cweiske.de\/932#countries.log\">countries.log<\/a>\n <\/div>\n<\/div>\n<\/div>\n"}