FAS Talk

"When you go looking for anything at all, your chances of finding it are very good." -- Darryl Zero

April 02, 2008

Compromised WordPress Blogs Become an Army of Hacker Zombies

Somewhere in the shadowy underbelly of the Web, there is an intelligent, and slimy, hacker exploiting WordPress security holes.

I manage dozens of web servers, most of which run commercial advertorial sites such as blogsite.com.  Over the past few days, I had been noticing that my company site at myst-technology.com was periodically showing signs of traffic stress but that there was no apparent traffic increase (i.e., neither Google Analytics nor VisiStat were reporting increased activity.)

Then, yesterday, I happened to be looking at the real-time Apache server status for that site and I serendipitously noticed a bunch of POST requests to "/mysmartchannels/sign-up".  Aha!  Slime balls at play!

For years, we hosted a public MySmartChannels service that anyone could sign up for and use for free.  And, guess what the URL of the sign-up form was?  Yep, as it turns out, there is still someone out there trying to hack their way into a free service that is no longer available.  (Why would they do that?  I suppose to use the service anonymously for some nefarious purpose.)

Several years ago, I developed a web server security system called SlimeGate which has been protecting our servers from a wide-range of hackers and spammers.  Once I realized what was happening, it was a trivial matter to augment the SlimeGate rule set to detect and block these "sign-up" probes.

It's now been about 14 hours since I deployed the rule updates and in that time, SlimeGate has identified and blocked 181 unique servers (i.e., IP addresses) attempting this probe. [21 Apr 2008, fas: as of today, we're up to 828 unique servers.]

SlimeGate maintains a database of slime balls, making it easy to analyze patterns and trends.  Looking at these 181 new entries revealed that all but two were WordPress servers as identified by their user agent string of "Incutio XML-RPC -- WordPress/<version>".  Of course, user agent strings are easily spoofed, so to confirm, I randomly selected 25 of the 181 IP addresses and actually visited them with a web browser.  Of these, 18 were confirmed WordPress sites, five presented a generic Apache server page, and two were unreachable.
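The analysis described above (spot the POST probes to the sign-up URL, count unique source IPs, and tally which ones announce themselves with the "Incutio XML-RPC -- WordPress/<version>" user agent) can be reproduced directly from an Apache access log. The script below is an added example, not SlimeGate's code or anything from the original post: it assumes the log is in Apache's combined format, and the five log lines embedded in it are constructed for illustration (RFC 5737 documentation addresses, made-up timestamps and versions). Only the probe path and the user-agent prefix come from the post.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2008:14:02:11 -0400] "POST /mysmartchannels/sign-up HTTP/1.0" 404 512 "-" "Incutio XML-RPC -- WordPress/2.3.3"
203.0.113.10 - - [01/Apr/2008:14:02:15 -0400] "POST /mysmartchannels/sign-up HTTP/1.0" 404 512 "-" "Incutio XML-RPC -- WordPress/2.3.3"
198.51.100.7 - - [01/Apr/2008:14:02:20 -0400] "POST /mysmartchannels/sign-up HTTP/1.0" 404 512 "-" "Incutio XML-RPC -- WordPress/2.5"
192.0.2.44 - - [01/Apr/2008:14:03:01 -0400] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
192.0.2.99 - - [01/Apr/2008:14:03:40 -0400] "POST /mysmartchannels/sign-up HTTP/1.0" 404 512 "-" "curl/7.18.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The retired sign-up form URL that the probes keep POSTing to (from the post).
PROBE_PATH = "/mysmartchannels/sign-up"

# User agent prefix sent by WordPress's bundled Incutio XML-RPC client (from the post).
WP_AGENT_RE = re.compile(r"^Incutio XML-RPC -- WordPress/(?P<version>\S+)")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text, probe_path=PROBE_PATH):
    """Return {ip: {"requests": n, "wordpress_version": v or None}} for POSTs to probe_path."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != probe_path:
            continue
        entry = hits.setdefault(rec["ip"], {"requests": 0, "wordpress_version": None})
        entry["requests"] += 1
        m = WP_AGENT_RE.match(rec["agent"])
        if m:
            # Self-reported only: the post notes that user agents are easily spoofed,
            # so this is a lead for manual confirmation, not proof of a WordPress host.
            entry["wordpress_version"] = m.group("version")
    return hits


def summarize(hits):
    """Roll the per-IP table up into the headline numbers from the post's analysis."""
    wordpress_ips = sum(1 for e in hits.values() if e["wordpress_version"])
    return {
        "unique_ips": len(hits),
        "total_requests": sum(e["requests"] for e in hits.values()),
        "wordpress_ips": wordpress_ips,
        "other_ips": len(hits) - wordpress_ips,
    }


def block_candidates(hits, min_requests=1):
    """Sorted list of source IPs that sent at least min_requests probes (input for a firewall rule)."""
    return sorted(ip for ip, e in hits.items() if e["requests"] >= min_requests)


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, entry in sorted(probes.items()):
        print(f"{ip:15} {entry['requests']:3d} probes  WordPress={entry['wordpress_version']}")
    print(summarize(probes))
    print("block:", block_candidates(probes))
```

On a real server you would read the access log instead of `SAMPLE_LOG`; the per-IP table is what feeds a block list, and the `wordpress_version` column is what you would sample by hand, as the post does, before treating a source as a compromised blog rather than a spoofed agent.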

The bottom line is that it appears that there are hundreds of compromised WordPress servers running some type of zombie processes on behalf of hackers.

Armed with the new data collected by SlimeGate, I was able to revisit the server loading issue.  I found that in the previous 96 hours, these compromised WordPress blogs had generated over 200,000 unwanted requests!

I'm not quite sure the best way to notify the compromised site owners.  But from my end, SlimeGate is nicely managing the problem, deflecting this new class of slime at the firewall.
