This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all requests went to the non-existent /bc/123kah.php.
The payload was an array that looked like this:
Array
(
    [showed] =>
    [clicked] =>
    [version] => 2.6.2.4
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)
So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.
The traffic was never overwhelming but I decided to put a stop to it with a simple
deny from all
in a .htaccess file. Much better than having WordPress serve up a 404 page.
I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)
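A log check for the pattern described in this post (POST requests from many different addresses to a path that does not exist), as an added example that is not part of the original post. It assumes the Apache combined log format; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2010:16:22:38 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [22/Feb/2010:16:22:41 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
203.0.113.99 - - [22/Feb/2010:16:22:45 +0000] "POST /bc/123kah.php HTTP/1.0" 404 512 "-" "-"
192.0.2.10 - - [22/Feb/2010:16:23:02 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
192.0.2.55 - - [22/Feb/2010:16:23:10 +0000] "GET /missing.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Feb/2010:16:23:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that is not a log entry
"""


def stray_post_targets(log_text, min_clients=3, statuses=("403", "404")):
    """Return {path: (hits, distinct_clients)} for POSTs answered with a
    403/404 that arrived from at least min_clients different addresses."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Skip unparseable lines, non-POST requests and successful responses.
        if not m or m["method"] != "POST" or m["status"] not in statuses:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        hits[path] += 1
        clients[path].add(m["ip"])
    return {
        p: (hits[p], len(clients[p]))
        for p in hits
        if len(clients[p]) >= min_clients
    }


if __name__ == "__main__":
    for path, (n, c) in sorted(stray_post_targets(SAMPLE_LOG).items()):
        print(f"{path}: {n} POSTs from {c} distinct clients")
```

Including 403 in the matched statuses keeps the path visible in the report after a deny rule replaces the 404.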
4 replies on “Gooochi talks to /bc/123kah.php”
More info:
http://www.f-secure.com/sw-desc/adware_w32_adrotator_gen.shtml
http://www.google.com/search?q=123kah.php
Wow, interesting site … The Hidden Rage of Donncha O’ Caoimh 🙂
Haha, I took it on from the original admin who wasn’t going to maintain it. Didn’t want the domain passing into spammer’s hands!
When it happens to me I’ve tried a quick remedy – put a dummy file of that name in the way (i.e. create a small file bc/123kah.php). Saves the .htaccess call, and avoids server log/404 hits. Whether that ends up being less of a performance hit than htaccess, can’t really say…