Excessive Resource Usage by Replica Spam

Chinese replica spam campaigns aim for large number of doorways per infected site. And quite often their doorways are static, which means hundreds of thousands created .html files.

Last year the most popular approach was creating several directories with meaningless names with 10-30 thousand doorways in each. This year we began noticing a new modification that creates only one doorway file (content.php) per directory, but the number of such spammy directories may be staggering. For example, on a site that had been compromised for at least three months (it easy to tell as the directory names are time stamps such as 20160112123901 or 20160123165028), the hackers created over 200,000 such directories.

As you might imagine, not all shared hosts may properly manage such large numbers of files. In some cases, this leads to exceeding account inode quota. Even a simple ls command may become a problem. Here’s the warning that you may see on a DreamHost server when you execute the ls command in a directrory with too many spammy subdirectories.

$ ls -l | wc -lYikes! One of your processes (ls, pid 21519) was just killed for excessive resource usage.Please contact DreamHost Support for details.208897

Don’t wait until hackers cause serious problems. Add security monitoring and protection to your site.