RO Been DDOS'ed


Galt, thanks so much for your efforts…AND money! (If I had ANY extra, I’d share! You’ve certainly done enough sharing w/us!)

I’m sure you, mods, etc., noticed that four people who look much like bots are trying to register as of this moment.
What a headache!
Thanks, again.

Oops, now 6. I don’t envy you your ‘job’, Galt.


Most of the attacks appear to come from the following networks. It was using a common WordPress RPC vulnerability in remote sites to cause them to DDoS our server.

These IPs appear to have triggered many of the RPC calls to vulnerable WP sites:
ecatel Netherlands Netherlands

Netherlands neighborhood IP



I hope I’ll have more time to analyze the logs and pin the tail on the donkey.
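One way to do the log analysis described in the post above, as an added example that is not part of the original post or the site's own tooling: it tallies which WordPress sites relayed pingback verification requests and which IPs triggered them. It assumes Apache/nginx combined log format and the User-Agent WordPress sends on pingback verification (newer releases append `verifying pingback from <IP>`); all addresses and hostnames in the sample are constructed.

```python
import re
from collections import Counter

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
# Pingback verification UA: WordPress/<ver>; <site URL>[; verifying pingback from <IP>]
UA_RE = re.compile(r'^WordPress/([\d.]+); (https?://[^;\s]+)'
                   r'(?:; verifying pingback from ([0-9a-fA-F:.]+))?$')

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Apr/2014:19:20:01 +0000] "GET /index.php HTTP/1.0" 200 5120 "-" "WordPress/3.9; http://blog-a.example; verifying pingback from 203.0.113.7"
198.51.100.11 - - [10/Apr/2014:19:20:01 +0000] "GET /index.php HTTP/1.0" 200 5120 "-" "WordPress/3.9; http://blog-b.example; verifying pingback from 203.0.113.7"
198.51.100.10 - - [10/Apr/2014:19:20:02 +0000] "GET /index.php HTTP/1.0" 200 5120 "-" "WordPress/3.9; http://blog-a.example; verifying pingback from 203.0.113.8"
198.51.100.12 - - [10/Apr/2014:19:20:02 +0000] "GET /index.php HTTP/1.0" 200 5120 "-" "WordPress/3.5.1; http://blog-c.example"
192.0.2.55 - - [10/Apr/2014:19:20:03 +0000] "GET /forum/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is truncated and must be skipped
"""

def summarize(lines):
    """Return (reflectors, triggers, unattributed) for pingback-style requests.

    reflectors: Counter keyed by (client IP, WordPress site URL)
    triggers:   Counter keyed by the IP the reflector says requested the pingback
    unattributed: pingback requests from older versions that name no trigger IP
    """
    reflectors, triggers, unattributed = Counter(), Counter(), 0
    for line in lines:
        entry = LOG_RE.match(line.strip())
        if not entry:
            continue  # malformed or truncated line
        client_ip, user_agent = entry.groups()
        ua = UA_RE.match(user_agent)
        if not ua:
            continue  # ordinary browser or crawler traffic
        _version, site, trigger_ip = ua.groups()
        reflectors[(client_ip, site)] += 1
        if trigger_ip:
            triggers[trigger_ip] += 1
        else:
            unattributed += 1
    return reflectors, triggers, unattributed

if __name__ == "__main__":
    refl, trig, unattr = summarize(SAMPLE_LOG.splitlines())
    print("reflecting sites:", refl.most_common())
    print("trigger IPs (self-reported by the reflector):", trig.most_common())
    print("pingback requests with no trigger IP:", unattr)
```

The User-Agent is supplied by the requester, so the counts are a lead to confirm against network data, not proof of origin.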


Good luck, Galt. No doubt you’ve got a life, too, and really are entitled to it.


It is nice to know that my electronic contraption had not gone belly up or that its operator had not messed up. For that info I thank all and especially WIJG.


More than 162,000 WordPress sites used in DDoS attack

How the attack was carried out.

Thanks, everyone, for your patience and support.


[quote=“Volk, post:37, topic:43330”]
Easy. Someone controls a network capable of effectively DDoSing a site, advertises that service with rates and all, and business owners pay to have competitors’ sites taken down. Of course this isn’t the case with sites targeted for political purposes but I’m giving an example.

It’s very easy to find such services (and not only) pretty cheap on the Russian clearweb, I would imagine the situation is similar in China. In the West you probably have to delve into the deep web if you want something like that.

About 3 years ago in Russia you could pay approximately the equivalent of $85 to gain access to an email account. As proof of work you send a message to the target email, the service provider reads it back to you, then you pay and get the account password once the payment goes through.

Just looked up an example DDoS service on (Russian site where you can buy anything ranging from ex-USSR police/civil service databases to DDoS/other hacking services to counterfeit passports to stolen credit card information to details of a phone number’s incoming/outgoing calls/sms [a favorite of spouses who suspect their other half of being disloyal]… you get the point), DDoS rates start at $50 per day (rates vary based on the durability of the target server, discounts for “wholesale” orders and frequent customers).

It’s unethical, but a very easy and safe way to make money if you have the skills required to set up an effective botnet. I say safe because now it’s very easy to pay anonymously so that the money is not easily traceable neither to the customer nor the service provider. Virtual currencies have been around forever and now with bitcoins/litecoins etc it’s basically impossible to trace the flow of funds if even minimal precautions are taken. Buy some bitcoins from a private reseller, “mix” them through a couple different addresses at no extra cost except an optional minuscule transaction fee, and then on to the destination they go.

Check what IP addresses your accounts have been logged into from, some of you may be surprised…
[/quote] are you talking about checking the event log on one’s computer and then the ip’s of all log-ons?

as far as my own ip goes, it puts me in grand rapids where I’ve never been but I guess my at&t server is there? one of the weather sites always wants to give me the weather for potwin, Kansas, no matter how many times I change it to Houghton, Michigan.


[quote=“ClassicalTeacher, post:10, topic:43330”]
Who would want to do something like that? I never understood why someone would create a computer virus to cause peoples’ computers and business computers to be rendered unusable or having to be cleaned out at great cost to the owner. What kind of sick mind would find that kind of thing a fun thing to do?
[/quote]There are many reasons, and some in this thread have articulated some of them.

But one that I don’t think has been mentioned is . . . BRAGGING RIGHTS.

There is a whole subculture of malware writers that do these things JUST TO ENHANCE THEIR STATURE AMONG THEIR ASSOCIATES in the subculture. They have THEIR OWN FORUMS, and it’s not uncommon to see a post by, say, “HackerDude” that “I successfully DDoSed/SQL Injected/Penetrated/Defaced over XXXX sites today. Can anybody beat that?”

These . . . “people” . . . are “approval starved” and the only place they can massage their egos is within that subculture.

I have no idea if the culprit(s) that did this was/were in that group, nor do I know how large that group is, but I DO know they exist.


[quote=“Maylar, post:30, topic:43330”]
I never click links from inside eMails unless I was expecting said eMail for a specific purpose. Too much chance of getting attacked otherwise.
[/quote]That’s definitely a “Security Best Practice”: Security Best Practices . . . - Tech Support Guy


[quote=“Volk, post:37, topic:43330”]
It’s very easy to find such services (and not only) pretty cheap on the Russian clearweb
[/quote]No offense intended to you personally, Volk, but the Russian “Mob” does a lively cybercrime business:

Russian cybercriminals earned $4.5 billion in 2011 - Computerworld

However, one thing to note in this article is that there is a difference between “Russian speaking” crooks and “in country” crooks:

In the report, Group-IB differentiates between cybercriminals living in Russia and Russian-speaking cybercriminals, who include citizens of the countries of the former Soviet Union and other countries. In the 28-page report the researchers estimate that the total share of the Russian cybercrime market alone doubled to $2.3 billion, while the whole Russian-speaking segment of the global cybercrime market also almost doubled, to $4.5 billion. The researchers noted that the Russian-speaking segment of the global cybercrime market traditionally encompasses twice the amount of the Russian segment.
The tentacles of the Russian “Mob” go far beyond the traditional physical boundaries.

[quote=“Volk, post:37, topic:43330”]
About 3 years ago in Russia you could pay approximately the equivalent of $85 to gain access to an email account
[/quote]There are actually two “rates” for email address lists.

The higher rate is for those email addresses where the account holder has recently responded, thus indicating an “ACTIVE EMAIL ACCOUNT”. (IOW, you pay more for an “Active email account”).

Active? Response? That could be just clicking on the “unsubscribe” link. Very often, that “unsubscribe” link goes right back to the spammer and he/she puts you on their “Active email account” list and can sell THAT list for more than a list of email addresses that haven’t been confirmed to be “active”.

That’s why it’s often not prudent to click on that unsubscribe link in that Newsletter you never heard of and that you don’t remember soliciting. By doing that, you’re telling the bandit that your email address IS ACTIVE. Just delete it, and DON’T respond to it.

[quote=“Volk, post:37, topic:43330”]
an effective botnet
[/quote]This is why you should do things like monitor your network activity (there’s a bunch of free software out there that will do this . . . Linux comes with some of those tools built into the system). If you’re on line but not communicating with the network and your network activity is “high”, that’s a red flag that you need to look further. There may be an explanation (like a download you’re doing), but you need to look into it.

Firewalls are NOT 100%. Neither are antivirus programs. Actually, there’s no such thing as 100% security, unless you encase your machine in concrete and never get on the Internet.

If your computer is unusually slow while on line, THAT’S a red flag. Again, there may be perfectly benign explanations (like poor housekeeping), but you need to look into it.

“Botnets” are created when a bad guy hijacks your machine to use it, and others he’s hijacked, as the “source” of attacks or criminal activity. That list of Citibank account numbers that were hacked may be traced back to YOUR COMPUTER. When the FBI comes crashing through your door (admittedly melodramatic, but it DOES happen), you’re going to be nervously explaining to them that you “DIDN’T DO IT”.

You need to know what’s going on with your machine. I’m not suggesting everybody needs to turn into a paranoid security freak like me, but you need to know the basics if you want to drive these things responsibly.


[quote=“Robert_Clay, post:16, topic:43330”]
Pretty sure it is, hard to enforce though
[/quote]LE won’t even lift a finger unless it’s a commercial site that has been penetrated (like CitiBank, PayPal, Amazon, or such), and even then they rarely get involved unless the potential losses are greater than $5,000.00 dollars.

If you’re a private concern . . . Good Luck!!!


The last time I tried to get on last night was just after 7:30. The front page said that the highest number of users was 7836 at 7:25. It still says the same thing this morning, so that must have been just about the end of it. I woke up around 4:30 this morning, and couldn’t get back to sleep, so I decided to see if I could get out. It’s now about 5:45 am.


WOW! Be gone for a few days and all hell breaks loose. So far I’ve had pretty good luck with Norton blocking questionable websites. I know that doesn’t help what happened here, but it sure helps me. They provided me with a website that allows me to check a url before I click on it. This is specifically good for the “Heartbleed” thing.


[quote=“WhoIsJohnGalt, post:42, topic:43330”]
I hope I’ll have more time to analyze the logs and pin the tail on the donkey.
[/quote]I don’t know if your anger was like mine, but I built a website for my BIL and it was defaced. Not the same as a Denial of Service attack, nevertheless it made me furious.

So furious, in fact, that I traced down the culprit (that’s where I became familiar with that “bragging” subculture . . . if the moron hadn’t bragged on those stupid forums, I likely wouldn’t have tracked him down.)

Took me over a month, but I was THAT furious.

Turned out he was a student at a University in Indonesia that was using the school’s computers in their computer lab to do his defacing. I suspect he was “practicing” ('cause defacing a web site is not all that high on the list of complexities) for bigger and profitable endeavors. He was “learning” how to penetrate web sites.

Anyway, I hope your anger sustains a patient approach and you don’t give up on finding this clown.


[quote=“WhoIsJohnGalt, post:45, topic:43330”]
Thanks, everyone, for your patience and support.
[/quote]Nooooooo . . . thank YOU.

Now I know you haven’t “pandered” for donations and wouldn’t, and I respect that . . . I’m not even sure there’s a place on here FOR donations. I’ve looked and haven’t found it.

I think your predecessor didn’t solicit donations, and you may not either.

But, as unseemly as some might think this is, I will say:

IS THERE ANY BETTER REASON FOR DONATIONS? I MEAN, THIS GUY HAS SPENT HIS TIME AND MONEY FOR OUR PLEASURE. Look at how we all hyperventilated (Melodrama and exaggeration? Probably) when this site went down for a day. Can you imagine how we’d react if it went off line permanently?

Yes, I know we’d all move on and not grieve too long, but the effort WIJG is making, though partly for his own edification perhaps, is for us also.

Thanks, genuinely, John.


Geesh! How can you tell that there are people trying to register??


He better not close RO down! I have over 10,000 posts! I’ve never done that or close to that anywhere!!


WIJG: Thanks for all your hard work and money spent keeping RO running. I love it here and feel like I’ve made some good friends because of your site. I’ve learned a lot from everyone’s various postings–even the liberals–and enjoy it here immensely. Thanks!


If a hostile interest paid them to. In our case, my first suspicion would be the “tolerant” left…

I was worried that I would be swamped with new registrations, but I haven’t been. Since day before yesterday, I’ve only got nine new registrations awaiting approval (looks on the face of it like it’s all spam).

My opinion is that they’re spanking-starved…


Pin the tail on the donkey and report it to foxnews.


I’m guessing 2c was looking at the list of members who visited RO and counted the number of unfamiliar names. A minute or two ago I saw 12. When I did that last evening there were just 4, and when I looked at them all 4 had registered yesterday. My guess is that however many of those are probable spamsters, they are unrelated to yesterday’s DDOS attack.

The other two sites I’ve been checking on are still down. Is it my imagination? Or is RO really FAST this AM?