This is weird: a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all requests went to the non-existent /bc/123kah.php.
The payload was an array that looked like this:
Array
(
    [showed] =>
    [clicked] =>
    [version] => 126.96.36.199
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)
So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.
The traffic was never overwhelming but I decided to put a stop to it with a simple

    deny from all

in a .htaccess file. Much better than having WordPress serve up a 404 page.
I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)
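
One way to spot this kind of traffic in an access log, as an added example that is not from the original post: the script lists POST targets that only ever returned a 4xx status and were hit from several distinct addresses. The log lines, the documentation-range IP addresses and the `min_sources` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2010:16:22:38 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [22/Feb/2010:16:22:41 +0000] "POST /bc/123kah.php HTTP/1.1" 404 512 "-" "-"
203.0.113.5 - - [22/Feb/2010:16:23:02 +0000] "POST /bc/123kah.php HTTP/1.1" 403 210 "-" "-"
192.0.2.10 - - [22/Feb/2010:16:23:10 +0000] "POST /bc/123kah.php HTTP/1.1" 403 210 "-" "-"
192.0.2.44 - - [22/Feb/2010:16:24:00 +0000] "GET /about/ HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Feb/2010:16:24:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.99 - - [22/Feb/2010:16:25:00 +0000] "POST /missing.php HTTP/1.1" 404 512 "-" "-"
"""

# Client IP, request method, request path and response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_post_targets(log_text, min_sources=3):
    """Return {path: (hits, distinct_ips)} for POST targets that only ever
    got 4xx responses and were hit from at least min_sources addresses."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    served = set()  # POST targets that returned a non-4xx status at least once
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not m["status"].startswith("4"):
            served.add(path)
            continue
        hits[path] += 1
        sources[path].add(m["ip"])
    return {
        p: (hits[p], len(sources[p]))
        for p in hits
        if p not in served and len(sources[p]) >= min_sources
    }


if __name__ == "__main__":
    for path, (n, ips) in suspicious_post_targets(SAMPLE_LOG).items():
        print(f"{path}: {n} POSTs from {ips} addresses")
```

Counting both 404 and 403 responses means the report stays the same before and after a `deny from all` block is put in place.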