The sword of SEO

I was on a client's server that was getting attacked; the DoS was heavily distributed. Since he'd mentioned something about someone linking to his web site, I was poking through the Apache logs. I noticed that one site was generating a huge amount of referrals. Investigating deeper, I found this on the referral site:

<iframe src="" width="1" height="1" ></iframe>
0<br><iframe src="" width="1" height="1" ></iframe>
1<br><iframe src="" width="1" height="1" ></iframe>
2<br><iframe src="" width="1" height="1" ></iframe>
3<br><iframe src="" width="1" height="1" ></iframe>


30<br><iframe src="" width="1" height="1" ></iframe>

This is one of the slicker DoSes I've seen in a while. Because of the way it was set up, it would be very difficult if not impossible to block on a network level, and it is not traceable back to any particular IP on a network level (read: iptables, RTG or hardware firewall). With a few assumptions, this is what I believe happens:

- Person sets up a web site with just a park page etc. on it.
- Person directs traffic to it using SEO (backlinks, etc.) to gain it status on search engines.
- Person puts up the attack page similar to the above.
- Every time a person from a search engine clicks the link, they load a few dozen copies of the page.
- The iframe points to a "high value" target that generates a lot of load on the server, such as a forum or other dynamic content.

I personally saw this attack decimate a late model server with 16GB of RAM with enough IP distribution that it was not plausible to block it. It is viciously effective when planned out and done properly. It can also be done with virtually NO resources using a free shared hosting account. The person who loads it probably never realized they just made an attack on a server either. The plus side is that if you track it you can limit the damage done very easily provided you know what you are looking for. That will be my next blog.
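
The pattern described above leaves a recognizable trace in the Apache logs: one visitor IP requests the same page a dozen or more times in the same second, always with the same Referer. The following is an added example, not code from the original post, that flags such referrers; the combined log format, the one-second window, the threshold and the sample hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Apache "combined"
# log format on stdin; requests containing escaped quotes are not handled.

# burst_referers [MIN]: print "total_hits referrer" for each Referer where a
# single client IP made at least MIN requests inside one timestamp second,
# i.e. one visitor's browser loading many copies of a page at once.
burst_referers() {
    awk -v min="${1:-10}" -F'"' '
    {
        split($1, head, " ")            # $1 = ip ident user [time zone]
        ip = head[1]; ts = head[4]      # ts looks like [10/Oct/2010:13:55:36
        ref = $4                        # $2 = request line, $4 = Referer
        if (ref == "" || ref == "-") next
        n[ip SUBSEP ts SUBSEP ref]++
        total[ref]++
    }
    END {
        for (k in n) {
            split(k, part, SUBSEP)
            if (n[k] >= min) bursty[part[3]] = 1
        }
        for (r in bursty) print total[r], r
    }' | sort -rn
}

# Constructed sample log: two visitors arrive via the same referring page and
# each requests /forum/ 12 times in one second; two ordinary hits follow.
sample_log() {
    for ip in 203.0.113.5 198.51.100.7; do
        i=0
        while [ "$i" -lt 12 ]; do
            echo "$ip - - [10/Oct/2010:13:55:36 -0700] \"GET /forum/ HTTP/1.1\" 200 2326 \"http://parked.example/\" \"Mozilla/5.0\""
            i=$((i + 1))
        done
    done
    echo '192.0.2.9 - - [10/Oct/2010:13:55:40 -0700] "GET / HTTP/1.1" 200 512 "http://search.example/?q=x" "Mozilla/5.0"'
    echo '192.0.2.10 - - [10/Oct/2010:13:55:41 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
}

sample_log | burst_referers 10
```

On a live server, redirect the site's access log into `burst_referers` instead of the sample; ordinary referrers send one page request per click and do not reach the threshold.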

Adding lots of IPs to a Debian box

At work I had a client with a Debian system that needed a bunch of IPs added to it. Since it doesn’t really support ranges (at least that I can find) I came up with the following script.

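j=0   # set to the last eth0:N alias number already in the interfaces file
for i in {186..190}
do
j=$(expr $j + 1)
echo auto eth0:$j >> interfaces; echo iface eth0:$j inet static >> interfaces; echo address 192.168.41.$i >> interfaces; echo netmask >> interfaces;  # netmask value is missing here; add yours after "netmask"
done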

How it works is that j is the last IP in the ranges currently set in the interfaces file. The address is defined in the script, and the range is defined in the "for i in" section. Just change the numbers to match what you want, put this into /etc/networking, run it and restart networking. This is only for five IPs, but you could do hundreds or thousands this way if that was the desired effect. Or you can use a distro that supports ranges :>

How to upgrade Fedora 13 to 14.

For whatever reason they seem to have left out some important steps for a successful upgrade, so here you go:

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-14-primary
yum update fedora-release --releasever=14
yum --releasever=14 update --skip-broken -y

After you reboot, run:
rpm -qa | grep -v fc14 | xargs yum -y update

If anyone at the Fedora group is paying attention.. add this crap to the wiki.

Search Specific Files for Specific Content!

At Beyond Hosting we have a lot of customers who use CSF (Config Server & Firewall). After about 30 installations of CSF, the md5 checker can really cause problems for iowait. So below is a script to check all the files for the setting of the md5 checker; you can adapt this to check any file, really.

for i in /vz/private/*
do grep "LF_INTEGRITY" "$i/etc/csf/csf.conf"
echo "$i"   # container path the line above belongs to
done