sevent — 2010-09-25T11:52:26-04:00 — #1
Not by hotlinking images, but by using my url redirection site to hotlink a .js file. Makes no sense, but I'm getting thousands of requests every second for the file i.cx/1ya coming from http://www.orkut.com.br/Main. If my server was able to keep up with the requests, it would serve up a redirect to rodlac.com.br/js/xss.js (which is not loading right now, perhaps because too many requests were passed through before I shut down the redirect).
I've tried signing up to Orkut.com.br but Google insists on showing me the ".com" site, even after I said I was from Brazil, so I can't view the source code for the page in question. Meanwhile, I tried dumping all traffic with "orkut" in the referrer, but there are still too many requests. I've had to change nameservers for my site so it doesn't resolve, though the requests are still coming in at an overwhelming rate. Obviously I'd like to get the site back up soon.
Suggestions? I don't see any support link at orkut.com that suggests I will get a quick response to this, and I want to get my site back up asap. Can someone from Brazil log in and find where it's being pulled in the source code? Thanks!
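Added example, not part of the original thread: a small access-log triage that confirms which (path, referrer host) pair dominates traffic before deciding what to drop or retire. It assumes Apache/nginx "combined" log format; the log lines, client IPs and the `/abc` short code are constructed sample data, while `/1ya` and the Orkut referrer are the ones named in the post above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "combined" log format: client, identity, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def hot_pairs(lines, min_share=0.5):
    """Return [(path, referer_host, hits)] for pairs that account for
    at least min_share of all parsed requests, busiest first."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines instead of guessing
        # Group by referrer host so query strings and paths do not split the count.
        host = urlsplit(m["referer"]).hostname or "-"
        counts[(m["path"], host)] += 1
    total = sum(counts.values())
    return [(path, host, hits)
            for (path, host), hits in counts.most_common()
            if total and hits / total >= min_share]

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """
203.0.113.10 - - [25/Sep/2010:11:40:01 -0400] "GET /1ya HTTP/1.1" 302 0 "http://www.orkut.com.br/Main" "Mozilla/5.0"
203.0.113.11 - - [25/Sep/2010:11:40:01 -0400] "GET /1ya HTTP/1.1" 302 0 "http://www.orkut.com.br/Main" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2010:11:40:01 -0400] "GET /1ya HTTP/1.1" 302 0 "http://www.orkut.com.br/Main" "Mozilla/4.0"
198.51.100.8 - - [25/Sep/2010:11:40:02 -0400] "GET /1ya HTTP/1.1" 302 0 "http://www.orkut.com.br/Main" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2010:11:40:02 -0400] "GET /abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.45 - - [25/Sep/2010:11:40:03 -0400] "GET /1ya HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is truncated garbage
"""

if __name__ == "__main__":
    for path, host, hits in hot_pairs(SAMPLE_LOG.splitlines()):
        print(f"{hits} hits for {path} referred by {host}")
```
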
mittineague — 2010-09-26T10:22:40-04:00 — #2
Instead of returning a blank page, can you return 410 GONE HTTP headers for the URL instead?
sevent — 2010-09-26T04:14:04-04:00 — #3
Hi, thanks for the information! I have had to take down the entire URL redirection website temporarily; it was killing the entire server. Before disabling the website I set all requests for this specific URL redirect to return a blank page, but just serving thousands of blank pages a second was too much. Can you tell me, is this still a problem? Has Orkut fixed the problem yet? I need to get i.cx back up asap.
brunobehnken — 2010-09-25T19:48:09-04:00 — #4
I'm from Brazil, and I know what's happening. It's a code for Orkut that a guy created that loads a Brazilian flag image on a user's profile. This image has a script, and the source code of the script is on your server. This script sends the same flag to other users, and they see it, sending it to others and others... It's a security fail in Orkut. Millions of users have seen the flag, and requested the source code from your server. Please delete the link from your server, so we here in Brazil can stop receiving this worm.
sevent — 2010-09-27T08:40:37-04:00 — #5
Hey brunobehnken, thanks for letting me know it's fixed! I never got a response from Google/Orkut.
@Mittineague I had tried various redirects with .htaccess but the request load was still way too high.
brunobehnken — 2010-09-26T14:50:28-04:00 — #6
Orkut has fixed it and deleted all the users who created the worm, so you can back up your server now. Thanks for stopping the worm and sorry, in the name of all Orkut users!