Category Archives: Internet Security

Fewer TimThumb Attacks

Lately we have seen a decline in the number of TimThumb RFI attacks against our WordPress sites. A year ago this was the most common hacking probe logged for every WordPress site we manage. Back then we'd see a lot: from 10 to 50 different sources a day, sometimes more. Hardly a day would go by without at least one hacker looking for the vulnerability.

Over the last 6 months, the number of witnessed attempts has declined. Sometimes we don't see a single probe looking for the old, vulnerable timthumb.php / thumb.php script for several days. Read the full article here.

Bork-Edition User Agent

Opera User Agent “Bork-Edition”

Have you seen Bork-edition user agent strings? Wondered what browser uses this string? Maybe you noticed that nearly all traffic to your site with Bork-edition in the user agent string is spam and hacking attempts. User agents with Bork-edition are considered by at least one writer to be among the top 10 spam bots that must be blocked.

There are several user agents which at first glance look harmless, e.g. the user agent string Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]

Opera Software released a version of its browser that behaves differently when visiting MSN.

Users accessing the MSN site will see the page transformed into the language of the famous Swedish Chef from the Muppet Show: Bork, Bork, Bork!

This special version of Opera 7.02 uses the Bork-edition string in the browser ID. Read more

Weird Spam by E-Mail

Nonsense Spam

Just when I thought I'd seen it all, I get some really weird spam e-mail from a webform response. Every possible field is filled in with a website URL or nonsense text. And there are lots of fields. Stranger still, the mail form responds to a promotion that ended in October 2011…

Email: wxgokb@

First Name: zmcpff
Last Name: zmcpff
Company: zmcpff

Bus Tel: 5283678809
Cell: 2194836070

Post Address L2: http: //
Suburb: http: //
City: New York
Code: 9804

Street Address: http: //
Street Address L2: http: //
Suburb: http: //
City: New York
Code: 9804

Ownership Type:  Self Employed (Sole Trader)
Business Sector:  Clothing/Textile

Employees: 1-3

Description of Business: Gog0rh <a href=”http: //”>geqsrfadufdz</a>http: //]chxxwqcqcloy, http: //, http: //

Read the rest of this entry

Botnet Attacks WordPress Website

Read this article here

Botnet Attack on WordPress Website

What appeared to be a botnet attacked one of my sites ( this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I've experienced. Usually the hacker bots I see use up to 6 IPs in these attacks; 146 IPs is serious stuff…

146 IPs used in a simultaneous attack. The IPs listed are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second, less intense attack followed, starting at 05h16 GMT and tailing off until it ended at 05h43 GMT.

FreeWebMonitoring SiteChecker/0.1

Hacker Bot FreeWebMonitoring SiteChecker/0.1 Pays a Visit

Bad bot "FreeWebMonitoring SiteChecker/0.1 (+" paid a visit to one of my websites yesterday from IP address which belongs to Canadian service provider: Canada Montreal Thst Golf Inc.

The full range of IPs owned by Canada Montreal Thst Golf Inc. is –

Only used by hackers.

The "FreeWebMonitoring SiteChecker/0.1 (+" user agent is not used by any legitimate bot; it is only used by hackers. Read more here.
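As an added example, not code from the original posts, the following Python log check covers the Bork-edition, botnet and FreeWebMonitoring posts above: it parses Apache combined-format lines, flags the two user agents named in the posts, and detects a distributed wp-login brute force by counting distinct source IPs in a sliding window rather than requests per IP. The sample log, its IPs, times and the thresholds are constructed for the example; only the two user-agent strings are taken from the posts.

```python
import re
from collections import deque
from datetime import datetime
# Constructed sample (Apache combined format; IPs, times, sizes made up); UA strings are from the posts.
SAMPLE_LOG = """\
10.0.0.1 - - [25/Nov/2012:05:09:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.2 - - [25/Nov/2012:05:09:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.3 - - [25/Nov/2012:05:09:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.4 - - [25/Nov/2012:05:10:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.1 - - [25/Nov/2012:05:11:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Nov/2012:05:12:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.6 - - [25/Nov/2012:06:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Nov/2012:07:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
10.0.0.8 - - [25/Nov/2012:07:01:00 +0000] "GET /feed/ HTTP/1.1" 404 512 "-" "FreeWebMonitoring SiteChecker/0.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# User-agent substrings the posts identify as spam/hacking traffic (matched lowercase).
BAD_UA_MARKERS = ("bork-edition", "freewebmonitoring sitechecker")
def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def bad_user_agents(text):
    """(ip, user-agent) pairs for requests whose UA carries a known bad-bot marker."""
    return [(r["ip"], r["ua"]) for r in parse_log(text)
            if any(marker in r["ua"].lower() for marker in BAD_UA_MARKERS)]

def distributed_login_bursts(text, window_sec=300, min_ips=5):
    """Windows holding at least `min_ips` DISTINCT IPs that POST to wp-login.php; per-IP rate
    limits miss a botnet spread over many sources. Returns (start, end, distinct_ips) tuples."""
    posts = sorted((r["ts"], r["ip"]) for r in parse_log(text)
                   if r["method"] == "POST" and r["path"].startswith("/wp-login.php"))
    window, alerts = deque(), []
    for ts, ip in posts:
        window.append((ts, ip))
        while (ts - window[0][0]).total_seconds() > window_sec:
            window.popleft()  # drop requests that fell out of the sliding window
        distinct = len({w_ip for _, w_ip in window})
        if distinct >= min_ips:
            alerts.append((window[0][0], ts, distinct))
    return alerts
```

In the sample the repeat visit from 10.0.0.1 at 05:11:40 does not raise the distinct count, so the alert only fires once the fifth source posts at 05:12:12, and the lone request at 06:30 starts a fresh window.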

Go Away Baidu and Yandex

Baidu and Yandex Bots Forbidden Access: That's it folks, I have denied access to the Baidu and Yandex web spiders. I don't want them crawling my sites, and I don't want them crawling my clients' sites (unless the client wants them to, of course).

Neither of these bots follows advanced robots.txt disallow rules, and both crawl areas of the sites I don't want indexed… In particular I don't want them continually searching my sites for non-existent RSS feeds and trackback URLs, generating excessive page not found errors.

What is Verify Compliance Page

I noticed a few 404 page not found errors in activity logs for several sites today using these strings: verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= and notified-Compliance_Page with the same rubbish string on the end.

When I find odd GET requests I invariably try to find out more about what the 'visitor' is trying to do. Are they trying to hack, access forbidden areas, upload malware or post spam…

As far as verify-Compliance_Page and notified-Compliance_Page are concerned, the amount of substantiated information is notable only in its scarcity.

WordPress Plugin Phishing Scam

Phishing Scam Targets WordPress Plugin Developers

What may be the first phishing scam specifically targeting WordPress plugin authors has been discovered. The scam comes in the form of an e-mail claiming the developer's plugin has been removed from the WordPress Repository, and tells the plugin author to use the link in the mail to log in and change their password.

The e-mail uses the Subject line “[ Plugins] Urgent: Your Plugin Has Been Removed” and starts “Dear WordPress Plugin Developer”

This is not an official WordPress email! Read More

Microsoft Security Essentials

Microsoft Security Essentials Under Microscope

A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from the most common threats? Can MSE compete with commercial security applications?

I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware.

Installing Microsoft Security Essentials was easy. The basic installer downloaded fast and ran without any conflicts (Win XP 32-bit and Win7 (Enterprise Developers) 64-bit). A few options were offered. Read More.

Picasa Spoofed for Malware Injection

Hackers Using Picasa Spoof for Web Malware

Strange-looking referer URLs and GET requests that appear to come from Picasa are being used by hackers to find website vulnerabilities in order to inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=***** (stars replace the actual characters in the string for your safety; it leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!

Any query string repeating www. is suspicious, although it may have been a user error, often from copy/pasting a link without fully overwriting the existing address; but then at least the first www reference will normally be your blog or website (or a page on it). If a search engine has indexed something like this, resulting in a broken link to your site, whoever posted the link probably made a mistake, and it should be redirected to a suitable page… Read More
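An added example, not from the original posts, of the kind of triage the Compliance_Page and Picasa posts above describe: it decodes the base64 blob that the -Compliance_Page probes carry after the "?" and flags a thumb.php src= value that loads from another host or repeats www. The own_host value, the thumb.php request and the hostnames in the test are constructed; only the Compliance_Page string is taken from the post.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

B64_RE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')

def decode_if_base64(value):
    """Decoded text if `value` is base64 of printable text, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def triage_request(path_and_query, own_host):
    """Return a list of findings explaining why a logged GET request looks odd.
    own_host is the site's own hostname (assumed/constructed for the example)."""
    findings = []
    parts = urlsplit(path_and_query)
    # 1. The '...-Compliance_Page?<blob>' probes: the blob after '?' is a bare value, not
    #    key=value (only trailing '=' padding), and it decodes to a URL, here the probed site's.
    if parts.path.endswith("Compliance_Page") and "=" not in parts.query.rstrip("="):
        decoded = decode_if_base64(parts.query)
        if decoded:
            findings.append(f"query is base64 of {decoded!r}")
    # 2. thumb.php?src= pointing at another host is the TimThumb remote-file pattern.
    if parts.path.endswith("thumb.php"):
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "src" and re.match(r'^(https?:)?//', value):
                host = urlsplit(value).hostname or ""
                if host != own_host:
                    findings.append(f"src= loads remote host {host!r}")
    # 3. Any query string repeating 'www.' is suspicious (as the Picasa post notes).
    if parts.query.lower().count("www.") > 1:
        findings.append("query string repeats 'www.'")
    return findings
```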
