Blog Archives
Massive Number Websites in Botnet
Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack
For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of websites trying to access the site admin with the username “admin” and a variety of simple passwords.
Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).
CartPress Sends no-cache Headers
WordPress Plugin News Feed Stops Website Caching
It’s hard to believe a simple news feed from the CartPress e-commerce plugin for WordPress prevents WordPress from caching pages. This is apparently what happened to a website recently.
We received a request for assistance for a WordPress e-commerce site with this problem. The owner had read our article, Fastest WordPress Caching System, and asked if we thought it would overcome a problem with his site. We explained that this system wasn’t suitable for e-commerce.
Roubaix Ovh Systems
Roubaix Ovh Systems – Most Dangerous Host?
Is Roubaix Ovh Systems, a hosting and Internet Service Provider in France, one of the most dangerous ISPs and hosts in the world? We could be justified in thinking so, at least among ISPs and hosting companies in the Western economic zone, outside the former Soviet Union states.
When you see a spambot active on your site, a hacking attempt, or a trackback spammer, there’s a pretty good chance it’s coming from an IP registered to Roubaix Ovh Systems, or another Ovh Systems IP.
Roubaix Ovh Systems Banned on Sight
We (Graphicline Web & Technology) have seen so much bad activity from IPs traced back to Roubaix Ovh Systems that we now ban all their IPs as soon as I find them. Activity from all other OVH Systems networks is watched carefully.
Website Down for Visitor Safety
Website Offline after DoS Attack
My Drupal website, graphicline.co.za, remains offline today following yesterday’s JavaScript injection / denial of service attack. I decided to take the site offline to ensure the safety of visitors while I check the site for any malware. My hosting service technicians are also examining the server for any possible faults or configuration problems. Other sites on sub-domains of graphicline.co.za were affected at times, and further disruptions of service are expected.
The DoS (denial of service) attack began in the early hours of January 24 2012 and continued for nearly 2 hours. During this time thousands of attempts were made to inject JavaScript redirect code into the website (there are too many related entries in the log to count). Although initial inspection showed no successful hack, I felt it prudent to take the site down until certain no malware or other bad stuff had been included.
Auto Hyperlinks
Now we Get Auto Hyperlinks – Bad News
Text gets turned into hyperlinks automatically. I just discovered this annoying thing that’s part of the latest version of WordPress used by WordPress.com – WordPress 3.5. Type the text for a URL and the darn thing turns into a hyperlink when published. That’s right, you don’t have to click on the link function in the editor, so no options to add target info and title… No options not to create the hyperlink… Arrgghhh!
Maybe it’s handy for the terminally lazy, but it’s bad news for SEO. And what about the bloggers who write about malware and bad websites, and want to tell readers about these bad addresses? They don’t want visitors to click a hyperlink, just want to inform people about the bad address. With auto-hyperlinks the information becomes an active link!
For example, this hacker information “Exploit attempt on WordPress GD Star Rating plugin”
Banned IPs
Banning the Bad Hosts
I’m a no-compromise banner. It doesn’t take much effort to get an IP banned from my websites. A single bad event will normally be enough to block access to my sites from an IP address. Several attempts from a range of IPs with a common service provider will get the entire IP range banned, or the hostname or domain banned.
Currently there are about 700 entries in the banned list – representing millions of IPs, and the list gets longer daily. I cannot recall a day this year when at least one new bad IP was not added to the list.
Sharing the Bad IP Info
Mostly these IPs were simply denied access, and no record was kept of the reason for the ban. At one time I started keeping a record, then lost interest and lacked the time to continue. So I decided to start again, this time publishing the info where I can get to it and other bloggers can also find the details. So now it’s published as a page on this blog…
Stop Timthumb Attacks at Server
Stop Timthumb Attacks Before WordPress
All owners of busy, and not so busy, self-hosted WordPress sites and blogs will know all about timthumb scripting attacks on their site. If the site has the latest, up-to-date version of the vulnerable files, that’s as far as the attack will go.
But constant timthumb attacks are still annoying and use up resources with 404 page not found responses.
Stop Timthumb Attacks at Front Door
Here’s a way to stop these annoying attacks at the front door, before they even get to WordPress. The following rules, added to your website or blog’s .htaccess file, will prevent nearly all timthumb RFI attacks from wasting server resources.
FreeWebMonitoring SiteChecker/0.1
Hacker Bot FreeWebMonitoring SiteChecker/0.1 Pays a Visit
Bad bot “FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)” paid a visit to one of my websites yesterday from IP address 184.107.201.242 which belongs to Canadian service provider: Canada Montreal Thst Golf Inc.
The full range of IPs owned by Canada Montreal Thst Golf Inc. is 184.107.0.0 – 184.107.255.255.
This bot is not the bot used by freewebmonitoring.com. Their bot is “FreeWebMonitoring SiteChecker/0.2 (+http://www.freewebmonitoring.com/bot.html)”.
WPOnlineStore PHP Fatal Error ‘function.require’
Googlebot Error with WPOnlineStore Plugin
Googlebot triggers a PHP fatal error, ‘function.require’, causing the bot to receive a “500” internal server error when trying to crawl the pages created by the WordPress WPOnlineStore plugin. In my previous post I mentioned this ongoing problem. Today I can provide some additional information.
The problem is not unique to my shop site, although initial searches of the internet found only a few references to it. For the past two days the hosting company’s server engineers have been looking into the problem, unfortunately without any success. After disabling the Apache mod_secure settings, which appeared to be causing the error, Googlebot still triggered it. As previously mentioned in Googlebot has Problems with WPOnlineStore, it is only Googlebot that is affected, and therein lies the first clue.
Beware Panasonic Recorder Driver Downloads
Panasonic Recorder Driver Downloads are Malware
Drivers are simply not available online for most of the range of Panasonic digital audio recorders with model numbers rr-US***. Included are Panasonic rr-US430, Panasonic rr-US450 and Panasonic rr-US500.
Although a quick Google for Panasonic driver rr-US450 or any of the model numbers mentioned will produce hundreds of search results, NONE of the links will lead the searcher to a driver file for this range of products. “Downloads for Panasonic DVC USB Driver” will produce the same negative result.
All of the links will eventually take you to one of a small handful of “download” sites. The majority will send you to Driver Guide (www.driverguide.com) and several mirror type sites that look the same and do the same.
Driverguide.com Fake Driver Software
Driver Guide (www.driverguide.com) packages are fakes and a way of spreading Babylon software. They do not have the required Panasonic Recorder driver in their packages, or even in their library. Claiming they do is false advertising. Driverguide.com should be blacklisted for distributing rubbish software under the guise of drivers for well-known products.