Blog Archives

Fewer TimThumb Attacks

Are We Seeing an End to Timthumb Attacks on WordPress?

fewer timthumb attacks thumbnail imageLately we have seen a decline in the number of TimThumb RFI attacks against our WordPress sites. A year ago this was the most common hacking probe logged for every WordPress site we manage. Back then we’d see a lot; from 10 to 50, sometimes more, different sources a day. Hardly a day would go by without at least one hacker looking for the vulnerability.

Over the last 6 months, the number of witnessed attempts has declined. Sometimes we don’t see a single probe looking for the old, vulnerable, timthumb.php / thumb.php script for several days.

Read the rest of this entry

Advertisements

GIMP Gone from Sourceforge

GIMP Download Moved from Sourceforge to Gimp.org

gimp gone from sourceforge thumbnailThe GIMP Windows installer package download was removed from Sourceforge by the developers of the software. Citing the recent changes made by Sourceforge where their own so-called “installer” package is pushed in visitors faces, GIMP announced they could not expose GIMP users to this practice.

The GIMP is available directly from www.gimp.org and this is the only download anyone looking the application should use now.

Read the rest of this entry

Massive Number Websites in Botnet

Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack

website botnet thumbnail imageFor the past couple of days we’ve been watching a customers WordPress site being attacked by a botnet of websites trying to access site admin with user name “admin” and a variety of simple passwords.

Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).

Read the rest of this entry

Botnet Attacks on WordPress

Latest Botnet Attacking WordPress wp-login.php

botnet ddos brute force attack iconA botnet is currently attacking WordPress login (wp-login.php) with user name admin in a dDOS (Distributed Denial of Service) Brute Force attack intended to force the server and WordPress to allow the cyber-criminals access to the site

We’ve seen this botnet hammering some of our WordPress sites the last several days. So far we’ve seen attacks from the IPs listed below. (Note: These are only those used to attack our monitored sites – and the botnet will have more…

Be Pro-active and Defend Your WordPress Site

Read the rest of this entry

Roubaix Ovh Systems

Roubaix Ovh Systems – Most Dangerous Host?

ovh systems france graphic

Is Roubaix Ovh Systems, a hosting and Internet Service Provider in France, one of the most dangerous ISPs and hosts in the world? We could be justified in thinking so. At least out of ISPs and hosting companies in the Western economic zone, outside of former Soviet Union states.

When you see a spambot active on your site, a hacking attempt, or a trackback spammer, there’s a pretty good chance it’s coming from an IP registered to Roubaix Ovh Systems, or another Ovh Systems IP.

Roubaix Ovh Systems Banned on Sight

We (Graphicline Web & Technology) have seen so much bad activity from IPs traced back to Roubaix Ovh Systems we now ban all their IPs as soon as I find them. Activity from all other OVH Systems networks are watched carefully

Read the rest of this entry

Website Down for Visitor Safety

Website Offline after DoS Attack

My Drupal website, graphicline.co.za, remains offline today following yesterdays JavaScript injection / denial of service attack. I decided to take the site offline to ensure the safety of visitors while I check the site for any malware. My hosting service technicians are also examining the server for any possible faults or configuration problems. Other sites on sub-domains of graphicline.co.za were affected at times, and further disruptions of service are expected.

website affline after dos attack graphic imageThe DoS (denial of service) attack began in the early hours of January 24 2012 and continued for nearly 2 hours. During this time thousands of attempts were made to inject JavaScript redirect code into the website (there are too many related entries in the log to count). Although initial inspection showed no successful hack, I felt it prudent to take the site down until certain no malware or other bad stuff had been included.

Read the rest of this entry

Auto Hyperlinks

Now we Get Auto Hyperlinks – Bad News

wordpress.com automatic hyperlinks thumbnail imageText gets turned into hyperlinks automatically. I just discovered this annoying thing that’s part of the latest version of WordPress used by WordPress.com – WordPress 3.5. Type the text for a URL and the darn thing turns into a hyperlink when published. That’s right, you don’t have to click on the link function in the editor, so no options to add target info and title… No options not to create the hyperlink…  Arrgghhh!

Maybe it’s handy for the terminally lazy, but it’s bad news for SEO. And what about the bloggers who write about malware and bad websites, and want to tell readers about these bad addresses? They don’t want visitors to click a hyperlink, just want to inform people about the bad address. With auto-hyperlinks the information becomes an active link!

For example, this hacker information “Exploit attempt on WordPress GD Star Rating plugin”

Read the rest of this entry

Botnet Attacks WordPress Website

Apparent Botnet Attacked My WordPress Website

graphic image of botnet attackerWhat appeared to be a botnet attacked one of my sites (tech.graphicline.co.za) this morning in a brute-force wp-login attempt from multiple IP addresses. This was the most coordinated attack against any of my sites I’ve experienced. Usually the hacker bots I see use up to 6 IP’s in these attacks – 146 IPs is serious stuff…

146 IP’s Used in Simultaneous Attack

The IP’s listed below are the guilty parties to this brute-force login attack on the site. The main attack started at 05h09 GMT this morning (November 25, 2012) and continued until 05h15 GMT. A second but less intense attacked followed; starting from 05h16 GMT tailing off until ending at 05h43 GMT

Read the rest of this entry

Banned IPs

Banning the Bad Hosts

banning bad ips bad boy iconI’m a no-compromise banner. It doesn’t take much effort to get an IP banned from my websites. A single bad event will normally be enough to block access to my sites from an IP address. Several attempts from a range of IP’s with a common service provider will get the entire IP range banned, the hostname or domain banned.

Currently there are about 700 entries in the banned list – representing millions of IPs, and the list gets longer daily. I cannot recall a day this year when at least one new bad IP was not added to the list.

Sharing the Bad IP Info

Mostly these IP’s were simply denied access, and no record was kept about the reason for the ban. At one time I started keeping a record, then lost interest and lacked time to continue. So I decided to start again, this time publishing the info where I can get to it, and other bloggers can also find the details. So now it’s published as a page on this blog…

button link to list of banned ips

Read the rest of this entry

Markmonitor dotcom | Watchdog or What?

What is Markmonitor.com?

brandmark monitor iconMarkmonitor.com is a company providing brand protection to (mainly) global brands.

Markmonitor monitors the Internet (supposedly) looking for brand-piracy, domain name hijacking and counterfeiting (of branded goods) among it’s range of client services. The company must use search spiders to trawl websites looking for this information.

They also have another side of business, as  a domain registrar, and a number of large corporations including Apple.com have their domains under their ambit.

Read the rest of this entry