Perishable Press

Blacklist Candidate Number 2008-01-02

Welcome to the Perishable Press “Blacklist Candidate” series! In this first post, we begin a new tradition of exposing, humiliating and banishing spammers, crackers and other worthless scumbags..

[ Photo: Bob Barker Pointing ] Every Wednesday, I take a little time to investigate my 404 error logs. In addition to spam, crack attacks, and other deliberate mischief, the 404 logs for Perishable Press contain errors due to missing resources, mistyped URLs, and the occasional bizarre or even suspicious behavior of the search-engine robots. Whenever possible, I attempt to resolve a majority of the “fixable” errors, either by restoring missing resources, adding an htaccess redirect, or by any other means available. Needless to say, perpetually analyzing and optimizing website traffic requires a healthy dose of determination, patience, and focus.

Our first candidate..

Having exercised a rigorous maintenance practice for well over a year now, my 404 error logs are almost completely devoid of all “fixable” 404 errors, and are filled almost exclusively with spam attacks, XSS attempts, and other miscellaneous cracker nonsense. Fortunately, my site has only fallen victim to such espionage on one occasion, and on a different server.

These days, I go through great lengths to ensure the stability and security of my site, banning all scum-infested IP addresses via my htaccess blacklist. Most of the meatsacks I encounter are small-time, piddly-wink candy-apples, but occasionally a more serious disease-bag will stumble along.

So, inspired by the helpful notices posted by A Daily Rant, I have decided to share some of the more depraved neanderthals with my audience (so kind, I know). Thus, in addition to the blacklist and blackhole data that I share with you, I am now also focusing on individual and small-group candidates for blacklisting. And so, in the philanthropic spirit of A Daily Rant, I am proud to expose blacklist candidate number 2008-01-02:

Some anonymous shmuck with IP address 75.126.85.215

Synopsis

According to my 404 error log, IP address 75.126.85.215 attempted to access the non-existent resource, “/wp-admin/admin-ajax.php” 312 times on September 30th, 2007 and another 312 times on October 1st, 2007. During each attack, half of the access attempts were targeted at “/press/2007/wp-admin/admin-ajax.php” and the other half at “/press/wp-admin/admin-ajax.php”. The IP was blocked early October 2nd to prevent further attempts. Update: blocking this specific IP address seems to be effective — it is now January of 2008 and no similar attacks have yet occurred.

Identification

According to the reverse-lookup results returned via kloth.net’s free DNS utility, the identity of IP address 75.126.85.215 is as follows:

Host:  215.85.126.75.in-addr.arpa
Type:  PTR
Value: 75.126.85.215.infomart.reverse.dnska.com.

IP Address Contact Information

SoftLayer Technologies Inc. SOFTLAYER-4-3 (NET-75-126-0-0-1)
75.126.0.0 - 75.126.255.255

Innovation IT Solutions Corp. NET-75-126-85-192 (NET-75-126-85-192-1)
75.126.85.192 - 75.126.85.223

# ARIN WHOIS database, last updated 2008-01-01 19:10

Discussion

Apparently, certain versions of WordPress suffer from a security vulnerability related to an admin file named admin-ajax.php. Fortunately, at the time of the attack I was running a version of WordPress in which the vulnerability had been fixed; that did not, however, stop our first official blacklist candidate from making 624 access attempts. Each of Candidate 2008-01-02’s attacks lasted around 2 minutes, which translates to around 2.6 hits per second.

Details

Here are the first and last 404-log entries for both attacks, beginning with the excerpt from September 30th [1]:

Note: in the following log entries, each instance of perishablepress.com was replaced with example.com. This was required to prevent endless 404 errors from googlebot constantly crawling plain-text URLs.

// SEPTEMBER 30th, 2007 (first and last 404 entries):

September 30th 2007, 07:50am   >>   https://example.com/press/2007/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY: 
.
.
.
[310 similar records omitted for clarity]
.
.
.
September 30th 2007, 07:52am   >>   https://example.com/press/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:

And here is the excerpt from the subsequent attack on October 1st:

// OCTOBER 1st, 2007 (first and last 404 entries):

October 1st 2007, 08:58pm   >>   https://example.com/press/2007/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY: 
.
.
.
[310 similar records omitted for clarity]
.
.
.
October 1st 2007, 09:00pm   >>   https://example.com/press/wp-admin/admin-ajax.php
REFERRER: 
QUERY STRING: 
REMOTE ADDRESS: 75.126.85.215
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE IDENTITY:

Let’s stop this nonsense..

Blacklist

Candidate #2008-01-02, come on down — you’re the next contestant on the htaccess blacklist! Two ways to block this moron: via .htaccess OR via PHP.

Block via htaccess

# blacklist candidate 2008-01-02: admin-ajax.php attack
Deny from 75.126.85.215

Block via PHP

<?php
// blacklist candidate 2008-01-02: admin-ajax.php attack
// must run before any output is sent, otherwise header() has no effect
$deny = array("75.126.85.215");
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
   header("Location: http://www.google.com/");
   exit();
}
?>
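As an added example (not the post’s own code), here is a short Python script that parses 404-log records in the layout shown in the Details section, flags an address that hammers missing paths in a burst like the one described in the Synopsis, and renders the same style of htaccess Deny line. The sample records are constructed here and reuse the post’s IP address and target paths; the hit threshold, the time window and the 60-second rate floor are assumptions.

```python
import re
from datetime import datetime
# Record layout of the custom 404 log shown in the post: a timestamp line, then one
# "FIELD: value" line per captured PHP variable (only REMOTE ADDRESS is needed here).
STAMP_RE = re.compile(r"^(?P<month>[A-Za-z]+) (?P<day>\d{1,2})(?:st|nd|rd|th) (?P<year>\d{4}), "
                      r"(?P<time>\d{1,2}:\d{2})(?P<ampm>am|pm)\s+>>\s+https?://[^/]+(?P<path>/\S*)$")
IP_RE = re.compile(r"^REMOTE ADDRESS:\s*(\S+)")
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

def _record(stamp, url, ip):  # one record in the post's log layout
    return (f"{stamp}   >>   {url}\nREFERRER: \nQUERY STRING: \n"
            f"REMOTE ADDRESS: {ip}\nUSER AGENT: {UA}\nREMOTE IDENTITY: \n")

# Constructed sample: six hits from the post's candidate IP alternating between its two
# target paths over 07:50-07:52, plus one ordinary 404 from an unrelated (RFC 5737) address.
TARGETS = ["/press/2007/wp-admin/admin-ajax.php", "/press/wp-admin/admin-ajax.php"]
SAMPLE_LOG = "".join(
    _record(f"September 30th 2007, 07:5{i // 2}am", "https://example.com" + TARGETS[i % 2],
            "75.126.85.215") for i in range(6)
) + _record("October 1st 2007, 08:58pm", "https://example.com/press/missing.png", "192.0.2.10")

def parse_404_log(text):
    """Parse the log into dicts with 'time', 'path' and 'ip'; filler lines are skipped."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := STAMP_RE.match(line):
            stamp = f"{m['month']} {m['day']} {m['year']} {m['time']}{m['ampm'].upper()}"
            cur = {"time": datetime.strptime(stamp, "%B %d %Y %I:%M%p"), "path": m["path"], "ip": None}
            entries.append(cur)
        elif (m := IP_RE.match(line)) and cur is not None:
            cur["ip"] = m.group(1)
    return entries

def flag_bursts(entries, min_hits=50, max_span_minutes=5):
    """IPs with >= min_hits 404s (any path) inside a short window."""
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e)
    flagged = []
    for ip, hits in by_ip.items():
        times = sorted(e["time"] for e in hits)
        span = (times[-1] - times[0]).total_seconds()
        if len(hits) >= min_hits and span <= max_span_minutes * 60:
            # 60 s floor: the log has minute resolution; 312 hits over 120 s is the post's 2.6/s
            flagged.append({"ip": ip, "hits": len(hits), "paths": sorted({e["path"] for e in hits}),
                            "rate": round(len(hits) / max(span, 60), 2)})
    return flagged

def htaccess_rules(flagged):  # one Deny line per flagged IP, in the post's blacklist style
    return [f"# {f['hits']} hits on {', '.join(f['paths'])}\nDeny from {f['ip']}" for f in flagged]
```

Run against a real log, `min_hits` should be set well above what a legitimate crawler produces for missing resources, and the resulting Deny lines reviewed before they are pasted into .htaccess.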

Thanks for playing, #2008-01-02 — we wouldn’t have done it without you!

Download

[1] For the purists among us, here is a copy of the logged activity recorded for this month’s Blacklist Candidate.

Download log file »

Jeff Starr
About the Author Jeff Starr = Creative thinker. Passionate about free and open Web.
10 responses
  1. Haha, your way of taking spammers as if it was personal is funny.

    I like this blog a little more every day!

    Also, I wonder what tools you use to analyse the requests leading to a 404. I’m curious to see if my blog is menaced too, and kick some robot ass :)

  2. Jeff Starr

    Hi Louis,

    Glad to see you again!

    Trust me, I do get the joke — thus the lighthearted tone of the article — and I am glad you also see the humor in the whole charade. I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks. The mindless spammers may have no idea who they are attacking, but I assure you that those of us forced to spend time, effort, and money to combat such idiocy understand the situation quite intimately.

    As for the tools I use to keep an eye on such nefarious behavior, I am preparing a plugin that is designed to do the job. Basically, I am using a variety of predefined PHP variables to create a log for all 404 hits. You need a writable log file that is written to by a custom 404 error page that captures all the desired information. Much more on this process is on the way — stay tuned..

    Regards,
    Jeff_

  3. DeepFreeze January 6, 2008 @ 4:28 am

    You are very lucky to have escaped a very vulnerable situation. You must be thinking “Thank God I updated blog platform…”

  4. I do, however, take seriously all attempts to exploit my site, regardless how “impersonal” they may be perceived. Sure, the warfare is automated and largely randomized, but that does not detract from the negative consequences associated with deliberate site attacks.

    Of course! I underlined the pleasant part (I mean, you making fun of them) but these spammers are the modern scourge. I really wish we had a juridic way to deal with them.

    As for the plugin you raise, that is gold news. Such a plugin would be a killer! I’m waiting on the edge of my seat :)

    Note: I’m sad not to be able to tell you what I mean in my comments. I’m French and even if I get used to reading English, writing is still a pain for me.

    What I’m trying to say is that there wouldn’t be confusion between us sometimes if I could write in my native language.

    Oh, and I’d say that me enhancing my English thanks to you makes you kind of a teacher for me :D

  5. Jeff Starr

    @DeepFreeze: Yes, I am very fortunate to have been running a version of WP that was not vulnerable to that particular exploit, however, there are countless others targeted at nearly every version of WordPress available. But yes, I am indeed grateful!

    @Louis: I agree, especially if you mean “juridic” in the sense of, “skinning them alive and feeding their still warm flesh to the dogs..” — they are indeed the modern day scourge (well said). As for the plugin, I have the 404 scripting stuff done, I just need to work it into the WP Admin. When finished, it will serve as an excellent way for WordPress users to keep a close eye on their 404 errors. I am excited about it as well :)

  6. I agree, especially if you mean “juridic” in the sense of, “skinning them alive and feeding their still warm flesh to the dogs..”

    :’D

  7. DeepFreeze January 6, 2008 @ 8:00 pm

    Good Blogs (also forums) are always targets of Hackers (Lame Guys who have too much time on their hands). So you should be extra careful.

    PS: Also it’s better to try to hack(/test) into your own blog to check whether your blog is vulnerable.

  8. LinkAtivity July 9, 2008 @ 7:13 am

    Great website, found searching Google for “PHP block IP address”. I’m having a guy from Russia (apparently) leave link requests for his sick porno-sites. I’m going to use your information to block him.

    But I thought, why send him to Google where he can just search for his next victim. Instead let’s send them to: http://www.fbi.gov/cyberinvest/cyberhome.htm

    Maybe that will give them a shock, even if momentarily. ;-)

  9. Hi Jeff

    I got to this link by reading your latest blackhole post for bad bots. I wanted to get your opinion on something. In my perusal of my logs containing bad people or bots landing on my pages over three websites I noticed that almost all of them are running IE 6. Do you also notice this situation?

    I refer to this because there is so much discussion about whether or not a person should design for IE 6 or not. I contend that the largest numbers of users people pick up in their logs are bad bots or spammers.

  10. Jeff Starr

    Hi Brad,

    Great point! IE6 as identified via user-agent string is a common sight in my error logs, but I can’t say that “almost all” are IE6. It’s a common spoof string for bad bots, so it seems safe to say that the usage numbers for IE6 are even lower than data suggests.

    And that’s good news :)

[ Comments are closed for this post ]