Tag: wordpress

WordPress Trackback Spam Technique for Content Spamming

Recently I have been observing a different WordPress spam technique that uses WP trackbacks. This technique has some interesting characteristics that are unlike other types of spam, so my usual clues as to origin and banning method did not work. Fortunately this technique also has some unique characteristics that can be used to ban them. Fortunately.

WordPress Trackbacks
When one WP site links to another WP site, the WP sites communicate with each other using a method called trackbacks. The first site sends a trackback request to the second site. The second site posts the trackback as a special comment, which invites the user to click through to the first site. These trackbacks are automated, making it convenient for both sites.

Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1

This hack suspended the hosting account and the web site as a malware infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in, This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.

Caught me: Adblock-plus goes Rogue

The National Post put up a news article about user centered design in cars, which turned out to be an ad. I took screen caps of this offending article and wrote about it. The image file name I used included the snippet “-ad-“, which was enough for my ad-block plus browser plugin to remove it from my view. Only after renaming the file name and reuploading it could I actually see the ad. Lesson learned.

Content Security Policy on WordPress

Reading, I was, about a web site security tool from Mozilla, so I had to try it. My site, the one you are on now, rated “D-“. It was no consolation that most sites rate “F”. Within the rating there was this criteria called “Content Security Policy” (CSP) that tweaked my interest.

Content Security Policy: Purpose
A CSP is a policy that you put into the head section of your page that whitelists all the sites that contribute to your page. If someone tries to add something to your page’s content but is not on you CSP, your browser will not load it. This stops a nasty infection of something called “cross site scripting” or XSS.

WordPress Web URIs: wpcspReceiveCSPviol=1 and wpCSPNonce from the WP Content Security Policy Plugin

I started to receive these WordPress URIs after someone read one of my WordPress posts. This confused me. These are connected to WordPress Failure Notices, but not quite.

The first part, wpcspReceiveCSPviol=1, was once used in a WordPress spoof to redirect people to some other site, but there was no other URL and no redirection.

POST /wp?wpcspReceiveCSPviol=1&wpCSPNonce=6606ca489f HTTP/1.1

Brute Force xmlrpc.php Attack on WordPress: Case Study

Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.

I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko)

WordPress Comment Spam Methods

Hate, we do, all comment spam. They post, we delete, but I actively ban. Still, they come back for more. It must be economically worthwhile for these people to continually do this, because there seems to be no end in sight as to when they will stop. Comment spam is here to stay. Innovations are bound to happen, so I’ve logged what I have learned.

You will need to utilize your raw access log to see these techniques in action.

Your typical comment spam

Adding an Air Quality Widget to WordPress

Air, you really cannot live without it. Literally. Dirty air gets into everything, especially PM2.5 sized. No household air cleaners or air conditioners can get rid of this pollution. I’m sure a house sized hepa filter could do it, but open a door and your air quality would quickly drop. What would life be if you could not go outside?

Anyway, I thought I’d add city air quality readings to my WordPress blog, but I’m only partially satisfied. I actually want 2 cities but can only get one at a time. There are instructions on aqicn.org Air Quality Widget – New Improved Feed