Recently I have been observing a different WordPress spam technique that uses WP trackbacks. This technique has some interesting characteristics that are unlike other types of spam, so my usual clues as to origin and banning method did not work. Fortunately this technique also has some unique characteristics that can be used to ban them. Fortunately.
When one WP site links to another WP site, the WP sites communicate with each other using a method called trackbacks. The first site sends a trackback request to the second site. The second site posts the trackback as a special comment, which invites the user to click through to the first site. These trackbacks are automated, making it convenient for both sites.
This is a preview of
WordPress Trackback Spam Technique for Content Spamming
. Read the full post (1127 words, 1 image, estimated 4:30 mins reading time)
Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1
This hack suspended the hosting account and the web site as a malware infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in, This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.
This is a preview of
Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination
. Read the full post (1149 words, 6 images, estimated 4:36 mins reading time)
The National Post put up a news article about user centered design in cars, which turned out to be an ad. I took screen caps of this offending article and wrote about it. The image file name I used included the snippet “-ad-“, which was enough for my ad-block plus browser plugin to remove it from my view. Only after renaming the file name and reuploading it could I actually see the ad. Lesson learned.
Reading, I was, about a web site security tool from Mozilla, so I had to try it. My site, the one you are on now, rated “D-“. It was no consolation that most sites rate “F”. Within the rating there was this criteria called “Content Security Policy” (CSP) that tweaked my interest.
Content Security Policy: Purpose
A CSP is a policy that you put into the head section of your page that whitelists all the sites that contribute to your page. If someone tries to add something to your page’s content but is not on you CSP, your browser will not load it. This stops a nasty infection of something called “cross site scripting” or XSS.
Again, they come, but this time with individual IPs. Huh? Not so funny anymore. 18 individual IP, all timed differently.
UA: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
Permanent link to this post
(71 words, 0 images, estimated 17 secs reading time)
Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.
- 22.214.171.124: 126.96.36.199 – 188.8.131.52 WIFLY GA GABON has tried security hacks on my site before, 6 attempts
- 184.108.40.206 mes.megion.ru 220.127.116.11 – 18.104.22.168 Lider Telecom Ru, 52 attempts
- 22.214.171.124 126.96.36.199 – 188.8.131.52 Wimax New Delhi IN, 8 attempts
Three hackers, one from Africa, one from Russia, one from India. This is the global entity called the Internet.
Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.
I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko)
This is a preview of
Brute Force xmlrpc.php Attack on WordPress: Case Study
. Read the full post (1619 words, 0 images, estimated 6:29 mins reading time)
Hate, we do, all comment spam. They post, we delete, but I actively ban. Still, they come back for more. It must be economically worthwhile for these people to continually do this, because there seems to be no end in sight as to when they will stop. Comment spam is here to stay. Innovations are bound to happen, so I’ve logged what I have learned.
You will need to utilize your raw access log to see these techniques in action.
Your typical comment spam
Air, you really cannot live without it. Literally. Dirty air gets into everything, especially PM2.5 sized. No household air cleaners or air conditioners can get rid of this pollution. I’m sure a house sized hepa filter could do it, but open a door and your air quality would quickly drop. What would life be if you could not go outside?
Anyway, I thought I’d add city air quality readings to my WordPress blog, but I’m only partially satisfied. I actually want 2 cities but can only get one at a time. There are instructions on aqicn.org Air Quality Widget – New Improved Feed