Sometimes It Feels Like Work….

Your JoeDog distributes this software and hosts this site mostly as a hobby. He loves to code and he likes sharing his thoughts with you. Still, some days it can be aggravating. Some days it can be drudgery. Some days it can be both. Today was one of those days.

Yesterday evening an automated Turdpress update exposed a problem in Your JoeDog’s theme. This site came to a screeching halt. dowload.joedog.org was zippy quick but www.joedog.org lumbered along like a drunken walrus. Those sites share the same infrastructure so for once we couldn’t blame Amazon. It wasn’t a hosting issue. Something else brought the site to its knees.

Then Your JoeDog found this in his error_log:

PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 
940175 bytes) in /content/joedog.org/wp-includes/functions.php on line 380

So Your JoeDog went to line 380 of the functions.php file in his theme directory.  Line 380 was the end of the file. At that location, he discovered were several functions no longer in use. He deleted those functions and — bam! — the site was zippy again. But here’s the thing: He misread that error message. The functions.php file wasn’t the one from his theme, it was a core Turdpress file.

So what happened? The current working theory is the one expressed at the start of this post. An upgrade exposed a flaw and Your JoeDog pulled a Homer. So we’re running again but this Saturday feels like just another day at work….



Helpful Heuristic: Quick Links In WordPress

Here’s a handy-dandy labor saving tip for you. Let’s say — and why not? — we want to make a linky-link like Pittsburgh Pirates in WordPress. With the URL copied to your clipboard, highlight the link text in the WordPress editor then hit Ctrl-v. Done and done. No need to use the chain link icon. You’re welcome.

NOTE: Andrew McCutchen tied the game for the Pirates in the bottom of the eight as Your JoeDog was working on the Pittsburgh Pirates link for this entry….



How To Stop A WordPress Dictionary Attack

You guys! Lest we forget, Your Joe Dog was under attack!

Apparently there’s a widespread dictionary attack that uses tens of thousands of malwared computers to attack WordPress sites. Your JoeDog uses WordPress as a CMS. Your JoeDog was attacked!

The extent of the attack was not initially clear. I was alerted by sluggish performance. I noticed a lot of POSTs to wp-login.php. Those POSTs appeared in the access log like this:

92.47.65.37 - - [17/Jun/2013:09:06:42 -0400] "POST /wp-login.php HTTP/1.0" 
200 3444 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/2010 Firefox/19.0"

I have a script that allows me to quickly block IP addresses with iptables. So I started harvesting addresses and blocking them. Done and done.

Except the attacker seemed to have an endless supply of IP addresses. The attack persisted no matter how many addresses I blocked.

Take a look at the log entry above. The referer field is empty. A JoeDog Fellow suggested I block all POSTs that don’t include a referer. Afterall, you don’t POST out of the blue – you submit a form in your browser. I blocked those types of requests with a simple mod_rewrite rule:

 RewriteCond %{REQUEST_METHOD} =POST
 RewriteCond %{HTTP_REFERER} ^-?$
 RewriteRule ^/(wp-login.php|wp-admin) - [F,NS,L]

Done and done. Amiright? Sadly, no….

Continue reading How To Stop A WordPress Dictionary Attack



Your Joe Dog Is Under Attack

Wanted: Kevin MitnickThis site has been under attack for several weeks now. The attacker is using an unthrottled brute force dictionary attack. He seems to have an unlimited supply of IP addresses. After examining some of the source addresses, I’ve concluded that we’re on the wrong end of a bot net.

I’ve been harvesting IP addresses and blocking them as fast as I can. I’ve also added Rewrite rules to deny these attempts based on his request signature. Those rules reduce overhead since his requests won’t generate database transactions. Yet no matter how many timeouts he gets and no matter how many Access Denied responses he endures, the attacks persist.

Because this dictionary attack is unthrottled, the affect is, at times, not unlike a DOS attack. Your Joe Dog is a public service with shallow pockets. We simply don’t have the resources to eat these attacks and provide you with snappy service. Bare with us as we deal with this asshole.

UPDATE: While it provides additional inconvenience, I applied an access control to the page he’s attacking. You can protect a single file inside a FilesMatch block like this:

 <FilesMatch "wp-login.php">
   AuthType Basic
   AuthName "Kiss my fscking ass"
   AuthUserFile /path/to/my/file
   Require user franklindelanoroosevelt
 </FilesMatch>

Obviously, some of that information was obfuscated but “Kiss my fscking ass” really is the realm I’m using.

The benefit to this approach is two-fold: 1. Apache doesn’t expend much effort to say, “401 gimme a password!” 2. If this layer is cracked, he still has to bust the next one before I reset the password on the first one….

 



Newlines In WordPress

Did you ever want to add a new line to a WordPress entry but it gives you a new paragraph? Instead of this:

– haha
– papa
– mama

You get this:

– haha

– papa

– mama

I hate that. It adds extra space between each line. Fortunately, there’s an easy fix. In order to produce the first list without spaces between each line, just hold the shift key while you hit return.