Josh linked to http://www.thegwpf.org/ on Twitter. I followed the link and my WOT add-on showed me this:
My initial reaction was that someone had gamed the ratings because they didn’t like the site. That was the reaction of a number of people who left comments at WOT. But I looked at their html and found hidden links to all sorts of “not good” sites. Here is the screenshot.
Add that to the list of hacked climate blogs.
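Link-injection hacks of this kind usually hide the inserted anchors inside an element that visitors never see (display:none, off-screen positioning, zero font size) so that only crawlers pick them up. The scanner below is an added example, not code from the post or from WOT; it walks a constructed HTML sample with Python’s standard-library parser and separates links nested under a hidden element from links a reader would actually see. The sample markup and its domains are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Inline-style tricks commonly used to hide injected link blocks from humans.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|"
    r"(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# Void elements never get a closing tag, so they must not touch the stack.
VOID = {"br", "img", "hr", "meta", "link", "input"}

# Constructed sample: two visible links plus three links hidden two different ways.
SAMPLE_HTML = """
<html><body>
<p>Read the <a href="https://example.org/report">latest report</a>.</p>
<div style="display:none">
  <a href="http://spam-pills.example/">cheap pills</a>
  <a href="http://casino.example/">online casino</a>
</div>
<span style="position:absolute; left:-9999px"><a href="http://loans.example/">loans</a></span>
<footer><a href="/about">About</a></footer>
</body></html>
"""

class HiddenLinkFinder(HTMLParser):
    """Collect <a href> targets, split by whether an ancestor (or the <a> itself) is hidden."""
    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: hidden or not
        self.hidden_links, self.visible_links = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        own_hidden = "hidden" in a or bool(HIDING_STYLE.search(a.get("style") or ""))
        inherited = bool(self.stack) and self.stack[-1]   # hiddenness cascades down
        self.stack.append(own_hidden or inherited)
        if tag == "a" and a.get("href"):
            (self.hidden_links if self.stack[-1] else self.visible_links).append(a["href"])

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def scan(html):
    """Return (hidden_links, visible_links) found in the document."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.hidden_links, p.visible_links
```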


What’s [Wot’s?] a WOT add-on?
It’s the “World of Trust” add-on for Firefox. It rates sites. http://www.mywot.com/
Wow. Is that what would happen to The Blackboard without constant diligence?
SteveF–
That’s one of the things the hackers try to do. But other problems arise from things that are not quite so objectively bad but which just suck bandwidth and cpu for reasons that have no benefit to either (a) me or (b) my site visitors. Some hacks are worse. A bot might try to ‘infect’ the server and turn it into a zombie-drone-hack server that hacks other machines. Once it’s a hack drone, it might be used to inject links (as in the screenshot) or it might be used to download malware onto visitors’ machines, or it might be used to DDoS someone during a coordinated attack. So, that’s worse than just injecting porn ads.
In all cases, getting these things off the site is necessary!
A big reason for the recent 6 or so weeks of relative silence is that my database reached a point where I have a sort of “critical mass” of data sufficient to identify suspicious “blocks” of IPs. So… I’ve been locating and reporting to Zaphod. He has better (or at least different) skillzzzz than I do.
Anyway, I’ve been sucking in my “killed_log.txt” files and those of others online, stored, and I have a searchable database. I can find recent IPs banned by me and others (for whatever reason.) Some of those are mistakes– and I sometimes delete mistakes. But patterns appear.
So.. go here:
http://bannasties.com/BanNastiesScripts/ShowBannedIPs.php
That’s the IPs banned *very recently*.
The ones like “RFI (http) (QU-107). RFI (http) (QU-237). WP Probe Detected (CUST-URI-001). INSTA-BAN. ” are very bad attack attempts– recently– but not at my site. 🙂
Here’s one from my site:
Opinion: bad cookie:(expires,path,domain,); INSTA-BAN. !! X |-| . . . ; Custom. 0 |:| prev: [] . || ( ax=0) [US] | 2 X_Forward= [unknown,67.209.190.8 ] Check Cookies; FORWARDED_FOR=[unknown,67.209.190.8] left over cookies:(0, names=[] ) ; no address avatar=[] num_missing_cookies=[1] Revisit: No cookies. [U
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
That’s my site. That was *probably* just a comment spammer who got “caught” because it set a cookie that tries to trick me into thinking it’s logged in somewhere. I’m checking a lot of stuff with cookies– some of the checks turned out to be pointless. (I see your eyes rolling, Brandon. Yes…. you knew the IP check was going to be pointless…)
Anyway, you might wonder: How is this useful? Well… scroll down. Notice near 142.54.163.74, there are quite a few entries starting with 142.54. Click one. (I’m going to go ahead and add the “Days” option)
http://bannasties.com/BanNastiesScripts/ShowDetailsIP.php?IP=142.54.187.74&Days=360
Notice tons of spam, scrape etc. between 142.54.163.0-142.54.187.255
Notice lots of hits? That’s a bit suspicious. So… go here:
http://whois.domaintools.com/142.54.163.74
Notice that Datashack would appear to be a hosting service (not ISP) and it’s in the range
142.54.160.0 – 142.54.191.255.
My theory: That company is pretty lax about permitting people to run bots. Or, its security is bad and their machines are now zombie drone spammers.
Anyway, it’s not an ISP. So, quite likely banning everything from that range would result in zero loss of real traffic to a blog. It could potentially result in loss of incoming pings or trackbacks. But that’s not a big loss.
Of course, I can’t be certain. But Zaphod and others at the ZBblock forum site know better how to follow up the ranges I identify as bad. I shared many of my blocked ranges — often based on just inspecting the logs of what is doing what at sites– with Zaphod and he’s following lots of them up. He’s confirmed I often find range that — based on other resources– really, truly are what the web admins consider “nests of vipers”.
Anyway, quite recently my database became “full enough” to just sit here and look at what’s in it. Also, it’s “full enough” that I can — at least casually– identify which of my concepts for rules caught a substantial number of “bad things”. (Monitoring for *fake* cookies is one of the notions that catches lots of “bad things” with few– actually zero– false positives. Zaphod of ZBblock is looking into doing that in a safer more general way than I do it.)
It looks like gwpf could use ZBBlock (and possibly my custom rules.)
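The procedure lucia walks through above (collect banned IPs, notice that many share a prefix, check the whois allocation, then decide whether a range ban would cost real traffic) can be automated over a ban log. The script below is an added example, not lucia’s or ZBblock’s code; it groups a constructed sample of ban records into /24 blocks, ranks the blocks by how many distinct hosts were banned, and tests membership against the 142.54.160.0/19 allocation quoted in the thread. The log entries are constructed; only that allocation comes from the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of ban-log records: (ip, reason). A real killed_log
# carries many more fields; only these two matter for block detection.
BAN_LOG = [
    ("142.54.163.74", "scrape"), ("142.54.163.80", "spam"),
    ("142.54.163.91", "spam"), ("142.54.187.74", "spam"),
    ("142.54.187.12", "scrape"), ("142.54.187.200", "RFI probe"),
    ("142.54.187.201", "spam"), ("203.0.113.5", "bad cookie"),
    ("198.51.100.77", "spam"),
]

# Allocation from the whois lookup quoted in the thread (142.54.160.0 - 142.54.191.255).
HOSTING_RANGE = ipaddress.ip_network("142.54.160.0/19")

def group_by_block(records, prefix=24):
    """Map each /prefix block to the set of distinct banned hosts inside it."""
    blocks = defaultdict(set)
    for ip, _reason in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[net].add(ipaddress.ip_address(ip))
    return blocks

def suspicious_blocks(records, prefix=24, min_hosts=2):
    """Blocks with at least min_hosts distinct banned addresses, largest first,
    so that candidate ranges 'pop out' of the log the way lucia describes."""
    blocks = group_by_block(records, prefix)
    hits = [(net, len(hosts)) for net, hosts in blocks.items() if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

def in_hosting_range(ip, rng=HOSTING_RANGE):
    """True if ip falls inside the whois allocation: one input to a range-ban decision."""
    return ipaddress.ip_address(ip) in rng

if __name__ == "__main__":
    for net, n in suspicious_blocks(BAN_LOG):
        inside = net.subnet_of(HOSTING_RANGE)
        print(f"{net}: {n} banned hosts; inside hosting allocation: {inside}")
```

Ranked blocks still need the manual follow-up the comment describes (whois, mixed-use checks), since a busy /24 at an ISP looks the same in the log as one at a hosting company.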
I’m telling you it was a whistle blower.
Yes, and it can be seen they use another company called Wholesale Internet to actually announce that IP block
http://bgp.he.net/AS33387#_graph4
and their single upstream provider looks to be just a low cost budget provider http://bgp.he.net/AS33387#_peers with similar hosting.
and if you’re curious, here are the websites that they host from the lower part of that range:
http://bgp.he.net/net/142.54.160.0/19#_dns the IPs you have are higher and evidently non-website hosts.
MrE–
Yep. Usually Zap looks these up in another location. The difficulty is that sometimes we need to see if the range contains a mix of people and spammers (some do). Also, these guys break up their ranges so they end up interlaced. The bad sub-bits are “popping out” in my database. But sometimes there is some teasing out required. I don’t know how to do that so well!
But thanks for those links. It helps me learn!
MrE– The names of those domains just sound spammy!!
lucia:
You have no idea how much my eyes have been rolling recently. Your security efforts are respectable, but I’ve taken to examining a number of blogs/sites, and it’s a joke. I’m starting to wonder if there isn’t a climate blog that couldn’t be infected with a fair amount of ease.
Brandon–
Yes. I know something could get through what I do to prevent it. And I do 1000% more than most climate blogs.
With the IP check– at least I did follow your suggestion-by-rhetorical question (if it was that) that maybe some things can be sandboxed. I often just try rules. But knew I wanted to see what would happen if I banned ip changers before I made that a rule. IPs change. They just do. Especially on mobile devices. (FWIW, lots of cr*p connections are on mobile devices. The fact the IPs change is an advantage for them. But… can’t ban people for changing IPs every 5 minutes. The innocent do it. Just happens.)
On the other hand– for the most part– except for changing to a feed user agent and back, user agent changes seem to be “evil”.
lucia:
For little things like spam and whatnot, things can obviously get through. I’m less certain about things wanting to take down/over your server.
It was primarily a genuine question, but it was also a suggestion. I find it a useful approach at times. Plus, I hadn’t given you any suggestions in a while, and I felt useless!
That looks like the usual stuff that link spam script kiddies insert. People try to stuff their links in any sites which they can. It happens to sites of all kinds… and I know of one other climate-related site which is still suffering from it. They’ve been notified, and told Lucia is one person to ask for advice. They have received at least my first message, so I won’t mention them here because their decisions are their business. Maybe they’re actually showing the links on purpose; I just don’t know.