Not Spambots!

As many know, a trove of SkS images was discovered resulting in some discussion of whether “Mad Hackor Skillz” were involved in finding these. In a post at WUWT, Brandon explained how he actually found these. No “Mad Hackor Skillz” were involved.

Brandon’s post did however result in some discussion of security at my blog, with Poptech making various suggestions. One of his comments seems to suggest that no one would even try to hack my blog,

Jo Nova got legitimately hacked because she has the most popular skeptic website in Australia, you don’t. All of the legitimate instances are likely comment spam bots trying to post links, a bulk is likely false positives. You are just not that important.

Of course that statement is wrong on many counts. I’m not going to discuss them all. But since I have access to my server logs, while Poptech does not, I thought I would show the sorts of entries I suspect are much more likely to be attempts to hack in rather than attempts to post comment spam. Here’s a set from this morning’s logs:

174.24.204.75 - - [11/Aug/2013:06:17:15 -0700] "GET /wp-login.php HTTP/1.1" 404 1837 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

174.24.204.75 - - [11/Aug/2013:06:17:15 -0700] "GET /administrator/index.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

174.24.204.75 - - [11/Aug/2013:06:17:15 -0700] "GET /admin.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

These requests seem to be ‘fingerprinting’ or ‘vulnerability scans’, which attempt to probe the site in anticipation of hacking. That can be diagnosed by recognizing that

  1. /wp-login.php preceded by the blog name is the default location of the login page for WordPress.
  2. /administrator/index.php preceded by an appropriate domain name is a default location for Joomla’s administration login.
  3. /admin.php preceded by a domain name is a default location for administration of lots and lots of php systems. (If you do an advanced google search for urls containing that string you’ll find tons of stuff.)

Notice the requests are all from the same IP; all 3 arrive during the same second. Though Poptech decrees the hits to my site are probably spambots, I would suggest that these are nothing of the sort: They are cracker bots or hackbots. Specifically: someone has programmed something to try to hack into websites and sent that cracker bot to my site.
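As an added example (not code from the original post), here is a small Python script that applies the diagnosis above to Apache combined-format log lines: it parses each line, picks out requests for default admin locations, and flags any client that asks for two or more distinct ones inside a short window, which a real administrator never does. The sample lines, the documentation-range IPs and the watchlist of paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, which the lines quoted in the post follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default admin locations named in the post and comments. Assumed
# watchlist; extend it for the CMSes you actually care about.
ADMIN_PATHS = (
    "/wp-login.php",             # WordPress default login page
    "/administrator/index.php",  # Joomla administration login
    "/admin.php",                # generic PHP admin page
    "/extras/curltest.php",      # Zen Cart probe from the comments
)

# Constructed sample log (documentation-range IPs): one client fires three
# admin guesses in one second and gets 404s; the other is the site owner
# logging in at the real (non-default) location and reading a post.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2013:06:17:15 -0700] "GET /wp-login.php HTTP/1.1" 404 1837 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Aug/2013:06:17:15 -0700] "GET /administrator/index.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Aug/2013:06:17:15 -0700] "GET /admin.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2013:06:20:01 -0700] "GET /musings/wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2013:06:21:30 -0700] "GET /musings/2013/not-spambots/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not
    match, so a malformed line is skipped rather than crashing the run."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_admin_probe(rec):
    """True when the path ends in a default admin location, whatever
    directory prefix the scanner guessed in front of it."""
    return any(rec["path"].endswith(p) for p in ADMIN_PATHS)


def find_probe_bursts(lines, window_seconds=10, min_paths=2):
    """Return {ip: sorted distinct admin paths} for each client that hit
    at least min_paths distinct admin locations inside window_seconds.
    A real administrator uses one path, so a lone login never triggers."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_admin_probe(rec):
            by_ip[rec["ip"]].append(rec)
    bursts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = {r["path"] for r in recs[i:]
                         if (r["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(in_window) >= min_paths:
                bursts[ip] = sorted({r["path"] for r in recs})
                break
    return bursts


if __name__ == "__main__":
    for ip, paths in find_probe_bursts(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(paths)} admin paths: {', '.join(paths)}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the 404 status is left out of the rule on purpose, since a scanner that happens to guess the right path gets a 200 and is still a scanner.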

A reader might say: “Oh. But that’s only one attempt.” Nope: looking back over the previous 3 days of logs, I see dozens of these a day. In case you are wondering: Yes, these appear at the nearly defunct knitting blog too, though to a lesser extent.

Another reader might ask, “Are these targeted at your site?” My answer: “I doubt it”. The reason I doubt it’s targeted is that anyone specifically targeting my blog would already know I use WordPress. They would know my blog is at “http://rankexploits.com/musings”, not “http://rankexploits.com”, and so would at least guess the correct location of the login file. (BTW: Do not guess it and visit. You will probably get banned.) This looks a lot more like a script kiddie who has collected a bunch of domain names to visit and set his script to guess URLs. The script would likely keep track of ‘hits’ vs. ‘misses’. Once he finds ‘hits’ he would set a new script on that URL and attempt a dictionary attack or possibly hunt for other vulnerabilities.

Some might wonder: Do such scripts really exist? Would anyone really spend time trying to find login pages this way? The answer is yes. In fact, you can find a script at github.com.

That script asks the user to enter a domain name (e.g. “rankexploits.com”) and then proceeds to hunt for 357 different possible guesses for various resources, starting and ending with

Adminlist = ["admin", "adm", "admincp", "admcp", ..., "administrador/", "ADMIN/login.php", "panelc/", "ADMIN/login.html"]

The script also reports some useful information to the user. For example, if the domain returns a “200” (i.e. page found), the script prints out ‘Administrators Page Found: {0}\n’.format(Admin) (with the guessed path substituted for “{0}” by the .format(Admin) call).

One would suppose that a kiddie running this script would use its output as input to a second script, which would proceed to attempt to log in by submitting a “POST” with a format tailored to the particular CMS (e.g. WordPress, Joomla and so on). Of course, a slightly more clever script kiddie would modify the script to write output to a file to better automate hacking attempts; they would also automate selection of domains in some way.

I could next talk about how best to respond to page requests by these scripts. But the fact is, while everyone should adopt some universally agreed-on minimum behaviors (like steps 1 and 2 on this page), the best response depends on the level of security required, the purpose of one’s site, the budget for site hosting and, surprisingly to some, one’s preferences. Discussion of what is worth doing requires understanding the behavior of the entire population of hackers, whose talents and goals vary, and recognizing that different actions might be required to improve security and to save server resources. Such a conversation would be extremely long, so I’ll defer discussion of that to comments.

However, with respect to Poptech’s assertion that the things I identify are probably spambots: I think I can safely say that these visits have nothing whatsoever to do with spam. They are cracker-bot visits directed by script kiddies whose ultimate intention is to hack into whatever CMS they can find.

I would also note that whoever is running these bots probably doesn’t have “Mad Haxor Skillz”. Despite that, they will probably manage to hack somebody. I have no idea what they will do after hacking into a CMS. But whatever their intentions, I prefer to ban them from my site.

27 thoughts on “Not Spambots!”

  1. This is a very well funded and executed global activity. Lots of security sites are talking about it, eg: http://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/77730

    There is a problem in that there are a lot of older WordPress installations out there that are very vulnerable. That creates a spill-over effect since the only way to know if an older installation is present is to try it, and all that trying is filling up the logs of those of us who regularly update WordPress.

    What caused the earlier 404 error with this thread? Was it the “.” in the title?

  2. dp–
    I don’t know what caused the 404 error. It didn’t register anything in the killed_log.txt files. I got it too. So I renamed the post and reposted.

    Yes. I’ve been reading the articles on the threats since April.

    On this

    That creates a spill-over effect since the only way to know if an older installation is present is to try it, and all that trying is filling up the logs of those of us who regularly update WordPress.

    I bet the spillover even hits sites with no WordPress. Writing code with every possible “if” is time consuming. Examination of server logs suggests people write fairly simple code and just accept that most of the time, they get a 404 or 403, and sometimes they hit gold. There is lots of pretty obvious “guessing” of urls. So, it’s plausible the bot-net, designed to break into WordPress sends requests to sites where WordPress is not installed.

  3. Very definitely non-WP sites are probed. Here is an email report from my log watch script that specifically looks for this and other admin account probes:

    1 93.120.85.59 /wp-login.php **.***.***.**
    1 93.120.85.59 /wp-login.php *****.com
    1 93.120.85.59 /wp-login.php ******.us
    1 93.120.85.59 /wp-login.php ******-**-*********.net
    1 93.120.85.59 /wp-login.php **********.com
    1 93.120.85.59 /wp-login.php ******.net
    1 93.120.85.59 /wp-login.php **********.com
    1 93.120.85.59 /wp-login.php ******.********.net
    1 93.120.85.59 /wp-login.php ********.org
    1 93.120.85.59 /wp-login.php *****************.com
    1 93.120.85.59 /wp-login.php ********************.com
    2 93.120.85.59 /wp-login.php ******.com
    1 93.120.85.59 /wp-login.php **************************.com
    1 93.120.85.59 /wp-login.php **********************.com
    1 93.120.85.59 /wp-login.php ************.com
    1 93.120.85.59 /wp-login.php *******-*********.com
    1 93.120.85.59 /wp-login.php *********.net
    1 93.120.85.59 /wp-login.php *************.com
    1 93.120.85.59 /wp-login.php *****************.com
    1 93.120.85.59 /wp-login.php *********.com
    1 93.120.85.59 /wp-login.php ***.******************.com
    1 93.120.85.59 /wp-login.php ***.******************.org
    1 93.120.85.59 /wp-login.php ***.****************.com
    1 93.120.85.59 /wp-login.php ***.*************.org
    1 93.120.85.59 /wp-login.php ***.********************.com

    Most of these sites I host do not have WordPress. This probe lasted about 30 seconds. Here is the perp:

    # wi.sh 93.120.85.59

    IP: 93.120.85.59
    inetnum: 93.120.84.0 – 93.120.85.255
    descr: S.C. SoftGuard Business Management Systems S.R.L.
    descr: Str. Franz Liszt Nr. 4
    descr: Timis, Timisoara
    country: RO
    address: Aleea Diham, Nr. 5
    address: Bucuresti, Sector 2
    route: 93.120.84.0/23
    descr: Softguard

    wi.sh is a whois shell script I wrote that sucks the useful info from whois pages:

    # cat wi.sh (Note there are three lines in the script so ignore possible linewrap)
    echo;echo "IP: $1"
    /usr/bin/whois -s "$1" | /bin/egrep -i \
    "^(orgname:|orgid:|city:|StateProv:|country:|descr:|ref:|netrange:|cidr:|inetnum:|route:|address:|network:)"

    93.120.84.0/23 isn’t a very large network but it is all in the IPTABLES file now.

  4. Spambot or not, Joanne Nova blocks many people from posting comments, especially when they ask for evidence to support her crazy ideas. Did you hear the one about the oceans being warmed from the sea floor vents? She thinks the 700m-2000m OHC is getting warmer from an increase in hydrothermal vent activity – despite there being no evidence for this.

  5. WheresWallace,
    The average temperature from 700m to 2000m can increase, or the OHC for 700m to 2000m can increase, or the water from 700m to 2000m can warm, but OHC most certainly can’t be ‘getting warmer’. Units of energy do not have a temperature; you can’t warm or cool a joule.

  6. I suspect this is the original story that Jo Nova linked to:

    Hydrothermal vents may contribute more to the thermal budget of the oceans than previously assumed

    Geothermal vents actually do warm the deep ocean (maybe “more than we thought”), that’s just physics, but in general geothermal warming is included when you compute the Earth’s heat energy budget. Nothing particularly crazy about any of this.

    Suggestion for WheresWallace: Technically illiterate people should stick to technically illiterate blogs where nobody notices how confused and poorly informed they are.

  7. @lucia
    http://joannenova.com.au/2011/12/the-travesty-of-the-missing-heat-deep-ocean-or-outer-space/

    Nova says “and if the water 2,000m down is warming, it’s more likely that subterranean heat is rising up from the planet-sized-ball of molten lava below, rather than leap frogging down from atmospheric imbalances in a trace gas.”

    http://joannenova.com.au/2012/10/man-made-global-warming-disproved/#comment-1255990

    Nova says “Me, I’m thinking of hydrothermal vents at 400C (average depth 2100m), not to mention black smokers, chimneys, warm diffusing undersea ridges, and I wonder if they increased their activity by 0.01% whether they might affect the water directly around them?”

    @SteveF & Carrick – I’ve forwarded your comments to pedanticsrus.com Cheers!

  8. WheresWallace,

    One thing I’m personally rather critical of is people paraphrasing other people rather than taking the two seconds it takes to copy and paste what the person really said.

    I’m not sure you have much left once you let Nova speak in her own words. She did clearly label her opinion as her opinion, did she not? It’s probably wrong, but so are most other opinions.

  9. Carrick/WhereWallace,
    My main issue here is that if WheresWallace thinks there is something obviously wrong with JoAnnNova’s claim, WheresWallace should tell me why he thinks it’s obviously wrong, providing empirical evidence and some discussion of phenomenology. Otherwise, I seem to be left with “homework” to figure out precisely why he thinks there is something clearly foolish in what Joannenova said.

    Has WheresWallace done bounding calculations about how much an increase in thermal vents might make on temperature at the bottom of the ocean? Has he compared this to the amount that might be down-welling? Especially in light of failure to detect an increase in OHC in the upper layers? And so on.

    Am I just supposed to magically “know” the results of all such bounding calculations? Because — you know what? I don’t.

    @SteveF & Carrick – I’ve forwarded your comments to pedanticsrus.com Cheers!

    Not sure what this is supposed to communicate. Are they supposed to be frightened? Should they care who you forward stuff to? For that matter, who the heck is pedanticrus.com? I’m mystified.

  10. I wonder what magically stops heat from transferring below 700m? Ocean eddies, gyres and radiative heat transfer, and correct me if I am wrong, all seem to obey the laws of physics.

    Evidence for an increase in hydrothermal vents, that somehow have transferred their heat from an average depth of 4,000+ meters to the 700-2000m level is as abundant as evidence for the hypothesis that Moby Dick is the cause.

    The responsibility for supporting her idea lies with her. I’ll not go blaming Migaloo without real evidence.

  11. To go back to the subject of this post – bots and hacking.

    Pretty much every IP address on the internet gets probed multiple times a day to see if it is a web server. If it is, the attackers then try some or all of the attempts you noted using scripts similar to the github one.

    It sounds like you are blocking attackers. I’m not sure if you are doing so automatically or manually. If manual then there are plenty of tools that can automate this e.g. fail2ban. You may also find it useful to contribute data to the DShield project and use the output of that as a blocklist so as to reduce your attack surface.

  12. FrancisT
    I’m blocking automatically with ZBBlock. I can’t use fail2ban on my VPS hosting since my server is “virtual private” not “real private”. I’ll look up DShield.

  13. WheresWallace

    I wonder what magically stops heat from transferring below 700m? Ocean eddies, gyres and radiative heat transfer, and correct me if I am wrong, all seem to obey the laws of physics.

    Who claims heat doesn’t transfer below 700m? Does anyone claim eddies, gyres etc. don’t obey laws of physics? (I’m wondering a bit about what you are trying to imply by ‘radiative heat transfer’ at 700 m of water. I know water is not opaque like dirt... but what are you contemplating here?)

    Evidence for an increase in hydrothermal vents, that somehow have transferred their heat from an average depth of 4,000+ meters to the 700-2000m level is as abundant as evidence for the hypothesis that Moby Dick is the cause.

    And.. this is relevant to what JoNova actually said how? (Anyway, if ocean gyres and so forth are operating, I don’t know why heat transfer is somehow magically blocked between 700-2000m. If it happens, it can happen both in the ‘up’ and ‘down’ direction.)

    The responsibility for supporting her idea lay with her. I’ll not go blaming Migaloo without real evidence.

    Sure. She has the responsibility for supporting her idea. But she’s not required to support ideas she hasn’t advanced. And you haven’t quoted or linked so that we can figure out what her idea is.

    It might be nice if you quoted or linked so we know whether she even claimed whatever notion you seem to be rebutting. Until you show what she claimed I’ll assume you have not rebutted anything she actually claimed.

  14. “Who claims heat doesn’t transfer below 700m?”

    Joanne Nova does. Follow the links I provided earlier. Read her article and her comments.

  15. Re: WheresWallace (Aug 14 16:47),

    14C from atmospheric bomb tests in the 1950’s has transferred to well below 700m. While 14C transport has chemistry involved as well as diffusion, it’s still mainly diffusion. Carbon dating shows the abyssal water to be ~2,000 years older than the surface water. If there were no mixing, it would be a lot older.

    Why do you care what Joannenova thinks anyway? I certainly don’t.

  16. New water? Churning it up all the time I guess. One of the main theories about where the oceans came from in the first place is that they bubbled up from the mantle. But that is inconvenient for the theory that deep water is old water.

  17. Wheres Wallace

    “Who claims heat doesn’t transfer below 700m?”

    Joanne Nova does. Follow the links I provided earlier. Read her article and her comments.

    Nonsense. The part you quoted is JoNova saying heat transfer can occur at depth. Specifically:

    it’s more likely that subterranean heat is rising up

    Heat rising up is heat transfer, and that heat transfer is going on below 700 m. So: you are just wrong. She says heat transfer occurs below 700.

  18. lucia:

    I don’t know why heat transfer is somehow magically blocked between 700-2000m. If it happens, it can happen both in the ‘up’ and ‘down’ direction.

    Sorry to interrupt your red-cat pouncing on the mouse play with the Wallace, but I thought it worth noting a bit of the physics at work here (as well as I understand it and hopefully no further): It is true that heat energy exchange can occur in both directions, but it’s worth noting that warm water spikes preferentially move upwards and cold water spikes downwards.

    I know you know this, but I thought others who haven’t looked at this, might find this interesting:

    One should be able to sort out the physics associated with my assertion using this illustration.

    The green line shows the unperturbed pressure vs temperature profile associated with a particular ARGO sensor on a particular day (decibars ≈ meters). I’ve inserted a positive temperature spike (red) and a negative temperature spike (blue).

    It’s relatively easy to see that the original green profile is stable—no convective mixing. This is because a positive temperature gradient typically equals a negative density gradient in the ocean (warmer water is typically less dense of course).

    That means that if you displace a parcel of water upwards, it will be denser than the surrounding water and will tend to sink back to its original depth.

    If you inject a parcel of warmer water, it will be less dense than the surroundings and will tend to rise to the depth where the temperature is the same. Similarly colder parcels of water will tend to sink to the same depth where the temperature is the same.

    This has interesting implications—a volcanic eruption, which results in surface cooling, will quickly be communicated downwards via convection. A warming event will result in a warmer surface, that will only slowly–through ocean currents and temperature conduction—result in a new equilibrium profile.

    Similarly, if you have a thermal event on the bottom of the ocean (or transfer of geothermal energy from the ocean floor), this will efficiently be transmitted vertically. Vents are more involved, because they are continuous in outflow, and the water that is being injected has a different salinity, which aids mixing.

    Seems like this statement:

    it’s more likely that subterranean heat is rising up

    is consistent with that and that Wallace is assuming that everybody else is as equally uninformed as he apparently is.

  19. Carrick–
    Yes. As a generic statement, heat is more likely to rise than sink. As far as I can tell not only does Joan not suggest anything

    magically stops heat from transferring below 700m?

    or say anything to contradict “Ocean eddies, gyres and radiative heat transfer, and correct me if I am wrong, all seem to obey the laws of physics.”, she is pointing out the fact that warm water from lower depths is more likely to rise. So there is an additional mechanism. Now it may well be that JoAnn did say something incorrect. But all WhereisWallace seems to be doing is criticizing her for claiming something she did not claim.

  20. On the hacking front: today’s gems

    … /musings/2013/not-spambots/extras/curltest.php
    …/musings/2013/extras/curltest.php

    What’s /extras/curltest.php looking for? A Zen Cart vulnerability.
    http://www.securityfocus.com/bid/37283

    http://xforce.iss.net/xforce/xfdb/54687 says the vulnerability “allows remote attackers to read arbitrary files via a file:// URI ”
    This would be a bad thing. Even without my scripts this wouldn’t succeed because I don’t have ZenCart installed. But it does show those scriptkiddies do just try to hack everyone and everything.

  21. Ww-
    Your comment was moderated because you are a first time commenter. This is a feature of WordPress and I don’t suppress it. The policy is indicated under the Submit button where it reads “Note: First & second time commenters may be moderated. If you have questions,”.

    Your IP is obviously not blocked because you were able to load the page and comment.

  22. Lucia-

    Interesting US District Court ruling regarding Craigslist and 3Taps, a third party content scraper:

    http://www.scribd.com/doc/161362591/Craigslist-Ruling-on-CFAA

    Of note, Craigslist tendered a cease and desist letter to 3Taps, 3Taps continued to access Craigslist via a proxy server. The court ruled that intentional use of a proxy server to circumvent the letter is subject to criminal/civil penalties under CFAA.

    “…The Plain Language of the Statute
    The CFAA imposes criminal penalties on any person who, among other prohibitions, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). A “protected computer” is a computer “used in or affecting interstate or foreign commerce or communication.” Id. § 1030(e)(2). “Any person who suffers damage or loss by reason of a violation of [the CFAA] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief,” provided that certain factors, not in dispute for the purpose of this motion, are satisfied. Id. § 1030(g)”

    This may be far reaching. Climate bloggers may want to use caution using a Proxy IP to access data after subsequently being blocked by the data owner.

  23. Duke C.
    Yes. I read that. It’s those accessing. In this case, the judge noted that the hard hypotheticals weren’t applicable because 3Taps connected with proxy IPs after:
    1) Craigslist sent them a cease and desist telling them to not connect for any purpose whatsoever.
    2) 3Taps was violating Craigslist TOS and
    3) Craigslist blocked 3Taps IPs.

    So, there is no question of ambiguity, “not knowing” that Craigslist didn’t want 3Taps specifically to not connect and 3Taps had to actually do something to get around the technological block. (It’s not a difficult block to get around. But it was present and blocked them.)

    I strongly suspect that it was their servers being blocked and so to a large extent, the IPs being blocked were effectively static. And it would be very, very clear that it’s 3Taps IPs and not someone else’s IPs blocked. Plus, there is a cease and desist.

    I think the case is interesting. Oh… also, I’m not a lawyer, but the only thing the judge ruled was that he would not dismiss the CFAA case against 3Taps. He hasn’t actually ruled on the case. So I anticipate there will be further legal discussions when the case actually gets to court.
