wordpress hacking attempt spotted

Wouter Groeneveld 2021-03-29 18:23:18 +02:00
parent cbeb3d3ab3
commit 8600487b13
3 changed files with 37 additions and 2 deletions


@ -32,7 +32,7 @@ According to the HTTP Archive, the average size of a webpage [has gone up to 203
## Back to the 90s Web, then.
As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/).
As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/). Oh, and MySpace is back, in the form of SpaceHey. Thanks, [Garrett Brown](https://blog.spacehey.com/entry?id=12111)!
Then there's the ActivityPub protocol - an even more complicated set of agreements coded in a bunch of REST services. It gave birth to Mastodon (where I learned a lot about these efforts, thanks!), [Pixelfed](https://pixelfed.org) as a federated alternative to Instagram, and they're working on [BookWyrm](https://www.bookwyrm.social/), a social reading and reviewing platform on the same protocol that hopefully proves to be more interesting than the now ad-ridden Goodreads.
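Review bot: "MySpace is back, in the form of SpaceHey" in the added sentence overstates it; SpaceHey is a MySpace-styled social network built from scratch, not MySpace itself returning, so "MySpace is back in spirit, in the form of SpaceHey" (or "a MySpace clone, SpaceHey") would be accurate. The new sentence also reads as an afterthought tacked onto the list of examples; folding it into the enumeration ("the blogroll comeback page, guestbooks, and even a MySpace clone in the form of SpaceHey") would flow better with the paragraph it extends.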


@ -0,0 +1,33 @@
---
title: Lousy Wordpress Hacking Attempts detected
subtitle: Spotted in nginx error logs
date: 2021-03-29
---
My Dutch bread baking blog, [redzuurdesem.be](https://redzuurdesem.be), was migrated from Wordpress to Hugo years ago. During the transition, I came up with a bunch of shoddy scripts that did the job adequately: copying over `/wp-content/` to the `/static/` directory in order to preserve relative image locations.
Wodpress-enabled sites are _very_ easy to spot: just look for `wp-` anything in the source, or try out the location `/wp-admin` if you fancy a brute-force attack. Naturally, some pages of my site still comply to this rule, because of the archived image folder. Some Russian malicious IP, [45.146.165.157](https://www.abuseipdb.com/check/45.146.165.157), that has been reported numerous times before at abuseipdb.com, tried the following today:
```
2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179872 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /console/ HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179873 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /Autodiscover/Autodiscover.xml HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179875 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179876 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179877 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179878 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179879 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179880 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /_ignition/execute-solution HTTP/1.1", host: "146.59.146.120:80"
```
I mean, really? `<?php>die(@md5(HelloThinkCMF))</php>`? Are servers that badly managed that any GET parameter is dynamically evaluated on the server?
You might notice a repeating pattern in the above log: when setting up the new server (the previous one [got up in flames](/post/2021/03/always-have-a-disaster-recovery-plan/) a couple of weeks ago), I forgot to add the classic 404 page - which results in an error entry in the nginx log. To be honest, I never check those logs. I happened to be looking for something else and got curious.
Now, what to do? Well, nothing. Smile. It's all static. Still, it's very sad to see these pathetic attempts, and it makes me angry because years ago, a Wordpress site of mine _was_ effectively hacked because I did not upgrade the instance in due time. If those guys are any good at coding, their skills could have been used for good instead of bullying people.
Time to test out the [Fail2ban jail config](https://www.thegeekstuff.com/2010/07/fail2ban-howto/)... I guess I need to keep an eye out for malicious behavior in the future, 'cause I do have some dynamic stuff running on there. Wait, no, let Fail2ban monitor your nginx error/access logs automatically and [decide what to do with it](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)!
Hope you Russians are reading this and saying вызов принят (challenge accepted)!
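Review bot: the title and the opening theory (WordPress sites are spotted by `wp-` paths, and the archived `/wp-content/` folder is why this site got hit) are not supported by the log excerpt itself. Of the eleven requests only one, `/wp-content/plugins/wp-file-manager/readme.txt`, is WordPress-related; the others probe PHPUnit's `eval-stdin.php`, Solr (`/solr/admin/info/system`), a `/console/` path, Exchange Autodiscover, ThinkCMF and ThinkPHP, Xdebug (`XDEBUG_SESSION_START=phpstorm`), Liferay's `/api/jsonws/invoke` and Laravel's `/_ignition/execute-solution`. Every line also shows `server: _` and `host: "146.59.146.120:80"`, i.e. the scanner hit the bare IP and landed in nginx's catch-all server block; it never looked at redzuurdesem.be or its image folder. This is an indiscriminate mass scan, and the paragraph about "some pages of my site still comply to this rule" should be dropped or reworded accordingly. Smaller points: "Wodpress-enabled" is a typo for "Wordpress-enabled"; the quoted payload in "I mean, really? `<?php>die(@md5(HelloThinkCMF))</php>`" does not match the logged request, which is `<php>die(@md5(HelloThinkCMF))</php>`, and the answer to the rhetorical question is that nobody evaluates arbitrary GET parameters: `<php>` is ThinkPHP template syntax and the request is a probe for a known ThinkCMF bug in which the `content` parameter of the `fetch` action is rendered as a template, with `md5(HelloThinkCMF)` in the response telling the scanner it worked (the ThinkPHP `invokefunction&function=call_user_func_array` line next to it is the same idea for a different product). "Now, what to do? Well, nothing. Smile. It's all static." is contradicted two paragraphs later by "I do have some dynamic stuff running on there", so the conclusion should be qualified rather than stated flatly; the DigitalOcean Fail2ban link is a tutorial for Ubuntu 14.04, which is long out of support, so link the Fail2ban documentation or a current guide; and consider whether you want your own server's IP (`146.59.146.120`) published verbatim in the excerpt.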


@ -29,9 +29,11 @@ I was thinking about this, because yearly, I receive a few interesting trend rep
- [GitHut's Small Place to Discover Languages on GitHub](https://githut.info/)
- [Stack Overflow Annual Developer Survey](https://insights.stackoverflow.com/survey)
- [TIOBE Programming Languages Index 2021](https://www.tiobe.com/tiobe-index/)
- [The RedMonk Programming Language Rankings: Jan 2021](https://redmonk.com/sogrady/2021/03/01/language-rankings-1-21/)
- [JetBrain's The State of Developer Ecosystem 2020](https://www.jetbrains.com/lp/devecosystem-2020/)
- ...
Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/).
Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/). The RedMonk graph in particular is interesting because they contain a cross-cut of popularity rank on GitHub (x-axis) compared to the popularity rank on Stack Overflow (y-axis). For instance, many questions on Visual Basic still pop up on Stack, but not many projects use it on GitHub.
[^some]: Some clearly need a lesson or two in data visualization. The GitHut one makes no sense, even with my eyes firmly squinted.
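Review bot: subject/verb mismatch in the added sentence: "The RedMonk graph in particular is interesting because they contain a cross-cut of popularity rank on GitHub (x-axis) compared to the popularity rank on Stack Overflow (y-axis)" has a singular subject and a plural verb, and "a cross-cut of ... compared to ..." is awkward; suggested: "The RedMonk chart in particular is interesting because it plots each language's popularity rank on GitHub (x-axis) against its rank on Stack Overflow (y-axis)." In the following sentence "on Stack" should be "on Stack Overflow" for readers who do not use the shorthand. In the unchanged context just above, "JetBrain's" should be "JetBrains'" (the company is JetBrains), which is worth fixing while this paragraph is being touched.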