From 8600487b13aa4fbbf365bc2e07fbaf134e3b8682 Mon Sep 17 00:00:00 2001 From: wgroeneveld Date: Mon, 29 Mar 2021 18:23:18 +0200 Subject: [PATCH] wordpress hacking attempt spotted --- .../post/2021/03/exploring-the-alternet.md | 2 +- .../03/lousy-wordpress-hacking-attempts.md | 33 +++++++++++++++++++ ...udents-how-to-follow-development-trends.md | 4 ++- 3 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 content/post/2021/03/lousy-wordpress-hacking-attempts.md diff --git a/content/post/2021/03/exploring-the-alternet.md b/content/post/2021/03/exploring-the-alternet.md index 3833ca5d..0d3901a2 100644 --- a/content/post/2021/03/exploring-the-alternet.md +++ b/content/post/2021/03/exploring-the-alternet.md 
@@ -32,7 +32,7 @@ According to the HTTP Archive, the average size of a webpage [has gone up to 203 ## Back to the 90s Web, then. -As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/). +As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/). Oh, and MySpace is back, in the form of SpaceHey. Thanks, [Garrett Brown](https://blog.spacehey.com/entry?id=12111)! Then there's the ActivityPub protocol - an even more complicated set of agreements coded in a bunch of REST services. It gave birth to Mastodon (where I learned a lot about these efforts, thanks!), [Pixelfed](https://pixelfed.org) as a federated alternative to Instagram, and they're working on [BookWyrm](https://www.bookwyrm.social/), a social reading and reviewing platform on the same protocol that hopefully proves to be more interesting than the now ad-ridden Goodreads. diff --git a/content/post/2021/03/lousy-wordpress-hacking-attempts.md b/content/post/2021/03/lousy-wordpress-hacking-attempts.md new file mode 100644 index 00000000..019d014e --- /dev/null +++ b/content/post/2021/03/lousy-wordpress-hacking-attempts.md 
@@ -0,0 +1,33 @@ +--- +title: Lousy Wordpress Hacking Attempts detected +subtitle: Spotted in nginx error logs +date: 2021-03-29 +--- + +My Dutch bread baking blog, [redzuurdesem.be](https://redzuurdesem.be), was migrated from Wordpress to Hugo years ago. During the transition, I came up with a bunch of shoddy scripts that did the job adequately: copying over `/wp-content/` to the `/static/` directory in order to preserve relative image locations. + +Wodpress-enabled sites are _very_ easy to spot: just look for `wp-` anything in the source, or try out the location `/wp-admin` if you fancy a brute-force attack. Naturally, some pages of my site still comply to this rule, because of the archived image folder. Some Russian malicious IP, [45.146.165.157](https://www.abuseipdb.com/check/45.146.165.157), that has been reported numerous times before at abuseipdb.com, tried the following today: + +``` +2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179872 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /console/ HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179873 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /Autodiscover/Autodiscover.xml HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 
45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179875 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179876 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179877 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:47 [error] 162453#162453: *179878 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:48 [error] 162453#162453: *179879 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "146.59.146.120:80" +2021/03/29 09:57:48 [error] 162453#162453: *179880 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /_ignition/execute-solution HTTP/1.1", host: "146.59.146.120:80" +``` + +I mean, really? `die(@md5(HelloThinkCMF))`? Are servers that badly managed that any GET parameter is dynamically evaluated on the server? 
+ +You might notice a repeating pattern in the above log: when setting up the new server (the previous one [got up in flames](/post/2021/03/always-have-a-disaster-recovery-plan/) a couple of weeks ago), I forgot to add the classic 404 page - which results in an error entry in the nginx log. To be honest, I never check those logs. I happened to be looking for something else and got curious. + +Now, what to do? Well, nothing. Smile. It's all static. Still, it's very sad to see these pathetic attempts, and it makes me angry because years ago, a Wordpress site of mine _was_ effectively hacked because I did not upgrade the instance in due time. If those guys are any good at coding, their skills could have been used for good instead of bullying people. + +Time to test out the [Fail2ban jail config](https://www.thegeekstuff.com/2010/07/fail2ban-howto/)... I guess I need to keep an eye out for malicious behavior in the future, 'cause I do have some dynamic stuff running on there. Wait, no, let Fail2ban monitor your nginx error/access logs automatically and [decide what to do with it](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)! + +Hope you Russians are reading this and saying вызов принят (challenge accepted)! \ No newline at end of file diff --git a/content/post/2021/03/teaching-students-how-to-follow-development-trends.md b/content/post/2021/03/teaching-students-how-to-follow-development-trends.md index 25a7cd2e..cd42d904 100644 --- a/content/post/2021/03/teaching-students-how-to-follow-development-trends.md +++ b/content/post/2021/03/teaching-students-how-to-follow-development-trends.md 
@@ -29,9 +29,11 @@ I was thinking about this, because yearly, I receive a few interesting trend rep - [GitHut's Small Place to Discover Languages on GitHub](https://githut.info/) - [Stack Overflow Annual Developer Survey](https://insights.stackoverflow.com/survey) - [TIOBE Programming Languages Index 2021](https://www.tiobe.com/tiobe-index/) +- [The RedMonk Programming Language Rankings: Jan 2021](https://redmonk.com/sogrady/2021/03/01/language-rankings-1-21/) +- [JetBrain's The State of Developer Ecosystem 2020](https://www.jetbrains.com/lp/devecosystem-2020/) - ... -Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/). +Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/). The RedMonk graph in particular is interesting because they contain a cross-cut of popularity rank on GitHub (x-axis) compared to the popularity rank on Stack Overflow (y-axis). For instance, many questions on Visual Basic still pop up on Stack, but not many projects use it on GitHub. [^some]: Some clearly need a lesson or two in data visualization. The GitHut one makes no sense, even with my eyes firmly squinted.
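Review bot: in the new lousy-wordpress-hacking-attempts.md, the title and the `die(@md5(HelloThinkCMF))` paragraph frame the log as WordPress hacking that expects arbitrary GET parameters to be evaluated, but only one of the eleven requests touches `/wp-content/`; the others probe paths that belong to other software entirely (`/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`, `/solr/admin/info/system`, `/Autodiscover/Autodiscover.xml`, the ThinkPHP `invokefunction` route, `XDEBUG_SESSION_START`, `/api/jsonws/invoke`, `/_ignition/execute-solution`), which is the pattern of an indiscriminate mass scanner cycling through a fixed list of known application paths rather than a WordPress-targeted attempt. Consider rephrasing that paragraph: the `md5(HelloThinkCMF)` and `md5(HelloThinkPHP21)` requests are fingerprint probes whose response tells the scanner whether one particular product with one particular weakness is present, not evidence that servers in general evaluate query strings. A practical caveat for the Fail2ban paragraph: once the missing `404.html` is added (Hugo will render one from `layouts/404.html`), these requests stop landing in `error.log` and show up as ordinary 404s in the access log, so the jail should be pointed at whichever log they actually end up in. Two smaller points on the same file: every pasted log line carries the server's own address (`host: "146.59.146.120:80"`), which you may want to redact before publishing, and the Fail2ban links point to a 2010 howto and an Ubuntu 14.04 tutorial, so a current reference would serve readers better. Typos: `Wodpress-enabled` should be `WordPress-enabled` (and the product is spelled WordPress elsewhere too), `comply to this rule` should be `comply with this rule`, and the file is missing its trailing newline (`\ No newline at end of file`).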
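Review bot: in the added list item in teaching-students-how-to-follow-development-trends.md, `JetBrain's` should be `JetBrains'` (the company is JetBrains), and in the rewritten paragraph `The RedMonk graph in particular is interesting because they contain a cross-cut` should read `it contains` to agree with the singular subject. While that paragraph is being touched, `see if it's actually worth to do so` reads more naturally as `see if it's actually worth doing`.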