wordpress hacking attempt spotted
This commit is contained in:
parent
cbeb3d3ab3
commit
8600487b13
@ -32,7 +32,7 @@ According to the HTTP Archive, the average size of a webpage [has gone up to 203
## Back to the 90s Web, then.
## Back to the 90s Web, then.
As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/).
As Max [likes to call it](https://mxb.dev/blog/the-return-of-the-90s-web/): things come around full circle. I don't see this happening very soon for the mainstream web, but yes, there has been a movement. Leaner blogs, the "host it yourself" approach, the blogroll comeback page, and even [guestbooks](https://kevq.uk/guestbook/). Oh, and MySpace is back, in the form of SpaceHey. Thanks, [Garrett Brown](https://blog.spacehey.com/entry?id=12111)!
Then there's the ActivityPub protocol - an even more complicated set of agreements coded in a bunch of REST services. It gave birth to Mastodon (where I learned a lot about these efforts, thanks!), [Pixelfed](https://pixelfed.org) as a federated alternative to Instagram, and they're working on [BookWyrm](https://www.bookwyrm.social/), a social reading and reviewing platform on the same protocol that hopefully proves to be more interesting than the now ad-ridden Goodreads.
Then there's the ActivityPub protocol - an even more complicated set of agreements coded in a bunch of REST services. It gave birth to Mastodon (where I learned a lot about these efforts, thanks!), [Pixelfed](https://pixelfed.org) as a federated alternative to Instagram, and they're working on [BookWyrm](https://www.bookwyrm.social/), a social reading and reviewing platform on the same protocol that hopefully proves to be more interesting than the now ad-ridden Goodreads.
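Review bot: The added sentence introduces SpaceHey but only links the credit ("Garrett Brown") to a SpaceHey blog entry, so the reader gets no link to the site the sentence is actually about; consider linking the name SpaceHey to the site itself and keeping the thanks link after it.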
@ -0,0 +1,33 @@
---
title: Lousy Wordpress Hacking Attempts detected
subtitle: Spotted in nginx error logs
date: 2021-03-29
---
My Dutch bread baking blog, [redzuurdesem.be](https://redzuurdesem.be), was migrated from Wordpress to Hugo years ago. During the transition, I came up with a bunch of shoddy scripts that did the job adequately: copying over `/wp-content/` to the `/static/` directory in order to preserve relative image locations.
Wodpress-enabled sites are _very_ easy to spot: just look for `wp-` anything in the source, or try out the location `/wp-admin` if you fancy a brute-force attack. Naturally, some pages of my site still comply to this rule, because of the archived image folder. Some Russian malicious IP, [45.146.165.157](https://www.abuseipdb.com/check/45.146.165.157), that has been reported numerous times before at abuseipdb.com, tried the following today:
```
2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179872 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /console/ HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179873 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /Autodiscover/Autodiscover.xml HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179875 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179876 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179877 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179878 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179879 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179880 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /_ignition/execute-solution HTTP/1.1", host: "146.59.146.120:80"
```
I mean, really? `<?php>die(@md5(HelloThinkCMF))</php>`? Are servers that badly managed that any GET parameter is dynamically evaluated on the server?
You might notice a repeating pattern in the above log: when setting up the new server (the previous one [got up in flames](/post/2021/03/always-have-a-disaster-recovery-plan/) a couple of weeks ago), I forgot to add the classic 404 page - which results in an error entry in the nginx log. To be honest, I never check those logs. I happened to be looking for something else and got curious.
Now, what to do? Well, nothing. Smile. It's all static. Still, it's very sad to see these pathetic attempts, and it makes me angry because years ago, a Wordpress site of mine _was_ effectively hacked because I did not upgrade the instance in due time. If those guys are any good at coding, their skills could have been used for good instead of bullying people.
Time to test out the [Fail2ban jail config](https://www.thegeekstuff.com/2010/07/fail2ban-howto/)... I guess I need to keep an eye out for malicious behavior in the future, 'cause I do have some dynamic stuff running on there. Wait, no, let Fail2ban monitor your nginx error/access logs automatically and [decide what to do with it](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)!
Hope you Russians are reading this and saying вызов принят (challenge accepted)!
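Review bot: Only one of the eleven logged requests (`/wp-content/plugins/wp-file-manager/readme.txt`) is WordPress-related; the others probe phpunit's `eval-stdin.php`, Solr's `admin/info/system`, ThinkPHP/ThinkCMF (`HelloThinkPHP21`, `HelloThinkCMF`), Xdebug (`XDEBUG_SESSION_START`), Liferay's `/api/jsonws/invoke`, Laravel's `_ignition/execute-solution` and Exchange `Autodiscover.xml`, all from one client within about a second and addressed to the bare IP (`host: "146.59.146.120:80"`, `server: _`). The title and the `/wp-admin` framing therefore undersell what this is: a generic multi-framework scanner sweeping an IP range, not a WordPress-specific attempt; consider saying so in the post. Smaller points: `Wodpress-enabled` should be `Wordpress-enabled` and `comply to this rule` should be `comply with this rule`; the payload quoted in the commentary (`<?php>die(@md5(HelloThinkCMF))</php>`) differs from what the log shows (`<php>die(@md5(HelloThinkCMF))</php>`), so quote it verbatim; and once the missing `404.html` is added these requests will no longer produce error-log entries at all, so a Fail2ban jail should watch the nginx access log (as the linked DigitalOcean guide does) rather than this particular error pattern.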
@ -29,9 +29,11 @@ I was thinking about this, because yearly, I receive a few interesting trend rep
- [GitHut's Small Place to Discover Languages on GitHub](https://githut.info/)
- [GitHut's Small Place to Discover Languages on GitHub](https://githut.info/)
- [Stack Overflow Annual Developer Survey](https://insights.stackoverflow.com/survey)
- [Stack Overflow Annual Developer Survey](https://insights.stackoverflow.com/survey)
- [TIOBE Programming Languages Index 2021](https://www.tiobe.com/tiobe-index/)
- [TIOBE Programming Languages Index 2021](https://www.tiobe.com/tiobe-index/)
- [The RedMonk Programming Language Rankings: Jan 2021](https://redmonk.com/sogrady/2021/03/01/language-rankings-1-21/)
- [JetBrain's The State of Developer Ecosystem 2020](https://www.jetbrains.com/lp/devecosystem-2020/)
- ...
- ...
Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/).
Wow, there are so many of these juicy reports nowadays![^some] I guess every self-respecting data-collecting entity should have one. The first thing to do, when deciding which language to learn, would be to do a quick cross-reference on multiple sources, and see if it's actually worth to do so. Of course, as Brit likes to say: [everyone should learn at least one _fringe_ language](https://blog.kingcons.io/). The RedMonk graph in particular is interesting because they contain a cross-cut of popularity rank on GitHub (x-axis) compared to the popularity rank on Stack Overflow (y-axis). For instance, many questions on Visual Basic still pop up on Stack, but not many projects use it on GitHub.
[^some]: Some clearly need a lesson or two in data visualization. The GitHut one makes no sense, even with my eyes firmly squinted.
[^some]: Some clearly need a lesson or two in data visualization. The GitHut one makes no sense, even with my eyes firmly squinted.
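Review bot: In the added sentence "The RedMonk graph in particular is interesting because they contain a cross-cut ..." the subject is singular, so it should read "it contains" (or "their graph ... contains"); and the new bullet "JetBrain's The State of Developer Ecosystem 2020" should be "JetBrains' ..." since the company name is JetBrains. In the surrounding unchanged context, "worth to do so" reads better as "worth doing".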