WordPress XMLRPC Bruteforce & Spam

There’s an incredible number of trolls, spammers and hackers on the internet, and even if your site isn’t that popular, don’t underestimate the number of bots and whatnot that are about.

One of the most recent attempts has been from the IPs “185.188.204.2” and “185.188.204.5” (by the way, I would never disclose the IP address of someone I believed to be innocent, so if your computer has simply been hacked, send me a message and I’ll remove this!). I quite often have trouble with IPs in the 185.*.*.* range, which is amusing but also, you might think, a bit worrisome.

The quickest way I notice suspicious behaviour is when my website receives a lot of hits from a specific IP address.  If you’re not too tech savvy, I suggest installing the WP Statistics plugin. You’ll be faced with a list of IPs on the overview page and you’ll see the hits an IP has there:

Rank	Hits	Flag	Country	IP	Agent	Platform	Version
1	633	Unknown	Unknown	185.188.204.5	MSIE	Windows	7.0
2	278	Unknown	Unknown	185.188.204.2	MSIE	Windows	7.0

The access log will typically give you a rough idea of what’s happening; for example, they might be hammering xmlrpc.php, which is the WordPress XML-RPC endpoint. Repeated POSTs to it from one IP usually mean a password brute-force through the XML-RPC login methods (system.multicall lets a single request try many username/password pairs) or abuse of the pingback.ping method. You can view the log with nano (or just grep for the IP):

nano /var/log/httpd/access_log

Once in the log, search for the IP address and you’ll be faced with the user’s activity:

185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The lazy way to deal with them on CentOS (other distributions have their own firewall front ends, so these firewalld commands won’t work everywhere) is to firewall them. Note that a /24 blocks the whole 185.188.204.0/24 range (256 addresses), not just the two IPs; use /32 if you only want a single host:

# Reject the whole 185.188.204.0/24 range (written as the network address so the
# prefix is unambiguous); use e.g. 185.188.204.2/32 to reject a single host.
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=185.188.204.0/24 reject"
# Permanent rules only take effect after a reload; then check the active zone.
firewall-cmd --reload
firewall-cmd --zone=public --list-all

Unfortunately, this can be problematic if your site is popular: someone else may later be assigned that IP address (if it’s dynamic) or sit behind the same NAT, and you’ve blocked them from your site, and a /24 takes out 256 addresses at once. The attacker can also simply change IP address. There are still benefits to simple IP firewall bans, though (I’ll speak more about that soon).
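Rather than scrolling through the log in nano, let the shell do the counting. The script below is an added example, not part of the original post: it counts POST requests to xmlrpc.php per client IP in an Apache combined-format access log, lists the IPs above a threshold, and prints (without running) the firewall-cmd rule for each as a /32, so you ban the offending host rather than the whole /24. The log lines it contains are constructed for the example, modelled on the entries above; on CentOS you would feed it /var/log/httpd/access_log instead.

```shell
#!/bin/sh
# Added example: find IPs hammering xmlrpc.php in an Apache combined log and
# emit per-host firewalld rules for review. Nothing here changes the firewall.

# Constructed sample log (not real traffic), same layout as
# /var/log/httpd/access_log: ip - - [time] "METHOD path proto" status bytes ...
# 203.0.113.9 stands in for a legitimate client (e.g. Jetpack) making one call.
SAMPLE_LOG='185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.5 - - [01/Nov/2017:13:53:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.2 - - [01/Nov/2017:13:54:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.188.204.2 - - [01/Nov/2017:13:54:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 394 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.9 - - [01/Nov/2017:13:55:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Nov/2017:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack by WordPress.com"'

# Usage: xmlrpc_hits < access_log
# Prints "<count> <ip>" for every IP that POSTed to xmlrpc.php, busiest first.
# In the combined format $1 is the client IP, $6 the quoted method, $7 the path.
xmlrpc_hits() {
    awk '$6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Usage: xmlrpc_offenders THRESHOLD < access_log
# Prints only the IPs with at least THRESHOLD POSTs to xmlrpc.php. Pick the
# threshold above what your legitimate XML-RPC clients generate.
xmlrpc_offenders() {
    xmlrpc_hits | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: ban_rules THRESHOLD < access_log
# Emits one firewalld rich rule per offending IP as a /32 (single host, not the
# whole /24) so you can review them before running, followed by a --reload.
ban_rules() {
    xmlrpc_offenders "$1" | while read -r ip; do
        printf 'firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=%s/32 reject"\n' "$ip"
    done
}

# Stand-alone run over the constructed sample: flag anything with 3+ POSTs.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

Against the real log you would run `xmlrpc_offenders 50 < /var/log/httpd/access_log` to see who is over the line, then `ban_rules 50 < /var/log/httpd/access_log`, and only pipe that output into `sh` (and run `firewall-cmd --reload`) once you are happy with the list.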

Another method is to deny access to the file in the virtual host (the same <Files> block also works in a .htaccess file in the WordPress root); clients then get a 403 for xmlrpc.php:

<VirtualHost *:80>
    # *:80 is an example; match the address/port of your existing VirtualHost and
    # keep its ServerName, DocumentRoot and other directives as they are.
    <Files "xmlrpc.php">
        # Apache 2.4 (CentOS 7). On Apache 2.2 use the old form instead:
        #   Order allow,deny
        #   Deny from all
        Require all denied
    </Files>
</VirtualHost>

I did something slightly more crafty, though. From the WordPress root, move the real xmlrpc.php aside (keeping it as a backup) and create a new one in its place:

# In the WordPress root (e.g. /var/www/html). mv keeps the original as a backup
# in one step; cp followed by rm does the same, but -rf is unnecessary for a file.
mv xmlrpc.php xmlrpc.php.backup
nano xmlrpc.php

Then in nano, add a redirect:

<?php
// Stub replacing WordPress's xmlrpc.php: send a 302 redirect to the client's
// own loopback address and stop, so no XML-RPC method is ever reached.
header("Location: http://127.0.0.1");
exit;
?>

With XML-RPC abuse, the attacker is using your site rather than just attacking it: system.multicall turns one HTTP request into many login attempts, and pingback.ping makes your server fetch a URL of the attacker’s choosing, so a fleet of WordPress sites can be pointed at a third-party victim, a bit like what’s called a “botnet.” With the stub above, anything that connects to xmlrpc.php gets a 302 to 127.0.0.1, i.e. to its own loopback address; a bot that follows it talks to itself, and most simply move on. Two caveats: every client is redirected, legitimate ones included, and xmlrpc.php is a WordPress core file, so the next core update will put the original back. If you want the change to survive updates, do it from a plugin instead: WordPress provides the xmlrpc_enabled filter (returning false disables the methods that require a login) and the xmlrpc_methods filter (for removing individual methods such as pingback.ping or system.multicall).

I said there are benefits to simple IP firewall banning, and there are. If a user is targeting you specifically (attacks like these are very rarely personal, but trolls are another matter), then a firewall rule demonstrates you’ve attempted to ban the perpetrator. The ban doesn’t have to be perfect for you to show you’ve made ample effort to get the perpetrator to leave you alone. Actions you take might also have an equal and opposite reaction: editing xmlrpc.php in this way means that plugins which rely on it, Jetpack for example, might not function at all. You should never reveal your hand, and you should always appear weak. A simple IP firewall rule might be easy to circumvent, but you can show the access log to an ISP and it’s proof enough.

The benefits of running your own webserver

Obviously it might be considered a hassle to have to worry about trolls, spammers, hackers, people trying to bruteforce you, etc. but the benefits outweigh the cons, for me.

For example, Facebook or any popular site could have something negative happen to it that causes information to get lost. Correct me if I’m wrong, but I don’t believe they have a legal obligation to back up your data if you’re not paying, and even if you do pay for a service, e.g. Squarespace, unless it’s specifically stated in the contract, I don’t believe they have to back up your data. Even if they do back up your data, it’s not necessarily easy to put that data into a usable format. When you run your own MySQL server and whatnot, it’s relatively easy (one command line, mysqldump) to save the database.

You also have access to log files, and while this might be available with other services (I’m sure it is with some), it’s a lot easier to access if you own/manage everything. In the event you get targeted by a specific person, you have access to the logs, which give you more information than a simple IP address. Hosting is also a lot cheaper if you manage everything, as it should be, since it’s costing you time. If you have a lot of time but not a lot of money, this method is better, in my opinion. If you’re experienced with computers, it might also cost you less time than if you signed up for a service like Squarespace.

I don’t make much from this site after server costs and I’ve only received the one donation–thank you by the way–I put 100% of that towards a charity, but I like to keep costs down regardless :).

The Sony a7rIII is a beautiful camera

The Sony a7rIII has been announced and I think it’s a great camera in its own right. I’d love one if I could afford one. Well, I can technically afford one but I think it’s a smarter decision to put my money into travel/glass….

Sony does not make too many cameras

Sony often gets railed at for releasing a lot of cameras in a short space of time, but when you look at Canon, Nikon or any other company interested in catering to multiple demographics, they release quite a few products. Canon has the Rebel line, the 5DSR (which is neither a 5Dmk3 nor a 5Dmk4), 5Dmk4, 6DII, 7DII, 80D, etc. However, Canon make their cameras vastly different in shape, and no one says they’re releasing too many cameras a year, even if they release a million all in the same year.

The Sony a7II, Sony a9, Sony a7sII and Sony a7rIII all look pretty similar, but they appeal to different demographics just as much as the 5Dmk4 and the 80D do. In other words, I think Sony would get criticised less for releasing numerous cameras a year if they made their cameras a different shape. Do I believe they should do that? Generally speaking, no. I like their decision for the most part. I love that they’re all pretty much the same size/shape with the same battery (the most recent cameras have a bigger battery, but I’m sure they’ll stick with it as a standard across the board soon enough.)

The Sony a9 line should be the exception, in my opinion. I believe it should be slightly larger. At some point, the Sony a7II series is going to be so good that it’s going to step on the toes of the Sony a9. If the Sony a9 was slightly bigger, it could have another processor or extra ram or whatever. When you start putting everything in the same body, you’re deliberately gimping something, and I’m not sure what should be gimped with the Sony a7III. The autofocus? I don’t think mirrorless autofocus is fast enough to be gimped yet, and it was originally meant to compete with the 5d line, so it’d be nice if it had a great autofocus. Gimp the dual card memory slots? Not a good idea, in my opinion. Gimp the joystick? Again, not a good idea. The Sony a9 forces the Sony a7rII series to be gimped in some way.

Where’s the extra dial?

The Sony a7rIII doesn’t have the extra dial the Sony a9 has, and in my opinion this is a sign of the aforementioned; the cheaper series is now starting to look deliberately cheaper. It wouldn’t cost more than $2 for Sony to implement an extra dial, and it’s something I’d really like to see on the camera.

The other improvements are great, in my opinion. It’s also great they’ve implemented a USB-C port. I think USB-C is single-handedly the best thing to happen to handheld devices. I hope this doesn’t mean they’ll start turning into power hogs just because they can be power hogs.

I bought the Sony a7rII with the plan to one day hike 2650+ miles along the Pacific Crest Trail in America. Although my visa was denied twice, and I’ve basically said **** America for now, I still plan to do a long-distance hike next year (I’m now looking at Canada, as I’m allowed to stay there quite some time). I’ll most likely hike the Great Divide Trail and some additional hikes. Having an efficient camera is important to me.

The dual card slots are a welcome addition. It’s the one thing I really, really want. I’m not even sure I need a bigger battery (I can charge my camera with a power bank), but dual card slots are always nice. If the card doesn’t malfunction and the card slot doesn’t break, they’re not needed, obviously. There are ways I can circumvent this problem somewhat and use my smartphone as a portable backup device (I can plug my SD card directly into my Samsung Galaxy Note 8 and copy my RAW photographs), but it makes me feel uncomfortable.

The autofocus I don’t really care about too much, but it’s a smart move, in my opinion. Sony’s done a good job here; there are just two main complaints I have, really…

What the **** is with the PC sync port? Camera companies are encouraging flash companies to use this archaic technology. We’re in 2017…

I’m not sure about the MicroSD port plus a USB-C port. I guess it makes sense because you can charge the camera while supplying data. It’d be better to just have two USB-C ports though.

The lack of the dial the Sony a9 has is a bit of a bummer, in my opinion.

There’s not really any huge complaints here though. It’s a solid camera, and I’d definitely buy one if I could justify the price for the extra battery life, SD card slot and an improved viewfinder (I don’t care about the other stuff so much.)

For people in the UK who want to pick up a bargain, eBay has the Sony a7rII at a very cheap price point.

Strange DDoS attack

Rank	Hits	Flag	Country	IP	Agent	Platform	Version
1	591	Unknown	Unknown	185.188.204.11	MSIE	Windows	7.0
2	589	Unknown	Unknown	185.188.204.7	MSIE	Windows	7.0
3	571	Unknown	Unknown	185.188.204.12	MSIE	Windows	7.0
4	566	Unknown	Unknown	185.188.204.9	MSIE	Windows	7.0
5	547	Unknown	Unknown	185.188.204.8	MSIE	Windows	7.0
6	517	Unknown	Unknown	185.188.204.6	MSIE	Windows	7.0
7	492	Unknown	Unknown	185.188.204.10	MSIE	Windows	7.0
8	138	Unknown	Unknown	185.188.204.14	MSIE	Windows	7.0
9	138	Unknown	Unknown	185.188.204.16	MSIE	Windows	7.0
10	138	Unknown	Unknown	185.188.204.18	MSIE	Windows	7.0

It’s funny: I’ve recently had repeated requests trying to guess my admin password on the CentOS server I use to run this website. I can only assume it’s some kind of brute-force attack.

Then, even more recently, someone’s tried to trouble me with this attempted DDoS attack. In my opinion, as oxymoronic as this sounds, security through obscurity isn’t really security at all; however, WordPress is extremely popular and there are ways it can be exploited, and this specific type of attack probably wouldn’t exist if WordPress weren’t so popular. I suggest reading about the “Disable XML-RPC Pingback” plugin and installing it; it removes the pingback methods from XML-RPC rather than disabling the whole interface, so plugins such as Jetpack keep working.
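Whichever fix you pick (the plugin, the stub, or a web-server rule), check afterwards that the dangerous methods are really gone by asking the endpoint what it still offers. The script below is an added example, not from this site: it builds the system.listMethods request, parses a listMethods reply and flags the methods used for brute force and pingback amplification. The reply embedded in it is constructed to match the shape of a WordPress listMethods response so the check runs offline; the curl line in the comment is what you would run against a real site (example.com is a placeholder).

```shell
#!/bin/sh
# Added example: list the XML-RPC methods a WordPress site exposes and flag the
# risky ones. Fetch a real reply with (example.com is a placeholder):
#   curl -s -X POST -H 'Content-Type: text/xml' \
#        --data "$LIST_METHODS_REQUEST" https://example.com/xmlrpc.php | verdict

# XML-RPC call that asks the server for every method it serves.
LIST_METHODS_REQUEST='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

# Constructed reply in the shape WordPress returns (an array of strings), used
# here so the check runs offline; an unpatched site lists all of these.
SAMPLE_RESPONSE='<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params><param><value><array><data>
    <value><string>system.multicall</string></value>
    <value><string>system.listMethods</string></value>
    <value><string>pingback.ping</string></value>
    <value><string>pingback.extensions.getPingbacks</string></value>
    <value><string>wp.getUsersBlogs</string></value>
    <value><string>wp.getPosts</string></value>
  </data></array></value></param></params>
</methodResponse>'

# system.multicall: many login attempts per request (brute-force amplifier).
# pingback.ping:    makes your server fetch an attacker-chosen URL (reflection).
# wp.getUsersBlogs: the usual method for testing a username/password pair.
RISKY_METHODS='system.multicall pingback.ping wp.getUsersBlogs'

# Usage: listed_methods < response.xml   -> one method name per line
listed_methods() {
    grep -o '<string>[^<]*</string>' | sed 's/<[^>]*>//g'
}

# Usage: risky_exposed < response.xml   -> the risky methods still listed
risky_exposed() {
    listed_methods | while read -r m; do
        for r in $RISKY_METHODS; do   # unquoted on purpose: split on spaces
            if [ "$m" = "$r" ]; then echo "$m"; fi
        done
    done
}

# Usage: verdict < response.xml   -> "exposed" if any risky method is listed,
# otherwise "clean" (a 403 or the 302 stub yield no <string> tags, i.e. clean).
verdict() {
    if [ -n "$(risky_exposed)" ]; then echo exposed; else echo clean; fi
}

# Stand-alone run over the constructed reply.
printf '%s\n' "$SAMPLE_RESPONSE" | verdict
```

Run it again after deploying a change: with the pingback plugin you should see pingback.ping disappear but system.multicall and wp.getUsersBlogs remain, which is why a login rate limit or the xmlrpc_enabled filter is still worth having on top.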

Why we should love USB-C. Apple, Android, Sony and future possibilities

Not every thought is a diamond and perhaps this post is a bit crazy.

Part of wanting to hike the Pacific Crest Trail in North America so badly has made me research countless technological items, especially camera storage methods and anything to do with cameras or phones. USB 3.1 and USB-C have made me think about various future possibilities for both phones and cameras.

Happy new year

Happy new year :). I’ve updated some of the site to make it more readable. There’s still plenty of bugs to fix and I need to make the theme prettier.