Category Archives: Geek-Speak

Geeky spaces lie within — be careful where you step!

I Squashed a Bug!


So, in the course of trying to get all the old functionality working on WordPress 1.5, I turned my attention to getting the “Today’s Photos” stuff working again. An awful lot of that code was in the hacks file, so I knew I had some potential for challenges. However, I moved the hacks file over from the old install, and things started working…. sorta.

I discovered that instead of the photos, I was just getting the date returned. Now, I’d seen that before when I originally coded this, and found that I wasn’t using the_time correctly in my code. I checked my code, though, and it looked ok. I thought maybe it was an incompatibility between WP 1.2 and 1.5. To test, I hard coded the date in my code, and it worked fine.

Long story short, I discovered that the function the_time has changed, maybe intentionally, and no longer can be used to pass the date of the current blog entry to another function. I started digging, and found that the function had changed from previous versions to this one. So….. I found the function in template-functions-general.php, and made the block for the_time look like this:

function the_time( $d = '', $echo = true ) {
    $the_time = apply_filters('the_time', get_the_time( $d ), $d);
    if ($echo) {
        echo $the_time;
    } else {
        return $the_time;
    }
}

This mirrors closely the code used in the_date, so I’m pretty confident it’s safe. It does fix my problem, and barring anyone screaming and hollering, that’s good enough for me!

So, I’m patting myself on the back — finding a bug in someone else’s code, and killing it. Ahhh, ain’t open source wonderful!

WordPress 1.5 is Out!


Well, tonight I was gonna work on Colin Wright Photography, but…… I got an e-mail that WordPress 1.5 is out, and it addresses so many of the issues I’m manually dealing with — comment spam, trackback spam, Hormel Spam… oh wait, not so much the last one! — that I’ve gotta spend the cycles to move over to it tonight.

So, if you’re trying to get in here tonight, don’t be surprised if things aren’t quite the way they were, or quite as functional as you’d expect. It’ll all come in time.

Two words: Woo. Hoo. 😉

New Gear: Canon EOS 20D

Yes, I finally did it: I bought the new camera body.

After much twisting and turning on the precipice of buying a 1D Mk II, in the end, I couldn’t justify the nearly tripled cost as compared to its little brother, the 20D.

In a short time spent playing with the 20D, I have to admit that I’m impressed. The feel is a little different, and some of the controls either aren’t where they were before, or work a little differently than the 10D — that’s not inhibiting my enjoyment though!

The first thing I’ve noticed is that it is fast. Very fast. Turn the switch on, and the camera is ready. With the 10D, there was a second or two pause, which made it easy to miss the unexpected shot. The burst speed is also very fast — five frames per second, and in RAW, I can run that for two full seconds before the camera starts trying to write to my 4GB microdrive, which slows it down some, but still writes three times as fast as the 10D. With faster CF, the 20D is supposed to write almost five times faster than the 10D. Amazing.

And the picture quality seems to be terrific, too. I’ve been very impressed with the first pictures that have come off the camera as I’ve tested with it.

Overall, I’ve got to say, this is a tremendous improvement over the 10D, and worth every penny!

So, anyone need a used 10D? 🙂

Zombies are Weird


So, the zombie assault continues today. I’m getting about 50-60 hits an hour (sustained) from tons of machines all over the world, each with the referrer field set to a primary domain, with lots of subdomains for dealing with whatever ails you — pharmaceuticals, gambling… you name it, it’s represented!

I guess what they’re trying to do is put referrer activity that looks to be from their site in the logs so they show up in my server stats. As I’ve discovered, once I’ve blocked them, those referrals no longer show up (heh-heh-heh), but the hits do, although their source isn’t evident. That’s ok with me. I just watch them get their 403’s, and chuckle at the futility of all these goofy unpatched Windows boxes (probably) doing their master’s bidding unbeknownst to their owners.

What’s interesting is that in January, I had almost 60,000 hits on the site (many of them this same spammer junk). In the first day and a half of February, I have almost a fifth of that already. This short month looks to be a great workout for the server! 🙂

Spammers Off the Starboard Bow


They’re baaaaack…. Yup, the spammers are back, and have gotten creative. Now, they are going after trackbacks to post their dirty links.

From what I’ve been reading at the WP support fora, it looks like this started after the first of the year for a great many blogs. I feel a little cheated that it’s taken this long for someone to finally get around to slamming my blog. ๐Ÿ™‚ In any case, I’ve turned off pingbacks/trackbacks and moved wp-trackbacks.php, as that’s the quick and dirty fix right now until a better flyswatter is discovered. I’m not sure how much use the pingbacks and trackbacks have been on this site anyway.

This is a war, and the fight is on!!!!

Zombies


A very cool thing going on over the last few days in the web server logs. I noticed a large number of hits from long ago banned IPs, and a few new ones, but all with one thing in common: the referer field.

Why would someone do that? Well I have a stats package running, and it tracks referers, and puts them in a list, complete with links back to them. By having these links show up on a stats page that might be indexed, I’m sure it’s thought that this will increase their “score” on Google, etc.

However, there were so many that I’d already bounced, it stood out like a sore thumb in the logs. So I weather dozens and dozens of hits an hour from all over the world with odd variant subdomains (gambling, financial, pharmaceuticals) of the basic referer, and laugh and laugh as they all fall in the bitbucket. A few of them will show up in the stats for this month, but next month, there won’t be a trace of ’em. 👿

Spam Counterpunch Strategy

Over the last week or two, I’ve been honing my counterpunch for my blogspambombers, doing some research on other avenues to stem the flood, and figuring out how to combine the best of these efforts. There are some very nice solutions out there, including displaying a numeric image to would-be commenters that they can enter to validate that there are human eyes on the other side of the keyboard. Since most of my readers aren’t hardcore bloggers, and since I like making the user experience simple, I didn’t want to complicate the process of leaving comments on the site.

I know I’m probably tipping my hand on how I’m trying to block this junk, but it just seems appropriate to share this knowledge, both here and in the WordPress support fora. Some of this is either directly lifted from, or inspired by, the WP fora, or other sites. I’ll give credit where I can, and if I mess up the credit, just let me know.

  • From the WP support fora:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} "!^http://mysite.com/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*wp-comments-post.php$"
    RewriteRule .* - [F]

    This one seems like it would help some. Basically, this addition to httpd.conf (or .htaccess) will return a 403 if a request to wp-comments-post.php isn’t referred from some page from mysite.com — your comment script name and domain are probably different, so just make that change. It seems like a blogspambomber could easily change the HTTP_REFERER in their request, so that might not fix things for long, although their script would have to be pretty nimble to put the right thing in the HTTP_REFERER field. Also, you run the risk of boxing out real user clients that don’t send the HTTP_REFERER information.

    I think this change is probably a nice touch, but I would rather ban the IP address from hitting anything on the site if they are trying to hit the commenting scripts directly. My feeling is that if they’re doing something creepy by trying to hit my scripts, then there’s no telling what might be tried next! I didn’t implement this; read on…..

  • Also from the same thread on the WP support fora:
    There was a conversation point that if you changed the name of wp-comments-post.php to something else without leaving something named wp-comments-post.php behind to “answer the phone” when the blogspambombers hit, they would realize that the comment posting script name had changed, and they could simply parse through a comment form to get the name of the new comment posting script. In fact, that could even happen automagically with some not-too-difficult scripting. So, when I changed the file name to something else, I made sure that something was left behind for the blogspambombers to hit. What did I leave behind? Read on…
  • From a site somewhere:
    I read about a tripwire system to trip up badly behaving bots. I implemented this, and it works great to trap robots that don’t obey robots.txt, banning them after they stray from the happy path. I thought that would be a great addition to my WordPress blogspambomber arsenal. Here’s the code that lives in my wp-comments-post.php, mostly commented for your enjoyment:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>Banned for life!</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <style type="text/css">
    <!--
    body {
    font-family: Verdana, Arial, Helvetica, sans-serif;
    font-size: medium;
    color: #CCCCCC;
    background-color: #000000;
    }

    a {color: #CCCCCC;}
    a:hover {color: #FFFFFF;}
    a:active {color: #FFFFFF;}
    a:visited {color: #CCCCCC;}
    a:link {color: #CCCCCC;}
    -->
    </style>
    </head>

    <body>
    <p>You have triggered a trip-wire. This script exists solely to catch people doing
    things they shouldn't be, such as looking for administrative scripts like you were.</p>
    <p>As a result, your IP network address (

    <?php
    # who called us; the agent string is caller-supplied, so strip CR/LF out of it
    # before it is written into the e-mail body and into .htaccess further down
    $remote_addr  = getenv("REMOTE_ADDR");
    $remote_host  = getenv("REMOTE_HOST");
    $remote_agent = preg_replace('/[\r\n]+/', ' ', getenv("HTTP_USER_AGENT"));
    echo $remote_addr;
    ?>

    ) has been blocked from this
    entire site. You will no longer be able to browse domains here. In addition, the webmaster
    has been alerted to this activity and will be reviewing the records for possible
    action with your service provider.</p>
    <p>If you have stumbled here by accident, you can
    <a href="mailto:webmaster@mysite.com?subject=IP Ban for <?php echo $remote_addr ?>">send the webmaster an email</a>.
    Click the link and explain why you're reading this screen. Be sure to paste
    in the network address in parentheses above so that the webmaster can unblock you. If you
    don't e-mail the webmaster, you will <strong>NOT</strong> be able to get back to this screen
    again - you are <strong>BANNED</strong>.</p>

    <?php

    # send an e-mail telling me about the banning

    $to = "banned@mysite.com";

    $subject = "[Alert] A ban has been triggered! (wp-comments-post.php)";

    $dateout = date('Y-M-d @ G:i');

    $message  = "An address has been blocked from accessing mysite.com because it called wp-comments-post.php.\r\n";
    $message .= "\tDate\t\t$dateout\r\n";
    $message .= "\tIP address\t$remote_addr\r\n";
    $message .= "\tHostname\t$remote_host\r\n";
    $message .= "\tAgent\t\t$remote_agent\r\n";

    # each mail header line ends in CRLF
    $headers  = "From: ip_ban@mysite.com\r\n";
    $headers .= "Reply-To: ip_ban@mysite.com\r\n";

    mail($to, $subject, $message, $headers);

    ?>

    <?php

    # add this ip to htaccess; the file must already contain "Deny from env=denied"
    # (with its Order directive) for the variable set here to block anything

    $htaccess = "/www/apache/htdocs/.htaccess";

    $htaccess_lines[] = "\n#----- LOOKING FOR WP-COMMENTS-POST.PHP -----\n";
    $htaccess_lines[] = "# $dateout $remote_agent\n";
    # escape the dots so the pattern matches this one address and not lookalikes
    $htaccess_lines[] = "SetEnvIf Remote_Addr ^" . preg_quote($remote_addr) . "$ denied\n";
    $htaccess_lines[] = "#----- LOOKING FOR WP-COMMENTS-POST.PHP -----\n";

    # open without truncating and take the lock BEFORE reading: an fopen with 'w+'
    # empties .htaccess (and every ban in it) before the lock is held, so two bans
    # arriving together could leave the file wiped
    $fp = fopen($htaccess, 'c+');
    flock($fp, LOCK_EX);

    # get current htaccess lines into array
    $htaccess_current = file($htaccess);

    # merge the arrays (prepending new lines)
    $htaccess_array = array_merge($htaccess_lines, $htaccess_current);

    # shove array into string
    $htaccess_output = implode("", $htaccess_array);

    # truncate, write, unlock, close
    ftruncate($fp, 0);
    rewind($fp);
    fwrite($fp, $htaccess_output);
    fflush($fp);
    flock($fp, LOCK_UN);
    fclose($fp);

    ?>
    </body>
    </html>

    If someone hits this script, they were looking for something they shouldn’t have been, so there’s no mercy. When the script is triggered, a nice informative message is sent back to the caller letting them know they hit the tripwire, and that they are banned. If it’s a bot driving the bus, then they won’t pay attention; if it’s a human, they’ll know they were being bad. Either way, their IP address is added with a deny to .htaccess and they are thrown 403’s from then on. It’s entertaining to watch the bot dip its toe in the water with a GET of some page, try a POST to wp-comments-post.php, and then get 403’s from then on. An e-mail is also sent to me to tell me of the ban. As I said before, I enjoy entertainment.

    How well does this work? Well, as I mentioned a few days ago, I had what appeared to be a zombie-net hitting my site. Had it been successful, or had I had to moderate all the comments, I could’ve been in for a lot of work. Aside from seeing 108 e-mails telling me of IP bans, the work on my side to recover was zero. And, the logs were fun to examine. Again, bizarre entertainment at the cost of zombie-bot-blogspambombers.

    As a side note, it was just cool to see the zombie-net move from IP to IP every few minutes when it figured out that I’d automagically banned the current one. What was neater was seeing my system respond well to that, blowing away the IPs, one by one.

  • Lastly, here’s the coup de grâce for turning the sun-seared magnifying glass upon the ants on the spamhill. I was reading about having timeslots for comment posting on Internet Alchemy which had some of the concepts of an idea I had lobbed at Beck just a few nights ago. I figured I wasn’t the first person to think of changing the comment script name programmatically, and I was glad to see someone had already climbed that mountain.

    I also read on inf7.net about some scripting to programmatically make the changes that are needed to rename the wp-comments-post.php and wp-comments.php scripts and change the references to them in all the right places.

    So why not marry those ideas, and add a little spice to them? In fact, let’s make it so even I don’t know what the script names are!!! Here’s what we do.

    First, we need to add some stuff to the .htaccess file in the root of the WordPress installation (so, wherever your index.php and comment scripts live).

    I could just update .htaccess with the name of the real comments scripts, and send every other request for something that looks like the old comment scripts to the 403 bit-bucket. However, I want to ban their IP from the site, too, and just giving them perpetual 403’s when they hit the old scripts — but not for everything else on the site — just isn’t entertaining enough for me.

    So, the first part of the solution is to make the change to .htaccess as I described above. But, for the old script requests, I will direct them to the script we wrote above using a RewriteRule. So, .htaccess gets:

    # if they ask for the right posting script, but didn't come through me, they get 403

    RewriteCond %{HTTP_REFERER} "!^/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*wp-dummy-comments-12345-post.php$"
    RewriteRule .* - [F,L]

    # if they ask for the right script, and came through me, then it's ok
    # if it's spam content, the spam filter can catch it

    RewriteCond %{HTTP_REFERER} "^/.*$" [NC]
    RewriteCond %{REQUEST_URI} ".*wp-dummy-comments-12345-post.php$"
    RewriteRule .* - [PT,L]

    # if they look like they're trolling about for the posting script, they get banned -- needs work for use against bots

    RewriteCond %{REQUEST_URI} "wp([-dummy]*)-comments(-[0-9]*)-post.php$" [NC]
    RewriteRule .* "/wp-comments-post.php" [R]

    That last rule will direct them to the script I included way above in this missive, and ban them if they are snooping too much or trying to guess the comment post script name. And that, my faithful readers, will allow the bad guys to be banned when they hit the old scripts, no matter whether the request is for a real old script, or one fairly recent.

    The next step is to create the script that will change the comment script names, incorporating something random, along with references to them.

    #!/bin/bash
    # run from the WordPress root, where .htaccess and the comment scripts live
    cd /www/apache/htdocs || exit 1

    # get the old random number -- .htaccess names the script in more than one
    # rule, so keep the first match only or the variable ends up with several lines
    OLDRANDOM=`egrep "wp-dummy-comments-([0-9]*)-post.php" .htaccess | head -n 1 | cut -d"-" -f4`
    [ -n "$OLDRANDOM" ] || { echo "no current script name found in .htaccess"; exit 1; }

    NEWRANDOM=$RANDOM

    echo "Old " $OLDRANDOM " New " $NEWRANDOM

    # copy to the new filenames
    cp wp-dummy-comments-${OLDRANDOM}.php wp-dummy-comments-${NEWRANDOM}.php
    cp wp-dummy-comments-${OLDRANDOM}-post.php wp-dummy-comments-${NEWRANDOM}-post.php

    # change the php files (replace is the string-replacement utility that ships with MySQL)
    replace 'wp-dummy-comments-'${OLDRANDOM} 'wp-dummy-comments-'${NEWRANDOM} -- *.php

    # change .htaccess
    replace 'wp-dummy-comments-'${OLDRANDOM} 'wp-dummy-comments-'${NEWRANDOM} -- .htaccess

    # remove the old copies
    rm wp-dummy-comments-${OLDRANDOM}.php
    rm wp-dummy-comments-${OLDRANDOM}-post.php

    We need to make sure that this script is executed every so often, so I stuck it in my crontab. How often to run it, thus changing the script names and references, is left as an exercise for the reader! 😉
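
A hardened rewrite of the rotation step, added here as an example and not the blog’s own cron script: it keeps only the first .htaccess match, refuses to run if the files the rules point at are missing, draws a 32-bit number from /dev/urandom instead of bash’s 15-bit $RANDOM, and uses sed rather than MySQL’s replace utility. The function names and the directory argument are assumptions; the file layout (wp-dummy-comments-N.php and wp-dummy-comments-N-post.php) is the convention from the posts above.

```shell
#!/bin/sh
# Rotate the obscured comment-script names. Layout follows the post:
#   wp-dummy-comments-<N>.php, wp-dummy-comments-<N>-post.php, and references
#   to them in *.php and in .htaccess, all in one directory (argument 1).
# Function names are hypothetical; this is not the blog's cron script.

rotate_comment_scripts() (
    cd "$1" || exit 1

    # .htaccess names the -post script in more than one rule; keep only the
    # first match, or the variable holds several lines and the cp below breaks
    old=$(grep -oE 'wp-dummy-comments-[0-9]+-post\.php' .htaccess | head -n 1 | cut -d- -f4)
    [ -n "$old" ] || { echo "no current comment script recorded in .htaccess" >&2; exit 1; }

    # refuse to proceed if the files the rules point at are not actually there
    [ -f "wp-dummy-comments-$old.php" ] && [ -f "wp-dummy-comments-$old-post.php" ] || exit 1

    # 32-bit value from /dev/urandom rather than bash's 15-bit $RANDOM; it stays
    # numeric so the post's ([0-9]*) guess-catcher rule still matches the name
    new=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    [ "$new" != "$old" ] || exit 1

    # same order as the post: copy, patch every reference, then remove the old files
    cp "wp-dummy-comments-$old.php" "wp-dummy-comments-$new.php"
    cp "wp-dummy-comments-$old-post.php" "wp-dummy-comments-$new-post.php"
    for f in .htaccess *.php; do
        sed "s/wp-dummy-comments-$old/wp-dummy-comments-$new/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
    rm "wp-dummy-comments-$old.php" "wp-dummy-comments-$old-post.php"

    echo "$new"
)

# the script number .htaccess currently points at (handy for a cron log line)
current_number() {
    grep -oE 'wp-dummy-comments-[0-9]+-post\.php' "$1/.htaccess" | head -n 1 | cut -d- -f4
}
```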

So that’s how I’ve attacked the blogspambomber issue. YMMV, but for me, this seems to work pretty doggone well.

Oops!


Well, in trying to keep the blogspambombers out, it appears I locked things down a bit too tight last night. A small change to my Apache configuration, and I ended up with no one able to leave comments — oops!

I saw where someone was trying to leave comments — c’mon back, and try again!

As is usually the case when I’m quiet with my writing, I’m working on stuff in the background. This time I’m trying to put the ribbons on a writeup and implementation to help the blogspambombing plans take place automatically. With any luck, I’ll have that complete tonight, and have it posted tonight or tomorrow. Watch for it — it’ll be fun!

Blogspambombers Be Gone!


I spent some of my time over the New Year’s weekend strengthening the jaws on the spider traps and filling the blogspambomber tar pits. The results were eye-opening — I had no idea just how much my site was getting hit by unsavory types.

Previous to these changes, I would get about one automatic IP ban added to the blacklist weekly, with one or two manual additions thrown in for good measure. These were usually bots immolating themselves on the fire hot talons of the badbot trap.

I kept seeing activity, though, that led me to believe that there were occasional attempts to post comments on the site from some automated agent. The activity wasn’t real significant, and these bots were frequently guessing the wrong name of files that would be significant if they existed, so aside from the humor factor in watching them flail and fail, there wasn’t much to see.

So, as an exercise, I decided to turn the fire on these beasties. The end result was that if something — human or bot — hit a file that had no need to be hit, it got flogged with the wet noodle of banishment from all the sites that run here. I thought I’d catch a couple more IPs a week. Wrong by a long shot.

How many skewered themselves today? 108. One hundred and eight attempts at files that, were they here, would be privileged files and could cause grief if accessed. Wow.

So, was this a normal number, and was I just missing it amongst the rest of the stuff in the logs? Well, yeah, kinda. The last couple of days have seen a bunch of this kind of activity, and it seems to come from all over the world. It’s almost like a zombie bomb went off, and many, many computers around the world have started trying to blogspambomb mine (and probably many, many other) WordPress-based sites.

Today’s attack — for lack of a better term — started just after 8am, and ran relentlessly until about 2.30pm, with an IP ban being triggered about every two to five minutes. The pattern was the same: try a blind POST (which triggers the ban), then try hitting a valid page, and then try again. If that didn’t work, then another IP was used. That’s what makes me think it’s a zombie-net out there somewhere.
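
Added here as an example, not the blog’s own tooling: detection logic for the two patterns these posts describe, the blind POST to the comment script without a same-site referer (this post, and the condition the referer RewriteCond in the counterpunch post tests) and the one-domain-many-subdomains referrer spam from the Zombies post. The log lines are constructed; mysite.com stands in for the blog’s host, as it does in the posts.

```shell
#!/bin/sh
# Two checks over Apache combined-format log lines. Constructed sample, not the
# blog's logs; mysite.com is the post's placeholder for the blog's own host.
SAMPLE_LOG='10.0.0.1 - - [02/Jan/2005:08:03:11 -0600] "POST /wp-comments-post.php HTTP/1.1" 403 211 "-" "Mozilla/4.0"
10.0.0.1 - - [02/Jan/2005:08:03:12 -0600] "GET /index.php HTTP/1.1" 403 211 "-" "Mozilla/4.0"
192.0.2.7 - - [02/Jan/2005:08:05:40 -0600] "GET /archives/2005/01/ HTTP/1.1" 200 8123 "http://www.mysite.com/" "Mozilla/5.0"
192.0.2.7 - - [02/Jan/2005:08:06:02 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.mysite.com/archives/2005/01/" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2005:08:07:15 -0600] "GET / HTTP/1.0" 200 4021 "http://pharma.spam-example.test/" "Mozilla/4.0"
203.0.113.9 - - [02/Jan/2005:08:09:44 -0600] "GET / HTTP/1.0" 200 4021 "http://casino.spam-example.test/" "Mozilla/4.0"
198.51.100.2 - - [02/Jan/2005:08:11:03 -0600] "GET / HTTP/1.0" 200 4021 "http://poker.spam-example.test/" "Mozilla/4.0"
198.51.100.2 - - [02/Jan/2005:08:11:05 -0600] "POST /wp-comments-post.php HTTP/1.1" 403 211 "http://poker.spam-example.test/" "Mozilla/4.0"'

# Blind posters: clients that POST to the comment script without arriving from
# a page on this site. Splitting on the double quote gives $1 = "ip - - [time]",
# $2 = request line, $4 = referer, $6 = user agent. Reads stdin, prints IPs.
blind_posters() {
    awk -F'"' '
        $2 ~ /^POST \/wp-comments-post\.php/ && $4 !~ /^http:\/\/(www\.)?mysite\.com\// {
            split($1, w, " "); print w[1]
        }' | sort -u
}

# Referrer spam: one base domain showing up under several subdomains across
# several distinct client IPs. Prints "base ips subdomains" for bases seen from
# at least $1 IPs (default 3) with at least two subdomains. Reads stdin.
referer_spam() {
    awk -F'"' -v min="${1:-3}" '
        $4 ~ /^https?:\/\// {
            host = $4; sub(/^https?:\/\//, "", host); sub(/\/.*/, "", host)
            n = split(host, lab, ".")
            if (n < 2) next
            base = lab[n-1] "." lab[n]
            split($1, w, " ")
            ips[base, w[1]] = 1; subs[base, host] = 1
        }
        END {
            for (k in ips)  { split(k, p, SUBSEP); nip[p[1]]++ }
            for (k in subs) { split(k, p, SUBSEP); nsub[p[1]]++ }
            for (b in nip) if (nip[b] >= min && nsub[b] >= 2) print b, nip[b], nsub[b]
        }' | sort
}
```

The blind-post check is what the tripwire turns into an automatic ban; the referrer check is only useful for review, since those clients fetch ordinary pages and the ban decision has to come from the referer family, not the request.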

So, while I feel as though I’ve won this battle, the war is far, far, far from over. However, I’ve got some other tricks up my sleeve that I’m working on….. 😉

My Monthly Visitor

Every month, I get a visit from the bot that the Cyveillance folks run. They tickle everything on all three domains I run, including (apparently) trying to touch the administrative functions. It’s been pretty innocuous, and so far they haven’t tripped the spider-bait, which means they are (so far) paying attention to the rules in my robot file. However….

In reading a bit more about them on Webmaster World and gulker.com, it seems that they are quite a bit more insidious than their traipsing about my site would make them appear. At best, I infer they are a “copyright protection” outfit, looking for copyrighted material. At worst, it appears they are a “cease and desist” generating machine, with no human at the helm. Gulker.com has a pretty good introduction to their tactics and compares them against a kinder, friendlier bot, our friend Googlebot.

A site, Cyveillance Exposed, even refers to their tactics as computer terrorism, as things are defined nowadays. Given the description of their tactics, and what I’ve seen them try here, I guess I’d have to agree.

DiveIntoMark has a great bit of info on how to identify and block some of these abusive bots, like Cyveillance’s appears to be.

Too snoopy, too sneaky. Congratulations Cyveillance — you made the banned list!