Spam bot figures out SABRE math test

It was bound to happen eventually. This morning a spam bot figured out the math test check that my SABRE plugin was using to filter human website visitors from spam bots. This happened on one of my less-frequented blogs, which actually helped me discover it as that particular blog doesn’t get many registrations.

Looks like now I’ll have to graduate my blog universe to the full-blown CAPTCHA tests if I want to keep the Russian spammers from crashing the MT.Net party.

Turning the tables on hackers

Every dark cloud has a silver lining, and the recent hacker attacks on MT.Net are no exception. Once I had safely reassembled the website and taken measures against active attacks, I realized what risk hackers run when they attempt remote code execution attacks like the one they ran on my site: they expose the location of their hacker code!

After repelling a couple of attacks per day, I got wise and began to contact the owners of the websites used to attack my site, politely letting them know their servers had been compromised. After doing this for five or so websites, the hacker attacks against my site all but dried up! Perhaps I hit a nerve?

It’s still usually not worth the trouble to track hackers back to their original IP addresses (or at least, not worth the trouble for anyone lacking search warrant power), but taking away a few of a hacker’s precious hideouts sends a message that messing with me comes at a cost.

Blogging and hackers

I found the Stop Forum Spam site this morning when watching l0ser bots try to register accounts on MT.Net. A Google search on an email address used by an obvious bot brought me to the site. There’s an API for automated rejection of these fake user accounts which I’m thinking of using to head off many of the hacker attacks I’ve seen. I’m thinking blocking attacks at the Apache level would be ideal.

On another note, it looks like my WordPress hack post has become very popular with both hackers and webmasters alike. Hackers frequently use its URL to attempt cross-site scripting attacks against my machine, while webmasters point to it as one of the first public announcements of a critical WordPress vulnerability. Kudos again to MT.Net reader Scootdawg for being the first to see my blog wasn’t working!

On yet another note, I’m thinking of writing a screenplay where a lowly blogger disses the reclusive dictator of a backwards Asian country and becomes an unwilling “guest” of the dictator for a bizarre weekend.

MT.Net outage from 3 PM to possibly 9 PM

MT.Net’s provider will be performing work on our server this afternoon beginning at 3 PM, and the server will be down until possibly 9 PM. The expected outage is two hours, so MT.Net expects to be back by 5 PM or sooner.

This would be a good time to watch wedding videos.

One week left for Siteseers.Net

I’m retiring my long-time domain, siteseers.net, next week. I’ve had it since 1997, back when I used ISDN to access the Internet. While it will be sad to see it go, I don’t really use it anymore. I’ve got more than a dozen other domain names and this one is needlessly adding to the cost of annual domain renewals.

I’m going to park it at Sedo in case anyone is interested in buying it.

Returning from another break

MT.Net was down for the last couple of days due to more strangeness seen on the server. I took it down and rebuilt everything.

Should you experience any quirkiness here (outside of the stuff I post already, ha ha), let me know!

How to rewrite a hacked URL?

Hey Lazyweb,

When my WordPress site got compromised, The Google began indexing links that have a “?y%” in the middle of the URLs:

http://www.markturner.net/2007/04/page/4/?y%/you-are-what-you-grow/

This turns the second half of the URL into a query string, which complicates fixing it a bit. I’ve tried a few RewriteCond rules but haven’t figured out this voodoo well enough yet:

RewriteCond %{QUERY_STRING} y\%/(.*) [NC]
RewriteRule (.*) $1 [R=302,L]

Anyone have any pointers on how to turn the above URL into this?

http://www.markturner.net/2007/04/page/4/you-are-what-you-grow/

P.S. WordPress 2.8 is now out. Time to upgrade!
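
One way to do the rewrite asked about above, as an added example that is not part of the original post. It assumes the rules go in the site's document-root .htaccess, above the WordPress rewrite block, and that post slugs contain only letters, digits and hyphens.

```apache
# Added example (not from the original post). Assumed placement: the
# document-root .htaccess, above the "# BEGIN WordPress" block.
RewriteEngine On

# The attempt in the post redirects to "$1" without clearing the query
# string, so mod_rewrite re-appends "?y%/..." and the browser is sent
# straight back to the same URL.

# Match only the injected form. %{QUERY_STRING} is not URL-decoded, so the
# "%" is a literal character here. The capture is limited to slug characters
# (assumption) so nothing else from the query string can reach the redirect
# target.
RewriteCond %{QUERY_STRING} ^y%/([a-z0-9-]+)/?$ [NC]

# In .htaccess context the matched path has no leading slash, e.g.
# "2007/04/page/4/". Append the captured slug (%1) and end the substitution
# with "?" to discard the original query string (on Apache 2.4 the QSD flag
# does the same). R=301 tells crawlers the move is permanent, so the
# "?y%/" URLs drop out of the index over time.
RewriteRule ^(.*/)$ /$1%1/? [R=301,L]

# Constructed check, using the URL from the post:
#   /2007/04/page/4/?y%/you-are-what-you-grow/
#     -> 301 -> /2007/04/page/4/you-are-what-you-grow/
```

Requests whose query string does not start with "y%/" fall through to the normal WordPress rules unchanged.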

Rankcrawler update

I received an email this evening from Philippe Martin at RankCrawler, apologizing for the bad bot behavior:

Dear Mark Turner,

I apologize for not properly identifying our crawler (RankCrawler) by using the user agent. Our reverse-DNS goes to rankcrawler.com but we don’t use our own user agent. We will fix this problem soon. We stopped crawling your website as soon as I read your message.

We DO NOT crawl with the IP 94.23.51.159 as you claim in your second blog post about RankCrawler. It should be another company that we don’t know and that uses the same ISP (OVH is a very large ISP). We use at this time only 5 IPs that go to rankcrawler.com.

I apologize again for this problem and I hope you will let our crawler access your website once we properly identify our crawler with our own user agent.

Thank you for your message,

Philippe Martin
http://rancrawler.com

I’m pleased that Mr. Martin chose to respond to my complaint and as such, I will allow RankCrawler to access MT.Net once again.