Pwning WordPress for fun and profit

I have a love/hate relationship with WordPress.

Actually, that’s not true. I like WordPress rather a lot, and I wish that more open-source projects had the finish, polish, and sophistication of WordPress. I own about a half-dozen Web sites that run it, and I’m overall very fond of it.

What I don’t like is the number of people who set up a WordPress install, then walk away from it and never install any updates or security patches. WordPress is a popular target for hackers, because it’s widely deployed and easy to find, and because so, so many people don’t keep on top of updates.

Which, frankly, baffles me. It’s incredibly easy to update–easier, in fact, than any open-source server software I’ve ever used. You log in to the admin area. It tells you “There is an update. Click here to install the update.” You click one button. Bang, that’s it! There literally is nothing else you have to do.

So, anyway, today I found yet another phony bank phish in my email. The phish pretends to be an HSBC Bank page, and it attempts to trick the gullible into handing out their bank account number and password. So far, so bog-standard.

*** WARNING *** WARNING *** WARNING ***
The URLs in this post are live at the time of this writing. They do not lead to malware sites, but they DO lead to phony bank phish sites.

The phish page in my email lives at

http://internalcommunications.co.uk/img/1/IBlogin.html

It’s a pretty bog-standard phish, a page living on a hacked server that collects personal financial information and then sends it off to the phishers via a php-to-email script.

The server that it lives on, internalcommunications.co.uk, is hosted by heartinternet.co.uk and belongs to a guy named Simon Wright; his Whois details, including his email address, are protected by a privacy service.

The site itself is completely defaced. The defacement left a hole big enough to drive a truck through, and the phishers put the phony bank page on the site after the person or group who defaced it hacked it and left it wide open. EDIT: The site defacer, who goes by the name “NONE-STOP,” is also a phisher who sells stolen credit card numbers, stolen bank account login information, and other stolen identity information. More at the end of this post.

The front page of the hacked site, as of the time of this writing, looks like this (click for larger):

I haven’t heard of NONE.STOP, whoever he/she/they are; as near as I can tell, there’s only one other site defacement (www.cegm.ca) he/she/they have claimed responsibility for.

Now is where it gets interesting, and where WordPress comes in.

Normally, when a site is defaced, the images that are used in the defacement are uploaded to the hacked server. Not in this case. In this case, the images used in the defacement are being remote loaded from another server.

They are being loaded from a hacked WordPress install that was set up a while ago, had a single test post added to it, and was then abandoned.

Specifically, the images used in the defacement are being loaded from

http://devriestree.com/components/com_content/views/.index/aa__blut.gif
http://devriestree.com/components/com_content/views/.index/4scpcn.jpg

and so on. The Web site devriestree.com is the one running the pwn3d WordPress, and it has been left alone; no defacement, no phishes, nothing. The person or group called NONE.STOP has simply created a hidden .index directory which is being used to store the pictures that he/she/they use when he/she/they deface other sites.
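A check a site owner could run for exactly this pattern, as an added example that is not from the original post: walk the web root, report image files sitting inside dot-directories like the hidden .index above, and note whether each file’s first bytes actually match its extension. The sample tree is constructed here; the magic-byte table is an assumption covering only the common image formats.

```python
import os
import tempfile

# Image extensions and the magic bytes each should start with
# (assumption: this small table is enough to illustrate the check)
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def find_hidden_image_drops(webroot):
    """Report image-named files stored under any dot-directory in webroot.

    Returns a sorted list of (relative_path, header_matches_extension) so the
    operator sees both where the drop is and whether the file is really an image.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # Only directories with a hidden (dot-prefixed) component are of interest
        if not any(p.startswith(".") for p in parts):
            continue
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(8)
            looks_like_image = any(head.startswith(m) for m in IMAGE_MAGIC[ext])
            rel_path = "/".join(parts + [name])
            findings.append((rel_path, looks_like_image))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree mirroring the path in the post: a hidden .index
    directory holding a real GIF and a file whose .jpg extension is a lie,
    plus a normal upload directory that should not be reported."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, "components", "com_content", "views", ".index")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "aa__blut.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 20)
    with open(os.path.join(hidden, "4scpcn.jpg"), "wb") as fh:
        fh.write(b"<html>not an image</html>")  # extension does not match content
    normal = os.path.join(root, "wp-content", "uploads")
    os.makedirs(normal)
    with open(os.path.join(normal, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)
    return root


if __name__ == "__main__":
    for path, ok in find_hidden_image_drops(build_sample_webroot()):
        print(f"{path}: {'image' if ok else 'NOT an image'}")
```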

The site devriestree.com is hosted at Server Beach, and belongs to:

$whois devriestree.com

Whois Server Version 2.0

Domain Name: DEVRIESTREE.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS.NETVTECH.COM
Name Server: NS1.GEODNS.NET
Name Server: NS2.GEODNS.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-oct-2008
Creation Date: 19-oct-2005
Expiration Date: 19-oct-2010

Registrant:
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: DEVRIESTREE.COM
Created on: 18-Oct-05
Expires on: 19-Oct-10
Last Updated on: 12-Jul-07

Administrative Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax — 5618288035

Technical Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax — 5618288035

Domain servers in listed order:
NS1.GEODNS.NET
NS2.GEODNS.NET
NS.NETVTECH.COM

The Web site at netvtech.com

Folks, seriously, update your WordPress installs. It’s automatic and effortless.


EDITED TO ADD:
The person who defaced the Web site and who is storing his images on hacked WordPress sites has a Web site of his own, through which he sells stolen credit card numbers, phish kits, stolen bank account information, and so on. His Web site is at

http://ne-stop.com/

and is hosted by Hurricane Electric.

$whois ne-stop.com

Whois Server Version 2.0

Domain Name: NE-STOP.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.HE.NET
Name Server: NS2.HE.NET
Name Server: NS3.HE.NET
Status: clientTransferProhibited
Updated Date: 12-jan-2010
Creation Date: 11-jan-2010
Expiration Date: 11-jan-2011

>>> Last update of whois database: Mon, 18 Jan 2010 07:57:57 UTC <<<

Registration Service Provided By: Hurricane Electric Internet Services
Contact: hostmaster@he.net
Visit: hurricanenames.net

Domain name: ne-stop.com

Registrant Contact:
Ladde Weiong
Ladde Weiong ()
Fax:
125 Club Garden Road
Sheffield, S11 8BW
GB

Administrative Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Technical Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Status: Locked

Name Servers:
ns1.he.net
ns2.he.net
ns3.he.net

Creation date: 11 Jan 2010 11:56:14
Expiration date: 11 Jan 2011 11:56:14

As of the time of this writing, the front page of the site looked like this (click for larger):

Some thoughts on “Avatar”

No, I’m not going to write a review of the movie. There are reviews already posted all over the place, and for the most part, anything I could write in a review has already been said. Gorgeous scenery, check; incredible CGI characters, check; plot that’s very similar to Dances with Wolves, check; incredible, nearly obsessive-compulsive attention to detail, check; oodles of money, check.

Instead, I’m going to talk about just one thing about the movie, that really has nothing to do with the plot or the characters or the story. But first, I need to back up a bit. And by “a bit,” I mean “about thirty-five years.”

Back when I was a kid, I used to watch a whole lot of Saturday morning TV fare. And one day, when I was probably about six or eight years old or so, I caught a TV program about a group of people exploring space in a spaceship. This was, and is, a subject dear to my heart, and is just about bound to get my attention, so I watched it.

In the show–I don’t remember what it was called–there was a scene in which the captain ordered the crew to change course, so the navigator got out a slide rule and started plotting a new course. Now, I was about six or eight at the time, as I’ve mentioned; I didn’t yet have my first computer (in fact, microcomputers were still quite some number of years away, which probably dates me); I’d never even seen a computer, though I’d heard of them and knew that they were the size of basketball courts and used punched paper cards.

And still, that scene felt jarringly, obviously wrong to me. I had no idea what a computer might be like, and could not have hoped to describe what a computerized spacecraft might look like, but I knew that in the future, if we had faster-than-light spacecraft and we were voyaging to the stars, we were not going to be using slide rules.

Early on in the movie Avatar, there’s a scene where the main character and several other newcomers to the planet load up onto a shuttle for their trip down to the surface. We see, very briefly, a shot of the shuttle’s flight deck as the flight crew fires it up and gets ready to descend.

As the flight crew does their thing, the instruments come to life, surrounding the pilot with a holographic heads-up display of all this instrumentation and information. Later, as he makes his final approach, part of the heads-up display slides aside to give him an unobstructed view out the cockpit window. (I can’t find a shot of that particular scene, more’s the pity.)

That is one of the places where this movie succeeds brilliantly, and it instantly makes every science-fiction movie that we’ve seen ’til now look like a bunch of blokes fumbling around with slide rules.

One of the things that separates good writing from bad writing is attention to detail. In the case of science fiction, one of the details that separates good writing from bad writing is an understanding of how people use technology.

Science fiction is not a good predictor of technology, of course; if the day comes when we have vehicles and spacecraft as capable as the ones in Avatar, they probably won’t look the same, and there will probably be all sorts of things the movie missed.

But on that day, I bet a shuttle pilot could watch Avatar and nod her head, and say “Yeah, I can see designing a cockpit like that,” without the same sort of jarring navigating-with-a-slide-rule thing I felt watching that TV show.

This is not true of most of the rest of science fiction. Take the new, “rebooted” Star Trek, for instance. The bridge of the Enterprise is pretty and all, but it seems to my eye to be lacking a certain…functionality.

Consoles that you have to stand behind. Flat, 2D control surfaces everywhere. Mechanical fixtures. Chairs without armrests. This is a set that was intended to be pretty, but was not designed with any sort of sense of how people in the future might actually use their technology. The first time I saw Avatar, that quick scene in the shuttle’s flight deck brought images of the Star Trek movie painfully to mind, and I cringed. There was an idea of “Yes, this makes sense, and why can’t other movies get this right?”

When I look at the bridge of the Enterprise now, it reminds me very strongly of the Lincoln Futura concept car, an outrageously expensive vehicle built in 1955 as a sort of exploration of how the future might go.

Apparently, the inability to think about how people interact with technology is not a failing unique to science fiction writers; the designers who thought this car up didn’t consider the possibility that perhaps two people who are riding together might want to…talk to each other.

Storytelling, especially science fiction, often succeeds or fails on the details, and in this particular case, these are details that Avatar does very well indeed.

False Advertising

So a few weeks back, zaiah and I went shopping, and found a bargain basement bin of B-movies (say that ten times fast!) for about five bucks each.

Some of the movies were cheesy old low-budget horror flicks that have been re-released on DVD by a company which uses a woman being ravished by a tentacle monster as their logo:

Now, I may be a purist, but I don’t think that anyone should be allowed to put a picture of a woman being ravished by a tentacle monster on the front cover of any DVD that does not actually contain scenes of a woman being ravished by a tentacle monster. That is DEFINITELY false advertising, it is.

I also think it’s kind of interesting that “woman being ravished by a tentacle monster” has apparently become kind of synonymous with “horror movie.” I <3 living in this society...

Sex Toy Roundup: Santa’s List for Naughty Girls and Boys

I’ve just posted a quick rundown of the ten best things to put under the tree for the naughty people on your list over at weeklysextip.com — and I’m sure you’re all dying of curiosity to know what made the list. Check it out!

Kittens!

We have, through no fault of our own, kittens.

Six of them. All black. Five boys and one girl. One of the cats at zaiah’s farm house got loose when she was in heat, and got knocked up almost instantly, so kittens! Six tiny fuzzy cute little tiny cute fuzzy little kittens!

They need homes. If you want one of these kittens, and you’re in or near Portland, let me know! My cat Liam, who is not included in this offer, loves them to death.

Computer security? Best practice? Yeah, those are things we’ve heard of.

If you’ve ever run a small business, or done any accounting, you’re probably familiar with Intuit, the company that makes the popular QuickBooks accounting software.

Intuit does a lot of things other than QuickBooks, of course. They are also a business Web hosting company, a payroll tax service, a credit card merchant account company, a computer virus distribution network, and a marketing company, among other things. Not everyone knows about all the services they offer; in particular, their marketing and computer virus distribution services appear to be underrated.

Yep, you read that right. They distribute computer viruses.

Oh, not on purpose, I’m sure. They simply appear to run Web sites whose Webmasters don’t really seem to know a lot about Web security. Which would seem to be about par for the course these days, except that they..err, specialize in software that handles business financial information.

Which is a wee bit concerning, if you use Intuit and would like to feel reassured that they take the security of their network and servers seriously.

Now, to be fair, it’s not actually their main site that has the problem, at least not that I’ve seen so far. Instead, they run many “community” sites, and on some of these sites they appear to have a…relaxed approach to security and best practices.

*** WARNING *** WARNING *** WARNING ***
The URLs listed below are live as of the time of this writing. They WILL try to redirect you to sites that attempt to download malware onto your computer. DO NOT visit these URLs if you don’t know what you’re doing!

While cleaning out the contents of the spam trap on one of the WordPress sites I run, I spotted a large number of spam-trapped comments advertising FREE NUDE PICTURES with URLs of an Intuit-owned property, community.quickbooks.co.uk. Now, I see these spam posts all the time, usually made from machines in Eastern Europe and usually pointing to sites that try to download the Asprox or Zlob malware.

This particular site, though, is overrun to a degree that is unusual even for sites with security problems. The site itself allows users to create their own profiles, but it does not appear to sanitize the user-supplied profiles for things like JavaScript, and it allows users to embed links and images in their profiles.

Which is, when you get right down to it, a recipe for disaster.

Anyway, the community.quickbooks.co.uk Web site is currently home to a large number of fake, automatically-generated profiles which redirect through a series of intermediates to malware sites that use a cocktail of browser exploits and social engineering tricks to try to slip malware onto visitors’ computers.

A smattering of these profiles includes:

http://community.quickbooks.co.uk/discussion/index.php?showuser=57944

http://community.quickbooks.co.uk/discussion/index.php?showuser=58063

http://community.quickbooks.co.uk/discussion/index.php?showuser=58395

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

Some of these profile sites, unusually, redirect through TinyURL to the destination payload site; others redirect more conventionally, through traffic loader sites in a manner similar to the ones I’ve written about before.

The sites redirect through TinyURL or another traffic loader to several intermediates and eventually end up at a place such as

http://stereotube.net/xfreeporn.php?id=45035

which offers free porn if you download a movie-player codec…which is, of course, a virus. (No free porn for YOU!)

Unsurprisingly, the payload site stereotube.net is registered with bogus information belonging to an identity theft victim; also unsurprisingly, it’s hosted on black-hat Web hosting company Calpop, a California Web host that has a long and ignoble history of knowingly hosting malware sites for Russian organized crime, as I’ve mentioned before.

In basic scope and layout, this is nothing but yet another Russian malware distribution network. There are only a few things about it that deviate at all from the bog-standard run-of-the-mill compromises I see every day. The first is that the compromised site is owned by Intuit, which makes me very nervous about how seriously they take computer security.

The second is that the phony profile pages that redirect to malware hide some of the redirection steps behind TinyURL redirectors such as http://tinyurl.com/25avirua rather than relying 100% on their own redirector network. (The TinyURL address redirects to a more conventional traffic redirector at http://arhetector.com/in.cgi?3&parameter=25aug, hosted by Worldstream.nl, which itself redirects to one of several sites such as stereotube.net, or to http://tinyurl.com/stereotubeonline-boom-03, which in turn redirects to http://stereotubeonline.com/xplays.php?id=48034, also hosted by Calpop.)

The third is that the phony profile pages are pulling images from various real porn sites. For example,

http://community.quickbooks.co.uk/discussion/index.php?showuser=57939

is grabbing a picture from http://www.pink4free.com/blogs/wp-content/uploads/Pink4Free/Cecash/BigTits/AllFreePorn.gif. The Web site pink4free.com used to run a WordPress blog–it appears to be defunct now–but that WordPress blog still has an open image directory, and it contains advertising banners that the Russian hackers are drawing from in a bid to make the redirectors look more convincing.
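The two things the post pins on these profile pages are unsanitized markup (script, meta refresh, inline event handlers) and off-site links and images laundered through a URL shortener. An audit routine a community-site operator could run over stored profile HTML, as an added example that is not the site’s or Intuit’s own code: it lists each of those findings and weights them into a simple score. The sample profile and the shortener host list are constructed and illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as redirect intermediates (assumption: illustrative, extend per site)
SHORTENER_HOSTS = {"tinyurl.com"}


class ProfileAuditor(HTMLParser):
    """Collect the markup a profile renderer should never have let through."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, value) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("src", "inline")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            # content looks like "0;url=http://..." ; keep only the target URL
            target = content.split("=", 1)[1].strip() if "=" in content else ""
            self.findings.append(("meta-refresh", target))
        elif tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"]))
        elif tag == "img" and a.get("src"):
            self.findings.append(("image", a["src"]))
        # Inline event handlers (onerror, onload, ...) are script by another name
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(("event-handler", name))


def audit_profile(html, site_host):
    """Return one dict per finding, flagging URLs that leave site_host
    and URLs that go through a known shortener."""
    parser = ProfileAuditor()
    parser.feed(html)
    out = []
    for kind, value in parser.findings:
        host = urlparse(value).hostname or ""
        out.append({"kind": kind, "value": value,
                    "offsite": bool(host) and host != site_host,
                    "shortener": host in SHORTENER_HOSTS})
    return out


def risk_score(findings):
    """Outright injection scores 10, shortener hops 5, plain off-site references 1."""
    score = 0
    for f in findings:
        if f["kind"] in ("script", "meta-refresh", "event-handler"):
            score += 10
        elif f["shortener"]:
            score += 5
        elif f["offsite"]:
            score += 1
    return score


# Constructed sample profile in the shape the post describes (URLs are placeholders)
SAMPLE_PROFILE = """<div class="profile">
<meta http-equiv="refresh" content="0;url=http://tinyurl.com/xxxxxxxx">
<a href="http://tinyurl.com/xxxxxxxx">FREE NUDE PICTURES</a>
<img src="http://banner-host.example/AllFreePorn.gif" onerror="x()">
<a href="/discussion/index.php?showuser=1">my other profile</a>
</div>"""

if __name__ == "__main__":
    found = audit_profile(SAMPLE_PROFILE, "community.quickbooks.co.uk")
    for f in found:
        print(f)
    print("risk score:", risk_score(found))
```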

When I go to my taxes next year, I don’t think I’ll use Intuit.

Because sex is a lot like astrophysics…

In the study of stellar evolution, there is this concept called the main sequence, a well-defined band that you see whenever you survey all the stars in the sky and plot their color on one axis and their brightness on the other. Not all stars fall into the main sequence, but the vast majority do; there’s even a lovely image of the graph here.

It seems the same is true of relationships. Stellar evolution and stellar nucleosynthesis map with remarkable fidelity onto relationships, I’ve observed, with a plot of “intensity of relationship” (as a function of emotional investment and expectation of continuity) vs. “sexual boundaries” showing patterns startlingly similar to the main sequence. At least to me.

So for example if you plot sexual boundaries horizontally and relationship intensity vertically, you might see something like this:

The sexual boundaries increase from left to right, with the classifications as:

A: Anything goes. Unbarriered, unprotected, full-on squishy fluid-bonded sex.
B: Barriers for anal and PIV sex
O: Unbarriered oral; no penetrative sex.
F: Fisting and/or fingering without barriers; barriers for anything else.
G: Gloves for fingering; no wet and squishy contact, even manual, without them.
P: Pants stay on; above-the-pants contact allowed.
M: Makeout partners–no removing of clothing.

Now, not all the partners one can have fall in the main sequence. Along the top of the graph, we see partners distributed in Type Ia and Type Ib classifications: these are people you will schedule regular orgies with or a regular BDSM play relationship with, which may or may not involve sex (directly) but do involve a high level of emotional investment and commitment. Some of these folks might even be considered “family.”

If you’re part of the sex-positive community, you might go to orgies or play parties on a regular basis, and see the same folks over and over. These are folks you don’t necessarily have squishy sex with, but you might have some sort of irregular or semi-regular play/makeout relationship with. There’s not necessarily a high level of emotional investment, but you notice when you show up to a party and they aren’t there.

Type IV partners are most commonly found in poly relationships. These are the “Too Complicated To Explain” partners–they’re not necessarily partner partners, and they’re not necessarily part of the family, but they’re not not partners either…

A branch from the main sequence sometimes occurs for metamours, who a person might have some sort of sexual relationship with, but might not continue if that person’s partner breaks up with that person, but then again, sometimes these relationships do continue on their own, and…yeah, it’s complicated. Past a certain point, it’s not always clear from a single partner whether that person is main sequence or metamour.

A scattering of partners exist with a high level of sexual contact but a low level of relationship investment. These partners tend to scatter along the Friends with Benefits and One-Night Stand axes.