Movie review: “San Andreas”

“San Andreas” is what I call a summer popcorn movie. Something very different from the art house fare I usually watch (e.g., “Far From the Madding Crowd“). That was reflected in the audience which included a man who fiddled with his phone, making no attempt to shield the screen, at least eight times throughout the film. He was close enough to be annoying but far enough away that I couldn’t discreetly tell him to stop being a self-centered asshole. Too, a lot of the audience applauded at the end. Which made me think these are people who think the TV show “Duck Dynasty” is awesome.

Let me start with the two things about the movie that were good: Paul Giamatti’s performance as the scientist and the special effects. Not only was Paul’s performance excellent, his character avoided the usual movie scientist clichés. And the CGI special effects were for the most part amazingly realistic and blended extremely well into the live action.

The rest of the movie was a disaster (pun intended). Formulaic. Stocked with the usual disaster movie stereotypes and cardboard cutout characters. No thinking required because you could predict the next scene and each scene required no knowledge of what preceded it.

The opening scene wasn’t just implausible, it was downright ludicrous. It portrayed a helicopter (piloted by Dwayne “The Rock” Johnson’s character) descending into a canyon narrower in places than the diameter of the helicopter’s rotors. The pilot deals with that by angling the helicopter along its long axis to “side slip” into the canyon. And he did it with a civilian reporter and cameraman onboard. Such ludicrous scenes appeared every few minutes from start to finish. Which is acceptable in a movie like “Avengers: Age of Ultron” or “Mad Max: Fury Road” where you know you’re in a comic book universe (and I thoroughly enjoyed both). In “San Andreas” it just made me chuckle every time it occurred.

I’m damn happy I only paid $5.50 for a Sunday matinee showing. Had I paid $11+ I would be royally pissed.

Malware attacking the WordPress Download Manager plugin

I’ve seen three attempts to exploit the WordPress Download Manager plugin in the past couple of days and forty since I saw the first one on 2015-02-06. Not a huge number, which is why it escaped my attention until now, when I saw several attacks in a short interval. The signature is a “POST /” request with payloads like the following (these are from the most recent attacks):

action=wpdm_ajax_call&user_login=admin-jonns&execute=wp_insert_user&role=administrator&user_pass=1213141516

action=wpdm_ajax_call&user_login=userdemo&execute=wp_insert_user&role=administrator&user_pass=demopassword

action=wpdm_ajax_call&user_login=uLIr2a&execute=wp_insert_user&role=administrator&user_pass=c3oTzz

This article at blog.sucuri.net provides details about the nature of the attack.

Can such attacks be detected and blocked in a generic manner? What are the rules or minimal requirements for issuing a POST request to the WordPress root document? The WordPress documentation doesn’t answer that question; at least not in a manner someone who doesn’t write plugins can find and understand. A lot of Googling didn’t find any answers. I’ve asked on the WordPress support forums how to determine if a POST request is valid but so far no answers.

Since I’ve never seen a legitimate “POST /” request at my site, I’ve implemented the following .htaccess rule:

# Detect attempts to POST / without an authentication token. We regularly see
# malware attempt to create accounts via that API.
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} =/ [NC]
RewriteCond %{HTTP_REFERER} !^https?:// [NC,OR]
RewriteCond %{HTTP_COOKIE} !wordpress_test_cookie=WP\+Cookie\+check [NC,OR]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC,OR]
RewriteCond %{THE_REQUEST} \sHTTP/(?:0\.9|1\.0)$ [NC]
RewriteRule ^ /blocked.php [END,E=error-notes:invalid-wp-root-post]

That rule is almost certainly wrong. For example, I have no reason to believe that such requests should include the cookie “wordpress_test_cookie”. I’ve included those requirements because I’ve noticed that a lot of malware violates those conditions even where they are known to be required. As I’ve never seen a legitimate post to my WordPress root document it seems reasonable to be too strict.
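The same heuristic as the .htaccess rule above, re-implemented in Python so it can be tried offline against request records. This is an added example, not code from the post. Apache ANDs the first two RewriteConds with the OR group that follows, so a request is blocked when it is a POST to “/” and any one of the four remaining conditions holds. The request records are constructed for this example; the form body is the first payload logged above, and the example also names the Download Manager pattern in that body (wpdm_ajax_call asking for wp_insert_user with role=administrator).

```python
"""Added example, not the post's own code: the "POST /" rule above as a Python
check, plus a parser for the wpdm_ajax_call payload. Request records are
constructed; the attack body is the first one logged in the post."""
import re
from urllib.parse import parse_qs


def root_post_violations(method, uri, protocol, headers):
    """Return the conditions a "POST /" request violates (empty list = passes).
    Non-root or non-POST requests never match, exactly as in the rule."""
    if method.upper() != "POST" or uri != "/":
        return []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cookie = h.get("cookie", "")
    reasons = []
    if not re.match(r"^https?://", h.get("referer", ""), re.I):
        reasons.append("Referer is not an http(s) URL")
    if not re.search(r"wordpress_test_cookie=WP\+Cookie\+check", cookie, re.I):
        reasons.append("no wordpress_test_cookie")
    if not re.search(r"wordpress_logged_in_", cookie, re.I):
        reasons.append("no wordpress_logged_in_ cookie")
    if protocol.upper() in ("HTTP/0.9", "HTTP/1.0"):
        reasons.append("pre-HTTP/1.1 request")
    return reasons


def describe_wpdm_payload(body):
    """Name the Download Manager abuse pattern from the post: an AJAX call that
    asks the plugin to run wp_insert_user with role=administrator.
    Returns None when the body is not a wpdm_ajax_call at all."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("action") != "wpdm_ajax_call":
        return None
    if params.get("execute") == "wp_insert_user" and params.get("role") == "administrator":
        return "administrator account creation for user_login=%s" % params.get("user_login")
    return "wpdm_ajax_call execute=%s" % params.get("execute")


def classify(req):
    """Combine both checks for one request record."""
    reasons = root_post_violations(req["method"], req["uri"], req["protocol"], req["headers"])
    return {
        "blocked": bool(reasons),
        "reasons": reasons,
        "payload": describe_wpdm_payload(req.get("body", "")),
    }


# Constructed sample records. The attack body is the first payload logged in the
# post; its headers are deliberately minimal, the way the post says this
# malware's requests are.
ATTACK_REQUEST = {
    "method": "POST", "uri": "/", "protocol": "HTTP/1.0",
    "headers": {"Host": "www.example.com",
                "Content-Type": "application/x-www-form-urlencoded"},
    "body": ("action=wpdm_ajax_call&user_login=admin-jonns&execute=wp_insert_user"
             "&role=administrator&user_pass=1213141516"),
}

# A logged-in browser request carrying the headers the rule expects.
BROWSER_REQUEST = {
    "method": "POST", "uri": "/", "protocol": "HTTP/1.1",
    "headers": {"Host": "www.example.com",
                "Referer": "https://www.example.com/wp-admin/",
                "Cookie": "wordpress_test_cookie=WP+Cookie+check; "
                          "wordpress_logged_in_0123=alice%7Cexample"},
    "body": "comment=hello",
}

if __name__ == "__main__":
    for name, req in (("attack", ATTACK_REQUEST), ("browser", BROWSER_REQUEST)):
        print(name, classify(req))
```

Run against the two records, the attack is blocked for all four reasons while the browser request passes; the payload description is independent of the header checks, so it still identifies the account-creation attempt even if a scanner later learns to send the cookies.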

New malware user-agent value: “Jorgee”

Update 2015-09-09: I’ve seen a huge increase in people reading this article in the past two days. Checking my logs I see that my server was attacked again by the “Jorgee” malware yesterday. The previous attack was almost exactly three months ago (specifically 2015-06-03). The latest attack was from a personal computer in Brazil with a gvt.net.br domain name. The attack signature appears to be identical to earlier attacks. As I say below, the smart thing to do is explicitly disallow proxying and blacklist any source trying to use your server as a proxy. Also, blacklist any HTTP user-agent containing the word “Jorgee”.

Lastly, consider blacklisting URIs that you know are not valid for your site and which are frequent targets of attacks. For example, the WordPress “revslider” plugin has had multiple vulnerabilities. Hardly a day goes by that I do not see an attack trying to exploit a revslider vulnerability. Which means it will never be installed on my site. I automatically blacklist any source which makes a request that references that plugin.

Update 2015-05-03: I’ve seen relatively few “Jorgee” attacks since the original one I wrote about below. This morning I saw a coordinated attack from 80 machines, each making over 100 requests, in the span of two minutes. The user-agent string was “Mozilla/5.0 Jorgee”. The URIs included those I recorded in the original attack (see below) plus a few new ones. Also, like the original attack, all of these were HEAD requests phrased as a proxy request with the ultimate target my own server.

Today I saw a heretofore unknown HTTP user-agent string: “Jorgee”. The word “Jorgee” has appeared in the Cookie HTTP header of the “Ringing.at.your.dorbell!” attack. I strongly recommend blacklisting the “Jorgee” user-agent value. These are the rules I have in my .htaccess file to reject blocked user-agents:

# Block ZmEu and other bots based on their user agent signature. Another sign
# that hackers aren't as smart as they think they are. Note the first
# condition. A quoted user-agent string is another sign of a sloppy hacker. No
# legitimate browser or web crawler quotes the user-agent string.
RewriteCond %{HTTP_USER_AGENT} ^" [OR]
RewriteCond %{HTTP_USER_AGENT} =x00_-gawa.sa.pilipinas.2015 [OR]
RewriteCond %{HTTP_USER_AGENT} =Jorgee [OR]
RewriteCond %{HTTP_USER_AGENT} =ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} =immoral [OR]
RewriteCond %{HTTP_USER_AGENT} ^PHP/5\.{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*\stools.ua.random [OR]
RewriteCond %{HTTP_USER_AGENT} ^chroot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s [OR]
RewriteCond %{HTTP_USER_AGENT} ^I'm\sa\smu\smu [OR]
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^q\[ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus\sFucking\sScanner
RewriteRule ^ blocked.php [END,E=error-notes:blacklisted-user-agent]

The attack came from a dynamic address in domain telefonica.de in Germany. The malware was issuing requests that superficially looked like proxy requests. I say superficially because the IP address was that of my server. For example:

HEAD http://75.101.21.75:80/mysql/admin/ HTTP/1.1

The proxy formulation caused my web server abuse monitor to automatically blacklist the source since I don’t allow proxying via my web server. For posterity here are the 85 URIs this malware probed:

/2phpmyadmin/
/MyAdmin/
/PMA/
/PMA2011/
/PMA2012/
/admin/
/admin/db/
/admin/pMA/
/admin/phpMyAdmin/
/admin/phpmyadmin/
/admin/sqladmin/
/admin/sysadmin/
/admin/web/
/administrator/PMA/
/administrator/admin/
/administrator/db/
/administrator/phpMyAdmin/
/administrator/phpmyadmin/
/administrator/pma/
/administrator/web/
/database/
/db/
/db/db-admin/
/db/dbadmin/
/db/dbweb/
/db/myadmin/
/db/phpMyAdmin-3/
/db/phpMyAdmin/
/db/phpMyAdmin3/
/db/phpmyadmin/
/db/phpmyadmin3/
/db/webadmin/
/db/webdb/
/db/websql/
/dbadmin/
/myadmin/
/mysql-admin/
/mysql/
/mysql/admin/
/mysql/db/
/mysql/dbadmin/
/mysql/mysqlmanager/
/mysql/pMA/
/mysql/pma/
/mysql/sqlmanager/
/mysql/web/
/mysqladmin/
/mysqlmanager/
/php-my-admin/
/php-myadmin/
/phpMyAdmin-3/
/phpMyAdmin/
/phpMyAdmin2/
/phpMyAdmin3/
/phpMyAdmin4/
/phpMyadmin/
/phpmanager/
/phpmy-admin/
/phpmy/
/phpmyAdmin/
/phpmyadmin/
/phpmyadmin2/
/phpmyadmin3/
/phpmyadmin4/
/phppma/
/pma/
/pma2011/
/pma2012/
/program/
/shopdb/
/sql/myadmin/
/sql/php-myadmin/
/sql/phpMyAdmin/
/sql/phpMyAdmin2/
/sql/phpmanager/
/sql/phpmy-admin/
/sql/phpmyadmin2/
/sql/sql-admin/
/sql/sql/
/sql/sqladmin/
/sql/sqlweb/
/sql/webadmin/
/sql/webdb/
/sql/websql/
/sqlmanager/
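The user-agent blacklist above and the proxy-form request line the “Jorgee” scan used, as Python checks that can be run over log entries offline. This is an added example, not code from the post. Each RewriteCond becomes one regex; Apache’s “=” comparison is an exact match, which is why “Mozilla/5.0 Jorgee” (the value in the 2015-05-03 update) slips past “=Jorgee” and needs the contains-the-word rule the later updates recommend. The server address is the one shown in the request line above; the other sample values are constructed.

```python
"""Added example, not the post's own code: the .htaccess user-agent blacklist
and the proxy-form request line from the "Jorgee" scan as Python checks."""
import re
from urllib.parse import urlsplit

# One regex per RewriteCond, in the same order; '=' conditions are exact matches.
UA_RULES = [
    re.compile(r'^"'),                              # quoted user-agent string
    re.compile(r'^x00_-gawa\.sa\.pilipinas\.2015$'),
    re.compile(r'^Jorgee$'),
    re.compile(r'^ZmEu$'),
    re.compile(r'^immoral$'),
    re.compile(r'^PHP/5\.\{'),
    re.compile(r'^.*\stools.ua.random'),
    re.compile(r'^chroot'),
    re.compile(r'^DataCha0s'),
    re.compile(r"^I'm\sa\smu\smu"),
    re.compile(r'^\(\)\s\{'),                       # bash function-definition prefix
    re.compile(r'^q\['),
    re.compile(r'^Morfeus\sFucking\sScanner'),
]
# Words whose presence anywhere in the value is enough, per the updates above.
UA_SUBSTRINGS = ("Jorgee",)


def ua_blacklisted(ua, rules=UA_RULES, substrings=UA_SUBSTRINGS):
    """True if the User-Agent value matches an exact rule or contains a banned word."""
    if any(r.search(ua) for r in rules):
        return True
    ua_l = ua.lower()
    return any(s.lower() in ua_l for s in substrings)


def proxy_form_target(request_line, own_hosts):
    """Inspect the request-target of an HTTP request line.
    Returns (is_proxy_form, targets_this_server, path). A proxy-form target is an
    absolute URI such as 'http://75.101.21.75:80/mysql/admin/'; an origin-form
    target is a bare path like '/index.php'."""
    parts = request_line.split()
    if len(parts) != 3:
        return (False, False, None)
    target = parts[1]
    if not re.match(r'^https?://', target, re.I):
        return (False, False, target)
    u = urlsplit(target)
    return (True, u.hostname in own_hosts, u.path or "/")


# Path fragments shared by the 85 probed URIs listed above.
ADMIN_PANEL_PATH = re.compile(
    r'(?i)(phpmyadmin|pma|myadmin|mysql|sqlmanager|dbadmin|phpmanager|websql)')


def classify(request_line, user_agent, own_hosts):
    """Collect the reasons a log entry would be rejected under the rules above."""
    reasons = []
    if ua_blacklisted(user_agent):
        reasons.append("blacklisted user-agent")
    is_proxy, targets_self, path = proxy_form_target(request_line, own_hosts)
    if is_proxy:
        reasons.append("proxy-form request" + (" aimed at this server" if targets_self else ""))
    if path and ADMIN_PANEL_PATH.search(path):
        reasons.append("database admin panel probe")
    return reasons


OWN_HOSTS = {"75.101.21.75"}  # the server address in the request line quoted above

if __name__ == "__main__":
    print(classify("HEAD http://75.101.21.75:80/mysql/admin/ HTTP/1.1",
                   "Mozilla/5.0 Jorgee", OWN_HOSTS))
    print(classify("GET /index.php HTTP/1.1",
                   "Mozilla/5.0 (X11; Linux x86_64)", OWN_HOSTS))
```

Passing `substrings=()` to `ua_blacklisted()` reproduces the behaviour of the .htaccess rules as written, which is a quick way to confirm that the “Mozilla/5.0 Jorgee” variant would not have been caught by them.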

Hosting provider Aventice.com lets their clients attack other computers

Immediately after posting the article below I emailed this to the Aventice abuse team:

You're clearly trying to balance the needs of the Internet as a whole while not pissing off your customers. But your VPN customer in this case is clueless. The right thing to do is to not blacklist my server so that you and your customer stop hearing unpleasant news. You and your VPN customer should continue to accept attack reports and deal with each one to minimize the harm to the Internet as a whole.

In the past week I’ve blacklisted 30 addresses owned by hosting provider Aventice.com for HTTP attacks against my piddling blog. I reported nearly all of those attacks to Aventice. Their initial response was that they had forwarded the report to the client who was leasing those addresses.

I then received a rather unusual response from the Aventice abuse department in the past 24 hours:

Our client confirmed that they have now blocked your IP address from all of their servers and you should not receive any further attacks to your network. If you receive anything from today’s onwards please forward it to us and we will take action against them.

What. The. Fuck. Note that I do not own a “network”. I have a dynamically assigned IP address from Sonic.net for my personal use.

I replied to that message with

In what manner is blocking outgoing traffic to a specific IP an acceptable solution to a malware infestation? Presumably their servers are still attacking other sites if they haven’t removed the malware.

The Aventice abuse team responded with

We have a client who’s one of the largest VPN providers in the world and they have over 4 million customers and 40 servers with us in different cities and states. Unfortunately they have a few “Bad” users where they misuse their services to initiate attacks on other websites. They have suspended and terminated their “Bad” users however they sign up with different names and email addresses. So by blocking your IP address in all of their servers they will not be able to attack your websites anymore. I would also recommend you to block those mentioned IP addresses in your server permanently and not just for 90 days.

Obviously Aventice is trying to do the right thing yet cares more about their revenue stream than they do about protecting the Internet from abuse. Their customer who is running a VPN service is clearly clueless about dealing with abusers of their service. They think that blacklisting individual complainants to stop them from reporting attacks is an acceptable response.

Aventice refused to name their VPN client so I can’t publicly shame them. But I can publicly shame Aventice for aiding and abetting companies that don’t care if they destroy the Internet.

New WordPress attack: POST /wp-admin/maint/repair.php

Update: I received the following reply from Dion Hulse speaking on behalf of the WordPress project in response to my email to security@wordpress.org. He points out what should have been obvious to me: the malware is probably probing for details about the database schema in hopes of crafting SQL injection attacks.

The 'pass' and 'p2' parameters have never been used, nor have any effect, on the maint/repair.php script. It's possible that these could be used by a plugin though.

The script in question is a tool for when a database has become corrupt, and user-logins are no longer possible (for example, the user table has crashed), because of this, no user authentication is handled on the request.

The authentication which the script relies upon is the existence of the 'WP_ALLOW_REPAIR' constant, which a remote user cannot trigger, only someone with code-level access to the server can.

My assumption here is that they're searching for WordPress installs which have incorrectly left the script open and available, they could use this to discover the database table prefixes, which in itself doesn't give them much details, but could be used to get a more reliable SQL Injection through a vulnerability in a plugin. The chances of all these aligning is very small though.

The following trac ticket has a few improvements which could be made to this script:
https://core.trac.wordpress.org/ticket/11717 

Today I logged a new attack against my WordPress installation. Malware is now issuing POST /wp-admin/maint/repair.php (and rrepair.php) requests. The data in all four requests is the following:

pass=asldkjsdfhoiuer3u98iuefghkjdbvmnbkjhas398&p2=ZWNobyAieHh4ISEheHh4Ijs=

WordPress quite unhelpfully returns a 200 (OK) HTTP status even though the request was rejected. This is something about WordPress that really irritates me. It frequently reports an OK HTTP status when in fact something went wrong, e.g., an authentication failure. In this particular case the failure is because I have not enabled the feature. How did I learn this? I created a file named wp-repair-post.req with the content of the request sent by the malware:

POST /wp-admin/maint/repair.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Length: 74
Host: www.skepticism.us
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.skepticism.us/wp-admin/maint/repair.php
Cookie: wordpress_test_cookie=WP+Cookie+check

pass=asldkjsdfhoiuer3u98iuefghkjdbvmnbkjhas398&p2=ZWNobyAieHh4ISEheHh4Ijs=

I then manually sent that request to my web server:

nc localhost 80 < wp-repair-post.req

The output from WordPress helpfully told me:

To allow use of this page to automatically repair database problems, please add the following line to your wp-config.php file. Once this line is added to your config, reload this page.

define('WP_ALLOW_REPAIR', true);

I then enabled that feature and reissued the request. This time WordPress returned an HTML page that included a button with the link repair.php?repair=1. So I modified the request to include that query string.

Holy shit! Even though the passwords in the post are completely bogus, WordPress reported that it did in fact perform a repair:

The <code>blog_users</code> table is okay.
The <code>blog_usermeta</code> table is okay.
The <code>blog_posts</code> table is okay.
The <code>blog_comments</code> table is okay.
The <code>blog_links</code> table is okay.
The <code>blog_options</code> table is okay.
The <code>blog_postmeta</code> table is okay.
The <code>blog_terms</code> table is okay.
The <code>blog_term_taxonomy</code> table is okay.
The <code>blog_term_relationships</code> table is okay.
The <code>blog_commentmeta</code> table is okay.
Repairs complete. Please remove the following line from wp-config.php to prevent this page from being used by unauthorized users.

<code>define('WP_ALLOW_REPAIR', true);</code>

The /wp-admin/maint/repair.php URI performs no authentication. WTF! Who in the hell thinks an unauthenticated administrative interface is acceptable in the year 2015?

What is unclear is why the malware is probing that URI. On the bleeding edge WordPress 4.2.3 release I’m running, the “pass” and “p2” parameters appear to be ignored. Are they utilized in earlier versions? If so then these probes might be a way to verify whether a password is valid. Is the malware simply trying to overload the site with database repair activity? Whatever the case, I’ve opened an enhancement request to make this interface authenticate the request and filed a security report with security@wordpress.org.
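Two offline checks around the repair.php probe, added here as an example and not code from the post or from WordPress. The first decodes the “p2” value the malware sent: it is plain base64 of a one-line PHP statement, which is useful context when deciding what the probe is looking for. The second audits a wp-config.php for a WP_ALLOW_REPAIR define left switched on, the one condition under which the unauthenticated repair page actually does anything; a log matcher for the repair.php (and rrepair.php) request itself is included because, as noted above, the 200 status cannot be used to tell a rejected probe from a real repair. The POST body is the one logged in the post; the wp-config.php fragments are constructed.

```python
"""Added example, not the post's or WordPress's code: decode the logged p2
parameter, match repair.php probes in request lines, and audit wp-config.php
for a live WP_ALLOW_REPAIR define."""
import base64
import binascii
import re
from urllib.parse import parse_qs

LOGGED_BODY = "pass=asldkjsdfhoiuer3u98iuefghkjdbvmnbkjhas398&p2=ZWNobyAieHh4ISEheHh4Ijs="

# PHP constructs that, in a decoded parameter, mean the sender expects the
# value to be executed rather than stored.
PHP_CODE = re.compile(r"\b(echo|eval|system|exec|passthru|shell_exec|assert)\b")


def decode_base64_params(body):
    """Return {name: text} for each form parameter that is valid base64 and
    decodes to printable ASCII. Values that are not base64 (like 'pass' above,
    whose length is not a multiple of 4) are skipped."""
    decoded = {}
    for name, values in parse_qs(body).items():
        for value in values:
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():
                decoded[name] = text
    return decoded


def looks_like_php(text):
    """True when a decoded parameter reads as PHP source."""
    return bool(PHP_CODE.search(text))


def is_repair_probe(request_line):
    """Match GET/POST to /wp-admin/maint/repair.php and the rrepair.php variant
    the post mentions, with or without a query string."""
    return bool(re.match(r"^(POST|GET)\s+/wp-admin/maint/r{1,2}epair\.php(\?|\s)",
                         request_line))


def repair_enabled(wp_config_text):
    """True if wp-config.php contains a live define('WP_ALLOW_REPAIR', true).
    Block and line comments are stripped first so a commented-out define does
    not count (a '#' or '//' inside a string on the same line would also be
    treated as a comment start, which is acceptable for this audit)."""
    code = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.S)
    define = re.compile(r"""define\s*\(\s*['"]WP_ALLOW_REPAIR['"]\s*,\s*(true|1)\s*\)""", re.I)
    for line in code.splitlines():
        line = re.split(r"//|#", line, maxsplit=1)[0]
        if define.search(line):
            return True
    return False


# Constructed wp-config.php fragments.
ENABLED_CONFIG = "<?php\ndefine('DB_NAME', 'blog');\ndefine('WP_ALLOW_REPAIR', true);\n"
SAFE_CONFIG = "<?php\ndefine('DB_NAME', 'blog');\n// define('WP_ALLOW_REPAIR', true);\n"

if __name__ == "__main__":
    for name, text in decode_base64_params(LOGGED_BODY).items():
        print(name, repr(text), "php-like" if looks_like_php(text) else "")
    print("enabled:", repair_enabled(ENABLED_CONFIG), "safe:", repair_enabled(SAFE_CONFIG))
```

Decoding the logged body yields `echo "xxx!!!xxx";` for p2, a harmless marker statement of the kind used to test whether a parameter is evaluated as PHP. Running `repair_enabled()` over the live wp-config.php after a repair is the check that matters, since the page itself prints a reminder to remove the line but nothing enforces it.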

Movie review: “The Last Brickmaker in America”

I put “The Last Brickmaker in America” in my Netflix queue solely because it starred Sidney Poitier. If you haven’t seen “To Sir, with Love”, “In the Heat of the Night”, and “Guess Who’s Coming to Dinner” you really should do so. Those were filmed when Mr. Poitier was at his peak and are amazing films. Especially the last one which is set in the 1960’s and involves an interracial romance that has both sets of parents initially dead set against the pending marriage.

In “The Last Brickmaker in America” the only redeeming feature is Mr. Poitier’s performance. Let me start by pointing out that the DVD begins with trailers for four other “family friendly” (a phrase mentioned several times) films. One of the trailers included the breathlessly intoned “This is the film Christians have been waiting for.” The distributor of this film and at least two of the trailers is Phase 4 Films. Their logo makes you immediately think of a Christian cross. Given the company is based in North America and focuses on family-oriented films that is probably intentional:

Phase 4 Films logo

This is apparently a made-for-TV movie similar to those produced by the Hallmark Channel that anyone watching TV in the 1970’s and 1980’s will remember. Unfortunately this movie is far worse than anything I remember from the Hallmark Channel.

Every single character is cherubic with not a hair out of place and clothing so clean and starched, even when digging a ditch, you marvel at their ability to go through life as if every moment was wearing their Sunday best as they enter church. The child protagonist is given dialog that is completely unbelievable for a 13 year old.

There were a couple of memorable scenes before I gave up around the halfway point and ejected the DVD. The first was a set piece between the estranged husband and wife. The husband is expressing his frustration that the wife not only went to college after they were married but went on to have a career that didn’t involve spending all day cooking and cleaning their home. The second was a storm of biblical proportions that destroyed several hundred bricks the Poitier character and the child protagonist had made earlier that day. Note that this wasn’t just an unexpected rain storm. It was a hurricane level event. Something you might think the national weather service might have predicted and a brick maker might have prepared for.

I remember when “God’s Not Dead” was released last year. I did not waste my money to see it in the theater. Not even a $5.50 matinee showing. Yet based on the reviews of “God’s Not Dead” I can only conclude it is a better movie than “The Last Brickmaker In America”.

I just learned there is a Christian movie even worse than the one I just wrote about. This review of “C Me Dance” by The Bible Reloaded team makes “The Last Brickmaker in America” seem almost Oscar worthy in comparison. Also, see the reviews of “C Me Dance” on IMDB. Awful dialog, storylines, acting, directing and cliches seem to epitomize “Christian” movies. This is itself a strong argument for reducing the influence of Christianity in America.

Newspaper gives honest answer to “Why do you support such a liberal agenda?”

The title of this post is from Daily Kos where Black Max points out that the newspaper’s answer contains

No snark, no smartassery. This is one of the finest responses I’ve ever seen to this kind of question.

I encourage you to read the article by Taylor Batten. Here are a couple of the answers that resonated especially strongly with me:

We believe in consistency, so if you are going to drug-test recipients of public assistance, drug-test them all, including the corporate chieftains who are the biggest beneficiaries.

That’s because the “masters of the universe” on Wall Street who precipitated the 2008 economic collapse and received enormous bailouts by the US government have suffered no consequences. No drug testing let alone jail time. And

We believe if you’re a fan of a politician solely because he has a ‘D’ or an ‘R’ after his name, then you’re not paying attention.

That last quote struck home because until the 2010 midterm elections I gave little consideration to the political affiliation of a candidate. Until 2010 I had always believed in voting for the most qualified candidate regardless of their party affiliation. But in the 2010 election I voted for any candidate who was not a Republican. It didn’t matter to me if the Republican was a better choice than their opponents. The Republican party was so toxic that I would vote for anyone who was not a Republican as long as they had not been convicted of a crime.

Having said that I’m still in agreement with Batten’s point that you should not vote for someone simply because of the political party (i.e., tribe) of which they are a member. Whether you should vote against someone due to their political party affiliation is an open question. As I write this I’m sorry to say the Republican party has been taken over by insane people unable to distinguish between reality and what they wished were true. Thus while I won’t vote for someone simply because they’re a Democrat I will vote against someone because they’re a Republican.

Also, you’ve got to read some of the comments to the article by Taylor Batten. Including this by John Keller:

He lost me with the Obama is not from Kenya comment. That was an obvious dig at conservatives, the majority of whom never believed that was true. …

Several people replied, correctly, that there was nary a conservative (and certainly not FOX News) arguing against the assertion that Obama was not a USA citizen and thus eligible to be president.

New, in your face, malware attacks me: /Ringing.at.your.dorbell!

Once in a great while I see a novel piece of malware. Novel in the sense that it is particularly stupid in its behavior and tells us the author is an egotistical asshole.

This week it is malware written by someone who can’t resist announcing in big bold letters that they are up to no good. Specifically, the malware makes HTTP attacks with the first request being “GET /Ringing.at.your.dorbell! HTTP/1.0”. Yes, that’s “dorbell” not “doorbell”. That plus the odd grammar implies this is a non-native speaker of English. The user-agents I’ve seen are “x00_-gawa.sa.pilipinas.2015” and “CVE-2014-6271 ;)”.

As is typical for these morons the malware fails to include a Host header. Which isn’t mandatory for an HTTP/1.0 request but has been standard practice for a decade since it is necessary for virtual hosts to function properly. The absence of a Host header is something I use to decide the request is from malware since no legitimate browser or web crawler written in the past decade would omit it.

Note that this is fundamentally a shellshock attack. You can read about how I block such attacks here.

Update 2015-05-19: I feel compelled to note that this particular malware may have more than one signature. The first couple of attacks looked a lot like typical shellshock attacks. For example, here are the HTTP headers from the first attack I logged (this is from the request that followed the GET /Ringing.at.your.dorbell! request):

Cache-Control: no-cache
Connection: close
Pragma: no-cache
Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Referer: http://google.com/search?q=2+guys+1+horse
User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`
Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`

That was my basis for asserting that this is fundamentally a shellshock attack. However, the next attack was not of the shellshock variety. For example, I then saw this in the HTTP headers in a request for URI /Diagnostics.asp:

Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!

That cookie was not in the original “Ringing.at.your.dorbell” shellshock attacks that caught my attention. So is the malware mutating or is someone else hijacking the signature of the original attack?

Update 2015-07-11: Prior to today I hadn’t seen an attack from this particular malware in nearly two months. Today I saw two attacks, both with the same pattern:

1) First request was “GET /Ringing.at.your.dorbell!”.
2) Second request was “GET /”.
3) Third request was “GET /Diagnostics.asp”.

The cookie this time was slightly different: “Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa”. Notice the replacement of “Tomato lol!” from the earlier attack with “justa”. As before there is no Host header and the referer value is “http://google.com/search?q=2+guys+1+horse”.

So it appears this malware is active again and that explains why I’ve seen a huge spike in the number of people reading this particular article recently.
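A small classifier for the signatures described in this post, run over raw requests: the Ringing.at.your.dorbell! marker request, a missing Host header, the “() {” function-definition prefix of a shellshock (CVE-2014-6271) payload in any header, the fixed google.com referer, the “Greetz” cookie, and the three-request sequence from the 2015-07-11 update. This is an added example, not code from the post. The sample requests are constructed from the header values quoted above; the request target of the shellshock sample is assumed, since the post does not give it.

```python
"""Added example, not the post's code: classify raw requests against the
Ringing.at.your.dorbell! / shellshock signatures described in the post."""
import re

SHELLSHOCK = re.compile(r"\(\)\s*\{")            # bash function-definition prefix
DORBELL_PATH = "/Ringing.at.your.dorbell!"
FIXED_REFERER = "http://google.com/search?q=2+guys+1+horse"
DORBELL_SEQUENCE = [DORBELL_PATH, "/", "/Diagnostics.asp"]


def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, headers).
    Header names are lower-cased; a repeated header keeps its last value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def classify(raw):
    """Return the list of signatures one request matches (empty = clean)."""
    method, target, version, headers = parse_request(raw)
    reasons = []
    if target == DORBELL_PATH:
        reasons.append("dorbell marker request")
    if "host" not in headers:
        reasons.append("no Host header")
    for name, value in headers.items():
        if SHELLSHOCK.search(value):
            reasons.append("shellshock pattern in %s" % name)
    if headers.get("referer") == FIXED_REFERER:
        reasons.append("fixed google.com referer")
    if headers.get("cookie", "").startswith("Greetz to"):
        reasons.append("greetz cookie")
    return reasons


def dorbell_sequence(paths):
    """True if a session's first three request targets are the sequence from
    the 2015-07-11 update."""
    return list(paths[:3]) == DORBELL_SEQUENCE


# Constructed samples. Header values are those quoted in the post; the target
# of the shellshock sample is assumed.
MARKER = ("GET /Ringing.at.your.dorbell! HTTP/1.0\r\n"
          "User-Agent: x00_-gawa.sa.pilipinas.2015\r\n"
          "Connection: close\r\n\r\n")
SHELLSHOCK_PROBE = (
    "GET / HTTP/1.0\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Pragma: no-cache\r\n"
    "Cookie: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n"
    "Referer: http://google.com/search?q=2+guys+1+horse\r\n"
    "User-Agent: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n"
    "Test: () { goo;}; echo Content-Type: text/plain ; echo ; echo shellshot_`expr 1344 - 7`\r\n\r\n")
DIAGNOSTICS = ("GET /Diagnostics.asp HTTP/1.0\r\n"
               "Cookie: Greetz to M, st0n3d, Jorgee, CoLdZeRo and justa\r\n"
               "Referer: http://google.com/search?q=2+guys+1+horse\r\n\r\n")
BROWSER = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")

if __name__ == "__main__":
    for raw in (MARKER, SHELLSHOCK_PROBE, DIAGNOSTICS, BROWSER):
        print(raw.split("\r\n", 1)[0], "->", classify(raw))
    session = [parse_request(r)[1] for r in (MARKER, SHELLSHOCK_PROBE, DIAGNOSTICS)]
    print("dorbell sequence:", dorbell_sequence(session))
```

The shellshock check is applied to every header value rather than to a fixed list, because the logged attack put the same payload in Cookie, User-Agent and a made-up Test header; the missing-Host and fixed-referer checks catch the later, non-shellshock variant of the same malware.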

Adam Miller, faith-healer, fraud, and all around scumbag IMHO

Check out this story about Adam Miller.

Apparently Mr. Miller believes he is Jesus Christ. If he can prove he is capable of healing any of the illnesses or injuries he claims to be able to cure I’ll eat my hat and agree he should win his libel suit against Stephanie Guttormson. There has never been a documented case of faith healing. There have been a huge number of self-proclaimed faith healers proven to be committing fraud. So I feel pretty comfortable stating that in my opinion Mr. Miller is a scumbag bilking money from desperate people.

Note too that as I write this his web site returns a page that only says “Site Unavailable” (not an HTTP 404 status). It seems he doesn’t care for the attention he’s getting. Fortunately Google has a cached version.

Update 2015-05-20: There has been a biblical flood of articles, YouTube videos, podcasts, etc. about the douchebaggery of Mr. Miller since I wrote my original post. For example, this [Salon article](http://www.salon.com/2015/05/07/atheist_trans_blogger_exposes_snake_oil_salesman_faith_healer_and_get_slammed_with_lawsuit/) and [Ring of Fire](http://www.ringoffireradio.com/2015/05/scared-faith-healing-bully-gets-called-out-online-decides-to-sue-everyone/) blog post. Also, shortly after I posted this article the first time Mr. Miller’s web site was back online. As I write this it is once again inaccessible because the hostname “www.adam-healer.com” doesn’t resolve to an IP address. And I wish that wasn’t true because I’d like to verify that he has the quack Miranda warning on his website that his services are for “entertainment purposes only” as reported by others.