I Reckon THIS Must be the Place
THIS This HTML Is Simple - A PHP blog-like application that is small, efficient and fast or something
This website gets hundreds of "revslider" exploit attempts every month. Why? Because Revslider sucks. It's as simple as that.
In the first ten days of October, the Apache log file shows 604 revslider exploit attempts, always with at least two tries: one on / and one on /this/. The maximum attempts from a single IP was 86. They all get 403'd, but they keep coming back week after week, month after month.
Oddly, of the 604, 552 (from varying IPs) had the UA string:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
- I wish exploit code implementers would write better code too. Some of the URLs have the revslider exploit after a ? — I don't think that would work. And if they keep a list of sites to exploit, why not test for the 403? And the multiple tries in a row? They repeat the same URLs over and over. Why not respect the 403 and stop? It would even make their code run faster.
- Of course, many of these exploiters got here because I had put the string of the revslider location in a post. Not in a URL, just as text.
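As an added example (not code from this site), here is a small Python pass over constructed Apache combined-format log lines that does the counting described above: revslider attempts in total, the maximum from one IP, how many carry the revslider path after a ?, the most common UA, and the check worth having, any attempt that did not get a 403. The IPs, paths and counts in SAMPLE_LOG are constructed for the example, and parse_log and revslider_report are names assumed here.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not the site's real log).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Oct/2015:10:01:12 +0000] "GET /wp-content/plugins/revslider/example-probe.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
203.0.113.5 - - [03/Oct/2015:10:01:13 +0000] "GET /this/wp-content/plugins/revslider/example-probe.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
198.51.100.7 - - [04/Oct/2015:02:15:40 +0000] "GET /?x=/wp-content/plugins/revslider/example-probe.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
198.51.100.7 - - [04/Oct/2015:02:15:41 +0000] "GET /this/wp-content/plugins/revslider/example-probe.php HTTP/1.1" 200 512 "-" "curl/7.43.0"
192.0.2.9 - - [04/Oct/2015:09:30:00 +0000] "GET /this/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0"
"""

# One Apache "combined" line: ip ident user [time] "method url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def revslider_report(entries):
    """Summarise revslider probes the way the post counts them by hand."""
    hits = [e for e in entries if "revslider" in e["url"].lower()]
    per_ip = Counter(e["ip"] for e in hits)
    uas = Counter(e["ua"] for e in hits)
    # "after a ?": the revslider path sits in the query string, not the request path
    after_query = sum(1 for e in hits if "revslider" in e["url"].partition("?")[2].lower())
    # anything not 403'd is the line worth reading: the block rule missed it
    not_blocked = [e for e in hits if e["status"] != "403"]
    return {
        "total": len(hits),
        "max_per_ip": max(per_ip.values(), default=0),
        "top_ua": uas.most_common(1)[0] if uas else None,
        "after_query": after_query,
        "not_blocked": len(not_blocked),
    }

if __name__ == "__main__":
    for key, value in revslider_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```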
We are so fucked: you are probably infected already.
And double fucked: CEOs don't give a shit about it.
And there will be nothing you can do about it.
I think we can add the major Software Companies to the list of tobacco, lead, asbestos and oil for letting their shit fuck us over, as some software companies seem to have betrayed their customers.
A song softly echoes away...
They ran down every lead
They repeated every test
They checked out all the data on their lists
And then the alien anthropologists
Admitted they were still perplexed
But on eliminating every other reason
For our sad demise
They logged the only explanation left
This species has exploited itself to death
Update, Sept 21: See this: Renaming the WordPress Login Page via a Setup Setting.
Update, June 27: See this for why exploits have increased here and this Hoisted with my own Petard.
Our logs have seen an explosion in code exploit attempts these last few months. Here are a few tips to drastically reduce the chance of code being exploited.
No, this is not to install a WAF. As I've written elsewhere, "Mod Security is the new Magic Quotes".
The thing is simply to program into any new Advanced and Powerful software the ability to have custom Admin, Config, Plugin and Content directories and file names.
Wordpress seems so proud of their "5 minute install" — it's made them lazy. Spend some time during install to explain the vulnerabilities of default file names and locations. Explain why not to install in the known defaults.
Like with default passwords, force your installation code to not use the defaults.
So you will have to eliminate hundreds of in-line strings like wp-admin/ and replace them with a variable like $wp_admin throughout your code; and it will take a while; and there are others; and there will be much testing to do — but do it!
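As an added illustration (Python rather than the PHP this would really live in, and not code from THIS or from Wordpress), the two rules above in code: the installer refuses the default names the way it should refuse a default password, and requests are routed by the configured names rather than by hard-coded strings, with the old defaults answered by a flat 403. KNOWN_DEFAULTS, choose_name, make_config and route are names assumed for this example.

```python
import secrets
from typing import Optional

# Well-known default locations that scanners probe for (list constructed for this example).
KNOWN_DEFAULTS = {
    "admin": "wp-admin",
    "login": "wp-login.php",
    "content": "wp-content",
}

def choose_name(kind: str, requested: Optional[str] = None) -> str:
    """Installer-side rule: refuse the default, exactly as you would refuse a
    default password. With no name requested, generate a random one instead."""
    if requested is None:
        return f"{kind}-{secrets.token_hex(4)}"
    cleaned = requested.strip("/")
    if cleaned == KNOWN_DEFAULTS[kind]:
        raise ValueError(f"{kind}: the default name {cleaned!r} is not allowed")
    return cleaned

def make_config(**requested: str) -> dict:
    """Build the config once at install time; the rest of the code only reads
    these variables and never the literal 'wp-admin/' strings."""
    return {kind: choose_name(kind, requested.get(kind)) for kind in KNOWN_DEFAULTS}

def route(path: str, config: dict) -> str:
    """Resolve a request path to a component using the configured names only.
    A request for one of the old default names gets a flat '403' so the
    scanner learns nothing about where things actually live."""
    p = path.strip("/")
    for kind, name in config.items():
        if p == name or p.startswith(name + "/"):
            return kind
    for default in KNOWN_DEFAULTS.values():
        if p == default or p.startswith(default + "/"):
            return "403"
    return "public"

if __name__ == "__main__":
    cfg = make_config(admin="control-room", login="door.php", content="assets")
    for url in ("/control-room/index.php", "/wp-admin/", "/about/"):
        print(url, "->", route(url, cfg))
```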
Have you seen the statistics that nearly half of Internet traffic is exploit attempts? Well guess why? They all have known exploitable names and locations!
Please, let us finally see some truly advanced software for a change.
Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses.
- Default SSH Key Found in Many Cisco Security Appliances, June 25, 2015
Here is a good Tips for Internet Security starting point for developers new and old (unless you know everything already). Like tip 5: "Change the Default CMS Settings!"
I think they should add to tip 4: "Sensible User Access", to separate User Login pages from Admin Login pages. (Hint, hint, Wordpress!)
- With all due respect to Amused To Death by Roger Waters.
- They even have a function named:
- If routers and other internet hardware devices forced users to use a unique password, millions of worms, bots and cracks would have been prevented over the last 20 years.
The real Node vs Apache benchmark.
I came across the zgadzaj Node vs. Apache benchmark the other day and was immediately skeptical. Node is not as fast as that benchmark claims; it was an apples-to-oranges comparison.
Here is The Real Node vs Apache Benchmark.
And as a GIST The Real Node vs Apache Benchmark.
P.S. Even what I have done is not "real" enough as the code should calculate the size of the file, create the date and form the referer and UA strings, etc. The "real" real Node.js code would be much larger...
THIS is an experimental attempt at a blogging API in PHP. No classes. No globals. Read more here: README.
Last Update: November 25, 2015
Version: 1.7.2 - not done yet
Version: 1.6.1 - See changes-1.6.1.
Version: 1.6.0 - See changes-1.6.0.
Version: 1.5.7 - Admin much improved.
Version: 1.5.6 - Code reduced in size; better visitor/cookie code; start of Admin CLI.
Here is the Download page.
Almost Internet Ready
This is not "Internet ready" code in the way the Content Management Systems whose names you all know are. But it is close.
Yeah, this code works, but it is not user friendly at all. As said elsewhere, this code is not advanced and is not powerful.
It is part good, part sloppy, part odd, part really cool, part stupid. But it is getting better with each release.
- detailed, technical looks at the architecture (still kind of lame).
- invented and real conversations related to coding (that I find amusing).
- various musings about our Apache log file (that range from stupid to bizarre).
The GMLP Language Processor: GMLP Here, and GMLP on GitHub.
Batch Language Rules Processor: BLRP Here, and BLRP on GitHub.
Debug: Debug Here, and Debug on GitHub.
And the WordPress clone written in GNU Bash — in under 2000 lines of pure BASH code. Also WordBash on GitHub.