this is not a blog

I Reckon THIS Must be the Place


 This HTML Is Simple - A PHP blog-like application that is small, efficient and fast or something

Sick of Revslider

This website gets hundreds of "revslider" exploit attempts every month. Why? Because Revslider sucks. It's as simple as that.


In the first ten days of October, the Apache log file shows 604 revslider exploit attempts. Always with at least two tries, on / and on /this/. The maximum attempts from a single IP was 86. They all get 403'd, but they keep coming back week after week, month after month.

Oddly, of the 604, 552 (from varying IPs) had the UA string:

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

  1. I wish exploit code implementors would write better code too. Some of the URLs have the revslider exploit after a ? — I don't think that would work. And if they keep a list of sites to exploit, why not test for the 403? And the multiple tries in a row? They repeat the same URLs over and over. Why not adhere to the 403 and stop? It would even make their code run faster.
  2. Of course, many of these exploiters got here because I had put the string of the revslider location in a post. Not in a URL, just as text.
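The counts above (total probes, tries per IP, the one UA string that dominates, and the probes with the plugin path only after a ?) are the kind of thing you can pull straight out of the Apache combined log. This is an added example, not code from THIS or from the original post; the log lines are constructed for the example, use reserved documentation IP ranges, and match on the substring "revslider" in the request target rather than on any particular exploit payload.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The stale UA string that accounted for 552 of the 604 hits in the post.
STALE_FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
                    "Gecko/20100115 Firefox/3.6")

# Constructed sample lines (not the real log): two probes each from two IPs,
# always on / and on /this/, one with the plugin path only after the '?',
# plus one ordinary page view that must not be counted.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2015:10:01:02 +0000] "GET /wp-content/plugins/revslider/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
203.0.113.7 - - [03/Oct/2015:10:01:03 +0000] "GET /this/wp-content/plugins/revslider/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
198.51.100.4 - - [04/Oct/2015:11:12:13 +0000] "GET /wp-content/plugins/revslider/ HTTP/1.1" 403 199 "-" "curl/7.38.0"
198.51.100.4 - - [04/Oct/2015:11:12:14 +0000] "GET /index.php?/wp-content/plugins/revslider/ HTTP/1.1" 403 199 "-" "curl/7.38.0"
192.0.2.9 - - [04/Oct/2015:12:00:00 +0000] "GET /this/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/41.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_revslider_probe(target):
    """True when the request target mentions the revslider plugin anywhere."""
    return "revslider" in target.lower()


def probe_in_query_only(target):
    """True when 'revslider' appears only after the '?': a probe that can never
    reach the plugin path, the malformed case footnote 1 complains about."""
    path, sep, query = target.partition("?")
    return sep == "?" and "revslider" not in path.lower() and "revslider" in query.lower()


def summarize(log_text):
    """Tally revslider probes the way the post counts them."""
    per_ip = Counter()
    per_ua = Counter()
    total = refused = query_only = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_revslider_probe(rec["target"]):
            continue
        total += 1
        per_ip[rec["ip"]] += 1
        per_ua[rec["ua"]] += 1
        if rec["status"] == "403":
            refused += 1
        if probe_in_query_only(rec["target"]):
            query_only += 1
    busiest_ip, busiest_count = (per_ip.most_common(1) or [(None, 0)])[0]
    return {
        "total": total,
        "refused_403": refused,
        "per_ip": dict(per_ip),
        "busiest_ip": busiest_ip,
        "max_from_one_ip": busiest_count,
        "stale_firefox_ua": per_ua[STALE_FIREFOX_UA],
        "query_only": query_only,
    }


if __name__ == "__main__":
    # Run against a real file with: summarize(open("/var/log/apache2/access.log").read())
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Matching on the substring keeps the script honest about what it counts: a probe that was 403'd and a probe that hit a 200 both count as attempts, and the status is tallied separately so you can see whether anything ever got through.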

You Are Being Exploited

We are so fucked: you are probably infected already.

And double fucked: CEOs don't give a shit about it.

And there will be nothing you can do about it.

I think we can add the major Software Companies to the list of tobacco, lead, asbestos and oil companies, for letting their shit fuck us over.

Some software companies seem to have betrayed their customers.

Exploited to Death

A song softly echoes away...

 They ran down every lead
 They repeated every test
 They checked out all the data on their lists
 And then the alien anthropologists
 Admitted they were still perplexed
 But on eliminating every other reason
 For our sad demise
 They logged the only explanation left
 This species has exploited itself to death

Update, Sept 21: See this: Renaming the WordPress Login Page via a Setup Setting.

Update, June 27: See this for why exploits have increased here and this Hoisted with my own Petard.

Our logs have seen an explosion in code exploit attempts these last few months. Here are a few tips to drastically reduce the chances of code being exploited.

No, this is not to install a WAF. As I've written elsewhere, "Mod Security is the new Magic Quotes".

The thing is simply to program into any new Advanced and Powerful software the ability to use custom Admin, Config, Plugin and Content directory and file names.

Wordpress seems so proud of their "5 minute install" — it's made them lazy. Spend some time to explain the vulnerabilities of default file names and locations during install. Explain to not install in the known defaults.

Like with default passwords, force your installation code to not use the defaults.

So you will have to replace hundreds of in-line strings like wp-admin/ with a variable like $wp_admin throughout your code; and it will take a while; and there are others; and there will be much testing to do. But do it!
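What the three points above amount to in code: an installer that refuses the well-known default names and the default password, offers random ones instead, and a route table built from the configured names so that the literal wp-admin/ never appears in the code. This is an added example and not code from THIS or from WordPress; the default-name list is the real WordPress layout but is deliberately short, and the handler names, the settings dictionary and the random-name scheme are assumptions made for the example.

```python
import secrets

# Locations every mass scanner already probes. Short constructed list for this
# example; the names are WordPress's defaults, the list is not exhaustive.
KNOWN_DEFAULT_LOCATIONS = {
    "admin": {"wp-admin"},
    "login": {"wp-login.php"},
    "config": {"wp-config.php"},
    "content": {"wp-content"},
    "plugins": {"wp-content/plugins"},
}

# Treated like default locations: the install must not accept them.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme"}


def random_name(prefix, nbytes=6):
    """A non-guessable directory or file name, e.g. 'admin-3f9a1c7b2d4e'."""
    return f"{prefix}-{secrets.token_hex(nbytes)}"


def check_install_settings(settings):
    """Return the list of settings still sitting on a known default.
    An empty list means the install may proceed; anything else blocks it."""
    problems = []
    for key, defaults in KNOWN_DEFAULT_LOCATIONS.items():
        value = settings.get(key, "").strip("/")
        if value in defaults:
            problems.append(f"{key}: '{value}' is the well-known default location")
    if settings.get("admin_password", "").lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("admin_password: default or trivial password")
    return problems


def suggest_settings():
    """A non-default layout the installer can offer instead of the defaults."""
    return {
        "admin": random_name("admin"),
        "login": random_name("login") + ".php",
        "config": random_name("config") + ".php",
        "content": random_name("content"),
        "plugins": random_name("plugins"),
        "admin_password": secrets.token_urlsafe(16),
    }


def build_routes(settings):
    """Derive request paths from the configured names: the $wp_admin variable
    the post asks for, instead of 'wp-admin/' hard-coded in hundreds of places."""
    return {
        "/" + settings["admin"].strip("/") + "/": "admin_dashboard",
        "/" + settings["login"].strip("/"): "login_form",
    }


def route(path, routes):
    """Resolve a request path; anything unknown, including the old defaults, is a 404."""
    return routes.get(path, "not_found")


if __name__ == "__main__":
    defaults = {"admin": "wp-admin", "login": "wp-login.php",
                "config": "wp-config.php", "admin_password": "admin"}
    print("default install refused:", check_install_settings(defaults))
    chosen = suggest_settings()
    print("suggested layout accepted:", check_install_settings(chosen) == [])
    print("/wp-admin/ now routes to:", route("/wp-admin/", build_routes(chosen)))
```

The random names only help if nothing leaks them: keep them out of error pages, RSS generator tags and, as the first post found out, out of your own blog posts.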

Have you seen the statistics that nearly half of Internet traffic is exploit attempts? Well guess why? They all have known exploitable names and locations!

Please, let us finally see some truly advanced software for a change.

Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses.
- - Default SSH Key Found in Many Cisco Security Appliances June 25, 2015

Here is a good Tips for Internet Security starting point for developers new and old (unless you know everything already). Like tip 5: "Change the Default CMS Settings!"

I think they should add to tip 4: "Sensible User Access", to separate User Login pages from Admin Login pages. (Hint, hint, Wordpress!)

  1. With all due respect to Amused To Death by Roger Waters.
  2. They even have a function named: capital_P_dangit().
  3. If routers and other internet hardware devices forced users to use a unique password, millions of worms, bots and cracks would have been prevented over the last 20 years.


Not so Fast Node

The real Node vs Apache benchmark.

I came across the zgadzaj Node vs. Apache benchmark the other day and was immediately skeptical. Node is not as fast as the benchmark claims, because it was an apples to oranges comparison.

Here is The Real Node vs Apache Benchmark.

And as a GIST The Real Node vs Apache Benchmark.

P.S. Even what I have done is not "real" enough as the code should calculate the size of the file, create the date and form the referer and UA strings, etc. The "real" real Node.js code would be much larger...

About THIS

THIS is an experimental attempt at a blogging API in PHP. No classes. No globals. Read more here: README.

Last Update: November 25, 2015

Release Notes

Version: 1.7.2 - not done yet
Version: 1.6.1 - See changes-1.6.1.
Version: 1.6.0 - See changes-1.6.0.
Version: 1.5.7 - Admin much improved.
Version: 1.5.6 - Code reduced in size; better visitor/cookie code; start of Admin CLI.

Here is the Download page.

Almost Internet Ready

This is not "Internet ready" code in the way the Content Management Systems whose names you all know are. But it is close.

Yeah, this code works, but it is not user friendly at all. As said elsewhere, this code is not advanced and is not powerful.

It is part good, part sloppy, part odd, part really cool, part stupid. But it is getting better with each release.

Posts Here

detailed, technical looks at the architecture (still kind of lame).
invented and real conversations related to coding (that I find amusing).
various musings about our Apache log file (that range from stupid to bizarre)

Other Code

The GMLP Language Processor: GMLP Here, and GMLP on GitHub.

Batch Language Rules Processor: BLRP Here, and BLRP on GitHub.

Debug: Debug Here, and Debug on GitHub.

And the WordPress clone written in GNU Bash in under 2000 lines of pure BASH code. Also WordBash on GitHub.