this is not a blog

I Reckon This Must be the Place, I Reckon

Some Robots have behavioral issues; some Robots suck.

About Bots

I have been tracking and investigating Robots for a few years now, so, gotta lot a things to say...

But for now, here is a text file summary of some of the many Bots seen in the last few months:

Robots List.

later more...

WTF is wlwmanifest.xml?

WTF is wlwmanifest.xml and why do Bots keep looking for it? For example, this happens dozens of times a month and this is from one IP:

    /blog/wp-includes/wlwmanifest.xml
    /web/wp-includes/wlwmanifest.xml
    /wordpress/wp-includes/wlwmanifest.xml
    /website/wp-includes/wlwmanifest.xml
    /wp/wp-includes/wlwmanifest.xml
    /news/wp-includes/wlwmanifest.xml
    /2020/wp-includes/wlwmanifest.xml
    /2019/wp-includes/wlwmanifest.xml
    /shop/wp-includes/wlwmanifest.xml
    /wp1/wp-includes/wlwmanifest.xml 
    /test/wp-includes/wlwmanifest.xml
    /wp2/wp-includes/wlwmanifest.xml 
    /site/wp-includes/wlwmanifest.xml
    /cms/wp-includes/wlwmanifest.xml 
    /sito/wp-includes/wlwmanifest.xml

Let's take a look at it, shall we?

  <weblog>
    <adminUrl>
      <![CDATA[
        {blog-postapi-url}/../wp-admin/
      ]]>
    </adminUrl>
    <postEditingUrl>
      <![CDATA[
        {blog-postapi-url}/../wp-admin/post.php?action=edit&post={post-id}
      ]]>
    </postEditingUrl>
  </weblog>

So that's why! The fucking Admin pages!

When is Wordpress going to grow up and add some basic security measures!

You read that right! Basic Security Measures!

sigh

WTF No. 87

Yet another program access – effing Go (golang) and that effing Git...

    185.220.102.245 - - [17/Nov/2021:04:32:57 -0700] "GET /.git/config HTTP/1.1" 404 - "-" "Go-http-client/1.1"

WTF is wrong with these people?

Yah gahtta be kidding me! All "config" file shtuff is protected by a Web Host's WAF
(Web Application Firewall; like, "Mod Security", – what I call the new "Magic Quotes"...).

Like, Bots trying to read .env – futile (if the hosting company knows its shit).

Related to Post 2 - WTF is wlwmanifest.xml?

Looking at not just what a Bad bot does but why a Bot does what it does...

In this case, it's xmlrpc.php – part of Wordpress, and just like the other file mentioned here, it, along with path variations, is constantly being POSTed to.

So here's what I did.

    <?php
    # /xmlrpc.php
    # Log each hit (time, IP, user agent, POST fields), then refuse it.
    $fd = fopen('tmp/xmlrpc.log', 'a');
    if ($fd) {
        $out = print_r($_POST, true);
        $UA = $_SERVER['HTTP_USER_AGENT'] ?? '';
        $d = date(DATE_RFC822);
        fwrite($fd, "$d\n{$_SERVER['REMOTE_ADDR']}\n$UA\n$out\n");
        fclose($fd);
    }
    header('HTTP/1.1 403 Forbidden');
    exit('idiots');
    ?>

Be back with data... (Though stupid me forgot to "unblock" it from .htaccess...)

Update:

Got the first two hits:

    Wed, 24 Nov 21 12:46:34 -0700
    20.98.245.87
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36
    Array
    (
    )
    
    Wed, 24 Nov 21 18:04:07 -0700
    128.199.210.248
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Array
    (
    )

That's it? Crap, now I gotta look into what xmlrpc.php does and what it returns... Fuck... Just fix yer shit, Wordpress.
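
Added example (not the author's code): PHP fills $_POST only from form-encoded bodies, while XML-RPC clients send a text/xml document, so the logger above records an empty array for those requests as well as for any GET. This variant reads the raw body from php://input and writes one JSON line per hit; the 4 KiB cap and the xmlrpc_method() helper are assumptions made here, and the log path is reused from the page.

```php
<?php
# /xmlrpc.php decoy: added example, not the page author's code.
# Assumed here: the 4 KiB body cap and the helper name xmlrpc_method();
# the tmp/xmlrpc.log path is reused from the page.

const MAX_BODY = 4096;

// Pull the method name out with a strict pattern instead of handing
// hostile input to an XML parser.
function xmlrpc_method(string $body): ?string
{
    $re = '~<methodName>\s*([A-Za-z0-9_.]{1,64})\s*</methodName>~';
    return preg_match($re, $body, $m) === 1 ? $m[1] : null;
}

// XML-RPC clients send a text/xml document, so $_POST stays empty;
// the raw request body is only available through php://input.
$in = fopen('php://input', 'rb');
$body = $in ? (string) stream_get_contents($in, MAX_BODY) : '';
if ($in) {
    fclose($in);
}

$entry = [
    'time'   => date(DATE_RFC2822),
    'ip'     => $_SERVER['REMOTE_ADDR'] ?? '',
    'ua'     => $_SERVER['HTTP_USER_AGENT'] ?? '',
    'verb'   => $_SERVER['REQUEST_METHOD'] ?? '',   // GET vs POST
    'ctype'  => $_SERVER['CONTENT_TYPE'] ?? '',
    'length' => (int) ($_SERVER['CONTENT_LENGTH'] ?? 0),
    'method' => xmlrpc_method($body),               // null if not XML-RPC
    'body'   => $body,                              // truncated at MAX_BODY
];

// One JSON object per line: newlines and control bytes in the body are
// escaped, so a request cannot forge extra log entries.
$flags = JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES;
$line = json_encode($entry, $flags);
file_put_contents('tmp/xmlrpc.log', $line . "\n", FILE_APPEND | LOCK_EX);

http_response_code(403);
exit;
```

Keep the log file outside the web root or deny access to it, since request bodies can contain whatever the client chose to send.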

Update: December, 1

While the Wordpress xmlrpc.php is small, the Wordpress "XML-RPC protocol support" is
only 7000 lines long, and that's the file with the constructor! Not something I want to wallow in
for any prolonged amount of time...