Sad Children Thinking They Are Hackers

A few days ago I installed the Bad Behavior plugin for WordPress just as an extra way of combatting spam comments etc. In 2 days it’s blocked 49 attempts by malicious scripts to access this blog. I just looked at the log and most of them are attempts to run a remote PHP script to see if I am running a vulnerable script. The remote scripts are all the same and simply contain:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Basically from what I can see there is a bunch of script kiddies who like to call themselves hackers but haven’t got the first clue about real hacking. All they can do is follow step by step instructions they have found on security web sites. A real hacker is a person who actually knows how things work and looks for ways to exploit them so that the makers can make the products more secure.

Had quite a few hits on this one with people searching for information so have decided to add some.

If you are running WordPress then I highly recommend installing the Bad Behavior plugin as this has, to my knowledge, blocked all attempts by these kiddies. I have also added a couple of the banned user agents from Bad Behavior to my site’s .htaccess file to prevent them accessing the site altogether. It also blocks some known spambots.

# These patterns are regular expressions, not shell globs: a leading ^ already gives a prefix match.
SetEnvIfNoCase User-Agent "^libwww-perl" spammer=yes
SetEnvIfNoCase User-Agent "^Mozilla/5\.0$" spammer=yes
SetEnvIfNoCase User-Agent "^Java/1" spammer=yes
SetEnvIfNoCase User-Agent "^Java 1" spammer=yes
SetEnvIfNoCase User-Agent "^<sc" spammer=yes
SetEnvIfNoCase User-Agent "^Jakarta" spammer=yes
SetEnvIfNoCase User-Agent "^TrackBack" spammer=yes
SetEnvIfNoCase User-Agent "^USERAGENT$" spammer=yes
SetEnvIfNoCase Via pinappleproxy spammer=yes
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
# Refuse any request that matched one of the rules above.
Deny from env=spammer

Just remember it is also up to you to make sure that any scripts you are running on your site, be they a forum, a blog, a guestbook etc., are the latest versions.

BTW if you came here because you found a file containing the FeeL.CoMz text from above then I’m sorry to say your site has already been exploited by these idiots. All you can do is look for other files last updated around the same time to see what else they did. Then make sure your scripts are updated.
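This added example, which is not part of the original post, implements the clean-up check described above: it finds files containing the probe's marker strings and lists other files modified close to them in time. The one-hour window, the function names and the sample files are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Marker strings from the probe script quoted in the post (source and echoed form).
MARKERS = (b"Fx29ID", b'"FeeL"."CoMz"', b"FeeLCoMz")

def walk_files(root):
    """Iterate over every regular file under root."""
    return (p for p in Path(root).rglob("*") if p.is_file())

def find_marker_files(root):
    """Return files under root whose contents include a probe marker."""
    hits = []
    for path in walk_files(root):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if any(marker in data for marker in MARKERS):
            hits.append(path)
    return sorted(hits)

def modified_near(root, hits, window=3600):
    """Return non-hit files whose mtime is within `window` seconds of a hit."""
    hit_times = [h.stat().st_mtime for h in hits]
    return sorted(
        p for p in walk_files(root)
        if p not in hits
        and any(abs(p.stat().st_mtime - t) <= window for t in hit_times)
    )

def demo():
    """Build a constructed web root and run both checks over it."""
    root = tempfile.mkdtemp()
    base = 1_700_000_000  # constructed timestamp, not from the post
    samples = {  # constructed sample files: relative path -> (content, mtime)
        "id.txt": (b'<?php /* Fx29ID */ echo("FeeL"."CoMz"); ?>', base),
        "uploads/new.php": (b"<?php /* constructed placeholder */ ?>", base + 120),
        "index.php": (b"<?php echo 'home'; ?>", base - 90 * 86400),
    }
    for rel, (body, mtime) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
        os.utime(path, (mtime, mtime))
    hits = find_marker_files(root)
    return hits, modified_near(root, hits)
```

File modification times can be reset by whoever wrote the file, so an empty result from `modified_near` does not show that nothing else was changed.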

5 comments to Sad Children Thinking They Are Hackers

  • Igor

    I saw similar activity in my logs.
    The domain with the remote file was gumansin.com, and the IP address 118.100.71.15.

    The sad thing is that it wasn’t some bot like the usual, but some stupid kids browsing my site and then trying to include that in the URL. Googlebot picked up the thing and crawled the links too with 200, so they had a true browser running Google’s JavaScript from my pages.

    I did scan the database and everything was fine. Serving cached files can also be useful against dynamic requests.

    Regards

  • I liked Bad Behavior blocking these scripts even earlier than my current stuff does. But Bad Behavior also broke a lot of stuff in WordPress. For instance, scheduled posts no longer worked, because Bad Behavior flagged wp-cron initiated hits.

    • Carbonize

      Yes I have to agree that I feel Bad Behavior can be too strict and doesn’t give you enough control over what it blocks. I mean personally I am happy to accept the Range header. I do feel that it does block the occasional legitimate user. I would like the option to be able to enable/disable the various checks it does as I feel that only user agent checking and accept header checking are what I need. I have other anti-spam stuff in place to deal with spammers.

  • Arabri

    Script kiddies, hardly even that. They are attempting to run the same script on my site. What makes it even worse is that the muppets are trying to execute this PHP script on my asp.net server. n00bs.

  • Chris

    If the vulnerability is successfully exploited, that snippet of code would appear on your blog page. From that, the script can tell if you are vulnerable to a particular exploit. Once it’s found 1000 or so vulnerable sites, suddenly the “script kiddie” has a potentially quite valuable list of vulnerable sites, which he can then sell or use to exploit the sites himself.
