Author Archives: Donncha

Phishing in Irish

Well, this is a surprise. One of my .ie email addresses got a very targeted phishing email. It was so specific that it was actually written in Irish! It wasn’t directed at me, but at a list owner address at linux.ie.
I wonder if the spammers know how many Irish people could actually read their email easily? It’d certainly be easier for most people to read in English.

Aire

Tá mé an tUasal Patrick KW Chan an Stiúrthóir Feidhmiúcháin agus Príomh-Oifigeach airgeadais Hang Seng Bank Ltd, Hong Cong.
Tá mé togra gnó brabúsaí leasa choitinn a roinnt le leat;
Baineann sé leis an aistriú suim mhór airgid.
Fuair mé do tagairt i mo cuardach a dhéanamh ar dhuine a oireann mo chaidreamh gnó molta.
Má tá suim agat i obair liom teagmháil a dhéanamh liom mo trí r-phost príobháideach (mrpatkwchan52@yahoo.com.hk) le haghaidh tuilleadh sonraí

Dearbhófar do fhreagra túisce chun an litir seo a mhór.

An tUasal Patrick Chan
E-mail: mrpatkwchan52@yahoo.com.hk

I suppose it was bound to happen now that Google translates text into Irish. Well done to Gmail for marking it as spam!

Ok, so Commando gives you a longer lunge…

Ok, so Commando gives you a longer lunge when knifing. I wasn’t sure just how far it was until I read this post and saw this video and the other one David linked to. Amazing.

Should it be removed? Hell no. Equip yourself with a shotgun and if you’re in close quarters use that instead of your primary weapon. Either that or don’t stay in the one corner.

Oh, if you’re interested in knifing, check out ONLYUSEmeBLADE.

Gooochi talks to /bc/123kah.php

This is weird, a huge number of POST requests started to hit the Shite Drivers website a few days ago. The requests came from lots of IP addresses and all requests went to the non existent /bc/123kah.php

The payload was an array that looked like this:

Array
(
    [showed] =>
    [clicked] =>
    [version] => 2.6.2.4
    [id] => c3b342beb6ad7adf39499e7a38f93c09f681611d
    [tm] => 1266855758
    [aff_id] => gooochi
    [net_id] => gooochi
    [safe] => 1
    [exceed] => 2505,2507,2582,2597,2602
)

So I presume it’s the Gooochi malware referenced in this search for that word. Strange that the infected PCs hit my server though.

The traffic was never overwhelming but I decided to put a stop to it with a simple deny from all in a .htaccess file. Much better than having WordPress serve up a 404 page.

I mentioned the 123kah.php file on Twitter and I’m not the only one to see these odd requests. I guess even malware has bugs! (which is all the more reason to keep your anti-virus software up to date if you use Windows)

Remove unused utm_source from your urls

Sometime last year I noticed that links to my blog on Feedburner had attracted a few extra parameters. A simple link to a post became this huge monstrosity:

http://ocaoimh.ie/exploit-scanner-095/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HolyShmoly+(Holy+Shmoly!)&
utm_content=Google+Reader

It’s a marketing thing right? It’s all useful information but I don’t really care about it, have never used it and don’t like my URLs getting mangled. It annoys me for two reasons:

  • People will probably use that big long url in their own posts. Other people will use the shortened custom permalink that my blog provides. Won’t the pagerank earned by the post be split in two now?
  • It makes caching less efficient. Supercache won’t create a static cached file of the page. It will create a regular php powered cache file but when you’re running Supercache you want the very best performance don’t you?

So I added a new option to Supercache to redirect the url and get rid of the utm_source bloat.

If you want to give it a go, grab the development version of the plugin and upgrade.

Oh, and if someone has decent docs on utm_source and it’s friends I’d love to read it. Google didn’t return much when I went looking.

Exploit Scanner 0.95

I’ve just released version 0.95 of WordPress Exploit Scanner.

This release fixes a number of bugs and makes it easier to scan for exploits and read the results.

I’ve added an “Exploits” scan level which looks for obvious code that hackers use. It will return a few false positives but it’s a good first scan to try if you suspect your website has been hacked. You can then use the “Blocker” and “Severe” to scan for ever more suspect strings.

Scans are now done 50 files at a time, with the page reloading after each. The scan results are saved in the database (in your options table as not-autoloaded records to minimize load on your blog) and you can open another browser window or tab on the Exploit Scanner admin page to view the saved results even before the scan is completed.

MD5 hash records for WordPress 2.9.2 have been added, and the hash records for 2.9.1 were corrected.

In other news I’m looking for testers to try out the almost ready WordPress MU 2.9.2. More details are on the forum thread above.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Here are a few options.

  • uBlock Origin is a free, open source, ad blocker for your browser.
  • Use pi-hole if you have a spare Raspberry Pi on your network.
  • Set the private DNS settings on your phone to dns.adguard.com to block adverts and trackers.