Well, the Irish economy is tanking and is heading towards recession. Last time things were this bad was in the Eighties so here’s a few memories from that decade. After yesterday’s rather technical post, I need a nice squeaky throw away nostalgic one today.
Tag Archives: irishblogs
More ways to stop spammers and unwanted traffic
Comment spammers, trackback spam, stupid bots and AVG linkscanner eating into your bandwidth and server resources? Here’s how to put a dent in their activities with a few mod_rewrite rules.
I hate those blogs that send me fake trackbacks and pingbacks. Unfortunately it’s impossible to stop but this morning I figured out a way of stopping some of them.
Look through the log files of your web server for the string ‘ “-” “-“‘. Lots of requests there aren’t there? I found 914 requests yesterday. Those are requests without a USER_AGENT or HTTP_REFERER and almost all of them are suspicious because they weren’t followed by requests for images, stylesheets. or Javascript files. Unfortunately the WordPress cron server also falls into this category so you need to filter out requests from your own server’s IP address.
This morning I checked up on a spam trackback that came in. This one came from 85.177.33.196:
URL: /xmlrpc.php
HTTP_RAW_POST_DATA: <?xml version=”1.0″?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://7wins. eu/cbprod/detail_10347/cure+your+tight+foreskin.html</string></value>
</param>
<param>
<value><string>http://ocaoimh.ie/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/</string></value>
</param>
</params>
</methodCall>
I looked through my log files for that IP address and discovered the following:
85.177.33.196 – – [03/Jul/2008:06:40:01 +0000] “GET /2005/02/18/10-more-ways-to-make-money-with-your-digital-cameras/ HTTP/1.0” 200 36151 “-” “-”
85.177.33.196 – – [03/Jul/2008:07:04:18 +0000] “GET /2007/06/07/im-not-the-only-one-to-love-the-alfa-147/ HTTP/1.0” 200 44967 “-” “-”
85.177.33.196 – – [03/Jul/2008:08:09:40 +0000] “GET /2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/ HTTP/1.0” 200 410423 “-” “-”
85.177.33.196 – – [03/Jul/2008:08:09:44 +0000] “POST /xmlrpc.php HTTP/1.0” 200 249 “-” “XML-RPC for PHP 2.2.1”
85.177.33.196 – – [03/Jul/2008:09:00:09 +0000] “GET /2007/10/28/what-time-is-it-wordpress/ HTTP/1.0” 200 63332 “-” “-“
So, the spammer grabs “/2005/03/01/i-am-bored-sites-for-when-youre-bored/all-comments/” at 8:09am and 4 seconds later sends a trackback spam to the same blog post. Annoying isn’t it?
The following mod_rewrite rules will kill those fake GET requests dead.
# stop requests with no UA or referrer
RewriteCond %{HTTP_REFERER} ^$
Rewritecond %{HTTP_USER_AGENT} ^$
RewriteCond %{REMOTE_ADDR} !^64\.22\.71\.36$
RewriteRule ^(.*) – [F]
Replace “64\.22\.71\.36” with the IP address of your own server. If you don’t know what it is, look through your logs for requests for wp-cron.php, run ifconfig from the command line, or check with your hosting company.
Here are a few of the requests already stopped this morning:
72.21.40.122 – – [03/Jul/2008:09:59:59 +0000] “GET /2005/04/02/photo-matt-a-response-to-the-noise/ HTTP/1.1” 403 248 “-” “-”
216.32.81.66 – – [03/Jul/2008:10:00:11 +0000] “GET /2006/12/14/bupa-to-leave-irish-market/ HTTP/1.1” 403 240 “-” “-”
66.228.208.166 – – [03/Jul/2008:10:03:18 +0000] “GET /2008/05/23/youre-looking-so-silly-wii-fit HTTP/1.1” 403 212 “-” “-”
216.32.81.74 – – [03/Jul/2008:10:04:52 +0000] “GET /1998/03/22/for-the-next-month-o/ HTTP/1.1” 403 234 “-” “-”
69.46.20.87 – – [03/Jul/2008:10:06:06 +0000] “GET /2006/10/01/killing-off-php/ HTTP/1.1” 403 229 “-” “-”
72.21.58.74 – – [03/Jul/2008:10:07:54 +0000] “GET /2005/08/12/thunderbird-feeds-and-messages-duplicates/ HTTP/1.1” 403 255 “-” “-“
Some spam bots are stupid. They don’t know where your wp-comments-post.php is. That’s the file your comment form feeds when a comment is made. If your blog is installed in the root, “/”, of your domain you can add this one line to stop the 404 requests generated:
RewriteRule ^(.*)/wp-comments-post.php – [F,L]
Trackbacks and pingbacks almost always come from sane looking user agents. They usually have the blog or forum software name to identify them. Look for “/trackback/” POSTs in your logs. Notice how 99% of them have browser names in them? Here’s how to stop them, and this has been documented for a long time:
RewriteCond %{HTTP_USER_AGENT} ^.*(Opera|Mozilla|MSIE).*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^(.*)/trackback/ – [F,L]
I’ve been using that chunk of code for ages. It works exceptionally well. This was prompted by a deluge of 40,000 spam trackbacks this site received in one day a few months ago.
If you use my Cookies for Comments plugin. Check your browser for the cookie it leaves and use the following code to block almost all of your comment spam:
RewriteCond %{HTTP_COOKIE} !^.*put_cookie_value_here.*$
RewriteRule ^wp-comments-post.php – [F,L]
That will block the spammers even before they hit any PHP script. Your server will breeze through the worst spam attempts. It blocked 2308 comment spam attempts yesterday. Unfortunately it also stops the occasional human visitor leaving a comment but I think it’s worth it.
Do something different. That’s what you have to do. Place a hurdle before the spammers and they’ll fall. On that note, I shouldn’t really be blogging all this, but almost all these ideas can be found elsewhere already and the spammers still haven’t adapted.
Unwanted traffic? What’s that? Surely all visitors are good? Nope, unfortunately not. Robert alerted me to the fact that AVG anti-virus now includes an AJAX powered browser plugin called “Linkscanner” that scans all the links on search engine result pages for viruses and malicious code. Unfortunately that generates a huge number of requests for pages that are never even seen by the visitor. I counted over 7,000 hits yesterday.
Thankfully Padraig Brady has a solution. I hope he doesn’t mind if I reprint his mod_rewrite rules here (unfortunately WordPress changes the ” character so you’ll have to change them back, or grab the code from Padraig’s page.)
#Here we assume certain MSIE 6.0 agents are from linkscanner
#redirect these requests back to avg in the hope they’ll see their silliness
Rewritecond %{HTTP_USER_AGENT} “.*MSIE 6.0; Windows NT 5.1; SV1.$” [OR]
Rewritecond %{HTTP_USER_AGENT} “.*MSIE 6.0; Windows NT 5.1;1813.$”
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]
The EU Gravy Train
Irish MEP Kathy Sinnott and other MEPs filmed in Brussells at 7am on a Friday morning clocking in with bags packed. Oh dear.
Kathy Sinnott, fresh faced and angry after 7 hours work overnight.
Makes me wonder if I should have voted yes to Lisbon. Kathy Sinnott was looking for a No vote (no, she didn’t influence me) but perhaps the Lisbon Treaty would have stopped this sort of thing. Oh wait! Who am I kidding? Of course it’ll continue!
(via someone on #linux who mentioned the video)
Update Kathy Sinnott published a fair video response to the RTL report. She doesn’t defend her colleagues, but makes it fairly clear (unless those emails were doctored which is easy, but I digress..) that she was working through the night. She also adds that the “[expenses] regime is ending in the next term”.
Via Fred, who came from here according to my logs so I presume he’s spreading the word.
Saor Patrol in Cork
Saor Patrol, a Scottish band “with their vibrant pipe tunes and drum rhythms [that] please and excite many a crowd” certainly lived up to their reputation when they played for the crowds in front of Brown Thomas on Patrick Street this afternoon.
I came upon them when they were nearly finished but the few minutes of music I heard was exciting and lively, and my son Adam totally enjoyed the spectacle. When the crowd clapped in appreciation, Adam joined in, and almost jumped out of his buggy to dance to the beat!
They were playing in Cork City Hall today as part of the Your Mental Health awareness campaign by the HSE. Depression and other mental health problems still have an awful stigma in this country. People can be reluctant to talk about those problems, families and friends hide them away, or pretend they don’t exist, but they’re health problems like any other. With the right treatment at the right time most people can be helped.
Listening to Saor Patrol certainly lifted my spirits. I was tired and worn down but their music reinvigorated me!
Edit – I was wrong. The mental health event they were promoting is a Scientology event. Not a HSE one. Can’t believe those maniacs managed to hire out City Hall. I definitely do not want to have anything to do with that crowd. Ugh.
Meadows Fringe Festival (doesn’t do them justice at all.)
WordPress Exploit Scanner 0.1
My previous post about hacked WordPress sites caused Donnacha to ask,
After your last post on this subject, I was thinking that it would be a good idea for Automattic to create a plugin that carries out all the checks you suggested people do to find out if they’ve been hacked…
At the time I wasn’t too optimistic about it but after thinking about the idea for a few days I came up with the WordPress Exploit Scanner which does most of what Donnacha wanted.
This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.
It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.
You must be running WordPress 2.5.1 or higher to use this plugin. There’s not much point in finding exploited files if you’re running an old version of the software that can be broken into again.
Download the plugin from here: WordPress Exploit Scanner
Thanks to those who tested the plugin, especially Cathal Garvey who provided some great feedback!
Sweet Galaxy bites Super Mario Galaxy
I love to play Super Mario Galaxy on the Wii. The cartoon graphics, unusual planet based locations and gameplay make it really fun to play. It’s also relatively easy but I’m really stumped by Sweet Galaxy. Unlike every other galaxy in the game it’s a merciless obstacle course where Mario has to jump over gaping holes that move. Mistakes are cruelly punished and it is the most frustrating level I’ve played on any platform in a long time.
I even left the Wii switched on all day yesterday because I made it halfway through, but the final third of the level defeated me each time. Grrr.
Anyway, if like me you’re ready to give up on Super Mario Galaxy because of this level, here’s proof that it can be completed. I’ll try it again, once my left hand thumb recovers from twisting the nunchuk around.
(via)
In related gaming news. Boom Blox was fun for a while, but boy does it get boring quickly. Worse thing is, I paid the 20 Euro surcharge Irish shops charge for supporting local business. I could have bought it on play.com for 41 Euro, but Gamestop and Xtravision were both charging 59 Euro. Damn my need for instant gratification!
Back to Mario Kart Wii methinks.
Tom's going away dinner at Proby's Bistro
Last night a number of bloggers met in Proby’s Bistro for a dinner to see of Tom Raftery who’s leaving our fair isle and heading off to live in Spain next Sunday. I won’t bore you with details of who went and who said what to whom, but a good night was had by all! If you really must know who attended, Conor O’Neill listed each blogger’s Twitter account. Check out the gallery for more!
My wife noticed this morning that Tom was featured in yesterday’s Evening Echo. Alongside him are Pat Phelan of MAXroam and Catherine Wall of IT@Cork. That was the Echo with the photo of the Spencer Tunick Blarney shoot, so I’m sure that copy’s circulation numbers were up!
The last photo in the gallery is a shot of that image. Note the prominent WordPress sticker? Thanks Pat!
Continue reading “Tom's going away dinner at Proby's Bistro”
Catch website file changes with AIDE
A week ago I suggested installing AIDE to track changes on your server in case it had been hacked. I think AIDE Is so useful that it deserves a post of it’s own. Here’s a short guide to get it working properly.
The AIDE .deb package includes configuration files for over 80 different software packages or log files. That’s great if you have all that software installed or want to keep a paranoid eye on /var but what if you only care about the directory where your website lives?
When I first installed AIDE (using apt-get install aide), it said I needed to run /usr/sbin/aideinit after installation. Every morning I’d get an email from AIDE with a list of changed files from all over my server, including mail logs, Apache logs, and more. I didn’t need all that so I removed the files from /etc/aide.conf.d/ except my WordPress config file:
/home/web/ Checksums
!/home/web/logs/.*
!/home/web/public_html/wp-content/cache/.*
!/home/web/.*/htdocs/wp-content/cache/.*
Unfortunately after I removed the configuration files the daily AIDE email was flooded with open_dir() errors:
Output is 40577 lines, truncated to 1000.
open_dir():Not a directory: /home/donncha/.bashrc
open_dir():Not a directory: /home/donncha/.bash_profile
open_dir():Not a directory: /home/donncha/.viminfo
open_dir():Not a directory: /home/donncha/.bash_history
AIDE was rendered useless by all the errors. Thankfully it was easy to fix. Run aideinit again and it regenerates the AIDE database.
# /usr/sbin/aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? y
Running aide –init…AIDE, version 0.13.1
### AIDE database at /var/lib/aide/aide.db.new initialized.
Overwrite /var/lib/aide/aide.db [yN]? y
For good measure, I ran /etc/cron.daily/aide again which sent me the “Daily AIDE report”, and yes, it reported that my .htaccess file had been changed. Nice.
If your site is on a shared hosting account then you’re out of luck, but if you have a dedicated host, or virtual private server (VPS) then please consider using AIDE to keep track of changed files. It will send you a short email every day listing changed, added or deleted files. It may save you a lot of hassle and embarrassment if your site is hacked.
Edit: By default, the nightly cron script doesn’t update the AIDE database leading to the same files changes reported every day. Edit /etc/default/aide and make sure COPYNEWDB is set to “yes”. That will update the database.
Burning rubbish poisons us
What would you do if your neighbour was burning rubbish in their fireplace and the smoke and ash from it was being blown into your house? That’s what I want to know in today’s post on inphotos.org
I really want to know what you would do. If it’s happened to you, did it have a happy ending?
The Lisbon Treaty: Too long; didn't read
My vote has been cast. I voted no to the Lisbon Treaty half an hour ago in Blarney. Why? It wasn’t to be aligned with Sinn Fein or the Socialist Party who I’d never vote for. It wasn’t because I wanted to piss off Brian Cowen and the main parties. It was partly because I didn’t know who to believe.
Both sides of the Treaty made wild claims. There were the usual dire warnings that Ireland would suffer badly if we rejected the Treaty, there was the extreme claims of the No side. Abortion, the death penalty, armies marching to their deaths. Who’s half truths and exaggerations do you want to believe? What are their biases?
The first “debate” I heard about the Treaty was over a month ago. A TD and a representative from Libertas were on Today FM to fight for their corners. Boy did they fight! Within minutes there was a slagging match with mud and names flying. Accusations were made, and I didn’t learn a thing about this important treaty.
I was almost convinced to vote yes a few days ago. All the resources of the Government couldn’t convince me but The Spoofer’s Guide to the Treaty, written by Jason O’Mahony, a PD candidate, almost did. Even that was too long however, and I only read the first few pages before I had to leave the computer and attend to the baby. Like most people, I simply don’t have time to read and digest everything about the Treaty. Top that off with the with half truths and exaggerations I mentioned above and it became even more difficult.
I know it’s my own fault for not reading the 400 odd pages of the Treaty and being ignorant, but I won’t sign my name to a contract I haven’t read. The Spoofer’s Guide is probably the equivalent of the Readers Digest version of the Treaty but even that was too long. I blame life for getting in the way. tl; dr (thanks Matt!)
I wonder will the Irish Government rerun the referendum if the Irish Population vote no?
Some links I read, and some I commented on:
- Thanks, but no thanks
- Lisbon Treaty – Vote No.
- Lisbon Treaty – still voting No…
- Weighing in on Lisbon
- JIm Corr didn’t do the No side any favours when he went on national radio talking about the New World Order. Bloody idiot. I hope Tony Fenton was cringing when he heard what “his friend” was talking about!
- The No Side didn’t get any more loony than a particular Catholic group who campaigned on very conservative and close minded issues, including equality of men and women.
As conscientious Irish Catholics, we cannot but reject a Treaty that imposes on our country and on the whole of Europe an unnatural equality between men and women which opposes God’s plan for society and for His Church.
It was not to be aligned with them that I voted No.
- Paul Browne was convinced to vote Yes after he read the Spoofer’s Guide. He makes very good reasons why he’s voting Yes today.
- Still undecided? Here’s a quick way to clear up the confusion.
- Finally, Tom is holding an exit poll. I voted there, but the Yes vote is still winning. It’ll be interesting to see if that reflects the national vote.
Images from Biffsniff.com. Lolmartin created by Frank based on an idea by Walter.