Fun and Games with WordPress Blog Hacker

June 18, 2008

As Pajamadeen prepared for an underwhelming trip to the East Coast which, for now, defies further description, she noticed that an energetic, if deluded, hacker had been hard at work in the wee hours of the morning, trying to guess our password to gain administrative access to Pajamadeen. In other words, the hacker wanted control of the blog. As is often the case in life, this proved to be easier said than done. IP address 202.75.39.82 in the Wilayah Persekutuan area of Kuala Lumpur in Malaysia was a determined dullard. Do I know anyone in Kuala Lumpur or Malaysia? What do you think? (Hint: Pajamadeen is an East Coast WASP.)

WordPress Blog Login

About 100 tries later, the hacker gave up. Obvious password attempts such as blog, wpblog, pajamadeen and password were among the first tries, followed by a flurry of attempts using common surnames such as Jones, Robinson, Garcia, Rodriguez, etc. With increasing desperation, the hacker tried common first names such as Barbara, Margaret, John and David. In May 2007, PC Magazine published a list of the top 10 passwords which people use on the Internet. The remarkably unimaginative list, in order of popularity, included:

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)

How could we tell what the Malaysian hacker was up to? To fully participate in the fun and games, download vi-postlogger. This way-cool plugin actively logs all $_POST variables submitted, along with the sender's IP address, whenever any activity is performed at your blog, from blog post composition to hack attempts. The Malaysians weren’t counting on this little gem. It provided a time-stamped log of all their attempts to guess Pajamadeen’s password. Some attempts were lame, while others were humorous:

log = admin
pwd = pajamadeen

redirect_to = wp-admin/
testcookie = 1
wp-submit = Log In
202.75.39.82
/wp-login.php
June 2, 2008, 3:36 am

log = admin
pwd = admin

redirect_to = wp-admin/
testcookie = 1
wp-submit = Log In
202.75.39.82
/wp-login.php
June 2, 2008, 3:37 am

log = admin
pwd = abc123

redirect_to = wp-admin/
testcookie = 1
wp-submit = Log In
202.75.39.82
/wp-login.php
June 2, 2008, 3:37 am

log = admin
pwd = letmein <—- oh, paleeeze. This is lame.

redirect_to = wp-admin/
testcookie = 1
wp-submit = Log In
202.75.39.82
/wp-login.php
June 2, 2008, 3:37 am

log = admin
pwd = wordpress

redirect_to = wp-admin/
testcookie = 1
wp-submit = Log In
202.75.39.82
/wp-login.php
June 2, 2008, 3:37 am

Use any one of several websites which will pinpoint IP addresses. We like IP-Adress. (Note the funky spelling of address with one “d.” Guess they couldn’t get the domain name they wanted.) What is My IP Address is another such service. Click the link to the IP Tracer tool and input the address in question. Here, we find Whois information for the IP address. The company serving this IP address is Telekom Malaysia Berhad and the host is svservers.com. Note that Telekom covers this IP range: 202.75.32.0 – 202.75.63.255.

The contact people are listed as Azman Ali/20th Floor, Wisma Celcom Semarak/Jalan Raja Muda Abdul Aziz/50400 Kuala Lumpur/Malaysia with two phone numbers: 603-26812075 and 603-26810186 and an e-mail address of gatekeeper@eastgate.net.my. His compadre is Mohd Ghazali Sabri/3rd Floor, TM IT Complex/3300 Lingkaran Usahawan 1 Timur/63000 Cyber Jaya Selangor/Malaysia with phone numbers of 603-83180322 and 603-83188061 and e-mail addresses of m_ghaza@tm.net.my and gmen@tm.net.my. Using Google maps, we see approximately where in Kuala Lumpur the gamers are:

It looks like too many people in the vicinity of the Kuala Lumpur hospital have too much time on their hands. This makes for great fun while drinking morning coffee.

Remember that IP range? If, like most people, you can access your cpanel (control panel) at your host, go there and locate the IP Deny Manager, or IP address blocker. (This should be located at http://www.yourdomainname.com/cpanel.) We were going to block just this IP address, but then we decided we didn’t really care if people in Malaysia read the blog, so we blocked the whole IP range by typing in: 202.75. Poof. They’re gone. Wasn’t that fun?
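The vi-postlogger entries quoted above and the "202.75." deny rule lend themselves to a small script. This is an added example, not code from the post or from the plugin: it parses constructed entries in the same layout, counts wp-login.php submissions per source address, flags guesses that come from the PC Magazine top-10 list, and checks each address against both the Telekom Malaysia allocation and the broader "202.75." prefix the author typed into cPanel. The log text, the editor account and the 198.51.100.7 address are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Added example, not part of the post or the vi-postlogger plugin. Ranges are the
# Telekom Malaysia allocation quoted above and the "202.75." prefix the author blocked.
TELEKOM_RANGE = ipaddress.ip_network("202.75.32.0/19")   # 202.75.32.0 - 202.75.63.255
BLOCKED_RANGE = ipaddress.ip_network("202.75.0.0/16")    # cPanel IP Deny Manager entry "202.75."
TOP10 = {"password", "123456", "qwerty", "abc123", "letmein", "monkey",
         "myspace1", "password1", "blink182"}            # PC Magazine list, minus "(your first name)"

# Constructed sample in the layout the post quotes: one blank line separates entries.
SAMPLE_LOG = "\n\n".join(
    f"log = {user}\npwd = {pwd}\nredirect_to = wp-admin/\ntestcookie = 1\n"
    f"wp-submit = Log In\n{ip}\n/wp-login.php\n{when}"
    for user, pwd, ip, when in [
        ("admin", "pajamadeen", "202.75.39.82", "June 2, 2008, 3:36 am"),
        ("admin", "letmein", "202.75.39.82", "June 2, 2008, 3:37 am"),
        ("admin", "abc123", "202.75.39.82", "June 2, 2008, 3:37 am"),
        ("editor", "c0rrect-H0rse!", "198.51.100.7", "June 2, 2008, 9:12 am"),
    ])

def parse_entries(text):
    """Turn the blank-line separated entries into dicts of field -> value."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        fields = dict(line.split(" = ", 1) for line in lines if " = " in line)
        # The three bare lines at the end of each entry are IP, request path and timestamp.
        fields["ip"], fields["path"], fields["time"] = [l for l in lines if " = " not in l]
        entries.append(fields)
    return entries

def guessing_report(entries, threshold=3):
    """Per source IP: wp-login.php submissions, how many used a top-10 password,
    and whether the address sits inside the Telekom and the blocked ranges."""
    per_ip = defaultdict(lambda: {"attempts": 0, "top10_guesses": 0})
    for e in entries:
        if e["path"] != "/wp-login.php":
            continue
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["top10_guesses"] += int(e["pwd"].lower() in TOP10)
    for ip, stats in per_ip.items():
        addr = ipaddress.ip_address(ip)
        stats["in_telekom_range"] = addr in TELEKOM_RANGE
        stats["blocked_by_202_75"] = addr in BLOCKED_RANGE
        stats["suspected_guessing"] = stats["attempts"] >= threshold or stats["top10_guesses"] > 0
    return dict(per_ip)
```

Run `guessing_report(parse_entries(SAMPLE_LOG))` to see the per-address summary; note that the "202.75." rule covers all of 202.75.0.0/16, which is wider than the 202.75.32.0 to 202.75.63.255 allocation the Whois lookup reported.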

WP-Deadbolt is another groovy plugin from village-idiot. This one will allow you to block entire spammy e-mail domains from being used while registering at your blog. A long list of spammy domains is available (where else?) at village-idiot. To this list, you can add your own personal favorites; xanga and hotmail addresses are on my hit list.

The moral of the story? Harden your blog password. While you’re at it, harden all of your passwords. Pick a long password that is hard to guess and which contains a mixture of upper and lower case letters, numbers and, just for good measure, some of the non-numerical characters located on your keyboard above the numbers. It’s like safe sex: You want to be protected! For the password from hell, which no one will ever guess, go to Gibson Research and get a cryptographic-strength password. There’s no charge for this service.

Check your new blog registrants as well. We had six new subscribers. Five of them were in…Malaysia. Using Google, we found that one of them was bragging about attending a hacking conference this fall in Malaysia. Too bad, so sad, all gone.

Copyright © 2008 pajamadeen.com
