
Attack of the Chinese Comment Spam Robots

First, if you’re reading this through the feedburner you may have noticed in the past a little “Payday Loan” thing right below the title in past posts. Hopefully that is dead now.  I’ll explain what’s going on with that in a minute.  But if you see it above, please let me know!

I’m going to get a little geeky here, skip to the headlines if you want to get the big picture. You may have read my article on What’s in A Website?  It’s not all puppies and butterflies to set up and keep a website running. That was proved all the more last week.

Holy Smoking Internet

Below is a graph of the bandwidth (the number of megabytes of data) that was consumed by visitors to our little niche in cyberspace. I suspect that the “zeroes” here are due to throttling by GoDaddy, not actually spots where there was no traffic.  You see those spikes? Those are ROBOTS. It’s obvious the attacks began around 5/10, but didn’t reach a crescendo until 5/22 (as you can see on the next graph).

The attack begins.

But it’s about to get ugly:


Clever, but seriously demented people have written programs to run about on the web, find blogs to which they can add comments and then attempt to automatically add drivel so that they can hawk their worthless (and often scam) products. They also hope that by adding their links to more sites, their rank in search engines will go up. How else are you going to learn about Viagra and fancy watches? The comments are sometimes blatant:

soccer cleats for sale… quality. These cheap and quality nike air maxConcords are my favorite in life. You also give me good service, thank you. When I saw the nike air max Concords here, I know they are good and can be the best choice. My friend told me to buy nike air max …

Sometimes truly stupid:

replica watches… checked out demonstrate just about all invisible records within machine nonetheless absolutely no htaccess record. my spouse and i dont buy it. this is certainly insane, very much assist desired in this article. all i wish to accomplish will be be capa…

And sometimes sneaky:

Pretty nice post. I just stumbled upon your weblog and wished to say that I’ve really enjoyed browsing your blog posts. In any case I will be subscribing to your feed and I hope you write again soon!…

Huge banks of machines that have been zombified do this comment spamming on a massive scale. We had 545,611 “hits” in a 5 day period. Those hits consumed 15.96 Gigabytes of bandwidth. 372,000 of the hits out of 545,611 were robots!  Each was trying to comment on one of my old blog articles and collectively slurped up 11.6 Gbytes of bandwidth.  72% of all that traffic went to Chinese servers. Talk about trade imbalance! We didn’t know we were that popular abroad. There was also that guy in Poland who tried super hard to crack into our site through the login portal. He/it was turned away about 4,000 times in one day.

Unfortunately the extreme load caused GoDaddy, our hosting provider, to shut us down and hold us hostage.  It’s a good thing I know a little bit about networking… otherwise they probably would never have turned us back on. This all happened right when I launched the initiative to raise money for the Oklahoma Tornado victims. Talk about stress!  I felt like I was facing my own tornado – this one made in China. Fortunately the destruction was nothing like what my friends in Oklahoma endured.

This was the second time that the GoDaddy strategy was to punish the innocent. I won’t bother with all the details – I’ll just let you know that we’re folding up shop on GoDaddy and moving to HostGator real soon now. Hopefully it will be mostly transparent to you.

Countermeasures

With the thousands of assaults on the one blog article, it was obvious that I had to fix it. The problem is that WordPress incurs quite a bit of overhead to serve a particular article – it has to find it in the database, format all the ancillary content and then spit out all the parts of the page. That overhead was crushing the server, so I had to eliminate it.

I first took a look at where all the hits were coming from – I needed to shed most of the traffic and I used .htaccess instructions to deny a large range of network addresses from China. If you’re in China on one of those subnets you still won’t be able to read my pages. So there! Hah!

<Limit GET POST>
order allow,deny
# - Chop the balls off of an intruder from triolan.net
deny from 178.151.216.53
# - Cut the balls off of the Chinese Spam bots-
deny from 110.85.
deny from 110.86.
deny from 121.205.
deny from 117.26.
deny from 218.86.
deny from 27.153.
allow from all
</Limit>
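The log triage behind those deny lines, as an added example and not the author’s own code: it parses Apache combined-format access-log lines, counts hits on the spammed URL per /16 prefix, totals response bytes per path, and renders `deny from` rules for the worst offenders. The log lines are constructed samples; the prefixes were chosen to match the ranges blocked above.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" log lines (hypothetical, not the author's real log).
SAMPLE_LOG = """\
110.85.3.17 - - [22/May/2013:10:01:02 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
110.85.9.200 - - [22/May/2013:10:01:03 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
121.205.44.1 - - [22/May/2013:10:01:04 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
178.151.216.53 - - [22/May/2013:10:01:05 -0700] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2013:10:01:06 -0700] "GET /2013/05/oklahoma HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
110.86.1.2 - - [22/May/2013:10:01:07 -0700] "POST /2011/03/driven-to-abstraction HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
garbage line that does not parse
"""

# ip, two ident/user fields, [timestamp], "METHOD path proto", status, bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse(log_text):
    """Yield (ip, method, path, bytes) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = 0 if m['bytes'] == '-' else int(m['bytes'])
            yield m['ip'], m['method'], m['path'], size

def hits_by_prefix(log_text, path, octets=2):
    """Count requests to `path` per leading-octet prefix; octets=2 gives /16 keys like '110.85.'."""
    counts = Counter()
    for ip, _method, req_path, _size in parse(log_text):
        if req_path == path:
            counts['.'.join(ip.split('.')[:octets]) + '.'] += 1
    return counts

def bandwidth_by_path(log_text):
    """Total response bytes per requested path, to see which URL is eating the quota."""
    total = Counter()
    for _ip, _method, req_path, size in parse(log_text):
        total[req_path] += size
    return total

def deny_rules(counts, threshold):
    """Render Apache 2.2 mod_authz_host 'deny from' lines for prefixes at/above threshold."""
    return ['deny from ' + prefix for prefix, n in counts.most_common() if n >= threshold]

if __name__ == '__main__':
    spam_path = '/2011/03/driven-to-abstraction'
    for rule in deny_rules(hits_by_prefix(SAMPLE_LOG, spam_path), threshold=2):
        print(rule)
```

Run it against a real access log with a sensible threshold before pasting the output into `<Limit>`, since a /16 can also contain legitimate readers.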

Then I wrote a very simple page that only says “Go away jerk”. Nothing fancy there.

WordPress relies on .htaccess rules to help serve content on my blog. Here are two important .htaccess rules. What they mean is simply: if the “path” is actually a directory or a file, then serve that path – otherwise it will hand the work off to the scripts that do all the processing.

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

Since the URL that the robots were hitting was blog.starcircleacademy.com/2011/03/driven-to-abstraction, all I really needed to do was to create a directory path, 2011/03/driven-to-abstraction, and add an index.html file in there. WordPress is thus bypassed, and all I need to do to restore access is to delete the folders.

However, I first played with redirecting the traffic by putting this in the .htaccess at the root of my website(s).

RedirectMatch 301 /2011/03/driven-to-abstraction(.*) http://theamusing.com/badrobo/jerk.html

I noticed that most of the robots that were generating the spam hits were following the redirects.  If they keep this up I’ll redirect them to 127.0.0.1 in which case they’ll be asking themselves for content – and burning their own bandwidth!

RedirectMatch 301 /2011/03/driven-to-abstraction(.*) http://127.0.0.1:8676/youareanidiot

I’ve also thought about pointing them at those damn loan sites that have been infecting many webs.

Payday Loan Hack

Now getting back to that “payday loan” garbage. The problem is that GoDaddy’s servers are not secure – they are vulnerable to attack, especially via “sneaky files” designed to commandeer some aspects of the BLOG and surreptitiously insert their own drivel. In this case, the insertion was only visible to those who either looked at the HTML code or happened to read from email. Why? Because only Google’s feedburner exposed the otherwise invisible spam. The sneaky code has infected THOUSANDS of websites. Don’t believe me? I found 700+ sites infected with a simple Google search. All the ones I checked are hosted on GoDaddy! And please note that the search I did – trying to find news of a cure – only includes sites that contain both the subversive ads AND the word malware. Guess how many hits there are for the search “t0inpaydayloans.com xmlrpc”: over 4,000! And that hawked site is only one of THOUSANDS of similar sites.

Get your Geek On

I used a number of tools to hunt down the invasion. There is a WordPress plugin called “Exploit Scanner” which gave me so many false positives at first that I had to drop back and do some clean up. Most of the false positives were related to our store, WordPress E-Cart. A great free site that helped me is Sucuri.net. I could kiss them. They even offer a reasonably priced plan where they will regularly scan your site and fix any problems. It was tempting except the geek in me wanted to find the source of the garbage.

Boy, was it well hidden. Doubly encrypted – it had to be, because there is plenty of advice out on the network warning about the presence of code like this: base64_decode(

This attacker hid his code well. But not well enough!


We’ll be back on topic with the next article. Promise.

Photoshop CS6 Upgrade: A tough row to hoe

I finally succumbed. I saw a few articles touting the video features that were moved out of the Extended versions of Photoshop into the standard version. Since I’ve been doing a fair amount of opportunistic timelapses using the free tool Picsasa it seemed like the experience was worth the $200 upgrade outlay.

With some of my past escapades with upgrades of Adobe Photoshop still searing my psyche (3 to 5 was especially traumatic), I proceeded anyway. First I made sure to buy the upgrade ON DVD. It means I have to store something, but it also means it’s a physical thing – not a space eating behemoth to add to my bulging file archives that might get lost or deleted.

Let me step back a moment and explain that I do my photo processing on two different machines. A laptop which is with me much of the time and a desktop machine at home. The desktop machine is my wife’s and she’s beginning to get the idea it’s not really for her use. I should also point out that I am an “IT Professional”. Herding around arcane settings on Windows is just one of the many things I do on a daily basis. I also do not have or use a Mac. There, I said it. I’m not a Mac hater. Heaven knows I’ve spent a great sum of money on iPhones and other Apple gear. But I’ve never been able to convince myself that switching to a Mac and giving up all my fancy PC-only software was worth the risk, frustration and significant additional expense. But I digress.

I tackled the upgrade on the desktop machine first. The DVD arrived 5 days after I ordered it from Adobe. Inside the packing box I came face to face with creepy Pale Faced Scaly Woman. It happens she’s not really a box, but a slip case covering another box. Inside the box is yet another box. And inside the box that is inside the box inside the other box is another box – a CD jacket actually. You have to inspect all the edges of the slip case to find out this is an “upgrade” – I thought at first they had sent me the wrong thing – a full version (which I’d have welcomed). I hurled the DVD into the drive. Since I have disabled auto install (no smart person would allow an inserted DVD to automatically run anything), I hunted down the rather odd place where the setup program lived and started it. It whirred and eventually it offered to install. After some more whirring it asked me for the serial number. Crap, I thought, I don’t know where I had written that down and then I remembered it’s registered under my Adobe ID. I looked it up, wrestled with the serial number entry tool that tries to be helpful but which actually makes entering the digits harder and pressed GO. Invalid serial number. It told me unceremoniously. Perhaps I made a digit mistake. Yes, I did. I fixed it and THEN: “Invalid Serial Number”. How can it be that my serial number which is recorded at Adobe is wrong, I wondered.

I began a search of the Adobe Website. Call me dense, but after trying to use the “contact an agent” pop up that gets in your face when you visit Adobe and getting no contact;  after scanning a half dozen useless articles that were returned from my Adobe site search I discovered that it didn’t want my moldy OLD serial number. The elusive Serial Number I needed was written on a sticker or printed on the packaging material.  It WASN’T on the CD case.  It wasn’t on the alien lady slip case. It wasn’t on the box held by the alien lady. Oh wait, it was on the box inside the box, inside the box just NOT on the DVD or CD cover.  That’s consistent with the way you find things in Photoshop. You know, when you need the ruler tool you have to first consult the eyedropper (or sampler or note) tool.

Of course I did what I always do and I immediately wrote the serial number directly on the DVD in indelible ink.

Sharp Poke in the Eye

The upgrade proceeded pretty quickly and Photoshop 13 installed. 13? Yes, for arcane historical reasons you need to know that Photoshop CS6 is REALLY Photoshop 13. The luckiest Photoshop yet! When you look at your Adobe account you’ll notice that it doesn’t say CS6; apparently that would have been too many digits and letters to add after “Photoshop” on the web page, and it might have made it just a bit too clear what it is.

Here is what my “Product and Services” page says:

Adobe Photoshop 12 Win Aug 20, 2010
Adobe Photoshop 13 Win Jan 17, 2013

But I guess I should be thankful that now it has an icon!

Now comes the sharp poke. When I started CS6, er, I mean 13, it asked me if I wanted to import my presets from the previous version. Why YES, thank you.  Except apparently “presets”  means ONLY presets – my custom settings for correcting light pollution using the Levels adjustment tool.

Presets do NOT include:

And to add insult to injury… guess what you CAN NOT DO… you cannot have both CS5 and CS6 (I mean 12 and 13) running simultaneously – so you can NOT do a head to head comparison to figure out what is missing.

After reading some more about “migrating filters” (and great good luck to you on finding something on that since Adobe calls them Plugins even though I have only ever known them as filters) I realized that I am on the hook to reinstall all my filters and actions by hand on EACH machine that I use Photoshop on.

And it MIGHT exist, but why, oh why does Adobe not have a findable page on the 99 things you may need or want to do when you “upgrade” their product(s)?  I have a suspicion that they don’t publish an all-in-one compendium because if people found it they would have justifiable fear and trepidation about attempting an upgrade.  It might in fact, lessen their sales.

Now before you conclude that I hate Adobe, that’s not at all true. I only hate SOME of them – the ones who fail to anticipate how new and veteran users are likely to suffer when trying to use their heavily featured product(s). I’m sure my loathsomeness will subside, eventually. Meanwhile I am REALLY glad I didn’t go with the Cloud thing. I am subscribed to several discussions and every day there is a new horror story about failure and misadventure that makes my serial number search look like a vacation.

When I get a bit more of the “Motion” features under my belt, you can bet I’ll be writing about those too. Of course I won’t be the first or the last to write about the subject. My first feat will be to find the elusive “stop watch” (aka Key Frame). Apparently it’s located under a triangle somewhere. Maybe the triangle is hidden under the ruler tool…