Testing a WordPress URL problem

In monitoring the logs for this web site, I’ve noticed a lot of weird URLs with invalid parameters like ‘loginid’ and ‘commentid’. At first I ignored them, because those parameters don’t do anything and are essentially ignored by WordPress.

But the volume of these strange requests grew to the point where I started to wonder what was going on. It turns out that although WordPress ignores invalid URL parameters, it also – in some cases – returns those invalid parameters in page content. If you go to the home page of boot13.com, and add ‘/?blahblah’ to the end of the URL, then hover your mouse over the ‘Older posts’ link at the bottom of the resulting page, it will show ‘/?blahblah’.

The fact that WordPress echoes arbitrary parameters in itself isn’t a huge problem. And most web crawlers are smart enough to recognize that the spurious parameters don’t correspond to unique pages on the site, so they are ignored automatically. That includes Googlebot. But some crawlers, in particular Bing’s crawler and the MJ12bot crawler, see every URL that includes any arbitrary parameters as a unique URL, and index them accordingly.

This produces a lot of clutter in Bing’s search results for boot13, and the information provided by Bing Webmaster Tools is filled with these bogus URLs. And that’s annoying.

I’ve taken several steps to try to reduce this clutter. I used robots.txt to tell crawlers to ignore any URL with ‘loginid’ or ‘commentid’. Using Bing Webmaster Tools, I told bingbot to ignore those parameters. As a result, Bing’s search results and site data are looking a lot better. But while most crawlers honour robots.txt, some don’t. In particular, some MJ12bot nodes clearly ignore robots.txt. These may be rogue MJ12bot nodes, or those nodes may be misconfigured in some way.
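One way to check from the access log which crawlers keep requesting the blocked parameters, as an added example that is not part of the original post. It assumes Apache/nginx Combined Log Format and that robots.txt disallows any URL carrying ‘loginid’ or ‘commentid’; the function name `robots_violations`, the user-agent strings and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Parameter names the post says were disallowed in robots.txt (assumed to be
# matched exactly, since robots.txt rules are case-sensitive).
BLOCKED_PARAMS = {"loginid", "commentid"}

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, simplified user agents).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jan/2015:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "bingbot/2.0 (constructed)"
192.0.2.10 - - [30/Jan/2015:10:00:05 +0000] "GET /page/2/ HTTP/1.1" 200 5120 "-" "bingbot/2.0 (constructed)"
198.51.100.7 - - [30/Jan/2015:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "MJ12bot (constructed)"
198.51.100.7 - - [30/Jan/2015:10:01:09 +0000] "GET /?loginid=123 HTTP/1.1" 200 5120 "-" "MJ12bot (constructed)"
203.0.113.44 - - [30/Jan/2015:10:02:00 +0000] "GET /page/3/?commentid=9&x=1 HTTP/1.1" 200 5120 "-" "MJ12bot (constructed)"
"""

def robots_violations(log_text):
    """Map (ip, user_agent) -> {"fetched_robots": bool, "blocked_hits": [targets]}
    for every client that requested a URL carrying a blocked parameter.
    A distributed crawler may fetch robots.txt from a different node, so a
    False value means "this address never asked", not proof of bad intent."""
    seen_robots = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        client = (m["ip"], m["ua"])
        parts = urlsplit(m["target"])
        if parts.path == "/robots.txt":
            seen_robots.add(client)
            continue
        # keep_blank_values so a bare "?loginid" with no value is still seen
        names = set(parse_qs(parts.query, keep_blank_values=True))
        if names & BLOCKED_PARAMS:
            hits[client].append(m["target"])
    return {c: {"fetched_robots": c in seen_robots, "blocked_hits": t} for c, t in hits.items()}

if __name__ == "__main__":
    for (ip, ua), info in robots_violations(SAMPLE_LOG).items():
        print(ip, ua, info)
```

A client that fetched robots.txt and still shows blocked hits is ignoring the rules; one that never fetched it is not checking them at all.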

Now I’m trying to determine just how much of a problem this really is. I decided to see if I could introduce some arbitrary text into the search results and related data for another WordPress site (one not owned or managed by me).

Here’s a link to the UPS blog. That site runs on WordPress, and it exhibits the same behaviour I’ve been seeing on boot13. The URL in the first sentence of this paragraph contains a special, unique parameter. The idea is to see what happens when the URL is crawled by Bingbot. Will my special parameter show up in the search results for the UPS blog? I’ll update this post as I learn more.

Update 2015Jan30: The parameter is now appearing in Google site search results for the UPS blog! There are at least 79 entries, most of which are actually duplicates, as I write this. Still nothing in Bing’s search results.

Update 2015Jan31: I checked the WordPress bug tracking system to see if anyone had reported this previously. They had. I ended up re-opening an existing ticket and adding my observations. Hopefully this will lead to a fix!

Windows 7 supported until January 14, 2020

You may have noticed that Microsoft’s support for Windows 7 changed yesterday: ‘mainstream’ support ended. However, ‘extended’ support continues until January 14, 2020.

In Microsoft parlance, ‘mainstream’ support includes requests for feature changes, certain free support options (e.g. phone support), and non-security updates. Now that Windows 7 is in the ‘extended’ support phase, Microsoft will no longer be changing the O/S, except to fix security issues.

In other words, there’s no need to panic. Windows 7 will continue to get security updates until 2020.

Flash update

Yesterday, Adobe announced a new version of Flash for all platforms. Version 16.0.0.257 fixes numerous security issues, as well as some other bugs.

As usual, Google Chrome will update its embedded Flash automatically, and updates for the embedded Flash in Internet Explorer on Windows 8.x will be available via Windows Update.

Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.

Patch Tuesday for January 2015

This month we have eight updates from Microsoft, affecting most versions of Windows, with one being flagged as Critical.

Anyone using a Windows computer is encouraged to use Windows Update to install available updates as soon as possible.

For complete technical details on the updates, see the official bulletin on the Microsoft Security TechCenter site.

There’s a related post on the MSRC blog.

Update 2015Jan13: One of the updates in this batch is the source of some ill-will between Microsoft and Google. Google reported a Windows 8.1 vulnerability to Microsoft on October 13, and in keeping with its disclosure policies, made the vulnerability public 90 days later. By the time Microsoft got around to developing a fix, it was too late to make the patch available before the 90-day delay would end. Microsoft apparently asked Google to wait for the patch to be released on January 13, but Google stuck to its policy. Now Microsoft has publicly expressed its displeasure with Google. Information Week has additional details.

CryptoWall update

Despite the demise of CryptoLocker, ransomware is still prevalent, mostly in the form of CryptoWall, now in its ‘improved’ 2.0 version.

Security researchers recently deconstructed CryptoWall 2.0 and shared their findings in a post on a Cisco security blog.

The researchers discovered that the malware uses a variety of techniques to obfuscate itself on target systems. It’s also able to infect both 32-bit and 64-bit Windows systems. And it can detect whether it’s running on a virtual machine, making it more difficult to analyze. The command and control servers are apparently in Russia.

A Windows computer can become infected with CryptoWall in a variety of ways, including as part of an e-mail ‘phishing’ attack, through a malicious website, via malicious PDF files, or in a spam e-mail disguised as an ‘Incoming Fax Report’.

Ars Technica has additional details.

DDoS services powered by compromised routers

Malicious hackers are increasingly using compromised, consumer-grade routers to amplify the power of their DDoS attacks. Ordinary users are often unaware that their network devices can be compromised, and even less likely to recognize any actual compromise.

Adding to the problem is the slow pace – or utter lack – of security updates from device manufacturers. Even when updates are made available, users are unlikely to know about them, and in most cases don’t possess the skill required to install them.

All of this makes routers attractive targets. Ars Technica reports on one DDoS-for-hire service that uses a vast network of compromised routers.

There’s a related post on Brian Krebs’ blog. Scroll down to ‘ROUTER SECURITY 101’ for some useful recommendations. At the very least, log in to your router’s admin interface and check for any available security updates.