The Four-eyed Journal » Security

Globe Broadband IP addresses blacklisted by Spamhaus Project

jhay — Mon, 29 Sep 2008 01:02:42 +0000

One of the most frustrating events a blogger or commenter could face on the net is being blocked or their comments being eaten by some anti-spam system employed by the blogs that they visit.

I for one had many of this incidents before. The latest was just a few minutes ago when I posted a comment on Aja Lapus’ blog post about Schools still teaching deprecated HTML. Aja’s blog is protected by Bad Behavior, an anti-spam plugin that is indeed powerful and effective. Yet it has received its fair share of complaints from bloggers because in some instances, it has blocked or eaten the comments by non-spammers or “false positives” even comments by the blog owners themselves.

Of course, I vouch that my laptop is spam and malware free so it’s a bit frustrating to know that I’m being blocked as a spammer. It’s a good thing that Bad Behavior displays a web page pointing to the Spamhaus Project explaining why my comment as blocked, because some anti-spam plugins simply swallow your comment and dumps it in the spam comments list.

Going back, I followed the links to the Spamhaus project and it turns out that it was my IP or Internet Protocol address that was blocked. Here below is the entirety of the explanation:

Ref: SBL63950
222.127.223.0/24 is listed on the Spamhaus Block List (SBL)
23-Mar-2008 10:14 GMT | SR01

Proxy Hijacker

Spammer operating from 222.127.223.72, hijacking PCs in other networks for spamming.

——–

Removal Procedure
To have record SBL63950 (222.127.223.0/24) removed from the SBL, the Abuse/Security representative of globenet.com.ph (or the Internet Service Provider responsible for connectivity to 222.127.223.0/24) needs to contact the SBL Team to explain how the spam problem has been terminated. If the spam problem that caused this listing has been terminated we will normally remove the listing from the SBL.

So, a spammer using the same ISP as I do has been using the network or the set of IP addresses which the one I’m currently using right now to spread spam over the internet. Damn it!

There’s little I could for now because the problem, or rather the solution itself rests on my ISP, Globe Broadband to contact the SBL Team and work out a solution so that the IP range in question be cleaned and removed from the block list. Question now is, will Globe Broadband do something about it? Are they even aware of this issue?

Last month, I recall receiving a phone call from a Globe Broadband representative asking my if I was aware of anti-spamming techniques to protect my computer from attacks. This was part of their effort in ‘cleaning up’ their network to provide a ‘better broadband internet service to their customers’.

It seems that they either missed a spot or they need to clean up their networks again. This may be an issue isolated to blogs being protected by Bad Behavior because Akismet-protected blogs are not flagging my comments, as far as I can tell. I wonder if other Globe Broadband users are having the same or similar problems. I suppose it’s time to give them a wake up call once more.

Philippine Senate’s website downed by p0rn0graphers?

jhay — Wed, 10 Sep 2008 06:13:28 +0000

Upon reading on Philippine Commentary about John Silva discussing the proposed Anti-Obscenity and Pornography Bill when he substituted for Manolo Quezon on his show The Explainer, I quickly visited the Philippine Senate’s website to get a copy of the Senate Bill 2464 but for reasons not yet known, their website is down.

Senate website down

Just to make sure, I re-checked using downforeveryoneorjustme.com and yes, the Senate’s website is still down as of this writing.

Pray that the downtime is intended for site upgrades or maintenance or otherwise, many would come to think that someone opposed to the bill is really making their opposition felt.

Do you feel safe doing online banking?

jhay — Fri, 25 Jul 2008 08:00:42 +0000

Here’s an interesting news written by Michael Hatamoto of BetaNews about online banking in the US:

Study says bank Web sites leave clients vulnerable to theft

When you hop on the Internet to check your online bank statement or pay some bills, do you ever wonder how secure your bank’s computer network is? A new study claims most bank Web sites are vulnerable to identity theft.
A study done by Atul Prakash, a professor at the University of Michigan who teaches in the department of electrical engineering and computer science, found that more than 75 percent of 214 financial institutions checked in 2006 had at least one design flaw that could open up online bank users to potential identity theft. (source)

Sounds scary indeed right? Well that’s in the United States, I wonder if there’s a similar study that focuses on our local banks here in the Philippines. With the increasing rate of internet penetration, the popularity of money-less transactions via mobile phones and the internet, especially with the spread of a fully-functional PayPal services and other online banking services, security concerns over this emerging field will slowly begin to hog headlines and buzz on Philippine cyberspace.

So far, I’ve not been an active user of online banking. I only use UnionBank’s website to check my EON account to see how much money I have left in the bank or to see if my blog earnings have finally been remitted via PayPal.

My international transactions like paying for domains, webhosting and a few subscriptions to online services are all done with PayPal and so far I feel safe with them.

On the other hand, I still do local transactions ‘manually’, I still personally do the following: deposit the payments to local bank accounts of merchants I deal with, pay internet and telephone bills at their business centers, and I only use my EON card to withdraw cash from ATM machines for my daily and school expenses.

Though I’m a regular user of Globe’s G-Cash service but anything above Php3,000.00 I revert to local bank deposits or in-store transactions. And yes, up to now, I’ve never used my EON card to pay for things I’ve bought. Handing out cash payments still gives me the highest assurance that my money went to the right pockets.

Or maybe I’m just being paranoid. Since I reckon online banking is not that popular, yet, here in the country, bad guys are not that interested in it yet. Then again I may be wrong.

Anyone else having similar thoughts? What about those who are active in using online banking? Do you feel safe every time you do online banking?

Why my pc was never infected by viruses, worms and trojans from email attachments

jhay — Thu, 24 Jul 2008 23:40:44 +0000

Long before my blogging days, I have always read from the forums I frequented, read from websites and in signs in most internet shops that I should be very careful of any email I receive that has an attachment.

They were right, because back then and even up to now, viruses, worms, trojans and other badware are spread through email via attachments. However I was a bit puzzled. If that were really true, then how come my computer has never been infected by such badware when in fact I had the habit of checking out what those email attachments were. Plus, the rise of email groups which we used in classes to share notes, lectures and readings also needed to have a look at attachments to emails I’ve received.

I’m not kidding, the only way my computer was ever invaded by viruses, et. al were through infected diskettes and later on flash drives from my classmates and friends or from the internet shops I visited. Thankfully, despite the many invasions, my anti-virus programs have successfully fended off any badware that has ever managed to touch my computer.

Still, I was puzzled as to how come there are still reports, stories and warnings about the spread of new destructive viruses via email all over the world? My friends, classmates and teachers were being infected too and even consulted me on what to do once their PCs have been ravaged by badware.

I helped them clean-up their PCs, encouraged them to use the same anti-virus tools and other security apps I use and even repaired the PCs of some of them. Still, they get infections from email attachments.
This prompted me to think deeper into the matter.

Since we were practically using the same set of security apps (AV, firewall and other tools) what else could be considered as a “point-of-vulnerability” or entry on their PCs.

The answer dawned upon me when one of my friends while using my desktop computer asked why Outlook was in such a ‘pristine’ state, he accidentally launched it and the auto-configuration wizard greeted him. I answered, “What is Outlook for anyways?”

Yes, though I’m geek and a blogger, back then I have no idea what Outlook was for. Going back, the conversation went on like this (I’ve already translated it into English and restored it from my half-life memory)

James: You don’t know what Outlook is for? It’s an e-mail client.

Me: What’s an email client?

James: WTF? You’re a geek and you don’t know what an email client is?

Me: Dude, I’m a geek but I did not invent the internet, email or an email client.

James: It’s a program that handles your email for you. With it you don’t have to be online all the time to read and reply to email.

Me: Sounds cool. But why use an email client when I could access my email using a web browser?

James: But you need to be online to do so.

Me: But isn’t that how email works? You need the internet to do email.

James: Not with an email client. Like Outlook, it downloads all you email on your computer so that you can read it even when you’re not connected to the internet. When you make replies to email, it saves it so that when you do get back online it then those replies are sent.

Me: I see. That is neat. But wait, when you say it downloads all your email on your computer does that mean the attachments are included?

James: Of course, what good is an email client if attachments wouldn’t be downloaded as well.

Me: Aha! That’s it!

—–

And that is the “point-of-entry” I’ve been looking for. That’s the explanation why warnings about opening email attachments still prevail to this day. That’s the reason my PCs have never been infected from an email attachment. All this time I’ve been accessing my email directly on the internet where my email providers (Hotmail and then Gmail) were scanning the attachments for me. My ignorance of email clients have been saving me from viruses, worms, trojans and other badware that is the scourge of using computers since time immemorial.

I’ve recently installed Mozilla Thunderbird on my notebook, just to try it out. After a few days, I was back to using Gmail on the web browser. It’s so much better and safer.

How I fixed the WP 2.5.1 upgrade issue

jhay — Thu, 01 May 2008 13:42:03 +0000

When I updated this blog to WordPress 2.5.1 five days ago, a problem propped up. That “Please upgrade” strip wouldn’t go away and has become an annoyance. Blogged about it and posted a support question in the WordPress support forums and soon enough possible explanations and solutions to this issue were given by other friendly WP users.

A user who goes by the name Rosie M Banks pointed me to a post by Ultrasonic who had the same problem after upgrading his blog to WP 2.5.1. As it turns out, this is caused by a vulnerability in WordPress 2.5.x where hackers can wreak havoc in a WP blog by inserting PHP scripts or files that could further exploit your WordPress-powered blog.

ia has written a good overview and guide to check whether your blog has been hacked or not over at WordPress Philippines. Gave it a good read and used it like a checklist in my investigation to root out and solve this issue.

Luckily for me, my blog’s internal folders and directories were not littered with new files ending in _new, _old, .pngg, .jpgg, .giff. As ia wrote:

These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

The solution of course, is to delete these files.

A phantom WP user

But when I checked my blog’s database using phpMyAdmin, I found out that there is a phantom “WordPress” user in my blog. Again ia sheds light on this phantom WordPress user:

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Again, the solution is to delete this user using phpMyAdmin which can be accessed from your site’s CPanel.

A plugin that’s not supposed to be there

Continuing with my investigation, I followed Ultrasonic’s advice and checked out my ‘wp_options’ table and looked at these VALUES ‘active_plugins’ and ‘deactivated_plugins’. In it I also found a plugin entry about a plugin that is not supposed to be there. The suspicious entry looked like this:

i:0;s:117:”../../../../../../../../../../../../../../../../../../../../../../tmp/tmpon81ev/
sess_197dd29a88afb90e3a9d82b3227c3369″;

I simply deleted that section of line entry. Of course you must BACKUP your database before fiddling with it using phpMyAdmin as Ultrasonic warns that this solution has not been verified to work for everyone.

It worked on my blog and I simply had to re-activate all of the plugins I regularly use once back inside the dashboard. Since applying this fix, my blog has returned to normal and that annoying update reminder strip has gone away my dashboard tells me that I am indeed running WP 2.5.1

Right now, I’m still in the process of checking my blog for other vulnerabilities. I hope the solutions I shared here would be useful to others who are experiencing the same problems. If not, I strongly recommend posting a support question in the WordPress forums, the wonderful folks from the WP community will always lend a helping hand.