Michael Jordan’s net worth

For some reason, MT.Net has been deluged with Yahoo searches for “Michael Jordan’s net worth.” This leads folks to my earlier musing about the legends surrounding Jordan.

Yahoo is running this story on their front page about His Airness buying a rather large house in Jupiter, Florida. There is a tiny link under the headline “Michael Jordan’s Costly Mansion” that runs the search. So essentially MT.Net is one step away from being linked to from Yahoo’s home page.

(And for those of you who were wondering, Michael Jordan’s net worth is estimated to be somewhere north of $400 million.)

Botnet

It’s definitely a botnet I’m seeing. Since it has a common HTTP_USER_AGENT I have banned that agent. If you’re a human and you’re still using IE6, you’re out of luck, dude.

Unknown bot detected

This morning I was looking through the webserver logs for MT.Net when I noticed the following three successive hits from yesterday:

91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Highly suspicious, right? Three different IPs hit the same obscure link at the same time, all with identical browser strings?

Then there were these hits from this morning:

77.94.32.33 - - [25/Sep/2009:06:42:14 -0400] "GET /2009/09/22/ HTTP/1.0" 200 15894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:27 -0400] "GET /2009/09/23/ HTTP/1.0" 200 17625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:34 -0400] "GET /wp-login.php?action=register HTTP/1.0" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.175.0.151 - - [25/Sep/2009:06:43:09 -0400] "GET /wp-login.php?action=register HTTP/1.1" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
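
The pattern spotted by eye above (several IPs requesting the same URL close together with an identical browser string) can be checked mechanically. The following is an added example, not code from the original post; the 60-second window and the two-IP threshold are assumptions to tune per site, and the sample input is the log lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the access-log lines quoted in the post, in Apache
# combined-log form (plain quotes and dashes).
SAMPLE_LOG = """\
91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:14 -0400] "GET /2009/09/22/ HTTP/1.0" 200 15894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:27 -0400] "GET /2009/09/23/ HTTP/1.0" 200 17625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:34 -0400] "GET /wp-login.php?action=register HTTP/1.0" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.175.0.151 - - [25/Sep/2009:06:43:09 -0400] "GET /wp-login.php?action=register HTTP/1.1" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(log_text):
    """Yield one dict per well-formed combined-log line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def coordinated_hits(records, window=timedelta(seconds=60), min_ips=2):
    """Return (path, agent, sorted IPs) for each URL that several distinct
    IPs requested with the same User-Agent inside one sliding `window`."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["path"], r["agent"])].append(r)
    findings = []
    for (path, agent), hits in groups.items():
        hits.sort(key=lambda r: r["ts"])
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1  # slide the window's left edge forward
            best = max(best, {h["ip"] for h in hits[start:end + 1]}, key=len)
        if len(best) >= min_ips:
            findings.append((path, agent, sorted(best)))
    return findings
```

Run over the sample, `coordinated_hits(parse(SAMPLE_LOG))` reports both the `/category/Checking%20In/` burst and the two-IP visit to the registration page, while the single-IP crawl of the date archives is not flagged.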


MT.Net mystery solved

I think I solved the mystery I was seeing on MT.Net, so now I can tell you what happened.

I’m using the SABRE WordPress plugin to block bot users from wreaking havoc on the MT.Net blogosphere. Earlier this week, a supposed bot passed the SABRE math test, so I decided to crank up the CAPTCHA feature of SABRE to further weed out bots. (Now, I don’t know if it actually was a bot that registered or simply some bored Russian, but I wanted to see what the CAPTCHA did anyway.)

MT.Net maintenance ahead

I found an “unexpected inconsistency” with MT.Net today. Can’t go into details yet but I’ve been pondering it this afternoon and can’t think of any reason it should be occurring.

MT.Net may go dark briefly while I try a few things to fix it. Stay tuned.

Spam bot figures out SABRE math test

It was bound to happen eventually. This morning a spam bot figured out the math test check that my SABRE plugin was using to filter human website visitors from spam bots. This happened on one of my less-frequented blogs, which actually helped me discover it as that particular blog doesn’t get many registrations.

Looks like now I’ll have to graduate my blog universe to the full-blown CAPTCHA tests if I want to keep the Russian spammers from crashing the MT.Net party.

Turning the tables on hackers

Every dark cloud has a silver lining, and the recent hacker attacks on MT.Net are no exception. Once I had safely reassembled the website and taken measures against active attacks, I realized what risk hackers run when they attempt remote code execution attacks like the one they ran on my site: they expose the location of their hacker code!

After repelling a couple of attacks per day, I got wise and began to contact the owners of the websites used to attack my site, politely letting them know their servers had been compromised. After doing this for five or so websites, the hacker attacks against my site all but dried up! Perhaps I hit a nerve?

It’s still usually not worth the trouble to track hackers back to their original IP addresses (or at least, not worth the trouble for anyone lacking search warrant power), but taking away a few of a hacker’s precious hideouts sends a message that messing with me comes at a cost.

Blogging and hackers

I found the Stop Forum Spam site this morning when watching l0ser bots try to register accounts on MT.Net. A Google search on an email address used by an obvious bot brought me to the site. There’s an API for automated rejection of these fake user accounts which I’m thinking of using to head off many of the hacker attacks I’ve seen. I’m thinking blocking attacks at the Apache level would be ideal.

On another note, it looks like my WordPress hack post has become very popular with both hackers and webmasters alike. Hackers frequently use its URL to attempt cross-site scripting attacks against my machine, while webmasters point to it as one of the first public announcements of a critical WordPress vulnerability. Kudos again to MT.Net reader Scootdawg for being the first to see my blog wasn’t working!

On yet another note, I’m thinking of writing a screenplay where a lowly blogger disses the reclusive dictator of a backwards Asian country and becomes an unwilling “guest” of the dictator for a bizarre weekend.

MT.Net outage from 3 PM to possibly 9 PM

MT.Net’s provider will be performing work on our server this afternoon beginning at 3 PM, and the server will be down until possibly 9 PM. The expected outage is two hours, so MT.Net expects to be back by 5 PM or sooner.

This would be a good time to watch wedding videos.