this is not a blog

I Reckon This Must be the Place, I Reckon

Some Robots have behavioral issues; some Robots suck.

About Bots


Here is a text file summary of some of the many Bots seen in the last few months:

Robots List.

See also the logs for these very annoying Bots:

Zgrab
LeakIX
the "Hello World" Bot.
Linux Gnu Cow

And, Wordpress Plugins with known exploits:

"it's capital P dang it!"

Oh, all the seemingly random (though they ain't) POSTs to one's domain? Wow! Just wow:

POST Log

Ah, and the "dotenv"... thing:

That DOTENV Thing

WTF is wlwmanifest.xml?


WTF is wlwmanifest.xml and why do Bots keep looking for it? For example, this happens dozens of times a month and this is from one IP:

    /blog/wp-includes/wlwmanifest.xml
    /web/wp-includes/wlwmanifest.xml
    /wordpress/wp-includes/wlwmanifest.xml
    /website/wp-includes/wlwmanifest.xml
    /wp/wp-includes/wlwmanifest.xml
    /news/wp-includes/wlwmanifest.xml
    /2020/wp-includes/wlwmanifest.xml
    /2019/wp-includes/wlwmanifest.xml
    /shop/wp-includes/wlwmanifest.xml
    /wp1/wp-includes/wlwmanifest.xml 
    /test/wp-includes/wlwmanifest.xml
    /wpX/wp-includes/wlwmanifest.xml
    /cms/wp-includes/wlwmanifest.xml 
    /sexx/wp-includes/wlwmanifest.xml

Let's take a look at it, shall we?

  <weblog>
    <adminUrl>
      <![CDATA[
        {blog-postapi-url}/../wp-admin/
      ]]>
    </adminUrl>
    <postEditingUrl>
      <![CDATA[
        {blog-postapi-url}/../wp-admin/post.php?action=edit&post={post-id}
      ]]>
    </postEditingUrl>
  </weblog>

So that's why! The fucking Admin shit!

When is Wordpress going to grow up and add some basic security measures!

You read that right! Basic Security Measures!

sigh

WTF No. 87


Yet another program access – effing Go (golang) and that effing Git...

    185.220.102.245 - - [17/Nov/2021:04:32:57] "GET /.git/config HTTP/1.1" 404 - "-" "Go-http-client/1.1"

WTF is wrong with these people?

Yah gahtta be kidding me! All "config" file shtuff is protected by a Web Host's WAF (Web Application Firewall; like "Mod Security" – what I call the new "Magic Quotes"... more on that later).

Like, Bots trying to read .env – futile (if the hosting company knows it's shit).
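As an added example (not code from the original post), here is a small Python script that parses access-log lines in the shape of the Go-http-client entry above and picks out the probes these posts complain about: the wlwmanifest.xml directory sweep, /.git/config and /.env. The log lines and the 198.51.100.x addresses are constructed samples, not real hits.

```python
import re
from collections import defaultdict

# Combined-log line in the shape of the Go-http-client entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths only a scanner asks for: the wlwmanifest.xml probe (its adminUrl
# reveals where wp-admin lives) and the config/dotfiles the posts mention.
PROBES = ("/wp-includes/wlwmanifest.xml", "/.git/config", "/.env")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Return (probe signature, directory prefix tried) or None."""
    path = path.split("?", 1)[0]
    for sig in PROBES:
        if path.endswith(sig):
            return sig, (path[: -len(sig)] or "/")
    return None

def scan(lines):
    """Per IP, map each probe signature to the sorted distinct prefixes tried under it."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec["path"]) if rec else None
        if hit:
            sig, prefix = hit
            hits[rec["ip"]][sig].add(prefix)
    return {ip: {s: sorted(p) for s, p in sigs.items()} for ip, sigs in hits.items()}

def sweepers(report, min_prefixes=3):
    """IPs that tried one signature under min_prefixes or more directories (the wlwmanifest sweep)."""
    return sorted(ip for ip, sigs in report.items()
                  if any(len(p) >= min_prefixes for p in sigs.values()))

# Constructed sample lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2021:04:32:57] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2021:04:32:58] "GET /wp/wp-includes/wlwmanifest.xml HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2021:04:32:59] "GET /shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Nov/2021:05:01:10] "GET /.git/config HTTP/1.1" 404 - "-" "Go-http-client/1.1"',
    '198.51.100.9 - - [17/Nov/2021:05:01:11] "GET /.env HTTP/1.1" 404 - "-" "Go-http-client/1.1"',
]
```

Feeding a real access log through `scan()` and `sweepers()` gives a per-IP list of which directories a bot guessed, which is the evidence you want before adding a block rule.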

Related to WTF is wlwmanifest.xml?


Looking at not just what a Bad bot does but why a Bot does what it does...

In this case, it's xmlrpc.php – part of Wordpress – and it (with path variations) is constantly being POSTed to.

So here's what I did.

    <?php
    # /xmlrpc.php -- stands in for Wordpress's own file: log whoever POSTs, then refuse them
    $fd = fopen('xmlrpc.log', 'a');
    if ($fd) {
        # $_POST only holds form-encoded fields; an XML-RPC request body is raw XML,
        # which lands in php://input instead (hence the empty Array in the log below).
        $out = print_r($_POST, true);
        $UA  = $_SERVER['HTTP_USER_AGENT'] ?? '-';
        $d   = date(DATE_RFC822);
        fwrite($fd, "$d\n{$_SERVER['REMOTE_ADDR']}\n$UA\n$out\n");
        fclose($fd);
    }
    header('HTTP/1.1 403 Forbidden');
    exit('idiots');
    ?>

Be back with data...

Update:

Got the first two hits:

    Wed, 24 Nov 21 12:46:34 -0700
    20.98.245.87
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36
    Array
    (
    )
    
    Wed, 24 Nov 21 18:04:07 -0700
    128.199.210.248
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Array
    (
    )

That's it? Crap, now I gotta look into what xmlrpc.php does and what it returns... Fuck... Just fix yer shit, Wordpress!

Update: December, 1

While the Wordpress xmlrpc.php is small, the Wordpress "XML-RPC protocol support" is 7,000 lines long, and that's just the file with the constructor! Not something I want to wallow in for any prolonged amount of time...