Programming

How to Stop a Brute Force xmlrpc.php Attack on Bitnami WordPress

WordPress Inspiration (oxymoron).

I was trying to access my site the other day and noticed it took fucking forever for anything to load. I thought something was broken: server out of memory from a recurring CRON job, or maybe I had royally fucked over my WordPress ecosystem by accident. Who knows? It's WordPress after all...

Are you experiencing any of these symptoms? Then read on...

  • Perpetually waiting for a response from the server while your browser displays a white page?
  • When your website does manage to load, clicking any link can make the entire application stop responding.
  • Seeing an abnormally high AWS charge for a small instance? Blame Amazon for expensive cloud computing first...

Being the curious programmer here, I tried to look for the issue. PRO TIP: Always look at your Apache or NGINX logs. My god. Fuck this guy. Spamming my site with pointless brute-force password attempts against a file called xmlrpc.php. You'll never succeed, because the password is a million fucking digits long. Realistically, however, I'd probably be so pissed off at the AWS charge that I would cancel the EC2 instance before giving in to my blog's new commander.

Check out some of these lines from streaming the Apache access log:

$ tail -1000f /opt/bitnami/apache2/logs/access_log

185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:17 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370
185.188.204.7 - - [21/Nov/2017:08:07:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370

Great, my server is being spammed by a Russian bot every few milliseconds. WordPress, why the hell are these requests succeeding from an external source? At least this explains why my site has been unresponsive: someone else is using its resources.

Let's block his ass. The best way to do this is on the intermediary Apache server. We're going to write an Apache policy to prevent access to the xmlrpc.php file.

One thing to note before we continue: Bitnami disables .htaccess files by default for performance reasons, so to apply any Apache configuration at all we have to edit the custom .conf file instead:

$ vi /opt/bitnami/apps/wordpress/conf/htaccess.conf

Now add these lines at the end of the file (please learn Vim to complete the edit):

<FilesMatch "xmlrpc.php">
  Order Deny,Allow
  Deny from all
  Allow from 192.0.64.0/18
  Satisfy All
  ErrorDocument 403 http://127.0.0.1/
</FilesMatch>

Once we have edited htaccess.conf, restart Apache for the changes to take effect (Order/Deny/Allow is the Apache 2.2 access-control syntax; Apache 2.4 only honors it when mod_access_compat is loaded):

$ sudo /opt/bitnami/ctlscript.sh restart apache

We can verify this works by sending a GET or POST to http://dasun.us/xmlrpc.php: it should redirect. Because the ErrorDocument above points at a full URL, Apache answers every denied request with a 302 to the client's own localhost instead of a plain 403, while still allowing the 192.0.64.0/18 range that WordPress.com uses. This keeps plugins such as Jetpack working. Let's look at the access logs now:

185.188.204.7 - - [21/Nov/2017:08:41:24 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:24 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:25 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:29 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201
185.188.204.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201

Ahhh, success, and a breath of relief: go annoy someone else now. The 302 is a redirect status, which means they are now being sent to their own localhost rather than wasting resources on your WordPress site. Cheers, hope this helps!
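As an added example (not code from the original post), a small Python script that parses access_log lines like the two excerpts above, flags any IP bursting POSTs at /xmlrpc.php, and checks whether the FilesMatch block is in effect by looking for 302/403 answers instead of 200s. The sample lines are constructed in the documentation IP ranges; the threshold and window are arbitrary defaults.

```python
"""Added example: spot xmlrpc.php brute-force bursts in Apache access_log lines
and confirm the FilesMatch block is answering them with a redirect."""
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, as in the post: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_offenders(lines, threshold=5, window_seconds=10):
    """Return {ip: total POSTs to /xmlrpc.php} for every IP that sent more than
    `threshold` such POSTs inside any `window_seconds` span (sliding window)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["time"])
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = len(times)
    return offenders

def block_in_effect(lines):
    """True when every /xmlrpc.php request in `lines` got a 403 or a 3xx, i.e. the
    FilesMatch rule (and its ErrorDocument redirect) answered instead of WordPress."""
    statuses = [rec["status"] for rec in map(parse_line, lines)
                if rec and rec["path"].startswith("/xmlrpc.php")]
    return bool(statuses) and all(s == 403 or 300 <= s < 400 for s in statuses)

# Constructed sample lines modeled on the post's excerpts; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real clients.
BEFORE_BLOCK = [
    '203.0.113.7 - - [21/Nov/2017:08:07:17 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '198.51.100.4 - - [21/Nov/2017:08:07:18 +0000] "GET /about/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Nov/2017:08:07:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:20 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '203.0.113.7 - - [21/Nov/2017:08:07:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
]
AFTER_BLOCK = [
    '203.0.113.7 - - [21/Nov/2017:08:41:24 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201',
    '203.0.113.7 - - [21/Nov/2017:08:41:25 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201',
    '203.0.113.7 - - [21/Nov/2017:08:41:29 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201',
    '203.0.113.7 - - [21/Nov/2017:08:41:31 +0000] "POST /xmlrpc.php HTTP/1.0" 302 201',
]
```

Run it against the real file with `xmlrpc_offenders(open("/opt/bitnami/apache2/logs/access_log"))`; the same function accepts any iterable of lines.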


Montserrat Font and Legacy Support

See the ongoing GitHub discussion.

Without going into too much detail, Google updated the Montserrat font and its weights remotely, affecting millions of designs across the world wide web which integrate with Google fonts. This affected me personally, as I use Montserrat for my blog titles.

I absolutely despise APIs which introduce breaking changes. All of these breaking changes destroy any legacy applications which use the APIs. Google in particular has a penchant for deprecating, breaking, or removing their APIs: remember when the internet of shit's favorite Samsung smart fridge couldn't connect to its dumb calendar? Lol. This time, millions of websites across the web were forcing shitty text overflows down everyone's throats. Who wants that???

I'm not sure who's in charge of these decisions, but developers - the best rule of thumb to go by is that once an API is deployed to production, nothing in that API spec can change. LEAVE IT BE! The end consumer is always expecting things to abide by the status quo. The majority of users will not update their application, and they will immediately complain, at scale, about anything that doesn't work.

It's an awful user experience. All designers and programmers should consider these legacy customers and find creative solutions to scale and expand their APIs rather than forcing major upgrades.

Before I sign off here, I'd like to talk about one of my nightmares. I can hear it now...

What about Internet Explorer??

If you don't want to deal with an awful browser or device (Windows phone I'm looking at you), do not build applications for these devices in the first place. Once you decide to start supporting anything at all, you will have to support it for all its technological life.


Introversion at the Latest / Earliest Hour

I often find myself coding deep into the night. I can't quite put my finger on it, but there's something subtly addicting about staying up late, by myself, with F.lux blasting on its most orange setting as I punch my keys in a sequence of logical events.

In the past, I would always take time out of my work day to play video games, socialize, or maybe even have a drink and smoke. But now... the digitalization of my coder life has become an artistic medium, unforeseen and unexperienced by most. Many of my peers see computers as solely a tool for work. I see it as an evolution of sorts. A paradigm shift of life - as you must. An artistic grounds for innovation.

I can easily see myself never letting go of this addiction. This QWERTY keyboard layout... These languages. These console outputs... These frameworks - my own grown up K'nex. I can't even begin to express the ideas in which I want to tackle - the applications I want to build. The art I want to code. The relationship I want to nurture.

Alas, time is not on my side. Programming is a time-consuming process, despite all of the optimizations I try to incorporate in my daily interactions. Shortcuts and five fingers can only get you so far.

It's quite possibly the ephemeral evolution of Moore's Law. Holy shit, it is beautiful. Year over year, improvements on both hardware and software allow us to do the most ridiculous of things. Once you reach the zen of programming, your life will never be the same. I feel limitless in this virtual realm. It has become my religion. A deity in the most computerized form, yet inhibited and enabled by these keystrokes...

I can deconstruct worlds and layers, unforeseen by 99% of the population. It is the most enjoyable experience I have ever been a part of. 25 years of my life and so much more to learn, so much more to suffer, so much more to LIVE.


Beat the Burnout

Inspiration from Sam Altman

After almost 3 years of nonstop hacking and coding, the toughest part of the job is not burning out. There are many times when the thing that kept you interested (programming) just doesn't cut it anymore. The spark isn't there. When you don't want to go any further - when you'd rather eat ice cream for the rest of your life...

The burnout is real. Any programmer would be able to tell you this. Every big, massive undertaking has an equally large and massive undertaking for bug squashing, testing, and endless hours of debugging. No one writes perfect code, but in order to survive the gruesome computer stare-down (maybe breakdown too) - you must know a few tricks:

  1. Coffee coffee coffee - I can't stress this one enough. Nothing gets you going like a cup (or 5) of joe. Nothing.
  2. Working out - Specifically, cardio. Even a twenty minute bike ride will light your brain on fire. Challenging your body is paramount to challenging your mind.
  3. Spoil yourself - Every techie is obsessed with something, whether it be a side-project, more electronics, energy drinks, video games, etc. Find that thing which keeps the hamster wheel spinning.
  4. Downtime - This is the part where you kick back, relax, and enjoy the show, or meal, or company, or music, or your bed... Whatever it is, make sure you don't touch your computer during this time.
  5. Multitask - This could be unique to certain individuals, but being able to work on multiple projects with varying levels of difficulty, ensures that you are able to constantly stay busy while being productive. For example, in office, I will tackle the hardest challenges while I have all of the motivation, but when I lose focus, I will then revert to cleaning up the lower hanging fruit, such as icon updates.
  6. Operate on your best hours - Not everyone is productive at 5AM, but if you are, you know better than to twiddle your thumbs during those times. Do what you got to do.
  7. Work on something you love - This is the best part about coding. You get to build something which has never been built before. Use a new framework with your favorite language or contribute to projects which you strongly believe in. The world is your oyster.

That's it for now. I revamped my website with a few more CSS goodies. I plan on adding a portfolio page soon to give you a snapshot of all the projects I'm working on!


Let's add a backdoor to one of the world's most secure devices

Apple's Letter

We are, yet again, at another pivotal piece of Internet legislation. Recently, a federal judge in Riverside, California ordered Apple to assist the government in unlocking and decrypting the iPhone 5C used by Syed Rizwan Farook, responsible for the San Bernardino shootings in December.

These shootings were one of the worst acts of domestic terrorism in 2015. My thoughts go out to all of those affected. These attacks are despicable and those responsible for them must be held accountable for their actions. Apple has already complied with all valid subpoenas and search warrants, even going as far as to make Apple engineers available to advise the FBI.

The FBI fucked up. They compromised their own access to the seized iPhone 5C when, at the FBI's request, someone in the county health department changed the Apple ID and password associated with the phone.

Given that the iCloud auto-backup route failed and all other feasible recovery options are now unviable, the FBI and the Department of Justice asked a judge to order Apple to rewrite the firmware just for their unlocking purposes. This proposed new firmware would let the FBI remove the automatic wipe feature, allowing them to brute-force the password.

I've been reading a lot of misinformed comments on the Internet and thought I'd give my computer science perspective of the situation:

1. Many Internet souls are arguing that Apple is operating based purely off its business model, and that it is using its security features to maintain its company and brand marketability.

Let me make it very clear that Apple is NOT operating under its best marketing and business interests (surprisingly). This is about Apple's customers and their basic freedoms. Creating a backdoor is not only unlawful, but it puts the vast majority of law abiding citizens and their personal information at risk.

2. Many uninformed Internet warriors are wondering why Apple just doesn't comply with the FBI, given that it's only one user's iPhone and that that user is one of the San Bernardino shooters.

The issue isn't as black and white as it seems. The situation is not a hardware hack; rather, it is a software hack. It is easy to think that the backdoor would only be applied to the single iPhone. However, this backdoor vulnerability could be applied to every iOS device in existence. That's over 1 billion devices.

I hope Apple takes this case all the way up to the Supreme Court. This backdoor, if created, could be abused by Apple's internal employees, hackers, even foreign governments if it ended up in the wrong hands. History has shown us that as soon as something is leaked, it becomes available on The Pirate Bay an hour later.

We cannot sacrifice our basic freedoms in the name of terrorism. As soon as we encourage this type of misbehavior, it gives our government unlimited access to all of our private devices. This is how oppressive regimes operate. Let democracy stand.


Cloud Security and a $20000 AWS Charge

Cloud security is a hot topic right now. In the current state of the Software Revolution, pretty much everything in everyday life is moving to the cloud: movies (Netflix & Hulu), business communications (Google Hangouts & Slack), driverless cars (Google & Tesla), storage (DropBox & OneDrive), cloud robotics (Google & Industrial Perception) to name a few of the thousands of cloud-based technologies available today. There are so many smart-* apps and devices coming out that all of our daily computational power is moving to the cloud.

This is awesome. This allows software developers and engineers like me to work from any location as long as I have an internet connection. In fact, my current job (shameless plug for Yappee) allows me to work remotely because all of our technologies are based on the cloud - GitHub, Amazon AWS, and Slack are a developer's best friend.

Under the hood, all of these applications have critical security features and complex APIs which are crucial to the success of these technologies. On the front-end side of things, the users are presented with elegant interfaces with a ton of power at their fingertips. This is the future and it's awesome.

This magical ride with cloud computing is only going to get bigger and faster according to Moore's Law. This 2^* exponential growth is going to allow us to do things we never thought possible with software, but STOP RIGHT THERE...

We are becoming so enveloped within this digital world that we are failing to recognize the consequences that may occur from cloud security.

Two days ago, I was playing around with my GitHub repo and, to make room for another private repository, I switched one of my previous Ionic projects to a public, open-source project because, what the heck, someone might find it useful. That someone wasn't who I expected.

I received an email yesterday morning with the title "Your AWS account is compromised". Wow, what's going on here? I read the email and saw that my GitHub project was listed, with my AWS security credentials exposed through its Elastic Beanstalk configuration. I took immediate action to change all passwords and keys associated with this account and deleted my GitHub repo. It didn't take long until I received another email regarding a support case I didn't even open myself.

Thank you for taking quick action to delete your exposed access key. The hold on your account has been lifted.

However, prior to you deleting your access key your AWS account has been compromised and currently there's a charge of $13510.95 USD. To prevent further charges as well as for me to submit a concession request, please go through and delete any unauthorized resources.

Holy shit!!!! $13510.95 USD. My account was compromised... as fuck. These GitHub bots have no mercy. Overnight, they acquired my AWS credentials through their scraper and launched 500 Spot Instances as well as 500 more c3.8xlarge EC2 instances in every region of the world - all on my billing account. Absolutely nuts.

I contacted Amazon AWS support immediately with my pressing issue. One of their employees, Ben, let me know about all of the "suspicious" activity that my account had undergone. Ben is my hero. He got my attention immediately through a phone call and voicemail, and immediately submitted a concession request on my behalf, assuring me that all of my expenses would be covered by Amazon. Amazon and their customer support receive my highest regards. 10/10.

[Screenshot: AWS billing console, 2015-10-29]

This is my billing account by the morning. Within 1 day of my GitHub repo going public, the bot was able to launch off 500 of the largest EC2 instances available on Amazon with spot requests to continually relaunch them if they went down, accruing over $20000 of computing costs. This is insane (also impressive from a hacker standpoint).

Admittedly, I am 100% responsible for leaking my credentials to a public zone, but trust me, if it can happen to me, it can happen to anyone. There are bots these days for everything. Keep your shit safeguarded.

tldr: Cloud Security is important. Keep your passwords safe.
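A pre-publish check, added here as an example (not code from the original post or from AWS), that scans a working tree for AWS access key IDs and adjacent secret keys before a repo is flipped to public; the embedded sample config is constructed and uses AWS's documented placeholder keys, and the file path and regex heuristics are assumptions.

```python
"""Added example: scan files for AWS credentials before a repository goes public."""
import os
import re

# Access key IDs are 20 uppercase alphanumerics starting with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like chars; only flag one that sits next to a
# secret-looking key name, to keep false positives down.
SECRET_KEY_RE = re.compile(
    r'(?i)(aws_secret_access_key|secret[_-]?key)\s*[:=]\s*["\']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])'
)

def redact(value):
    """Keep only the first and last four characters so findings are safe to print."""
    return value[:4] + "..." + value[-4:]

def scan_text(text, source="<string>"):
    """Return a list of (source, line_no, kind, redacted_value) findings."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, no, "secret_access_key", redact(m.group(2))))
    return findings

def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Walk `root`, skipping VCS/vendor dirs, and collect findings from every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings

# Constructed sample modeled on an Elastic Beanstalk CLI config with credentials baked in.
# The key values are AWS's documented placeholder examples, not real credentials.
SAMPLE_CONFIG = """\
[global]
application_name = ionic-app
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-west-2
"""

def sample_findings():
    """Run the scanner over the constructed sample (path is hypothetical)."""
    return scan_text(SAMPLE_CONFIG, ".elasticbeanstalk/config")

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for src, no, kind, val in hits:
        print(f"{src}:{no}: {kind} {val}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook block the push
```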


WordPress Automatic Updates

They suck so hard. I had my entire site configured how I wanted it to look like, and of course automatic theme updates are default for this piece of shit platform.

How many hours am I going to waste to achieve the same effect that I've had before?!

What the fuck.

Download Easy Automatic Updates plugin to stop the bleeding.

WordPress is the worst developer platform.


Venmo

Something really, really, really needs to be addressed here, and it's the current state of everyone's favorite instant money app: Venmo.

Hell, I use Venmo for rent, splitting checks, and paying for just about anything. It's quick, easy, and, all emoji jokes aside, it gets money to your bank in a day's time. That's amazing, considering that PayPal, the software-boom parent of Braintree, takes three days' time to transfer money from PayPal to your bank.

Last year in 2014, Venmo processed $2.4 billion of payments. $2.4 billion dollars. It doesn't stop there though, as Venmo has already processed $1.6 billion in transactions in the 2nd quarter alone. At this current rate, Venmo will process anywhere between $5 - $10 billion dollars in 2015.

The money-making scheme behind Venmo is actually quite genius: all of the cash-moneys sitting inside your Venmo account is actually gathering interest for the company. But this is also the whole reason why Venmo is unsafe. When you transfer your Venmo credits to any of your friends on Venmo, that money is only getting moved around on the application layer. That money is not being moved from your account to your friend's. Let me repeat that, even if you receive the notification, the email, and the verbal confirmation that the money was transferred, there's absolutely no guarantee that money will reach your bank account when you cash out.

This article does a tremendous job of explaining the intricacies of Venmo:

if I Venmo you $20 for Chipotle, the “+ $20.00” notification you get isn’t actually reflecting a transfer from me to you. Rather, in most cases, Venmo is floating you the money until it can come out of my account. The actual mechanics of the transaction are much more complicated; the point is that Venmo is just the top layer with which you interact. “The current systems that [the United States has] in place for consumers don’t allow for real-time payments or instant payments, but instead just create this illusion that the funds are good and immediately available,”

It's completely plausible for someone to deposit to Venmo from a fraudulent or maxed out credit card. Those "funds" can then be moved around from account to account until a user decides to cash out on his/her Venmo funds. One day later, the funds from that cash-out transaction will come back with an error: "payment that you requested to be transferred to your bank came back for insufficient funds".

This is how a Venmo scam works. You trade your virtual credits for real-life goods or services, only to realize that you never received your money. The biggest difference between Venmo and PayPal is that PayPal has safeguards to prevent merchants from scamming you; Venmo's user agreement, however, says something completely different:

“Business, commercial, or merchant transactions may not be conducted using personal accounts.”

This means that if you sold your Craigslist item for illicit Venmo funds, Venmo will not refund you the price of the item if the transaction doesn't go through because you violated their terms of service.

Wow. Talk about shady business practices. Venmo wants you to use their application for virtually all transactions, but they conveniently forgot to mention that they won't reimburse your loss.

Be careful out there. Venmo isn't magic.


Startup Girlfriend Threesome Balance

And this one comes up a lot.. How do you balance your girlfriend with your 60-70 hr / week job affair?? Short answer - you don't without some sacrifice. Choosing your job before girlfriend creates a rift in communication and questions about priority. Choosing your girlfriend before your job results in unnecessary stress, poor work, and unwarranted work-review meetings with your boss.

What do you do? And how do you achieve this balance when it seems impossible? I'll start by saying that it's not an easy task, but if you want results, you must be attentive and willing to put in the effort with sacrifices.

  1. Communication is key. Don't fret the hours and be confident about what your needs are. Make sure you and your girlfriend are aware of the commitment necessary for both people to be happy. You get to work while she curls up next to you in bed.
  2. Keep your priorities straight. Don't let the love of your life become an afterthought. Your girlfriend loves and cares about you -- something that your job can't offer. Emotional support is the name of the game. Make sure she knows that you're not purposefully ignoring her for your work.
  3. Reassure her about your free time availability. This is a big one. You must be able to set boundaries on when you're working and when you're playing. There's no in between ground, so make sure you have your entire day's schedule straight. The best is when you both can find free time to work together.
  4. Create a list of goals each day, and achieve them. This one may seem unnecessary, but it's important. These don't have to be work related at all! Even small goals like 'Take girlfriend out to dinner' or 'Spoon her for at least 20 minutes' should be on this list.
  5. Compromise. This is a given in any relationship, but especially important in the startup / girlfriend threesome. Your weekends are limited while hers are empty. Go out and have fun, but let her know that you'll need to be up early the next morning to get your shit done.
  6. Have fun. Don't let the work clog your mind. I, for one, am an emotional robot whenever I'm working. It's either coding or girlfriend; they both deserve your full attention. When you're out having fun, have fun and don't worry about work until you boot up your laptop again. Trust me, there will be plenty of time to do that.

These are the most important things off the top of my head. Any less and I wouldn't be the best working / loving man I could be. Life moves on in mysterious ways, but you can't get what you want or deserve without setting some boundaries through communication. I suck at it, but I'm working towards a more mutually beneficial threesome here: coding, love, happiness. That's all.


First Software Job

It's been a while since I last blogged, but I just wanted to say how pleased I am with life at this moment. Since taking a 5 month hiatus from any strenuous work/code, I've decided to get back on the horse of life.

Trust me, taking 5 months off was one of the best decisions in my life. I FINALLY broke my dependence on stimulants, and I evolved socially in ways I could never have imagined.

Coming out of college, I wanted to find the highest paying salary job possible -- $100,000 sounds just superb. But I realized there's more to it than just money. Sure, I could afford better cars, better booze, better food, but would I really be happy? Probably not.

I interviewed with over 20 companies for senior-level development roles. In retrospect, I was a little too ambitious. Senior-level software roles need their employees to deploy code from day one. I remember being asked to code a 20 questions AI on the spot, and just miserably failing. Not saying that all college grads should go for easier roles, but senior engineers need the experience to deploy quickly -- something that us juniors could accomplish, but in a much larger time frame.

Even though you would make a dick-load of money, ask yourself if doing your job is all that's important in your life. For me, the spare time away from work and the ability to hang out with my girlfriend all days of the week easily trumps any job which requires you to work 60+ hours a week.

Nerds need time away from the computer.. Ya know?
