Slashdot Mirror


User: JustAnotherOldGuy

JustAnotherOldGuy's activity in the archive.

Stories
0
Comments
5,725
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,725

  1. Re:What's Wordpress walling ... on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 1

    Your shitty answer is useless as tits on a boar hog.

    Only to the mentally deficient, like you.

    It doesn't answer the question as to why in Sam Hill you'd want Wordpress access to do that stuff.

    Wow, you're like The Fountain Of Stupid. Why does anyone hack a server? To get its resources and/or data. Duh. .

    You're suggesting hacking one of the weakest interfaces on the planet that ALSO rats out your activity.
    You're not making one single goddam penny.
    The risk/reward is whack.

    Oh, that must be why no one ever hacks Wordpress sites. You're right, it never happens, so obviously you're spot-on. Oh, wait... .

    Your last line, which you bolded so everyone else but me can see it clearly (because you know> I don't give a shit) clearly demonstrates your need to compensate for inability to provide a valid answer.

    Lol, oh look, Captain Dork is also a psychologist...what color crayon did they sign your diploma with?

    Seriously, you have no idea what you're babbling about, and it's painfully obvious to everyone here but you. People hack Wordpress sites for all sorts of reasons, none of which you seem to be able to grasp. There is clearly value in doing so or they wouldn't bother doing it. As with most things that baffle you, just because you're too stupid to understand it doesn't mean there isn't a reason.

    I'd tell you to shove it up your ass, but your head is in the way.

  2. Re:What's Wordpress walling ... on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 3, Informative

    What's Wordpress walling ... that's worth anybody's time to brute force?

    Your answer ... isn't one.

    As I said, you can modify the WP files to include your own code- PHP, javascript, whatever, and from there you can use the platform as part of an attack or DDOS network. You could use it to attack and infect any user visiting the site.

    You could store files on the server (kiddie porn, malicious code, MP3s, movies, stolen credit card numbers, social security numbers, etc) and so on. You could use it to send emails to the White House and threaten the president's life. You could set up online pill stores, a XXX-video site, etc etc. You could steal the login names and passwords of anyone who logs in.

    You can also run compiled code (C, C++, etc) and more than likely escalate your privileges until you're root, at which point the server is yours for all intents and purposes. You can steal user creds and any info you like that may be there (credit card data, PIN codes, passwords, personal info, etc etc).

    You could alter the DNS and email records and potentially use that to steal domains on the server. You could also impersonate any user on the server to send and receive email as them. You could alter data at will (think medical info, dosage info, diagnostic info).

    All that took me about 10 seconds to come up with, and I'm sure there's much more that I could think of given a little more time. The real question is not "what can you do", but what couldn't you do? And the answer is basically nothing, there's nothing you couldn't do.

    The fact that you couldn't think of any of this does not speak well of you, although it does prove that your user name is entirely accurate, "Captain Dork".

  3. Re:And that's why I'm backing Sanders on 2016 Election Cycle Led By Billionaire Donors · · Score: 2

    Bingo. He's the real deal.

    I don't agree with everything he says but I agree with a hell of a lot of it, more so than any other candidate by far. I'm voting for him.

  4. Re:And that's why I'm backing Sanders on 2016 Election Cycle Led By Billionaire Donors · · Score: 5, Insightful

    I would be viewed as holding to a number of relatively conservative and libertarian views, but this man has my respect.

    Same here for the most part, and that's why I'm going to vote for him. He's been consistent on his views for the last 30 years and that is something you just don't see among 99.999999999% of politicians.

    He voted against the war and against the PATRIOT act, and that counts for something in my book. Those were two incredibly unpopular positions to take, but now he's been vindicated for having the courage not to go along with the masses. .

  5. Re:Brain-dead security hole on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 1

    It almost makes you wonder if Wordpress is actually a secret attempt to knock over web servers.

    Judging by the stats, it leads in that category.

    I'm convinced that there is no easier way to allow a server to be nailed than to install WP with no hardening plugins, Hell, half the themes out there for it contain obfuscated code and built-in spam links.

  6. SHOCKED on 2016 Election Cycle Led By Billionaire Donors · · Score: 0

    I'm shocked, SHOCKED, I tell you!

  7. Re:What's Wordpress walling ... on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 1

    ... that's worth anybody's time to brute force?

    Oh, there are lots of naughty things you can once you've managed to login, especially as an admin.

    As an admin you can edit the Wordpress php files to add or remove anything you want. Yup, think about that for a minute. Muwahahahaha.

  8. Re:How is this not severe incompetence? on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 1

    Can somebody explain to me how this could be the result of anything other than severe incompetence?

    No, because that's pretty much the only explanation. You called it dead-on.

    Why WordPress doesn't have this kind of login-limiting built in by default can also only be explained by sheer, utter incompetence.

  9. Re:Change Username From Admin on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 1

    One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator"

    Good advice. Yep, mine is usually some oddball chars after "admin", i.e. "admin77YT43" or something completely unrelated (but still hard to guess).

  10. Why are insane amounts of passwords permitted? Why are wrong attemp timers missing? Why are instant resubmissions permitted?

    Dictionary attacks would not be feasable if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime.

    Wordfence lets you set this sort of gate. I have mine set to trigger on 3 wrong login attempts over the course of 3 hours, and then it locks the user out for 10 days.

    No, that's not a typo. These are for sites where I'm usually the only person logging in, ever.

    For sites with actual user I use 3 wrong login attempts (over the course of 3 hours), and then it locks the user out for 6 hours.

    Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.

  11. Re:Brain-dead security hole on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 2

    Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed.

    I know, that was simply fucking brilliant of them. I saw that and nearly fell out of my chair, it was an instant "WTF???"

    Dev 1: "Hey, let's create a potential exploit hole and let's make sure that it can't be disabled!"
    Dev 2: "Magnificent! Give that man a raise!"

  12. Use wordfence or "Disable XML-RPC" on Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net) · · Score: 3, Informative

    I highly recommend "WordFence", or if you don't want to use that, use Disable XML-RPC. Both of them work to stop this kind of attack.

    Wordfence is worth its weight in gold and it's a standard plugin I install whenever I have to do a Wordpress site.

    It has lots of useful options and I wouldn't run a Wordpress site without it, period.

  13. Re:Paper finds most webmasters don't have a clue on Cloud DDoS Mitigation Services Can Be Easily Bypassed (softpedia.com) · · Score: 1

    What I did at first to fix this potential hole was to catch the incoming email and then do a manual activation and reply from a Yahoo account. Later I had the email trigger a script that sent a signal to a different server and that server sent the email.*

    Of course, if they were really determined they'd just start DDOSing that server which would crash other sites I own, but I figured they'd be watching the original site to see if it was being affected, and when it wasn't (because they weren't hitting the right server) then after getting no satisfaction they'd give up after a while.

    .

    *this was pretty much a shameful, miserable hack, but it worked. :)

  14. Re:Flawless AI in 5 years? Yeah, right... on Replacement of Writers Leads Gartner's Predictions (computerworld.com) · · Score: 1

    I predict that AI has always been hard :-)

    Lol, It is difficult to prophesy, especially about the future :)

  15. Re:Flawless AI in 5 years? Yeah, right... on Replacement of Writers Leads Gartner's Predictions (computerworld.com) · · Score: 1

    It's possible - you don't really need to make the AI any smarter if you can just make the "consumers" dumber instead.

    That seems to be the current trend. Just feed 'em enough reality shows and constant photo essays of Kim Kardashian's ass and pretty soon IQs will start to drop below room temperature*. Mission accomplished!

    -

    *some say this has already happened

  16. The funny part on Replacement of Writers Leads Gartner's Predictions (computerworld.com) · · Score: 1

    The funny part is that these robo-generated documents will be put on the web where they'll be read by other bots scanning for stories.

    So the stories written by robots will mostly be read by other robots, in an endless cycle of circle-jerk robo-journalism.

  17. Re:Elephants next, please on Chinese Company To Sell Genetically Modified Micro Pigs as Pets (abc.net.au) · · Score: 0

    "some kind of mini-elephant"

    A truncated elephant, presumably?

    Heh, that's worthy of mod points. Sadly I do not have any to bestow upon you. :(

  18. Re:Paper finds most webmasters don't have a clue on Cloud DDoS Mitigation Services Can Be Easily Bypassed (softpedia.com) · · Score: 1

    All of these things can totally be avoided if you do your job carefully and methodically. e.g. maybe change the IP address of the server after launching your DDoS mitigation service, oh look, now half that list is moot.

    One "hole" that they missed is that a lot of sites send confirmation emails when creating an account, and that can reveal the IP in the email headers.

  19. Re:Email Headers on Cloud DDoS Mitigation Services Can Be Easily Bypassed (softpedia.com) · · Score: 1

    One other detection method not specifically called out is via email headers. Often times automated emails are sent from the same origin IP (not always, of course). Even if the email is routed through an email service before delivery, you can still see the origin in the full header.

    Dang, you beat me to it. :)

    I posted a slightly longer explanation, but yes, you are exactly right. Email confirmation messages can reveal the IP.

  20. This is true, plus on they missed on Cloud DDoS Mitigation Services Can Be Easily Bypassed (softpedia.com) · · Score: 1

    All of what they described is true, plus one that they didn't cover explicitly.

    Even if you have your site behind something like cloudflare, if you allow people to sign up for an account and your site sends a confirmation email, that email can reveal the source IP.

    I've experienced this with one of my sites that had became somewhat popular. The owner of a competing site got his panties in a twist over the fact that my site was doing better and he started to DDOS my site. I changed the IP of my site and put it behind cloudflare, which worked fine- it totally mitigated the attack.

    But...when you sign up to the site it sends a confirmation email to the user...and the headers in that email contain the IP that the site is currently sitting on. For a few days I worried that this scum-sucking asswipe would figure that out and begin his attack again but he apparently he lacked the brain power to realize he could find the IP that way.

    The only way to get around this would be to have the target site route the outgoing mail through another IP or domain to mask its actual origin. I don't know if cloudflare has added some mechanism to do this or not, but confirmation emails are potentially a big hole in the service, and I'd guess that it's true of all such services similar to cloudflare.

    FWIW, I recommend cloudflare for this kind of thing as well as general traffic management and mitigation of malicious probers, bots, and similar problems. Using cloudflare in conjunction with a bot-screening service like StopForumSpam or BotScout can stop a lot of this kind of shit dead in its tracks.

  21. Re:Big Sister is watching on There Is No .bro In Brotli: Google/Mozilla Engineers Nix File Type As Offensive · · Score: 3, Funny

    I propose .cnt for the new extension.

  22. Re:Big Sister is watching on There Is No .bro In Brotli: Google/Mozilla Engineers Nix File Type As Offensive · · Score: 4, Insightful

    I wish the dried up crones working in tech could get bent an loosen up a bit. This type of loser catering is about offending the majority to preserve the feelings of the minority / mentally disabled.

    Yep, it's SJW's to the rescue, the perpetually offended casting about for anything to get their XXXX-Large sized panties in a twist over.

    Seriously, when they start complaining about files extensions, my response is simply, "FUCK OFF!"

  23. Re:Posting Anonymous Coward on See the Sketches J.R.R. Tolkien Used To Build Middle-Earth (wired.com) · · Score: 1

    at 33 13/rpm .... >pop<
    at 33 13/rpm .... >pop<
    at 33 13/rpm .... >pop<
    at 33 13/rpm .... >pop<

    But notice how warm and rich the 'pops' are! Can't do that with a CD, now can ya? ;)

  24. Re:Posting Anonymous Coward on See the Sketches J.R.R. Tolkien Used To Build Middle-Earth (wired.com) · · Score: 0

    Why are these articles being posted? This is not tech news.

    Agreed. This is just filler and fanboy crap. WHAT DOES THIS HAVE TO DO WITH TECHNOLOGY?

    Fucking thing was drawn with a crayon, what does this have to do with anything related to technology?

  25. Stuff that matters on See the Sketches J.R.R. Tolkien Used To Build Middle-Earth (wired.com) · · Score: 1, Funny

    "Stuff that matters"....indeed.

    I could have sworn this was a site about technology at one time....

    What's next, a review of Bristol Palin's Wordpress blog?