Updates

  • John Walker posted an update in the group Updates 14 hours, 9 minutes ago

    2018 October 18

    Researching approaches to mitigation of login storm denial of
    service attacks brings home just how idiotic the PHP-FPM
    architecture is for a Web application such as WordPress.  The
    most obvious approach to blocking login storms is that used by
    timesharing systems since time immemorial: introducing a delay,
    say five or ten seconds, after login attempts which failed due
    to a bad user ID or password.  (Often, the delay is only imposed
    after a number of failed login attempts.  This is easy to do in
    a timesharing system but more challenging in WordPress where
    requests are…

  • John Walker posted an update in the group Updates 1 day, 14 hours ago

    2018 October 17

    Well, as of 11:42 UTC the denial of service/login crack attacker
    seems to have given up or at least taken a break.  This is after
    a total of 20326 packets dropped by the firewall.  I'm going to
    leave the block in place just in case he comes back.  This is
    now almost ten times as intense as any denial of service attack
    we've experienced since the site was launched.
    
  • John Walker posted an update in the group Updates 2 days, 14 hours ago

    2018 October 16

    The available memory warning installed on 2018-10-11 sprung for
    the first time, reporting free memory of 1412804, below our
    threshold of 1500000.  Looking at the log, it turns out we were
    under a denial of service / password cracking attack from
    179.60.146.13, which the whois information places in the UK,
    although the country code in the domain registration is "SE"
    (Sweden). I firewalled the IP address which, of course,
    continues to bang on the door.  I'll watch the trend in
    available memory to see if it recovers normally as processes
    time out and kill themselves.
    
    I…

  • John Walker posted an update in the group Updates 5 days, 14 hours ago

    2018 October 13

    The Really Simple SSL 3.1.1 update doesn't appear to have broken
    anything, so I committed the changes (Build 209).
    
    The Plugins Garbage Collector plug-in was originally installed
    on 2017-12-25.  It is supposed to scan the database and allow
    you to clean up tables orphaned by deactivated and deleted
    plug-ins, but it works so poorly and is so hideously dangerous
    it has been deactivated almost all the time since installation
    except when it was activated briefly on 2017-04-26 and reported
    nothing to do.  Now that we know how to clean up debris left
    around by deleted…

  • John Walker posted an update in the group Updates 6 days, 14 hours ago

    2018 October 12

    Today, at 13:00 UTC, the probe I put in on 2018-09-24 to dump
    comments considered spam by Akismet sprung.  Akismet used to
    have a test page which let you experiment with whether comments
    would be bounced, but in the interest of total opacity this has
    now been discontinued, so there's no easy way to determine why
    it thought a comment was spam.  It must have been the content,
    since the commenter is a user who has been a member for 182
    days, was using the same account and IP address, and has never
    had a comment bounced before.  If I had to guess (and I have to,
    since…

  • John Walker posted an update in the group Updates 1 week ago

    2018 October 11

    Published the Build 208 changes (clock in the administration
    toolbar) to GitHub.
    

    Added a CRON job: /server/cron/watchMem.pl which runs every 10 minutes at 3 minutes into the 10 and checks the "avail Mem" (available physical memory) field from "top". If it's less than the $DANGER threshold (defined within the program), output is generated consisting of a warning message followed by a run of top in batch mode with the "-o %MEM" option, which sorts in descending order by memory usage. The goal is to provide warning for and help track down the cause of incipient…
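
The check described above, as an added example in POSIX shell rather than the site's own Perl script (which the page only describes): it parses the "avail Mem" field from top's summary header, compares it with a DANGER threshold, and on danger prints a warning followed by top sorted by memory use. The sample top header is constructed here so the parser can be exercised offline; it assumes procps-ng top reporting in KiB.

```shell
#!/bin/sh
# Added example in POSIX shell, not the site's /server/cron/watchMem.pl
# (which the page only describes). Same idea: read top once in batch mode,
# pull the "avail Mem" figure from its summary header, compare it with a
# DANGER threshold and, when below it, warn and list the memory hogs.
# The 1500000 KiB threshold mirrors the figure quoted on 2018-10-16.
DANGER=1500000

# Print the "avail Mem" value (KiB) from a top summary header read on
# stdin. procps-ng puts it at the end of the "KiB Swap:" line, e.g.
#   KiB Swap:  2097148 total,  2097148 free,  0 used.  1412804 avail Mem
avail_mem_kb() {
    awk '/avail Mem/ { for (i = 1; i <= NF; i++) if ($i == "avail") print $(i - 1) }'
}

# Exit status 0 when available memory ($1) is at or above the threshold
# ($2), 1 when it is below; both values in KiB.
check_threshold() {
    [ "$1" -ge "$2" ]
}

# The live check: sample top, parse, and on danger emit a warning followed
# by top sorted in descending order by memory use (-o %MEM).
watch_mem() {
    avail=$(top -bn1 | avail_mem_kb)
    if [ -z "$avail" ]; then
        echo "watchMem: could not parse avail Mem from top" >&2
        return 2
    fi
    if check_threshold "$avail" "$DANGER"; then
        return 0
    fi
    echo "WARNING: avail Mem $avail KiB is below the $DANGER KiB threshold"
    top -bn1 -o %MEM | head -n 25
    return 1
}

# Constructed sample header for exercising the parser offline (not real
# output from the site's server).
SAMPLE_TOP='top - 13:03:01 up 9 days,  2 users,  load average: 0.41, 0.38, 0.30
KiB Mem :  4039396 total,  1412804 free,  1605324 used,  1021268 buff/cache
KiB Swap:  2097148 total,  2097148 free,        0 used.  1412804 avail Mem'

# Run the live check only when asked, so the file can be sourced for tests
# on machines without top.
if [ "${WATCHMEM_LIVE:-0}" = 1 ]; then
    watch_mem
fi
```

Installed under cron with WATCHMEM_LIVE=1, a non-zero exit and the printed process list give the same early warning the update describes.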

  • John Walker posted an update in the group Updates 1 week, 1 day ago

    2018 October 10

    Around 09:15 UTC on 2018-10-10 we started to get 500 errors due
    to "Out of memory" from PHP-FPM.  This is probably due to a
    denial of service attack which I will investigate once I'm done
    putting out other fires.  I restarted php-fpm and it's running
    fine now with 2865760 free memory (was less than 2500 during the
    500 errors).
    
    Examined the log around the 500 errors and found no obvious
    denial of service attack.  We'd only been up 9 days since the last
    reboot, so it may be there's something in there that's causing
    PHP-FPM to leak memory faster than it usually does.…

  • John Walker posted an update in the group Updates 1 week, 2 days ago

    2018 October 9

    Implemented an experimental clock which displays in the
    administration toolbar at the top of the page (but not in
    administration pages, where our local styles and JavaScript are
    not loaded).  The code to generate the toolbar is emitted by a
    new function rb_add_clock_toolbar_menu() in:
        ~/theme/functions.php
    which patches it into the admin_bar_menu at priority level 95,
    which makes it appear to the left of the notification bubble.
    The generated code executes a JavaScript function,
    RB_wind_clock() in ~/theme/js/functions.js, which calls
    RB_update_clock() to edit the…

  • John Walker posted an update in the group Updates 1 week, 4 days ago

    2018 October 7

    Committed the change to .htaccess from 2018-10-02 to block
    access to ~/rb/xmlrpc.php (Build 207).  It seems to be blocking
    password guessing attacks as intended with no deleterious
    consequences.  Published Builds 206 and 207 to GitHub.
    
  • John Walker posted an update in the group Updates 2 weeks, 2 days ago

    2018 October 2

    Enough is enough.  These xmlrpc.php attackers are getting on my
    nerves: there was another overnight from Portugal with 983
    hits.  I firewalled that one, but manually plugging each leak
    isn't going to work.  I added:
        <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
        Allow from REDACTED
        </Files>
    to ~/rb/.htaccess, which will whack these guys with a 403, log
    the attempt, and keep them from getting further into the
    server.  Whether this will deter them from mindlessly pounding
    on the door remains to be seen.
    

    Note that disabling xmlrpc.php also blocks…
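
Once the block above is in place, each attempt shows up in the Apache access log as a 403 on /xmlrpc.php. The following is an added example, not the site's own code, that summarises those entries per client IP so a persistent source (like the 983-hit overnight run mentioned above) stands out from stray probes; the log lines are constructed for the example and use documentation addresses.

```shell
#!/bin/sh
# Added example: count 403'd xmlrpc.php attempts per client IP from an
# Apache combined-format access log. Sample lines are constructed, not
# taken from the site's logs.
ACCESS_LOG_SAMPLE='203.0.113.7 - - [02/Oct/2018:03:14:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2018:03:14:08 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2018:03:20:41 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Oct/2018:03:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Oct/2018:03:21:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin and print "count ip" for every client
# that received a 403 on /xmlrpc.php, most frequent first. In the combined
# format $1 is the client IP, $7 the request path and $9 the status code.
xmlrpc_403_by_ip() {
    awk '$7 == "/xmlrpc.php" && $9 == 403 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs whose count meets the threshold given as $1, i.e. the
# sources behaving like a login storm rather than a one-off probe.
storm_sources() {
    xmlrpc_403_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Typical use against the live log:
#   storm_sources 100 < /var/log/apache2/access.log
```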

  • John Walker posted an update in the group Updates 2 weeks, 3 days ago

    2018 October 1

    I'm finished.  I hereby acknowledge defeat, and I quit.
    
        A man's not finished when he's defeated; he's finished when
        he quits.
            -- Richard M. Nixon, Remarks to reporters 1960-11-11
    
    There is simply no way to achieve the reasonable goal of making
    the home page display posts based on age rather than a fixed
    number of posts without massive surgery in the tangled and
    putrescent guts of WordPress and local code all over the place
    which will create a maintenance burden until the end of time
    with which I cannot responsibly burden future maintainers of
    this…

    • Good choices. Thanks again, very much. Your work on our behalf is keeping the fun in Ratburger.org.

  • John Walker posted an update in the group Updates 2 weeks, 4 days ago

    2018 September 30

    CometChat is coming up for renewal in December, and they've
    bumped up their initial bait subscription prices to something
    that's unjustified by our use of the service (nil) and its
    quality (the last five updates have failed to install).  Time to
    get rid of this. Note that since this is proprietary software,
    it has never been included in the GitHub repository, so it can
    be deleted purely on the server.  It looks like what we need to
    delete is:
        ~/plug/cometchat        # BuddyPress plug-in integration
        ~/rb/cometchat          # Main application
    We also need to…

    • Um, OK

    • The goal is not that everybody (or anybody) understands it, but that every change to the site be documented in detail on the date that it is made. This is not only important to users who wonder “what changed” (for example, today, what happened to the chat room?), but also developers, down the line, who need to understand how the site came to be what it is.

      A site without a development log is a site without a future. A site without a public development log is not oriented toward customers, whether or not any of them ever read it.

    • I understand John. I kid because I love.

  • John Walker posted an update in the group Updates 2 weeks, 5 days ago

    2018 September 29

    Looking deeper into yesterday's stack trace, at:
        #4 wp-content/themes/ratburger_devel/index.php(39): get_template_part
    the list of posts to be displayed has already been prepared.
    

    Where does this happen? My guess is in #6: wp-blog-header.php
    where at line 16 there's a call:
        // Set up the WordPress query.
        wp();

    That's another rabbit hole into which to descend.

    To track down where all of these calls on WP_Query are coming from, I put a dump of the query string near the top of the function get_posts() in WP_Query (not to be confused with the eponymous…

    • I enjoyed reading this update. I liked the line, “As you pursue this quest, pilgrim, you’ll eventually arrive at”

  • John Walker posted an update in the group Updates 2 weeks, 6 days ago

    2018 September 28

    Another Russian spammer showed up in the Allow Request list with
    an IP from "Amsterdam Residential Television and Internet" with
    IP block 212.92.121.0/24.  This is about the tenth time we've
    seen spam from this source.  I firewalled and blacklisted the
    whole Class C.
    
    The "Recent Posts" widget in the sidebar defined "recent" based
    on a number of posts, not their actual age.  In cases where a
    flurry of "Tweet and chat" posts pop up, this may cause posts to
    scroll off the Recent Posts list even though they are less than
    a day old.  I added code to:…

    • Thank you.
      Is there a minimum in the code? If only one post is posted in 36 hours does only one post show up?

    • The change is from a count of posts to a time. My understanding is that “recent” means time, not a number of posts. If we’ve only had one post in 36 hours, we might as well hang it up.

      People who desire more complicated definitions of “recent” are invited to code them from the source code published on GitHub and submit the changes for integration.

  • John Walker posted an update in the group Updates 3 weeks, 1 day ago

    2018 September 26

    Went ahead and committed the changes to:
        ~/plug/akismet/class.akismet.php
    from 2018-09-24.  Even though the trap hasn't sprung for a spam
    detection, it doesn't seem to have broken anything else and the
    previous code was obviously wrong.  I don't want to carry this
    around as an un-committed change while I'm applying other
    updates (Build 203).
    
    Installed the version 4.46 update to the User Role Editor
    plug-in.  This is a minor update which shouldn't affect anything
    we use.  There is one change which is so "WordPressy" I just
    have to cite it verbatim:
    
      Update:…

  • John Walker posted an update in the group Updates 3 weeks, 3 days ago

    2018 September 24

    Last night we got another comment bounced by Akismet.  This
    shouldn't have happened because of the code we added on
    2018-08-10 to ~/plug/akismet/class.akismet.php to skip the
    Akismet comment test if the author has been a member for more
    than 7 days.  In this case the user had been a member since
    2017-12-14, so the test shouldn't have ever been applied.  Well,
    it turns out that the local code I added for this test was
    checking the response from the
    do_action('akismet_comment_check_response') call as
    $commentdata['akismet_result'] before the $result[1] field from
    the…

  • John Walker posted an update in the group Updates 4 weeks ago

    2018 September 20

    The "ready, fire, aim" crowd at UpdraftPlus have released an
    update, version 1.15.2, to their plug-in consisting of "fixes"
    and "tweaks" to the 1.15.0 release we installed on 2018-09-14.
    These involved modifying 94 files, deleting 5 existing files,
    and adding 10 new files.  Most of the changes were to silly
    features which we don't use.  We have no local code in this
    plug-in. As always, I'll defer committing the changes until it
    successfully runs the next scheduled backup.
    
    On 2018-09-09, I added a work-around for the nincompoop design
    in which Private is a post…

  • John Walker posted an update in the group Updates 1 month ago

    2018 September 18

    Updated the WP-UserOnline plug-in to version 2.87.2.  This is an
    utterly trivial update which corrects a few matters in the
    administration page.  We have no local code in this plug-in and
    never encountered any of the problems these fixes are intended
    to correct.  Committed the changes (Build 200) and published to
    GitHub.
    
  • John Walker posted an update in the group Updates 1 month ago

    2018 September 16

    The "Use of undefined constant DB_USER..." message I discussed
    yesterday turns out not to be a quoting error in the code but
    rather an indirect symptom of some script kiddie trying to
    attack the site by executing the WordPress new installation
    script.  You can reproduce the error with the request:
        .https://www.ratburger.org/wp-admin/setup-config.php
    This returns an error, "The file wp-config.php already exists.",
    so no harm is done.  To further deter crackers and let them know
    we run a tight ship, I changed permissions:
        cd ~/rb/wp-admin
        chmod 600…