Uncomplicated Firewall (UFW) is not blocking anything

I inserted a rule into UFW to block an IP, yet the logs still show that IP as ALLOWED. I’m not sure UFW is working. I’m puzzled that UFW shows a blocked IP being allowed in. Is UFW blocking at all?

You will need iftop. If you are using Ubuntu (24.04 or 22), just run: apt install iftop

UFW has a weird way of logging and, in my opinion, in spite of the name, the logging is confusing and makes it damn hard to monitor threats.

One thing I notice with UFW is that, after blocking an IP or a range of IPs using /24, the logs continue to show ALLOW DPT=XXXX for that IP. You scratch your head wondering whether UFW is working at all: the logs show ALLOW for the IP xxx.xxx.xxx.xxx, yet I blocked that IP, and the UFW (uncomplicated firewall) logs continue to show ALLOW for it.

Once you understand how UFW logging works, it makes sense: when UFW logs ALLOW it only means the packet hit a port you opened in the firewall rules, for example with ufw allow 80,443/tcp. So UFW is telling you that the IP, even though blocked, is trying to access a port you opened such as 80 or 443. What UFW should say in the logs is something like BLOCKED denied IP to ALLOWED port xxxx when logging is enabled. Hey, whatever.

When you block an IP from an open (allowed) port and want UFW to log that IP’s attempts to reach the open port, use the following command:

ufw insert 1 deny log from 80.94.95.239 comment "BAD person"

Note the word “log”. Now, when the blocked IP tries to access the allowed port, you will see UFW BLOCK for that IP address in the logs.

Using the above method instructs UFW to write UFW BLOCK to the logs. It’s a great help when debugging and looking for suspicious activity.
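As an added example (not part of the original post), the Python script below parses the lines UFW writes to the kernel log, tallies per source address how many ALLOW and BLOCK entries were logged and on which destination ports, and builds the insert 1 deny log from … rule recommended above after validating the address or CIDR block. The log lines are constructed samples using RFC 5737 test addresses, not traffic from the author’s server.

```python
"""Tally UFW log verdicts per source address (added example, not from the post).

UFW writes kernel log lines of the form
    ... kernel: [UFW ALLOW] IN=eth0 OUT= SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=443 ...
A rule added with "deny log" produces "[UFW BLOCK]" lines; a plain "deny" rule
produces nothing, so seeing only ALLOW entries for an address does not by itself
mean the deny rule is not working.
"""
import ipaddress
import re

# "[UFW <ACTION>] <key>=<value> ..."; LIMIT BLOCK and AUDIT are the other actions UFW emits
UFW_LINE = re.compile(r"\[UFW (?P<action>ALLOW|BLOCK|LIMIT BLOCK|AUDIT)\]\s+(?P<fields>.*)$")
FIELD = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")

# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
Jan  6 10:15:01 mail kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0
Jan  6 10:15:03 mail kernel: [UFW ALLOW] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=64240 SYN URGP=0
Jan  6 10:16:10 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51300 DPT=443 WINDOW=64240 SYN URGP=0
Jan  6 10:16:12 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=51301 DPT=25 WINDOW=64240 SYN URGP=0
Jan  6 10:17:00 mail kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TTL=60 ID=5 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 SYN URGP=0
Jan  6 10:17:05 mail sshd[1234]: Accepted publickey for jeff from 192.0.2.9 port 40000 ssh2
"""


def parse_line(line):
    """Return (action, {key: value}) for a UFW log line, or None for any other line."""
    m = UFW_LINE.search(line)
    if m is None:
        return None
    fields = {f.group("key"): f.group("value") for f in FIELD.finditer(m.group("fields"))}
    return m.group("action"), fields


def tally(log_text):
    """Build {src: {action: {dpt: count}}} from a block of log text.

    ICMP entries carry no DPT; they are counted under the port "-".
    """
    per_src = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, fields = parsed
        src = fields.get("SRC")
        if not src:
            continue
        ports = per_src.setdefault(src, {}).setdefault(action, {})
        dpt = fields.get("DPT", "-")
        ports[dpt] = ports.get(dpt, 0) + 1
    return per_src


def block_logged(per_src, src):
    """True if at least one BLOCK (or LIMIT BLOCK) entry was logged for src."""
    actions = per_src.get(src, {})
    return "BLOCK" in actions or "LIMIT BLOCK" in actions


def deny_log_rule(target, comment):
    """Return the 'insert 1 deny log from ...' command the post recommends.

    target is validated as an IPv4/IPv6 address or CIDR block first, so a
    mistyped range is rejected here instead of silently landing in the rule set.
    """
    net = ipaddress.ip_network(target, strict=False)
    text = str(net.network_address) if net.num_addresses == 1 else str(net)
    return f'ufw insert 1 deny log from {text} comment "{comment}"'


def report(per_src):
    """One line per source address, e.g. '203.0.113.45  ALLOW 443x2  BLOCK 25x1,443x1'."""
    lines = []
    for src in sorted(per_src):
        parts = []
        for action in sorted(per_src[src]):
            hits = ",".join(f"{p}x{n}" for p, n in sorted(per_src[src][action].items()))
            parts.append(f"{action} {hits}")
        lines.append(f"{src}  " + "  ".join(parts))
    return lines


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    for line in report(counts):
        print(line)
    print(deny_log_rule("203.0.113.45", "Annoying bot"))
```

On a live system, feed it the output of journalctl -k or the contents of /var/log/ufw.log instead of SAMPLE_LOG.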

More examples of having UFW “log” a BLOCK for IP addresses attempting to access ports you have opened for a web or mail server:

ufw insert 1 deny log from 80.94.95.239 comment "Annoying bot"
ufw insert 1 reject log from 80.94.95.239 comment "BAD person"
ufw insert 1 deny log from 80.94.95.0/24 comment "Lots of bad bots"
ufw insert 1 deny log from 80.94.95.239

Always use insert 1 for these rules. That places them above your allowed ports such as http, https, smtp (80, 443, 22, 25 and so on). You can use any number in the “insert”, as long as it is lower than the position of the port rule you want to block the IP from. For example, if port 443 is at position 75 in the firewall list and you want to block an IP from https, then insert 74 would place the block rule above https and successfully block it. But that’s not a good idea; you’re leaving yourself exposed to human error, hence it is best to use insert 1. It saves time and reduces the likelihood of error.

For more peace of mind, to assure yourself you have indeed blocked the bad IP address, you can use iftop. If you are using Ubuntu and don’t have iftop installed, just run: apt install iftop. iftop is an excellent piece of software for Linux systems. It monitors inbound and outbound traffic for every IP address connected to your server and shows which port each connection is on.

iftop displays all connections to your server, showing both inbound and outbound traffic, and it has options to display source and destination ports. When iftop shows data coming in and no data going out, it means that source IP address is either blocked by the firewall or is connecting to a port that is closed or not served by any software on your server. You can even filter which ports iftop displays.

For example, if you just want to monitor SSH traffic, press “l” (lowercase L), then type ssh followed by Enter, and iftop displays only connections to port 22. If you run SSH on another port, enter that port number instead of “ssh”.

After blocking an IP address with your firewall (UFW), open iftop and monitor that IP address’s outbound traffic. Within about 40 seconds it will begin to display 0 for outbound. Don’t be overly concerned about still seeing inbound traffic; it just means the bot or human hasn’t figured out you blocked it. The inbound traffic means it’s trying to communicate with your server, for example Apache, mail or SSH. The fact that no traffic is going out means the communications sent by the blocked IP address are not being received by your web server (Apache, for example). UFW, your firewall, is doing its job and protecting your server by blocking that IP address.

I currently have a pesky Brazilian hacker coming into my site on port 443 (https) from multiple IP addresses. He pounds my server with around 3,000 hits per hour for several hours a day. It soon became clear this is no ordinary person. I believe the attack is coming from the Brazilian government, a private organisation or an organised crime syndicate. The reason I wonder this is that the attack comes from tens of thousands of Brazilian servers. Quite a claim for me to make, but Brazil is a poor country and an individual could not possibly own tens of thousands of servers. Unless he or she is a very smart hacker taking control of them. Or he’s quite stupid. Or, what is his interest in my server? Why is it so important that he break in? The perseverance is so strong and mind blowing. He comes in daily with 1024 different IP addresses and, when blocked, the following day with another 1024 servers. It’s like he owns Brazil!

This has been going on since December 6th 2024 and today, January 6th 2025, he, or the organisation, has become more desperate over the past 24 hours. After I block the 1024 servers, he comes in again a couple of hours later with another 1024 servers. During the past 24 hours he has come in from over 8,000 servers. It’s like this dude is very desperate and seemingly has deep pockets of cash or has control of Brazil. What the hell is on my server that could be of interest? The server he attacks is nothing more than a mail server. No secrets on there, no customer user database, nothing of value to anyone except me.

I have 3 servers; they are attacking one, the mail server. Unknown to them, their IP addresses are instantly sent to the other 2 servers to add to the firewall block list. It appears, for now, that this server of mine is more than a mail server: it’s now harvesting the IP addresses of the Brazilian attackers and sharing that data with my other servers.

He, or the organisation, is so bad that special software was written to auto-detect the attack within seconds and auto-block it.

These are the steps to follow before you block an IP or IP range with UFW (uncomplicated firewall); if you follow them they will give you peace of mind.

In my example we are going to first monitor port 443 (https) to see if Apache is responding to the pest from Brazil.

  1. Run iftop.
  2. Press “p”, which displays the PORTS accessed on your server.
  3. Press “l” (lowercase L).
  4. Type http, then press Enter; this filters the display to port 443 (https) only.
  5. You will see the pest attacking or probing the https port.
  6. Monitor the “outgoing traffic” for the IP, not the incoming traffic.
  7. You will see Apache responding with data going out, which means the IP is not blocked by UFW.
  8. This means the IP is allowed and Apache responds as one expects.
  9. Now press n to display their IP address rather than the DNS name; some hide the IP behind a name like 123-123-123-123.somebraindead.br and you are fooled into thinking the 123 is their IP.
  10. Copy the IP address from iftop.
  11. Press Ctrl-C to exit iftop.
  12. Now type:
  13. ufw insert 1 deny from xxx.xxx.xxx.xxx comment "Pesty Brazilian"
  14. Now go back into iftop.
  15. While monitoring iftop you will see that there is NO outbound traffic to the blocked IP address.
  16. This means UFW has indeed blocked that IP address, even though the UFW logs will still show ALLOW DPT=443 for the blocked IP. Remember, as mentioned earlier, if you want UFW to log that an IP is being blocked you must include log in the rule: ufw insert 1 deny log from xxx.xxx.xxx.xxx comment "BOT or Individual hacker" or, to block 256 addresses in one go, ufw insert 1 deny log from xxx.xxx.xxx.0/24 comment "BOT or Individual hacker".

You would do the same for your mail server or SSH server when you are unsure whether UFW is actually blocking. Using iftop alongside UFW helps you monitor the activity: if iftop shows no data going out, UFW is working; if data is going out, something is wrong: UFW is not working, or the block rule you gave UFW is incorrect or was not inserted at the top of the list. Remember step 3 above, where you pressed “l” (lowercase L) and typed http; if you had a pest on port 22 (ssh) you would type ssh or 22 instead.

Keep in mind: don’t trust all of the data you see in the UFW logs. Your best friend is iftop, which tells you IF and WHAT traffic is coming IN or going OUT of your server, and to WHOM, that is, which remote IP address.

My advice is to use DENY in UFW and not REJECT. From experience, I find that when you DENY, which is “silence is golden”, the pesky IP goes away, and when you use REJECT they continue to pound your server like a randy dog. Using DENY, your server gives no response at all when they come. Think of it this way.

“DENY”: someone knocks at the door of your home and you keep very quiet, don’t respond and wait for them to go away. They have no idea whether you are home or not. That’s what DENY is on a UFW firewall. They have no idea whether there is a server there or not... unless your server responds to a PING request 😉

“REJECT”: someone comes to your home knocking and you scream out “Go away you moron!”, so they know you are there. If you REJECT with UFW, the pesky hacker is 100% sure there is a server there and will keep on returning.

To the UFW creators: great firewall, but the logs are pretty weak, and I’m being polite! Try showing in the logs, for example, that port 80 is open (allowed) and the banned IP was BLOCKED. Easy as spreading butter on bread!

Written by Jeff, AKA pirate ms Bonny!

How to display Hologram Texture Above a Prim

Creating a hologram image above a prim is a very easy thing to do and doesn’t require a timer event.

  1. Rez a prim
  2. Create an LSL script inside the prim
  3. Edit the script and paste in the following code
  4. Compile / save the script
  5. Place a texture into the prim

The script will use the texture and display it above the prim as a hologram. Why use a hologram? A hologram texture above a prim will allow it to be seen by other avatars from any angle.

LSL is Linden Lab’s Second Life scripting language and can also be used on OpenSim grids such as OSgrid and Kitely.

// OFFSET is the distance above / below the object generating the hologram.
// Adjust this to suit.
float OFFSET = 1.0;

// The width of the hologram :)
// For a square image set Width and Height to the same value,
// because LSL has no method to read the dimensions of an image
// and set this automatically at this time.
float Width = 0.55;
// The height of the hologram
float Height = 1.85;

/*
There are 2 ways to supply the texture for the hologram:
1) Place the texture inside the object
2) Use the UUID of the texture from your inventory
If you choose the UUID method it can be seen only within your grid.
*/

// If you know the UUID (for this grid only):
// string Texture = "69064cf6-155d-4a46-9c3a-c01f58639238";

// Replace TEXTURE NAME with the name of the texture inside the prim
string Texture = "TEXTURE NAME";

DISPLAY_HOLOGRAM()
{
    integer Count;
    // Texture used for this display. Starting from the configured value on
    // every call means adding or removing a texture is picked up each time.
    string UseTexture = Texture;

    // If the texture name was left at its default, use the first texture
    // found in the object's inventory.
    if (UseTexture == "TEXTURE NAME")
    {
        llSetText("", <1.0, 1.0, 1.0>, 0.0);
        Count = llGetInventoryNumber(INVENTORY_TEXTURE);
        if (Count > 0)
        {
            UseTexture = llGetInventoryName(INVENTORY_TEXTURE, 0);
        }
        else
        {
            // Nothing to show: say so in hover text and stop any old particles
            llSetText("No Texture inside me", <1.0, 1.0, 1.0>, 1.0);
            llParticleSystem([]);
            return;
        }
    }

    // A non-moving particle emitted OFFSET metres from the prim,
    // textured with the image, gives the hologram effect.
    llParticleSystem([
        PSYS_PART_FLAGS, PSYS_PART_INTERP_COLOR_MASK,
        PSYS_SRC_PATTERN, PSYS_SRC_PATTERN_ANGLE,
        PSYS_PART_START_ALPHA, 0.50,
        PSYS_PART_END_ALPHA, 0.50,
        PSYS_PART_START_COLOR, <1.0, 1.0, 1.0>,
        PSYS_PART_END_COLOR, <1.0, 1.0, 1.0>,
        PSYS_PART_START_SCALE, <Width, Height, 0.00>,
        PSYS_PART_END_SCALE, <Width, Height, 0.00>,
        PSYS_PART_MAX_AGE, 1.20,
        PSYS_SRC_MAX_AGE, 0.00,
        PSYS_SRC_ACCEL, <0.0, 0.0, 0.0>,
        PSYS_SRC_ANGLE_BEGIN, 0.00,
        PSYS_SRC_ANGLE_END, 0.00,
        PSYS_SRC_BURST_PART_COUNT, 4,
        PSYS_SRC_BURST_RADIUS, OFFSET,
        PSYS_SRC_BURST_RATE, 0.10,
        PSYS_SRC_BURST_SPEED_MIN, 0.00,
        PSYS_SRC_BURST_SPEED_MAX, 0.00,
        PSYS_SRC_OMEGA, <0.00, 0.00, 0.00>,
        PSYS_SRC_TEXTURE, UseTexture]);
}

default
{
    changed(integer change)
    {
        // Update the hologram image when you add or remove an image
        if (change & CHANGED_INVENTORY) DISPLAY_HOLOGRAM();
    }

    on_rez(integer i)
    {
        // When the object is rezzed, display it
        DISPLAY_HOLOGRAM();
    }

    state_entry()
    {
        // When you compile the script, display it
        DISPLAY_HOLOGRAM();
    }
}

effethemes.com silently pestering your server from Brazil

Trojan Alert: effethemes.com (Brazilian server) WordPress themes contain a trojan. The definition of a trojan is a piece of code that does something malicious. The theme links your site to thousands of BR hacker scanner sites that scan/probe your server thousands of times an hour. In effect it is a low-grade Brazilian DoS attack.

With any claim, just like reporting a bug, I need to provide data that enables anyone to replicate my findings.

If you’re using Ubuntu you will need iftop. If you don’t have it, run: apt install iftop

  1. First run iftop.
  2. While it is running, press “p” for the ports display, then “l” (lowercase L), type http and press Enter.
  3. Monitor who’s connecting to https.
  4. Install the WordPress theme Zummo Prime by Effe Themes.
  5. Activate it, if you dare!
  6. While using iftop, monitor what’s happening to your https connections.

Within 24 hours you will see multiple connections to your https from the IP ranges listed below, all of which come from BR (Brazil) and, you will notice, the creator of Zummo Prime by Effe Themes is also Brazilian (BR).

Note: Apache will not log anything about this, even with debug activated (I find Apache is lacking in log data, making it very hard for a webmaster to monitor suspicious activity).

Below is the list of Brazilian IP ranges that started hitting my web server non-stop with 160 to 240 hits per hour. They come from multiple IP addresses spread over a number of ranges and, after you block them, come in the next day with new IP addresses.

I’ve made it easy for you and listed all of the addresses collected so far in 2 sections: section 1 in bare format and section 2 already formatted, nice and easy to copy and paste into your UFW firewall.

The list is updated daily (last update January 6th 2025, Australian EST). For obvious reasons I can’t disclose how they are auto-detected by my servers and immediately blocked via the firewall. For now, let’s just say they’re not a smart bunch.

Section 1 – Bare listing of BR IP addresses (Brazil)


Section 2 – Ready to go formatted for UFW firewall of BR IP addresses

Brazilian hacker dumb enough to walk off a cliff

Best to use DENY. The Brazilians are not the full quid. Even while blocked they still come for several hours. A smart hacker’s code knows it’s blocked and moves on to another target. I think these Brazilians would drive off a cliff even when there is a road block! (Maybe these hackers are government employees and, if so, that explains the lack of intelligence.)


I contacted the creator of the WordPress theme and received no response. When you don’t respond to me, that’s an admission of guilt and grants me permission to go public. If he had responded with an acceptable response you would not be seeing this.

Summing up, I like giving people the benefit of the doubt, and he may be unaware this is happening. It’s probable the server where he develops the theme has been hacked and his development code modified by hackers without his knowledge, and hence he is uploading the modified theme to WordPress for distribution. Should this be the case, it strongly suggests WordPress does not filter themes for malicious code!

Are you concerned about Edison Mail with what is being done with your password?

Is Edison Mail sharing my password and email address? Yes.
Who is Edison Mail sharing my password with? I’ll show you further down!
I’ve noticed someone logging into my email account and don’t know who. Are you using Edison Mail?
There are dozens of unauthorised logins to my mail server or email hosting provider. Have you installed Edison Mail?
I’ve noticed strange logins to multiple accounts. Do you use Edison Mail?

After installing Edison Mail on my Android phone it soon became evident something wasn’t quite right.

When you use an app or desktop software for email, you provide your email hosting details, password and email address, and then you read and send emails without any issues. The email app stores your login information on your device or computer. You don’t expect the app to take your password and login details, store them in a foreign country and use them itself.

After installing and configuring Edison Mail it didn’t take long to know something mysterious and unlawful was taking place with my email account and password. Edison sent a copy of my password, email address and contacts to their server and shared them with dozens of other servers based on AWS (Amazon servers leased to anyone). How do I know that happened? Read on.

Within a day multiple people from America were using my password to login to my email account and sifting through my inbox and sorting through who sent me the messages, who I sent messages to and so on.

As Edison Mail was the only app/software I had given my password to, I immediately stopped using it, removed the Edison Mail app and changed the password on my email account.

I monitored the mail server logs after changing the password to see whether the logs would then start displaying a password error. The logs began showing that logins from Edison servers were indeed failing on the password. I then configured the server for debug mode. In debug mode, when a person enters the wrong password, the mail server records the password that was provided in the logs. Sure enough, the Edison servers were sending the password I gave them during the setup process. Obviously the app needs the password so that the “App” can sign into my email account. The app didn’t say it would share my password for others to log into my account.

It is a breach of a person’s email provider terms to share their details and allow a third party to use them to log into the email account! You need to give the app your password, but you didn’t know the app was sharing your password with dozens of servers, in effect placing you in the position of breaching your email provider’s terms of use.

Edison Mail has made you breach the terms of service of your email service provider! Your TOS clearly state you are not allowed to share your details with a third party. Edison has transferred a copy of your password, without your knowledge and without your consent, to its servers and is using those details to log into your email provider or, worse, could be trying to log into other accounts you have that use your email address as the login. Hopefully you use a different password for each of your accounts.

I immediately blocked all IP addresses associated with Edison Mail and have gone back to using webmail.

I contacted Edison Mail about my concerns, demanding to know why they have my password and why they are logging into my email account and sifting through my personal correspondence. His response: it is needed for push notifications. What a load of bullshit. Logging into my account without my express permission did not make push notifications any better than any other app; in fact, it was slower. An email app, or any app, does not need to log into your email account from dozens of servers in America throughout the day for the purpose of push notifications. Perhaps Edison is a front for the US government to spy on your email communications, or is used by organised crime!

If you notice security breaches on any web accounts where you use your email address as the login, and you have Edison Mail on your PC or phone, you might want to consider changing all of your passwords, especially if you have not been prudent enough to use different passwords for different accounts.

If you find connections in your mail server logs from the IP addresses listed below, you will find they belong to Edison Mail. This business is logging into your email account dozens of times a day and sifting through your emails.

If you work for the military or a government department, or use email to communicate sensitive information, I strongly urge you to stop using Edison Mail and any mobile phone app for email communications. Ask yourself: would you give Edison Mail, a total stranger, the key to your home? Would you feel comfortable with them going through your personal belongings without your consent and knowledge? You’re allowing them to log into your email 24/7 and go through your private mail, images and videos sent and received.

List of the Edison Mail IP addresses logging into your email account

These are the known IP addresses of servers based in the United States where strangers to you are logging into your email provider sifting through your private correspondence.


Partnership

We will have partnerships enabled on the grid later this weekend. The web developer had a serious fall on Friday, resulting in injuries that require a few days of rest. Expect work to continue on Monday, including the addition of adding a partner to your avatar.

It will be an easy process: you add a partner, a request is sent to the other avatar, and once the other party accepts your proposal to be their virtual world partner it will be shown on your profile. Congratulations on your virtual marriage.

Don’t forget to visit other worlds such as OSgrid and Kitely, where you are able to obtain items for your inventory, your avatar and your land. Opensimworld is a great place for tips and tricks and for setting up OpenSim.

Change Avatar Name

Account management is fully operational. You’re now able to change your password, email and avatar name. No longer are you committed to an avatar name: at Jacobs Bonny Grid, Premium members are able to change the name of their avatar any time they choose.

Australian Politicians Little Foresight

The possibility of owning your own home in Australia has become just a dream. Today’s politicians lack foresight and need the balls to stand up to the UN. The Labor party, once the working class party, is no more, leaving many homeless, record numbers unable to buy a home and many more unable to even find a place to rent.

The UN should be held jointly accountable for the homelessness of Australian children, and for the physical and emotional abuse they suffer as a consequence of the family pressure to pay for a home, let alone get one. The Security Council is also partly responsible for the rising juvenile crime, a consequence of the family pressures of housing struggles. Today the UN are nothing more than dictators (do as we demand or suffer our wrath of economic disruption, which is abuse against children) and have laid the foundations for housing shortages in Australia. In my opinion, the Security Council think of themselves and their own countries before considering the consequences of their actions for the children of other countries.

Australia must stop taking in refugees until we have enough housing for our own people, our own children, our future generations. I’m sick to the stomach when I see a refugee driving a nice car and living in a lovely home financed by Australian taxpayers while an Australian family of 5 with 2 toddlers lives in a rust-bucket car because they can’t get a home. Because the selfish United Nations Security Council don’t care about Australian children!

The United Nations pressures us to fill our sinking ship with buckets of water. We don’t need the UN; they need us! They are a cancer to our country. Our government must start saying no whenever the UN pressures us to do things that have a negative impact on our people and our children. Charity starts at home, Australia! Grow a pair of balls!

You can own your own virtual reality land and home here at Jacobs grid. Join today, select your land and move in. No Australian politician can say that! Join today. When the population of this grid grows to the point that land availability begins to run low, we will stop taking in new members. Thank goodness the UN cannot put economic pressure on us for doing that! (tongue in cheek). This is an Australian-only grid. Nothing you can do about that UN, so suck my…… United Nations!

Sitemaps assist hackers

It didn’t take long to identify who gets the most benefit from web site sitemaps. It’s not you, and it’s not us. The sitemap.xml and sitemap.html are a primary target for the queen’s slave hackers that scout around the world 24/7 looking for sitemaps.

It became evident that Google had very little interest in the sitemap file. We set up 2 sites, one with a sitemap and the other with just a robots.txt. Both sites had identical content, and each was located on a separate server in a separate state. By identical content I mean one ran WordPress with a sitemap and the other had identical content but was not created using WordPress; it did, however, contain a fake WordPress login page, which I discuss later and which was used to spy on what the hackers were up to.

We found that within 12 hours the web site with the sitemap.xml was aggressively attacked by hackers from all over the globe, targeting dummy web pages we knew would interest hackers. One example: we created a fake wp-login.php that intercepted the data being sent by the hackers, namely the details the amateur hackers posted into the fake wp-login.php page. Unknown to the hackers, the fake page collected useful data from the amateur hacking attempts. The only response our page gave was….. no response at all. Meanwhile we gathered data: their location, the user names they posted, the passwords given and so on.

The web site without sitemap.xml and sitemap.html sat for a few days before the hackers came in for the kill.

Both sites listed equally in the Google search system.

Our conclusion: Google took very little interest in the sitemap, and a sitemap made no difference to search ranking. A sitemap serves no purpose other than providing a fantastic road map for hackers to quickly identify whether your web site would make a good target for aggressive attacks and, if so, what to target.

During our monitoring of hackers, sitemap.xml and WordPress, we noticed additional, unexpected things happening. Hackers would trawl the WordPress images, downloading all our content. It seems WordPress makes it very easy for hackers to scan through your content and clone and steal it.

On our other site, the one without WordPress or a sitemap, the hackers didn’t trawl and download the images. In fact, our content seemed very uninteresting to them, or maybe, because the hackers aren’t professionals, it was just too damn hard for them to scan the content, so they opted instead to target the WordPress site that puts everything out on a silver platter for them. That would require more research, which I will do after Xmas.

The PHP code used to intercept hackers’ login attempts and log the details they post.

This is a working sample in PHP that uses the JSON response from an ipinfo.io lookup to extract country, city, state and organisation information for a person’s (hacker’s) IP address and logs that data to a file. It is very useful for finding out what user name and password combinations hackers are using on your WordPress web site. Of course, it can be adapted to work on any platform.

After using the code I was surprised how close they were to knowing my user name. Close is not good enough, though, and shows hackers aren’t that smart. Unknown to the hackers, my password is 120 characters long and consists of random characters. So, even if they got my username correct, the Earth would no longer exist before brute force ever found the password.

<?php
/*
This is the code I placed into a fake wp-login.php page.
You can place it at the beginning of a real wp-login.php page
and record the posted login attempts made by hackers.

It can be used to see if they know your user name
and whether they are getting close to your password.
If you're smart and have a password consisting of random
characters and 20 or more long, don't worry: the
school girl hackers will never guess it, even after trillions of years.
I refer to them as school girl hackers simply because they only know how to exploit
and don't know how to be a real hacker. Take no offence school girls, you're certainly smarter than most of them.
*/

$IP = trim($_SERVER['REMOTE_ADDR']);
date_default_timezone_set('Australia/Brisbane');
// The web server user (e.g. www-data) must be able to write to this directory;
// /var/log usually is not writable by it, so adjust the path or its permissions.
$PATH = "/var/log/";

$login = date("d M Y h:i A");

// write the data posted by hackers to a file
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Look the IP up only for POSTs, so plain GET probes don't burn ipinfo.io quota.
    $token = "-SECRET-"; // your ipinfo.io API token
    $ipinfo = @file_get_contents("https://ipinfo.io/" . $IP . "?token=" . $token);
    $json = ($ipinfo !== false) ? json_decode($ipinfo) : null;
    // Any field may be missing (private IP, lookup failure), so default each to "?"
    $country = $json->country ?? "?";
    $state = $json->region ?? "?";
    $city = $json->city ?? "?";
    $org = $json->org ?? "?";
    // true when the source is hosted on Amazon; strpos() alone is wrong when the match is at offset 0
    $amazon = strpos($org, "Amazon") !== false;

    // Fail silently: a visible error message would tell the visitor something is odd about this page.
    $outfile = fopen($PATH . "hacker.log", "a");
    if ($outfile === false) {
        exit();
    }
    fwrite($outfile, "\r\n");
    fwrite($outfile, "====== " . $IP . " ===== " . $login . "\r\n");
    fwrite($outfile, "Hacker location: Country: " . $country . " City: " . $city . " State: " . $state . "\r\n");
    fwrite($outfile, "Organisation: " . $org . "\r\n");
    foreach ($_POST as $key => $value) {
        // Repeated fields (name[]) arrive as arrays; flatten them so htmlspecialchars() gets a string
        if (!is_string($value)) {
            $value = json_encode($value);
        }
        // htmlspecialchars() keeps the log safe to view in a browser later
        $out = "Field " . htmlspecialchars($key) . " is " . htmlspecialchars($value) . "\r\n";
        fwrite($outfile, $out);
    }
    fclose($outfile);
}

/*
Rule 1: Never respond to a hacker. "Silence is golden."
Just quietly exit the page OR, if adding to the start of
a real wp-login.php page, let the login continue.

I'll write tips later on how to silently and cleanly exit pages you don't want Google indexing and hackers viewing.

Remove the exit(); and ?> below if you're placing this at the start of a real wp-login.php page
to monitor hacker activity.
*/
exit();
?>


Log output generated by the above code

====== 203.124.33.211 ===== 22 Nov 2024 01:24 PM
Hacker location: Country: PK City: Rawalpindi State: Punjab
Organisation: AS7590 Commission on Science and Technology for
Field log is bonny
Field pwd is covert-gadgets123
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 134.209.249.86 ===== 22 Nov 2024 01:46 PM
Hacker location: Country: DE City: Frankfurt am Main State: Hesse
Organisation: AS14061 DigitalOcean, LLC
Field log is bonny
Field pwd is covert-gadgets1234
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 157.245.131.229 ===== 22 Nov 2024 02:29 PM
Hacker location: Country: US City: North Bergen State: New Jersey
Organisation: AS14061 DigitalOcean, LLC
Field log is bonny
Field pwd is 1234covert-gadgets
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 135.125.183.119 ===== 22 Nov 2024 02:51 PM
Hackers location: DE City: Frankfurt am Main State: Hesse
Organisation: AS16276 OVH SAS
Field log is bonny
Field pwd is bonny!!!!!!
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

As you can see, the passwords they use are pathetic. You can clearly see the hacker is an amateur trying to exploit those using silly passwords.

Seeing that in the logs, my mind is at rest knowing they are not professionals and pose no threat.
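Reading the log by eye works for four entries but not for four thousand. The script below is an added example, not part of the original post: it parses the hacker.log layout written by the PHP above and summarises which usernames were tried, how many attempts came from each IP, which sources sit on rented hosting (the HOSTING_MARKERS list is an assumption of mine), and which attempts hit a real username (the real_usernames parameter is hypothetical). The sample log is constructed in that layout.

```python
import re
from collections import Counter

# Constructed sample, two entries in the layout the PHP honeypot writes to hacker.log.
SAMPLE_LOG = """====== 203.124.33.211 ===== 22 Nov 2024 01:24 PM
Hacker location: Country: PK City: Rawalpindi State: Punjab
Organisation: AS7590 Commission on Science and Technology for
Field log is bonny
Field pwd is covert-gadgets123

====== 134.209.249.86 ===== 22 Nov 2024 01:46 PM
Hacker location: Country: DE City: Frankfurt am Main State: Hesse
Organisation: AS14061 DigitalOcean, LLC
Field log is admin
Field pwd is covert-gadgets1234
"""

# Assumed marker list: attempts whose organisation matches are typically rented VPS bots.
HOSTING_MARKERS = ("DigitalOcean", "OVH", "Amazon", "Hetzner", "Linode")

HEADER = re.compile(r"^====== (?P<ip>\S+) ===== (?P<when>.+)$")
FIELD = re.compile(r"^Field (?P<key>\S+) is (?P<value>.*)$")
COUNTRY = re.compile(r"Country: (?P<cc>[A-Z]{2})")

def parse_log(text):
    """Return one dict per POST attempt recorded by the honeypot."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):          # "====== <ip> ===== <timestamp>" starts an entry
            cur = {"ip": m["ip"], "when": m["when"], "country": "", "org": "", "fields": {}}
            attempts.append(cur)
        elif cur is None:
            continue                         # junk before the first header
        elif line.startswith("Organisation: "):
            cur["org"] = line[len("Organisation: "):].strip()
        elif m := FIELD.match(line):         # "Field <name> is <value>", one per POST field
            cur["fields"][m["key"]] = m["value"]
        elif m := COUNTRY.search(line):
            cur["country"] = m["cc"]
    return attempts

def summarise(attempts, real_usernames=()):
    """Count usernames tried, flag hosting-provider sources and hits on real usernames."""
    real = set(real_usernames)               # hypothetical: your actual WordPress logins
    return {
        "usernames": Counter(a["fields"].get("log", "") for a in attempts),
        "per_ip": Counter(a["ip"] for a in attempts),
        "hosting": [a["ip"] for a in attempts if any(h in a["org"] for h in HOSTING_MARKERS)],
        "username_hits": [a["ip"] for a in attempts if a["fields"].get("log") in real],
    }
```

A hit in username_hits is the entry worth watching: a guess that lands on a real login is the one thing a long random password is protecting you from.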