Sitemaps assist hackers

It didn't take long to identify who gets the most benefit from web site sitemaps. It's not you, and it's not us. The sitemap.xml and sitemap.html files are a primary target for the queen's slave hackers that scout around the world 24/7 looking for sitemaps.

It became evident that Google had very little interest in the sitemap file. We set up two sites, one with a sitemap and the other with just a robots.txt. Both sites had identical content, and each was located on a separate server in a separate state. By identical content we mean that one site ran WordPress with a sitemap and the other had the same content but was not built with WordPress; it did, however, contain a fake WordPress login page, which, as discussed later, was used to spy on what the hackers were up to.

We found that within 12 hours the web site with the sitemap.xml was aggressively attacked by hackers from all over the globe, targeting dummy web pages we knew would interest them. One example: we created a fake wp-login.php that intercepted the data being sent by the hackers, recording the details the amateur hackers posted into the fake page. Unknown to the hackers, the fake page collected useful data from their attempts. The only response our page gave was... no response at all. Meanwhile we gathered data: their location, the user names they posted, the passwords they tried, and so on.

The web site without the sitemap.xml and sitemap.htm sat for a few days before the hackers came in for the kill.

Both sites were listed equally in Google search.

Our conclusion: Google took very little interest in the sitemap, and a sitemap made no difference to search ranking. A sitemap serves no purpose other than providing a fantastic road map that lets hackers quickly identify whether your web site would make a good target for aggressive attacks and, if so, what to target.

During our monitoring of hackers, sitemap.xml and WordPress, we noticed additional, unexpected things happening. Hackers would trawl the WordPress images, downloading all our content. It seems WordPress makes it very easy for hackers to scan through your content, clone it and steal it.

On our other site, the one without WordPress or a sitemap, the hackers didn't trawl and download the images. In fact, our content seemed very uninteresting to them; or maybe, because the hackers aren't professionals, it was just too damn hard for them to scan the content, so they opted instead to target the WordPress site, which puts everything out on a silver platter for them. That would require more research, which we will do after Christmas.

The PHP code used to intercept hackers' login attempts and log the details they post.

This is a working PHP sample that uses the JSON response from ipinfo.io to extract the country, city, state and organisation for a person's (hacker's) IP address and logs that data to a file. It is very useful for finding out what user name and password combinations hackers are trying on your WordPress web site. Of course, it can be adapted to work on any platform.

After using the code I was surprised how close they were to knowing my user name. Close is not good enough, though, and shows the hackers aren't that smart. Unknown to them, my password is 120 characters long and consists of random characters. So even if they got my username correct, the Earth would no longer exist before brute force ever got them the password.

<?php
/*
This is the code I placed into a fake wp-login.php page.
You can place it at the beginning of a real wp-login page
and record the posted login attempts made by hackers.

It can be used to see if they know your user name
and whether they are getting close to your password.
If you're smart and have a password consisting of random
characters and 20 or more long, don't worry, the
school girl hackers will, after trillions of years,
never guess it! I refer to them as school girl hackers simply because
they only know how to exploit and don't know how to be a real hacker.
Take no offence school girls, you're certainly smarter than most of them.
*/

$IP = trim($_SERVER['REMOTE_ADDR']);
date_default_timezone_set('Australia/Brisbane');
$PATH = "/var/log/";              // directory for hacker.log; must be writable by the web server user

$login = date("d M Y h:i A");     // timestamp of this attempt, e.g. 22 Nov 2024 01:24 PM

// Only POSTed login attempts are of interest; a plain GET of the page logs nothing.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Look up country, region, city and organisation for the source IP via ipinfo.io.
    // Replace -SECRET- with your own ipinfo.io API token.
    $token = "-SECRET-";
    $ipinfo = @file_get_contents("https://ipinfo.io/" . $IP . "?token=" . $token);
    $json = ($ipinfo !== false) ? json_decode($ipinfo) : null;

    // If the lookup failed or a field is missing, log "unknown" rather than
    // dropping the attempt (the posted user name and password are the valuable part).
    $country = $json->country ?? "unknown";
    $state   = $json->region  ?? "unknown";
    $city    = $json->city    ?? "unknown";
    $org     = $json->org     ?? "unknown";

    // write the data posted by hackers to a file
    $outfile = @fopen($PATH . "hacker.log", "a");
    if ($outfile) {   // on failure stay silent rather than die() with a message the hacker can read
        fwrite($outfile, "\r\n");
        fwrite($outfile, "====== " . $IP . " ===== " . $login . "\r\n");
        fwrite($outfile, "Hacker location: Country: " . $country . " City: " . $city . " State: " . $state . "\r\n");
        fwrite($outfile, "Organisation: " . $org . "\r\n");
        foreach ($_POST as $key => $value) {
            // a field posted as an array (name[]) is flattened so htmlspecialchars() gets a string
            $text = is_array($value) ? json_encode($value) : (string) $value;
            $out = "Field " . htmlspecialchars($key) . " is " . htmlspecialchars($text) . "\r\n";
            fwrite($outfile, $out);
        }
        fclose($outfile);
    }
}

/*
Rule 1: Never respond to a hacker "Silence is golden"
Just quietly exit the page OR if adding to start of
a real wp-login page let the login continue.

I'll write tips on how to silently and cleanly exit pages you don't want Google indexing and hackers to view later on.

Remove the exit(); and ?> below if you're placing this at the start of a real wp-login page
to monitor hacker activity.
*/
exit();
?>

If the snippet is placed at the start of a real wp-login.php (with the exit(); and ?> removed), WordPress's own file then continues with its header comment, which begins:

 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.

Log output generated by the above code

====== 203.124.33.211 ===== 22 Nov 2024 01:24 PM
Hacker location: Country: PK City: Rawalpindi State: Punjab
Organisation: AS7590 Commission on Science and Technology for
Field log is bonny
Field pwd is covert-gadgets123
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 134.209.249.86 ===== 22 Nov 2024 01:46 PM
Hacker location: Country: DE City: Frankfurt am Main State: Hesse
Organisation: AS14061 DigitalOcean, LLC
Field log is bonny
Field pwd is covert-gadgets1234
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 157.245.131.229 ===== 22 Nov 2024 02:29 PM
Hacker location: Country: US City: North Bergen State: New Jersey
Organisation: AS14061 DigitalOcean, LLC
Field log is bonny
Field pwd is 1234covert-gadgets
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

====== 135.125.183.119 ===== 22 Nov 2024 02:51 PM
Hackers location: DE City: Frankfurt am Main State: Hesse
Organisation: AS16276 OVH SAS
Field log is bonny
Field pwd is bonny!!!!!!
Field wp-submit is Log In
Field redirect_to is https://covert-gadgets.com/wp-admin/
Field testcookie is 1

As you can see, the passwords they use are pathetic. It is clear the hacker is an amateur trying to exploit those who use silly passwords.

Seeing that in the logs, my mind is at rest knowing they are not professionals and pose no threat.
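As an added example, not code from the original post: a small Python script that parses entries in the hacker.log format the PHP snippet writes and summarises them the way a defender reads them, counting attempts per source IP and per hosting organisation and classifying each guess as derived from the site's domain, from the user name, or neither (the pattern visible in the log above). The embedded log entries are constructed samples using documentation IP ranges, not the post's real log.

```python
import re
from collections import Counter

# Constructed sample entries in the hacker.log format the PHP snippet above writes (not the post's real log).
SAMPLE_LOG = """\
====== 203.0.113.10 ===== 22 Nov 2024 01:24 PM
Hacker location: Country: PK City: Rawalpindi State: Punjab
Organisation: AS64496 Example Hosting
Field log is bonny
Field pwd is example-site123
Field redirect_to is https://www.example-site.com/wp-admin/

====== 198.51.100.7 ===== 22 Nov 2024 01:46 PM
Organisation: AS64497 Example Cloud, LLC
Field log is bonny
Field pwd is bonny!!!!!!
"""

HEADER = re.compile(r"^====== (\S+) ===== (.+)$")
FIELD = re.compile(r"^Field (\S+) is (.*)$")

def parse_log(text):
    """One dict per attempt (ip, time, org, posted fields); unrecognised lines are skipped."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"ip": m.group(1), "time": m.group(2), "org": "", "fields": {}}
            attempts.append(cur)
        elif cur is not None and line.startswith("Organisation: "):
            cur["org"] = line[len("Organisation: "):]
        elif cur is not None and (m := FIELD.match(line)):
            cur["fields"][m.group(1)] = m.group(2)
    return attempts

def guess_type(attempt):
    """Was the password built from the site's domain, from the user name, or neither?"""
    f = attempt["fields"]
    pwd, user = f.get("pwd", "").lower(), f.get("log", "").lower()
    m = re.match(r"https?://(?:www\.)?([^./]+)", f.get("redirect_to", ""))
    site = m.group(1).lower() if m else ""
    if site and site in pwd:
        return "site-name"
    return "user-name" if user and user in pwd else "other"

def summarise(text):
    """Counts a defender wants at a glance: per source IP, per hosting org, per guess type."""
    attempts = parse_log(text)
    return {"by_ip": Counter(a["ip"] for a in attempts),
            "by_org": Counter(a["org"] for a in attempts),
            "guess_types": Counter(guess_type(a) for a in attempts)}
```

Run it against the real /var/log/hacker.log by passing the file's contents to summarise(); repeated source IPs and a single hosting organisation across many attempts are the signature of one scripted campaign rather than many independent hackers.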
