Forcing WordPress Admin to use “secure” cookies

In this page I will teach you to do something you should never do. But.. sometimes needs must, and the insane reason you are doing it should never be asked about.

In the situation I needed to do this I had a client who:

-Did not want to move from their (very low cost) web hosting.
-Could not enable HTTPS on their low cost web hosting.
-Needed or wanted their website to be served over HTTPS / SSL.

The usual easy way to add SSL to a website where the hosting or server can’t have an SSL certificate is to… chuck Cloudflare in front of it, tell Cloudflare to upgrade all connections to HTTPS, and set the origin (SSL/TLS) mode to Flexible.

Anything other than WordPress will work great. BUT! WordPress will start doing never-ending redirects, and the admin page will start responding:

Error: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.

What happens is that the origin server (your server, without HTTPS) serves the request, so WordPress sees the request as having come in via http, while Cloudflare upgrades the connection to https towards the visitor’s browser. BUT.. the “set-cookie” header sent by WordPress contains a “nonsecure” cookie, which the browser throws away as it is now a secure website.

The solution is to find a way to force WordPress to add “secure” to the end of the set-cookie header.

wp-config.php may also need the lines shown further down (I know I need them, as I set my “WordPress Address” and “Site Address” to not have http or https). First, here is the set-cookie header WordPress was sending:

set-cookie
	wordpress_test_cookie=WP%20Cookie%20check; path=//www.example-wordpress-site.com/

The set-cookie header is missing “; secure” at the end so the browser ignores the cookie. The only way I could find to override this behaviour was to directly edit one of the WordPress files. I expect my modification will get undone the next time WordPress updates but I’m also not skilled enough at WordPress to know how to make a persistent plugin or similar.

In “wp-includes” edit the file “load.php” and find the line “function is_ssl() {” and replace the function block with:

function is_ssl() {
 // Always report HTTPS, even when the origin received plain HTTP from Cloudflare
 return true;
}

This forces WordPress to always think it is in https / SSL mode even if the request came in to the server via http. This now causes WordPress to always do “secure” cookies!

set-cookie
	wordpress_test_cookie=WP%20Cookie%20check; path=//www.example-wordpress-site.com/; secure

You might be fine at this point, but my setup had one further problem…
You can see the “path” is corrupted, probably because WordPress doesn’t know how to handle a site URL without http or https, so it puts //www.example-wordpress-site.com/ as the path. This means the browser STILL throws away the cookie. Adding the following to wp-config.php fixed it:

define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');
define('SITECOOKIEPATH', ''); 

This causes WordPress to instead send the set-cookie without the path:

set-cookie
	wordpress_test_cookie=WP%20Cookie%20check; secure

Job done.. until something undoes my load.php modification.
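Here is one way to get the same effect without touching wp-includes/load.php, as an added example that is not from the original post: set $_SERVER['HTTPS'] from the X-Forwarded-Proto header that Cloudflare sends, but only when the request arrived from the proxy. The CIDR list is a placeholder to be replaced with the proxy’s published ranges, and the tcp_ prefixed names are chosen here.

```php
<?php
// Added example (not from the original post): make WordPress report HTTPS for
// requests that Cloudflare received over HTTPS, without editing wp-includes.
// Place this in wp-config.php above the line that requires wp-settings.php.
//
// is_ssl() returns true when $_SERVER['HTTPS'] is 'on', so setting it from the
// proxy's X-Forwarded-Proto header has the same effect as the load.php edit
// but survives core updates.
//
// The header is only trusted when the request really came from the proxy.
// Otherwise anyone who can reach the origin over plain HTTP could add
// "X-Forwarded-Proto: https" themselves.

// Assumption: replace these placeholders (RFC 5737 / RFC 3849 documentation
// ranges) with the proxy's published address ranges, e.g. the list Cloudflare
// publishes at https://www.cloudflare.com/ips/ .
$tcp_trusted_proxy_cidrs = array(
    '192.0.2.0/24',
    '2001:db8::/32',
);

// Hypothetical helper (name chosen here): is $ip inside the $cidr block?
// Works for IPv4 and IPv6 by comparing the packed binary forms.
function tcp_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        return false;
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($subnet);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // malformed address, or IPv4 compared against IPv6
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ip_bin) * 8) {
        return false;
    }
    $full_bytes = intdiv($bits, 8);
    if (substr($ip_bin, 0, $full_bytes) !== substr($net_bin, 0, $full_bytes)) {
        return false;
    }
    $rem_bits = $bits % 8;
    if ($rem_bits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem_bits)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($net_bin[$full_bytes]) & $mask);
}

$tcp_remote     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$tcp_from_proxy = false;
foreach ($tcp_trusted_proxy_cidrs as $cidr) {
    if (tcp_ip_in_cidr($tcp_remote, $cidr)) {
        $tcp_from_proxy = true;
        break;
    }
}

if ($tcp_from_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    // Same outcome as the load.php edit: is_ssl() is now true, so the
    // "; secure" attribute is added to the cookies WordPress sets.
    $_SERVER['HTTPS'] = 'on';
}
```

The cookie path defines from above are still needed on a setup like this one; this snippet only replaces the is_ssl() edit.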

The far better solution is to move to some better hosting which allows Let’s Encrypt!

Posted in Uncategorized | Leave a comment

Fully disable IPv6 on OpenWRT

While a bad idea, there are some instances where disabling IPv6 is required.
In my instance I installed a new OpenWRT router on a network as a replacement for their old ISP router.. I already had a DHCPv6 server on the network but no actual IPv6 setup or upstream connectivity. The OpenWRT DHCPv6 server handing out its own DNS servers was really messing up Active Directory connectivity for clients on the LAN.

Rather than attempt to fix the DHCPv6, experiment, and hope it works correctly, I am afraid stability was more important for this site. I had to take the lazy option of making sure there was no DHCPv6 (or even IPv6) on the OpenWRT router.
There are many pages and sites on how to do it; most don’t work. Some tell you to untick some options in the LAN interface settings, but I couldn’t get this to work.

The instructions which did work for me were found on this site:
https://3os.org/infrastructure/openwrt/disable-ipv6/
(Archive.org link for good measure too).

As the internet is often quite fleeting and sites sometimes do not last long.. I’m also posting an archive of the commands here:

Follow the following steps to disable IPV6 on your OpenWrt router:

uci set 'network.lan.ipv6=0'
uci set 'network.wan.ipv6=0'
uci set 'dhcp.lan.dhcpv6=disabled'
/etc/init.d/odhcpd disable
uci commit

Disable RA and DHCPv6 so no IPv6 IPs are handed out:

uci -q delete dhcp.lan.dhcpv6
uci -q delete dhcp.lan.ra
uci commit dhcp
/etc/init.d/odhcpd restart

You can now disable the LAN delegation:

uci set network.lan.delegate="0"
uci commit network
/etc/init.d/network restart

You might as well disable odhcpd:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop

And finally you can delete the IPv6 ULA Prefix:

uci -q delete network.globals.ula_prefix
uci commit network
/etc/init.d/network restart
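Because most guides for this apparently don’t work, here is an added check (not from the post, nor from 3os.org) that reads a “uci show” dump and reports which of the settings the steps above touch are still enabled, so you can confirm the change stuck after a reboot. The sample dumps inside it are constructed.

```sh
#!/bin/sh
# Added example: audit a "uci show" dump for the IPv6 settings the steps above
# turn off. On the router:  { uci show network; uci show dhcp; } | ipv6_leftovers
# Prints one line per leftover and returns 1 if any were found, 0 if clean.
# Only the keys the steps above set or delete are inspected.
ipv6_leftovers() {
    found=0
    seen_lan=0
    seen_wan=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\'}          # newer uci quotes values; strip quotes either way
        val=${val%\'}
        case "$key" in
            network.lan.ipv6)
                seen_lan=1
                if [ "$val" != "0" ]; then echo "leftover: $line"; found=1; fi ;;
            network.wan.ipv6)
                seen_wan=1
                if [ "$val" != "0" ]; then echo "leftover: $line"; found=1; fi ;;
            network.lan.delegate)
                if [ "$val" != "0" ]; then echo "leftover: $line"; found=1; fi ;;
            dhcp.lan.dhcpv6|dhcp.lan.ra)
                # the steps delete these; anything but 'disabled' still answers clients
                if [ "$val" != "disabled" ]; then echo "leftover: $line"; found=1; fi ;;
            network.globals.ula_prefix)
                echo "leftover: $line"; found=1 ;;
        esac
    done
    # An absent ipv6 option means "enabled" on OpenWrt, so silence is not success.
    if [ "$seen_lan" -eq 0 ]; then echo "missing: network.lan.ipv6 (defaults to enabled)"; found=1; fi
    if [ "$seen_wan" -eq 0 ]; then echo "missing: network.wan.ipv6 (defaults to enabled)"; found=1; fi
    return "$found"
}

# Constructed sample dumps: a default-ish config before the steps, and after.
sample_before() {
    printf '%s\n' \
        "network.globals=globals" \
        "network.globals.ula_prefix='fd00:db8:1::/48'" \
        "network.lan=interface" \
        "network.lan.proto='static'" \
        "network.lan.ip6assign='60'" \
        "network.wan=interface" \
        "dhcp.lan=dhcp" \
        "dhcp.lan.dhcpv6='server'" \
        "dhcp.lan.ra='server'"
}
sample_after() {
    printf '%s\n' \
        "network.globals=globals" \
        "network.lan=interface" \
        "network.lan.proto='static'" \
        "network.lan.ipv6='0'" \
        "network.lan.delegate='0'" \
        "network.wan=interface" \
        "network.wan.ipv6='0'" \
        "dhcp.lan=dhcp"
}

# Demo when run directly with "demo": the "after" dump should be clean.
if [ "${1:-}" = "demo" ]; then
    sample_before | ipv6_leftovers
    sample_after | ipv6_leftovers && echo "clean"
fi
```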

As mentioned above, I DID NOT AUTHOR THESE INSTRUCTIONS. I have taken an archive because the internet often “forgets stuff” and websites become unavailable.

Posted in Uncategorized | Leave a comment

Sensible date formats in ls

Mainly for my own reference in the future but if you want sensible formatted dates and times for files in the ls command..

ls -l --time-style=long-iso

Source: https://mastodon.social/@Edent/112122426537045159


Posted in Uncategorized | Leave a comment

“Ezy Domains” and scam renewal invoices

Summary: it’s almost certainly a scam. Do not pay; report it, and the bank account they are requesting payment to, to Action Fraud.

Today is a rare and interesting one. A customer forwarded a message:

The message is from “Ezy Domains” and sent via a cloud accounting service address “delivery@invoicely.com”.

It references domain renewal at an extortionate rate of £180 for 2 years of a .co.uk domain! It isn’t from the company the customer currently uses for their domain, and they’ve had no prior contact with the scam company either.

There are scant contact details on it. The address used is a mailbox / company registration service, and the contact email address, “renewals@easidomains.com”, is on a “parked” domain with no website on it.

Payment was requested to
“Nash Digital Ltd”
Sort Code: 23-14-70
Account Number: 16476777
A bank account at “Wise Payments”. The second result down on Google is a similar scam involving a Wise Payments account. Seems like they are not very good at due diligence and fraud prevention.

Posted in Uncategorized | Leave a comment

Removing a stuck Contact from an AOR on Asterisk

This is mainly for my reference in the future but may help others.

Consider: you have an Asterisk server using PJSIP, and the server hosts accounts (extensions) such as 203.
You accidentally register two devices against 203. This means you see two Contact entries when you do “pjsip show aors”. For some reason you need to remove the accidental registration without waiting for it to time out.
These instructions are what you need!

(These are NOT instructions to unregister your Asterisk server from a remote server.)

In my example I see two entries against extension 200.. I need to remove one:

phonesystem*CLI> pjsip show aors

Aor: <Aor..............................................> <MaxContact>
Contact: <Aor/ContactUri............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================

Aor: 200 2
Contact: 200/sip:200@192.168.1.240;transport=udp 9511ebbed5 Unavail nan
Contact: 200/sip:200@192.168.1.170:5060 a88df67525 Avail 8.405

Aor: 201 2
Contact: 201/sip:201@192.168.1.166:5060 e809d41dd7 Avail 8.662

Aor: 202 2
Contact: 202/sip:202@192.168.1.114;transport=udp b00d5e390d Avail 25.241

Aor: 203 2
Contact: 203/sip:203@192.168.1.169:5060 c082161b2d Avail 7.712

Aor: 204 2
Contact: 204/sip:204@192.168.1.165:5060 657f0aaf73 Avail 11.754

Aor: 205 2
Contact: 205/sip:205@192.168.1.115;transport=udp 5db1d55f4b Avail 24.247

Aor: aaisptrunk 0
Contact: aaisptrunk/sip:+441111111111@voiceless.aa.ne b158676072 Avail 13.283


Objects found: 7

Next, at the Asterisk CLI, run:

database show registrar/contact

This will return a list of devices registered against all your aors (extensions). Sadly I have not found a simple way to limit the results to just the extension you need.
You may find it easier to copy and paste the results into a notepad or some other external application so you can ctrl+f and locate the extension you need.
My response looks like this:

phonesystem*CLI> database show registrar/contact
/registrar/contact/200;@9511ebbed5533d99c7dac7bd43865275: {"via_addr":"192.168.1.240","qualify_timeout":"3.000000","call_id":"322e39fb5f481427","reg_server":"","prune_on_boot":"no","path":"","endpoint":"200","via_port":"0","authenticate_qualify":"no","uri":"sip:200@192.168.1.240;transport=udp","qualify_frequency":"30","user_agent":"Vtech Vesa VSP726A 2.0.7.0-0","expiration_time":"1706031618","outbound_proxy":""}
/registrar/contact/200;@a88df67525bb1157140ab2759f569fe2: {"via_addr":"192.168.1.170","qualify_timeout":"3.000000","call_id":"852311744-5060-1@BJC.BGI.B.BHA","reg_server":"","prune_on_boot":"no","path":"","endpoint":"200","via_port":"5060","authenticate_qualify":"no","uri":"sip:200@192.168.1.170:5060","qualify_frequency":"30","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706032133","outbound_proxy":""}
/registrar/contact/201;@e809d41dd742e64374d9fce521b22523: {"via_addr":"192.168.1.166","qualify_timeout":"3.000000","call_id":"1352415149-5060-1@BJC.BGI.B.BGG","reg_server":"","prune_on_boot":"no","path":"","endpoint":"201","via_port":"5060","authenticate_qualify":"no","uri":"sip:201@192.168.1.166:5060","qualify_frequency":"30","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706033744","outbound_proxy":""}
/registrar/contact/202;@b00d5e390dab1ba7e88dd16bf2e1568d: {"via_addr":"192.168.1.114","qualify_timeout":"3.000000","call_id":"49bea306c7f7d4fa","reg_server":"","prune_on_boot":"no","path":"","endpoint":"202","via_port":"0","authenticate_qualify":"no","uri":"sip:202@192.168.1.114;transport=udp","qualify_frequency":"30","user_agent":"Vtech Vesa VSP726A 2.0.7.0-0","expiration_time":"1706033788","outbound_proxy":""}
/registrar/contact/203;@c082161b2dd8dabbe8627c2930bdcf84: {"via_addr":"192.168.1.169","qualify_timeout":"3.000000","call_id":"162684605-5060-1@BJC.BGI.B.BGJ","reg_server":"","prune_on_boot":"no","path":"","endpoint":"203","via_port":"5060","authenticate_qualify":"no","uri":"sip:203@192.168.1.169:5060","qualify_frequency":"30","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706032885","outbound_proxy":""}
/registrar/contact/204;@657f0aaf730e4eaaf4112108f79924f9: {"via_addr":"192.168.1.165","qualify_timeout":"3.000000","call_id":"779693131-5060-1@BJC.BGI.B.BGF","reg_server":"","prune_on_boot":"no","path":"","endpoint":"204","via_port":"5060","authenticate_qualify":"no","uri":"sip:204@192.168.1.165:5060","qualify_frequency":"30","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706034644","outbound_proxy":""}
/registrar/contact/205;@5db1d55f4bd9672e47011757542b5684: {"via_addr":"192.168.1.115","qualify_timeout":"3.000000","call_id":"5bc7fe7676a1f674","reg_server":"","prune_on_boot":"no","path":"","endpoint":"205","via_port":"0","authenticate_qualify":"no","uri":"sip:205@192.168.1.115;transport=udp","qualify_frequency":"30","user_agent":"Vtech Vesa VSP726A 2.0.7.0-0","expiration_time":"1706033356","outbound_proxy":""}
7 results found.

In my example I wish to remove the entry containing Vtech from extension 200. From the output of the database show command I take the ID which looks like this from the line containing Vtech:
“200;@9511ebbed5533d99c7dac7bd43865275”

Then run the command:

database deltree registrar/contact 200;@9511ebbed5533d99c7dac7bd43865275

And that is it, the contact is now removed!
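To narrow the output down to one extension without copying it into Notepad, here is an added Python helper (not from the post) that parses lines in the format shown above, filters by AOR and User-Agent, and builds the deltree command. The sample output, addresses and hashes inside it are constructed; feed it real output from, for example, asterisk -rx "database show registrar/contact".

```python
import json
import re

# Constructed sample in the same shape as the "database show registrar/contact"
# output above (addresses and hashes are made up; endpoint 200 has two contacts).
SAMPLE_OUTPUT = """phonesystem*CLI> database show registrar/contact
/registrar/contact/200;@0123456789abcdef0123456789abcdef: {"via_addr":"192.0.2.40","endpoint":"200","uri":"sip:200@192.0.2.40;transport=udp","user_agent":"Vtech Vesa VSP726A 2.0.7.0-0","expiration_time":"1706031618"}
/registrar/contact/200;@fedcba9876543210fedcba9876543210: {"via_addr":"192.0.2.70","endpoint":"200","uri":"sip:200@192.0.2.70:5060","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706032133"}
/registrar/contact/201;@00112233445566778899aabbccddeeff: {"via_addr":"192.0.2.66","endpoint":"201","uri":"sip:201@192.0.2.66:5060","user_agent":"Grandstream GXP1628 1.0.7.56","expiration_time":"1706033744"}
3 results found.
"""

PREFIX = "/registrar/contact/"
# The astdb key looks like "<aor>;@<32 hex chars>", e.g. "200;@9511ebbe..."
KEY_RE = re.compile(r"^([^;]+);@([0-9a-f]{32})$")


def parse_contacts(text):
    """Return one dict per contact line: the JSON fields plus 'key' and 'aor'."""
    contacts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue  # CLI prompt, "N results found.", blank lines
        key, _, body = line[len(PREFIX):].partition(": ")
        match = KEY_RE.match(key)
        if not match:
            continue  # not a key shape we recognise; skip rather than guess
        try:
            fields = json.loads(body)
        except ValueError:
            continue
        if not isinstance(fields, dict):
            continue
        fields["key"] = key
        fields["aor"] = match.group(1)
        contacts.append(fields)
    return contacts


def find_contacts(text, aor, user_agent_contains=None):
    """Contacts for one AOR (extension), optionally narrowed by a User-Agent substring."""
    hits = [c for c in parse_contacts(text) if c["aor"] == aor]
    if user_agent_contains is not None:
        needle = user_agent_contains.lower()
        hits = [c for c in hits if needle in c.get("user_agent", "").lower()]
    return hits


def deltree_command(contact):
    """The CLI command from the post, built from the parsed key."""
    return "database deltree registrar/contact " + contact["key"]


if __name__ == "__main__":
    # Same case as the post: the Vtech phone registered against extension 200.
    for contact in find_contacts(SAMPLE_OUTPUT, "200", "Vtech"):
        print(contact["uri"], contact["user_agent"], "expires", contact["expiration_time"])
        print(deltree_command(contact))
```

Check the URI and expiry of the match before pasting the command, so the device you keep is the one still in use.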

Hope this helps.

Posted in Uncategorized | Leave a comment

“nathanappliance.com”, “ihenrys.com” and “retailia.co.uk” electronics goods scam 2023.

Hi everyone!

It has been quite some time.. I’ve been busy, but also BACS transfer changes (recipient name matching) in the UK made this scam much more difficult.

I’ve seen a few where they abuse Stripe accounts since.. but none on the scale of the previous electronics goods scams I have looked at in the past.

A recent comment ( https://thecomputerperson.wordpress.com/2023/03/13/ipr-protection-com-and-ipr-protection-org-spam/#comment-17633 ) pointed me towards what looks like a persistent scam operation running once again.

Well made, professional-looking websites have appeared recently selling electronics goods. The images on the about page are unique and can’t be attributed to stock photography.. they’ve used an AI image generator to make the images, which in turn makes identifying scam sites even more difficult.
Take a look at the family photo.. how many fingers on some of the hands!

The scam I am writing about also uses card transactions, which is good news for victims, as obtaining a chargeback (refund) is much, much easier than with the previous bank transfer scams.

Known scam sites:
-jhenrys.co.uk (Registered 4th December 2023).
-joneshenry.com (Registered 7th December 2023).
-retailia.co.uk (Registered 26th June 2023).
-rinotech (Unknown what exact domain name they used).
-nathanappliance.com (Registered 11th December 2023).
-theobarker.com (card transaction named “E-com shopping”) (Registered 27th December 2023).

Related people and organisations.. (though note that some of these may be genuine people who have had their Stripe account compromised!):

-synned.com (A long-standing domain since 2009, but site content only appeared earlier this year, and the “cleaning company” only registered with the UK company registration system in September 2023. Likely to be a genuine-looking company and website in order to register for a Stripe account.)
-fastcssltd@proton.me
-UK phone number +447495727233 (number allocated to EE/BT Mobile or one of their virtual operators [1pmobile etc.])

-omaemi.com (As above, possibly a compromised website of a genuine online store being used to process fraud transactions via Stripe card processor.)
-techbluemonkey@gmail.com
-UK phone number +447537170595 (virtual number not likely to be tied to a physical or eSIM card)

-Fake company name “Retail Sales Ltd.” Company Number 14475250 (a company number for a different genuine company).

-Company name “Pushtech Ltd.”, which interestingly seems to have a real company registration: 14897781 but may be the scammers using a recently registered genuine company as their own cover name.

-cargolineservices.com (An intermediate between the compromised cleaning company website and the scam site. I have previously seen “cargo” related domains in this shop scam.)

-process.fpd24.com seems to have replaced cargolineservices as of yesterday. (Registered 12th December 2023).

More information will be posted here once I have researched it.

Unrelated to the above group but a similar scam:
-tysmarket.com (Registered in 2019 but only recently launched in September. Previously known as “Reebox”)
-oldschoolelectronics.com (Same website as above but different domain name)
-newelectronicsgadget.com
-justclickshopping.com (Also previously known as “Porto Commerce” or “Porto eCommerce”).
-garden-online-store.co.uk (Also previously known as Kartpul)
-fitnesselectronics.com (Also previously known as “Bakan”, “EXGASTORE”, “EXTRAMEGASTORE”)
-apekstore.com (Also previously known as “WOOSTROID”)

Posted in Uncategorized | 2 Comments

ipr-protection.com and ipr-protection.org spam.

A customer received the following spam today:

From: IPR Protection info@ipr-protection.com
Sent: 13 March 2023 RE:DAC
To: REDACTED
Subject: Trademark registration for REDACTED

Dear Sir/Madam,

Yesterday we received an application for the trademark registration of REDACTED. This application was not filed by you or your company, but by a third party, as we observed from the application forms.

During our screening, we noticed that you have a similar company name, but in a different sector.

Given the fact that your company was the first to be registered, you have the first option of registering this brand name.

If you would rather not have the other party use this brand name, please let us know. In that case, you can register the trademark for yourself.

If you want to register the trademark in the UK, the costs are £550.00 excluding VAT. Your registration will be processed within 24 hours. A European (£1249.00) or international registration (£1775.00) is also available.

Please let me know within three business days whether you wish to make use of this offer. If you do not respond or are not interested, we will approve the other party’s application, which means that they will obtain the trademark rights to REDACTED.

Kind regards,

Jack Walsh
IPR Protection
http://www.ipr-protection.com

Unsolicited, and it also includes an unsubscribe link in the disclaimer at the end of the email, which links to an email marketing campaign application, MailWizz. Seems like a strange way to send one-off “warning of application” emails, using mass mailing software!

Their website doesn’t have any postal address, nor does it give a company registration number.

Digging into it more.

IPR-PROTECTION.COM and ipr-protection.org were only registered on 28th December 2022.
They only pointed them at a working web server on 1st January 2023.

However! Files uploaded to their website are dated as far back as March 2022.
Most of the photos uploaded appear to be headshots of people, but they show strong graphical artefacts suggesting the photos were generated by an AI website such as “this person does not exist”:

Note the way stray hairs have turned into unusual creases in the background and that the earring doesn’t appear to be quite right.

Going further, it appears that in March 2022 they went under the name “EU Brand Protection” (eubrandprotection.com), and the EU Intellectual Property Office wrote an article on their website about them:
https://euipo.europa.eu/ohimportal/en/misleading-invoices

Also highly likely to be related:
ieobenelux.com
trademarkbenelux.com
ids-norway.com
dns-austria.com
dns-eu.net
dns-eu.org
dns-osterreich.com
dnsna.org
ukraine-donation.org – known scam run from the same web server

Going by some of the language used in their code.. I think the actors behind this spam are Dutch.

I’m no lawyer, but it seems unusual to me that a company supposedly offering trademark registrations would issue another company a trademark of a brand they ALREADY know is in use (as they are emailing the victim to ask if it’s OK).

Plus the AI generated photos of the people on their website, plus the historic company also involved with misleading invoicing / practices.

I would block, report and delete the email and forget you ever received it. Certainly do not pay them. If you do want to register your trademark, do it directly with the government at around £170…

Posted in Uncategorized | 8 Comments

Fake Bitcoin investment sites: billkoin.com, swancoins.net, orchidcoin.net, lidocoin.net etc.

These sites are unusual. They are spread by unsolicited emails claiming to be updates to an account or someone who needs to recover an account. It gives a username and a password.
2024-03: The most recent incident I’ve seen of this uses the excuse that a friend of yours found a wallet on the ground and in the wallet was the bitcoin login, and asking how you cash out.

The username isn’t unique. When you sign in you are asked to set a password. This is used along with the username to identify you as a victim.

They then ask you to use a mobile number and they use an API or web service to trigger an SMS or call to the number. (This costs the scammer).

Once you’ve validated the account you are then shown a page claiming you have a bitcoin wallet or investment with a large balance. There are options to pay in or withdraw.

There are two modes of operation. One it forces you to send bitcoin to them for the annual account fee before you can do anything. The aim here is to just steal that fee.

The other mode is to error when you try to withdraw a large amount. They then say you need to withdraw a tiny amount (around US$2) as a test transaction before you can withdraw the remaining.
What is unusual about this is, the payment actually gets made. If you game this scam you can get $2 in bitcoin for free.

But… what they hope for is that the victim, after the test transaction works, tries to withdraw the remaining balance. Their system then fakes an error and says you need a higher balance to withdraw. The scammers hope victims send a larger amount of bitcoin back to the scam site to increase the balance and allow withdrawal of the full amount.

They troll the victim into believing the site is real, they respond to online tickets like a normal organisation would.

Needless to say if you send bitcoin back to them, you won’t see any of it ever again.

It’s a sophisticated scam. The scammers send money, and the scammers pay for an SMS and phone one-time-code verification service! The scammers appear to be running multiple brands and sites. They look like they have a central operation to automate payments of bitcoin but multiple “agents” to scam victims. The agents are given a cut of the income which they can cash out every so often.

Other names they’ve gone under in the past:


To effectively game the site and get free money you would need lots of mobile numbers, lots of bitcoin wallets and lots of IP addresses. They also check for common VPN and Onion exit IP addresses.

The main person behind it appears to be in Nigeria, as do the majority of the “agents”.
To date (2023-02-20), across all the agents since mid-2021, they have been paid $25,000 worth of bitcoin. The total losses from victims are likely much higher, as I suspect the agents only get a percentage of the overall theft.

Posted in Uncategorized | 20 Comments

NReco.PdfGenerator “Exit with code 1 due to network error: ContentAccessDenied”

Took me ages to work this one out. HtmlToPdfConverter.GeneratePdf causes the error mentioned in the title.

Looking at the IIS trace in Process Monitor produced no mention of it attempting to access anything at all.

A few years ago someone posted the same issue on Stack Overflow: https://stackoverflow.com/questions/56289916/how-i-can-generate-pdf-document-with-nreco-pdf-generator
As with the issue I was troubleshooting, I could get the code to run OK on an old server and also when running it via IIS Express in Visual Studio, but the moment you deployed it to the main IIS it would error when generating a PDF.

It took hours of messing around, but eventually I figured out the exit code was a message produced by another component, “wkhtmltopdf.exe” (which I’ve used in the past with my own process-running wrapper). It seems NReco just runs the third-party application “wkhtmltopdf.exe”, with command line arguments that write to a system temporary folder:

"D:\website\mainroot\App_Data\wkhtmltopdf\wkhtmltopdf.exe"  -q  -s A4  "C:\WINDOWS\TEMP\pdfgen-cex1sm4a.zbf.html"  "C:\WINDOWS\TEMP\pdfgen-ioeaohqn.wvq.html" 

You don’t see this as a user of NReco PDFGenerator, you just see the error. It gives you no indication of which folder it is failing to access.

My instance was solved by adding Authenticated Users to have full permissions over the c:\windows\temp folder:

Hours of time could have been saved if the error output from the component were more concise, or if it were clearer that the .NET component just runs an .exe to perform the conversion; that would make it clearer that temporary files must be being used somewhere.
It also appears there is no way to set the temporary folder NReco PDF Generator uses. This restriction will be an unfixable issue for deployments on shared servers where you won’t be able to change the permissions on the Windows system temp folder!
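A narrower grant than Full Control for Authenticated Users, as an added example that is not from the post: give only the IIS application pool identity Modify rights on the folder the wkhtmltopdf command line above writes to. It assumes the pool is named MyAppPool and that the worker process really resolves its temp path to C:\Windows\Temp, as the command line shows.

```powershell
# Added example (not from the post): least-privilege alternative to granting
# Authenticated Users full control. Run in an elevated PowerShell on the web server.
$pool     = 'MyAppPool'                      # assumption: your application pool name
$folder   = 'C:\Windows\Temp'                # the folder from the wkhtmltopdf command line
$identity = "IIS AppPool\$pool"              # the built-in virtual identity of that pool

# Modify = read, write, create and delete (enough for pdfgen-*.html temp files),
# inherited by files and subfolders created under $folder.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: show only the entries that apply to the pool identity.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

If the pool runs as a custom account rather than the built-in identity, use that account name in $identity instead.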

Posted in Uncategorized | Leave a comment

Required OpenVPN modifications for Grandstream phones.

Just for my future reference as normal..

Using a standard setup from this script: https://github.com/angristan/openvpn-install

Comment out the tls-crypt line

Add a log line:

log /var/log/openvpn/log.log

Turn off LZO on phone. Configure, then reboot phone.

Posted in Uncategorized | Leave a comment