Divide and Conquer » Open Source http://www.divideandconquer.se David's Software Development Blog Thu, 24 Jun 2010 13:47:00 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 WordPress crack attempt this morning! http://www.divideandconquer.se/2008/04/16/wordpress-crack-attempt-this-morning/ http://www.divideandconquer.se/2008/04/16/wordpress-crack-attempt-this-morning/#comments Wed, 16 Apr 2008 08:12:50 +0000 David http://www.divideandconquer.se/2008/04/16/wordpress-crack-attempt-this-morning/ When I got to work and viewed this blog I noticed that Sidebar Widgets was disabled. I thought "That’s weird!"

When I tried to login to the administration interface I was told that my WordPress database needed upgrading. I thought "That’s weird!"

Some further investigation revealed that someone managed to upload a PHP script called ro8kfbsmag.txt (MD5 sum df3b74cd38c717d9d7bbf0cd1910baa1) to my /tmp directory. It starts like this:

<?php
/*Magic Include Shell by Mag icq 884888*/
//TODO: ñëèòü ôàéëî íà ñâîé ôòï (!)
$ver='2.1';
if(isset($_GET[pisun233]))
{

This gave me enough information too start googling. A must-read is Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking, as it describes a very similar attack. There is also a support thread at wordpress.org: Weird and Dangerous : ro8kfbsmag.txt.

The attack vector on my server looked like this, originating from 78.109.21.80 with HTTP/1.0 as protocol version and "Opera" as User-Agent. I wish I logged POST data!

POST /wp-admin/options.php
POST /wp-admin/upload.php
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/inline-uploading.php?post=-1&action=upload
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/options.php
POST /wp-admin/options.php
GET /wp-admin/upgrade.php?step=1

Needless to say, I have restored a backup and taken certain precautions to prevent this from happening again.

]]> http://www.divideandconquer.se/2008/04/16/wordpress-crack-attempt-this-morning/feed/ 2 SourceForge.net Marketplace spam http://www.divideandconquer.se/2008/02/02/sourceforgenet-marketplace-spam/ http://www.divideandconquer.se/2008/02/02/sourceforgenet-marketplace-spam/#comments Sat, 02 Feb 2008 09:11:04 +0000 David http://www.divideandconquer.se/2008/02/02/sourceforgenet-marketplace-spam/ I’ve been a member of a number of SourceForge projects since 2001 and I can’t recall that I’ve had any previous complaints about their services to the Open Source community, but I’ve been getting “Turn your skills into cash at SourceForge.net Marketplace” mails for a while now and my annoyance keeps growing. Some DNS checks on marketplace.sourceforge.net shows that a company called ExactTarget is running the business. I previously tried to change my e-mail address in their “Profile Center” to me@privacy.net but on Thursday I got another of the mails. This time I think I managed to unsubscribe. Unsurprisingly, I’m not the only one annoyed by this venture from SourceForge.

]]> http://www.divideandconquer.se/2008/02/02/sourceforgenet-marketplace-spam/feed/ 2 Web design and SimpleSidebar http://www.divideandconquer.se/2008/01/26/web-design-and-simplesidebar/ http://www.divideandconquer.se/2008/01/26/web-design-and-simplesidebar/#comments Sat, 26 Jan 2008 08:32:08 +0000 David http://www.divideandconquer.se/2008/01/26/web-design-and-simplesidebar/ I found a suitable initial web design for The Project at Open Source Web Design. That’s a really great site!

Now I’m learning about layouts in Ruby on Rails. As suggested in the Midnight Oil blog (Beds are burning?) article SimpleSidebar – If you have sidebars, you need this plugin I now use SimpleSidebar in The Project. At first it didn’t work at all, but updating config.plugins in config/environment.rb was an easy solution! :-)

]]> http://www.divideandconquer.se/2008/01/26/web-design-and-simplesidebar/feed/ 0