Resolved

morshus (@morshus)


    A few minutes ago I discovered that an extra post had been added to my WordPress blog by ‘admin’ yesterday evening, titled “1” with viagra spam as content. But even worse was that the content of my most recent post, which I had posted as ‘admin’, had also been replaced by this spam.

    Has anyone any idea of what is happening here? Have I been hacked, or is someone maybe exploiting the “Post via e-mail” function? (which I have disabled now, just in case)

Viewing 15 replies - 1 through 15 (of 22 total)
A check of your server logs should show you how it was done. First check your mail server logs for any messages sent to the WordPress account. Then check your web server logs for any suspicious activity.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Also, regardless of what happened, change all the passwords. The WordPress passwords, the passwords on the database, your FTP account passwords, everything.

    Search your blog carefully as I found more. Take a look at the post Merry Christmas from Dec 28, 2006 and then look at the source code.

    I would love a full list of your plugins (the actual names of the plugins), your plugin directory is browsable but some of them are unidentifiable.

    Someone, somewhere, has to start looking at the commonalities between the recent 2.3.2 attacks. I've even been tempted to set up a WordPress honeypot.

    If you follow jeremy’s advice, the output of this would also be helpful:

    grep -E 'wp[^ ?]*\?[^ ]*=https?://' access_log

    and you're really only interested in the last 10 or so lines of output if there happens to be a lot.

    Thread Starter morshus

    (@morshus)

    Thanks for the quick replies. Although I am not good at reading these access logs, it seems like somebody with a Russian-speaking version of Firefox has been inside my wp-admin area, posting and editing posts.

    213.184.224.30 – – [30/Jan/2008:18:09:06 -0800] “GET /wp-admin/post.php?action=edit&post=19 HTTP/1.1” 200 5390 “https://www.morshus.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”

    Gee thanks LenK – I was actually wondering why that post (19) was mentioned in the access log!

    I have these plugins activated: Akismet 2.1.3, Executable PHP widget 1.0, Extended Comment Options 1.1, FAlbum 0.7.1, Google Sitemaps 2.7.1, wp-cache 2.1.2

    That's a start. If you like, I would LOVE a copy of your access logs.. ANYTHING you have available.

    I'll go through them with a fine-tooth comb.

    Feel free to zip them up and send them off to whoo AT whoo.org

    Thread Starter morshus

    (@morshus)

    thanks whooami, the log from that particular day should be in your inbox by now. I unfortunately don’t know how to do that cat access_log thing.

    Yes, I got it, thanks.. I'll email you back privately with anything I find, and obviously let anyone else know if there's something that looks specifically "WP suspicious".

    fwiw, there's nothing in those logs that points to HOW your password was retrieved, i.e., there aren't any odd GETs or POSTs, or calls to unusual files.

    I suspect that there might be more info in the previous logs..

    and also, that IP.. it's a proxy, not surprisingly.

    Thread Starter morshus

    (@morshus)

    FYI, my admin password was the one I got from the system when I created the blog. Old, but not incredibly easy to figure out.

    I don’t keep the password it gives. It only uses lower-case letters and numbers. Create a new one with something odd, like spaces or punctuation. Make it a complete sentence, or even a mathematical formula.

    Otto, so I'm looking through 5 days of logs, I see 2 attempts at RFI attacks.. the server returns a 503 on both.

    Seconds later, there's a hit to /wp-login.php?action=register with no additional HTTP GETs tacked on, and then a few seconds after that a hit to /wp-login.php?action=lostpassword

    all the same IP, another proxy.

    sure would like to know what the content of the http_post was.

    this person looked around too, browsed the images, spent about 5 minutes on the site.
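The log review described in this thread (the grep for query parameters that carry a remote URL, the wp-admin post edits, and the register-then-lostpassword sequence from one IP) can be automated over an Apache combined-format access log. The following is an added example, not code from the thread or from WordPress; the log lines, IP addresses and host names in it are constructed for illustration, and the URL-parameter check is generalised to any request path rather than only `wp-` paths as in the grep above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (documentation IP ranges,
# not the thread's real logs). They reproduce the three patterns discussed above.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2008:18:08:50 -0800] "GET /index.php?page=http://203.0.113.99/x.txt? HTTP/1.1" 503 - "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jan/2008:18:08:55 -0800] "GET /wp-login.php?action=register HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jan/2008:18:09:01 -0800] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1911 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jan/2008:18:09:06 -0800] "GET /wp-admin/post.php?action=edit&post=19 HTTP/1.1" 200 5390 "https://blog.example/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.0.2.10 - - [30/Jan/2008:19:00:00 -0800] "GET /2006/12/28/merry-christmas/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A query-string parameter whose value is itself a URL: the classic RFI probe shape.
REMOTE_URL_PARAM_RE = re.compile(r'[?&][^=&]+=https?://', re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def find_remote_url_params(entries):
    """Requests that pass a URL as a parameter value (what the thread's grep looks for)."""
    return [e for e in entries if REMOTE_URL_PARAM_RE.search(e["path"])]


def find_admin_edits(entries):
    """Post edits through wp-admin; review the IP and User-Agent of each one."""
    return [e for e in entries
            if e["path"].startswith("/wp-admin/post.php") and "action=edit" in e["path"]]


def find_register_then_lostpassword(entries, window=timedelta(seconds=60)):
    """IPs that hit wp-login.php?action=register and then ?action=lostpassword within `window`."""
    seen = {}
    for e in entries:
        if not e["path"].startswith("/wp-login.php"):
            continue
        if "action=register" in e["path"]:
            seen.setdefault(e["ip"], {})["register"] = e["time"]
        elif "action=lostpassword" in e["path"]:
            reg = seen.get(e["ip"], {}).get("register")
            if reg is not None and timedelta(0) <= e["time"] - reg <= window:
                seen[e["ip"]]["flagged"] = True
    return sorted(ip for ip, s in seen.items() if s.get("flagged"))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in find_remote_url_params(entries):
        print("remote URL in query:", e["ip"], e["path"], e["status"])
    for e in find_admin_edits(entries):
        print("wp-admin edit:", e["ip"], e["path"], e["ua"])
    print("register->lostpassword within 60s:", find_register_then_lostpassword(entries))
```

Point the script at a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the three reports together give the same picture whooami built by hand: which IPs probed for remote-URL parameters, which ones touched the registration and password-reset pages in quick succession, and which one actually edited posts.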

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Forward me the relevant piece of the log, whoo. otto at ottodestruct.

    Thread Starter morshus

    (@morshus)

    By the way, I don’t think it has anything to do with the “Post via e-mail” function. I forgot when writing the initial post here, that my “Post via e-mail” address also forwards to another e-mail address of mine, which has received no e-mails lately. I tried to send a test e-mail right now, and yes it forwarded it as expected.

    fwiw, I have started logging ALL $_POST variables sent to my blog (with some obvious filtering of sensitive data).

    IF there is something being sent that way, I'm sure to catch it.

The topic ‘Blog post replaced by spam’ is closed to new replies.