• Don’t know if this is a coincidence, but just upgraded one of my blogs from 2.5.0 to 2.5.1 earlier and noticed about the same time, this appeared in comments being held for moderation:

    ' AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login='admin' and substring(reverse(lpad(conv(substring(user_pass,1,1), 16, 2),4,'0')),1,1)='1' /*

    and this as well:

    Bill527326335','[email protected]','','163.107.166.154','2008-06-06 18:56:17','2008-06-06 18:56:17','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-06-07 18:56:17', '2008-06-07 18:56:17', '', 'spam', '', 'comment', '0','0' ) /*

    Since comments are moderated, no harm done, right? But what was he up to? Is it coincidence this happened around the time of the upgrade? And is this something to be concerned or alarmed about?
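What the two pasted strings are trying to do, with a moderation-queue check for them, as an added example that is not from this thread or from WordPress itself: the first is a boolean-based blind injection that probes the admin user's password hash one bit at a time (the conv/lpad/reverse chain turns a hex digit of the hash into binary), the second tries to close the comment INSERT early and append a second row. The signatures, the threshold and the sample comments below are my own assumptions, modelled on the two payloads above.

```python
import re

# Map WordPress "texturized" quotes back to ASCII so that signatures written
# against the submitted text also match what is shown in the moderation queue.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u2032": "'",
                         "\u201c": '"', "\u201d": '"'})

# Structural features of the two payloads quoted in the thread. Each hit is one
# indicator; a comment is held only when several coincide, which keeps ordinary
# comments that happen to mention SQL functions out of the spam bucket.
SIGNATURES = [
    ("leading-quote-break", re.compile(r"^\s*'\s*(?:and|or|\)|,)", re.I)),
    ("tautology", re.compile(r"\b(?:and|or)\s+1\s*=\s*[01]\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("wp-table-ref", re.compile(r"\bwp_(?:users|comments|options)\b", re.I)),
    ("hash-probe-funcs", re.compile(r"\b(?:substring|conv|lpad|reverse)\s*\(", re.I)),
    ("row-injection", re.compile(r"\)\s*,\s*\(\s*'")),
    ("trailing-comment", re.compile(r"/\*\s*$")),
]

def sqli_indicators(comment: str) -> list[str]:
    """Return the labels of every signature that matches the comment text."""
    text = comment.translate(_QUOTES)
    return [label for label, rx in SIGNATURES if rx.search(text)]

def triage(comment: str, threshold: int = 2) -> tuple[str, list[str]]:
    """'hold' when at least `threshold` indicators coincide, else 'ok'."""
    hits = sqli_indicators(comment)
    return ("hold" if len(hits) >= threshold else "ok", hits)

# Constructed samples: 1 and 2 follow the thread's payloads (straight quotes, as
# submitted; e-mail replaced with a placeholder), 3 is the first one as WordPress
# renders it, 4 and 5 are harmless comments that mention SQL.
SAMPLE_COMMENTS = [
    "' AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login='admin' and "
    "substring(reverse(lpad(conv(substring(user_pass,1,1), 16, 2),4,'0')),1,1)='1' /*",
    "Bill527326335','spam@example.com','','163.107.166.154','2008-06-06 18:56:17',"
    "'2008-06-06 18:56:17','','0','lynx','comment','0','0'),('0', '', '', '', '', "
    "'2008-06-07 18:56:17', '2008-06-07 18:56:17', '', 'spam', '', 'comment', '0','0' ) /*",
    "\u2018 AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login=\u2019admin\u2019 /*",
    "Nice post! I'd select this theme for my blog too.",
    "Tip: substring(str, 1, 1) and reverse() both work in MySQL 5.",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        verdict, hits = triage(c)
        print(f"{verdict:4} {hits} <- {c[:60]!r}")
```

Whether a comment is held or not, the right fix is the one the thread reaches: the injection only works against an unpatched version, so the queue filter is a signal, not the defence.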

Viewing 6 replies - 1 through 6 (of 6 total)
  • that's an exploit attempt that goes back to the early 2.0.x branch, best I can tell.

    Thread Starter jonimueller

    (@jonimueller)

    So he’s a day late and a dollar short. I won’t worry about it too much then. I banned his IP and we’re on 2.5.1. ??

    oh crap, that's you, I didn't even notice .. let me make absolutely sure about what I just wrote.

    I'm going to back out of that statement — while it looks like the old utf/charset exploit for 2.0.5 — that used a trackback.

    And strangely enough, when I googled a particular string in what you pasted, I ended up clicking a link through google that wanted to redirect me to anyresults.com

    sound familiar??

    Just found another via google —

    Do you have my postlogger plugin installed? I would LOVE to see the output of the $post vars for that, if you do.

    /me runs off to check all the blogs I have access to that have that installed

    Going through google's cache of some of those sites — they're pretty much all running older versions of wp (geee, who woulda guessed) .. I dunno, better safe than sorry

  • The topic ‘Sinister code in comments (held for moderation)’ is closed to new replies.