burstcollective

restarted our blog after a month of being down from various (unknown to us) phishing schemes, only to find these exact same queries showing up in our hit logs today….

have no idea where to find this junk to eliminate it for good. Help?

okay, I figured a couple things out…

there’s a few strange looking databases in my phpadmin area, most look similar to this :

“rss_1f6c214c60d29cacd0400469cc53ff37”

and then, inside those, there’s RIDICULOUS lines of code filled with all sorts of link bait and queries I’ve been seeing hit my blog.

So I’m going to delete them now. I figure I have a backup of te whole database so if I break something I can restore it… but I’m feeling pretty confident here since inside those entries I’m seeing all sorts of evil looking copy and links :

O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:3:{s:5:"title";s:16:"No results found";s:11:"description";s:43:"No results were found for https://burst/blog";s:7:"summary";s:43:"No results were found for https://burst/blog";}}s:7:"channel";a:10:{s:9:"generator";s:15:"Technorati v1.0";s:9:"webmaster";s:43:"support@technorati.com (Technorati Support)";s:4:"docs";s:37:"https://blogs.law.harvard.edu/tech/rss";s:3:"ttl";s:2:"60";s:4:"tapi";a:3:{s:6:"result";s:5:"
    ";s:10:"result_url";s:17:"https://burst/blog";s:19:"result_rankingstart";s:1:"0";}s:6:"result";s:16:"

";s:5:"title";s:23:"Technorati Search for: ";s:4:"link";s:17:"https://burst/blog";s:7:"pubdate";s:29:"Thu, 01 Jan 1970 00:00:00 GMT";s:7:"tagline";N;}s:9:"textinput";a:4:{s:5:"title";s:17:"Search Technorati";s:11:"description";s:43:"Search millions of blogs for the latest on:";s:4:"name";s:1:"s";s:4:"link";s:32:"https://technorati.com/search.php";}s:5:"image";a:3:{s:3:"url";s:50:"https://static.technorati.com/pix/logos/logo_sm.gif";s:5:"title";s:15:"Technorati logo";s:4:"link";s:21:"https://technorati.com";}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

but how do you edit those database fields? I think this is where I need to make a final sweep for miscreants.

here’s two lines of code from the stats log sql file that I managed to grab (I have no idea what any of this tells me but it’s two examples of hits of the kind I’m talking about) :

INSERT INTO wp_slim_stats VALUES (334398, 1024236612, '', 'jp', 'www.moeside.net', 'www.moeside.net/weblog/', '', '/index.php?p=3668.html', 1, 9, '6.0', 1208837318) ;

INSERT INTO wp_slim_stats VALUES (334645, 1241913519, '', 'us', '', '', '', '/index.php?p=2034.html', -1, 34, '', 1208841425) ;

So I went through those links and searched for phantom .txt files, backed up the db, reinstalled a brand new WP 2.5… only to still be inundated with hits for :

/index.php?p=XXXX.html

where X, the number, is seemingly random. Mostly three or four digits.

I don’t get it. What the hell are these mystery pages, and how can I get rid of them from my installation of WP? I’m completely stumped.

whooami, where can I find that ro8kfbsmag.txt file? Or can I search for it across my directories so I can send it to hell where it belongs?

I’ve upgraded to 2.5 since my blog was hacked, but want to be sure I’m not leaving a backdoor into my database, as I think you’re alluding to as being a possibility.

I shall never wait to upgrade again.
I shall never wait to upgrade again.
I shall never wait to upgrade again.

by “live hits” I mean pages that are obviously spam for drug companies, etc., but I can’t find any post/page that is numbered 4019 (to use the above example) to delete.

It seems like this is the type of attack we’ve suffered, as well, but we still get live hits when adding “/?p=4019.html” to the end of our blog URL (https://blog.burstlabs.com).

Any ideas? I’m so frustrated and stumped right now. Argh.