Game 51, Mariners at Angels

May 31, 2009 · Filed Under Mariners · 239 Comments 

Olson vs Santana.

I’m still looking forward to seeing Ichiro’s season spun into a negative story about him. Suggestions:
– Ichiro’s consistent hitting puts undue pressure on other players to perform, and they’re pressing at the plate, causing the team’s offensive woes, and he refuses to go 0-fer to let them relax.
– Ichiro’s speed and smart baserunning make other players look comparatively worse, forcing them to worry about getting good leads and not being thrown out, distracting them and causing them to take bad leads and get thrown out.
– Ichiro’s (and the outfield’s, for that matter) consistent fielding is making the pitchers concentrate on trying to get fly balls, which takes them away from pitching to their strengths and makes them more prone to giving up home runs.

Good luck with that!

Griffey done and an anchor of the lineup

May 31, 2009 · Filed Under Mariners · 35 Comments 

(and that’s your 09 lineup for you)

The bait we were supposed to bite on this off-season, fixed to hook by Griffey’s agent, was that Griffey’s hitting struggles of late came from his (possibly un- or semi-)disclosed knee injury, but he’d be great now that the knee was better.

I was pretty skeptical. A lot of people were skeptical. And here’s where we are now:

He’s taking a ton of walks. 16% of his plate appearances. More walks than any time in his career except the shortened 1995 season. And he’s got no power.

Now, he’s not in Vidro territory…
Griffey 09: .213/.336/.369
Vidro 08: .234/.274/.338
… though it’s a little depressing to think the husk of Vidro’s career was a better contact hitter than Griffey is now.

While we’re looking at lines
Griffey 09: .213/.336/.369
AL 09: .268/.339/.428

But here’s his batting average on balls in play, a good measure of how hard he’s hitting the ball, from Fangraphs:

BABIP:

And here’s his raw power for a second look at that:

ISO:

Yeah, Griffey’s been injured on and off, but that’s the normal curve of a player getting old. They take more pitches, both from experience and because they can’t swing and make good contact on as many pitches as before.

BB%

Here’s the problem, though: this version of Griffey, a patient low-contact hitter with minimal power against right-handers, who we’re really pulling to finish the season hitting .250/.360/.420… he’s the third-best hitter on the team.

Behind Ichiro! who is awesome and Branyan, who as Dave notes has had his share of luck so far. And Branyan might still get traded. And Endy Chavez, not far behind, is another likely trade candidate. Wlad’s not hitting lately. Beltre should start hitting any minute. Like now would be good. No rush. Please? Seriously, Adrian, we’ve been manning the barricades for you for years, and our resolve is waning.

The good thing is DH is pretty easy to solve. You want a LH bat? Call up Clement. If the M’s want to hang in the race, they’re going to have to figure out how to get production out of that position for the fourth time since Ibanez moved back to left field after 2005 (though the 07 Vidro was at least above league average).

Saturday

May 30, 2009 · Filed Under Mariners · 41 Comments 

Game 50, Mariners at Angels

May 30, 2009 · Filed Under Mariners · 159 Comments 

Felix v Palmer. Betancourt’s at #2 again, Rob Johnson is… playing and despite being so bad you might plausibly DH for him instead of Felix if you were allowed, he’s batting #7 ahead of Chavez and Gutierrez. I don’t get it, but whatever, right? Go team!

USSM get-together in NC – last reminder

May 30, 2009 · Filed Under Mariners · Comment 

Sunday, May 31 in Durham at Champps Sports. You can watch the Mariners game at 3:35 in the private dining area. Dave says he’ll be there an hour or so before, and apparently there’s been a Jeff Shaw sighting. No admission fee, just whatever you eat and drink (tip generously, your server’s in a recession too).

What with all the USS Mariner folks in North Carolina, it’s a shame the move of two teams from the California League to the Carolina League didn’t work out, or they could see the Mariners’ Class-A squad all the time and let us know how Aumont’s doing. That, plus anything to get us out of High Desert.

The 12h USSM spam-a-thon on behalf of our Russian overlords

May 29, 2009 · Filed Under Site information · 20 Comments 

I found it.

89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

(oh, how I wish our current layout expanded the center column smoothly)

Those are, if you’re curious, the only requests from them that day. They didn’t request the theme-editor page. They didn’t even request any pages in a normal use of that page, including the other components of that page. It looks to me like they pounded a peg right through that hole. But anyway, I’m not sure exactly what happened, but voilà! We’ve got a new footer with many, many links.

So I wonder… has this person ever visited before?

Yes!

89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

Not much on reading, huh? So let’s check out who registered then….

+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID | user_login | user_pass | user_email | user_url | dateYMDhour | user_activation_key | user_status | user_nicename | user_registered | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru | | 0000-00-00 00:00:00 | | 0 | chelentanoxl | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com | | 0000-00-00 00:00:00 | | 0 | johnywhite | 2009-05-25 18:23:45 | JohnyWhite |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+

(the clock’s different)

Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!

Unfortunately, no comments from our good friend. I’d have been interested in that.

What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register, four days later they’re back and without generating any weird attempts against nonexistent URLs, they do a couple of posts and they’re off to the races.

To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:

Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us

The site in its current form appears to have been generated approx. 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.

Not a lot for us there.

Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.

That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…

Timeline of events
– internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
– bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
– they hit the site, changing footer.php
– they do it twice more in rapid succession
– they don’t touch it again
– I wake up, go to work, and at three get tipped off that something’s seriously wrong

There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.

What’s the damage, as far as I can tell?

Known:
– for about 12 hours, there was a massive amount of spammy links on the site
– I wasted about six hours finding the exploit they used and closing it
– Brief USSM outage when I had to restart something to fix something

Possible: I haven’t been able to find file revision info on their first try. It’s possible they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery)

What’s the fix?
– I removed the theme editor file they pounded that code through
– I nuked all the Russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
– I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.

What’s next?
– I’m going to look at the theme and try and talk to the WordPress folks about whether there’s a potential exploit using that page (I have no idea, really)
– I am powerless to otherwise prosecute or retaliate against them.

Good times. Go M’s.

* which says something about the behind-the-scenes headaches that I (we) can’t pay attention to catch stuff like this, but anyway….
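
The pattern noted in this post (POSTs to the theme editor from a client that never requested the page itself) can be checked for mechanically. The following is an added example, not code from the original post: it scans Common Log Format lines, assumed to be in chronological order, and the function names and sample log entries (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log (documentation-range addresses, not from the post).
SAMPLE_LOG = """\
198.51.100.20 - - [29/May/2009:09:00:01 -0700] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 29385
198.51.100.20 - - [29/May/2009:09:00:40 -0700] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 -
203.0.113.7 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
203.0.113.7 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=footer.php HTTP/1.0" 200 18393
203.0.113.7 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
192.0.2.50 - - [29/May/2009:10:00:00 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
this line is not a log entry
"""


def normalize_path(target):
    """Drop the query string and collapse repeated slashes (/wp-admin//x)."""
    return re.sub(r"/{2,}", "/", target.split("?", 1)[0])


def blind_admin_posts(lines, prefix="/wp-admin/"):
    """Return {host: [(timestamp, path), ...]} for POSTs to admin pages
    that the same host never fetched with GET earlier in the log."""
    fetched = defaultdict(set)    # host -> admin paths it has loaded via GET
    findings = defaultdict(list)  # host -> POSTs with no preceding GET
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = normalize_path(m["target"])
        if not path.startswith(prefix):
            continue
        if m["method"] == "GET":
            fetched[m["host"]].add(path)
        elif m["method"] == "POST" and path not in fetched[m["host"]]:
            findings[m["host"]].append((m["ts"], path))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in blind_admin_posts(SAMPLE_LOG.splitlines()).items():
        print(host, "-", len(hits), "admin POSTs with no prior GET of the page")
        for ts, path in hits:
            print("   ", ts, path)
```

A client that loaded the form in an earlier, rotated log file will also be flagged, so feed the function enough history to cover a normal admin session before treating a hit as suspicious.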

Game 49, Mariners at Angels

May 29, 2009 · Filed Under Mariners · 112 Comments 

Vargas v Lackey. Sorry for terseness.

Site mal-age

May 29, 2009 · Filed Under Site information · 6 Comments 

Hey all. About 12h someone changed our footer.php to include a vast number of hidden, spammy links, and I’ve been chasing it since. I just blew away the footer entirely, sooo uh we’ll see. That said, I’ve got zero experience at forensics and I’m still unsure exactly how this happened. I’ll spend some more time on this later, or throw up my hands and sell my shares to Rupert Murdoch or something.

Who’s the real Jose Lopez?

May 29, 2009 · Filed Under Mariners · 11 Comments 

Yuniesky Betancourt has been a frequent target for criticism this year, but in terms of wins, Jose Lopez is hurting us even more. The M’s are 1.7 wins below replacement level in the middle infield so far (-1.0 for Lopez, -0.7 for Betancourt). Even with Betancourt’s terrible defense and complete lack of clue at the plate, Lopez has been the worst player on the team so far.

Last year, Lopez made significant progress offensively, encouraging many of us who’ve believed in his potential. While he wasn’t going to be more than average defensively, he was still relatively young and cheap, an above-average hitter for his position, and maybe he could still add some power as he matured. This year, he’s fallen off a cliff. So what’s happened?

There are a lot of ways to look at this, each of which is just one part of the puzzle. But put together, they suggest why replacing Lopez needs to be just as much a priority as replacing Betancourt.

Let’s start with the “Lopez came into his own in 2008” theory. As Dave has frequently pointed out, you can’t just ignore his performance in previous years. A lot of people have wanted to excuse his horrible second half of 2007 because his brother died in June and he had a hard time concentrating on baseball after that. That wasn’t the real Jose Lopez, we thought. I admit to believing that myself a bit. Well, we’re far enough into the season that sample sizes aren’t quite so small anymore, and this Jose Lopez is a lot like that one:

Jose Lopez, post-ASB 2007: .213/.238/.281
Jose Lopez, 2009: .216/.259/.307

Pretty close, and if you added in his slightly-better-but-still-bad performance from mid-June (when his brother was killed) to mid-July 2007, the two are virtually the same. Some of that’s bad luck (identical .232 BABIP), but even allowing for some regression, it’s the real Lopez now and it was the real Lopez then. I’m not saying 2008 wasn’t real too, but it’s increasingly looking like Lopez’s peak, not something we can count on him to repeat year after year.

Other things are going on that are new this year, though. Here are some batted ball numbers for Lopez as a full-time player:

Season LD% GB% FB% HR/FB
2006 18.2% 48.6% 33.2% 5.7%
2007 17.0% 45.7% 37.4% 6.4%
2008 20.3% 44.1% 35.6% 8.2%
2009 19.9% 34.0% 46.2% 4.2%

He’s hitting line drives the same as always, but his groundball and flyball percentages have completely flipped. Meanwhile, those flyballs are turning into home runs at the lowest rate of his career. I’m not sure what’s going on here, but it’s as if last year convinced him to change his swing to go for more power, while at the same time the power itself has disappeared. We may still see some drift back to Lopez’s career norms, but in general these percentages tend to stabilize pretty quickly, and we’re approaching the point where we have to look at this as a meaningful change. I’m not saying the way for him to be successful is to beat the ball into the ground like Ichiro, but Lopez will never be a big power hitter. If he thinks he is, we’re in for a lot more fly balls to the warning track.

Meanwhile, there’s the question of his defense. His UZR/150 at second base:

2006: 5.0
2007: 1.4
2008: -4.8
2009: -11.8

You have to consider fielding metrics over multiple years, so we can’t just conclude that he’s as bad as it looks this year, but he’s certainly no better than average. And you definitely have to be worried about the appearance of a trend here (much like Betancourt). The real Jose Lopez is a below-average second baseman, and the sooner we can upgrade at that position, the better.

Zduriencik Speaks

May 29, 2009 · Filed Under Mariners · 27 Comments 

Former Seattle P-I writer Jon Paul Morosi got some quotes from Jack Zduriencik about the team and what his feelings are on the roster. Here are the important quotes.

“We’re not in any hurry to do anything,” Zduriencik said earlier this week. “You talk to GMs all the time, just casual conversations. Most of the time, it doesn’t go anywhere. There haven’t been any offers on the table yet.”

“Erik’s been good — really good. I’ve been very happy with Erik Bedard. His stuff’s been really good, really crisp. … I wasn’t here (last year), so I don’t really know anything about that firsthand. He was in an organization (Baltimore) for a long period of time, had to switch, go all the way across the country, and then he wasn’t healthy. Those things worked against him. … But he’s real happy now. He’s got a smile on his face.”

“Right now, my investment is in this season,” he said. “We’re doing everything we can to keep ourselves in this race.”

Nothing overly surprising yet. The M’s aren’t going to publicly pull the plug on the team right as they head into Anaheim for a three-game series. But, assuming this weekend doesn’t go perfectly for the M’s, Jack knows that he’ll wake up on Monday with a team that has a less than 10% chance of making the playoffs, and there are some teams out there getting antsy to make a deal for pitching. The first GM to agree to trade a starting pitcher is probably going to be the guy who wins this summer. Let’s hope Zduriencik is that guy.

Oh, and one other note on the article. Morosi throws this comment out there:

When the time comes, Seattle will probably look to acquire a young, power-hitting outfielder. Endy Chavez and Wladimir Balentien have formed the least productive left-field platoon in the majors by OPS, so that would be the obvious place to add a big bat.

This incorrect sentiment is echoed by John McGrath in his “blow up the M’s” piece for the News Tribune today, and will be repeated over and over all summer long, I’m sure. The last thing the M’s need to be trading for is an outfielder. As we mentioned this morning, Saunders is knocking on the door down in Triple-A, and the team is extremely likely to be drafting Dustin Ackley in two weeks. Beyond those two, Balentien’s still got some fans in the organization, and the team has outfielders coming out their ears at Double-A and below. It is the position of the most depth in the entire system.

The M’s do not need any more outfielders. They need infielders, specifically 2B/SS/3B, and pitchers. The team has more outfielders than they know what to do with.
