The 12h USSM spam-a-thon on behalf of our Russian overlords
I found it.
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359
(oh, how I wish our current layout expanded the center column smoothly)
Those are, if you’re curious, the only requests from them that day. They didn’t request the theme-editor page. They didn’t even request any of the pages you’d load in normal use of that page, or the other components that page pulls in. It looks to me like they pounded a peg right through that hole. Anyway, I’m not sure exactly what happened, but voilà! We’ve got a new footer with many, many links.
So I wonder… has this person ever visited before?
Yes!
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359
Not much on reading, huh? So let’s check out who registered then….
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID   | user_login   | user_pass                          | user_email               | user_url | dateYMDhour         | user_activation_key | user_status | user_nicename | user_registered     | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru              |          | 0000-00-00 00:00:00 |                     |           0 | chelentanoxl  | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite   | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com |          | 0000-00-00 00:00:00 |                     |           0 | johnywhite    | 2009-05-25 18:23:45 | JohnyWhite   |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
(the clock’s different)
Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!
Unfortunately, no comments from our good friend. I’d have been interested in that.
What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register, four days later they’re back and without generating any weird attempts against nonexistent URLs, they do a couple of posts and they’re off to the races.
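Turning the pattern in those log lines into a check, as an added example (not code from this post or from WordPress): a small Python script that parses combined-format access-log lines, folds the reverse-DNS form of a client (89-149-253-13.internetserviceteam.com) and its bare IP into one key, and flags any client that POSTs to /wp-admin/theme-editor.php. For each flagged client it records which theme file the requests named, whether that client registered an account through wp-login.php, and whether it ever loaded the editor page with a GET before writing to it. The sample log lines are constructed for the example, modelled on the entries above; the 10.0.0.x addresses are placeholders for ordinary traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample lines, modelled on the entries quoted in the post.
# The 10.0.0.x clients are placeholders standing in for ordinary traffic.
SAMPLE_LOG = """\
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359
10.0.0.5 - - [29/May/2009:05:10:01 -0700] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 29000
10.0.0.5 - - [29/May/2009:05:10:20 -0700] "GET /wp-admin/edit.php HTTP/1.0" 200 31000
10.0.0.7 - - [29/May/2009:06:00:00 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Reverse-DNS names of the form 89-149-253-13.example.com, which some log
# lines carry in place of the IP address.
DASHED_QUAD = re.compile(r'^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.')

EDITOR = "/wp-admin/theme-editor.php"
LOGIN = "/wp-login.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    path, _, query = e.pop("target").partition("?")
    e["path"] = path
    e["query"] = dict(parse_qsl(query))
    return e


def client_key(host):
    """Fold the reverse-DNS and bare-IP forms of one client into a single key."""
    m = DASHED_QUAD.match(host)
    return ".".join(m.groups()) if m else host


def analyze(log_text):
    """Return {client: finding} for every client that POSTs to the theme editor."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            by_client[client_key(e["host"])].append(e)

    findings = {}
    for client, events in by_client.items():
        writes = [e for e in events
                  if e["method"] == "POST" and e["path"].endswith(EDITOR)]
        if not writes:
            continue
        first_write = min(e["ts"] for e in writes)
        findings[client] = {
            "writes": len(writes),
            # theme files named in the editor requests (footer.php in the post)
            "files": sorted({e["query"]["file"] for e in writes if "file" in e["query"]}),
            # did this client create its own account through the registration form?
            "registered_here": any(
                e["method"] == "POST" and e["path"].endswith(LOGIN)
                and e["query"].get("action") == "register" for e in events),
            # a browser loads the editor form (GET) before saving; a script need not
            "loaded_form_first": any(
                e["method"] == "GET" and e["path"].endswith(EDITOR)
                and e["ts"] < first_write for e in events),
            "first_write": first_write.isoformat(),
        }
    return findings


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG).items():
        print(client, finding)
```

Feed a real log file's text to analyze() to run it against actual traffic. On the constructed sample the only client flagged is 89.149.253.13: two editor writes naming footer.php, a registration from the same client, and no GET of the editor before the first POST, which is the scripted-request signature the log above shows. Separately from detection, WordPress can turn the editor off outright by defining DISALLOW_FILE_EDIT as true in wp-config.php, which closes the same hole the post closes by deleting the file.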
To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:
Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us
The site in its current form appears to have been generated approximately 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.
Not a lot for us there.
Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.
That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…
Timeline of events
– internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
– bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
– they hit the site, changing footer.php
– they do it twice more in rapid succession
– they don’t touch it again
– I wake up, go to work, and at three get tipped off that something’s seriously wrong
There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.
What’s the damage, as far as I can tell?
Known:
– for about 12 hours, there was a massive amount of spammy links on the site
– I wasted about six hours finding the exploit they used and closing it
– Brief USSM outage when I had to restart something to fix something
Possible: I haven’t been able to find file revision info on their first try. It’s possible they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery)
What’s the fix?
– I removed the theme editor file they pounded that code through
– I nuked all the russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
– I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.
What’s next?
– I’m going to look at the theme and try and talk to the WordPress folks about whether there’s a potential exploit using that page (I have no idea, really)
– I am powerless to otherwise prosecute or retaliate against them.
Good times. Go M’s.
* which says something about the behind-the-scenes headaches: I (we) can’t pay enough attention to catch stuff like this, but anyway….
Comments
20 Responses to “The 12h USSM spam-a-thon on behalf of our Russian overlords”
Just goes to show you how much money you wasted outfitting Colorado high schoolers against these commie bastids.
My ideal career: To be an agent in an international task force that tracks down the most notorious spammers, and beat them with rubber hoses before carting them off to a tribunal.
Unfortunately no entity like that exists, though perhaps Interpol might be open to the idea.
NetDirect and Internet Service Team are in Frankfurt.
From another site:
You might also try to block dnspro.de, unless you are deeply concerned about the traffic from our German friends.
Link to IST’s info
*clapclapclap*
Well done, DMZ. Things like that make me thank god I don’t run websites anymore…
go have one of those fine beers we like to send you.
In Soviet Russia, Internet spams you!
Another list of IPs to block
This happened to me 3 days ago on my main site and my two other sites I manage, long nights of drinking and cussing. Not a big fan…….
Yay, another Yakov Smirnoff fan!
I think you’re both vastly underestimating how irritable I am right now.
Go Rambo on their asses!
“Who do you think DMZ is? God?”
“No God would have mercy”
There are a number of posts on the forum at wordpress about various hacks in the past.
http://wordpress.org/support/topic/220840
It almost always boils down to loose or guessable passwords, leading to sql injections.
DMZ-
Thank you for all the efforts in making this site safer- I know this has got to be (or had to be) three shades of royal bitch to deal with.
Unfortunately, some people just love to wreak havoc on whatsoever they can find.
I won’t speak for anyone else normally, but I think it’s safe for me to say we all appreciate everything you do around here.
Fortunately, it seems Henryv (thanx for the birthday holler, Henry!!) and JSA might be able to offer some assistance- if it’s me, I’m hopelessly out of my league on blocking spammers and viral attacks.
Don’t forget about the “Donate” link on the left to buy him a beer.
Now I am A) scared once again about Internet security and I don’t even have a hard drive (MSNTV2, it’s a ways behind the tech curve but safe in that respect) and B) amazed at the time and effort you guys put in here. Apparently it’s not just the baseball side of things either.
If you don’t have a hard drive, there’s not really too much to worry about.
Derek and Dave do a lot of hard work behind the scenes that you guys don’t see that helps keep this place going.
No of course not, but my credit union, Yahoo, work computer, etc. all do have hard drives and modems. Scary.
Some days I like to fantasize about being a vigilante who goes out at night in a funny costume and beats the holy living hell out of internet criminals who think they’re beyond the reach of justice.
I wrote a somewhat cathartic short story about how cloud computing technology would inevitably result in anti-spammer vigilante actions last night. It’s surprisingly good a day later, though it obviously needs some work.
I wonder if this is related to the Storm botnet.