The 12h USSM spam-a-thon on behalf of our Russian overlords

May 29, 2009 · Filed Under Site information · 20 Comments 

I found it.

89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

(oh, how I wish our current layout expanded the center column smoothly)

Those are, if you’re curious, the only requests from them that day. They didn’t request the theme-editor page with a GET first. They didn’t even request any of the pages a normal user would load on the way to that page, including the other components of that page. It looks to me like they pounded a peg right through that hole. But anyway, I’m not sure exactly what happened, but voilà! We’ve got a new footer with many, many links.

So I wonder… has this person ever visited before?

Yes!

89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

Not much on reading, huh? So let’s check out who registered then….

+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID | user_login | user_pass | user_email | user_url | dateYMDhour | user_activation_key | user_status | user_nicename | user_registered | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru | | 0000-00-00 00:00:00 | | 0 | chelentanoxl | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com | | 0000-00-00 00:00:00 | | 0 | johnywhite | 2009-05-25 18:23:45 | JohnyWhite |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+

(the clock’s different)

Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!

Unfortunately, no comments from our good friend. I’d have been interested in that.

What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register, four days later they’re back and without generating any weird attempts against nonexistent URLs, they do a couple of posts and they’re off to the races.

To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:

Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us

The site in its current form appears to have been generated approximately 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.

Not a lot for us there.

Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.

That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…

Timeline of events
- internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
- bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
- they hit the site, changing footer.php
- they do it twice more in rapid succession
- they don’t touch it again
- I wake up, go to work, and at three get tipped off that something’s seriously wrong
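
One way to turn the pattern in those access-log lines into a detection, as an added example that is not from the post or from WordPress: it parses Apache common-format lines (the lines quoted above, embedded as constructed sample input), flags a bare POST to theme-editor.php answered with a 302 (a file save), and flags a theme-file view whose served size jumps, which is what a footer stuffed with hidden links looks like. The growth factor of 2.0 is an assumed threshold.

```python
import re

# Constructed sample input: the access-log lines quoted in the post (Apache common log format).
SAMPLE_LOG = """\
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)')

def parse_log(text):
    """Yield one dict per well-formed log line; a '-' byte count (no body) becomes 0."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec

def theme_editor_alerts(text, growth_factor=2.0):
    """Return (host, timestamp, reason) tuples for two signals seen in the post:
    1. a bare POST to theme-editor.php answered with a 302, i.e. a file save;
    2. a view of a theme file whose response grew growth_factor-fold since the
       previous view of the same file (assumed threshold)."""
    alerts, last_size = [], {}
    for r in parse_log(text):
        if not r["url"].startswith("/wp-admin/theme-editor.php"):
            continue
        fname = re.search(r"[?&]file=([^&]+)", r["url"])
        if fname is None and r["method"] == "POST" and r["status"] == "302":
            alerts.append((r["host"], r["ts"], "theme-editor save"))
        elif fname and r["status"] == "200":
            prev = last_size.get(fname.group(1))
            if prev and r["bytes"] >= growth_factor * prev:
                alerts.append((r["host"], r["ts"],
                               f"{fname.group(1)} grew {prev} -> {r['bytes']} bytes"))
            last_size[fname.group(1)] = r["bytes"]
    return alerts

if __name__ == "__main__":
    for host, ts, reason in theme_editor_alerts(SAMPLE_LOG):
        print(host, ts, reason)
```

Run against the sample it reports the two saves and the 29 May reload where footer.php went from 18393 to 91359 bytes; the 25 May reload, which shrank slightly, is not flagged, matching the post's guess that the first try was only a proof-it-works.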

There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.

What’s the damage, as far as I can tell?

Known:
- for about 12 hours, there was a massive amount of spammy links on the site
- I wasted about six hours finding the exploit they used and closing it
- Brief USSM outage when I had to restart something to fix something

Possible: I haven’t been able to find file revision info on their first try. It’s possible they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery).

What’s the fix?
- I removed the theme editor file they pounded that code through
- I nuked all the Russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
- I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.

What’s next?
- I’m going to look at the theme and try to talk to the WordPress folks about whether there’s a potential exploit using that page (I have no idea, really)
- I am powerless to otherwise prosecute or retaliate against them.

Good times. Go M’s.

* which says something about the behind-the-scenes headaches that I (we) can’t pay attention to catch stuff like this, but anyway….

Site mal-age

May 29, 2009 · Filed Under Site information · 6 Comments 

Hey all. About 12h ago someone changed our footer.php to include a vast number of hidden, spammy links, and I’ve been chasing it since. I just blew away the footer entirely, sooo uh we’ll see. That said, I’ve got zero experience at forensics and I’m still unsure exactly how this happened. I’ll spend some more time on this later, or throw up my hands and sell my shares to Rupert Murdoch or something.

New Season, Same Rules

April 9, 2009 · Filed Under Site information · Comments Off 

As we go into a new season, it’s apparently time to remind people of the rules. All new commenters are expected to read, understand, and abide by the rules set out in the comment guidelines and USSM Orientation, as well as utilize common sense.

Your first few comments are viewed as an audition; try to contribute something positive.

In particular, sexist comments aren’t welcome here. This isn’t a sports bar.

Questions can be directed to the email address linked under Contact Us.

Site info: logins

March 15, 2009 · Filed Under Site information · 5 Comments 

Hey all, I’ve been collecting scattered reports of login issues, and I’m working on it.

Podcasting, hypothetically

February 11, 2009 · Filed Under Site information · 40 Comments 

If, say, we were going to try this, and we really had zero experience and were finding internet recommendations for simple things like microphones etc plentiful, contradictory, and confusing, what would you, the USSM reader with some experience in this area, point us to?

Under fifty spots left for the Jan 10 Q&A

January 7, 2009 · Filed Under Site information · 10 Comments 

Really.

Site update note for Jan 7

January 7, 2009 · Filed Under Site information · Comment 

Hey, I moved USSM to the newest Wordpress version late last night/early this morning. You shouldn’t have seen any problems, but I noticed there are 315 comments now marked as “spam” which show up as not visible, going back for ages… and some of them I know were live before. And we don’t have a spam filter since everyone’s registered. I don’t know what the deal is. I’m looking into it.

Jan 10 event update

January 1, 2009 · Filed Under Site information · 3 Comments 

I’m working through the invites and trying to resolve the guest list today. This thing’s filling up pretty fast. Jeez.

Okay, so quick notes from today’s work:
- If you don’t want to pay through Paypal for whatever reason (including “want to cause Derek pain”) email us and we’ll work something out. Yes, Paypal is evil and horrible, and they’ve screwed us too, but it makes this thing 100x easier.
- If you’re bringing a guest, email us with the name you donated under and your guest’s name.
- If you paid through PayPal via check, you don’t show up on the list until the check’s cleared. This takes a while. Please do not email us about this. We can’t make checks clear faster.
- If you paid and your donation doesn’t show up instantaneously, please do not email us about this. Give it some time.
- If something went horribly wrong, email us.

Dave’s promotional post follows

We told you to hold the date – now we tell you why. On Saturday, January 10th, we’re hosting the latest USSM/LL event. The guests for the afternoon are Mariners Asst. GM Tony Blengino and Mariners scouting director Tom McNamara. These are the two guys that Zduriencik brought over from Milwaukee – Blengino is the guy behind the Department of Baseball Research that is being established and the one pushing the organization into the 21st century of baseball analysis. McNamara is the top scout in the organization, and will be running the amateur draft this summer. They’re both going to be a lot of fun to talk to.

The event is at the downtown Seattle Central Library from 1:30 to 5:30 on Saturday, January 10th. We won’t be providing food, so we’ve lowered the price to $10, which just goes to defray the costs of the room rental. We’re trying to improve the whole registration/payment process for these things, so if you want to attend, click on the button below and donate $10.

Click here to lend your support to: USSM/LL Jan 10 Feed and make a donation at www.pledgie.com !

Do not click the anonymous button, as we need your name to show up on the list of donors – that will be the list we use at the door to let people in. If you’re paying for multiple people, send an email to the USSM account with the names of the people you’re bringing so that we can make sure everyone is on the list. And if you’re totally anti-PayPal, send us an email too and we’ll work something out.

But, yeah, January 10th, four hours of baseball talk with Derek, the LL gang, and two of the big wigs in the M’s new front office. It’s going to be a lot of fun, so I encourage you guys to go.

Donate to the USSM Dave scholarship

November 21, 2008 · Filed Under Site information · 64 Comments 

Dave lost out in the internet polling for the $10k fund, which obviously I regard as a pretty huge injustice in the world. If that org wants to award based on clicks though, it’s their money. Still, Dave ran up over 11,500 votes before the last day, when his candidacy got any attention for non-baseball reasons, and I’ve been asked here, elsewhere, and via email, to try and set something up for direct college donations.

I think this is a great idea: Dave is newly married, awesome, the money will make a huge difference, and I have every faith that he’ll do good works with his economics degree, here and elsewhere.

So, I give you the 2008 USSM Scholarship Fund. All contributions go to Dave except what Paypal skims. I’ll match the first $500 myself.

If you want to give Dave some cash directly, email us and we’ll work something out. Contributions are not tax-deductible because I have no idea how to arrange that on short notice.

Updated: hey, it’s a pledgie badge! I have no idea if or how this works, but check it out.

Click here to lend your support to: The USS Mariner Dave Scholarship and make a donation at www.pledgie.com !

Two things to note: this doesn’t count my $500, which you managed to match in apx ten seconds (brief digression: when that happened, I stared at the monitor with a huge grin of surprise on my face for a good half-minute). And it doesn’t count the not-in-Pledgie donations.


Moderation PSA

October 29, 2008 · Filed Under Mariners, Site information · 23 Comments 

I always recommend a glance at the comment guidelines if you want to chime in. I’m sure plenty of people haven’t, and still do just fine because they know how to behave themselves anyway. But should you run afoul of the moderators, give it a read, and if you have questions, email. We do believe civility is compatible with healthy debate. Make arguments, not insults.

One of the things that occasionally trips people up is spelling. Look, we make occasional mistakes and will happily tolerate yours, but there has to be at least a modicum of effort to follow conventions of spelling and punctuation. Comments should be readable, and if we can’t read them, they’ll get moderated.

The spelling thing goes for names too, including the mildly challenging ones. If you’ve got something to say about Rizzs, for example, but can’t be bothered to spell his name right, no thanks. Most of the roster’s pretty easy to spell right now anyway, or has handy nicknames like Yuni or Tui, but historically this has included getting it right on Piniella or Pineiro.

So practice along with me – Zduriencik. Z-d-u-r-i-e-n-c-i-k. Along about the winter meetings at the latest, we’re going to expect people to get it right. If all else fails, you can always go with Jack instead (this assumes he doesn’t hire McKeon as his manager, or trade for the likes of Cust or Wilson).

As a shorthand, Z works fine, one letter shouldn’t be hard to remember. I’d stay away from initials, just because we already have an author who uses initials and has an unusual last name starting with Z. Witty variations are okay, but often they’re not nearly as clever or original as you think they are (I don’t know how many forms of “Richie Sux” we’ve seen). And just so we’re clear, Jay-Z is a rapper, end of story.
