
My blog started showing an error today; Joseph reported it to me as soon as he saw the problem.

The problem was that, while I was trying to fix it, somebody else changed the code of the index.php file of my WordPress installation.

The code introduced there was a hidden iframe pointing to:

http://c9u.at:8080/ts/in.cgi?pepsi147

It seems I’m not the only one having this issue; according to Gupi, the owner of the server, the attack came from two different IPs: 79.116.233.252 and 65.188.207.196.

The cracker already knew my password. I scanned for keyloggers and trojans, and my assumption is that the password was stolen by sniffing the network traffic. FTP is a plaintext, insecure protocol, which is what led to this problem.

Only the index files were attacked, throughout the whole public folder.

The script requested through the iframe can be anything, from something that tracks the traffic of the targeted site to a live source of IP addresses of new, potential victims.

I’m still trying to find how my password leaked…


…is a text in Romanian, and seems to be the user agent of a vulnerability-scanning spider looking for an exploit specific to the Roundcube Webmail service. You will notice this scanner requesting the following addresses on your server:

  • /bin/msgimport
  • /webmail/bin/msgimport
  • /roundcube/bin/msgimport
  • /mail/bin/msgimport
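As an added example (not code from the original post), here is a small Python script that flags requests for exactly those paths in a web server access log in the common "combined" format and groups them by source IP; the log lines, IPs, timestamps and user agent in it are constructed for the example.

```python
import re
from collections import defaultdict

# Paths the Roundcube msgimport scanner requests, as listed in the post above.
SCANNER_PATHS = {
    "/bin/msgimport",
    "/webmail/bin/msgimport",
    "/roundcube/bin/msgimport",
    "/mail/bin/msgimport",
}

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_scanner_hits(lines):
    """Return {ip: [(time, path, status, agent), ...]} for requests to the scanner paths."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than crashing on them
        path = rec["path"].split("?", 1)[0]  # drop any query string before comparing
        if path in SCANNER_PATHS:
            hits[rec["ip"]].append((rec["time"], path, rec["status"], rec["agent"]))
    return dict(hits)

# Constructed sample log (IPs, timestamps and user agents are made up for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:04:12:01 +0000] "GET /bin/msgimport HTTP/1.1" 404 210 "-" "Example-Scanner/1.0"
203.0.113.7 - - [10/Mar/2009:04:12:02 +0000] "GET /webmail/bin/msgimport HTTP/1.1" 404 210 "-" "Example-Scanner/1.0"
203.0.113.7 - - [10/Mar/2009:04:12:02 +0000] "GET /roundcube/bin/msgimport?x=1 HTTP/1.1" 404 210 "-" "Example-Scanner/1.0"
198.51.100.4 - - [10/Mar/2009:04:15:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2009:04:15:31 +0000] "GET /mail/bin/msgimport HTTP/1.1" 403 199 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, reqs in find_scanner_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} scanner request(s)")
        for t, path, status, agent in reqs:
            print(f"  {t} {path} -> {status} ({agent})")
```

A 404 or 403 on these paths means nothing was found, but a run of them from one IP is a reliable sign of the scanner, so the IP grouping is what to look at.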

The IP addresses of this vulnerability spider detected by Jeromakay.com so far are:

  • 82.103.131.247 (Denmark)
  • 62.111.225.232 (Poland)

I’ve seen some other reports on the activity of this spider:

- Johann reported it here: http://johannburkard.de/blog/www/spam/effective-spam-bot-blocking.html (he reports requests coming from a different IP though: 85.239.254.57, in Czech Republic)
- Dmitry caught it checking for a login page here: http://dmitry-dulepov.com/article/toata-dragostea-mea-pentru-diavola.html (different IP here as well: 213.21.217.206, in Latvia)
- David posted about it on a forum: http://www.howtoforge.com/forums/showthread.php?p=161507 (IP used there by this scanner: 82.79.77.84, in Romania)

Based on this report here, other IPs used by this scanner are: 202.210.181.209 (Japan), 84.19.184.49 (Germany), 217.160.111.160 (Germany) and 114.141.15.22 (South Korea).

It seems this malicious spider has been placed on servers mostly in eastern Europe. The translation of the user agent is “All my love for the devil” (referring to a female devil).
