Wordpress Exploit Nails Big Name Seo Bloggers

82 comments

Right now when I goto http://www.wolf-howl.com/ I am getting a 200 response to http://fuckingpirate.wordpress.com/j00z-43-b33-4/

Edit: 17:08:00

I now see the guy has targeted tons of seo sites and as you can read below in comments has already started owning some of them.

http://fuckingpirate.wordpress.com/ for the full list

I am on the list as well and will be keeping a close eye out for suspicious activity.

Comments

i just pm'd him about that,

i just pm'd him about that, though i doubt he needs a headzup. reading the garbled message on the redirect content, it's hard to say if this is a hack or linkbait.

Tried to find a contact addy

Tried to find a contact addy - LinkedIn says I have to upgrade the account to do so, and MyBlogLogs doesn't have the feature - and MySpace keeps crashing.

As with RC, hard to tell if a hack or linkbait. :)

To be honest, not seen a hack redirect to another site like this. I mean, Wordpress?? Seen a lot of hacked sites, and they usually leave the calling card on the front of the domain - "freedom for Palestine" and all that sort of jazz.

I am thinking dns h4x

due to the response code of 200 and after doing some dns checks it looks like the dns servers are open and could be spoofed...

http://www.dnsreport.com/tools/dnsreport.ch?domain=wolf-howl.com

Todd Malicoat's gone AWOL

Todd Malicoat's gone AWOL too:
http://www.stuntdubl.com/

CSS is gone on main page, then click on a topic and it's to the same Wordpress hack announce.

Wouldn't think they're team tagging, unless it's a major new feature of link baiting.

>I mean, Wordpress?? Yeah,

>I mean, Wordpress??

Yeah, and combine that with some of the 'evil alter-ego' text and a few other seo sites listed, I came away thinking it was linkbait.

V7n too

I was just going to report http://blog.v7n.com/ got nailed too.

>dns servers are open and

>dns servers are open and could be spoofed

New ballgame, then. I'll sit back and wait before venturing another guess.

Check out the list on the

Check out the list on the Wordpress site:
fuckingpirate.wordpress.com/the-list/

Does that look like a hackers list? A list of SEO interest sites?

Only Mike and Todd are down at present.

What People Won't Do for Attention

You know, I saw that this had happened to the v7n blog and thought, "Gosh, I hope no one links to that Pirate site," because then it will be giving the link whore exactly what they want, attention.

Of course the LinkBait jaded me thought "I wonder if this is an elaborate hoax by all the sites on the list?" See what too much LinkBait can do to a girl :).

have you seen

Natasha im sure matt cutts has lots to gain by being on the list... have you seen it? Before you say all the sites on the list are in on some hoax maybe you should look at the list =P

I will tell you right now no bullshit I know of no hoax.

Shoemoney: I looked at the list an hour or so ago

when I saw "Hello World From FuckingPirate!" in my RSS Reader. And I thought that a few of the sites on the list (such as Matt Cutts and the Hacker site) were on there to throw off that big stink of LinkBait that is coming from that site. But I could be wrong.... ;)

Added: I guess the bigger problem then is that LinkBait seems to desensitize the reader after a while, to the point where everything seems like LinkBait including a legitimate hacking...

No offense to you Natasha

No offense to you Natasha but honestly how many times have you seen someone stage anything? Especially on the criminal level?

Yep - plenty of authority

Yep - plenty of authority sites in the mix. Link any good link list should have.

Genuinely hoping this isn't an attempt at linkbait.

I suspect that the hacker is

I suspect that the hacker is affiliated with at least one of the sites on the list. That's one way to get his link / traffic / attention from the SEO community.

What do we do?

You guys see that list right? Isn't there a way wordpress can track his IP and he can get sued?

Thank you

..

More like an Ass Pirate...

Added: I guess the bigger

Added: I guess the bigger problem then is that LinkBait seems to desensitize the reader after a while, to the point where everything seems like LinkBait including a legitimate hacking...

I am proud if I have even made a small contribution to this phenomenon.

"You're ruining it for the rest of us!!!!!!!!"

I'd suggest you all upgrade

I'd suggest you all upgrade wordpress boys n gals it aint very secure atm. Many / most on that list have one thing in common.

hacking via script kiddy stuff not via DNS abuse

LOL

No offense taken Shoemoney.

how many times have you seen someone stage anything

Countless. On the criminal level... never and hopefully this isn't the first time. Though "How I broke the law for links, Confessions of a LinkWhore" or "Beg, Borrow, Steal and Hack your way to Links" have a nice LinkBaity ring to them.

BTW: Andy you and NickW set the high watermark for linkbait aka: you ruined it for everyone else :)

Based on the Irish WP?

I saw on DaveN's site about the Irish WP issue...perhaps it gave someone an idea.

Agree that it not likely to be link-bait at all, as this is a criminal offense. Was he serious about trying for hackers org? That's like trying to knock off a gun store with a pocket knife.

He is certainly enjoying this

Just posted on FP -

You guys link fast…

Anyways, I just started the first hacking cruzade… The easy targets (Wordpress blogs with register_globals=on) using a custom PHP script based on this code

The easy ones where blog.v7n.com, www.boogybonbon.com, www.stuntdubl.com & www.wolf-howl.com.

At least there is something

At least there is something fun to talk about eh?

of you guys on the list

of you guys on the list anyone seen any weird activity from this ip

64.228.136.115

I am not sure if its this guy but it maches some of the querrys this python script puts out.

In order for this guys python script to work he has to figure out your admin Id. Mine is a weird one so maybe that is why I did not get owned...

I can see the attempts to guess it here..

64.228.136.115 - - [15/Jan/2007:14:42:01 -0600] "GET /wp-admin/user-edit.php?user_id=1 HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20060911 SUSE/1.5.0.8-0.2 Firefox/1.5.0.8"

By default it will guess userid #1 that is what wordpress defaults to on install.

Basically the person has to go through the ids until its revealed which one is live then he tries to get your hash then execute sql commands

told ya he was a script

told ya he was a script kiddie

v7n was first

then Todd (his trackbacks now go to fuckingpirate.wordpress.com), then GrayWolf. At first I thought they might be pulling a prank on their own sites, but now I don't think so.

I'm not on the target list, but being mentioned in the intro was enough for me to batten down the hatches (so to speak).

Shoe, we will be going

Shoe, we will be going through the server logs and I'll get back to you, but at the moment I don't see that IP on our server.

john can I get a copy of

john can I get a copy of your logs? pm me.

I got hacked last week and

I got hacked last week and until I reported my site to Google it was ranking extremely well for ringtones and viagra. Shoemoney seems to know too much about this stuff.

>Shoemoney seems to know too

>Shoemoney seems to know too much about this stuff.

After 7 years of attack and penetration experience testing on web applications for some of the worlds largest financial institutions you should know a thing or 2 about web security ;)

Yeah, I thought that too,

At first I thought they might be pulling a prank on their own sites, but now I don't think so.

Yeah, I wondered that too, especially with GW's recent posts, but looks weirder than that. Wouldn't think Todd would be up for it either after his negative "sell your soul" comments on baiting.

All I'm sure of is that this is a very ugly event, and I wouldn't want to be anywhere near that list because of the sh!t that could get thrown at everyone on it.

2c.

Wordpress 2.0.7 now

Wordpress 2.0.7 now released:
http://wordpress.org/download/

Wordpress.com took him out

for violating TOS.

WP finally canned

his blog. He can run, but can he hide?

added: copyblogger beat me to it.

Turning register_globals to OFF.

Instructions found here:

Wordpress Security Update

maybe the fucking pirate got

maybe the fucking pirate got haxed =P

Agreed Jason

Quote:
hacking via script kiddy stuff not via DNS abuse

Raw DNS is returning different sites - therefore it has to be on the subject IP.

Small screen Cap

Small screen cap of the hackers site can be found:

http://www.jason-roe.com/blog/stuntdubl-marketing-consulting-hacked-seos-a-target/

Shoe I also found that IP in my logs .. my guess is he came to check the trackback link that my blog sent him. No sign of the exploit being run.

everyone should grep their

everyone should grep their logs for "/wp-trackback.php?p=" and other stuff in that python script. The querys should be super simple to spot

Anyone know a guy...

... removed comment ...

Serious question for

Serious question for shoemoney - How far do you go to exploit "gray areas" for ringtones?

I would love to know who has been playing around and ranking pages from a sub directory on my site. I am not talking about page #3 in Google, I am talking about the top positions for MANY phrases related to ringtones and viagra. Someone was using the weakness in Wordpress to make some BIG $ and doing VERY well in Google. Glad I removed the directory in time, bet there are thousands of other sites out there that are not aware of the SEO/hacker connection but maybe that is how it is played today? Can someone enlighten me?

I can answer the question

>>Serious question for shoemoney - How far do you go to exploit "gray areas" for ringtones?

Well first off ringtones was so 6 months ago ;) I have not done anything new in that niche since June/July.

I can answer the question pretty easy. I am never into doing stuff that would be criminal.

I can go into more detail and explain the difference between hacking/cracking and how it relates but I really do not want to be taken out of context.

The bottom line is I am never a part of anything against the law.

UTF-7 exploit

shoemoney, I did parse through my logs and saw a guy at this IP in Utah: 155.97.203.200 on the 11th. I doubt it's related as I get lots of unsuccessful hack attempts.

Relocated

seems like he has re-located to http://fuckingpirate.blogspot.com/

another site down

looks like seopedia is down too...
and that this person likes SEOMoz too....

hmmm... I guess they have a lot of time on their hands to be playing games like this, instead of using the time to make money ....ah well we all have our priorities! :)

It's not down. I was doing

looks like seopedia is down too...

It's not down. I was doing the update (just to be on the safe side).

Thanks for clarifying Shoe,

Thanks for clarifying Shoe, you might want to also be aware that whomever hacked my site was also targeting your interview with comment spam related to ringtones, hehe strange but true. :-)

Storyspinner - The SEO hacking dude says that anyone who is a "self proclaimed SEO guru" is fair game. I have to admit that I get a kick out of that, cuz some of us could learn to be a little more humble. ;o)

>>The SEO hacking dude says

>>The SEO hacking dude says that anyone who is a "self proclaimed SEO guru" is fair game

That bothers me I always say I suck at SEO =(

Maybe I should start saying I am the SEO KING!!!

My blog didn't got owned,

My blog didn't got owned, and the little bastard had me on his intial list.

I updated to 2.0.7 anyway.

not impressed

He has only hit sites where the exploit wqs big enough to drive a truck thru.

.

.

matts blog is not down...

matts blog is not down...

Matt's site not down

It smells of attention

It smells of attention getting, linkbaiting whatever you want to call it. But interesting none the less. It most likely is someone on the list but there are notables not on it as well. So it could be someone very close to one of those self proclaiming seo king personas.

Hack Not Linkbait

Those names on the list aren't exactly starved of attention.

It's not linkbait. It's a criminal offense.

Not linkbait

Ironically enough - I was sitting in "Mustang Sally's" in NYC with Michael - when after a nice lunch chat before our im-ny.org meeting, I had several mails on my phone that had the subject of "hacked?" (while reading my pda - I thought to myself "this can't be good", chuckled, and proceeded to mustang harry's") - thank you to all the folks who bothered to mail me. No thanks to the folks who thought it was linkbait (are we really that fickle that you think I'd lie to people for links to my BLOG?), and to the schmuck who decided to publicly display my security flaw (as usual the cobbler's kids has no shoes).

Should hopefully have a report by morning, and and a restored site - currently on the train back to albany after a wonderfully pleasant evening with a great group of new yorkers, and nearby fellow sem folks.

hacked

It's a real hack I was actually in the city having dinner with Todd when we found out about it.

Jeremy shot you the logs let me know

Up late working on this crap sigh ...

thanks to the people who emailed and called to let me know

People, it has been a long

People, it has been a long day and I have worked a lot... I will stop
defacing for a couple of days and I'll work in something for Digg.com

http://fuckingpirate.blogspot.com/

Southwest Connecticut

From http://fuckingpirate.blogspot.com/ :
"...a local coffe shop called Margarita's Coffe Shop"

Might be a decoy but "Margarita's Coffe Shop" is in Southwest Connecticut.

thanks littleman

*grumble grumble*

Sharing the Intellegence

If you were hacked drop me an email I have some string I'd like you to check for in your logs, different from the one's shoemoney is onto.

Not a python script

Shoe: The pirate himself said he basically wrote a php script based off of that python code. I looked at the code, wouldn't be too hard to port over to php.

wrong

The blogsphere (God I hate that word) is filled with countless "SEO blogs" syndicating what other "SEO blog" syndicated from another "SEO blog" that syndicated some bullshit guru

It's wrong what he did and I'm sorry for the targets, but he does make a good point about the many many so called SEO blogs out there that are nothing more than linking to Matt Cutts with a sentence like, "Matt Cutts discusses supplemental results", or even worse pointing to an SEO blog that points to Matts blog.

Booted ...

Looks like he got booted from Blogspot too :)

I'm still seeing his

I'm still seeing his blogspot pages (fuckingpirate.blogspot.com).

making a point

Quote:
he does make a good point about the many many so called SEO blogs

Other people have highlighted the large amount of redundancy in SEO commentary but have done so in a far more civilised fashion.

Me? I'm more worried about the threat to the security of my websites posed by people like this dude than I am about a few SEOs padding out their blogs with fluff pieces.

Register globals

Register globals was highlighted as a security hole in PHP a long time ago, and was unset by default in PHP 4.2, way back in 2002.

From what I can see, the Wordpress fix just compensates for amateurish or ancient PHP setups.

Mikkel his blogspot account

Mikkel his blogspot account is still active.

littleman's link was screwy,

littleman's link was screwy, now fixed. And the blogspot site's still up.

It's not a register_globals problem

jetboy it's more than a register_globals thing. The flaw is in the PHP core, having to do with an assumption about data types. It has been fixed in the current versions of 4 and 5.

The flaw creates a problem for some PHP routines, including unset(). The register_globals issues was "solved" by some software coders (including phpBB and Wordpress teams), by using unset() to clear variables that might be untrustworthy due to register_globals being left on. That way the app wouldn't care if register_globals was on or not. BUT... the flaw is potentially a problem for all PHP code, not just web masters who have register_globals on.

Wordpress and phpBB are early targets for which working exploits were published within a week or so of the revelation by the hardened PHP team that this flaw existed and could be exploited. The flaw in PHP left opportunities, and the coding within the apps created exploit possibilities. Each app potentially creates a different, unique opportunity for an exploit to work. You don't need to have register_globals on to be vulnerable. You just need to have PHP < 4.whatever or PHP 5 < 5.whatever.

Graywolf and Todd didn't have to have insecure setups to be hacked like this. They could have been hacked because they were using an older (but not old) version of PHP, and they were using Wordpress < 2.0.7. Like most everybody else.

What can really bake your noodle is thinking about your vulnerability as a user of the Wordpress platform. If a flaw is discovered, you are vulnerable and can't do a thing about it, as hackers target one of the largest communities in web world (Wordpress sites). BUT... wordpress dev Mark Jaquith posted an update within hours of first notice, and a full upgrade was released shortly after even though the Wordpress dev team is pushing out a new version with a deadline of the 22nd.

If you were on a custom platform, how long before you knew how the PHP flaw was a factor based on how your app was coded, and then how long before your coders could fix the problem and provide a patch? I bet you count that in weeks at best. So how do you manage the risk...exposure via platform footprint vs. time to detect and fix? If you were a target (as these guys were) then exposure was a given, and time to fix was the key. Better to be using Wordpress.

So if you use Wordpress, go to Manage/Backup and email yourself a backup. Then go donate to the Wordpress cause, or buy something on Mark Jaquith's amazon wish list. That's just my opinion, but I think it's better than rationalizing why you were and are not at risk.

Screw Mark Jaquith. I'm Going to the John Andrews' Wishlist.

My boy is wicked smaaaaht!

Damn nice.

Have to give kudos to Mark

Have to give kudos to Mark Jaquith, though -- for a quick fix that didn't require zillions of WordPress users to ask their web hosts what version of PHP was on their servers, and then possibly demanding that it be upgraded.

@ scoreboard

Terrific reference!

@John Andrews: Would you

@John Andrews:

Would you even be a target if you were using a "custom platform"? The hack requires you to know the variable names you are using in your code, so you'd need access to the source to make it worth bothering attacking a custom installation.

Obscurity is no security, but consider this: If you had found a generic exploitable flaw in PHP, would you a) spending 10 hours attacking a single custom site or b) spend 1 hour attacking a few thousand WordPress sites?

If you had found a generic

Quote:
If you had found a generic exploitable flaw in PHP, would you a) spending 10 hours attacking a single custom site or b) spend 1 hour attacking a few thousand WordPress sites?

depends on the goals of the hacker.

Just another reason...

... NOT to host your own blog!

I have enough trouble fighting off the rest of the idiots out there without having to worry about kiddies attacking my blog.

Guess some people have plenty of free time to reformat servers and update software, must be nice! ;)

Sure Bill

On the other hand, tech support for my servers is guaranteed available - it's sitting in my seat right now.

Problem with blog

Got this when I went to the blog
This blog has been archived or suspended for a violation of our Terms of Service.

They should have there internet blog access blocked for good.

Cheers

Blog is gone

I just checked and found the same thing as Keith, looks like it is gone.... hopefully for good. And I agree, they should be banned.

Behind the times?

His newest blog is at blogspot and it is still there. They don't seem to want to kill it.

>> Edited to not give the guy more reads than he has.

..

Please stop feeding the Moron.

Update your security.

Remove his links and his site name from your blogs and forget about him...

Added>>>>
Hey WilliamC are you promoting this guy? Why put up the site name? It would have been just as good to say his site was back up at another URL, and you would not have been promoting this feeble minded moron.

Agreed Lots0

let's let this die the death it should. I only wish that it had actually been linkbait as opposed to a real hacking as that would have gotten my vote as the best Linkbait Caper of all time. I apologize if anyone (ShoeMoney, GrayWolf, Stuntdubl, etc.) took my statements personally. It's a real shame that I actually thought it was linkbait - I guess I'm just immune to real news because of all the linkbait out there.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.