Blog Hack – a bit more info.

The security team at my ISP (dreamhost) found yet more infection in my blog.  The appearance of a wordpress blog can vary by installing different themes.  In the directory of one of these themes they found a file containing tool for giving a remote user a shell prompt (there is a version of the script  here).  The theme in question is not a standard wordpress theme; it is a variant I wrote up a while back.  I used it for a while a long time ago.  Which means the URL to access this was obscure.

I only retain logs for a month.  But on Jan 13th  84.3.40.172 pulled it once; notably that visit didn’t include a user agent making me think it was only enqueuing me for futher work.
On the 14th    86.106.170.114 came to visit (his user agent string was “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5”) and he proceed to:

…php
…php?d=/home/<myusername>/enthusiasm.cozy.org/
…php?d=/home/<myusername>/enthusiasm.cozy.org/&ef=wp-settings.php&edit=1
…php?d=/home/<myusername>/enthusiasm.cozy.org/&ef=wp-settings.php&edit=1
…php?d=/home/<myusername>/enthusiasm.cozy.org/&e=wp-settings.php
…php?d=/home/<myusername>/
…php?d=/home/

I assume that last step was to check if other users on the server might happen to have left their directories unprotected.
My current somewhat baseless guess is that this has been infecting my installation since April of 2008.  So, it is not unlikely that I brought the infection with me when I moved to Dreamhost in Oct 2008.

Leave a Reply

Your email address will not be published.