Just got my blog defaced this Monday

On June 9, 2010, in WP hacks, by catalin

I’m not a blogger, although it sounds fancy to be one. I just keep this blog up to gather spam comments (for some reason, spam bots really enjoy this blog and I get a lot of fresh new samples every day).

Anyway, this Monday I received a lot of emails from friends saying “ha ha, you got your blog defaced!” (btw, thanks for the emails everybody. I rarely visit my blog, so I would probably have noticed next week). What could I say… me? You sure? I’m a targeted victim now? Wow… I’m famous :D .

Well, they were right, this is what I saw when I entered my blog….. :D

So, after replacing the defaced index.php with an empty one, I started checking the Apache logs to see what had happened.

Turns out that if you bing for “ip:208.109.78.139 powered by wordpress” like the bad guys did (http://www.bing.com/search?q=ip%3a208.109.78.139+powered+by+wordpress&go=&scope=web&qs=n&sk=&sc=1-39&first=31&FORM=PERE2), you get all the WordPress blogs hosted at that IP, which turns out to be a GoDaddy server according to the whois information.

So, now that they know this blog is a WordPress blog hosted on a GoDaddy server, let’s see what the Apache logs indicate:

"GET blog.catalincosoi.com/wp-content/themes/2/style.css HTTP/1.1"
"GET blog.catalincosoi.com/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/print.css HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/img/header.jpg HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/login.css?ver=20091010 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/colors-fresh.css?ver=20091217 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/logo-login.gif HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/images/blank.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-image.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wpspin_light.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-video.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-music.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-other.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wp-logo.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/visit-site-button-grad.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav-arrow.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,jquery-ui-core,jquery-ui-resizable,admin-comments,jquery-ui-sortable,postbox,dashboard,plugin-install,thickbox,media-upload&ver=e7dd2696b99d6664702753286996fc2d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-bits.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-dark.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-arrows.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-left.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-right.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/gray-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/white-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/icons32.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_incoming_links HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_primary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_secondary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_plugins HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/themes.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=global,wp-admin&ver=4198bec071152ccaf39ba26fd81dcd63 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=d24248fe4b0cd62086633fd42ef1019b HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/3/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/connections/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/bluehorizon/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/classic/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,thickbox,theme-preview&ver=7cccc49e3f8148675288b56f5fb521e5 HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/1/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/default/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=theme-editor,global,wp-admin&ver=82cd6abb819d7fe96521a25504995eeb HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color&ver=975a66473369e28f12fa81a4deb3836d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/home/content/c/a/t/catalinus/html/blog/wp-content/themes/2/index.php&theme=blackview&a=te&scrollto=12331 HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?action=logout&_wpnonce=f7ab117f9b HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?loggedout=true HTTP/1.1"

If I’m reading this correctly, it happened like this:

  1. search for wordpress blogs hosted at that godaddy address
  2. log in
  3. modify the theme’s index.php
  4. log out
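The sequence above (a successful login, a GET of theme-editor.php naming the file, a POST to theme-editor.php that saves it, then a logout) is exactly the kind of thing worth flagging automatically in the access log. What follows is an added example written for this post, not code from the original article: a small Python script that parses Apache combined-format lines, groups them per client IP, and reports any IP that logged in and then saved a file through the admin theme or plugin editor. The log lines in it are constructed for the example (RFC 5737 documentation addresses, a placeholder nonce) and only mimic the request sequence shown above; they are not from the real logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in Apache "combined" format. The post above only shows
# the request field, so source IPs, timestamps and status codes here are
# invented for the example (IPs are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2010:10:15:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:15:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:16:40 +0000] "GET /wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:17:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2010:10:17:20 +0000] "GET /wp-login.php?action=logout&_wpnonce=PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2010:11:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2010:11:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2010:11:02:30 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
this line is not an access-log entry
"""

# ip ident user [timestamp] "METHOD target PROTOCOL" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admin pages that write files to disk; matched by suffix so that a blog
# installed in a subdirectory (e.g. /blog/wp-admin/...) is still caught.
EDITOR_SUFFIXES = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def find_admin_file_edits(log_text):
    """Return one finding per file save made through the admin editor after a login."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry:
            by_ip[entry["ip"]].append(entry)

    findings = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["time"])
        login_at = None      # time of the last successful login seen from this IP
        last_opened = None   # the file= parameter of the last editor page opened
        for e in entries:
            if e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
                # WordPress answers a successful login with a redirect (302);
                # a failed attempt re-renders the form with 200, so only 302 counts.
                if e["status"] == 302:
                    login_at = e["time"]
            elif e["path"].endswith(EDITOR_SUFFIXES):
                if e["method"] == "GET" and "file" in e["query"]:
                    last_opened = e["query"]["file"][0]
                elif e["method"] == "POST" and login_at is not None:
                    findings.append({
                        "ip": ip,
                        "login_at": login_at,
                        "edit_at": e["time"],
                        "file": last_opened,
                    })
    return findings


if __name__ == "__main__":
    for f in find_admin_file_edits(SAMPLE_LOG):
        print(f"{f['ip']} logged in at {f['login_at']:%H:%M:%S}, "
              f"saved {f['file']} via the admin editor at {f['edit_at']:%H:%M:%S}")
```

On real logs, feed the file contents instead of `SAMPLE_LOG`; the only assumption is the default combined log format. The second IP in the sample logs in and edits a post, which is normal admin activity and is deliberately not reported. If the theme editor is not needed at all, the cleanest fix is to switch it off with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the theme and plugin editors from the admin UI, so a stolen password alone no longer gives a one-click way to rewrite index.php.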

Which means 3 things:

  1. I am not the only victim (bing for the same IP + the hacker’s name and you can find other defaced blogs)
  2. They knew my (and the others’) password -> will look further into this one!!!!
  3. I’m not that famous

Obviously, since they had admin access, they could have done whatever they wanted besides just defacing.

Now I have to find out where they got the passwords from. I googled for “godaddy server hacked” and found plenty of links to start from, but they all say that GoDaddy isn’t very helpful…. I’ll send them an email as well.

So… disappointed that I wasn’t the targeted [famous] victim, I’ll start searching for a new WP theme (it was about time to change it, I sort of got bored of all that black) and will also see what exactly happened with these passwords.
Will be back!

PS: also created a new category :D


16 Responses to “Just got my blog defaced this Monday”

  1. Mihai Todor says:

    How the hell did I miss this one? :))

    “They knew my (and the others) password” – Since they managed to hack other WordPress blogs as well, my guess is that they might have infiltrated the server somehow… As far as I can see, the access log doesn’t seem to contain anything relevant. I’m really curious to find out how they managed to pull off this attack. You don’t seem like the kind of person who uses ’123′ for a password :P

  2. catalin says:

    You should see the conversations I had with their support. The first one was offering me some hints of how a strong password looks like and the second one was suggesting to move from FTP to SSH.

    Also, Unfortunately, we would not be able to discuss any vulnerabilities on a hosting account if there was one or say if the hosting account was indeed hacked. We know of no known WordPress exploits at this time.

    I was just trying to help, not blame :)

  3. Mihai Todor says:

    I just love the people from support when they are clueless :)

  4. Penny Stocks says:

    they sure do…You know what was funny..I saw the alert and said what the heck and purchased some when it was below a penny..My patience grew thin but i just held on too it not paying attention..THen on monday i checked it and it was up 100%..I couldnt believe it so i sold right there and then..THen yester she was blowing up big again..She was at around .5 or close to it, so i put in a bid at .3 and i got it,,then it shot up to .6..I held it over night and now im curious to see what happens at the opening bell..

  5. Great blog! I actually love how it is easy on my eyes as well as the details are well written. I am wondering how I may be notified whenever a new post has been made. I have subscribed to your rss feed which need to do the trick! Have a nice day!

  6. I really like your site. Very good posts! Please continue posting such awesome content.

  7. I am grateful to you for this fantastic content. You actually did make my day :

  8. Saved your site. Appreciation for discussing. Surely well worth time clear of my personal tests.

  9. Would have been more exciting to hear a teaser clip of the engine than this picture.

  10. Google SEO says:

    I couldn’t resist commenting. :)

  11. Make an impact on, a real world-wide-web entrepreneurship tailors web page ! They come across you the best coders at very best charges telecom and voip, cellular programming, web improvement, desktop application programming

  12. Numerous people think which understand with regards to the article that they discover but really they are not. I found quite a few users simply not understand what the author attempting to supply and conclude that the write-up is useless. As what I think all content content articles posted ought to be only treated like a reference, as a reader we nevertheless have to use our mind to think to comprehend what’s right and what’s inappropriate.

  13. I’ll gear this review to 2 types of people: current Zune owners who are considering an upgrade, and people trying to decide between a Zune and an iPod. (There are other players worth considering out there, like the Sony Walkman X, but I hope this gives you enough info to make an informed decision of the Zune vs players other than the iPod line as well.)

  14. I randomly browse blogs on the internet, and I discover your article to be very informational. I have already bookmark it on my browser, in order that I can view your blog publish once more later. Additionally, I’m wondering whether or not your weblog is open for link exchange, as I really want to trade links with you. I do not normally do that, but I hope that we will have a mutual hyperlink exchange. Let me know and have an ideal day!

  15. Interesting post reminds me of another gem. – God heals and the doctor takes the fee. – Benjamin Franklin 1706 – 1790

  16. could never just turn on our nintendo & play it…We had to blow out our nintendo cartridges to get them to work
