Just got my blog defaced this Monday

On June 9, 2010, in WP hacks, by catalin

I’m not a blogger, although it sounds fancy to be one. I just keep this blog up to gather spam comments (for some reason, spam bots do enjoy this blog and I get a lot of fresh new samples every day).

Anyway, this Monday I received a lot of emails from friends saying ha ha!, you got your blog defaced (btw, thanks for the emails everybody. I rarely visit my blog, so I would have probably noticed next week). What could I say… me? You sure? I’m a targeted victim now? Wow… I’m famous :D .

Well, they were right, this is what I saw when I entered my blog….. :D

So, after replacing the index.php with an empty index, I started to check the apache logs to see what happened.

Turns out that, if you bing for “ip:208.109.78.139 powered by wordpress” like the bad guys did (http://www.bing.com/search?q=ip%3a208.109.78.139+powered+by+wordpress&go=&scope=web&qs=n&sk=&sc=1-39&first=31&FORM=PERE2) you will get all the wordpress blogs hosted at that IP, which turns out to be a godaddy server according to the whois information.

So, now that they know that this blog is a wordpress blog hosted on a godaddy server, let’s see what the apache logs indicate:

"GET blog.catalincosoi.com/wp-content/themes/2/style.css HTTP/1.1"
"GET blog.catalincosoi.com/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/print.css HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/img/header.jpg HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/login.css?ver=20091010 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/css/colors-fresh.css?ver=20091217 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/logo-login.gif HTTP/1.1"
"GET blog.catalincosoi.com/favicon.ico HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-login.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=dashboard,plugin-install,global,wp-admin&ver=17aa35fdf22036c3f75256fc16b16184 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/ HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/images/blank.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-image.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wpspin_light.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-video.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-music.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/media-button-other.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/wp-logo.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/visit-site-button-grad.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/fav-arrow.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,jquery-ui-core,jquery-ui-resizable,admin-comments,jquery-ui-sortable,postbox,dashboard,plugin-install,thickbox,media-upload&ver=e7dd2696b99d6664702753286996fc2d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-bits.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-dark.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/menu-arrows.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-left.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/screen-options-right.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/gray-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/white-grad.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/icons32.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_incoming_links HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_primary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_secondary HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/index-extra.php?jax=dashboard_plugins HTTP/1.1"
"GET blog.catalincosoi.com/wp-includes/js/thickbox/thickbox.css?ver=20090514 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/themes.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=global,wp-admin&ver=4198bec071152ccaf39ba26fd81dcd63 HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=d24248fe4b0cd62086633fd42ef1019b HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/3/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/connections/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/bluehorizon/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/2/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/classic/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color,thickbox,theme-preview&ver=7cccc49e3f8148675288b56f5fb521e5 HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/1/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-content/themes/default/screenshot.png HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-styles.php?c=1&dir=ltr&load=theme-editor,global,wp-admin&ver=82cd6abb819d7fe96521a25504995eeb HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color&ver=975a66473369e28f12fa81a4deb3836d HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/images/button-grad-active.png HTTP/1.1"
"POST blog.catalincosoi.com/wp-admin/theme-editor.php HTTP/1.1"
"GET blog.catalincosoi.com/wp-admin/theme-editor.php?file=/home/content/c/a/t/catalinus/html/blog/wp-content/themes/2/index.php&theme=blackview&a=te&scrollto=12331 HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?action=logout&_wpnonce=f7ab117f9b HTTP/1.1"
"GET blog.catalincosoi.com/wp-login.php?loggedout=true HTTP/1.1"

If I’m reading this correctly, it happened like this:

  1. search for wordpress blogs hosted at that godaddy address
  2. log in
  3. modify the theme’s index.php
  4. log out

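The same four-step sequence can be picked out of an access log automatically. The script below is an added example, not part of the original post: it assumes Apache combined log format (the post only shows the request part, so the IPs, timestamps and status codes in the sample are constructed), treats a 302 answer to a POST on wp-login.php as a successful login (WordPress redirects on success and re-renders the form with 200 on failure), and reports every client that then saves a file through theme-editor.php, together with the theme file it had opened.

```python
"""Flag WordPress sessions that log in and then edit a theme file through
the built-in theme editor, i.e. the login -> theme-editor.php -> logout
sequence reconstructed from the access log above."""
import re
from collections import defaultdict

# Apache combined format; everything after the byte count is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample (IPs, times and sizes are made up): one client logs
# in, opens themes/2/index.php in the editor and POSTs a change, then logs
# out; a second client only fails a login and never reaches the editor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2010:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:03:12:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:03:13:40 +0000] "GET /wp-admin/theme-editor.php?file=/themes/2/index.php&theme=blackview&dir=theme HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:03:14:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2010:03:14:30 +0000] "GET /wp-login.php?action=logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Jun/2010:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_editor_edits(log_text):
    """Return {ip: [(timestamp, theme file), ...]} for clients that logged
    in (302 on POST /wp-login.php) and later saved via theme-editor.php."""
    logged_in = set()
    opened = defaultdict(list)   # ip -> theme files opened in the editor
    edits = defaultdict(list)    # ip -> (time, file) for each save
    for r in parse(log_text):
        path, _, query = r["path"].partition("?")
        if r["method"] == "POST" and path == "/wp-login.php" and r["status"] == "302":
            logged_in.add(r["ip"])
        elif r["ip"] in logged_in and path == "/wp-admin/theme-editor.php":
            if r["method"] == "GET":
                m = re.search(r"(?:^|&)file=([^&]+)", query)
                if m:
                    opened[r["ip"]].append(m.group(1))
            elif r["method"] == "POST":
                last = opened[r["ip"]][-1] if opened[r["ip"]] else "?"
                edits[r["ip"]].append((r["ts"], last))
    return dict(edits)
```

Independently of detection, defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editors from the dashboard, so a stolen password alone no longer lets anyone rewrite index.php from the browser.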
Which means 3 things:

  1. I am not the only victim (bing for the same IP + the hacker's name and you can find other defaced blogs)
  2. They knew my (and the others') password -> will look further into this one!!!!
  3. I’m not that famous

Obviously, since they had admin access, they could have done whatever they wanted besides just defacing.

Now I have to find out where they got the passwords from. I googled for godaddy server hacked and found plenty of links to start from, but they all state that godaddy isn’t very helpful… I’ll send them an email as well.

So… disappointed that I wasn’t the targeted [famous] victim, I’ll start searching for a new WP theme (it was about time to change it, I sort of got bored of all that black) and will also see what exactly happened with these passwords.
Will be back!

PS: also created a new category :D
