WordPress.org

Support

Hacked?

  • Hello y’all 🙂

    I do not know where to start to work this at this point so I try to post it here. Basically I am being exploited but a swbot or intentional spammer using my server to reach an open relay. During the course of my investigaitons I have found the perp to be at IP 95.65.31.32 and what he is doing is posting a HTTP POST to my wordpress site like so:

    95.65.31.32 – – [15/May/2012:16:17:32 +0200] “POST / HTTP/1.1” 200 32 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
    95.65.31.32 – – [15/May/2012:16:17:32 +0200] “POST / HTTP/1.1” 200 11 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
    95.65.31.32 – – [15/May/2012:16:17:43 +0200] “POST / HTTP/1.1” 200 32 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”

    I have also enabled the mod_dumpio on apache to get the data collected but end up with stuff like in pastebin:

    http://pastebin.com/kZLSNP57

    This does not give me any good info and my efforts to decode the post-data has failed. Seems that it is posting to the root dir of the site though and at the end of the post there is a sendmail message confirming that this actually kicks off the email. I can also see from the sSMTP logs that this post correlates with the timing of the email.

    Currently I have pointed the sSMTP to a relay that fails due to SSL and user/pw requirements.

    I have upgraded apache to the latest version (2.2.22) and also upgraded everyting on my server to latest patch level (gentoo). Also I have upgraded all wordpress stuff to latest version, including plugins.

    What do I do next?

    Thanks for any pointers you could give!

    (also i have some trouble running tcpdump etc due to being in a virtual machine not having root access to the interface)

Viewing 10 replies - 1 through 10 (of 10 total)
Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Hacked?’ is closed to new replies.
Skip to toolbar