possible hack?

  • it’s kind of strange.. I got home from work today, and noticed someone posted a comment on 1 of my posts… on a freshly installed blog no one knows about… .. only 1 comment..
    but if i load up the comments table in mysql.. it shows 31 comments posted… all along the same lines…

    eg.
    1)
    Name: online poker | E-mail: lilo@suddenenlightenment.us | URI: http://www.I'm_a_stupid_spammer.com | IP: 62.39.107.121
    God not only plays dice. He also sometimes throws the dice where they cannot be seen. by online poker
    Posted Oct 26, 3:22 PM
    2)
    Name: free online poker | E-mail: lilo@suddenenlightenment.us | URI: http://www.I'm_a_stupid_spammer.com | IP: 203.113.29.3
    “A cucumber is bitter.” Throw it away. “There are briars in the road.” Turn aside from them. This is enough. Do not add, “And why were such things made in the world?” by free online poker
    Posted Oct 26, 3:22 PM
    3)
    Name: online poker | E-mail: lilo@suddenenlightenment.us | URI: http://www.I'm_a_stupid_spammer.com | IP: 62.183.198.60
    A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. by online poker
    Posted Oct 26, 3:21 PM
    in total they spent about 30 minutes adding comments… but yet.. there is only the 1 visible from my main page..
    [Moderated – URL’s removed]

    btw… i am running cvs “1.3-alpha-4”

    here are the apache logs… doesn’t show too much, nothing weird or strange.. just those ips accessing the page.

    [root@x log]# grep -i "216.17.211.9" httpd/access.log
    216.17.211.9 - - [26/Oct/2004:14:44:22 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    216.17.211.9 - - [26/Oct/2004:14:44:23 -0400] "GET /index.php?p=1 HTTP/1.1" 200 3962 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    216.17.211.9 - - [26/Oct/2004:15:18:43 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    216.17.211.9 - - [26/Oct/2004:15:18:44 -0400] "GET /index.php?p=25 HTTP/1.1" 200 3962 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    [root@x log]# grep -i "62.39.107.121" httpd/access.log
    62.39.107.121 - - [26/Oct/2004:15:22:32 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    62.39.107.121 - - [26/Oct/2004:15:22:36 -0400] "GET /index.php?p=31 HTTP/1.1" 200 3962 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    [root@x log]# grep -i "203.113.29.3" httpd/access.log
    203.113.29.3 - - [26/Oct/2004:15:22:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:01 -0400] "GET /index.php?p=30 HTTP/1.1" 200 3962 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:02 -0400] "GET /print.css HTTP/1.1" 404 280 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:02 -0400] "GET /wp-atom.php HTTP/1.1" 200 1098 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:02 -0400] "GET /wp-rss2.php HTTP/1.1" 200 1102 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:02 -0400] "GET /wp-rss.php HTTP/1.1" 200 632 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:03 -0400] "GET /?m=200410 HTTP/1.1" 200 7734 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    203.113.29.3 - - [26/Oct/2004:15:22:03 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "http://www.x.org/index.php?p=30" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

    He’s been hitting a lot of WP blogs lately. Somehow this guy wrote a script that hits the target blog with a bunch of comments to posts that don’t exist yet……
    I swear….. if we catch this guy…… grrrr….
    TG

    It spams wp-comments.php with random post IDs, so it’s completely random on which posts it appears. You can rename wp-comments.php to solve the problem, or blacklist him 🙂

    cool, thanks for the inputs guys!

    Lookie, lookie, I cursed! Looks like a bit of a misdirect of my own minor frustration with comment spamming (though I hope the point is not missed on future posters). Dang, now I’ll have to wash my hands with soap.
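
The access log posted at the top of the thread shows one pattern from several addresses: a POST to /wp-comments-post.php with an empty Referer and an identical User-Agent. The following is an added example, not part of any forum post, that picks that pattern out of an Apache combined-format log; the function names and the last sample line are constructed, and treating a missing Referer as suspicious is a heuristic assumption, not a WordPress feature.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
COMMENT_ENDPOINT = "/wp-comments-post.php"


def blind_comment_posts(lines):
    """Yield parsed entries for comment POSTs that arrive without a Referer."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        # A browser submitting the comment form normally sends the post URL as Referer.
        if m["method"] == "POST" and path == COMMENT_ENDPOINT and m["referer"] in ("-", ""):
            yield m.groupdict()


def shared_agent_sources(lines, min_ips=2):
    """Map User-Agent -> sorted IPs for agents blind-posting from >= min_ips addresses."""
    by_agent = defaultdict(set)
    for entry in blind_comment_posts(lines):
        by_agent[entry["agent"]].add(entry["ip"])
    return {ua: sorted(ips) for ua, ips in by_agent.items() if len(ips) >= min_ips}


UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
SAMPLE = [
    # First four lines are taken from the log excerpt in the thread.
    f'216.17.211.9 - - [26/Oct/2004:14:44:22 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "{UA}"',
    f'62.39.107.121 - - [26/Oct/2004:15:22:32 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "{UA}"',
    f'62.39.107.121 - - [26/Oct/2004:15:22:36 -0400] "GET /index.php?p=31 HTTP/1.1" 200 3962 "-" "{UA}"',
    f'203.113.29.3 - - [26/Oct/2004:15:22:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "{UA}"',
    # Constructed line: a comment submitted from the post page, Referer present.
    '192.0.2.10 - - [26/Oct/2004:16:00:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 - '
    '"http://www.x.org/index.php?p=1" "Mozilla/5.0 (constructed browser)"',
]

if __name__ == "__main__":
    for agent, ips in shared_agent_sources(SAMPLE).items():
        print(f"{len(ips)} addresses blind-posting comments as {agent!r}: {', '.join(ips)}")
```
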
