WordPress.org Forums

Sinister code in comments (held for moderation) (7 posts)

  1. Joni
    Member
    Posted 6 years ago #

    Don't know if this is a coincidence, but I just upgraded one of my blogs from 2.5.0 to 2.5.1 earlier and noticed, at about the same time, that this appeared in comments being held for moderation:

    ' AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login='admin' and substring(reverse(lpad(conv(substring(user_pass,1,1), 16, 2),4,'0')),1,1)='1' /*

    and this as well:

    Bill527326335','636919450billy@msn.com','','163.107.166.154','2008-06-06 18:56:17','2008-06-06 18:56:17','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-06-07 18:56:17', '2008-06-07 18:56:17', '', 'spam', '', 'comment', '0','0' ) /*

    Since comments are moderated, no harm done, right? But what was he up to? Is it a coincidence this happened around the time of the upgrade? And is this something to be concerned or alarmed about?

  2. whooami
    Member
    Posted 6 years ago #

    That's an exploit attempt that goes back to the early 2.0.x branch, best I can tell.

  3. Joni
    Member
    Posted 6 years ago #

    So he's a day late and a dollar short. I won't worry about it too much then. I banned his IP and we're on 2.5.1. :)

  4. whooami
    Member
    Posted 6 years ago #

    Oh crap, that's you, I didn't even notice... let me make absolutely sure about what I just wrote.

  5. whooami
    Member
    Posted 6 years ago #

    I'm going to back out of that statement -- while it looks like the old UTF/charset exploit for 2.0.5 -- that used a trackback.

    And strangely enough, when I googled a particular string in what you pasted, I ended up clicking a link through Google that wanted to redirect me to anyresults.com.

    Sound familiar?

  6. whooami
    Member
    Posted 6 years ago #

    Just found another via Google --

    Do you have my postlogger plugin installed? I would LOVE to see the output of the $post vars for that, if you do.

    /me runs off to check all the blogs I have access to that have that installed

  7. whooami
    Member
    Posted 6 years ago #

    Going through Google's cache of some of those sites -- they're pretty much all running older versions of WP (geee, who woulda guessed)... I dunno, better safe than sorry.
