WordPress.org

Support

Support » How-To and Troubleshooting » Sinister code in comments (held for moderation)

Sinister code in comments (held for moderation)

  • Don’t know if this is a coincidence, but just upgraded one of my blogs from 2.5.0 to 2.5.1 earlier and noticed about the same time, this appeared in comments being held for moderation:

    ‘ AND 1=0) UNION SELECT 1 FROM wp_users WHERE user_login=’admin’ and substring(reverse(lpad(conv(substring(user_pass,1,1), 16, 2),4,’0′)),1,1)=’1′ /*

    and this as well:

    Bill527326335′,’636919450billy@msn.com’,”,’163.107.166.154′,’2008-06-06 18:56:17′,’2008-06-06 18:56:17′,”,’0′,’lynx’,’comment’,’0′,’0′),(‘0’, ”, ”, ”, ”, ‘2008-06-07 18:56:17’, ‘2008-06-07 18:56:17’, ”, ‘spam’, ”, ‘comment’, ‘0’,’0′ ) /*

    Since comments are moderated, no harm done, right? But what was he up to? Is it coincidence this happened around the time of the upgrade? And is this something to be concerned or alarmed about?

Viewing 6 replies - 1 through 6 (of 6 total)
  • whooami

    @whooami

    Member

    thats an exploit attempt that goes back to the early 2.0.x branch, best I can tell.

    So he’s a day late and a dollar short. I won’t worry about it too much then. I banned his IP and we’re on 2.5.1. 🙂

    whooami

    @whooami

    Member

    oh crap, thats you, I didnt even notice .. let me make absolutely sure about what I just wrote.

    whooami

    @whooami

    Member

    Im going to back out of that statement — while It looks like the old utf/chaset exploit for 2.0.5 — that used a trackback.

    And strangely enough, when I googled a particular string in what you pasted, I ended up clicking a link through google that wanted to redirect me to anyresults.com

    sound familiar??

    whooami

    @whooami

    Member

    Just found another via google —

    do you have my postlogger plugin installed, I would LOVE to see the output of the $post vars for that, if you do.

    /me runs off to check all the blogs I have access to that have that installed

    whooami

    @whooami

    Member

    Going through google’s cache of some of those sites — theyre pretty much all running older versions of wp (geee, who woulda guessed) .. I dunno, better safe than sorry

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Sinister code in comments (held for moderation)’ is closed to new replies.