The 12h USSM spam-a-thon on behalf of our Russian overlords

DMZ · May 29, 2009 at 9:02 pm · Filed Under Site information 

I found it.

89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

(oh, how I wish our current layout expanded the center column smoothly)

Those are, if you’re curious, the only requests from them that day. They never fetched the theme-editor page with a GET, and they didn’t request any of the pages or components a person actually using that page would load. It looks to me like they pounded a peg right through that hole. I’m not sure exactly what happened, but voilà! We’ve got a new footer with many, many links.

So I wonder… has this person ever visited before?

Yes!

89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

Not much on reading, huh? So let’s check out who registered then….

+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID | user_login | user_pass | user_email | user_url | dateYMDhour | user_activation_key | user_status | user_nicename | user_registered | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru | | 0000-00-00 00:00:00 | | 0 | chelentanoxl | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com | | 0000-00-00 00:00:00 | | 0 | johnywhite | 2009-05-25 18:23:45 | JohnyWhite |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+

(the clock’s different)

Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!

Unfortunately, no comments from our good friend. I’d have been interested in that.

What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register; four days later they’re back and, without generating any weird attempts against nonexistent URLs, they do a couple of POSTs and they’re off to the races.
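The two tells in the access-log excerpts above (POSTs to the theme editor from a client that never GET the page, and a self-registered client going straight to admin POSTs) can be checked mechanically. This is an added detection example, not code from the original post; it assumes the Common Log Format shown above and folds `89-149-253-13.example.com`-style reverse-DNS names back to IPs by a heuristic, with the sample lines lifted from the post plus one constructed benign session.

```python
import re
from collections import defaultdict

# Common Log Format, the shape of the access-log lines quoted in the post.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$')
EDITOR = '/wp-admin/theme-editor.php'

def normalise_host(host):
    # Fold 89-149-253-13.example.com-style reverse DNS back to a dotted IP (heuristic).
    m = re.match(r'^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.', host)
    return '.'.join(m.groups()) if m else host

def parse(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r['host'] = normalise_host(r['host'])
            r['page'] = r['url'].split('?', 1)[0]  # path without query string
            yield r

def flag_clients(log_text):
    """Map client -> reasons for the two patterns the post describes: POSTing to
    the theme editor with no prior GET (a form submitted blind, not from a browser),
    and self-registering then going straight to POSTs under /wp-admin/."""
    got, registered, reasons = defaultdict(set), set(), defaultdict(set)
    for r in parse(log_text):
        c = r['host']
        if r['method'] == 'GET':
            got[c].add(r['page'])
        elif r['method'] == 'POST':
            if r['page'] == EDITOR and EDITOR not in got[c]:
                reasons[c].add('POST to theme editor without a prior GET')
            if r['url'] == '/wp-login.php?action=register':
                registered.add(c)
            elif c in registered and r['page'].startswith('/wp-admin/'):
                reasons[c].add('self-registered client POSTing to /wp-admin/')
    return dict(reasons)

# Constructed sample: lines lifted from the post's excerpts, plus one benign
# session (10.0.0.7) that loads the editor page first, as a real admin would.
SAMPLE_LOG = """\
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
10.0.0.7 - - [29/May/2009:08:00:00 -0700] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 29385
10.0.0.7 - - [29/May/2009:08:00:30 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
"""
```

Running `flag_clients(SAMPLE_LOG)` reports only 89.149.253.13, with both reasons, while the admin session that loaded the page first stays clean.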

To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:

Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us

The site in its current form appears to have been generated approximately 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.

Not a lot for us there.

Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.

That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…

Timeline of events
– internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
– bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
– they hit the site, changing footer.php
– they do it twice more in rapid succession
– they don’t touch it again
– I wake up, go to work, and at three get tipped off that something’s seriously wrong

There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.

What’s the damage, as far as I can tell?

Known:
– for about 12 hours, there was a massive amount of spammy links on the site
– I wasted about six hours finding the exploit they used and closing it
– Brief USSM outage when I had to restart something to fix something

Possible: I haven’t been able to find file revision info on their first try. It’s possible they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery).

What’s the fix?
– I removed the theme editor file they pounded that code through
– I nuked all the Russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
– I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.

What’s next?
– I’m going to look at the theme and try and talk to the WordPress folks about whether there’s a potential exploit using that page (I have no idea, really)
– I am powerless to otherwise prosecute or retaliate against them.

Good times. Go M’s.

* which says something about the behind-the-scenes headaches that I (we) can’t pay attention to catch stuff like this, but anyway….

Comments

20 Responses to “The 12h USSM spam-a-thon on behalf of our Russian overlords”

  1. TomG on May 29th, 2009 9:33 pm

    Just goes to show you how much money you wasted outfitting Colorado high schoolers against these commie bastids.

  2. kenshabby on May 29th, 2009 9:35 pm

    My ideal career: To be an agent in an international task force that tracks down the most notorious spammers, and beat them with rubber hoses before carting them off to a tribunal.

    Unfortunately no entity like that exists, though perhaps Interpol might be open to the idea.

  3. henryv on May 29th, 2009 9:45 pm

    NetDirect and Internet Service Team are in Frankfurt.

    From another site:

    Blocking this range will eliminate this particular problem:

    inetnum: 217.20.112.0 – 217.20.112.255
    netname: NETDIRECT-NET

    You might also try to block dnspro.de, unless you are deeply concerned about the traffic from our German friends.

    Link to IST’s info

  4. cdowley on May 29th, 2009 9:50 pm

    *clapclapclap*

    Well done, DMZ. Things like that make me thank god I don’t run websites anymore…

  5. msb on May 29th, 2009 9:54 pm

    go have one of those fine beers we like to send you.

  6. smb on May 29th, 2009 9:56 pm

    In Soviet Russia, Internet spams you!

  7. henryv on May 29th, 2009 9:58 pm
  8. Go Felix on May 29th, 2009 10:07 pm

    This happened to me 3 days ago on my main site and my two other sites I manage, long nights of drinking and cussing. Not a big fan…….

  9. kenshabby on May 29th, 2009 11:06 pm

    In Soviet Russia, Internet spams you!

    Yay, another Yakov Smirnoff fan!

  10. DMZ on May 29th, 2009 11:09 pm

    I think you’re both vastly underestimating how irritable I am right now.

  11. Slurve on May 29th, 2009 11:17 pm

    Go Rambo on their asses!

    “Who do you think DMZ is? God?”
    “No God would have mercy”

  12. jsa on May 30th, 2009 1:57 am

    There are a number of posts on the forum at wordpress about various hacks in the past.

    http://wordpress.org/support/topic/220840

    It almost always boils down to loose or guessable passwords, leading to sql injections.

  13. SonOfZavaras on May 30th, 2009 3:57 am

    DMZ-
    Thank you for all the efforts in making this site safer- I know this has got to be (or had to be) three shades of royal bitch to deal with.

    Unfortunately, some people just love to wreak havoc on whatsoever they can find.

    I won’t speak for anyone else normally, but I think it’s safe for me to say we all appreciate everything you do around here.

    Fortunately, it seems Henryv (thanx for the birthday holler, Henry!!)and JSA might be able to offer some assistance- if it’s me, I’m hopelessly out of my league on blocking spammers and viral attacks.

  14. dchappelle on May 30th, 2009 6:24 am

    Don’t forget about the “Donate” link on the left to buy him a beer.

  15. wabbles on May 30th, 2009 9:41 am

    Now I am A) scared once again about Internet security and I don’t even have a hard drive (MSNTV2, it’s a ways behind the tech curve but safe in that respect) and B) amazed at the time and effort you guys put in here. Apparently it’s not just the baseball side of things either.

  16. Jeff Nye on May 30th, 2009 11:28 am

    If you don’t have a hard drive, there’s not really too much to worry about.

    Derek and Dave do a lot of hard work behind the scenes that you guys don’t see that helps keep this place going.

  17. wabbles on May 30th, 2009 12:15 pm

    No of course not, but my credit union, Yahoo, work computer, etc. all do have hard drives and modems. Scary.

  18. NBarnes on May 30th, 2009 2:27 pm

    Some days I like to fantasize about being a vigilante who goes out at night in a funny costume and beats the holy living hell out of internet criminals who think they’re beyond the reach of justice.

  19. DMZ on May 30th, 2009 3:06 pm

    I wrote a somewhat cathartic short story about how cloud computing technology would inevitably result in anti-spammer vigilante actions last night. It’s surprisingly good a day later, though it obviously needs some work.

  20. Typical Idiot Fan on May 30th, 2009 6:32 pm

    I wonder if this is related to the Storm botnet.
