We’re currently in the midst of fending off a simply disgusting amount of comment spam from people trying to sell knockoff shoes, etc. (I think I’ve gotten rid of something on the order of 100 comments in the last few days)

Until it subsides, please understand that any comments from a new user go into the moderation queue specifically to help keep things like this under control; this means that if you are a new user, your posts won’t show up until an author or mod has a chance to go in and flag you as not being an automated spam robot.

This isn’t anything NEW per se, but I’ve seen a couple of legitimate comments get lost in the flood and I wanted to make sure that you all understand it’s nothing personal.

I’m leaving comments disabled to have one less comment thread I have to delete spam from; if you have questions or comments, send us an email.

Thanks!

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

New Users: Please Be Patient

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Mobile’s up

89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

(oh, how I wish our current layout expanded the center column smoothly)

Those are, if you’re curious, the only requests from them that day. They didn’t request the theme-editor page. They didn’t even request any pages in a normal use page of that page, including the other components of that page. It looks to me like they pounded a peg right through that hole. But anyway, I’m not sure exactly what happened, but viola! We’ve got a new footer with many, many links.

So I wonder… has this person ever visited before?

Yes!

89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359


Not much on reading, huh? So let’s check out who registered then….

+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID | user_login | user_pass | user_email | user_url | dateYMDhour | user_activation_key | user_status | user_nicename | user_registered | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru | | 0000-00-00 00:00:00 | | 0 | chelentanoxl | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com | | 0000-00-00 00:00:00 | | 0 | johnywhite | 2009-05-25 18:23:45 | JohnyWhite |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+

(the clock’s different)

Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!

Unfortunately, no comments from our good friend. I’d have been interested in that.

What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register, four days later they’re back and without generating any weird attempts against nonexistent URLs, they do a couple of posts and they’re off to the races.

To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:

Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us

The site in its current form appears to have been generated apx 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.

Not a lot for us there.

Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.

That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…

Timeline of events
- internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
- bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
- they hit the site, changing footer.php
- they do it twice more in rapid succession
- they don’t touch it again
- I wake up, go to work, and at three get tipped off that something’s seriously wrong

There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.

What’s the damage, as far as I can tell?

Known:
- for about 12 hours, there was a massive amount of spammy links on the site
- I wasted about six hours finding the exploit they used and closing it
- Brief USSM outage when I had to restart something to fix something

Possible: I haven’t been able to find file revision info on their first try. It’s possibly they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery)

What’s the fix?
- I removed the theme editor file they pounded that code through
- I nuked all the russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
- I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.

What’s next?
- I’m going to look at the theme and try and talk to the Wordpress folks about whether there’s a potential exploit using that page (I have no idea, really)
- I am powerless to otherwise prosecute or retaliate against them.

Good times. Go M’s.

* which says something about the behind-the-scenes headaches that I (we) can’t pay attention to catch stuff like this, but anyway….

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

The 12h USSM spam-a-thon on behalf of our Russian overlords

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Site mal-age

Your first few comments are viewed as an audition; try to contribute something positive.

In particular, sexist comments aren’t welcome here. This isn’t a sports bar.

Questions can be directed to the email address linked under Contact Us.

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

New Season, Same Rules

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Site info: logins

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Podcasting, hypothetically

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Under fifty spots left for the Jan 10 Q&A

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Site update note for Jan 7

Okay, so quick notes from today’s work:
- If you don’t want to pay through Paypal for whatever reason (including “want to cause Derek pain”) email us and we’ll work something out. Yes, Paypal is evil and horrible, and they’ve screwed us too, but it makes this thing 100x easier.
- If you’re bringing a guest, email us with the name you donated under and your guest’s name.
- If you paid through PayPal via check, you don’t show up on the list until the check’s cleared. This takes a while. Please do not email us about this. We can’t make checks clear faster.
- If you paid and your donation doesn’t show up instantaneously, please do not email us about this. Give it some time.
- If something went horribly wrong, email us.

Dave’s promotional post follows
–
We told you hold the date – now we tell you why. On Saturday, January 10th, we’re hosting the latest USSM/LL event. The guests for the afternoon are Mariners Asst. GM Tony Blengino and Mariners scouting director Tom McNamara. These are the two guys that Zduriencik brought over from Milwaukee – Blengino is the guy behind the Department of Baseball Research that is being established and the one pushing the organization into the 21st century of baseball analysis. McNamara is the top scout in the organization, and will be running the amateur draft this summer. They’re both going to be a lot of fun to talk to.

The event is at the downtown Seattle Central Library from 1:30 to 5:30 on Saturday, January 10th. We won’t be providing food, so we’ve lowered the price to $10, which just goes to defray the costs of the room rental. We’re trying to improve the whole registration/payment process for these things, so if you want to attend, click on the button below and donate $10.

Do not click the anonymous button, as we need your name to show up on the list of donaters -that will be the list we use at the door to let people in. If you’re paying for multiple people, send an email to the USSM account with the names of the people you’re bringing so that we can make sure everyone is on the list. And if you’re totally anti-paypal, send us an email too and we’ll work something out.

But, yea, January 10th, four hours of baseball talk with Derek, the LL gang, and two of the big wigs in the M’s new front office. It’s going to be a lot of fun, so I encourage you guys to go.

-- This post came from: U.S.S. Mariner, and is copyright by the authors. This RSS feed is intended for the personal use of readers and not, for instance, spam blogs.

Jan 10 event update