Game 52, Orioles at Mariners

Dave · June 1, 2009 · Filed Under Mariners

Hill vs Washburn, 7:10 pm.

So, as you probably know, the Orioles have this center fielder who is having a pretty good season. Unless he falls apart in June, there’s a pretty decent chance that Adam Jones will make his first All-Star team this summer at the ripe old age of 23. He’s one of the core pieces of the Orioles rebuilding process, and if the M’s wanted to get him back, they probably couldn’t, even if they offered up the entire farm system and the deed to Mt. Rainier. He’s that valuable. And, but for some really terrible decision making, he could have been ours.

But you know what? I’m happy for Adam Jones, but I’ve moved on. The people responsible for making the worst trade in franchise history got fired, and the team brought in the front office we’ve always wanted. The people who publicly supported the deal have basically all issued mea culpas, and the most prominent of them has become a supporter of the value of defense. The folks who were oh so wrong about that move have either lost their jobs or learned their lesson.

So, to everyone who wants to use Jones’ return as an opportunity to rub it in and play “I told you so”, please don’t. There’s no point. The deal is done and the lessons have been learned. Let’s all just be happy for Adam that he’s on his way to a terrific major league career, root for Zduriencik to fleece some other GM when we move Bedard this summer, and stop acting like there are still battle lines being drawn here.

Besides, if you really want to judge the trade by the results since it went down (not that you should), then you might want to consider that the Bedard deal was basically the final nail in the coffin of the Bavasi era. It sucks that it took a soul crusher of a trade to provide the impetus for the necessary organizational changes, but it did, and those changes took place.

I guess what I’m saying is that I’m happier as a Mariner fan with Jack Zduriencik as my GM and Franklin Gutierrez as my center fielder than I would be with Bill Bavasi as my GM and Adam Jones as my center fielder. Trying to pretend there’s a mythical world where we could have had both is not going to do anyone any good. I’ll root for Jones to play well, but not when he’s playing the Mariners. Tonight, I hope Jarrod Washburn makes him look stupid.

You’re Welcome

Dave · June 1, 2009 · Filed Under Mariners

On May 15th, I wrote the Should The M’s Trade Ichiro? piece. Since I hit publish, he’s 31 for 71 with nine extra base hits, for a nifty .437/.467/.648 line.

He’s now been worth +1.8 wins in 43 games, which is about a +6.5 win pace for a whole season.

Coming tomorrow, a “should the team trade Rob Johnson?” post. I expect similar results, Rob.

Minor League Wrap (5/25-31/09)

Jay Yencich · June 1, 2009 · Filed Under Mariners, Minor Leagues

The top three catchers in the system are all still hitting well, which is good for whenever we get that situation figured out, though I should warn those of you anticipating Moore’s arrival that he has a pretty bad passed ball problem. I don’t have much to work with this week, so I ended up writing about three-quarters of a page on Liddi because it seemed like a good idea at the time. It’s partially to provide a soft letdown for the bad news that follows.

To the jump!

Game 51, Mariners at Angels

DMZ · May 31, 2009 · Filed Under Mariners

Olson vs Santana.

I’m still looking forward to seeing Ichiro’s season spun into a negative story about him. Suggestions:
– Ichiro’s consistent hitting puts undue pressure on other players to perform, and they’re pressing at the plate, causing the team’s offensive woes, and he refuses to go 0-fer to let them relax.
– Ichiro’s speed and smart baserunning makes other players look comparatively worse, forcing them to worry about getting good leads and not being thrown out, distracting them and causing them to take bad leads and get thrown out.
– Ichiro’s (and the outfield’s, for that matter) consistent fielding are making the pitchers concentrate on trying to get fly balls, which takes them away from pitching to their strengths and makes them more prone to giving up home runs.

Good luck with that!

Griffey done and an anchor of the lineup

DMZ · May 31, 2009 · Filed Under Mariners

(and that’s your 09 lineup for you)

The bait we were supposed to bite on this off-season, fixed to hook by Griffey’s agent, was that Griffey’s hitting struggles of late came from his (possibly un- or semi-)disclosed knee injury, but he’d be great now that the knee was better.

I was pretty skeptical. A lot of people were skeptical. And here’s where we are now:

He’s taking a ton of walks. 16% of his plate appearances. More walks than any time in his career except the shortened 1995 season. And he’s got no power.

Now, he’s not in Vidro territory…
Griffey 09: .213/.336/.369
Vidro 08: .234/.274/.338
… though it’s a little depressing to think the husk of Vidro’s career was a better contact hitter than Griffey is now.

While we’re looking at lines
Griffey 09: .213/.336/.369
AL 09: .268/.339/.428

But here’s his batting average on balls in play, a good measure of how hard he’s hitting the ball, from Fangraphs:

BABIP:

And here’s his raw power for a second look at that:

ISO:

Yeah, Griffey’s been injured on and off, but that’s the normal curve of a player getting old. They take more pitches, both from experience and because they can’t swing and make good contact on more pitches than before.

BB%

Here’s the problem, though: this version of Griffey, a patient low-contact hitter with minimal power against right-handers, who we’re really pulling to finish the season hitting .250/.360/.420… he’s the third-best hitter on the team.

Behind Ichiro! who is awesome and Branyan, who as Dave notes has had his share of luck so far. And Branyan might still get traded. And Endy Chavez, not far behind, is another likely trade candidate. Wlad’s not hitting lately. Beltre should start hitting any minute. Like now would be good. No rush. Please? Seriously, Adrian, we’ve been manning the barricades for you for years, and our resolve is waning.

The good thing is DH is pretty easy to solve. You want a LH bat? Call up Clement. If the M’s want to hang in the race, they’re going to have to figure out how to get production out of that position for the fourth time since Ibanez moved back to left field after 2005 (though the 07 Vidro was at least above league average).

Saturday

DMZ · May 30, 2009 · Filed Under Mariners

Game 50, Mariners at Angels

DMZ · May 30, 2009 · Filed Under Mariners

Felix v Palmer. Betancourt’s at #2 again, Rob Johnson is… playing and despite being so bad you might plausibly DH for him instead of Felix if you were allowed, he’s batting #7 ahead of Chavez and Gutierrez. I don’t get it, but whatever, right? Go team!

USSM get-together in NC – last reminder

Mike Snow · May 30, 2009 · Filed Under Mariners

Sunday, May 31 in Durham at Champps Sports. You can watch the Mariners game at 3:35 in the private dining area. Dave says he’ll be there an hour or so before, and apparently there’s been a Jeff Shaw sighting. No admission fee, just whatever you eat and drink (tip generously, your server’s in a recession too).

What with all the USS Mariner folks in North Carolina, it’s a shame the move of two teams from the California League to the Carolina League didn’t work out, or they could see the Mariners’ Class-A squad all the time and let us know how Aumont’s doing. That, plus anything to get us out of High Desert.

The 12h USSM spam-a-thon on behalf of our Russian overlords

DMZ · May 29, 2009 · Filed Under Site information

I found it.

89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

(oh, how I wish our current layout expanded the center column smoothly)

Those are, if you’re curious, the only requests from them that day. They didn’t request the theme-editor page. They didn’t even request any pages in a normal use of that page, including the other components of that page. It looks to me like they pounded a peg right through that hole. But anyway, I’m not sure exactly what happened, but voilà! We’ve got a new footer with many, many links.

So I wonder… has this person ever visited before?

Yes!

89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:38 -0700] "GET /?feed=rss2 HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:42 -0700] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 10958
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:43 -0700] "GET / HTTP/1.0" 200 38516
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:23:45 -0700] "POST /wp-login.php?action=register HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:45 -0700] "POST / HTTP/1.0" 200 38373
89.149.253.13 - - [25/May/2009:11:24:46 -0700] "POST /wp-login.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9792
89.149.253.13 - - [25/May/2009:11:24:48 -0700] "POST /xmlrpc.php HTTP/1.0" 200 122
89.149.253.13 - - [25/May/2009:11:24:49 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9720
89.149.253.13 - - [25/May/2009:17:28:46 -0700] "POST / HTTP/1.0" 200 38075
89.149.253.13 - - [25/May/2009:17:28:47 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [25/May/2009:17:28:48 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18402
89.149.253.13 - - [25/May/2009:17:28:49 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:17:28:50 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:26 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 -
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359

Not much on reading, huh? So let’s check out who registered then….

+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| ID | user_login | user_pass | user_email | user_url | dateYMDhour | user_activation_key | user_status | user_nicename | user_registered | display_name |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+
| 7671 | chelentanoxl | $P$BzVoIOZOWiBIQkCIx05ZGXigSEEj9E0 | ...@mail.ru | | 0000-00-00 00:00:00 | | 0 | chelentanoxl | 2009-05-24 04:17:28 | chelentanoxl |
...
| 7677 | JohnyWhite | $P$BGo8PSqsq2oYUcesd0ncnDgAPH9GRg0 | wordpressuser2@gmail.com | | 0000-00-00 00:00:00 | | 0 | johnywhite | 2009-05-25 18:23:45 | JohnyWhite |
+------+--------------+------------------------------------+--------------------------+----------+---------------------+---------------------+-------------+---------------+---------------------+--------------+

(the clock’s different)

Ding! The tail end of a whole run of suspicious Russian and free emails… and there he is. Hi, wordpressuser2@gmail.com!

Unfortunately, no comments from our good friend. I’d have been interested in that.

What’s particularly odd (to me, anyway) is that there’s no record of incorrect actions in the error log. They register, four days later they’re back and without generating any weird attempts against nonexistent URLs, they do a couple of posts and they’re off to the races.

To the site, which I’ll call hacksoft for purposes of this post. Created 5/18, but interestingly they updated their info 5/27. They’re hosted in Russia by Masterhost.ru, and their whois data is pretty obviously fake:

Chesoft
John Smith chehost@gmail.com
+352985897 fax:+352985897
Flaiming road 87/45
Beaverton NA 352
us

The site in its current form appears to have been generated apx 2-3 hours before they attacked us. Which makes me think they had the exploit (or whatever) in their back pocket, set up hacksoft, and then did it.

Not a lot for us there.

Look then at internetserviceteam.com. Actually… here’s the google search for them. They’re bad news.

That’s awfully weird. Going through the logs, they’ve been doing a ton of content scraping, which is always nice, and user registrations… which is not so much nice. But combined with everything else we know…

Timeline of events
– internetserviceteam.com spends a lot of time scraping USSM and registering users but not doing anything that attracts particular attention*
(then these two can happen at any time)
– bam! they figure out how to use the theme editor to post code directly into the footer / they create their spammy SEO-bait site
– they hit the site, changing footer.php
– they do it twice more in rapid succession
– they don’t touch it again
– I wake up, go to work, and at three get tipped off that something’s seriously wrong

There’s no evidence they looked at or touched anything else, which indicates this wasn’t anything more serious than that (though of course they could have tried some malware injection, which will probably keep me up tonight). The backups all look good, there’s no evidence this has ever been used before on us, and there’s no evidence of similar attacks.

What’s the damage, as far as I can tell?

Known:
– for about 12 hours, there was a massive amount of spammy links on the site
– I wasted about six hours finding the exploit they used and closing it
– Brief USSM outage when I had to restart something to fix something

Possible: I haven’t been able to find file revision info on their first try. It’s possible they had something fairly lethal in the footer (though it seems more likely that was the proof-it-works, followed immediately by the spam delivery)

What’s the fix?
– I removed the theme editor file they pounded that code through
– I nuked all the Russian-address accounts. There were ~300 and only three of them ever made any comment. I’d have done it manually but I’m in a really, really shitty mood.
– I’m IP-banning these internetserviceteam jokers, which I’m sure won’t stop them.

What’s next?
– I’m going to look at the theme and try and talk to the WordPress folks about whether there’s a potential exploit using that page (I have no idea, really)
– I am powerless to otherwise prosecute or retaliate against them.

Good times. Go M’s.

* which says something about the behind-the-scenes headaches that I (we) can’t pay attention to catch stuff like this, but anyway….
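
The pattern the post above describes, POSTs to the theme editor from a client that never requested the page, written as a check over access-log lines. This is an added example, not code from the post: the two 192.0.2.10 lines are constructed, and treating the dash-separated reverse-DNS hostname as the same client as the dotted IP is an assumption based on this log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# First five lines are copied from the log excerpts in the post;
# the two 192.0.2.10 lines are constructed (an admin who loads the form first).
SAMPLE_LOG = """\
89-149-253-13.internetserviceteam.com - - [25/May/2009:11:23:44 -0700] "GET /wp-register.php HTTP/1.0" 302 -
89.149.253.13 - - [25/May/2009:11:24:47 -0700] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 9639
89.149.253.13 - - [29/May/2009:04:52:23 -0700] "POST /wp-admin/theme-editor.php HTTP/1.0" 200 29385
89.149.253.13 - - [29/May/2009:04:52:25 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 18393
89.149.253.13 - - [29/May/2009:04:52:30 -0700] "POST /wp-admin/theme-editor.php?file=/themes/revolution_blog_split-10/footer.php&theme=Revolution+Blog+Split HTTP/1.0" 200 91359
192.0.2.10 - - [29/May/2009:09:00:01 -0700] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 29385
192.0.2.10 - - [29/May/2009:09:00:40 -0700] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 -
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+$')
PTR_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")

def normalize(host):
    # Assumption: a reverse-DNS name like 89-149-253-13.example embeds the IP.
    m = PTR_RE.match(host)
    return ".".join(m.groups()) if m else host

def blind_admin_posts(log_text, prefix="/wp-admin/"):
    """Return {client: [(timestamp, path, edited_file), ...]} for POSTs under
    `prefix` made by a client that had not previously GET-requested that path."""
    fetched = defaultdict(set)   # client -> admin pages it has loaded with GET
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ts, method, target = m.groups()
        client = normalize(host)
        url = urlsplit(target)
        path = re.sub(r"/{2,}", "/", url.path)   # collapse /wp-admin//x.php
        if method == "GET":
            fetched[client].add(path)
        elif method == "POST" and path.startswith(prefix) and path not in fetched[client]:
            edited = parse_qs(url.query).get("file", [None])[0]
            flagged[client].append((ts, path, edited))
    return dict(flagged)

if __name__ == "__main__":
    for client, hits in blind_admin_posts(SAMPLE_LOG).items():
        for ts, path, edited in hits:
            print(client, ts, path, edited or "-")
```
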

Game 49, Mariners at Angels

DMZ · May 29, 2009 · Filed Under Mariners

Vargas v Lackey. Sorry for terseness.
