The WordPress Pharmacy Hack

A number of WordPress blogs around the world have been hacked (or cracked, whichever word you prefer) and a "pharmacy" subdirectory has been injected below the WordPress root. I know of these victims at the moment:

azin.se
benniboedker.dk
www.blog-celeo.com
www.digitalrights.gr
www.toscaninelmondo.org
www.vdomck.org
www.yerbastory.pl

The injected web pages are advertised by fooling Yahoo! search into making a weird GET request to a totally different web site, resulting in log lines like this:

74.6.17.184 - - [29/Aug/2008:04:03:50 +0200] "GET /\"//example.com/blog/pharmacy/spam.html\" HTTP/1.0" 404 15145 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; //help.yahoo.com/help/us/ysearch/slurp)"
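The tell-tale in that line is a request path that itself contains a quoted URL pointing at the victim's injected directory. The following is an added example, not code from the original post: a small Python parser for Apache combined-format access log lines that pulls out the host and path embedded in such requests and notes whether the client was a crawler. The three sample lines are constructed (the first reproduces the Slurp request above with its example.com host and the scheme missing exactly as quoted; the second is an ordinary hit; the third is a made-up variant with the scheme intact); the parser assumes Apache's convention of logging a literal double quote inside the request as `\"`.

```python
"""Find access-log requests whose path embeds another site's URL.

Added example for this page; the log lines below are constructed.
"""
import re

# Constructed sample: line 1 is the Yahoo! Slurp request quoted in the post,
# line 2 a normal hit, line 3 a made-up variant with the scheme present.
ACCESS_LOG = r'''
74.6.17.184 - - [29/Aug/2008:04:03:50 +0200] "GET /\"//example.com/blog/pharmacy/spam.html\" HTTP/1.0" 404 15145 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; //help.yahoo.com/help/us/ysearch/slurp)"
192.0.2.10 - - [29/Aug/2008:04:05:12 +0200] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
74.6.17.185 - - [29/Aug/2008:04:07:01 +0200] "GET /\"http://blog.example.net/pharmacy/\" HTTP/1.0" 404 15145 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
'''.strip().splitlines()

# Apache "combined" format. A quoted field may contain \" (Apache's escaping
# of a literal quote), so each quoted field is (?:[^"\\]|\\.)* rather than [^"]*.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A URL embedded in the request path: with or without scheme (the quoted
# line has the scheme stripped), host with at least one dot, optional path.
EMBEDDED_URL_RE = re.compile(
    r'(?:https?:)?//(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})(?P<path>/[^"\s]*)?',
    re.IGNORECASE,
)

# Crude crawler test; enough to separate search engines from browsers here.
CRAWLER_RE = re.compile(r'Slurp|bot\b|crawler', re.IGNORECASE)


def find_advertised(lines):
    """Return one record per request whose path embeds another site's URL.

    Only paths that carry a literal quote (the Slurp pattern) or an explicit
    http(s):// are examined, so an ordinary path such as /a//b.html is not
    mistaken for a URL.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        request = m['request'].replace('\\"', '"')  # undo Apache's quote escaping
        parts = request.split(' ')
        if len(parts) != 3:
            continue  # malformed request line
        method, path, _proto = parts
        if '"' not in path and not re.search(r'https?://', path):
            continue
        u = EMBEDDED_URL_RE.search(path)
        if not u:
            continue
        hits.append({
            'src': m['src'],
            'status': int(m['status']),
            'method': method,
            'host': u['host'].lower(),
            'path': u['path'] or '/',
            'crawler': bool(CRAWLER_RE.search(m['agent'])),
        })
    return hits


def advertised_sites(lines):
    """Distinct (host, path) pairs being advertised through the odd requests."""
    return sorted({(h['host'], h['path']) for h in find_advertised(lines)})


if __name__ == '__main__':
    for hit in find_advertised(ACCESS_LOG):
        print(hit)
    print(advertised_sites(ACCESS_LOG))
```

Run over a real access log (`find_advertised(open('/var/log/apache2/access.log'))`), the `advertised_sites` list tells you which hosts and directories are being pushed through the crawler; if one of them is your own site, you have the injected directory's path.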

I really recommend that every WordPress user add at least one extra level of protection to their wp-admin subdirectory. It's not safe.

Amazon Web Services used for ssh login attempts

I get ssh login attempts almost daily, mostly from DSL, Asian or Eastern European IP addresses, but this one caught my eye:

 Illegal users from these:
    75.101.221.220 (ec2-75-101-221-220.compute-1.amazonaws.com): 210 times
       admin/password: 16 times
       test/password: 15 times
       tester/password: 15 times
       testing/password: 15 times
       guest/password: 14 times
       adm/password: 6 times
       administrator/password: 5 times
       .
       .
       .

It comes from Amazon Web Services! I thought that "cloud computing" for these attackers meant "bot network", but maybe that is not the case?

Let’s see what their abuse support says!


Domain-name based ssh login attempts

The last few weeks I have noticed some illicit ssh login attempts that use parts of the reverse DNS domain name as the user name when trying to log in. The last attempt looked like this in my LogWatch summary:

Illegal users from these:
    195.38.107.55 (aquila.euroexpert.tvnet.hu): 9 times
       root/password: 4 times
       cenara/password: 2 times
       ip-83-209-13-88/password: 2 times
       ip-83-209-13-88.cenara.com/password: 1 time

As you can see, the secondary and tertiary domain names, along with the full domain name, were tried as user names when attempting to log in. I guess that the attack script tries with a blank password and also with the same password as the user name.
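Both of the sshd observations above (attempts arriving from rented cloud infrastructure, and user names built from a host's DNS labels) can be picked out of a LogWatch summary mechanically. The following is an added example, not code from the original posts: a Python triage script that parses the "Illegal users from these:" block, tags a source whose reverse name ends in a cloud-provider suffix, and tags a source that tried user names equal to any run of labels from a given hostname. The summary text is constructed from the two excerpts on this page (elided lines dropped). The hostname compared against is assumed to be the targeted server's own reverse DNS name, `ip-83-209-13-88.cenara.com`; the post does not say so explicitly, but the attacker's reverse name in the summary is a different host, and only the server's name yields those labels. The `.amazonaws.com` suffix list and the name `triage` are this example's own choices.

```python
"""Triage a LogWatch 'Illegal users from these:' sshd summary.

Added example for this page; the summary text below is constructed from
the two excerpts quoted in the posts (the '.' elision lines are dropped).
"""
import re

# Constructed input: the two LogWatch excerpts from this page, concatenated.
SUMMARY = """\
Illegal users from these:
    75.101.221.220 (ec2-75-101-221-220.compute-1.amazonaws.com): 210 times
       admin/password: 16 times
       test/password: 15 times
       guest/password: 14 times
    195.38.107.55 (aquila.euroexpert.tvnet.hu): 9 times
       root/password: 4 times
       cenara/password: 2 times
       ip-83-209-13-88/password: 2 times
       ip-83-209-13-88.cenara.com/password: 1 time
"""

# Assumption: the targeted server's own reverse DNS name. The page never
# states it, but the user names in the third post are labels of this name.
MY_RDNS = "ip-83-209-13-88.cenara.com"

# Reverse-name suffixes that mark a source as rented hosting rather than a
# home DSL line. Extend with other providers as you meet them.
CLOUD_SUFFIXES = (".amazonaws.com",)

# '    1.2.3.4 (reverse.name): N times'
SOURCE_RE = re.compile(r"^\s+(\d+(?:\.\d+){3}) \(([^)]*)\): (\d+) times?$")
# '       user/method: N times'; the part after the slash is the auth method.
ATTEMPT_RE = re.compile(r"^\s+([^/\s]+)/(\S+): (\d+) times?$")


def parse_summary(text):
    """Parse the summary into {ip: {"rdns", "total", "attempts": [(user, method, n)]}}."""
    sources = {}
    current = None
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            ip, rdns, total = m.groups()
            current = sources[ip] = {"rdns": rdns, "total": int(total), "attempts": []}
            continue
        m = ATTEMPT_RE.match(line)
        if m and current is not None:
            user, method, count = m.groups()
            current["attempts"].append((user, method, int(count)))
    return sources


def name_fragments(hostname):
    """Every contiguous run of labels in hostname, e.g. for a.b.com:
    {'a', 'b', 'a.b', 'b.com', 'a.b.com'}. The bare TLD is left out since
    'com' as a user name says nothing."""
    labels = hostname.lower().split(".")
    frags = set()
    for i in range(len(labels)):
        for j in range(i + 1, len(labels) + 1):
            frags.add(".".join(labels[i:j]))
    frags.discard(labels[-1])
    return frags


def triage(text, my_rdns=MY_RDNS, cloud_suffixes=CLOUD_SUFFIXES):
    """Return one finding per source IP with the tags that apply to it."""
    wanted = name_fragments(my_rdns)
    findings = []
    for ip, info in parse_summary(text).items():
        rdns = info["rdns"].lower()
        tags = []
        if rdns.endswith(cloud_suffixes):
            tags.append("cloud-origin")
        derived = [u for u, _m, _n in info["attempts"] if u.lower() in wanted]
        if derived:
            tags.append("rdns-derived-usernames")
        findings.append({
            "ip": ip,
            "rdns": rdns,
            "total": info["total"],
            "tags": tags,
            "derived_usernames": derived,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SUMMARY):
        print(f["ip"], f["rdns"], f["total"], f["tags"], f["derived_usernames"])
```

The "cloud-origin" tag is what you would attach to an abuse report to the provider; the "rdns-derived-usernames" tag is a cheap way to spot the script family described above without having to read every summary by hand.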