Kaizeku Ban » Black Hat

goro spam injection patch

ck — Sat, 14 Jun 2008 18:58:51 +0000

Since early 2007 I been monitoring this famous WordPress spam injection that only target high PR wordpress blogs like Al gore, blake ross, bluehost CEO to name a few.

PHP create_function()

The new variant from wordpress.net.in & qwetro.com used the “anonymous PHP create_function” to append their spam links on their victim blog. Below is quick patch to disabled the mischievous “create_function” injection on wp_head.

The below code will look for “�lambda_n” function inside wp_head wp_filters array and remove the action hook silently. I assume that any sane developer will never used this unstable PHP function.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

note: This method only disabled the spam link from showing on your blog header. it wont fixed your blog vulnerabilities. your blog still owned thought. Tips → http://wordpress.org/download/

Download

Note: There is a file embedded within this post, please visit this post to download the file.

Co-Founder of Mozilla Project

ck — Thu, 28 Feb 2008 19:46:07 +0000

Blake Ross WordPress blog is being run by wordpress.net.in goro spam injection.

Who's Blake Ross

Excerpt from wikipedia

Blake Aaron Ross is a software developer who is known for his work on the Mozilla web browser; in particular, he started the Mozilla Firefox project with Dave Hyatt, as well as the Spread Firefox project with Asa Dotzler while working as a contractor at the Mozilla Foundation.In 2005, he was nominated for Wired magazine’s top Rave Award, Renegade of the Year, opposite Larry Page, Sergey Brin and Jon Stewart. He was also a part of Rolling Stone magazine’s 2005 hot list.

Image Source, The cover for issue #13.02 (the February 2005 edition) of Wired magazine featuring Blake Ross holding a Firefox globe as part of the lead article, The Firefox Explosion, about the browser’s development history.

HTML Source & ScreenGrab

WordPress Vulnerability

Outdated WordPress
- WordPress 2.0.4 Exploit & Vulnerability
  - Blake’s is running on WordPress 2.0.4 first release on Jul 29th, 2006.
  - wp-db-backup.php directory traversal Rev.4226
  - Mark Jaquith on WordPress 2.0.5 Changelog
- µ Proxy Cached: blakeross.com WordPress Version (feed)

WordPress Core Directory & Plugins Informations Leak

View blakeross.com WordPress Core Directory Listing

Index of /wp-includes

 Name Last modified Size Description

[DIR] Parent Directory 25-Dec-2006 01:14 -
[ ] cache.php 03-Sep-2006 23:52 11k
[ ] capabilities.php 03-Sep-2006 23:52 11k
[ ] class-IXR.php 03-Sep-2006 23:52 27k
[ ] class-pop3.php 03-Sep-2006 23:52 21k
[ ] class-snoopy.php 03-Sep-2006 23:52 37k
[ ] classes.php 03-Sep-2006 23:52 51k
[ ] comment-functions.php 03-Sep-2006 23:52 31k
[ ] default-filters.php 03-Sep-2006 23:52 5k
[ ] feed-functions.php 03-Sep-2006 23:52 4k
[ ] functions-compat.php 03-Sep-2006 23:52 3k
[ ] functions-formatting..> 03-Sep-2006 23:53 34k
[ ] functions-post.php 03-Sep-2006 23:53 30k
[ ] functions.php 03-Sep-2006 23:53 71k
[ ] gettext.php 03-Sep-2006 23:53 11k
[DIR] images/ 03-Sep-2006 23:50 -
[DIR] js/ 03-Sep-2006 23:55 -
[ ] kses.php 03-Sep-2006 23:55 22k
[ ] links.php 03-Sep-2006 23:55 20k
[ ] locale.php 03-Sep-2006 23:55 3k
[ ] pluggable-functions.php 03-Sep-2006 23:55 17k
[ ] registration-functio..> 03-Sep-2006 23:55 4k
[ ] rss-functions.php 03-Sep-2006 23:55 21k
[ ] streams.php 03-Sep-2006 23:55 4k
[ ] template-functions-a..> 03-Sep-2006 23:55 5k
[ ] template-functions-c..> 03-Sep-2006 23:56 13k
[ ] template-functions-g..> 03-Sep-2006 23:56 21k
[ ] template-functions-l..> 03-Sep-2006 23:56 15k
[ ] template-functions-p..> 03-Sep-2006 23:56 15k
[ ] template-loader.php 03-Sep-2006 23:56 2k
[ ] vars.php 03-Sep-2006 23:56 3k
[ ] version.php 03-Sep-2006 23:56 1k
[ ] wp-db.php 03-Sep-2006 23:56 10k
[ ] wp-l10n.php 03-Sep-2006 23:56 2k 

Apache/1.3.39 Server at blakeross.com Port 80

µ Proxy Cached: http://blakeross.com/wp-includes/

View blakeross.com WordPress Plugins Directory Listing

Index of /wp-content/plugins

 Name Last modified Size Description

[DIR] Parent Directory 27-Sep-2006 22:27 -
[DIR] akismet/ 03-Sep-2006 23:52 -
[ ] hello.php 03-Sep-2006 23:52 2k
[ ] wp-db-backup.php 03-Sep-2006 23:52 30k 

Apache/1.3.39 Server at blakeross.com Port 80

µ Proxy Cached: http://blakeross.com/wp-content/plugins

Hardening Wordpress?

There is 105,000 WordPress blogs leaking their plugins informations for BotNet to scan.

Blackhat SEO targeting High PR WordPress Blog

Blake Ross is not alone, there is similar Spamride cases for the past few months. Below is are few “High PR WordPress Blogs” with similar issues.

Others Popular Victim

Al Gore’s Blog
Bluehost Hostmonster CEO’s Blog
blog.indeed.com
thinkingphp.org
floaridablog.org

Socrates & Sophocles In Latest Spamming Trends

ck — Mon, 08 Oct 2007 16:28:37 +0000

I received many spams lately. Some of this deliberate spammer has many artificial technique ie predefine message, questionnaire, using a famous name, one liner etc… And surprisingly all the spammer has a commons things, there is no hyperlinks in their comments post. So this make it a trends in spam evolution. Here is some of my findings.

Predefine post

What a joy, they come in pair.

Questionnaire

What Daniel’s meant by interesting is actually more prosaic than the real meaning. he was hammering my blog for 4 days long with the same repetitive comments. I’d to quickly blocked him via .htacess and submit his particular details to spam reporting services.

One Liner

This type of spamming is redundant in my blog. Almost 80% of it is from CHINA. And that is very suspicious as this might be a forge address by Russian black-hat. Notice the famous name (Socrates & Sophocles). Its very noble.

How to identify a SPAM posts?

From my dictionary.

If the comment is ambiguous its a spam.
Giving out fake email address. A quick telnet will do the job
Looking up IP address for mx1.hotmail.com.
The IP address for mx1.hotmail.com. is 65.54.245.8sending HELO
response: 220 bay0-mc9-f23.bay0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft’s computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Mon, 8 Oct 2007 08:49:24 -0700 250 bay0-mc9-f23.bay0.hotmail.com (3.4.0.37) Hello [xx.xx.xx.xx]sending RCPT TO vanessyto@hotmail.comresponse: 550 Requested action not taken: mailbox unavailable
Using the blog name for reference, as in my case the spammer used “Kaizeku Ban” as reference.
The author is using the same IP address with the target website. This is debatable, but still good points to check.

How to identify a spam website?

Most of spam websites register their domains under anonymous registrant. So be alert for this type of sites.

Protection against spam

Today’s email and blogging software (CMS) has standard a build in spam protections but it still not good enough as spammer is getting better and cunning at every turn. I think the best protections from spamming is for you to have a “white-list” of trusted network. As it will save you from writing endless filter. Just let the one you trust to contact you and let rest of the worlds in the waiting list.

At this time of writing there is 4 million search results for “stop spam” query on Google. This should make spam as an industry by itself. How many spam should we get in the next 10 years is all depend on how much profit it makes for spamming.

There wouldn’t be spam if there wasn’t money in spam.