fixes malicious create_function() in wp_head (goro spam)

This is quick patch for goro spams it will disabled the goro header spam links (as seen on blake ross, al gore & matt heaton WordPress blogs recently).

/**
 * Remove create_function action hook 
 * append on wordpress wp_head filters
 *  
 * @author     Avice De'véreux <ck@kaizeku.com>
 * @copyright  Copyright (c) 2006 Avice De'véreux
 * @version    1.0
 * @license    http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link       http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */ 
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';	
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();
	
	foreach(range(1,10) as $priority){
		
		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){
				
				$callback = (string) $registered_filter['function'];
				
				if ( preg_match("/lambda/", $callback) ) {					
		   	 		$_lambda[$priority][] = $callback;
				} 
			}
				
		} 
	}
	
	if ( count($_lambda) >= 0 ){
		
		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			} 
		}
	}	
}

add_action('init','remove_create_function_action');

more on this → “wordpress spam goro header injection

2 Comments

Filed under injection, OWNED, vulnerability, wordpress

Blake Ross (The Co-Founder Mozilla Project) WordPress Blog’s Hacked

Blake Ross hacked by Blackhat SEO Spammer, blakeross.com is running WordPress 2.0.4 on Apache 1.3.39; its like waiting to be hacked.
Digg it → Co-Founder of Mozilla Project WordPress Blog’s Hacked

Screenshot

blake-ross-com-280208.png

Note: There is known directory transversal exploit for WordPress 2.0.4 #4226

External Links

  • How to fix wordpress.net.in Goro Spam
  • WordPress 2.0.5 Changelog
  • Apache 1.3 Vulnerability
  • 1 Comment

    Filed under OWNED, security, wordpress

    Statcounter Update.sh Workaround (ip2location Informations Leak)

    The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com ~ excerpt from Giani Amoto

    There is workaround for statcounter update.sh ip2location informations leak
    check out this posts at kakkoi → Statcounter Update.sh Vulnerability Fixes

    Quick workaround

    add the following htaccess code in statcounter /utils/ directory.

    #deny access to any file with *.sh filetypes
    <Files ~ "^\.sh">
     Order allow,deny
     Deny from all
     Satisfy All
    </Files>
    
    #Deny request for *.log & comment files
    <Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
     Order allow,deny
     Deny from all
     Satisfy All
    </Files>
    

    Leave a comment

    Filed under statcounter, vulnerability

    More Cheese – Happy Chinese New Year

    2008 is the year of the Rat. Happy Chinese new year

    cheesy-year.jpg

    2 Comments

    Filed under Blog

    Bluehost Hostmonster CEO Hacked Again

    This is the third time Matt Heaton wordpress blog got hacked. View it for yourself http://www.mattheaton.com (noscript enabled) or try google cache (Jan 28 2008 10:10:05 GMT).

    ScreenGrab

    More on this at kakkoi → Matt Heaton Bluehost Hostmonster CEO Hacked Again – Strike II – Blackhat SEO Spamdexing LocalRank .

    2 Comments

    Filed under Blog, bluehost, hack, hostmonster, injection, OWNED, vulnerability

    Firebug for Firefox 3 (beta)

    Firebug 1.1.0b10 compatible with Firefox 3.0 beta 1 & 2. download it at fireclipse. more on this at Kakkoi firebug for firefox 3.0b+.

    1 Comment

    Filed under Add-ons, Mozilla Firefox