Category Archives: vulnerability

fixes malicious create_function() in wp_head (goro spam)

This is a quick patch for the goro spam: it disables the goro header spam links (as seen recently on the Blake Ross, Al Gore and Matt Heaton WordPress blogs).

/**
 * Remove create_function() callbacks (anonymous "lambda" functions)
 * hooked on the WordPress wp_head action.
 *
 * @author     Avice De'véreux <ck@kaizeku.com>
 * @copyright  Copyright (c) 2006 Avice De'véreux
 * @version    1.0
 * @license    http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link       http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{
	global $wp_filter;

	$action_ref = 'wp_head';

	// Nothing hooked on wp_head, nothing to do.
	if ( empty($wp_filter[$action_ref]) ) {
		return;
	}

	// Collect callbacks created with create_function(): PHP names them
	// "\0lambda_N", so a string callback starting with "\0lambda_" is one.
	// Walk every registered priority, not just 1..10.
	$_lambda = array();
	foreach ( $wp_filter[$action_ref] as $priority => $registered_filters ) {
		foreach ( $registered_filters as $registered_filter ) {
			$callback = $registered_filter['function'];
			if ( is_string($callback) && strpos($callback, "\0lambda_") === 0 ) {
				$_lambda[$priority][] = $callback;
			}
		}
	}

	// Unhook each lambda at the priority it was registered with.
	foreach ( $_lambda as $priority => $callbacks ) {
		foreach ( $callbacks as $callback ) {
			if ( has_filter($action_ref, $callback) ) {
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init', 'remove_create_function_action');

More on this → “wordpress spam goro header injection”
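The patch above only unhooks the lambda at runtime; the injected add_action() call still sits in some theme or plugin file. The following scanner, an added example that is not part of the original post or of WordPress, flags create_function() callbacks hooked on wp_head in PHP sources so the file and line can be cleaned up. The file paths and contents in SAMPLE_FILES are constructed; the regexes and function names are this example's own.

```python
"""Find create_function() callbacks hooked on wp_head in PHP source.

Added example, not from the original post or WordPress: the patch above
unhooks the lambda at runtime; this points at the file and line that hooks it.
"""
import re

# add_action()/add_filter() with 'wp_head' as first argument and a
# create_function(...) call as second, any whitespace, either quote style.
HOOKED_LAMBDA_RE = re.compile(
    r"""add_(?:action|filter)\s*\(\s*(['"])wp_head\1\s*,\s*create_function\s*\("""
)
# Any create_function() call: the lambda may be stored in a variable first.
ANY_LAMBDA_RE = re.compile(r"\bcreate_function\s*\(")

def line_of(src: str, offset: int) -> int:
    """1-based line number of character offset `offset` in src."""
    return src.count("\n", 0, offset) + 1

def find_wp_head_lambdas(src: str) -> list:
    """Sorted (line, kind) pairs: 'hooked' for a direct wp_head hook,
    'review' for any create_function() call outside such a hook."""
    hits, covered = set(), set()
    for m in HOOKED_LAMBDA_RE.finditer(src):
        first, last = line_of(src, m.start()), line_of(src, m.end())
        hits.add((first, "hooked"))
        covered.update(range(first, last + 1))  # the call may span lines
    for m in ANY_LAMBDA_RE.finditer(src):
        ln = line_of(src, m.start())
        if ln not in covered:
            hits.add((ln, "review"))
    return sorted(hits)

def scan_files(files: dict) -> dict:
    """files maps path -> PHP source; returns only the paths with hits."""
    report = {path: find_wp_head_lambdas(src) for path, src in files.items()}
    return {path: hits for path, hits in report.items() if hits}

# Constructed sample sources, not a real spam payload.
SAMPLE_FILES = {
    "wp-content/themes/default/functions.php": (
        "<?php\n"
        "add_action('wp_head', 'wp_generator');\n"
        "add_action( \"wp_head\" , create_function('', 'echo \"<!-- x -->\";') );\n"
        "$f = create_function('', 'return 1;');\n"
    ),
    "wp-content/themes/default/header.php": "<?php wp_head(); ?>\n",
}
```

Run scan_files() over the real theme and plugin directories by reading each .php file into the dict; a 'hooked' hit is the injection, a 'review' hit deserves a manual look.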

2 Comments

Filed under injection, OWNED, vulnerability, wordpress

Statcounter Update.sh Workaround (ip2location Information Leak)

The server where the backup logs of the last three days are situated is badly set up. Access to all directories on the server is free, including the “utils” directory, which contains one script file called “update.sh”, inside of which are situated the user and password to enter and download the database log from ip2location.com. ~ excerpt from Giani Amoto

There is a workaround for the Statcounter update.sh ip2location information leak; check out this post at kakkoi → Statcounter Update.sh Vulnerability Fixes

Quick workaround

Add the following .htaccess rules in the Statcounter /utils/ directory.

# Deny access to any *.sh file. The pattern must be anchored on the
# extension: "^\.sh" only matched names that *start* with ".sh" and
# would have left update.sh readable.
<FilesMatch "\.sh$">
 Order allow,deny
 Deny from all
 Satisfy All
</FilesMatch>

# Deny requests for *.log and *.comment files, case-insensitively
<FilesMatch "(?i)\.(log|comment)$">
 Order allow,deny
 Deny from all
 Satisfy All
</FilesMatch>

Filed under statcounter, vulnerability

Bluehost Hostmonster CEO Hacked Again

This is the third time Matt Heaton's WordPress blog has been hacked. View it for yourself at http://www.mattheaton.com (with NoScript enabled) or try the Google cache (Jan 28 2008 10:10:05 GMT).

ScreenGrab

More on this at kakkoi → Matt Heaton Bluehost Hostmonster CEO Hacked Again – Strike II – Blackhat SEO Spamdexing LocalRank.

2 Comments

Filed under Blog, bluehost, hack, hostmonster, injection, OWNED, vulnerability

Matt Heaton (Bluehost and Hostmonster CEO) WordPress blog Hacked by Mick Jagger from Moscow

wordpress.net.in remote spam injection: Matt Heaton is unaware that he uploaded the backdoor himself. Check his WordPress footer.

Matt Heaton (Bluehost and Hostmonster CEO) got Hacked by Mick Jagger

The full Google cache will not show the spam link (cloaking); use the text-only cache instead.
As of this writing he is still using WordPress 2.0.

While you are in the mattheaton.com footer, check out the “Comment (RSS)” links. The “RSS” part is misleading: it redirects to http://cwings.ulmb.com/alexa.php?c=bluehost.com instead of the comments feed. Go figure.

What has this got to do with Mick Jagger?

lol, I knew you'd ask that; read it all at kakkoi.

5 Comments

Filed under bluehost, hack, hostmonster, injection, vulnerability, wordpress