Category Archives: vulnerability

fixes malicious create_function() in wp_head (goro spam)

This is quick patch for goro spams it will disabled the goro header spam links (as seen on blake ross, al gore & matt heaton WordPress blogs recently).

 * Remove create_function action hook 
 * append on wordpress wp_head filters
 * @author     Avice De'véreux <>
 * @copyright  Copyright (c) 2006 Avice De'véreux
 * @version    1.0
 * @license GNU Lesser General Public License
 * @link
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';	
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();
	foreach(range(1,10) as $priority){
		if (isset($filter[$priority]))
			foreach($filter[$priority] as $registered_filter ){
				$callback = (string) $registered_filter['function'];
				if ( preg_match("/lambda/", $callback) ) {					
		   	 		$_lambda[$priority][] = $callback;
	if ( count($_lambda) >= 0 ){
		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);


more on this → “wordpress spam goro header injection



Filed under injection, OWNED, vulnerability, wordpress

Statcounter Workaround (ip2location Informations Leak)

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “” inside of which are situated the user and password to enter and download the database log from ~ excerpt from Giani Amoto

There is workaround for statcounter ip2location informations leak
check out this posts at kakkoi → Statcounter Vulnerability Fixes

Quick workaround

add the following htaccess code in statcounter /utils/ directory.

#deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All

Leave a comment

Filed under statcounter, vulnerability

Bluehost Hostmonster CEO Hacked Again

This is the third time Matt Heaton wordpress blog got hacked. View it for yourself (noscript enabled) or try google cache (Jan 28 2008 10:10:05 GMT).


More on this at kakkoi → Matt Heaton Bluehost Hostmonster CEO Hacked Again – Strike II – Blackhat SEO Spamdexing LocalRank .


Filed under Blog, bluehost, hack, hostmonster, injection, OWNED, vulnerability

Matt Heaton (Bluehost and Hostmoster CEO) wordpress blog Hacked by Mick Jagger from Moscow remote spam injection, Matt’s heaton unaware that he uploaded the backdoor himself. Check his wordpress footer.

Matt Heaton (Bluehost and Hostmoster CEO) got Hacked by Mick Jagger

Full cache on google will not show the spam link (cloaking) used text-only cache.
As of this time of writing he’s still using WordPress 2.0.

While you are on  footer check out the “Comment (RSS)” links. The “RSS” part is misleading. its redirect to instead of the Comments Feeds. go figure

What this got to do with Mick jagger?

lol i knew u asked that, read it all at kakkoi.


Filed under bluehost, hack, hostmonster, injection, vulnerability, wordpress