SMS Spammer

Didn’t see that one coming. Now that proxy dialers exist on the internet, it’s no surprise that some internet to SMS services exist now. The sad thing is they are being abused at the expense of the message recipient.

Back on the 24th of January, a spammer by the name of Giovanni@instantmash.com sent a text message to my cellphone advertising getwellwontyoust.com. Usually e-mail spam’s only cost is time and bandwidth, and for the end user bandwidth is usually unlimited. For SMS, the cost is 50 cents per message received, plus an additional 50 cents for connection (with Verizon, as SMS is not part of my plan since I don’t text people). Luckily, I believe Verizon will be removing the charges as it was spam; otherwise I’ll use the WHOIS information for both the spammed address and the sender and send them a bill.

A quick Google search reveals that instantmash.com has been suspended and that getwellwontyoust.com is a sex spam site. Looks like the latter is registered to one Natalie Wood, of Sacramento, California. Natalie Wood is most likely a pseudonym, as the fax number is invalid (area code 555) and I have doubts about the legitimacy of the provided phone number of (916) 742-3301. Under federal law and a precedent set in the class action lawsuit Shen v. Distributive Networks LLC, No. 06 C 4403, the offender may owe me and anyone else he or she SMS spammed up to 150USD in damages.

-John Havlik

[end of transmission, stay tuned]

One Regular Expression

i.?[[:punct:]]?.?f.?.?.?r.?.?.?a.?.?.?m.?.?.?e

That should find most iframe phrases when used in a SQL query, which I won’t lay out here (fairly easy to do with phpMyAdmin; it’s literally a copy and paste procedure in the “search” form, just change the mode to the proper setting). I tested it against over a year and a half of my archives with some purposely planted and obscured iframes and it has no false positives. This will find any iframe obscured via methods found in attacks on Weblogs.us and its users. It may be advantageous to remember this for when Iframe-B-Gone is ready.

-John Havlik

[end of transmission, stay tuned]

Mtekk Iframe-B-Gone

Seems that the events of early last month did not stop. More and more WordPress users are having issues with malicious iframes being inserted into their blogs. Until now there were no automated detection and removal tools. Enter Iframe-B-Gone: it’s quick, it’s dirty, but it should do the trick. I’ll get a build up sometime this upcoming weekend, after Beta 3 of Breadcrumb NavXT.

What to expect from Iframe-B-Gone:

  • Scanning of the wp_posts and other WordPress database tables for iframes.
  • Support for regular expressions for custom “evil” tag detection.
  • Notification of locations and option to not delete selected “results”.

Note that fixing hacked themes is beyond the scope of this plug-in; for that, manual searching and removal is necessary, and those familiar with the terminal shouldn’t have a difficult time figuring out the quick way of searching for strings in files contained within a folder.
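To show what the regular expression from the “One Regular Expression” post does against post content, and what the scan-and-report behaviour listed above looks like in practice, here is a small added example. It is not code from Iframe-B-Gone or from this blog: it is a stand-alone Python script over a handful of constructed “posts” (the example.invalid URLs are placeholders). Python’s re module has no POSIX character classes, so the [[:punct:]] piece is rewritten as [^\w\s], which is assumed to be close enough; case-insensitive matching is assumed to mirror a text-column REGEXP search in phpMyAdmin.

```python
import re

# The pattern from the "One Regular Expression" post, with the POSIX class
# [[:punct:]] rewritten as [^\w\s] because Python's re module has no POSIX
# classes (assumed equivalent enough: any non-word, non-space character).
# IGNORECASE stands in for a case-insensitive REGEXP search on a text column;
# DOTALL lets the .? gaps span a line break inside an obscured tag.
IFRAME_RE = re.compile(r"i.?[^\w\s]?.?f.?.?.?r.?.?.?a.?.?.?m.?.?.?e",
                       re.IGNORECASE | re.DOTALL)

# Constructed stand-ins for rows of the wp_posts table: {post id: post_content}.
# The URLs are placeholders (example.invalid), not real injected addresses.
SAMPLE_POSTS = {
    101: "<p>The image frame around the photo is wide.</p>",
    102: '<p>Hello</p><iframe src="http://example.invalid/counter" width=1 height=1></iframe>',
    103: '<p>Read this</p><i f r a m e src="http://example.invalid/x"></i f r a m e>',
    104: '<I-F-R-A-M-E SRC="http://example.invalid/y" STYLE="display:none"></I-F-R-A-M-E>',
    105: "<p>Keep the subject in frame when shooting.</p>",
}


def find_hits(content, pattern=IFRAME_RE):
    """Return (offset, matched text) for every place the pattern fires in one post."""
    return [(m.start(), m.group(0)) for m in pattern.finditer(content)]


def scan_posts(posts, pattern=IFRAME_RE):
    """Report which posts a pattern flags and where, without modifying anything.

    The pattern argument is what "custom evil tag detection" amounts to: any
    compiled regular expression can be swapped in. Deletion is deliberately
    left to a human reviewing the report.
    """
    report = {}
    for post_id, content in posts.items():
        hits = find_hits(content, pattern)
        if hits:
            report[post_id] = hits
    return report


if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        for offset, text in hits:
            print(f"post {post_id} @ {offset}: {text!r}")
```

Run as-is, it flags the plain, space-padded and hyphen-padded tags (posts 102 to 104) and leaves the clean post alone. It also flags post 105 on the phrase “in frame”: the pattern allows up to three characters between its letters, so ordinary prose can trip it, which is exactly why a scan should report locations for review rather than delete on sight.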

-John Havlik

[end of transmission, stay tuned]

Run, and Hide

Someone, via a SQL injection, infected this blog with an iframe linking to http://googlerank.info/counter on every one of the pages. The location was at the very bottom of the post, and thanks to a tip from a visitor this was discovered last Sunday. Additionally, an iframe was located in the link to A List Apart. These were all removed on Sunday as the investigation began. The fool that placed the code even placed it on drafts and protected pages, which is a clear sign of a SQL injection by a script (kiddy).

The logs are being checked, passwords changed, and software updated. Additionally, a nice CSS entry will now highlight any iframes on this page for anyone that isn’t using IE6 (IE7 should work). If you see a big red box with dashed black border on this site, let me know, as that is an iframe and should not be there. The kiddy will be caught and I’ll make sure his life is ruined.

-John Havlik

[end of transmission, stay tuned]

Mischievous Microsoft

So today I was looking at my website’s logs to check on any suspicious traffic that I may be receiving. It seems that something like 20 visitors a day are now claiming to arrive here by searching for Havlik in one of the three major search engines. I have never had that much traffic for that keyword, which instantly raised a red flag.

Digging further into the logs, I discovered a true gem. It looks like Microsoft is resorting to referrer spam for their Live search engine. How do I know? It’s fairly simple.

First, why in the world would my blog be on the first page of search results for the following terms: standards, WordPress, scripts, or university? Sure, the referrer field is spoofed for these, but many spammers do that; how can I link this to Microsoft? Easy: IP addresses. Why are users of Microsoft corporate IP space (65.55.165.63, 65.55.165.72, 65.55.165.95, 65.55.165.12, or 65.55.165.116 to be exact) using Internet Explorer 7 and spoofing their referrer field? Anyone have an answer to this? Feel free to comment.
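The two checks above (implausible search terms in the referrer, and many of them coming from one small address range) can be automated. The following is an added example, not anything from this blog’s log tooling: a Python script that parses a few constructed Apache combined-format log lines, pulls the claimed search term out of each search-engine referrer, and groups those terms by source /24. The 65.55.165.x addresses are the ones named above; the referrer URLs, timestamps and user agents are made up, and the list of search-engine hostnames is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format. The 65.55.165.x
# addresses are those named in the post; everything else is invented.
SAMPLE_LOG = """\
65.55.165.63 - - [12/Feb/2008:10:01:02 -0600] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=standards" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
65.55.165.72 - - [12/Feb/2008:10:03:11 -0600] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=wordpress" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
65.55.165.95 - - [12/Feb/2008:10:04:40 -0600] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=scripts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
65.55.165.12 - - [12/Feb/2008:10:06:09 -0600] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=university" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
65.55.165.116 - - [12/Feb/2008:10:07:55 -0600] "GET / HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=havlik" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.5 - - [12/Feb/2008:11:15:30 -0600] "GET /about/ HTTP/1.1" 200 4096 "http://www.google.com/search?q=john+havlik" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
198.51.100.9 - - [12/Feb/2008:11:20:00 -0600] "GET /feed/ HTTP/1.1" 200 2048 "-" "FeedReader/1.0"
"""

# Apache combined format: ip ident user [time] "request" status size "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed hostnames of the search engines whose referrers carry a q= parameter.
SEARCH_HOSTS = ("search.live.com", "www.google.com", "search.yahoo.com")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claimed_query(referrer):
    """Return the search term a referrer claims, or None if it is not a search-engine referrer."""
    if referrer == "-":
        return None
    u = urlparse(referrer)
    if u.hostname not in SEARCH_HOSTS:
        return None
    q = parse_qs(u.query).get("q")
    return q[0].lower() if q else None


def slash24(ip):
    """Collapse an IPv4 address to its /24, e.g. 65.55.165.63 -> 65.55.165.0/24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(log_text):
    """Map each source /24 to the set of distinct search terms its hosts claimed."""
    by_block = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        term = claimed_query(rec["ref"])
        if term:
            by_block[slash24(rec["ip"])].add(term)
    return by_block


def suspicious_blocks(log_text, min_terms=3):
    """Blocks whose hosts claim at least min_terms distinct search terms.

    One visitor arriving from one search is normal; one address range arriving
    from many unrelated searches is the referrer-spam pattern the post describes.
    """
    return {blk: sorted(terms) for blk, terms in summarize(log_text).items()
            if len(terms) >= min_terms}


if __name__ == "__main__":
    for blk, terms in suspicious_blocks(SAMPLE_LOG).items():
        print(f"{blk}: {len(terms)} distinct claimed searches: {', '.join(terms)}")
```

On the sample, only 65.55.165.0/24 is reported, with five unrelated terms; the single Google referrer from 203.0.113.5 and the feed reader with no referrer are left alone. The threshold is a starting point, not a rule: on a busy site, raise it or add the user-agent and requested path to the grouping key, since a range that always claims a different search yet always lands on the front page with the same browser string is more telling than the count alone.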

-John Havlik

[end of transmission, stay tuned]