The patient is recovering from the operation and doing well, we’re surprised is held up to that attack. The bullets were removed, and the surgeon decided to do a little liposuction while he was operating. Now that the patent is all sewn up, it’s time to step back and look at what happened.
The Weblogs.us server suffered a massive attack sometime between the 26th of October and the first week of November. Many blogs hosted by Weblogs.us were affected by the attack, which involved SQL injection as mentioned in the previous post. This attack was a spam sort of attack, not a delete/drop tables attack. Though the damage was extensive, not every blog was affected. Additionally, the attack was not limited to the WordPress blogs hosted by Weblogs.us, some of the old Moveable type blogs were affected as well. This means some some passwords were compromised, due to this global password changes may be coming later this week. JD, when looking at the extent of the damage was surprised the database server survived the attack (it was that bad, and that many malicious entries).
What the attack did was enter iframes to googlerank.info/counter which used the css value display:none; to hide them. These appeared at the bottom of every page, and were also cleverly added to some blogroll links by adding a fake and hidden <a href after itself to keep the HTML valid. Googlerank.info is a know mailware site, that preys on users of Internet Explorer. Since Firefox and other modern browsers are not affected by this site, the Russian owners started showing them a fake 404 page that they ripped from Google. Hopefully, the owners of that site will meet an untimely death.
But, the storm is not over yet, someone with malicious intents has been searching Google with the query:
intext:”leave a reply” intext:”Mail (will not be published) (required)” intext:”Responses to” site:us
This is a quick and dirty way to harvest many sites that run WordPress. I have little doubt that the intents of the individual that submitted that query are malicious (either intent to spam or hack). Thus that IP address will be blocked in the Weblogs.us firewall indefinitely.
-John Havlik
[end of transmission, stay tuned]