Surgery Complete

The patient is recovering from the operation and doing well; we’re surprised it held up to that attack. The bullets were removed, and the surgeon decided to do a little liposuction while he was operating. Now that the patient is all sewn up, it’s time to step back and look at what happened.

The server suffered a massive attack sometime between the 26th of October and the first week of November. Many blogs hosted by were affected by the attack, which involved SQL injection, as mentioned in the previous post. This was a spam sort of attack, not a delete/drop tables attack. Though the damage was extensive, not every blog was affected. Additionally, the attack was not limited to the WordPress blogs hosted by; some of the old Movable Type blogs were affected as well. This means some passwords were compromised, so global password changes may be coming later this week. JD, when looking at the extent of the damage, was surprised the database server survived the attack (it was that bad, with that many malicious entries).

What the attack did was insert iframes to which used the CSS value display:none; to hide them. These appeared at the bottom of every page, and were also cleverly added to some blogroll links by adding a fake, hidden <a href after itself to keep the HTML valid. is a known malware site that preys on users of Internet Explorer. Since Firefox and other modern browsers are not affected by this site, the Russian owners started showing them a fake 404 page that they ripped from Google. Hopefully, the owners of that site will meet an untimely death.

But the storm is not over yet: someone with malicious intent has been searching Google with the query:

intext:”leave a reply” intext:”Mail (will not be published) (required)” intext:”Responses to” site:us

This is a quick and dirty way to harvest many sites that run WordPress. I have little doubt that the intent of the individual who submitted that query is malicious (either to spam or to hack). Thus that IP address will be blocked in the firewall indefinitely.

-John Havlik

[end of transmission, stay tuned]
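
The hidden iframes and hidden blogroll links described in the post can be searched for in exported content. The following is an added example, not part of the original post or the site's own tooling: it assumes rows exported from the default WordPress tables `wp_posts` and `wp_links`, and the sample rows and the `example.invalid` URLs are constructed. It only catches inline `display:none` styles, the hiding method the post names.

```python
import re
from html.parser import HTMLParser

# Inline style that hides an element: "display:none;", "DISPLAY : none", ...
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.IGNORECASE)


class HiddenInjectionFinder(HTMLParser):
    """Collects <iframe> and <a> tags hidden with an inline display:none."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, url, line) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "a"):
            return
        attr = {name: (value or "") for name, value in attrs}
        if HIDDEN_STYLE.search(attr.get("style", "")):
            url = attr.get("src" if tag == "iframe" else "href", "")
            self.findings.append((tag, url, self.getpos()[0]))


def find_hidden_injections(html):
    """Return (tag, url, line) for every hidden iframe or link in html."""
    finder = HiddenInjectionFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_rows(rows):
    """rows: (table, row_id, html) tuples. Returns one record per finding."""
    return [(table, row_id, tag, url, line)
            for table, row_id, html in rows
            for tag, url, line in find_hidden_injections(html)]


# Constructed sample rows: one clean post, one post with an iframe appended at
# the bottom, one blogroll entry with an iframe plus a trailing hidden <a href.
SAMPLE_ROWS = [
    ("wp_posts", 12, '<p>Post with a <a href="https://example.org/">link</a>.</p>'),
    ("wp_posts", 13, '<p>Footer text</p>\n<iframe src="http://injected.example.invalid/" style="display:none;"></iframe>'),
    ("wp_links", 4, '<a href="http://friend.example.org/">Friend</a><iframe src="http://injected.example.invalid/x" style="DISPLAY: none"></iframe><a href="" style="display:none"></a>'),
]

if __name__ == "__main__":
    for record in scan_rows(SAMPLE_ROWS):
        print(record)
```
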


4 thoughts on “Surgery Complete”

  1. This is scary stuff. ADMC runs WordPress installations, and if I got hacked, I wouldn’t begin to know how to fix it.

    I continue to enjoy following your academic career. It is SOOOO much like all the hopes, dreams, and concerns that I had following that very same path fifty years ago. Only difference is you are EE and I majored in physics, but the courses are pretty much the same.

    I had calculus out of Thomas (the text by the great math teacher) and thirty years later my daughter, who also majored in physics, also used Thomas! Wonder what you are using?

    I’ve been looking for some breadcrumb code, but not sure how to integrate it into ADMC. Right now I’m working on a major revision to get us out of the frames.

    Keep the faith, and my best wishes go with you.

  2. Thanks, we’re still working out the details on how the attack happened. Our main page suffered another one this past week; this time it utilized JavaScript, and brought even Firefox to its knees.

    We are using the Marsden/Tromba text published by Freeman for vector calculus (the book is a second edition). I really do not think too highly of it. (Nothing has yet to compare to the course guides that Professor Miracle writes for the lower calculus classes, pre-calculus through calculus 3.)

    Breadcrumb NavXT is really easy to integrate into a WordPress-based website, and has an administration interface for changing settings. I’m working on the next version of it, 2.0, which I’m going to have a beta out for in a few minutes.

