Do I have SoapSoap in my WordPress?

Apparently, 100,000 WordPress sites have been compromised by this nasty. It injects redirect code in to WordPress themes.

According to an analysis posted by  Tony Perez on his blog, it’s going to be easy to spot if you’re a server administrator as in injects the code:

php function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

In to wp-includes/template-loader.php

So,

find / -name template-loader.php -exec grep {} swfobject \;

should do the trick. I’m not a PHP nut, but I don’t think swfobject is common in that file.

Update: 06-Jan-2015

The web site linked to above has an on-line scanner that’s supposed to check for this problem, so I’ve just run it against this blog. It found something here. False positive, methinks! I’ve written to them pointing out that the search may be a little naive given the subject matter of that post! Fair play for providing such a tool free of charge though. It’s a little hard to see how such a scanner could work at all, but not pick up text lifted from a compromised site.

 

Email addresses used by comment spammers on WordPress

On studying the behaviour of comment spammers I became interested in the email addresses they used. Were they genuine and where were they from? Well of course they’re not likely to be genuine, but it is possible to force them to register with an address if they want their comments to appear – even if they don’t. Here’s what I found:

When the spammers were required to register, these are the domain names they registered with:

Domain Percent
hotmail.com 25%
mailnesia.com 19%
Others (unique) 16%
gmail.com 7%
o2.pl 7%
outlook.com 5%
emailgratis.info 4%
gmx.com 2%
poczta.pl 2%
yahoo.com 2%
more-infos-about.com 1%
aol.com 1%
go2.pl 1%
katomcoupon.com 1%
tlen.pl 1%
acity.pl 1%
dispostable.com 1%
live.com 1%
mail.ru 1%
se.vot.pl 1%
acoustirack.com <1%
butala.htsail.pl <1%
cibags.com <1%
eiss.xoxi.pl <1%
justmailservice.info <1%
laposte.net <1%
pimpmystic.com <1%
twojewlasnem.pl <1%
wp.pl <1%

Where the authenticity of the address is more questionable, although the sample a lot larger, the figures are as follows:

Domain Percent
gmail.com 40%
yahoo.com 11%
Other (unique) 6%
hotmail.com 6%
aol.com 4%
ymail.com 2%
googlemail.com 2%
gawab.com 2%
bigstring.com 1%
zoho.com 1%
t-online.de 1%
inbox.com 1%
web.de 1%
yahoo.de 1%
arcor.de 1%
live.com 1%
freenet.de 1%
yahoo.co.uk 1%
comcast.net 1%
mail.com 1%
gmx.net 1%
gmx.de 1%
outlook.com <1%
live.cn <1%
hotmail.de <1%
msn.com <1%
livecam.edu <1%
google.com <1%
live.de <1%
rocketmail.com <1%
gmail.ocm <1%
wildmail.com <1%
moose-mail.com <1%
hotmail.co.uk <1%
care2.com <1%
certify4sure.com <1%
snail-mail.net <1%
1701host.com <1%
cwcom.net <1%
maill1.com <1%
wtchorn.com <1%
chinaadv.com <1%
noramedya.com <1%
o2.pl <1%
vegemail.com <1%
vp.pl <1%
24hrsofsales.com <1%
kitapsec.com <1%
peacemail.com <1%
whale-mail.com <1%
wp.pl <1%
aim.com <1%
animail.net <1%
bellsouth.net <1%
blogs.com <1%
email.it <1%
mailcatch.com <1%
rady24.waw.pl <1%
titmail.com <1%
fastemail.us <1%
btinternet.com <1%
harvard.edu <1%
onet.pl <1%
yahoo (various international) <1%
akogoto.org <1%
concorde.edu <1%
freenet.com <1%
leczycanie.pl <1%
mail15.com <1%
speakeasy.net <1%
yale.edu <1%
123inholland.co.nl <1%
SolicitorsWorld.com <1%
apemail.com <1%
buysellonline.in <1%
email.com <1%
help.com <1%
ipad2me.com <1%
ismailaga.org.tr <1%
live.fr <1%
myfastmail.com <1%
mymail.com <1%
ngn.si <1%
redpaintclub.co.uk <1%
stonewall42.plus.com <1%
traffic.seo <1%
xt.net.pl <1%
a0h.net <1%
accountant.com <1%
alphanewsroom.com <1%
att.net <1%
auctioneer.com <1%
brandupl.com <1%
canplay.info <1%
charter.net <1%
cluemail.com <1%
darkcloudpromotion.com <1%
earthlink.com <1%
earthlink.net <1%
eeemail.pl <1%
emailuser.net <1%
excite.com <1%
fastmail.net <1%
gmai.com <1%
gouv.fr <1%
h-mail.us <1%
hotmail.ca <1%
hotmailse.com <1%
hotmalez.com <1%
imajl.pl <1%
jmail.com <1%
juno.com <1%
live.co.uk <1%
mac.com <1%
mailandftp.com <1%
mailas.com <1%
mailbolt.com <1%
mailnew.com <1%
mailservice.ms <1%
modeperfect3.fr <1%
mymacmail.com <1%
nyc.gov <1%
op.pl <1%
peoplepc.com <1%
petml.com <1%
pornsex.com <1%
qwest.net <1%
rosefroze.com <1%
sbcglobal.net <1%
ssl-mail.com <1%
t-online.com <1%
thetrueonestop.com <1%
turk.net <1%
virgilio.it <1%
virginmedia.com <1%
windstream.net <1%
yaahoo.co.uk <1%
yahoo.com.my <1%
yazobo.com <1%
yopmail.com <1%
zol.com <1%

A few words of warning here. First, these figures are taken from comments that made it through the basic spam filter. Currently 90% of comments are rejected using a heuristic, and even more blocked by their IP address, so these are probably from real people who persisted rather than bots. They’re also sorted in order of hits and then alphabetically. In other words, they are ranked from worst to best, and therefore zol.com has least, or equal-least, multiple uses.

It’s interesting to note that gmail was by far the most popular choice (40%) when asked to provide a valid email address but when this was used to register this dropped to 7%, with Hotmail being the favourite followed by other freemail services popular in East Europe and Russia (many single-use and counted under “Other”). Does this mean that Gmail users get more hassle from Google when they misbehave? The use of outlook.com had an even bigger reduction in percentage terms – again suggesting it’s a favourite with abusers.

Another one worth noting is that mailnesia.com was clearly popular as a real address for registering spammers, but was not used even once as a fake address. This is another of those disposable email address web sites, Panamanian registered – probably worth blacklisting. emailgratis.info is also Panamania registered but heads to anonymous servers that appear to be in North Carolina.

Where you see <1% it means literally that, but it’s not insignificant. It could still mean hundreds of hits, as this is a sample of well over 20K attempts.

If you have WordPress blog and wish to extract the data, here’s how. This assumes that the MySQL database your using is called myblog, which of course it isn’t. The first file we’ll create is that belonging to registered users. It will consist of lines in the form email address <tab> hit count:

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

echo 'select user_email from wp_users ;' | mysql myblog | sed 1d | tr @ ' ' | awk '{ print $2 }' | sed '/^$/d' | sort | uniq -c | sort -n | awk '{ print $2 "\t" $1}' > registered-emails.txt

I have about a dozen registered users, and thousands of spammers, so there’s no real need to exclude the genuine ones for the statistics, but if it worries you, this will get a list of registered users who have posted valid comments:

select distinct user_email from wp_users join wp_comments where not comment_approved='spam' and ID=user_id;

To get a file of the email addresses of all those people who’ve posted a comment you’ve marked as spam, the following command is what you need:

echo "select comment_author_email from wp_comments where comment_approved='spam';" | mysql myblog | sed 1d | tr @ ' ' | awk '{ print $2 }' | sed '/^$/d' | sort | uniq -c | sort -n | awk '{ print $2 "\t " $1}' > spammer-emails.txt

If you want a list of IP addresses instead, try:

echo "select comment_author_IP from wp_comments where comment_approved='spam';" | mysql myblog | sed 1d | sort | uniq -c | sort -n | awk '{ print $2 "\t " $1}' > spammer-ip-addresses.txt

As I firewall out the worse offenders there’s no point in me publishing the results.

If you find out any interesting stats, do leave a comment.

WordPress ends up with wrong upload directory after moving servers

If you’ve moved WordPress from one server (or home directory) to another, everything looks fine until you come to upload a file. It then complains that it can’t write to the upload directory. Something like:


Unable to create directory /usr/home/username/wp-content/uploads/xxx/yy. Is its parent directory writable by the server?

A search through the PHP config files doesn’t reveal a path to the upload directory, and if it’s possible to change it from the Dashboard I’ve yet to find where.

The only remaining option was the mySQL database, and fishing around in the likely sounding wp_option table I found a option_name of “upload_path”. A quick query showed this was the home directory.

To save you fishing, here’s the SQL needed to set things right. Obviously select the appropriate database with “use” first!


update wp_options
set option_value='<path-to-your-wordpress-installation>/wp-content/uploads'
where wp_options.option_name='upload_path';

This is how you do it using straight SQL from the command line. If you’re using some sort of restricted web hostinig account “See your system administrator” and point them here.

Comment spam from Volumedrive

Comment spammers aren’t the sharpest knives in the draw. If they did their research properly they’d realise that spamming here was a stupid as trying to burgle the police station (while it’s open). You’ll notice there’s no comment spam around here, but that isn’t to say they don’t try.

Anyway, there’s been a lot of activity lately from a spambot running at an “interesting” hosting company called Volumedrive. They rent out rack space, so it’s not going to be easy for them to know what their customers are doing, but they don’t seem inclined to shut any of them down for “unacceptable” use. For all I know they’ve got a lot of legitimate customers, but people do seem to like running comment spammers through their servers.

If you need to get rid of them, there is an easy way to block them completely if you’re running WordPress, even if you don’t have full access to the server and its firewall. The trick is to over-ride the clients Apache is prepared to talk to (default: the whole world) by putting a “Deny from” directive in the .htaccess file. WordPress normally creates a .htaccess file in its root directory; all you do is add:

Deny from bad.people.com

Here, “bad.people.com” is the server sending you the spam, but in reality they probably haven’t called themselves anything so convenient. The Apache documentation isn’t that explicit unless you read the whole lot, so it’s worth knowing you can actually list IP addresses (more than one per line) and even ranges of IP addresses (subnets).

For example:

Deny from 12.34.56.78
Deny from 12.34.56.89 22.33.44.55
Deny from 123.45.67.0/24

The last line blocks everything from 123.45.67.0 to 123.45.67.255. If you don’t know why, please read up on IP addresses and subnet masks (or ask below in a comment).

So when you get a a load of spammers from similar IP addresses, look up to see who the block belongs to using “whois”. Once you know you can block the whole lot. For example, if you’re being hit by the bot using Volumedrive on 173.208.67.154, run “whois 173.208.67.154”. This will return:

NetRange: 173.242.112.0 - 173.242.127.255
CIDR: 173.242.112.0/20
OriginAS: AS46664
NetName: VOLUMEDRIVE
NetHandle: NET-173-242-112-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation

<snip>

If you don’t have whois on your comptuer (i.e. you’re using Windoze) there’s a web version at http://www.whois.net/.

In the above, the CIDR is the most interesting – it specifies the block of IP addresses routed to one organisation. I’m not going in to IP routing here and now, suffice to say that in this example it specifies the complete block of addresses belonging to volumedrive that we don’t want – at least until they clean up their act.

To avoid volumedrive’s spambots you need to add the following line to the end your .htaccess file:

Deny from 173.242.112.0/20

If this doesn’t work for you the the web server you’re using may have been configured in a strange way – talk to your ISP if they’re the approachable type.

I have contacted Volumedrive, but they declined to comment, or even reply; never mind curtail the activities of their users.

This isn’t a WordPress-only solution – .htaccess belongs to Apache and you can use it to block access to any web site.

Perhaps there’s some scope in sharing a list these comment spambots in an easy-to-use list. If anyone’s interested, email me. This is a Turing test :-)