Safety…
15:27 Monday 2 May 05
207.112.14.99
That is the IP address of the fuckwit who screwed up Root’s blog. Instead of being responsible when the apparent error appeared, fuckwit played – and then he had the nerve to post teasingly about it, and then when he thought he could be found out he started over all apologetic. Twat. I have the server logs and even this morning it is still poking around looking for files on Root’s site.
Here’s some info:
207.112.14.99 - - [01/May/2005:18:05:48 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 1574 "http://www.wp-blogger.com/blog/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-ca) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312"
For what it is worth, I have deleted install.php, install-helper.php, all the import.php files and the 3 upgrade files. I did this a few weeks ago when I was tidying – it won’t break your blog to do the same.
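As an added example (not code from the post or its commenters): a small Python checker that reads combined-format access log lines like the one quoted above, pulls out every request for WordPress installer/upgrader scripts, groups them by client IP, and reports which of those requests were actually served (HTTP 200, meaning the file is still on the server) and which were POSTs or carried query arguments. The sample log lines are constructed for this example and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the same layout as the line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Setup scripts a finished WordPress site should no longer serve (the post names
# install.php, install-helper.php, the import*.php files and the upgrade files).
SETUP_SCRIPTS = {"install.php", "install-helper.php"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_setup_hit(rec):
    """True when the request path targets an install/import/upgrade script."""
    name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return name in SETUP_SCRIPTS or (
        name.startswith(("import", "upgrade")) and name.endswith(".php"))

def setup_hits_by_ip(lines):
    """Map client IP -> [(status, method, path), ...] for setup-script requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_setup_hit(rec):
            hits[rec["ip"]].append((int(rec["status"]), rec["method"], rec["path"]))
    return dict(hits)

def served_ok(hits):
    """IPs that received a 200 from a setup script: the file is still present."""
    return sorted(ip for ip, recs in hits.items() if any(s == 200 for s, _, _ in recs))

def suspicious(hits):
    """Requests that are not plain GETs: a POST or a GET with query arguments."""
    return sorted((ip, m, p) for ip, recs in hits.items()
                  for _, m, p in recs if m != "GET" or "?" in p)

# Constructed sample log (not real traffic); one client reaches install.php and
# then POSTs to it, another client gets a 404 because upgrade.php was removed.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2005:18:05:48 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 1574 "-" "Mozilla/5.0"
192.0.2.10 - - [01/May/2005:18:06:02 -0500] "POST /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2005:09:12:11 -0500] "GET /blog/wp-admin/upgrade.php HTTP/1.1" 404 210 "-" "curl/7.12"
198.51.100.7 - - [02/May/2005:09:12:15 -0500] "GET /blog/index.php HTTP/1.1" 200 8000 "-" "curl/7.12"
""".splitlines()

if __name__ == "__main__":
    found = setup_hits_by_ip(SAMPLE_LOG)
    print("still served from:", served_ok(found))
    print("non-trivial requests:", suspicious(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; an IP with a 200 in the output is a sign the setup files were still there to be run.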
1
I just noticed that the wp install notice is showing up again at roots domain.
16:37 Monday 2 May 05
2
It is, yes… thankfully that will 404 and I’ve emailed Root, but something very odd is going on…
16:41 Monday 2 May 05
3
Poor Root. :(
16:53 Monday 2 May 05
4
It’s sad that so much crap can befall one person. It looks like Root has packed his WP bags and moved to Textpattern. :mad:
“Stupid people buy Macs too.” Point proved.
17:11 Monday 2 May 05
5
Mark,
I sympathise with Root. I do. However, I’m not sure what good posting the IP address of the antagonist will do.
17:23 Monday 2 May 05
6
IP address …because it shouldn’t have done it, because we might eventually find out who did it, because I have the information, because I can and because sometimes I’m a vengeful bastard :)
That about covers it.
17:29 Monday 2 May 05
7
…I just hope I stay on your good side:smile:
17:32 Monday 2 May 05
8
Poor Root, no one deserves this, least of all him. But what I really can’t get is that this ignoramus is still poking around his site! What gives?
I got that need to run install.php thing again just now, too. This is just such a mess.
18:46 Monday 2 May 05
9
If you have more logs, please pass them on. I’ve read over the code again just now, and there is no way I can see anyone’s blog can be damaged by a GET request for install.php. An attack or exploit usually will be a POST or a GET request with strange arguments in the query string. I think the guy who ran install.php was just an innocent passer-by. I’ve been to Root’s blog and seen the install message a few times. Something else is afoot.
Also, if it were a hacker that just wanted to delete things and cause trouble, you would think they would target a much more high-profile blog like one of the developers’ or download.com.
20:03 Monday 2 May 05
10
Once I have migrated I will return to this subject in more detail. I have an outline in my mind. I am not sure that this is necessarily a coding thing to that extent I agree with Matt, but if security breakdowns occur – for example – as a result of user error – or – when a rare but possible set of circumstances occur – they are equally serious, and just as devastating. But I mention in passing that the last action on the excellent and intuitive install of TXP is to DELETE SETUP PHP.
I also mention that the default mindset for WP users, including myself, is that multiple installs do not require multiple dbs. They simply have different table prefixes. That is not the way a Fantastico install works.
21:19 Monday 2 May 05
11
If they are coming from the same IP address every time, take every instance from the raw logs, write it up and send it to: abuse@primus.ca because as far as I can tell if they’re a Primus customer they are in breach of the published AUP.
Primus Telecommunications Canada Inc.
Etobicoke, CA
Range: 207.112.0.0 – 207.112.127.255
11:46 Tuesday 3 May 05
12
Gary – they did indeed come from the same IP and that abuse address has a mail from me in their inbox. Not my site so that could prove tricky but I do have the log – Matt also has a copy.
My advice also remains the same: although the reason for this happening may have been some freak server behaviour, the simple fact is that if install.php was not there, then the blog could not have been trashed. So it needs deleting.
11:55 Tuesday 3 May 05
13
Good advice, but regardless of that, if they were poking where they shouldn’t have been it’s a breach of AUP. The excuse of ‘I was just reading the blog and it broke’ won’t wash. That company seems to have a pretty good AUP when considered against some others I’ve looked at, so maybe you’ll get some joy out of it. Shouldn’t matter that it isn’t your site – raw logs and a commentary is all they should need.
Now must go double check those files still aren’t sitting on my server ;) They won’t be, but can you say paranoia? ;)
12:16 Tuesday 3 May 05
14
I have to agree Mark, whether it was a flaw in install.php or something more of a fluke type – the point’s still the same. Frankly if it was a fluke that makes me less comforted, not more. Weird and strange things do and will happen, but the ramifications of something so simple just make me incredibly uneasy. I’ve always made it a point to delete installation files, whether instructions tell me to or not… definitely will be continuing that practice!
18:41 Wednesday 4 May 05
15
[...] event the same thing from happening to the rest of us, Mark gave his opinion on the matter here, and it was discussed in the forums here. So [...]
14:06 Friday 13 May 05
16
[...] Root had a security issue resulting in a complete wipeout of his database. He wrote about it here, IfElse (Phu) suggested we do some directory housekeeping to prevent the same thing from happening to the rest of us, Mark gave his opinion on the matter here, and it was discussed in the forums here. [...]
21:45 Tuesday 24 Jan 06