Safety…

207.112.14.99
That is the IP address of the fuckwit who screwed up Root’s blog. Instead of being responsible when the apparent error appeared, fuckwit played – and then he had the nerve to post teasingly about it, and then when he thought he could be found out he started over all apologetic. Twat. I have the server logs and even this morning it is still poking around looking for files on Root’s site.
Here’s some info:
207.112.14.99 - - [01/May/2005:18:05:48 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 1574 "http://www.wp-blogger.com/blog/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-ca) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312"

For what it is worth, I have deleted install.php, install-helper.php, all the import.php files and the 3 upgrade files. I did this a few weeks ago when I was tidying – it won’t break your blog to do the same.
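Two checks a practitioner would want before writing this up or tidying a server: which client IPs requested the installer and upgrade scripts (and whether the server actually served them, i.e. the files were still there), and which of those scripts are still sitting under a WordPress root. The script below is an added example, not code from the original post or from WordPress; the log format is assumed to be Apache "combined" (the format of the line quoted above), and the file globs are an assumption about a WordPress 1.5-era wp-admin directory. The first log line is the request quoted in the post; the other lines are constructed.

```python
"""Triage helper for leftover WordPress installer/upgrade scripts.

  scan_log()                 - pull every request for wp-admin/install*.php,
                               import*.php and upgrade*.php out of access-log
                               lines, grouped by client IP, with the HTTP status
                               (200 means the file was still on disk and served).
  leftover_installer_files() - list which of those scripts still exist under a
                               WordPress root so they can be deleted.

Added example; file names and globs are assumptions, not WordPress's own list.
"""
import re
from collections import defaultdict
from pathlib import Path

# Apache/nginx "combined" format:
#   ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scripts that should not be reachable once a blog is set up (assumed names).
SENSITIVE_PATH = re.compile(
    r'/wp-admin/(install(-helper)?\.php|import[^/?]*\.php|upgrade[^/?]*\.php)$',
    re.I,
)
INSTALLER_GLOBS = ("install*.php", "import*.php", "upgrade*.php")

# Constructed sample log: the first line is the request quoted in the post.
SAMPLE_LOG = [
    '207.112.14.99 - - [01/May/2005:18:05:48 -0500] "GET /blog/wp-admin/install.php HTTP/1.1" 200 1574 '
    '"http://www.wp-blogger.com/blog/" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-ca) '
    'AppleWebKit/312.1 (KHTML, like Gecko) Safari/312"',
    # constructed: same client goes on to step 2 of the installer, still served
    '207.112.14.99 - - [01/May/2005:18:06:02 -0500] "GET /blog/wp-admin/install.php?step=2 HTTP/1.1" 200 2210 '
    '"-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-ca) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312"',
    # constructed: ordinary reader, must be ignored
    '10.0.0.5 - - [01/May/2005:18:07:11 -0500] "GET /blog/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    # constructed: probe for a script that has already been deleted, so 404
    '192.0.2.77 - - [02/May/2005:09:12:33 -0500] "GET /blog/wp-admin/upgrade.php HTTP/1.1" 404 312 "-" "curl/7.12"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_log(lines):
    """Return {ip: [(method, path, status), ...]} for requests to installer scripts."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if SENSITIVE_PATH.search(path):
            hits[rec["ip"]].append((rec["method"], path, int(rec["status"])))
    return dict(hits)


def still_served(hits):
    """Paths that came back 200: the script was still on disk when requested."""
    return sorted({path for recs in hits.values() for _, path, status in recs if status == 200})


def abuse_report(hits):
    """One summary line per client IP, suitable for pasting into an abuse mail."""
    lines = []
    for ip, recs in sorted(hits.items()):
        served = sum(1 for _, _, status in recs if status == 200)
        paths = ", ".join(sorted({path for _, path, _ in recs}))
        lines.append(f"{ip}: {len(recs)} request(s), {served} served (HTTP 200): {paths}")
    return lines


def leftover_installer_files(wp_root):
    """Installer/upgrade scripts still present under <wp_root>/wp-admin (relative paths)."""
    root = Path(wp_root)
    found = []
    for pattern in INSTALLER_GLOBS:
        for p in (root / "wp-admin").glob(pattern):
            if p.is_file():
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print("\n".join(abuse_report(hits)))
    print("still served at the time:", still_served(hits))
    print("left on disk under '.':", leftover_installer_files("."))
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))` and against the blog's document root with `leftover_installer_files("/path/to/blog")`; a 200 in the output means the script was there to be executed, and an empty list from the second call means the tidying above has been done.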

16 thoughts on “Safety…”

  1. IP address …because it shouldn’t have done it, because we might eventually find out who did it, because I have the information, because I can and because sometimes I’m a vengeful bastard :)

    That about covers it.

  2. Poor Root, no one deserves this, least of all him. But what I really can’t get is that this ignoramus is still poking around his site! What gives?

    I got that need to run install.php thing again just now, too. This is just such a mess.

  3. If you have more logs, please pass them on. I’ve read over the code again just now, and there is no way I can see that anyone’s blog can be damaged by a GET request for install.php. An attack or exploit will usually be a POST, or a GET request with strange arguments in the query string. I think the guy who ran install.php was just an innocent passer-by. I’ve been to Root’s blog and seen the install message a few times. Something else is afoot.

    Also, if it were a hacker that just wanted to delete things and cause trouble, you would think they would target a much more high-profile blog, like one of the developers’ or download.com.

  4. Once I have migrated I will return to this subject in more detail. I have an outline in my mind. I am not sure that this is necessarily a coding thing; to that extent I agree with Matt. But if security breakdowns occur – for example – as a result of user error, or when a rare but possible set of circumstances occurs, they are equally serious, and just as devastating. But I mention in passing that the last action on the excellent and intuitive install of TXP is to DELETE SETUP PHP.
    I also mention that the default mindset for WP users, including myself, is that multiple installs do not require multiple dbs. They simply have different table prefixes. That is not the way a Fantastico install works.

  5. If they are coming from the same IP address every time, take every instance from the raw logs, write it up and send it to abuse@primus.ca, because as far as I can tell, if they’re a Primus customer they are in breach of the published AUP.

    Primus Telecommunications Canada Inc.
    Etobicoke, CA
    Range: 207.112.0.0 – 207.112.127.255

  6. Gary – they did indeed come from the same IP, and that abuse address has a mail from me in their inbox. Not my site, so that could prove tricky, but I do have the log – Matt also has a copy.

    My advice also remains the same: although the reason for this happening may have been some freak server behaviour, the simple fact is that if install.php was not there, then the blog could not have been trashed. So it needs deleting.

  7. Good advice, but regardless of that, if they were poking where they shouldn’t have been it’s a breach of AUP. The excuse of ‘I was just reading the blog and it broke’ won’t wash. That company seem to have a pretty good AUP when considered against some others I’ve looked at, so maybe you’ll get some joy out of it. Shouldn’t matter that it isn’t your site – raw logs and a commentary are all they should need.

    Now must go double check those files still aren’t sitting on my server ;) They won’t be, but can you say paranoia? ;)

  8. I have to agree, Mark: whether it was a flaw in install.php or something more of a fluke type, the point’s still the same. Frankly, if it was a fluke, that makes me less comforted, not more. Weird and strange things do and will happen, but the ramifications of something so simple just make me incredibly uneasy. I’ve always made it a point to delete installation files, whether instructions tell me to or not… definitely will be continuing that practice!
