Tag Archives: When Zeroes and Ones Go Bad

Site issues.

Hacked. Again.

I was out beveraging yesterday with special guests (more on that in another post), when Ms. Karen let me know via Facebook that my blog had been hacked.

Again.

Well crap.

Again.

Luckily I have the ability to FTP into my webserver from my iPhone, so I put my blog in maintenance mode so any visitor would at least be greeted with a message of my choice other than “This site has been HACKED”.

When I awoke this morning, I killed a couple of plugins that I think potentially could have allowed the hackers in, then restored my blog from a clean backup. I guess time will tell if those plugins were the door in. If I get hacked again, that is.

Damn script kiddies.

Until next time...
Erik

Hacked

I come home tonight to find this has happened to my blog:

[screenshot: hacked20130430]

Seriously?

Lucky it didn’t appear to be too serious. Or so I hope. Someone had managed to replace my theme widgets with something that overwrote my header and made it display that mess.

*sigh*

I changed both the WordPress database, WordPress login, and FTP passwords to even more complex passwords than I used before. Here’s hoping that’s all it was. Which in itself is worrisome.

*double sigh*

And apparently the fucker(s) who did it has been busy. Just Google for “hacked by yilm4z.tr” and look at all the sites that come up.

According to the log files I keep, options were updated in my database at around 6:46pm. Luckily, I was able to unmodify what was changed.

So if any of you came to my blog around that time or later, you would have seen that mess.

This has not been my week.

Until next time...
Erik

Timing…

This showed up on wpbeginner today: WordPress Brute Force Attacks, and What You Need to Do About it. My webhost, MacHighway, also posted similar information this afternoon. For those of you who are self-hosted WordPress (or Joomla) bloggers, I suggest you read it and follow the suggested changes.

And do what I posted too, as an added measure. 😉

Until next time...
Erik

Damn Spam

I had a crapload of comment spam hit my blog today. And by crapload, I mean Oprah on a bender crapload.

So I started looking through the server log files and noticed a few patterns. Four different browser user agents were showing up on these spam entries.

So I nuked them in my .htaccess file with the following bit of code.

########## Block Old Browsers used in Facebook spam assault, 2013.04.10 ##########

RewriteEngine On
RewriteBase /
# Each RewriteCond tests the User-Agent header. NC = case-insensitive match,
# OR = chain with the next condition; the last condition has no OR, which ends the chain.
# Firefox 3.0.5, 3.0.10, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Firefox/3\.0\.10).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Firefox/3\.0\.5).*$ [NC,OR]
# Opera 8.01, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Opera/8).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(?:Opera\s8).*$ [NC,OR]
# MSIE 6.0, shows up repeatedly
RewriteCond %{HTTP_USER_AGENT} ^.*(?:MSIE\s6).*$ [NC]
# Any request matching one of the conditions above gets a 404. The "-" substitution
# leaves the URL untouched, and a non-3xx R= status stops rewriting and returns that code.
RewriteRule .* - [L,R=404]

I’m sure my regex is horrible. But it works. And I am returning a 404 instead of a 403, because with the 404 they will think the resource is no longer there.

Of course, this will just work until the script kiddies change the user agent. But they tend to be pretty lazy.

I’ll have to analyze the logs a bit more when I get the chance. It’s an interesting attack coming from random IP addresses. Which means more people aren’t using protection. On their computers.
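As an added example, not code from the post: a small Python script that reads Apache combined-format access log lines (the sample lines are constructed, not from my server) and tallies hits by the same user-agent fragments the .htaccess block above rejects, along with the distinct source IPs behind each. This is the kind of pass through the logs that surfaces the pattern in the first place.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:21:02:11 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 5 "http://blog.example/2013/04/post/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10"
198.51.100.23 - - [10/Apr/2013:21:02:40 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 5 "http://blog.example/2013/04/post/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
192.0.2.77 - - [10/Apr/2013:21:03:02 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Opera/8.01 (Windows NT 5.1; U; en)"
203.0.113.9 - - [10/Apr/2013:21:03:15 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.23 - - [10/Apr/2013:21:04:01 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
192.0.2.200 - - [10/Apr/2013:21:05:30 -0500] "GET / HTTP/1.1" 200 18273 "-" "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
"""

# One combined-format line: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The same fragments the .htaccess RewriteConds look for (substring match, case-insensitive).
BLOCKED_UA = re.compile(r"Firefox/3\.0\.10|Firefox/3\.0\.5|Opera/8|Opera\s8|MSIE\s6", re.IGNORECASE)


def would_block(user_agent):
    """True if the .htaccess rules above would answer this User-Agent with a 404."""
    return BLOCKED_UA.search(user_agent) is not None


def spam_report(log_text):
    """Count hits per blocked UA fragment and collect the distinct source IPs behind each."""
    hits = Counter()
    ips = defaultdict(set)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1          # keep a count so a format mismatch is visible, not silent
            continue
        ua_match = BLOCKED_UA.search(m.group("ua"))
        if ua_match:
            key = ua_match.group(0).lower()   # normalise "MSIE 6" / "msie 6" to one bucket
            hits[key] += 1
            ips[key].add(m.group("ip"))
    return {
        "hits": dict(hits),
        "ips": {k: sorted(v) for k, v in ips.items()},
        "spam_ips": sorted(set().union(*ips.values())) if ips else [],
        "blocked": sum(hits.values()),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    r = spam_report(SAMPLE_LOG)
    for ua, n in sorted(r["hits"].items()):
        print(f"{ua:16} {n} hit(s) from {len(r['ips'][ua])} IP(s)")
    print(f"{r['blocked']} request(s) would get a 404; {len(r['spam_ips'])} distinct source IPs")
```

Many hits spread across many IPs with only a handful of distinct user agents is the signature this block keys on; if the IPs start to repeat, an IP-based rule becomes the better lever.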

I posted this just in case anyone else is having this problem.

Off to bed I go. Long day. Before I even noticed this mess.

Until next time...
Erik