Attack of the Splog

Akismet caught a trackback from a spam blog hosted at kouragethekowardlydog.adoption23.info. The trackback was an excerpt of one of my previous posts, prefaced with “Check it out! While looking through the blogosphere we stumbled on an interesting post today. Here’s a quick excerpt:”

An Unexpected Party

The Lyceum blog that existed there (and at dozens of other subdomains on adoption23.info) was populated with thousands of similarly stolen posts, written a hundred at a time by a user named “garry”. I’m not sure what motive there is behind copying the poorly-written content of the blogosphere, and maybe it’s fair use, but this site was definitely up to no good.

The first thing to do in this situation is to figure out who operates the site. Firing off a WHOIS request gave me the following information:

Name:  Garry Thompson
Street:  125 Franklee Lane
City:  Allentown, PA 18109
Phone:  (484) 519 0150
Email:  garrylthompson0@gmail.com

Great, just send off an e-mail asking this guy to kindly stop, right? Not so easy, considering the address doesn’t exist and the phone number is not in service. (Have to give him credit for using the right area code, though!) Time to file a WHOIS Data Problem Report and move on.

I considered writing a DMCA takedown notice to the host, but the IP address (74.50.109.2) mapped to the hosting company Noc4Hosts, now HiVelocity.net, which seems to have a history of being patronized by spammers. I’d be surprised if they would have acknowledged it.

On the Doorstep

Thanks to Lyceum, I was able to set up my own blog on the server and look around from a new vantage point. There wasn’t too much to see, but the Lyceum plugin management screen began to give me an idea of how the site was operated:

The plugin WP Autoblog parses a list of RSS feeds and reposts their contents to a blog. However, the version run on adoption23.info was modified to use a variety of feed aggregates offered by services like Technorati.

I later learned that the search queries it was using were words like “the” and “be,” intended to catch every blog post that hit the ‘net — and doing a pretty good job at it too.

I wasn’t sure what Blog Cloaker was doing, other than adding this options page which didn’t seem to do anything.

Thief in the Night

Once I understood how the site was getting my content, I began looking for ways to stop it. After many hours of digging through source code looking for vulnerabilities, I finally found one in WP Autoblog: When requesting a feed on a secure HTTP server, the plugin invokes cURL via the command line, but doesn’t sanitize the input:

exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." ".$URI,$results,$return);

As such, I could have the remote system execute any shell command by adding a feed starting with https://google.com/; to Autoblog’s list.
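For contrast, here is how that exec() call should have been written. This is an added example, not WP Autoblog’s code: it keeps the names from the quoted line ($curl_path, $headerfile, $cmdline_params, $URI) but the validation helper, the array form of $cmdline_params and the sample values are assumptions.

```php
<?php
// Added example (not the plugin's own code): hardening the cURL exec() call quoted
// in the post. The vulnerable line interpolated $URI raw into a shell string, so any
// shell metacharacter in a feed URL became a command. Two fixes below:
//   1. only accept http(s) URLs with a host before anything reaches the shell;
//   2. pass every variable part through escapeshellarg() as its own argv element.

// Returns the trimmed URI if it is a plausible feed address, null otherwise.
function validate_feed_uri(string $uri): ?string {
    $uri = trim($uri);
    if (filter_var($uri, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($uri);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $uri;
}

// Builds the command line. $cmdline_params is an array here (assumed; the plugin used
// a string) so each option is quoted separately instead of being re-parsed by sh.
function build_curl_command(string $curl_path, string $headerfile, array $cmdline_params, string $URI): ?string {
    $safe_uri = validate_feed_uri($URI);
    if ($safe_uri === null) {
        return null;           // reject instead of silently fetching something odd
    }
    // The original also interpolated $headerfile into "/tmp/..."; basename() keeps
    // the header dump inside /tmp even if the value carries a directory component.
    $header_path = '/tmp/' . basename($headerfile);
    $argv = array_merge([$curl_path, '-D', $header_path], $cmdline_params, [$safe_uri]);
    // escapeshellarg() wraps each element in single quotes and escapes embedded quotes,
    // so a trailing ';' in the URI is just part of the path, not a command separator.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample input; the URI ends in ';' like the one mentioned in the post.
$cmd = build_curl_command('/usr/bin/curl', 'hdr-123.txt', ['-s', '-L'], 'https://example.com/feed/;');
// $cmd: '/usr/bin/curl' '-D' '/tmp/hdr-123.txt' '-s' '-L' 'https://example.com/feed/;'
if ($cmd !== null) {
    exec($cmd, $results, $return);
}
```

Better still is to drop the shell entirely and use PHP’s curl_init()/curl_setopt() functions, which take the URL as a plain string and never touch sh.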

After toying around with it for a while, I managed to get the source to the Blog Cloaker plugin (download). The goal seems to be to bring visitors to a splash page while showing search engine bots the swiped content, but the plugin is so poorly written that it in fact does nothing.

I also got the database login that Lyceum was using, lyceum/indianseafaring551 and the MD5 hash of the owner’s password (8ee2a30872178a8f4f1321fd28a587ca), but didn’t manage to extend my reach any.

The Clouds Burst

After I got my shell and started testing its limits, I discovered that phpMyAdmin is running unprotected on the server, and things became less fun :-(

At any rate, the site’s down, but I’m feeling better… In retrospect, I think it would have been better to flood the box’s HDD so that they got charged extra.
