Hacks, exploits & WordPress cheats
Wednesday, 29 July 2009 04:59

In a previous post, I discussed what could be learned from web server logs. Of late, I've been spotting something different in the logs: the tell-tale tracks of some of the net's shadier denizens. So I thought I'd take a look to see what I can learn from their footprints and leavings.

The hack

This was your garden variety SQL injection attack, which is quite common and typically relies on a web page with poorly designed input validation. The evil-doer introduces a specially crafted string of characters into a web page function that passes it on to the database to be executed. In the attack on my blog, an SQL statement was passed as a parameter to a page instead of the expected page name:

-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/

If my blog had been susceptible, it would have sent this string to the database, which would have interpreted it as two queries joined together: the first a request for page -99999 (which doesn't exist), the second returning a list of user names and passwords, granting the attacker administration access to my blog. This particular attack is an exploit of a WordPress plugin that I'm not actually using, so I was never at risk. This time.

The exploit

Closely related to the SQL injection attack is this exploit, which also involves poorly validated input. It differs in that it relies on a weakness in a particular plugin: the plugin is passed specially formatted input, a long string of directory changes that provides access to important system files on the web server:

main.php?pg=../../../../../../../../../../../../../../../../etc/profile%00

The idea behind this one is to move up the directory chain to the root folder and then access the profile file (on Linux machines), giving the attacker the ability to upload an executable to the web server and open or execute any file that the web server has access to. Like the previous example, this only affects a specific plugin which, again, I am not using.
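As an added example (not the post's own code), here is a small Python scanner that applies the two footprints described above, the comment-obfuscated UNION SELECT and the ../ chain ending in %00, to web server log lines; the log lines, IP addresses and plugin path it contains are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style log lines (not from the post): a normal request, the two
# attack strings quoted above, and a percent-encoded SQL injection that grep would miss.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jul/2009:04:59:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2009:04:59:02 +0000] "GET /index.php?page=-99999/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users/ HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2009:04:59:03 +0000] "GET /wp-content/plugins/example/main.php?pg=../../../../../../../../../../../../../../../../etc/profile%00 HTTP/1.1" 404 210 "-" "curl/7.19"
203.0.113.11 - - [29/Jul/2009:04:59:04 +0000] "GET /index.php?page=%2D99999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 200 812 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
TRAVERSAL_RE = re.compile(r"(?:\.\./){2,}")

def normalize(path):
    """Percent-decode until stable (double encoding), turn SQL comments such as
    /**/ back into the spaces they stand for, and lower-case for matching."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return re.sub(r"/\*.*?\*/", " ", path).lower()

def classify(path):
    """Return the attack class for one request path, or None if it looks benign."""
    p = normalize(path)
    if UNION_SELECT_RE.search(p):
        return "sql injection"
    # ../ chains walk up to /; a decoded %00 is the null byte that truncates
    # whatever suffix the plugin appends to the requested file name.
    if TRAVERSAL_RE.search(p) or "\x00" in p:
        return "path traversal"
    return None

def scan(log_text):
    """Return (client_ip, attack_class, raw_request_path) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        kind = classify(m.group(1)) if m else None
        if kind:
            findings.append((line.split(" ", 1)[0], kind, m.group(1)))
    return findings

if __name__ == "__main__":
    for ip, kind, path in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:15} {path}")
```

Pipe a real access log in place of SAMPLE_LOG and the flagged lines show which plugin paths are being probed, which is the quickest way to check whether the plugin is installed at all.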

The cheats

I've been seeing a lot of these guys lately: spammers. I'm new to the blogging game, and I got my first spam message a couple of days after my blog went live. I was suspicious at first, but I decided to approve it for display, thinking that it couldn't do any harm. I had no idea how wrong I was. First, though, I'd like to share a couple of examples of the sort of thing you should be keeping watch for if you run a blog or forum. Sometimes the spam is nonsense:

Everything dynamic and very positively!

Other times it's a generic message that could be applied to any post:

Thanks for posting about this, I would like to read more about this topic.:

And then there are the blindingly obvious ones:

wow nice blog!Please visit back my blogthank you :)

Each of these messages came with a link that pointed at a scam website. The reason the message was posted on my site is that the cheats are trying to boost the PageRank of their site by leeching hard-earned PageRank from my site (if I had any!). The way Google calculates the rank of a web site is complicated, but two of the more important measures are who the site links to and who it receives links from. By allowing these spammers to post their links on my site, I am vouching for their honesty. After a while, Google will cotton on to the fact that these sites are scams and demote them accordingly, and because I'm linked to them, Google will assume that my site is in on the scam and my blog would be demoted too. There's more information on how Google calculates PageRank on Matt Cutts' site. I did leave out one little thing, and that's WordPress' "nofollow" policy for comments, but that's a discussion for another time.

Protection

So, how do you avoid getting hacked or exploited? Obviously, keep your blog and plugins up to date, which WordPress makes easy with its alerts. Don't ignore them. As for the spammers, short of Googling every comment (which shows whether any other blog got the exact same message), I would recommend using Akismet. In my experience it has so far been pretty accurate at spotting the cheats and quarantining them. It needs a WordPress.com API key to activate, which you can get by signing up at WordPress.com; you can get a key even if your blog isn't hosted there.
