Shoemoney.com Hacked?

efeezy · Jan 22, 2010

Was going to check out his photos from ASW, but the site is getting redirected to a Torrent site by the looks of it. Check it out.

ShoeMoney® - Its Like Fishing With Dynamite

I'm sure it will be fixed at some point...but I doubt he even knows about it.

barman · Jan 22, 2010

Hellrot · Jan 22, 2010

I wonder how much of their 10k+ visitors a day come from their hacking efforts.

godfly · Jan 22, 2010

definitely hacked. or maybe it's deliberate. dunno.

Corey · Jan 22, 2010

It looks like he fixed it now.

high risk · Jan 22, 2010

efeezy said:
I'm sure it will be fixed at some point...but I doubt he even knows about it.

well he does now that you spoiled it :1orglaugh:

bullet-ride · Jan 22, 2010

Fixed now. Any screenshots?

ShoeMoney · Jan 24, 2010

It was pretty crafty how it was done. I sent over the exploit to wordpress and they said they are investigating it. I have been able to douplicate it on 2 fresh installs so.... watch your rpc file. Newest version of wordpress is vulnerable.

Good timing on their part as most of my team with access to fix it was in the air traveling to vegas again.

For those asking for screenshots it wasnt defaced or anything... a meta refresh was injected in every post on shoemoney.com.

To fix we immediatly made mysql read only and investigated until we found the source. Then restored sql from a backup.

kblessinggr · Jan 24, 2010

ShoeMoney said:
It was pretty crafty how it was done. I sent over the exploit to wordpress and they said they are investigating it. I have been able to douplicate it on 2 fresh installs so.... watch your rpc file. Newest version of wordpress is vulnerable.

Good timing on their part as most of my team with access to fix it was in the air traveling to vegas again.

For those asking for screenshots it wasnt defaced or anything... a meta refresh was injected in every post on shoemoney.com.

To fix we immediatly made mysql read only and investigated until we found the source. Then restored sql from a backup.

So somehow someone exploited the the database via the XML-RPC remote publishing?

MDSandB · Jan 24, 2010

Chinese/Russians - who do we blame for it?

kblessinggr · Jan 24, 2010

MDSandB said:
Chinese/Russians - who do we blame for it?

If it were my box, I wouldn't blame the chinese as I have all of China and Korea blocked from my server. (lol, less of course the proxy from somewhere else, but most automated attacks don't).

ShoeMoney · Jan 25, 2010

kblessinggr said:
So somehow someone exploited the the database via the XML-RPC remote publishing?

ya the rpc.php file is probbaly the source of 99% of the hacks that do sql injections. I normally run mod_security which drastically helps but doesnt fix these sploits.

kblessinggr · Jan 25, 2010

ShoeMoney said:
ya the rpc.php file is probbaly the source of 99% of the hacks that do sql injections. I normally run mod_security which drastically helps but doesnt fix these sploits.

I'd remove it and just condition one's self to actually log into the site to post/update.

tainted · Jan 25, 2010

If it were my box, I wouldn't blame the chinese as I have all of China and Korea blocked from my server. (lol, less of course the proxy from somewhere else, but most automated attacks don't).

Not gonna help you. Most of the Chinese shit we deal with at work comes from either Turkish or Mexican proxies. Can't block those countries since they are our main customers =/

omgyams · Jan 25, 2010

kblessinggr said:
I'd remove it and just condition one's self to actually log into the site to post/update.

In addition it's also responsible for pingbacks and trackbacks.

Edwin · Jan 26, 2010

Is there anything you can do using .htaccess to protect the rpc.php file?

igl00 · Jan 26, 2010

only thing u can do is have bnewest version that fixes bugs.. but the bug has to be found somehow aka somebody has to be hacked

ShoeMoney · Jan 26, 2010

Edwin said:
Is there anything you can do using .htaccess to protect the rpc.php file?

You could use allow and only allow certain ips to hit it... or you can rename it... but if you use any 3rd party stuff they will break

FYI Techcrunch got hacked this morning with the same thing exact thing

TechCrunch Hacked

We sent them our fix.

Still no response from wordpress although techcrunch getting hacked puts it on the board =P

The crazy thing about TC getting hacked is all the sites that syndicate TC posts (washington post, WSJ, Businessweek) all were redirecting to the torrent and port sites too.

amanda11 · Jan 26, 2010

Cool story bro

bprimeelite · Jan 26, 2010

Wordpress has a habit of updating every 2-3 weeks with stupid features while always leaving huge security exploits especially when you use plugins where the developers can't upgrade to the new system fast enough.

Shoemoney.com Hacked?

Well-known member

New member

New member

The Widow's Son

True Blood Quote Here.

game of global domination

minor internet superstar

New member

PedoBeard

Compbizz.com

PedoBeard

New member

PedoBeard

New member

WF Premium Member

New member

Elite Blackhatter

New member

Hustle hard

New member