Strange comment posted with SQL in

  • Has anyone else had a comment like this show up and know what is it’s intended effect? I assume an SQL injection attempt but it seems pointless to inject a comment?

    Gen Drebery’,'[email protected]’,”,’63.2.12.45′,’2008-01-24 23:06:25′,’2008-01-24 23:06:25′,”,’0′,’Internet Explorer’,'comment’,'0′,’0′),(’0′, ”, ”, ”, ”, ‘2008-01-25 23:06:25′, ‘2008-01-25 23:06:25′, ”, ’spam’, ”, ‘comment’, ‘0′,’0′ ) /*

    The comment was posted from IP 69.31.80.66

    Googling “Gen Drebery” implies it has been posted as a comment on 700+ WordPress-powered blogs but none of them actually show the comment.

Viewing 9 replies - 1 through 9 (of 9 total)

  • That’s certainly spam.

    Are you using Akismet Spam filter? I’m interested if this got by Akismet.

    Thread Starter pitofdarkness

    (@pitofdarkness)

    I have moderation on for all non-registered users (not that I expect many comments anyway as my blog is just me messing around writing and keeping a few friends up to date on my stuff) so it was sat in the moderation queue..

    I looked in the Apache log for the IP address and found this additional oddness:

    69.31.80.66 - - [24/Jan/2008:15:06:19 -0800] "POST /wp-trackback.php HTTP/1.0" 200 454 "-" "Python-urllib/1.17"
69.31.80.66 - - [24/Jan/2008:15:06:20 -0800] "GET /wp-trackback.php?p=207 HTTP/1.0" 200 438 "-" "Python-urllib/1.17"
69.31.80.66 - - [24/Jan/2008:15:06:21 -0800] "GET /wp-login.php?action=logout HTTP/1.0" 200 980 "-" "Python-urllib/1.17"
69.31.80.66 - - [24/Jan/2008:15:06:22 -0800] "POST /wp-trackback.php?p=207 HTTP/1.0" 200 397 "-" "Python-urllib/1.17"
69.31.80.66 - - [24/Jan/2008:15:06:23 -0800] "POST /wp-trackback.php?p=207 HTTP/1.0" 200 1098 "-" "Python-urllib/1.17"
69.31.80.66 - - [24/Jan/2008:15:06:24 -0800] "POST /wp-trackback.php?p=207 HTTP/1.0" 200 1098 "-" "Python-urllib/1.17"

    thats just normal spam attempts.

    Hey,

    I’ve had the same comment by Gen Drebery. I’m using the Akismet Spam filter, but this comment was not catched, so it ended up in my moderation queue.

    Possibly not related, but I just discovered that my blog has been compromised. One spam link was found in the content of a post. (Could be an SQL injection? But into the wp_posts table?) The other was a link inserted into my theme’s index.php file. (Yikes. I disabled ftp, and chmodded the hierarchy and changed my password after that.)

    Just found the same thing am running Akismet. Going to check the database.

    Thread Starter pitofdarkness

    (@pitofdarkness)

    Have had a look at the post the comment was on and a couple of other posts, as well as the users, comments and options tables and couldn’t find anything odd. Also checked the .php files for my themes and no odd links there either.

    Googling Gen Debrery now shows nearly 5000 WordPress-powered sites.

    Maybe the idea is to try to SQL inject a comment so that the blog can be comment-spammed in future using that name if it has “Comment author must have a previously approved comment” enabled? (unsure if that would even work).

    Is this a security hole in WordPress that’s been exploited before? I also have seen this, and I noted that the comment was caught not by Akismet, but ended up in my moderaton queue, but is it possible that the damage as already been done at this point?
    Screenshot

    Seems Gen is everywhere – this from my blog

    Gen Drebery’,’[email protected]’,”,’63.2.12.45′,’2008-01-30 20:06:50′,’2008-01-30 20:06:50′,”,’0′,’Internet Explorer’,’comment’,’0′,’0′),(’0′, ”, ”, ”, ”, ‘2008-01-31 20:06:50′, ‘2008-01-31 20:06:50′, ”, ’spam’, ”, ‘comment’, ‘0′,’0′ ) /* | None | IP: 124.217.231.53

    None…

    None…

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘Strange comment posted with SQL in’ is closed to new replies.