StatPress found forum=-99999
This seems to relate to WordPress Forums and an exploit on them. I found this in my StatPress info pages and wanted to look it up. It took a while to find what it was and it seems to be a hack attmept.
=============================
200.84.23.21 more info
Linux, Firefox 2
200.84.23-21.dyn.dsl.cantv.net
Mozilla/5.0 (X11; U; Linux i686; ru; rv:1.8.1.14) Gecko/20080604 Firefox/2.0.0.14
2009/07/23 01:22:54
forum=-99999 (and then a bunch more to the link address)
=============================
Just before the "forum=-999... it had my domain name. I found some explination at this page. I would copy that link and go to MegaProxy and then go to that site. This is on purpose. Those guys know a lot more than I do about getting your info, so better safe than sorry.
Also I translated a page from Turkey that seems to be distrubiting this stuff, I won't post the code here just the translation of how it works.
=============================
Exploit written in python Language Usage Exploit PC de python folder to the directory where py uzantili are saved as cmd then to (from MS-Dos) exploit to the directory where the command Geciyoruz python exploit the adi.py Site Links Only Members can see it .. i = (the site links only Members can see ..) etc etc. This shape.
#! / usr / bin / python # WordPress SQL / RFI / CGI scanner. SQL will check # for md5's in the source and RFI / CGI will use # http responses.
Links Only Members can see # in the site .. # d3hydr8 [at] gmail [dot] com
import sys, urllib2, re, time, the site links only members can see ..
# Bad HTTP Responses BAD_RESP = [400,401,404]
=============================
I did an antivirus scan and just plain put eyeballs on the site with ftp and found nothing on my site, but if you see this in StatPress, you might want to give your site the once over.
Vic