Weblog entry #473 for simonw
All those checked are (or were in the case of defaced ones) running Wordpress or Joomla.
This spammer has stuck PHP redirectors named "yahooo.php" or "yahooocool.php" into all the sites they have compromised.
I've notified the worst affected hosting providers, but the list is clearly incomplete, so your absence doesn't mean you aren't compromised.
However, it was enough to make me run 'find . -name "yahooo*php"' over our clients' hosting space - just in case - fortunately nothing found.
I'd suggest it to those out there doing hosting of Wordpress or Joomla, especially any sites with Joomla 1.5 (or earlier - no surely not).
Joomla 1.5 was the long-term stable release, but support expired December last year. So presumably it is compromised, or a common plugin is compromised. Probably a good time to upgrade if your site isn't owned already.
Wordpress versions include 3.4.2 and 3.5. I've asked a couple of those running recent Wordpress if they can tell me what happened.
I suspect this is old news in the vulnerability stakes - it usually is - but it's rare that the spammers give quite such a comprehensive list to someone who knows what it means, and since the spammers have been giving me such a hard time I figured I'd spend half an hour sharing it with those who need to know.
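For hosts with many client sites, the find check mentioned in the post can be extended into a sweep that also lists which sites are affected and signals a hit through its exit status. This is an added example, not the author's script; it assumes each client site sits in its own directory directly under the root you pass in, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sweep a hosting tree for the redirector file names reported
# in the post (yahooo.php, yahooocool.php).
# Assumption: each client site is a directory directly under ROOT.

# find_redirectors ROOT -> one matching path per line
find_redirectors() {
    # Same pattern as the post's find command; -iname also catches case variants.
    find "$1" -type f -iname 'yahooo*php' 2>/dev/null | sort
}

# affected_sites ROOT -> each top-level site directory containing a hit
affected_sites() {
    root=${1%/}
    find_redirectors "$root" | while IFS= read -r path; do
        rel=${path#"$root"/}          # path relative to the hosting root
        printf '%s\n' "${rel%%/*}"    # first component = site directory
    done | sort -u
}

# sweep ROOT -> report for cron or manual use; returns 1 when anything is found
sweep() {
    hits=$(find_redirectors "$1")
    [ -z "$hits" ] && { echo "no redirector files under $1"; return 0; }
    echo "redirector files found:"
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ln "$f"    # numeric owner, size and mtime help date the compromise
    done
    echo "affected sites:"
    affected_sites "$1"
    return 1
}

# Run a sweep when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    sweep "$1"
fi
```

A clean result only means these two file names are absent; as the post says, absence from the list does not mean a site is not compromised.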