More on the hacker who briefly brought baldie enterprises to a shuddering halt the other day. The problem is now fixed and I haven’t got time to investigate properly, but I no longer have any reason to believe that the attack was purely permissions-based, exploiting the tendency of most of us to 777 /wp-content/ directories. Instead this is roughly what I think happened:

1. 2007/10 “Adolfo Daine” registers as a subscriber with username adol77dai51 and email adolfodaine77@gmail.com over at the Libro Verde micro-site
2. Sometime in 2008, possibly 2008/04/11, “Adolfo Daine” uses his registered user role to exploit user security weaknesses in WordPress (versions prior to 2.5.1?), creating an additional directory /.rifled in /libro-verde/wp-admin/
3. 2008/06/02 at around 21:00 British time, long after I will have forgotten the user registration, this triggers Javascript injections into php and html files in the /libro-verde/ directory and elsewhere on the site, causing all WordPress pages and some others to cease to render.

Who is “Adolfo Daine”?

WordPress support lists a user name apparently belonging to http://www.marksaves.com, which is begging spam masquerading as political news, run by a poisson who describes himself as Mark Taylor PhD, claims to be interested in SEO, and appears to have been installing WordPress himself in September or October 2007.

Assuming this hypothesis, who else is at risk?

“Adolfo Daine” has registered for no apparent reason on WordPress sites worldwide in a variety of languages. Here are some of his targets: Demi-Fantasy, in Vietnamese, The Lair of the Cubelodyte, absoluteperplex, in German, and hundreds of others. Interestingly, none of these registrations seem to be older than September 2007.

Does “Adolfo Daine” need, like, some technical assistance?

I presume “Adolfo Daine” or “Mark Taylor” or whoever’s intention is to hijack pages, filling them with spam links, so I find it hard to understand why the string injected was sufficient to draw attention to its existence–and thus facilitate its removal–but insufficient to achieve its purpose. Does “Adolfo Daine” or “Mark Taylor” need a bit of help?

[
I'm interested in the human aspect of this, so if whoever's doing it wants to tell me more on a confidential basis of some nature, please get in touch via the contact form quoting the day in October on which you registered on the Libro Verde site.

If Mark Taylor exists, actually has a PhD, and is really engaged in legitimate business, it would be interesting to hear his public account of how he came to be mixed up in all this. If he doesn't want to go public, I know a couple of people in Atlanta who would be most happy to come and visit him.
]

Tags: markets
Categories: Les bourgeois, The law court

RSS: post comments, blog comments, blog posts

You can leave a response, or trackback from your own site.

1. Tom
   June 4th 2008 17:22

   I wasn’t sure whether I should find that picture of Dr Mark Taylor sexy or not.Then I realised that I was supposed to… check out the filename!

   That site is awesome. Even better is the associated http://www.usa180.org/ which contains a long email written by someone who appears to have been smoking meth. Truly fascinating. The italics and bold are, I believe, the computer equivalent of purple ink in a letter to ‘er Maj, I reckon. Bookmarked.

2. A Nun
   June 4th 2008 17:58

   If Dr. Tom says a site is as good as smoking meth I suppose we’ll have to believe him.

3. Trevor ap Simon
   June 4th 2008 18:00

   I don’t think he did say that, but one day he might.

4. Tom
   June 5th 2008 18:05

   No site is as good as smoking meth, so far as I know.