Update: Is It A Virus? 2017-05-28
Here we are, more than four years later and there are still plenty of hits at p=741. So, I guess I'll just put this post here and redirect to it. I suspect that plenty of the hits that get redirected will not pickup the .css file, showing that they are really just bot traffic and not real browsers. Why anyone would keep an URL in their hack junk for so long I have no idea. Losers.
Is It A Virus? 2013-09-26
WordPress is a set of PHP scripts that can be used to create a blogging web site. It uses MySQL to store usernames & stuff and it provides a fancy interface for editing your posts. It has numerous plugins that change functionality, add features or improve security. It has millions of installations and is probably one of the most popular ways for people to make blogs or just have a regular web site.
So as boring as this may sound, I occasionally go looking through my log files from my web server... and recently I noticed a lot of traffic that was going to "/s=" and "/?p=741" on my site. So I started going back through my logs and it seems that this has been going on for a while. I went back through my log files and found that the first instance was the morning of 2013-03-13 from IP address 184.108.40.206 which belongs to Xeex Communications.
220.127.116.11 – - [13/Mar/2013:10:34:57 -0500] "GET /?s= HTTP/1.1" 200 35151 "/?p=741" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
On it's own, this kind of entry would normally be ignored. The /?s= URL is essentially a blank search which is something a human probably wouldn't do on a web site but it is a valid URL. And as you can see, the user-agent looks like a reasonable browser to be using (assuming that you are okay with running Internet Explorer). Over the months this URL has been hit many times with a wide range of user-agent strings and it generally blended in pretty well with the other entries around it – so it went unnoticed. Until I started seeing a LOT of traffic hitting this URL with a user-agent string of
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
Now I don't take much issue with people wanting to run Mac computers, but I had a really hard time believing that my rants were that interesting to Mac users. I ended up making a post at the wordpress.org forums and another post at webmasterworld.com but I still wasn't quite sure what was actually causing the traffic… until this morning. I have been doing all kinds of crap to figure out how to stop this traffic and finally today I tried browsing to one of the sites like this, and it gave me an Apache Test Page. I tried a few others and a bunch of them gave me Apache Test Pages. What is interesting about them, is that almost all of them were CentOS Apache Test Pages. I swear I had tried this before but was getting "can not connect" errors (which would mean a web server is not even running on the machine). I must have been using IP addresses from back in March or something. Anyways, obviously there is something in the mix that is vulnerable to some kind of attack.
Is it WordPress on those systems? Is it CentOS itself? It is a specific build or distribution of CentOS that hosting providers seem to be using? Is it just a particular WordPress plugin? Beats my ass, I'll have to keep digging… but at least I have an idea of where to look.