What Is This? A WordPress Attack Using “PLM”
One of my sites had this very odd entry in its log from overnight: (actual URL changed)
http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2Bhttp:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d
If you do the hexadecimal recoding a couple times you end up with:
http://www.example.com/2005/06/24/title-in-here/+[PLM=0]+GET+http:///2005/06/24/title-in-here/+[0,16925,26735]+->+[N]+POST+http:/wp-comments-post.php+[0,0,349]
And if you assume the plus marks are actually spaces:
http://www.example.com/2005/06/24/title-in-here/ [PLM=0] GET http:///2005/06/24/title-in-here/ [0,16925,26735] -> [N] POST http:/wp-comments-post.php [0,0,349]
What is this trying to do? The only software I can find referring to PLM is Fred’s ImageMagick Scripts, which I don’t think is right.
Updated information 2008-03-29 11:55am
There have been a lot of requests like this. The first request was on March 7th, 2008 at 11:39:46, and the most recent (the one listed above) was March 29, 2008 at 03:43:01. From these IP addresses:
The user agent is also varied:
3 “Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.1.4322)”
5 “Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)”
6 “Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050224 Firefox/1.0+”
4 “Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5”
1 “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0”
Is this actually not an attack, but just some web browsing tool or toolbar that is doing funky things?
Updated information 2008-03-29 12:05pm
Hmmm, another of my sites also has this type of request in its log.
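As an added example (not code from the original post), the decoding walked through above can be automated for log review: this sketch percent-decodes a logged request until it stops changing, treats plus signs as spaces, and pulls out the PLM marker and the GET/POST steps. The function names and the step pattern are assumptions built only from the single log entry shown in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample: the encoded request quoted in the post (example.com is a stand-in host).
SAMPLE = (
    "http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2B"
    "http:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B"
    "%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d"
)

# Assumed shape of one step in the trail: VERB, URL, bracketed list of integers.
STEP = re.compile(r"\b(GET|POST)\s+(\S+)\s+\[(\d+(?:,\d+)*)\]")
MARKER = re.compile(r"\[PLM=(\d+)\]")


def decode_fully(value, max_rounds=5):
    """Percent-decode until the string is stable; return (decoded, rounds used).

    max_rounds bounds the work done on hostile input with deep nesting.
    """
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def parse_plm_trail(raw):
    """Return None when no [PLM=n] marker is present, else a dict describing the trail."""
    decoded, rounds = decode_fully(raw)
    decoded = decoded.replace("+", " ")  # the post's assumption: plus marks are spaces
    marker = MARKER.search(decoded)
    if marker is None:
        return None
    steps = [
        (verb, url, [int(n) for n in nums.split(",")])
        for verb, url, nums in STEP.findall(decoded)
    ]
    return {"rounds": rounds, "plm": int(marker.group(1)), "steps": steps}


if __name__ == "__main__":
    print(parse_plm_trail(SAMPLE))
```

Run over an access log, any line for which `parse_plm_trail` returns a result can be counted by client address and user agent, which is the tally the post builds by hand.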

April 10th, 2008 at 7:20 am
I got this recently as well, you are first on Google for PLM
The referrer is simply URL encoded, you can use http://meyerweb.com/eric/tools/dencoder/ to decode it.
I am pretty sure it is an automated way of submitting spam. There must be an error in the configuration because it should not leave such a juicy trail in the referrer field!
First it tells some script to get a URL, then it instructs to post to a URL (it is easy to block spam that POSTs directly without getting first).
The numbers could be relating to what spam message(s) to post (think of it as indexes in a spam DB).
The question is, can we block it easily with RewriteCond %{HTTP_REFERER}?
April 19th, 2008 at 5:33 pm
Wow another wordpress attack? Why not just use google blogspot?