Skip to content
 

What Is This? A WordPress Attack Using “PLM”

One of my sites had this very odd entry in it’s log from overnight: (actual URL changed)

http://www.example.com/2005/06/24/title-in-here/%2B%25255bPLM=0%25255d%2BGET%2Bhttp:///2005/06/24/title-in-here/%2B%25255b0,16925,26735%25255d%2B-%25253e%2B%25255bN%25255d%2BPOST%2Bhttp:/wp-comments-post.php%2B%25255b0,0,349%25255d

If you do the hexadecimal recoding a couple times you end up with:

http://www.example.com/2005/06/24/title-in-here/+[PLM=0]+GET+http:///2005/06/24/title-in-here/+[0,16925,26735]+->+[N]+POST+http:/wp-comments-post.php+[0,0,349]

And if you assume the plus marks are actually spaces:

http://www.example.com/2005/06/24/title-in-here/ [PLM=0] GET http:///2005/06/24/title-in-here/ [0,16925,26735] -> [N] POST http:/wp-comments-post.php [0,0,349]

What is this trying to do? The only software I can find referring to PLM is Fred’s ImageMagick Scripts, which I don’t think is right.

Updated information 2008-03-29 11:55am

There have been a lot of requests like this. The first request was on March 7th, 2008 at 11:39:46, and the most recent (the one listed above) was March 29, 2008 at 03:43:01. From these IP addresses:
1 125.93.180.155
1 198.136.32.82
2 212.35.107.52
1 216.171.98.77
1 218.75.120.75
1 24.179.9.153
1 60.247.100.2
1 61.180.239.250
1 71.107.24.99
3 75.127.78.171
1 77.108.76.170
1 78.39.204.114
1 82.198.250.80
1 82.236.218.101
1 85.5.237.228
1 98.25.110.0

The user agent is also varied:
3 “Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.1.4322)”
5 “Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)”
6 “Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050224 Firefox/1.0+”
4 “Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5”
1 “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0”

Is this actually not an attack, but just some web browsing tool or toolbar that is doing funky things?

Updated information 2008-03-29 12:05pm

Hmmm, another of of my sites also has this type of request in its log.

6 Comments

  1. David Kaspar says:

    I got this recently as well, you are first on Google for PLM 😉

    The referrer is simpy URL encoded, you can use http://meyerweb.com/eric/tools/dencoder/ to decode it.

    I am pretty sure it is an automated way of submitting spam. There must be an error in the configuration because it should not leave such a juicy trail in the referrer field!

    First it tells some script to get an URL, then it instructs to post to an URL (it is easy to block spam that POSTs directly without getting first).

    The numbers could be relating to what spam message(s) to post (think of it as indexes in a spam DB).

    The qeustion is, can we block it easily with RewriteCond %{HTTP_REFERER}?

  2. jason says:

    Wow another wordpress attack? Why not just use google blogspot?

  3. Annie Keys says:

    Jason there are a lot of reasons not to use blogspot depending on what you are trying to accomplish and the flexability you would like to have in your blog. If neither of those matter to you and you just want to write about getting up early in the morning and drinking your coffee, then you have nothing to worry about. Go ahead and use blogspot otherwise you might want to consider using WordPress.

  4. Sriki says:

    Is blogger more secure than wordpress? I always prefer blogger.Now the latest improvements to blogger is amazing.Thousands of free inbuilt gadgets and a brand new look to dashboard.What else do you need.Remember it’s all FREEE!!

  5. Mike says:

    I have heard that WP is not all that secure, but there is really not contest between WP and Blogspot if you’re wanting true control.

    I’m wanting to know: Did you find out what this was, an attack or what? I ask because I see weird things in my logs sometimes and I never know whether to be suspicious or if I’m just paranoid. Please update if you can

  6. I never found out what this was, but you need to track down “weird” things in your logs. Running your own site/server means you need to be a bit paranoid.

    Comments on this post are now closed due to the insane amount of comment spam it is attracting.