Access logs and Wordpress 2.0.1

Someone I know mentioned people on myspace and xenga were regularly inlining images from his server. It made me wonder if anyone was doing that to my images. I did some log analysis for photos.xythian.com and whatcartoon.

A few people were or are inlining my images. I was surprised to see someone inlining a whatcartoon — some guy with a snake store inlined the snake twister one. When I see this kind of thing, it tempts me to insert some special bonus rewrite rules to do something — add a credit line to the image or rewrite the image to something different or something. It’s irritating when people inline with no credit. I suppose it’s even more irritating when people copy and use, which is probably also happening. I did some more log “analysis” to expand the scope of my inquiry beyond myspace and xenga:

zcat access*.gz | awk '{print $12, $8}' | sort | uniq

I paged through the resulting report, growing increasingly horrified at the sheer number of attempts to exploit one PHP program’s hole or another. I saw that a couple of random web forums had posts with a few of my images inlined. I couldn’t read either one of them — one required a login and the other was all in some language I couldn’t read. The images inlined were both coastal bird photos. The forum post I could see had many coastal bird shots inlined from all over the place, so I imagine that was the theme. Anyway, all the PHP horror finally convinced me I should upgrade to a more recent WordPress. It may not be any more secure, but at least the holes haven’t been quite as thoroughly discovered by script kiddies yet. Judging by the URLs in my log that looked like exploit attempts, PHP programmers trust query string arguments entirely too much. Virtually all of them appeared to expect someone to include or exec a query string.

There were also plenty of people looking for an awstats install to exploit.

There was exactly one attempt that I saw where someone manually (or using a fairly clever script) attempted to convince Singleshot to include some random PHP exploit using the ?in= argument to a view photo page. Of course, Singleshot is neither written in PHP nor willing to trust random query string arguments.
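Detection logic for both kinds of finding above (images inlined from other sites, and probes like the ?in= one that hand a URL to a query parameter), as an added example rather than the author's own awk pipeline: it parses combined-format access log lines, counts image requests whose referer is on an outside host, and flags requests whose query string carries a remote URL in a parameter value. The sample log lines, hosts and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Combined log format: host ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# A parameter value that is itself a URL: what an include/exec of an unchecked query argument would fetch.
REMOTE_ARG = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)

# Constructed sample lines (hosts and addresses are made up, not taken from the original post).
SAMPLE = """\
203.0.113.5 - - [10/Feb/2006:12:00:01 -0800] "GET /photos/snake-twister.jpg HTTP/1.1" 200 48213 "http://shop.example.net/snakes" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2006:12:00:02 -0800] "GET /photos/snake-twister.jpg HTTP/1.1" 200 48213 "http://shop.example.net/snakes" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2006:12:01:00 -0800] "GET /photos/tern.jpg HTTP/1.1" 200 30112 "http://photos.xythian.com/birds/" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2006:12:02:00 -0800] "GET /view?in=http://scanner.example/x.txt? HTTP/1.0" 404 211 "-" "libwww-perl/5.79"
""".splitlines()

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hotlink(rec, own_hosts):
    """True when an image was fetched with a referer on a host that is not one of ours."""
    if rec["referer"] == "-":
        return False
    if not rec["path"].split("?")[0].lower().endswith(IMAGE_EXT):
        return False
    return (urlparse(rec["referer"]).hostname or "") not in own_hosts

def is_rfi_probe(rec):
    """True when some query parameter value is a remote URL."""
    return REMOTE_ARG.search(rec["path"]) is not None

def analyze(lines, own_hosts):
    """Count hotlinks by (referring host, image path) and remote-URL probes by script path."""
    hotlinks, probes = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the regex cannot parse rather than guessing at fields
        if is_hotlink(rec, own_hosts):
            hotlinks[(urlparse(rec["referer"]).hostname, rec["path"])] += 1
        if is_rfi_probe(rec):
            probes[rec["path"].split("?")[0]] += 1
    return hotlinks, probes
```

Run it as analyze(SAMPLE, {"photos.xythian.com"}) to get the two counters; the hotlink counter is what a referer-based rewrite rule would be keyed on.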