Where am I?

I was in Washington DC for the occasion of O. Eric’s 40th birthday, which entailed excellent wine and a good time all around. Along the way, we dropped by the cherry blossom festival.

It’s a good thing I packed winter clothes: rumors of Stockholm’s early Spring are much exaggerated. But at least there’s Dilmah.

Throughout the week leading up to Easter, the weather was mercurial. The thermometer never dipped much below freezing, but there was enough wind-chill to cut through several layers of clothing.

The weekend in Stockholm was interesting. I went to the historic museum, the national museum, and… a pillow fight outside the central train station.

On the way back to Frankfurt, my Lufthansa flight was designated “City of Würzburg” - nice!

“Oh, you like beer and you’ve been to Germany? Did you visit Bamberg?” Fine - it’s only an hour from Würzburg; I’ll go.

It was worth the trip.

Today I noticed some link-spam and wp-stats iframes in my last three posts. After removing it, I went looking for the culprit. I suspect that there’s a flaw in xmlrpc.php, and that’s how my site was compromised.

219.204.252.200 - - [25/Jan/2008:07:11:30 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 2736 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
62.65.159.182 - - [25/Jan/2008:07:12:37 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 163 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
222.122.148.83 - - [28/Jan/2008:08:25:55 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 3042 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
121.144.82.209 - - [28/Jan/2008:08:26:44 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 163 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
201.0.51.181 - - [28/Jan/2008:08:27:43 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 163 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
222.122.148.83 - - [28/Jan/2008:08:25:55 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 3042 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
121.144.82.209 - - [28/Jan/2008:08:26:44 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 163 “-” “Opera/9.01 (Windows NT 5.0; U; en)”
201.0.51.181 - - [28/Jan/2008:08:27:43 -0800] “POST /wordpress/xmlrpc.php HTTP/1.0″ 200 163 “-” “Opera/9.01 (Windows NT 5.0; U; en)”

POSTs to xmlrpc.php seem like an odd thing, especially since these IPs are nothing special.

Name: softbank219204252200.bbtec.net
Address: 219.204.252.200
62.65.159.182 does not exist (Authoritative answer)
222.122.148.83 does not exist (Authoritative answer)
121.144.82.209 does not exist (Authoritative answer)
Name: 201-0-51-181.dsl.telesp.net.br
Address: 201.0.51.181
222.122.148.83 does not exist (Authoritative answer)
121.144.82.209 does not exist (Authoritative answer)
Name: 201-0-51-181.dsl.telesp.net.br
Address: 201.0.51.181

For the moment, I’ve disabled xmlrpc.php entirely. Let’s hope that fixes the problem.