MT comment spam hack

Some moron using the IP address 61.181.5.80 (which resolves to "CHINANET Tianjin province network"; needless to say, it's been banned now) has left spam in a comment on one of my posts. At least it tasted like spam (I don't write about or call for comments on pills and tits on this site) and looked like a comment (email notification, listed in the recent comments, etc.), but I soon realized that the entry body had been completely wiped out and replaced by that spam.

Weird.

Has anyone seen this before?

Update: I received an email from Ben Trott explaining it, and it's an unfortunate chain of events associated with a bug in Safari:

This is actually a bug in Safari (I assume that is what you're using? [yes]), unfortunately. What happens is this:

1) You go to edit a comment on the edit comment screen.

2) You delete the comment.

3) Your browser is redirected to the edit entry screen for the entry on which the comment was made.

4) The text of the entry is filled in with the text of the comment.

5) You save the entry to republish that entry, removing the comment from the public site.

The bug in Safari is #4 in the above steps--it seems that Safari will fill in form fields with the values from a form on the previous page, if the previous page has redirected to the current page. This is an awful bug, and I've emailed the Safari team at Apple (didn't get a response, but I assume they're rather busy). We've tried working around it by using Safari's suggested no-cache headers, etc., but that didn't help.

Just something to be careful of until it's fixed, I guess. Sorry about that. (But it's not a hack.)

I discovered another problem today, and that one may not be linked to a browser bug. I used the "search entries" form to find the troubled entry. I entered a few keywords in the search field and hit return, a rather natural way of using a search box. Except that MT performed a search and replace, replacing all occurrences of those keywords in my entire site with nothing.