So that’s what that was.
One night, a few weeks ago, I noticed that a large number of Xanga posts started appearing on Planet Xavier with the title “xangas admin owned you.” I promptly added a regex filter to Planet’s configuration file that automatically blocked all instances of that phrase, the same way I got Planet to ignore any posts with
PLANET_GO_AWAY in them. I figured it was probably some script kiddie finding their way into a bunch of student blogs, à la Gene, but didn’t think much of it.
Today, via Niall Kennedy, I found out at the Washington Post the reason why LiveJournal recently gave everyone second-level URLs, a feature that users had to pay for in the past. A group of hackers got together and found a way to steal the passwords of over 900,000 accounts there.
LiveJournal’s change caused me a little bit of trouble the other day, when scores of ancient LiveJournal posts made their way to the top of pX, forcing me to temporarily block each and every LiveJournal from the service.
That Post article made the link that I hadn’t: LiveJournal was now the third major blogging service affected by a large-scale scripting attack. I already knew of the first incident, when a prankster wrote an Ajax worm that added over a million users to his friends list. The second, however, sounded quite familiar:
Following in the footsteps of fellow blog provider MySpace, Xanga.com appears to have been infected with some kind of worm that compromises the accounts of blog users and replaces content on the sites in order to replicate.
Infected sites can easily be recognized by the following text:
xangas admin owned you.
I didn’t have to read further. I’ve since removed the filter for the Xanga worm, since Xanga has apparently long since taken care of the problem, but it kinda feels good to know that I was able to help control the spread of this particular worm with one line of code:
exclude = xangas\sadmin\sowned\syou\.