Posts Tagged ‘google’
My WordPress hacked by c99madshell script
After all the excitement of last Friday’s attempted hack on my travelblog, and the subsequent upgrade to WordPress 2.6 – I thought everything was under control. Boy was I wrong!
A few hours ago I received a blog comment (from a Mr Andrew Wong) on the travelblog:
http://www.lee-and-lucy.com/travelblog/index.php?p=5817
check this out!!
I clicked the link, my jaw dropped! It wasn’t an attempted hack, it was a very successful hack… I felt violated – in a digital sense. The threat was far from over!
From looking through the WordPress management screens, I couldn’t find a blog post with the ID #5817. I opened up phpMyAdmin to see if it was in the database; nope, nada, nothing!
I wanted to see the extent of the problem, so I googled “site:lee-and-lucy.com”, and found a “lot” of pages… oh yes, LOTS OF SPAM!
To say the least, I was furious! I wanted to; a. resolve this asap; b. find out how this happened; c. cause pain to this would-be hacker! Obviously, option c. goes against my good karma nature, but they digitally violated my site; sticking spam in places that spam should never go!!! Furious I tell you!
Digging through my WordPress files, I find a PHP script in my theme folder called “simple.php“; it contains a nested “eval(gzinflate(base64_encode()))” string. Very suspect. I try to manually decrypt the string, (replacing the eval with an echo), but it’s nested a few levels deep… so I found a snippet of code that would easily decode/decrypt it.
The script turned out to be a modified version of c99madshell, specifically focused on WordPress hi-jacks. The script tries to inject a small trojan code into one of the core WP files (for me it was the “wp-blog-header.php“). I removed the hi-jacked code, along with the “simple.php” file (from my theme folder) – then re-upgraded to the latest WordPress (2.6) … just to overwrite any other tampered files.
Hopefully this should be the end of this matter (until next time) …. I’ll be keeping a careful eye on my WordPress installations from now on.
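The layer-by-layer decoding described above can be done without running any of the PHP. This is an added example, not the snippet the author found; it assumes each layer has the usual `eval(gzinflate(base64_decode('...')))` form, and the sample input and the `wrap` helper are constructed here for illustration.

```python
import base64
import re
import zlib

# One wrapper layer: eval(gzinflate(base64_decode('<base64>')));
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)\s*;?"
)
MAX_OUTPUT = 5 * 1024 * 1024  # cap per layer so a decompression bomb cannot exhaust memory


def gzinflate(data: bytes) -> bytes:
    """Python counterpart of PHP's gzinflate(): raw DEFLATE, no zlib/gzip header."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("layer inflates past MAX_OUTPUT, refusing to continue")
    return out


def unwrap(source: str, max_layers: int = 50):
    """Peel nested layers as data only; nothing is ever eval'd or executed.

    Returns (layers_removed, innermost_source).
    """
    layers = 0
    while layers < max_layers:
        match = LAYER.search(source)
        if match is None:
            break
        source = gzinflate(base64.b64decode(match.group(1))).decode("utf-8", "replace")
        layers += 1
    return layers, source


def wrap(php: str, depth: int) -> str:
    """Build a constructed, harmless sample with `depth` nested layers."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        blob = c.compress(php.encode()) + c.flush()
        php = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(blob).decode()
    return php


# Constructed sample: a harmless echo wrapped three levels deep, as it would sit in a .php file.
SAMPLE = "<?php " + wrap("echo 'constructed harmless payload';", 3) + " ?>"

if __name__ == "__main__":
    depth, inner = unwrap(SAMPLE)
    print(f"removed {depth} layer(s); innermost code:\n{inner}")
```

Work on a copy of the suspect file pulled off the web server, and treat the decoded output as text to read, never as something to run.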
How to follow conversations on Twitter
After reading Dave’s post about Twitter being the new Facebook yesterday, I decided to give Digsby a go. (I’d heard of it previously, but I was semi-scared off by all the twittermania – it’s a bit like marmite).
Since I was only following a few tweeters there wasn’t much of a flow – so I added a couple more higher profile tweeters, like Jeff Atwood’s Coding Horror.
This morning Jeff tweeted:
I quite like #region in VS.NET, (it makes my code look/feel tidy). I was curious as to why Jeff had a problem with it, so I was tempted to reply to his tweet. But I stopped – thinking it was a bit of a fan-boy thing to do. Also I’m sure someone else would have asked the same question… which got me thinking how do you follow a conversation on Twitter?
I came across Summize (a search engine for Twitter) the other day, so tried that to see if anyone mentions #region or @codinghorror – which they do, but it’s a tad disjointed. I couldn’t follow a conversation.
So I turned to my old friend Google (how to follow conversations on twitter), and found Quotably!
Now I can follow the conversation: http://quotably.com/codinghorror/statuses/811735028
Quotably is powered by Summize, with some extra jiggery-pokery (and human intervention).
Update (03/01/2009): Quotably has now closed its doors. If anyone knows of a good alternative resource, please let me know in the comments.
“Powered by Category Cloud”
I’ve just installed Operator – a Firefox extension that highlights microformatted data on web pages.
So far I haven’t noticed any performance issues, and it’s been playing nicely with all my other Firefox extensions.
As a web developer, Operator makes me want to add more semantic mark-up to my websites, (which I already try to do). This extension will make it easier for testing purposes.
I decided to read more about the extension on the developer’s blog – to which I was pleasantly surprised to find that it uses my Category Cloud widget (plug-in for WordPress). Along with a kudos-link back to my personal website. (Thanks Mike!)
A while ago I was curious as to how many people were using my Category Cloud widget plug-in, so I added an opt-out “powered by” link. This way I could check my referrals or Google results count for “Powered by Category Cloud”.
I’ve been amazed by the outcome of this. I honestly thought that everyone would opt-out of the link, yet they didn’t! So now my PageRank has increased; I’m in the Technorati Top 10K (which I definitely don’t deserve!); and I get a steady flow of traffic (low, but consistent).
I’ve tried to support the Category Cloud widget as best I can… so maybe it’s good karma?
Converting CSV to XML
There’s a bit of functionality on one of the projects that I’m working on where I need to do a lookup. The data I’ve been given is in an Excel spreadsheet – which I needed to convert to XML (as ultimately the data will be stored in a CMS that handles XML better).
I’ve done a lot of projects where I need to convert XML to Excel (via CSV), but not many where I need to convert the other way.
I first saved the Excel as an “XML Spreadsheet” – which spat out all sorts of extra MS Office namespaces, styles, etc. Which is fine if I want to re-open the data in Excel. But I wanted the data to be cleaner (and more semantic).
I exported the Excel out as a CSV; then looked for a way to convert it to XML.
Then I found this very useful web-app tool: CSV to XML Converter by Creativyst
It did exactly what I needed! The tool has a 100Kb limit – which was great, because my CSV was 96Kb!
The outputted XML was around 450Kb – which got me thinking… if a lot of developers use that tool the way I did – then that’s a lot of load on their web-server! Maybe that’s where the new Google App Engine could come in handy?! They have the processing power and bandwidth to handle high usage!
I’d love to see other online text conversion utilities … you never know, maybe they could be all centralised on Google Apps?
All hail “The Bookninja Messiah”!
Earlier this week I’d heard that Bookninja had been hijacked, they needed some help to get their WordPress back in working order. Mark suggested that I offered my services, so I did.
George explained what the problems were since the hijack:
- Unable to publish blog posts and pages; (a blank page appeared when he tried to publish)
- All the pages had been deleted, or disappeared.
- Akismet was turned off… opening the floodgates to lots of unwanted casino and porn comment spam!
Previously, Bookninja was running an earlier version of WordPress – one that had a known exploit/vulnerability – so George quickly upgraded to the latest version. (This is all beside the point now).
George sorted out the comment spam and got Akismet back up and running.
The blank page after publishing took a while to figure out, but I got there in the end! (It was a rogue URL in the notification/ping-list).
With the mysteriously vanishing pages (as opposed to posts), my initial reaction was that they had been deleted from the database. I was about to break the bad news to George, but I thought I’d take a quick look at the database to make doubly-sure.
Lo and behold, I found them! But something weird had happened… All the WordPress pages had been converted into blog posts! This caused an issue because the permalink structure was using “?page_id=” querystring – which meant that all the page links would be broken.
I needed to find a way of bulk converting them back to proper “pages”. Good old Google pointed me towards a blog post by Jesse Caulfield that had a bit of SQL that would Convert a Post to Page.
I adapted the SQL to fit my needs:
UPDATE wp_posts SET post_type = "page" WHERE guid LIKE "%?page_id=%";
With that, Bookninja was back to normal… George has dubbed me “The Bookninja Messiah“! [Cue: Monty Python gag]
Now the hunt is on for the hijacker!
WordPress: “post.php” is blank after publishing
Whilst I was helping out Bookninja earlier this week, I came across a strange problem in WordPress.
Every time we tried to publish a new blog post (or page), there would be a pause, then the page would go blank.
(This was on the “post.php” page)
I spent a long time trying to figure out what the issue was… even longer googling it!
Several pages into the Google results, I found the answer! Thank you Sean Deasy!
WordPress posting issue solved at last
It seems that Bookninja’s hijacker added a rogue URL to the notification/ping-list (http://www.newsisfree.com/RPCCloud), who knows why it was put there, but it was definitely the cause of the blank “post.php” issue!
After removing the rogue URL, everything was working fine again!
Mozilla Prism – Bringing Web Apps to the Desktop
I feel like I’ve been living under a rock for the last couple of months. I’ve only just heard about Mozilla’s Prism – and it’s already changing the way I use web-apps.
Prism, (previously called WebRunner), is essentially a Site Specific Browser (SSB) – meaning that it’s a desktop application designed to host a single web-application. This is good for many reasons, foremost it causes fewer distractions.
So far, I have prisms set-up for most of the Google apps that I regularly use: Google Mail, Google Calendar and Google Reader. Now each of these web-applications are not open as separate tabs in my Firefox, but as individual desktop applications. (Now I don’t have to worry about finding my Gmail tab in Firefox, nor about browser-crashes.)
It reminds me of what Microsoft attempted to do with HTA – but it seemed more difficult to interface them with external web-applications.
You can read more about Mozilla Prism on their Lab’s blog. [http://labs.mozilla.com/2007/10/prism/]



