Archive for the ‘WordPress’ tag
My WordPress hacked by c99madshell script
After all the excitement of last Friday’s attempted hack on my travelblog, and the subsequent upgrade to WordPress 2.6 - I thought everything was under control. Boy was I wrong!
A few hours ago I received a blog comment (from a Mr Andrew Wong) on the travelblog:
http://www.lee-and-lucy.com/travelblog/index.php?p=5817
check this out!!
I clicked the link, my jaw dropped! It wasn’t an attempted hack, it was a very successful hack… I felt violated, in a digital sense. The threat was far from over!
From looking through the WordPress management screens, I couldn’t find a blog post with the ID #5817. I opened up phpMyAdmin to see if it was in the database; nope, nada, nothing!
I wanted to see the extent of the problem, so I googled “site:lee-and-lucy.com”, and found a “lot” of pages… oh yes, LOTS OF SPAM!
To say the least, I was furious! I wanted to: a. resolve this asap; b. find out how this happened; c. cause pain to this would-be hacker! Obviously, option c. goes against my good karma nature, but they digitally violated my site; sticking spam in places that spam should never go!!! Furious I tell you!
Digging through my WordPress files, I find a PHP script in my theme folder called “simple.php”; it contains a nested “eval(gzinflate(base64_decode()))” string. Very suspect. I try to manually decrypt the string, (replacing the eval with an echo), but it’s nested a few levels deep… so I found a snippet of code that would easily decode/decrypt it.
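A mechanical version of that decode step, added here as an example (it is not the snippet the post refers to, nor code from the original post): it peels eval(gzinflate(base64_decode('…'))) layers with Python’s zlib instead of executing anything, since PHP’s gzinflate() is raw DEFLATE. The wrap() helper only builds a constructed, harmless sample so the unwrapper can be exercised offline.

```python
"""Unwrap nested eval(gzinflate(base64_decode('...'))) obfuscation layers.

Added example, not the blog's code. Nothing here is executed as PHP; each
eval() call is replaced by the source text it would have run.
"""
import base64
import re
import zlib

# One obfuscation layer. Spacing and quote style vary between droppers,
# so be lenient about whitespace and accept single or double quotes.
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;?",
    re.DOTALL,
)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): raw DEFLATE with no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)


def unwrap(source: str, max_layers: int = 32) -> tuple[str, int]:
    """Peel layers until none remain. Returns (plain_source, layers_removed).

    max_layers guards against a sample crafted to loop forever.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER.search(source)
        if not m:
            break
        inner = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        # Splice in what eval() would have executed, in place of the call.
        source = source[: m.start()] + inner + source[m.end():]
        layers += 1
    return source, layers


def wrap(source: str, layers: int) -> str:
    """Build a constructed sample the way such obfuscators do (test input only)."""
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, like gzdeflate()
        raw = comp.compress(source.encode()) + comp.flush()
        source = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return source


if __name__ == "__main__":
    sample = "<?php " + wrap('echo "constructed sample";', 3) + " ?>"
    plain, n = unwrap(sample)
    print(f"{n} layers removed:\n{plain}")
```

Run it over a suspect file’s contents (open it, pass the text to unwrap()) and inspect the returned source rather than trusting the layer count alone; anything it could not peel stays in the output verbatim.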
The script turned out to be a modified version of c99madshell, specifically focused on WordPress hi-jacks. The script tries to inject a small trojan code into one of the core WP files (for me it was the “wp-blog-header.php“). I removed the hi-jacked code, along with the “simple.php” file (from my theme folder) - then re-upgraded to the latest WordPress (2.6) … just to overwrite any other tampered files.
Hopefully this should be the end of this matter (until next time) …. I’ll be keeping a careful eye on my WordPress installations now on.
Hindsight… It’s a wonderful thing!
A couple of hours ago I received an automated email from our Travelblog site, saying that we had a new user registration; which was strange, since we disabled that feature a long time ago! Great! We’ve just been hacked!
I put my hands up in the air, I’d been running an old version of WordPress (2.2) … which I’ve been meaning to upgrade for a long time; but hey, I’ve bought a house, had a baby and built my business during that time! It’s not been at the top of my priorities. So yes, I’m aware of the security holes/risks, etc.
Needless to say, WordPress 2.2 has an ugly security hole which allows hackers to remotely inject SQL statements into the database. I’d heard about this at the time, but thought I was covered because it relied on the hacker having a valid username/password (see the trac ticket). Well it seems they don’t!
Within a minute of receiving the new user registration email, I deleted the user account, changed our passwords and upgraded to WordPress 2.6 - which came with its own set of problems (i.e. all the category names disappeared).
Here are the details of the would-be hacker, so others know about him:
Username: sidon
E-mail: Dimka@hotmail.com
Disabling Possibly Related Links on WordPress.com
When WordPress.com introduced Snap Preview on our blogs (or is that their blogs?) at the end of 2006, I wasn’t impressed - it felt intrusive - like a JavaScript pop-up for Web 2.0! (Just given a different name). So I disabled it straight-away.
A few days ago, the WP.com team introduced a new feature “Possibly Related Posts“. At first I thought this was a great idea for finding similar content - but then I realised that it could become a mechanism for sploggers to inject links on your blog. (Obviously this feature is restricted to WP.com blogs only - which itself raises a few questions).
The other week I had a bit of a rant about how Skype sneakily installed a Firefox Extension and that they should have provided an opt-in. There has been a similar backlash about this new WP.com feature!
The blogosphere’s very own Saraswathi, the wise Lorelle, has written about her feelings on the matter and how to disable this new feature.
To turn off the new related post feature on WordPress.com blogs:
1. Go to the Administration Panels > Design > Extras.
2. Check Hide Related Links.
3. Click Update.
“Powered by Category Cloud”
I’ve just installed Operator - a Firefox extension that highlights microformatted data on web pages.
So far I haven’t noticed any performance issues, and it’s been playing nicely with all my other Firefox extensions.
As a web developer, Operator makes me want to add more semantic mark-up to my websites, (which I already try to do). This extension will make it easier for testing purposes.
I decided to read more about the extension on the developer’s blog - where I was pleasantly surprised to find that it uses my Category Cloud widget (plug-in for WordPress). Along with a kudos-link back to my personal website. (Thanks Mike!)
A while ago I was curious as to how many people were using my Category Cloud widget plug-in, so I added an opt-out “powered by” link. This way I could check my referrals or Google results count for “Powered by Category Cloud”.
I’ve been amazed by the outcome of this. I honestly thought that everyone would opt-out of the link, yet they didn’t! So now my PageRank has increased; I’m in the Technorati Top 10K (which I definitely don’t deserve!); and I get a steady flow of traffic (low, but consistent).
I’ve tried to support the Category Cloud widget as best I can… so maybe it’s good karma?
Upgrade WordPress Shell Script
Now that I’ve found my new best friend (the sourcecode short-code), I want to put it to good use.
Here’s a quick Unix shell script that I use to upgrade my WordPress installations:
#!/bin/sh
# WordPress Update Script
# Written by: Lee Kelleher
# Released: 2008-04-23
# Email: lee # at # vertino # dot # net
# Released under GPL
echo "Downloading current version of WordPress..."
wget http://wordpress.org/latest.tar.gz
echo "Uncompressing WordPress archive..."
tar -zxvf latest.tar.gz
echo "Removing downloaded archive..."
rm -f latest.tar.gz
echo "WordPress Upgrade complete!"
It’s a very very basic script… if you’re looking for something more user-friendly, (with back-ups), then either take a read of the WordPress Codex article, or download a better Unix shell script.
My version suits my purposes nicely.
Posting source code on WordPress.com
I feel like a complete n00b … I’ve only just found out how to mark-up source-code snippets on WordPress.com
It’s in their FAQs: How do I post source code?
Essentially you use the short-code: [sourcecode language='css']…[/sourcecode]
Here’s an example:
// A "Hello World!" program in C#
class Hello
{
static void Main()
{
System.Console.WriteLine("Hello World!");
}
}
I knew about WP.org plugins that did this, but I’ve been scratching my head on how to do this on WP.com for ages now!
New Richard Westbrook Site
Bodenko and Crush Design have just launched the new website for Porsche Supercup champion Richard Westbrook.
We built the site with WordPress (2.5) to take advantage of its blogging framework and also to be totally buzzword-compliant!
Personal Zeitgeist
I’ve finally started work on my zeitgeist page. My personal projects have been on the back-burner, as I’ve (obviously) had other things to think about!
Personal Zeitgeist is very easy to get up and running, although I have been making a lot of tweaks - mostly to satisfy my own coding preferences; for example: renaming the *.inc files to *.inc.php - so that nobody else can view the source-code. (That’s been one of my long-term gripes with the otherwise brilliant SimplePie.)
I’ll most likely do a lot more customisation to the zeitgeist template/theme before I set it as my default web-page.
Here are a few of the things I want it to do:
- Act as my OpenID delegate (I haven’t yet decided who to use as my default OpenID provider - most likely be WordPress.com)
- Display a set of links to all my external web-profiles (i.e. flickr, last.fm, etc.) - along with corresponding favicons, XFN and OPML. (Actually it’s probably easier to store them as OPML in the first place.)
- I’m also considering adding some tag cloud functionality - just to quench my thirst for tagging.
- Develop a few functions; specifically an email obfuscator (most likely lift the code from wp-includes)
Who knows when I’ll be able to do all this… especially when my other commitments are quite demanding!
All hail “The Bookninja Messiah”!
Earlier this week I’d heard that Bookninja had been hijacked, and they needed some help to get their WordPress back in working order. Mark suggested that I offer my services, so I did.
George explained the problems since the hijack:
- Unable to publish blog posts and pages; (a blank page appeared when he tried to publish)
- All the pages had been deleted, or had disappeared.
- Akismet was turned off… opening the floodgates to lots of unwanted casino and porn comment spam!
Previously, Bookninja was running an earlier version of WordPress - one that had a known exploit/vulnerability - so George quickly upgraded to the latest version. (This is all beside the point now).
George sorted out the comment spam and got Akismet back up and running.
The blank page after publishing took a while to figure out, but I got there in the end! (It was a rogue URL in the notification/ping-list).
With the mysteriously vanishing pages (as opposed to posts), my initial reaction was that they had been deleted from the database. I was about to break the bad news to George, but I thought I’d take a quick look at the database to make doubly-sure.
Lo and behold, I found them! But something weird had happened… All the WordPress pages had been converted into blog posts! This caused an issue because the permalink structure was using the “?page_id=” querystring - which meant that all the page links would be broken.
I needed to find a way of bulk converting them back to proper “pages”. Good old Google pointed me towards a blog post by Jesse Caulfield that had a bit of SQL that would Convert a Post to Page.
I adapted the SQL to fit my needs:
UPDATE wp_posts SET post_type = "page" WHERE guid LIKE "%?page_id=%";
With that, Bookninja was back to normal… George has dubbed me “The Bookninja Messiah“! [Cue: Monty Python gag]
Now the hunt is on for the hijacker!
WordPress: “post.php” is blank after publishing
Whilst I was helping out Bookninja earlier this week, I came across a strange problem in WordPress.
Every time we tried to publish a new blog post (or page), there would be a pause, then the page would go blank.
(This was on the “post.php” page)
I spent a long time trying to figure out what the issue was… even longer googling it!
Several pages into the Google results, I found the answer! Thank you Sean Deasy!
WordPress posting issue solved at last
It seems that Bookninja’s hijacker added a rogue URL to the notification/ping-list (http://www.newsisfree.com/RPCCloud), who knows why it was put there, but it was definitely the cause of the blank “post.php” issue!
After removing the rogue URL, everything was working fine again!