Category Archives: Wordpress

Has my blog got hacked again?!

I was checking my email when all of a sudden I saw this email: “New WordPress Blog”. I didn’t remember adding, updating or doing anything with my blog. I had thought about it yesterday though. Could it be that WordPress is so smart it read my mind?

Something was fishy; I’ve already experienced the fact that WP can be hackable sometimes. I rushed to back up and remove the blog before the hackers would start messing with me and my visitors.

I was already FTPing when it came to me: even if it really was hacked there was no need to rush; I’d try to find out what happened first.

And indeed Google gave the quick answer: if the options database table gets corrupted (somehow it does), WP behaves like a new install. You only need to repair it from phpMyAdmin, that’s it %)

Anyway it’s time to redo things in my blog, but without the rush.

The moral is always “google it” before you jump to any assumptions.

The biggest terrorists in the world are… Flex bloggers

Adrian Parr, a Flex blogger mostly known for his post listing AS3 frameworks, got hacked by some political lamers. The whole blog was replaced with a common and lame hacker page. The alleged hackers came from this Arab security forum, m4r0c-s3curity.cc.

What is the relation of this blog to your “war on terror”?! Leave your political BS where it belongs.

My blog has been hacked

The first part of a hacker’s job is to gather information about the target: the server, technology and software running on it. With WordPress all that is needed is viewing the HTML source to see the “<meta>” generator tag that reveals which version of WordPress is running, and therefore how vulnerable it is. Attackers scan/google for this automatically, along with other parameters, to pick the blogs they want to hack.

I had always seen the update notices in the WordPress dashboard and always stupidly ignored them, thinking, who would want to hack my blog?! I should have known that a PageRank (PR) of 7 is very appealing to spammers. But even if you don’t have any PR or have very low traffic, it doesn’t mean you’re safe from being hacked; it’s been reported that very new and unpopular blogs have been hacked as well.

The attackers managed to use an old exploit in my blog, a very old one, and polluted my blog with thousands of spam pages, all hidden in obscure folders. One of the first things I noticed was some strange traffic coming into my blog, mostly from unrelated blogs which showed no visible link to me. Only when looking inside their HTML source did I see the hidden links to me. I realized that I was part of a zombie network of hacked blogs and splogs, all for the sake of generating spam money. I informed some websites that they were probably hacked as well, and I still find new websites that have hidden links to my blog and are probably controlled as part of this spammer network. This indicates that the attackers’ work is far from perfect and probably not fully automatic, as they still don’t know I’m out of it and still link to me.

Servers these days have become (relatively) very secure; securing one has become mostly plug and play: you plug in your firewall, you plug in your security software suite and you’re almost done. (I don’t want to disregard any IT staff and their hard work, but you get the point.) Attack vectors needed to shift to exploiting the developer’s code and the end user, as these are the most error-prone areas these days. As such, it became the developer’s responsibility not only to write code that compiles but also to write secure code. As for the users, not much should be expected of them and they should be allowed to be very dumb. It’s not clear yet whether developers can be expected to always produce safe code; WordPress is created by highly talented developers and still all of its security flaws were due to insecure coding. I’ve heard this compared with an old development problem, producing optimized code, which was never completely solved. Currently developers don’t have sufficient tools and resources to overcome these problems. One can only hope that in the same way viruses have lost their strength over the years, the same will happen to these kinds of attacks. We can only wonder what the next generation of attackers will be; maybe end users will become the only reasonable target.

The first lesson here is to always upgrade your blog. Although this can be a tiring process, with updates coming all the time, it must be done. The WordPress update process itself is very easy and fast and I really encourage you to do it the minute a new version is available. You might want to be assisted by this auto-upgrade plug-in.

What is described here is mostly about the WordPress blog platform but this is far from being the only massively used and attacked open-source web application.

Finally I would like to try and coin a new phrase. The same way we were introduced to the developer who can also be a designer, named Devinger, I think it’s time to introduce the Safeloper. The Safeloper is a developer who has the tools and knowledge to produce secure programs. ;)

I guess we should always expect to be hacked and always back up.

How to find out if you’ve been hacked:

As opposed to old school Internet hacking, where the attacker’s main goal was to make a name for herself and have the attack known and published, in this new kind of hacking the attacker’s main goal is to make money through spam, and as such the last thing they want is for the owner of the hacked website to have any clue that she’s been compromised. You might get a weird increase or decrease in traffic and the Google PR might drop a bit, but you won’t see anything completely different unless you look for it.

Simple as that: view the source and search for spam words like cars, mortgage, pharmaceutical, etc.

Look at traffic to your blog – If you see some strangely unrelated blogs linking to you there is a good chance you’ve been hacked and used as a splog. Go to the suspect blog and view its source for hidden spam links to you.

Look at the Google search traffic to your blog – The latest exploit, also known as the anyresult.net hack, is a way to steal the Google results of your blog. Clear all cookies, search for yourself in Google, and if a link to your blog redirects to another website then you’ve been hacked. Clear your cookies again and do this a few times to be sure.
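As an added example (not code from the original post), here is a small Python script that automates the source-view checks above: it reports the WordPress generator tag, links hidden with CSS the way injected spam links usually are, and spam words in the raw source. The sample HTML, the example.invalid domain and the SPAM_WORDS list are constructed for the demo.

```python
# Added example (not from the original post), standard library only: reports the
# WordPress version leaked by the generator <meta> tag, links hidden with CSS
# (display:none, visibility:hidden, off-screen) the way injected spam links
# usually are, and spam words in the raw source. SAMPLE, example.invalid and
# SPAM_WORDS are constructed/assumed for the demo.
import re
from html.parser import HTMLParser

SPAM_WORDS = ("pharmaceutical", "casino", "mortgage", "viagra")
VOID_TAGS = {"meta", "br", "img", "input", "hr", "link"}  # never get an end tag

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.generator = None    # content of <meta name="generator">, if any
        self.hidden_links = []   # hrefs of <a> tags inside a hidden element
        self._stack = []         # one "is hidden" flag per open element

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(left|top):-\d{3,}px", style) is not None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        # hidden if the element hides itself or sits inside a hidden ancestor
        hidden = bool(self._stack and self._stack[-1]) or self._is_hidden(a)
        if tag == "a" and hidden and a.get("href"):
            self.hidden_links.append(a["href"])
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

def scan(html):
    """Return generator string, hidden link hrefs and spam words found in html."""
    s = _Scanner()
    s.feed(html)
    return {"generator": s.generator, "hidden_links": s.hidden_links,
            "spam_words": sorted(w for w in SPAM_WORDS if w in html.lower())}

SAMPLE = """<html><head><meta name="generator" content="WordPress 2.5" /></head><body>
<div style="display: none"><a href="http://example.invalid/pills">pharmaceutical</a></div>
<div style="position:absolute;left:-9999px"><a href="http://example.invalid/c">casino</a></div>
<a href="http://example.invalid/about">about</a></body></html>"""
```

Run `scan(SAMPLE)` to see the three findings; feed it the saved source of your own pages to check them the same way.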

Make Sure Your WordPress is Not Hacked – some more info.

What to do if you’ve been hacked

I would suggest backing up everything from your blog, including all the file folders and the database, and then doing a fresh install of the new WordPress (currently 2.5.1). To back up the folders use an FTP client; the DB backup is generally done from the website’s control panel or from the WP admin. Only after the fresh install, start adding all the customized stuff like themes and plug-ins, checking each and every one as you add it; you should even check the images. When it comes to the plug-ins you’re better off re-downloading them.

Change your blog password and the passwords of all the blog’s registered users, and make sure all the users are valid and not hacker-created. It’s better not to use WP for user registration as this was the source of a lot of the previous exploits.

How to prevent your blog from future hacks

Always install updates – It’s fast and easy

Remove the generator meta tag – WP shows its version number inside the HTML. If it exists it’ll help the hacker know how vulnerable you are.

Put empty index.html files inside the WP plugins folder and any other folder that doesn’t have an index file. It won’t stop anyone, but it will give the attacker a harder time understanding the structure of your blog and which plug-ins you have installed.

Monitor your files for changes or use some kind of script firewall

Install only trusted plug-ins

More Resources:

Did your WordPress site get hacked? – More info about the structure of the WordPress attacks and how to prevent them, written by one of the WordPress people.

Patching the WordPress AnyResults.Net Hack – Describes how to fix the latest WordPress exploit, which is found in WP 2.5 or earlier. It was fixed in WP 2.5.1, but updated blogs aren’t automatically cleaned if they were already exploited. This exploit redirects search engine results for your website to anyresult.net. More, more and more.

File change notifications for your WordPress blog on Linux – A good explanation of how to monitor file changes on your blog. This way you’ll know when a hacker has managed to change or add files. The problem is that it’s recommended not to monitor the cache folder, because it’s constantly being written to by WordPress. Hackers are also aware that this folder is difficult to monitor and it’s where they put their malicious files.
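An added example, not code from the linked article or from WordPress, of the file-change monitoring described under “Monitor your files for changes” and in the link above: it takes a SHA-256 baseline of a directory tree and reports added, removed and modified files. The constructed demo skips a “cache” directory, which is exactly the blind spot the text warns about.

```python
# Added example (not from the original post): a minimal file-change monitor.
# snapshot() hashes every file under a directory (SHA-256); diff_snapshots()
# reports what was added, removed or modified since the baseline. demo() builds
# a constructed WordPress-like tree in a temp directory and skips "cache",
# which shows the caveat: a skipped directory is also an unmonitored one.
import hashlib
import os
import tempfile

def snapshot(root, skip_dirs=()):
    """Map relative POSIX-style path -> sha256 hex digest for every file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune skipped directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline, then one changed, one new and one unseen file."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "index.php"), "<?php // front controller\n")
    _write(os.path.join(root, "wp-content", "plugins", "akismet.php"), "<?php // plugin\n")
    _write(os.path.join(root, "wp-content", "cache", "page.html"), "<html></html>\n")
    baseline = snapshot(root, skip_dirs=("cache",))
    # changes after the baseline: core file altered, new file in plugins,
    # new file inside the unmonitored cache directory (never reported)
    _write(os.path.join(root, "index.php"), "// appended line\n", mode="a")
    _write(os.path.join(root, "wp-content", "plugins", "new.php"), "<?php // new\n")
    _write(os.path.join(root, "wp-content", "cache", "new.php"), "<?php // unseen\n")
    return diff_snapshots(baseline, snapshot(root, skip_dirs=("cache",)))
```

In real use, store the baseline dict (for example as JSON) right after a clean install and rerun `snapshot()` from cron, comparing against it.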

Firewallscript WordPress Firewall – Commercial ($85) firewall that runs at the PHP script level without needing to be installed on the server itself, and hence good for shared hosting. It’ll monitor files for changes and more.

Munin A PHP application firewall – The same as above, just free and open-source.

WordPress exploit: we been hit by hidden spam link injection – More information on how to deal with hidden spam link injection

Won’t publish posts anymore – A less common hack that prevents you from publishing to your own blog.

How to Protect Your WordPress Site

9 easy ways to secure your WordPress blog

10 Ways to Secure your WordPress Install

Almost Perfect htaccess File for WordPress Blogs

When Patches are the Problem – Apparently automatic security updates aren’t a perfect solution either.

Security through visibility: The secrets of open source security – WordPress is open source; does that really make it less secure?

My new blog – Human VOIP

Writing a blog is not a simple task; writing a good blog is very difficult. I’m not sure I’m the kind of person who can handle more than one blog, I’m not Lee Brimelow :), but I’ll give it a try anyway.

My new blog’s name is Human VOIP; it’s supposed to be mainly about telephony related stuff, but somehow Flash seems to sneak in ;)

Call me now! Jajah new Flash widget

We’ve just released the Jajah Buttons, which enable you to receive calls from your website, blog, online community, email, etc. directly to your phone, and all that without revealing your phone number. Check it out, call me now.

The Jajah button lets you determine when, where and to whom you are available for calls. It also gives you a permanent short link that leads people straight to your phone. You can always reach me with this URL – jajah.com/guy

The Flash widget is completely customizable in size and colors, supports multiple languages and has a unique look and feel. The widget was developed in ActionScript 2.0 mainly for compatibility reasons; it was intended to be released some time ago, before the Flash 9 Player reached 90%. Over that time it was overdeveloped with many features and a complete set of controls developed from scratch. Many of these features did not make it into the final (first) release, but are ready to be put back in when the time is right, so stay tuned if you’re interested in this kind of stuff.

The Jajah Button graphics were designed by the uber talented crew at Ichiban.

Jajah widget colors

Call animation:

Jajah widget call animation

Developing ActionScript 2.0 controls is a tiring and unappreciated task. Show it to a non-Flash developer and they’ll tell you – “that’s nice but I have that in HTML also, I simply write an input tag…”; they simply can’t see the difference. This strengthens my feeling that some people, mainly developers, are color blind and can’t differentiate between a circle and a box ;). If Microsoft is expecting these guys to do something appropriate with Silverlight, then they shouldn’t, cause it ain’t gonna happen.

Using Macromedia’s V2 components, as always, didn’t seem right. The Flash CS3 ActionScript 3.0 component set, although modest, looks like something more reasonable to inherit from. To complete your set, take a look at Yahoo’s Flash components.

This is the code I used to embed the Jajah Flash widget inside this post using the Kimili Flash Embed WordPress plugin. There are more parameters you can add to make its colors look more like your style; check the editor for that. The Jajah Buttons Editor also gives you the code snippet suitable for your needs.
[code] [/code]

Screenshots from the editor:

Customize colors and size

Editor - Customize colors

Set your availability

Editor - Availability 1

Countries you wanna get calls from

Editor - Availability countries

Callers blacklist

Editor - Availability blacklist

For more info go here…

Akismet has saved my blog from over 100,000 spam comments

Since I installed Akismet last year it has saved my blog from 100,425 spam comments. It seems to me like an insane amount of spam for an easy-going blog like mine, and though I haven’t counted, I guess only a few hundred have managed to pass through its defenses. Over that year I kept reading about other spam plugins and it doesn’t seem to me that there is a better solution yet for bloggers. If you run a WordPress blog or any other comment-driven website then you should install it; it’s fast and easy.

Stop WordPress comments spam with Akismet !

About 1.5 months ago my blog started to receive a relatively massive amount of comment spam. First I thought I would fight it manually on my own, but after a few days it defeated me.
I went on a search for the best WordPress anti-spam solution. After reading some reviews it looked like Akismet was a good one, so I started with it to see if it would keep its promise. Indeed, in about 1.5 months Akismet has stopped 575 spam comments, and only 4 have passed through its defense. The 4 comments that infiltrated were very modest, with only 1 link in the name and a non-offensive looking URL. Akismet can stop most of this modest-looking spam too.

Akismet is installed automatically on WordPress 2 and above, and it is said to support WordPress 1.5.2 and above. But a friend of mine has reported, from experience, that it can also be used in WordPress version 1.5.0 with minor limitations.

In order to activate Akismet you need a WordPress API key. You can simply get an API key by signing up for an account at wordpress.com; get yourself a blog account like http://guya.wordpress.com/ and you’ll be able to use the API key you get on any WordPress blog, no matter where it’s hosted.

I just wonder: if my little humble blog gets 575 spam comments in 1.5 months, how many do the big blogs get, 5,750, or maybe 57,750?

Download Akismet.
Good luck with your war on spam.

Easiest way to embed Flash inside WordPress

I was embedding my Flash inside WordPress posts with the HTML <object> tag. It was not only messy but also incompatible with the Firefox browser. My blog was completely unreadable in Firefox.

Luckily I stumbled across this WordPress plugin called “Kimili Flash Embed for WordPress”, which makes Flash embedding as simple as writing this line:

[code][/code]
That’s all that is needed to embed the Flash movie.swf with a width of 550 and a height of 400.

The plugin is based on FlashObject and as such takes advantage of many of its features, listed here.

I found that if you embed the same Flash twice in the same post, or the same Flash in two different posts that show together on the same page, you’ll only be able to see one of them, the first from the top.