I Love My Blog

Filed under:Blogging — posted by Anwyn on June 28, 2010 @ 10:11 pm

Lack of posting is more to do with a consuming offline life. I’m at a crossroads and trying to figure out which way to go. Once I do, I’ll have a lot to say about whatever route I pick. Meanwhile, some unrelated (to that or to each other) lines:

This here blog is a must-read for anybody who loves TV: The Masked Scheduler.

I fired up a movie I TiVo’d a few weeks ago, The Ladykillers, thinking it was an old one, only to realize by the lighting and the stylization that it is Coen Brothers, 2004. Favorite part so far: Black gospel preacher “…and the Lord smote them. Y’all know what smote is? … It is GOING UPSIDE THE HEAD, because sometimes, brothers and sisters, that is the ONLY WAY.”

Leaving for Indiana tomorrow for a couple of weeks. It’s gonna be hot.

I can’t wait to take a photography class.

That is pretty much all, except that of Portland beers, I recommend Bridgeport IPA and find Full Sail Amber to be “meh.”

“Have You Got Anything Without Spam?”

Filed under:Blogging — posted by Anwyn on July 14, 2009 @ 9:53 am

A Guest Post by Spam Killer Daddyman

Spam is usually very straightforward to manage in WordPress blogs. Almost all of it arrives in the form of comments and is quickly (we hope!) dispatched by the admin (either manually or by her spam filter). Some spammers are more devious, exploiting security holes in WordPress or mysql to embed their nastiness directly within the blog.

This blog recently began to show spam in its RSS feed. Interestingly enough, the spam didn’t show up when viewing the feed directly–only when viewing it through a reader like My Yahoo! or Google Reader. The blog had clearly been infected by some sort of malware.

RSS feeds typically deliver a short summary of WordPress posts, either inline (as in Google Reader) or when you hover the cursor over a link (as in My Yahoo!). The symptoms of this particular malware infection are that only the most recent post contains any summary text at all, and rather than displaying an article summary, it recommends the reader “Buy Aristocort…” or some other nonsense.

We searched through the WordPress files and mysql database but found no trace of the spam. We updated WordPress to the latest version, but still the spam persisted. (Anwyn aside: Therefore, the problem had to be in files that were not updated–either in the WP theme files or in the mysql database itself. Gulp.)

After quite some time of sifting through a mysqldump, I finally stumbled across something suspicious in the wp_options table: a string, hundreds of characters long, that looked like a data dump of some kind. The epiphany came when I saw the following characters toward the end of the string:

[…]cfJ3byJXZ"(edoced_46esab(lave[…]

Alter your perception a bit and read that string backwards:

[…]eval(base64_decode("ZXJyb3Jfc[…]

This is php code. Base64 is a conversion format commonly used to send binary attachments via email. It’s also a great way to hide malicious code. I’ve seen trojans use it before, but I’ve never seen it coded backwards.

Decoding this, we discovered the php code that has been affecting the RSS feed. We also found other bits that were monitoring cookies, collecting system information and other dangerous things like login information.

So how does this backwards code get executed? Well, the answer to that lies in the Akismet plugin directory. In a file named .akismet.cache_< date >.php, there was code with a strrev() function. This instructs the code in the database to reverse itself and become readable. It appears, although I can’t tell definitively without fully deconstructing the code, that this malware leverages the Akismet spam-filter plugin to do its dirty work. I’m sure the author took great pleasure in that.

Why is this only seen in things like Google Reader and My Yahoo? It turns out there’s a regular expression match done for key sites:

if(preg_match("/bot|google|slurp|bing|msn|charlotte|crawl|yahoo|search|spider|inktomi|ask|alexa|seek/",$_SERVER["HTTP_USER_AGENT"])&&sizeof($_COOKIE)==0){

(Anwyn aside: In addition to the RSS readers, the Googlebot also sees the damaged code. Thus when I advance-googled for “aristocort” only on my site, Google turned up page after page that it said had that word–but if you clicked on a link, you got an entire category page where, of course, there was no mention of the spam words. Clever.)
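The condition above explains why the owner's own browser never showed the spam, and it gives a way to confirm the cloaking from outside. This is an added example, not code from the original post: it mirrors the post's condition in Python and compares what different clients receive; the user-agent strings, the cookie, the simulated feed and all function names are constructed for illustration.

```python
import re

# Pattern copied from the post's snippet. It has no "i" flag, so the match
# is case-sensitive, exactly as PHP's preg_match would apply it.
CLOAK_RE = re.compile(
    r"bot|google|slurp|bing|msn|charlotte|crawl|yahoo|"
    r"search|spider|inktomi|ask|alexa|seek")

def sees_spam(user_agent, cookies):
    """The post's condition: pattern hit AND the request carries no cookies."""
    return bool(CLOAK_RE.search(user_agent)) and len(cookies) == 0

def infected_feed(user_agent, cookies):
    """Constructed stand-in for the infected blog's feed summary."""
    if sees_spam(user_agent, cookies):
        return "constructed spam summary"
    return "summary of the latest post"

def detect_cloaking(fetch, probes):
    """Return the names of probes whose body differs from the first probe."""
    (_, base_ua, base_cookies), *rest = probes
    baseline = fetch(base_ua, base_cookies)
    return [name for name, ua, cookies in rest
            if fetch(ua, cookies) != baseline]

# Constructed probe set: typical user-agent strings, placeholder cookie.
BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.1) Gecko/20090624 Firefox/3.5"
CRAWLER = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
           "+http://www.google.com/bot.html)")
SESSION = {"session": "placeholder"}
PROBES = [
    ("browser, with cookies", BROWSER, SESSION),   # baseline: the owner's view
    ("browser, no cookies", BROWSER, {}),
    ("crawler UA, with cookies", CRAWLER, SESSION),
    ("crawler UA, no cookies", CRAWLER, {}),
]

if __name__ == "__main__":
    print(detect_cloaking(infected_feed, PROBES))
```

Only the cookie-less crawler probe differs from the baseline, so switching the user agent inside a logged-in browser session will not reproduce the problem. Against a live feed, fetch would request the feed URL with the given headers and compare only the item summaries.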

Cleanup Procedure

If you’re seeing spam in your WordPress blog’s RSS feed and you have any dotfiles in your Akismet plugins directory (.akismet.cache.php, .akismet.cache_< date >.php, etc), then you’re probably suffering the same affliction as this blog. The fix:

1. Back up your WordPress files. This is just to be on the safe side.

2. Back up your WordPress Database. Again, just to be on the safe side.

3. [Disclaimer by Anwyn: We didn’t actually install Akismet on any other blog to double-check that the following affected files were not normally present in a healthy Akismet install. We just nuked them from orbit, and my blog and spam filter do not seem to be suffering. However, if you have more than one of these suspect files, you might want to search each of them for this string: strrev. This is the dangerous command and thus the dirty file. Daddyman googled for these kinds of files related to Akismet and found nothing normal–only warnings of spam exploitation–so you’re probably safe to delete them all, but we don’t know with 100 percent certainty.] Clean up WordPress by deleting any akismet dotfiles (.akismet.*) in the wp-content/plugins/akismet folder.

4. Clean up the database by removing all affected wp_options lines. The easiest way to do this is with phpmyadmin. Select your database, browse the wp_options table, and look for rows that have an option name of rss_< something >. Do not delete any of the following rows: rss_excerpt_length, rss_use_excerpt, rss_language. Delete any rows which have an option_name of rss_< long string of numbers and letters (hexadecimal) >. For example, in our installation an entry beginning with “rss_f541…” contained the base64_decode() string. You can delete any rows that have a name with a similar format, whether or not you see obviously malicious code; it will not harm your RSS.

5. Create a new post and verify that your RSS feed is now displaying correctly. Google Reader does a good job of refreshing on demand. The My Yahoo homepage doesn’t refresh promptly even if you select the refresh option, so you may need to wait a while before getting confirmation there.

6. Delete cookies in the browser(s) which you use to administer your site. This is just to be safe.

7. Change your WordPress password! You may also want to change your main database password. If you do that, be sure to also update it in wp-config.php.

8. Enjoy a spam-free, fully functional RSS service!
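The backwards-string discovery and the checks in steps 3 and 4 can be scripted before anything is deleted. This is an added example, not code from the original post: a Python triage pass over (option_name, option_value) rows exported from wp_options; the sample rows, the function names and the 8-hex-digit minimum for an rss_ name are assumptions made here.

```python
import base64
import re

# rss_* options the post says must be kept.
KEEP = {"rss_excerpt_length", "rss_use_excerpt", "rss_language"}
# Names shaped like the post's example row: "rss_" followed by hex digits.
HEX_NAME = re.compile(r"^rss_[0-9a-f]{8,}$")
# PHP calls named in the post; each is also searched for spelled backwards.
MARKERS = ("eval(", "base64_decode(", "strrev(")
B64_ARG = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]+)[\"']")

def find_markers(text):
    """List markers found in text, forwards or reversed."""
    hits = [m for m in MARKERS if m in text]
    hits += [m + " reversed" for m in MARKERS if m[::-1] in text]
    return hits

def recover_payload(value):
    """Decode the base64 argument for reading only; nothing is executed."""
    for candidate in (value, value[::-1]):
        match = B64_ARG.search(candidate)
        if match:
            raw = base64.b64decode(match.group(1))
            return raw.decode("utf-8", "replace")
    return None

def triage(rows):
    """Return (option_name, verdict, markers, decoded) for suspect rows."""
    findings = []
    for name, value in rows:
        if name in KEEP:
            continue
        hits = find_markers(value)
        if hits:
            findings.append((name, "malicious", hits, recover_payload(value)))
        elif HEX_NAME.match(name):
            findings.append((name, "review", hits, None))
    return findings

# Constructed sample rows (not taken from the infected blog).
_b64 = base64.b64encode(b"echo 'constructed sample';").decode()
SAMPLE_ROWS = [
    ("rss_language", "en"),
    ("blogname", "Example Blog"),
    ("rss_0123456789abcdef0123456789abcdef", "a:0:{}"),
    ("rss_fedcba9876543210fedcba9876543210",
     ('eval(base64_decode("%s"));' % _b64)[::-1]),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

find_markers() can also be run over the contents of each .akismet.* dotfile, where a hit on strrev( identifies the file described in step 3.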

Staying Spam-Free

Here are two maintenance steps to help keep your blog clean and performing well:

1. Harden your WordPress installation! An ounce of prevention is worth a pound of cure.

2. Periodically purge spam comments from your database. When you classify a comment as spam, it disappears from sight, but the actual data remains in your database. In the case of this blog, which has been up for several years, 75 percent of the database (or about 9MB) was old spam comments. (Anwyn aside: Good Lord.) A simple sql command, run periodically, will remove all of that cruft and help optimize your database. The sql magic can be run either from phpMyAdmin or directly via the mysql CLI. Just connect to your database and execute the following statement:

DELETE FROM wp_comments WHERE comment_approved = 'spam';

There are also some WordPress plugins, such as “Delete Spam Daily,” which profess to make this an even simpler process. I haven’t tried them, so be careful.

–Daddyman

(Anwyn aside: I hadn’t updated WordPress since it was first installed on this host, years ago. If I had, no doubt whatever back door the spammers came in through would have been eliminated.)

The Next Top Post

Filed under:Blogging — posted by Anwyn on July 12, 2009 @ 8:42 am

Another test. We’ve deleted what we think is reams of nasty code directly out of my database. If Daddyman really has cracked this problem, he might be able to document it for people like him who googled and found only that “yes, this problem exists, what’s happening here?” but no answers.

NASTY code, people. Reams of it. You better not be seeing any more of it on the feed to this post. Let me know …

Test Post

Filed under:Blogging — posted by Anwyn on July 11, 2009 @ 10:55 pm

Be vewy, vewy quiet. I’m hunting spammers.

How’s the Feed?

Filed under:Blogging — posted by Anwyn @ 10:21 pm

Still bad? Still spammy? I upgraded to WP 2.8.1 tonight (chorus of angels sings HA-LE-LU-JAH) and we seem to have at least a remnant of the old RSS problem. Sing out if you typically view my RSS feed and are seeing spam in it. Kthxbai.

Of All the Editors in the World

Filed under:Blogging,Need a Good Editor?,Politics,Priorities — posted by Anwyn on January 8, 2009 @ 2:41 pm

…I never thought I’d have much respect for one at the Huffington Post. I read this post taking Al Gore to task for spreading the nonsense that is human-inflicted global warming climate change last week and was duly shocked that the HP ran it–shocked, surprised, and pleased.

Now Arianna huffs, in an effort to retain her cred with her peeps:

When Ambler sent his post, I forwarded it to one of our associate blog editors to evaluate, not having read it. I get literally hundreds of posts a week submitted like this and obviously can’t read them all — which is why we have an editorial process in place. The associate blog editor published the post. It was an error in judgment. I would not have posted it. Although HuffPost welcomes a vigorous debate on many subjects, I am a firm believer that there are not two sides to every issue, and that on some issues the jury is no longer out. The climate crisis is one of these issues.

Dear Associate Blog Editor at HuffPo: Bravo. Even if you only did it to stir the pot, bravo anyhow. When Arianna fires or disciplines you, I hope you decide you’d rather retain your integrity than that job.

Via Hot Air headlines.

I Love My Lileks

Filed under:Blogging,Heh,Television — posted by Anwyn on December 30, 2008 @ 7:45 pm

At the end of a foamily descriptive discourse on shaving:

That first shave with a new brand is better than any other shave you ever get. It makes you wonder if there’s a whole different level of razor technology reserved for the uppermost elites, the Presidents and Premiers and 33rd degree Masons and Popes and Politburo poohbahs and everyone else who lives in the rarified air above. The job has to have some compensations. Obama’s first day in office will begin with the best shave he’s ever had.

Man, that’s incredible. Any other surprises in store today?

Yes, sir. After you receive the briefing on our strike on the Iranian ship bringing a nuclear device into the New York harbor, they will give you the second season of “Firefly.”

Ha ha ha. My dear man. The Pentagon keeps that locked up under three keys, none of which belongs to the president.

It’s That Time Again

Filed under:Blogging,Cool — posted by Anwyn on November 6, 2008 @ 4:15 pm

Time for any and all Portland- or Northwest-area like-minded blog-conscious conservative-stripe folks to get together for the proverbial drink. Last year’s effort was great fun–and in Portland, let me tell you, it is a huge relief to sit down for drinks with people who you already know won’t foam at the mouth if you dare mention the Name of Bush or announce you’re a racist by saying you didn’t vote for Obama.

A commenter at Ace’s, Rasputin, is putting this together. Email him for details at snitch20032@live.com and feel free to email me as well, anwynsnotes at gmail, to say you’re in. Hope to see you there!

PS

Filed under:Blogging,Television — posted by Anwyn on September 21, 2008 @ 8:05 pm

When I return, blogging shall return. You have been warned.

I mean, after all, Dancing with the Stars will be back.

I’m Still Alive

Filed under:Blogging,It's My Life — posted by Anwyn on September 18, 2008 @ 9:44 am

Just very busy.

No, seriously, where are you, because I’m about to drop you from my bookmarks.

A birthday for the Bean, a big family visit, there’s a lot going on. I’ll be back.

C’mon, I’m just emulating Xrlq by going for a one-to-one ratio of weeks to posts.

Actually, Xrlq’s been posting several times per day.

Well, see, then? He’s picking up my slack. And hey, I have made one crucial blog decision–I’m no longer going to code links that automatically open a new browser window. I figure you people are smart enough to right-click and pick “open in new window (or tab)” all by yourselves.

Well, thanks for that, the extra windows were driving me nuts.

You’re welcome.

There Are Days When Rachel Lucas Makes Me Want to Quit Blogging Altogether

Filed under:Blogging,Heh — posted by Anwyn on August 19, 2008 @ 5:05 pm

I know of nobody who can get more mileage out of a good rant than she does. And this after more or less giving up politics/news blogging. At the risk of propelling Anne the LifePundit into a flame war over the relative value of cats and dogs:

Can your asshole cat bite the nuts off a burglar? I think not.

Hey. At least I found something I wanted to blog today.

This One’s for Mr. Sippican

Filed under:Blogging,It's My Life,Music — posted by Anwyn on August 17, 2008 @ 1:07 am

Mr. Sippican Cottage, that is. Although I’m not sure it’s the kind of music he enjoys. But I love it, and it reminds me of the way Mr. Sippican writes about his wife, about his children, about his life in terms of them.

You know “Ashokan Farewell,” right? Unless you were living under a rock with no cable during the time of The Civil War, the mini-series, you know it. This is by the same composer, Jay Ungar. A cousin of mine who is a dead ringer for Loren Dean and I have talked about who would play me and various other cousins in our life story. The lady at the piano, Molly Mason, would have to be played by Stockard Channing–look at those cheekbones! (Cousin and I couldn’t come up with a satisfactory actor look-alike for me. Go figure.)

I played this in trio yesterday with a couple of great musicians I get to flute around with every few weeks–a fiddler and a guitarist. I flute as aforementioned and also sing–mostly old Peggy Lee songs that Mr. Sippican would probably approve of. “Lovers’ Waltz,” by Jay Ungar. Gorgeous.

She’s Baaaack

Filed under:Blogging,It's My Life — posted by Anwyn on July 24, 2008 @ 3:27 pm

… from The Longest Vacation Evah. Blogging shall resume. At some point.




image: detail of installation by Bronwyn Lace