Category: Geekery

  • WordPress, remv.php and You

    While hacked sites happen, the hacks are fairly benign.  Normally, folks with hacked sites see a few spam links at the bottom of their pages.  That sort of thing can normally be cleaned up with an upgrade.  When I have to deal with them, it also involves a rap on the knuckles and a lecture on the importance of staying on top of upgrades.

    I’ve never seen a hack crop up with the tenacity of “remv.php” tho.  Seriously, it’s kind of scary.

    I haven’t really had time to go over what all the “remv.php” script does, but I do know that it can be harnessed to send out DDoS (Distributed Denial of Service) attacks to unsuspecting sites.  How do I know this?  Well, about an hour after tossing in “They Live”, I hear Kitchen typing furiously and ask him what’s going on.

    There’s a site getting DDoS’ed — but the attack is predominantly coming from our own servers.

    Shit.  Was it a nasty 0-day worm?  Not so much.  Just a bunch of zombie blogs banging away at this poor bastard’s site.  And what did all those blogs have in common?  “remv.php” was hanging out in their “wp-content/themes” directory.

    So in the interest of spreading the word, I’ve got a quick and dirty guide to dealing with sites infected with this nasty little script.

    1. Check to see if your WordPress install has “remv.php” in its “wp-content/themes” directory.  This can be accomplished by adding “wp-content/themes/remv.php” to the end of your blog’s URL.  If you see “Access Denied – your host is not allowed to access this page.”, congratulations — you’re part of the problem.
    2. If you come up as clear on the previous step, you can always double check by FTP’ing into your server and navigating your directories manually.  The file always seems to show up at “wp-content/themes/remv.php”.  If it’s not there, you’re probably safe — but you should upgrade your WordPress install if it’s not the latest and greatest in order to defend yourself fully.
    3. Should you see the file after going over either of the first two steps, go delete “remv.php” while FTP’ed into your server.  Keep the client open tho.  You’re not done.
    4. Upgrade your WordPress install.  At the time of this post, the latest stable version is 2.7 and can be acquired directly from WordPress.org.  That’s sure to change as the years roll on tho, so just try to upgrade to whatever the site lists as “stable”.
    5. Go to your host and change the MySQL password that coincides with your WordPress database.  If you don’t know how to do this, contact the support staff of your host and have them walk you thru it.
    6. Modify the line in your “wp-config.php” file that reads:
      define('DB_PASSWORD', 'myoldpassword');
      There, replace “myoldpassword” with the new MySQL password.
    7. Log in to your WordPress admin area and visit “Users > Authors & Users” (that’s what it’s called in version 2.7).  From there, you can edit your users and set new passwords for all of them.  That’s right, all of them. No slacking here!  If you stay on top of updates, this shouldn’t happen again.
    8. Go back to your FTP client (from step 3) and rename “wp-content/plugins” to something like “wp-content/plugins.bak”. Why you’re doing this should become apparent in the next step.
    9. While still in your WP admin interface, visit “Plugins > Installed” (again, this is the name for it in 2.7).  It’ll complain that it can’t find your plugins (because you renamed the directory) and deactivate them for you.  Once it’s deactivated them, use your FTP client to rename the directory back to “wp-content/plugins”, refresh “Plugins > Installed” and upgrade all out-of-date plugins before re-activating them.
    10. You’re done!  Well, so long as you have only one infected WordPress blog.  If you’ve got more of them, then repeat these steps until everything is happy once again.
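    If you’re looking after more than one blog (step 10), checking each install by hand gets old fast.  The shell helpers below are an added example, not code from the original post: they find every install under a directory that carries the “wp-content/themes/remv.php” marker described in steps 1 and 2, move the file into a quarantine directory rather than deleting it outright (so a copy survives if you want to look at it later), print the installed WordPress version so you know which installs need step 4, and rewrite the DB_PASSWORD line from step 6.  The directory layout, the quarantine location and the sample password are assumptions; “wp-includes/version.php” and its $wp_version variable are standard WordPress.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the cleanup
# steps above. Assumptions: each blog lives in its own directory under one
# root, and the quarantine directory is writable by whoever runs this.

# Print the path of every remv.php found at the location the post describes,
# one per line, for all installs under directory $1.
find_remv() {
    find "$1" -type f -path '*/wp-content/themes/remv.php' 2>/dev/null
}

# Move one remv.php ($1) into quarantine directory $2, named after its
# original path so files from several blogs do not collide. Non-zero on failure.
quarantine_remv() {
    src="$1"; qdir="$2"
    mkdir -p "$qdir" || return 1
    dest="$qdir/$(printf '%s' "$src" | tr '/' '_')"
    mv "$src" "$dest" && chmod 0600 "$dest"
}

# Print the WordPress version of the install rooted at $1, read from the
# $wp_version line in wp-includes/version.php (standard WordPress file).
wp_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Replace the DB_PASSWORD value in wp-config.php ($1) with $2 (step 6 above).
# A .bak copy of the original config is left beside it.
set_db_password() {
    cfg="$1"; newpw="$2"
    # Escape characters that are special on the replacement side of sed.
    esc=$(printf '%s' "$newpw" | sed 's/[\/&]/\\&/g')
    sed -i.bak "s/define('DB_PASSWORD', *'[^']*');/define('DB_PASSWORD', '$esc');/" "$cfg"
}

# Scan $1 for infected installs, quarantine each remv.php into $2, and print
# each infected install with its WordPress version. The last line printed is
# the number of files quarantined.
sweep() {
    root="$1"; qdir="$2"; n=0
    for f in $(find_remv "$root"); do
        inst=${f%/wp-content/themes/remv.php}
        echo "infected: $inst (WordPress $(wp_version "$inst" 2>/dev/null || echo unknown))"
        quarantine_remv "$f" "$qdir" && n=$((n + 1))
    done
    echo "$n"
}
```

Run it as `sweep /path/to/blogs /path/to/quarantine` from the server’s shell; every install it lists still needs steps 4 through 9 done by hand, since quarantining the file removes the zombie but not whatever let it in.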

    If it seems like a lot of crap to go thru, just remember that this wouldn’t be an issue if you kept on top of security patches and made sure your plugins were up to date.  If you really want to avoid doing this again, subscribe to the WordPress Development Blog’s feed and check it religiously.

    If you have any more info on “remv.php”, let me know in the comments and I’ll do what I can to keep this entry up to date.

    Update: It looks like “remv.php” is phpRemoteView.  Apparently, it’s pretty popular with the script kiddies, but it’s not the actual exploit that’s being used.  Still, it’s a bad thing that needs to be removed if you find it in your WordPress install.  If you’re interested in getting the gist of what the script is capable of, check out this page translation.

  • Going Feral

    While reading Jori Finkel’s piece in the New York Times on Machine Project’s LACMA invasion, I was struck by something that Margaret Wertheim said:

    I don’t know of any city other than L.A. with so many feral groups.

    Now while she was referring to the Los Angeles art scene, this sort of applies to the tech scene here as well. There are plenty of folks trying to make this city relevant when it comes to tech. A streamlined, less paunchy version of Silicon Valley that does yoga and drinks wheatgrass. And that’s fine. They can keep doing that. But to lift a quote from Chuck Palahniuk’s Fight Club, “Sticking feathers up your butt does not make you a chicken.”

    I’m not really talking about them tho. Honestly, the most interesting shit that is going on in this sprawl is on the fringe. Groups like Dorkbot SoCal & Betalevel and meetings like Mindshare are where people are doing the really sexy, fun, creative stuff. Well, the stuff that’s worth paying attention to at least.

    Seeing as how I’ve helped foster it along, why would I exclude BarCampLA from that tiny (and rather incomplete) list above? Well, first of all, my ego isn’t that big.

    Most importantly tho, it isn’t one of those feral members of the fringe anymore. Sure, it may have been a bit of a wild dog in the past, but as time goes on, it has become domesticated. With well over 300 people wandering in and out over two days and the schedule slowly seeing product pitches, SEO talks and social media chatter dominating the landscape, it’s sort of losing some of its original charm.

    Think I’m crazy for saying that? Consider BazCampLA. A “mad science only” event, their plan is to get together about two weeks before the next BarCampLA to make sure their technical talks are well tuned and ready for the big show. From the chatter that I’ve seen, they’re sort of worried that this will be seen as a condemnation of BarCampLA. A middle finger to its participants and the Los Angeles tech scene as a whole. But I totally get what they’re trying to do — and I admire their goals.

    Frankly, I hope the BazCampers either take the schedule at the next BarCamp over by force or they end up building a framework for a better event. Like one that would make BCLA obsolete and allow me to take a vacation. Lord knows that I could use the rest… ;)

  • History Hacker

    Ever since I’d heard about History Hacker, I’ve been geeked about it. Now, maker extraordinaire and super rad video blogger Bre Pettis, is getting a crack at the big leagues when his show airs on The History Channel this Friday at 8 PM.

    The pilot involves Tesla and his back and forth feud with Edison and has a style that seems like it was made for the ritalin set. So if the promo video above looks interesting at all, consider adding it to your DVR and checking it out.

  • Getting Some tr.im

    While there are a lot of URL shortening sites out there, I’ve actually grown quite fond of tr.im recently.  It’s a little thin on preferences right now, but there are three things that set it apart from the other services out there: 

    Automatic Twitter and Identi.ca Posting

    Whenever you shorten a URL — thru the bookmarklet or their site —  tr.im does the standard behavior and copies the output to your clipboard.  On top of that tho, it also offers you the opportunity to sign in to your favorite microblogging platform and post the URL directly from tr.im itself.  Removing the extra steps of opening up Twitter and pasting a link into the window makes me a very happy camper.

    Zero Account Creation

    Want to save your settings but don’t want to make another account?  No worries!  tr.im accepts both Twitter and Identi.ca logins.  Saving a couple minutes of my time by not having to sign up for yet another service is rad to me in a way that words can’t quite describe.

    Click Tracking

    If you’re signed in to tr.im, you actually get stats on the number of times a link has been clicked. So if you’ve direct messaged or emailed a friend with a link and want to know if they’ve given it a look, there’s no need to bug them about it.  Just load up the tr.im homepage and see if they have or not. Simple enough, right?

    It also has the added bonus of being a super short URL that isn’t abstract like is.gd or zz.gd are. Seriously dudes, what’s up with those names?  I mean, bravo for scoring a 4 character domain. That’s a feat in and of itself.  Still, if what your site does isn’t fairly obvious from the URL, it kind of fails for most passive users before it gets out of the gate.  tr.im actually manages to be nice and descriptive without being too heavy — and that, coupled with the reasons above, is why I like it.

    So give tr.im a try and see if it integrates with your workflow.  Even if you’re a bit skeptical about something as basic as a URL shortener, you might actually be pleasantly surprised at just how well it works.

  • That’s How I Roll Too…

    I’m not sure what I like more, the legibility rant or the use of the word “motherfucker”… [via]

  • Boba Fett = Pimp

    Every so often I feel like I miss out by not making the trek down to Comic-Con. This is one of those times.

  • Shuffling Around

    Sorry about the bit of downtime this morning and afternoon, folks! I’ve been trying to spread the hosting for my domains across a few users and I managed to take down my site in the process. Apparently I forgot about the quirks involved in running WordPress under mod_php. D’oh!

    Things are back up now tho — PHP as CGI FTW! — so no worries.

  • Macbook Air vs. Girl Talk

    As far as I’m concerned, this video is absolute genius.  Of course, I might be a bit partial due to the fact that I’m totally in love with the new Girl Talk album — but that’s really beside the point.

  • Planning A Jailbreak

    Now that it’s a given that I’m buying a 3G iPhone, I need to figure out how to use a jailbroken first gen iPhone to pull traffic data for my TomTom One.  It might take a little work tho as Google’s not turning up any solid results.

    Anyone on the LazyWeb have any ideas?

    P.S. It might be a wise idea to buy .Mac at Amazon (for $69.99) in the next few days if you don’t already have it. That way, when MobileMe replaces .Mac you’ll have saved $30 on your first year of service.

  • Embrace The Dork Side

    Being a nerd, which is to say going too far and caring too much about a subject, is the best way to make friends I know.

    Sarah Vowell, The Partly Cloudy Patriot