Archive for the ‘News’ category

Wordpress sites hosted by Rackspace Cloud hacked!

June 18th, 2010

I spent the best part of last night helping someone sort out their hacked sites. An interesting problem really… it’s a hack that has been affecting Wordpress sites hosted with Rackspace Cloud and early speculation suggests it’s to do with an outdated version of PhpMyAdmin that someone had managed to break into. Rackspace have, apparently, been keeping quiet about it and have been logging into people’s servers and removing the appropriate files and records (so I’m told).

What does it do?

The hack uploads a file into one of your plugin directories, disguised as a language template file (.pot). So far I have seen it hiding within the All in One SEO Pack and SI CAPTCHA plugins but there are more! The file is filled with what looks like garbage. In fact it is all valid PHP, but nonsense: massive nested ternary expressions whose condition and result parts are hex-escaped strings. The point, of course, is to make the file look encrypted while hiding a single function. That function fetches one row from the wp_options table, takes a substring of the value, reverses it and runs it.

The second part of the hack is as follows… The database row that the above file decodes is stored in wp_options with an option_name of rss_ followed by a long number… again an attempt to make it look genuine. Within the row is a serialised string containing what looks like valid data but with a huge encoded section in the middle. To the trained eye it is obviously a base64-encoded string; the twist is that the string and its accompanying ‘eval’ statement are stored reversed, so running base64_decode on it won’t work out of the box.

When reversed and run, it turns out to be a chunk of PHP with yet more base64 encoding inside, but this time the right way round! The end result is both a shell and a MySQL browser: anyone who knows the correct URL parameters gets access to your file system and your database(s).

Scary huh! Anything else…

Sadly yes! Most sites are reporting a new user in their users table with administrative rights, sometimes called ‘amin’, other times having a … in it and other times completely hidden. I have read that the username is actually a huge amount of JS code which hides itself. Fairly clever, so credit to the author of this hack where it’s due!

Next, other sites are reporting dodgy iframes showing up in their posts. This is, apparently, the extent of the problem; however, with complete access to your database and file structure they could do a lot worse.

Is there a fix?

Yep… Rackspace are, apparently, doing their best to fix the problem whilst not (at the time of writing and to my knowledge) taking responsibility for it. I am told that the site setup has been blamed and permissions of 777 have been mentioned. Again, all speculation, so best go read up at more official sources.

So other than Rackspace sorting it you can do any of the following…

  • Remove any spurious rows from wp_options where there is a large encoded block in the value field. You should be looking for anything with an option name of rss_…. where … is a large number. Older Wordpress releases also keep legitimate feed-cache rows named rss_ followed by a 32-character hex hash; those hold serialised feed data, not a reversed encoded block, so check the value before deleting.
  • Remove the user ‘amin’, or anything with ‘…’ in it, from your users table and change every password. The database does not hold your admin password in the clear, so the row itself doesn’t hand it over, but with full database access the attacker has your password hashes, and with a shell they can read wp-config.php (your database credentials) or capture logins as they happen. So change them all, including the database password. There are always ways!
  • Check your plugin files for anything that looks odd. The file that I have seen has the ending .H.bak.pot or something similar. Bear in mind that .h is a C header file, .bak is a backup copy and .pot is a gettext translation template. Neither .h nor .bak has any business in a Wordpress plugin directory, and a genuine .pot file contains msgid/msgstr text, not PHP.
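As an added example (not code from this post, from Rackspace or from Wordpress), the following Python reproduces the decoding described above and automates the three clean-up checks in the list, plus the “grep your plugins for eval or exec” advice further down. The row layout, the rss_<digits> naming, the example file names and the list of dangerous function names are all assumptions modelled on the description, and the sample wp_options row is constructed from harmless PHP rather than the real payload.

```python
"""Detect and decode the planted wp_options row and plugin file described
in the post.  Everything below is an assumed model of the description;
the sample data is constructed and harmless."""
import base64
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# option_name shaped like the planted row: rss_ followed by a long number
RSS_OPTION = re.compile(r"^rss_\d{6,}$")
# base64_decode('...') argument, as it reads once the reversal is undone
B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# the same call as it sits *reversed* in the stored value: "base64_decode(" -> "(edoced_46esab"
REVERSED_MARK = "edoced_46esab"
# calls worth flagging in plugin files (assumed list; extend as you see fit)
FILE_SIGNS = re.compile(
    r"\b(eval|base64_decode|strrev|gzinflate|exec|shell_exec|system|passthru|proc_open)\s*\(")
# extensions that have no business in a plugin directory
ODD_PARTS = {".h", ".bak"}


def decode_reversed_payload(option_value: str) -> List[str]:
    """Undo the obfuscation the post describes: the stored blob is reversed, so
    reverse the whole value first, then peel base64_decode('...') layers, which
    are the right way round from there on.  Returns each decoded layer,
    outermost first, so it can be read without ever being executed."""
    layers: List[str] = []
    text = option_value[::-1]
    for _ in range(5):                       # bounded; the post describes two layers
        m = B64_ARG.search(text)
        if not m:
            break
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:                   # binascii.Error is a ValueError
            break
        layers.append(text)
    return layers


def scan_options(rows: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag rows that look like the planted one: an rss_<number> name together
    with content evidence (the reversed base64_decode marker or a long run of
    base64 characters).  The name on its own is not enough to delete a row."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        name, value = row["option_name"], row["option_value"]
        reasons = []
        if RSS_OPTION.match(name):
            reasons.append("rss_<number> option name")
        if REVERSED_MARK in value:
            reasons.append("reversed base64_decode() call")
        if re.search(r"[A-Za-z0-9+/=]{200,}", value):
            reasons.append("long base64-looking run")
        if len(reasons) >= 2:
            findings.append({"option_name": name, "reasons": reasons,
                             "decoded_layers": decode_reversed_payload(value)})
    return findings


def scan_plugin_files(files: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """files: (relative path, contents) pairs.  Flag names hiding .h/.bak behind a
    .pot ending, .pot files that contain PHP, and any file calling eval()/exec()-style
    functions.  Expect some noise from legitimate plugins; review, don't auto-delete."""
    findings: List[Dict[str, object]] = []
    for rel, content in files:
        p = Path(rel)
        reasons = []
        if {s.lower() for s in p.suffixes} & ODD_PARTS:
            reasons.append("odd extension: " + "".join(p.suffixes))
        if p.suffix.lower() == ".pot" and "<?php" in content:
            reasons.append(".pot containing PHP")
        hits = sorted(set(FILE_SIGNS.findall(content)))
        if hits:
            reasons.append("calls: " + ", ".join(hits))
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def read_plugin_dir(root: Path) -> List[Tuple[str, str]]:
    """Feed a real wp-content/plugins tree into scan_plugin_files."""
    return [(str(f.relative_to(root)), f.read_text("utf-8", "replace"))
            for f in root.rglob("*") if f.is_file()]


def build_sample_row() -> Dict[str, str]:
    """Constructed stand-in for the malicious row: harmless inner PHP, wrapped as
    eval(base64_decode(...)), reversed, and embedded in a serialised-looking value."""
    inner = '<?php /* constructed stand-in, not the real shell */ $m = base64_decode("Y29uc3RydWN0ZWQ="); ?>'
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    blob = layer1[::-1]
    value = 'a:2:{s:5:"title";s:8:"RSS feed";s:4:"data";s:%d:"%s";}' % (len(blob), blob)
    return {"option_name": "rss_8241356123", "option_value": value}


if __name__ == "__main__":
    for hit in scan_options([build_sample_row()]):
        print(hit["option_name"], hit["reasons"])
        for i, layer in enumerate(hit["decoded_layers"]):
            print("  layer", i, ":", layer[:60])
```

To run it against a real site, pull the candidate rows with `SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'rss\_%'` and pass them to scan_options as dicts, and pass `read_plugin_dir(Path("wp-content/plugins"))` to scan_plugin_files. The decoder only ever reads the layers, never evals them, which is the point: you want to see what the payload does before deciding what else to clean.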

How can I stop this sort of thing from happening again?

You technically can’t, but there are a couple of things to help you out…

  • Back up your site files and database regularly (where regularly is more frequent than once a month, and not just relying on your provider to do them!)
  • Disable the PHP functions that hand a script a system shell: exec, shell_exec, system, passthru, popen and proc_open can all be listed in the disable_functions directive in php.ini. Note that eval is a language construct rather than a function, so disable_functions cannot switch it off; that one you can only hunt for. Disabling the others will definitely cause problems with some plugins and sites, but it’s the price we pay for safety.
  • Make sure your permissions are all correct and check them regularly. Nothing on a Wordpress site needs to be 777; a world-writable plugin directory is exactly what lets a dropped file land there.
  • Check plugins before uploading them. A simple search of the files for eval, exec, base64_decode or strrev should do it, but it depends on how fussy you want to be; legitimate plugins use some of these too, so read the hits rather than rejecting on sight.

That’s it for me… there are loads of blogs about detailing more about the problem and I understand the threat to be several days old now. Still worth knowing isn’t it!

NewMedias gets its third musketeer!

May 21st, 2010

Those of you who know me from the NewMedias Your Members project will remember that for years it has been a two man band. Some were sceptical about the future of Your Members and whether it was just going to fizzle away like so many other Wordpress plugins. I am pleased to now tell you that actually no, we aren’t going anywhere and in fact will be trying to get things moving again with the help of the latest member of the team, Glenn Pegden. Glenn has a varied background, likes long walks on the beach and candle lit dinners. I understand he also knows a thing or two about sales and therefore he will be kicking me and Tim Nash into shape to get the plugin(s) updated, pretty and unmissable!

Current plans include a whole new website just for the Your Members plugin to house things like… wait for it… documentation and a proper list of the things it can actually do! We have recently released YM version 1.6 which is the best version yet! We hope to get some feedback and tweets to the new YM Twitter account for things that you, the community, would like to see and then get the next version out to you sometime in the next couple of months.

Any questions about the plugin, the project or Glenn’s vital statistics, then you can get in touch with us at newmedias.co.uk or use my site contact form and we shall get back to you.

Why buy from an ugly website?

February 3rd, 2010

I have been thinking a great deal recently about the work I do and how much of it is purely functional before someone else goes away and ruins it with their bad design choices. I attended ThinkVisibility 2 last September and it was a real eye opener with regard to the talks I was subjected to. One was to do with eye tracking and we were shown an example of a number of users’ browsing patterns for different sites. I never realised how predictable users can be with the way they look at some sites.

However, one of the sites we were shown was Amazon and it shows the users having trouble getting around. I have to ask myself exactly how on earth Amazon makes money at all when people are obviously struggling to find what they want, or worse, find what they want but can’t work out how to pay for the thing!

I have started looking at websites in a new light now and often refuse to buy anything from a site that I deem to be unworthy of my custom. It sounds a little bit odd for me to say that but I honestly do think twice about getting out my wallet if it takes me longer than I want to spend finding the items in the first place.

I would almost be inclined to start a black list of sites that, in my opinion, were badly designed but before long it would be unmaintainable :)

What, however, I will do is comment on a few sites that I do get along with and tell you why…

#1 Google
I was introduced to Google in 2001 when I was at college and my lecturers suggested we use it because of the distinct lack of advertising. This, of course, has now changed and Google has a colossal advertising network. Let me ask you this though… does it get in the way of your browsing? I say no it doesn’t, and the clean cut and fast interface they provide is exactly what I want to see.

#2 eBay & Paypal
I have been using eBay and Paypal for years, as I am sure most of Europe and the US have been as well. I find the interface on eBay in keeping with the ‘fun’ theme of the Dutch auction, and the clean lines of Paypal when you come to actually hand over your money a refreshing contrast. Would you really want to hand over your card details on a site that looks like a child has written it? eBay offers good and intuitive search functionality but also excellent browsing and product pages.

#3 Apple
I may be criticised for saying this but I think that Apple also have the right idea with regard to their site design. Design, of course, is something that Apple have grown up with and have continued to excel at through the ages. I find the homepage to be a no nonsense view of what they want you to see (which at the moment is the new iPad (a big iPod in my opinion… not a great deal of product design elaboration there!)). The shop is non-contentious but you always manage to find your product and get it into your shopping cart with no problems.

#4 Facebook
To start, I hate Facebook… It is one of those sites that just ropes people in to basically live there until the shelf life runs out and they move onto something else. They are managing to keep ahead of (or in conjunction with) Twitter quite well at the moment, but then the sites have somewhat different core strengths. However, my hatred aside, you really have to give it to them that the design of the site, the navigation and the speed are all pretty good indeed. The use of Ajax and Javascript is a credit to the site and the user experience is a good one indeed.

#5 Bing
I don’t use the search engine at all to be honest as I am firmly a Google man (stubborn really if anything else); however, one has to appreciate the front page of Bing. Instead of going the Google route and showing nothing or the Yahoo route and showing everything, they have shown interesting bits of information about random things. The picture in the background changes frequently (much like Google’s header image) and the hotspots on the image give interesting information about the scene and its contents. I like this method of not being forced to swallow news (or worse, wait for it to load!) that I don’t want to see, but providing me with an interesting picture with the opportunity to easily get more information. Well done Microsoft on your first half decent search engine page!

The list could go on and on but I have things to do. Please do feel free to add your own likes and dislikes to my list. The point was to highlight the fact that design and placement of a website is often not as important to some people as it should be. These examples are sites which I think have done it properly. Copying them is not the best thing to do at all, but use them as inspiration to guide you in making the right decisions for your own homepages.