Problems with my blog… blank gallery (photo) pages
I was doing some work on my server today and noticed some errors in my logs of the following form: Feb 23 16:04:45 kgadams httpd: PHP Fatal error: Call to…
Blogging about blogging
WordPress SQL injection hack: watch for=> %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
If you are running a WordPress based blog like I am and suddenly notice your post URLs have something “extra” appended (see the subject line), your blog has been hacked.
You can read more about it here (thanks, UCLABoyz, thanks schang!), where you will also find guidance regarding cleaning the problem up. Unfortunately, it appears that the hack works on all versions of WordPress up to and including the most recent.
I have BadBehavior installed on my blog, and so it was rejecting the URLs with this addition which I *think* would be thwarting the hackers involved: they hadn’t been able to create an administrative user. Unfortunately, it also meant none of my blog posts were working properly until I noticed the problem and corrected it.
Hopefully WordPress will issue a fix for this soon- in the mean time, keep an eye on your URLs, WordPress bloggers!
UPDATE: Another link to a lengthy thread regarding this hack on the WordPress.org site. What is interesting here is the apparent vector: a weakness in the WordPress code, apparently up to and including the most recent release, that permits an ordinary subscriber (i.e.: not an administrative user) to run some administrator features e.g.: changing the permalinks.
UPDATE #2: it appears that updating to the most recent version of WordPress (2.8.4) removes the “double slash” vector for running some admin commands (notably permalink.php). This fix was apparently added somewhere between WordPress version 2.8 and 2.8.4.
I’ve included some extracts from my server logs and further thoughts below…
I have Gravatars?
I installed a new Wordpress theme several weeks ago. I noticed a couple of days ago that posts had funny looking "blank portrait" images beside them. I right clicked on…
Shifting my Twits around
I’ve moved my Twitter feed from the right side to the left side navigation area on this page. The “balance” was starting to bug me (i.e.: too much vertical “stuff” on the right versus the left), and for some reason it just seems to make more sense under “recent comments” then above my photo gallery block.
I have not yet really slowed down my rate of “tweeting” yet: by the way, I prefer calling individual Twitter posts “twits”, but apparently that is bad form- sorry. I started on May 14th, and I’m posting somewhere around six to eight updates per day. if you look at my follow cost I seem to have stabilized at just below 400 milliscobles. I’m not feeling any compulsion to tweet: I just do so when something catches my eye and I think other folks might want to hear about it. Probably my main “vanity” when tweeting is that I respond to a few people like badastronomer (Phil Plait) and wilh (Wil Wheaton) on occasion. In part I do this because I’m hoping they might say something back- but generally I actually *do* have a question, I just probably would never have the courage to ask them to their face.
Cat banner…
I have added a cat banner which will appear periodically at the top of this page, along with my various tree and flower images. Here is a teeny tiny version…
New layout more or less settled
The Atahualpa theme has been active here on the site now for several days. I haven’t received any positive or negative feedback, but I’m happy enough with it now that I’ve made a few minor tweaks.
- The banner pictures at the top are now my own photos: I plan on adding in a few cat pictures at some point, but the format requires some fiddling so it may take me a while
- I’ve corrected some problems that prevented my archives from showing up
- I have managed to get a twitter feed working that doesn’t require the Flash plugin
.
(more…)
Experimenting with a new look
No doubt you were shocked just now if you are one of my regular visitors. Yes, the site looks weird at the moment: I'm experimenting with a different WordPress theme,…
Site upgrade Complete
I’m upgrading the WordPress engine that delivers this blog to the latest version. The site will be somewhat “broken” until I’m done: my apologies for the inconvenience! The upgrade is complete, but not without the usual “oh dang, that’s broken now” moments.
Apparently my Gallery had NSFW comments..
Google sent me an email the other day telling me that my site had “inappropriate” content:
As stated in our program policies, AdSense publishers are not permitted to place Google ads on pages with adult or mature content.
Adult? Mature? On *my* site? Hmmm, this required some further investigation. It didn’t take long to find the problem- Google even gave me a sample URL. Apparently, sometime in the last few weeks some comment spammer bot found my photo gallery and started spewing link-farm comments in random spots throughout. And of course, the only person who has to do more work in this process is me.
Longest outage of my site in five years
Kelly’s World has been down since I left on vacation on Wednesday. Of course my faithful readers (Hi Mom!) have my sincere apologies. From what I can see, my main network switch crashed within hours of us getting in my car. I have no real explanation for the failure other than some sort of digital empathy relating to the buyer’s remorse I feel regarding the DI-LB604 I bought a couple of months or so ago. I am wondering if the firmware update I did on that switch a few days before we left is at the root of the failure. Sometime soon I’m going to write a blog entry regarding my fun during the past few months regarding my network configuration, but today is not the day to start that…