I spent several hours today disinfecting my other website (Speaking of Clouds, also reachable as GeoffArnoldConsulting.com) after a WordPress hack attack. As is often the case, I was saved by the incompetence of the hackers, who had modified my .htaccess files in such a way that it created an infinite redirection loop. (Hint: you’re not going to get far if your URL begins with “htttp:”.) This loop meant that the site became inaccessible, which was immediately noticed by Montastic, the service I use to monitor all of my sites. (Highly recommended.)
Unlike this blog, Speaking of Clouds is hosted at DreamHost. This is not particularly significant: DreamHost has always provided excellent service, and their customer service guys were immediately responsive when I contacted them. However I’m running on a multiuser system, rather than in my own virtual machine or zone, which meant that certain diagnostic and troubleshooting tools weren’t available. I couldn’t restart the Apache process, or compare logs across multiple websites.
The eventual cleanup was relatively straightforward. Ssh in to the host. Take a recursive listing of the entire filespace, so that I could tell what was changed when. Back up everything. Examine logs. Clean up all of the .htaccess files. Change the keys. Log in to the dashboard. Reinstall WordPress 3.4.1. Identify all of the bogus PHP and HTML files (made easier by the atrocious spelling and grammar of the hackers). Change all the passwords. Reinstall all the plugins and themes. Delete (rather than disabling) everything I’m not actually using. And then back everything up. And all the while, I had three terminal windows tailing the relevant log files.
UPDATE July 12, 2012:
This story continues to develop. Yesterday I received an email from a Russian Lithuanian company (evuln.com), advising me that my site appeared to be hacked, and providing a little bit of more-or-less accurate advice on cleaning it up. The email concluded:
If you are not able to fix this “redirect” problem on your own then we will be glad to help you for a reasonable price.
Oddly, the description that they gave of how I was hacked was slightly inaccurate, and so I ssh’d back into speakingofclouds.com to check. Sure enough, it had been hacked again. I cleaned up as before; this time I touched every file in my WordPress subtree, so that any changes would be immediately apparent.
This morning, I logged back in, and found that my .htaccess files had been changed again. This time I was able to match the modification time to the exact HTTP log entries, and this is what I saw:
So somehow an executable PHP file had been hidden away in my uploads directory, and was being used to inject stuff into my WordPress configuration. I quarantined the file, then looked around to see if this was a known exploit. I only came across one blog reference, here.
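The cleanup steps above (recursive listing to see what changed when, touching every file, matching a file's modification time against the access log) can be scripted so that the next re-infection is caught by comparison rather than by eye. The shell functions below are an added example written for this page; they are not the author's commands and not tooling from WordPress or DreamHost. They take a content snapshot of the tree that can be diffed against a later one, scan the uploads directory for files that should never be there (script-like extensions, dotfiles included, plus any file whose bytes contain a PHP open tag whatever its name), and pull out the access-log lines written in the minute a given file was last modified. They assume GNU coreutils (sha256sum, date -r, touch -d) and Apache's default request-time format; the directory layout, file names and log lines in the fixture are constructed for the demo, not data from this incident.

```shell
#!/bin/sh
# Added example for this page (not the author's commands, not WordPress or
# DreamHost tooling). Triage helpers for a WordPress tree on a shared host
# reached over ssh. Assumes GNU coreutils (sha256sum, date -r, touch -d) and
# Apache's default request-time format "[12/Jul/2012:05:31:07 -0700]".
set -eu

# Content snapshot of a tree: "path<TAB>sha256", sorted by path. Two snapshots
# taken at different times can be compared to see exactly which files were
# edited or added in between, which is more reliable than eyeballing ls -lR.
snapshot() {   # snapshot DIR  >snapshot.txt
    find "$1" -type f -exec sha256sum {} + \
        | awk '{ print substr($0, 67) "\t" substr($0, 1, 64) }' \
        | LC_ALL=C sort
}

# Paths whose content is new since the old snapshot (an edited file has a new
# hash, a dropped file a new line). Deleted files would be comm -23 instead.
changed_since() {   # changed_since OLD_SNAPSHOT NEW_SNAPSHOT
    LC_ALL=C comm -13 "$1" "$2" | cut -f1
}

# Things that should never live in an uploads directory: files with a
# script-like extension (find's * matches a leading dot, so ".cache.php"
# style dotfiles are caught too) and any file whose bytes contain a PHP open
# tag regardless of its name, e.g. a ".gif" with PHP appended. grep -a scans
# binaries as text so image files are not skipped.
suspect_php() {   # suspect_php UPLOADS_DIR
    {
        find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
                           -o -iname '*.phar' -o -iname '*.php[0-9]' \)
        grep -rla -e '<?php' -e '<?=' "$1" 2>/dev/null || true
    } | LC_ALL=C sort -u
}

# A file's mtime rendered the way Apache logs request times, to the minute,
# e.g. "12/Jul/2012:05:31". File system and web server are on the same host,
# so they share a clock and time zone and the strings line up directly.
mtime_stamp() {   # mtime_stamp FILE
    LC_ALL=C date -r "$1" +'%d/%b/%Y:%H:%M'
}

# Requests logged in the minute the file was last written. The request that
# modified it is normally the POST at or just before the mtime.
requests_at_mtime() {   # requests_at_mtime FILE ACCESS_LOG
    grep -F "[$(mtime_stamp "$1")" "$2" || true
}

# ---- constructed fixture (made-up tree and log lines, not incident data) ----
make_fixture() {   # make_fixture WORKDIR
    mkdir -p "$1/wp-content/uploads/2012/07" "$1/wp-content/themes/x"
    echo '<?php echo "theme"; ?>' > "$1/wp-content/themes/x/index.php"
    echo 'not really an image' > "$1/wp-content/uploads/2012/07/photo.jpg"
    printf '%s\n' 'GIF89a' '<?php /* backdoor placeholder */ ?>' \
        > "$1/wp-content/uploads/2012/07/banner.gif"
    echo '<?php /* hidden dropper placeholder */' > "$1/wp-content/uploads/.cache.php"
    touch -d '2012-07-12 05:31:07' "$1/wp-content/uploads/.cache.php"
    cat > "$1/access.log" <<'EOF'
203.0.113.7 - - [12/Jul/2012:05:30:58 -0700] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2012:05:31:07 -0700] "POST /wp-content/uploads/.cache.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jul/2012:05:40:11 -0700] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
EOF
}

# Usage: sh triage.sh demo   (runs the helpers over the fixture above)
if [ "${1-}" = "demo" ]; then
    work=$(mktemp -d)
    make_fixture "$work"
    echo "== files under uploads that should not be there =="
    suspect_php "$work/wp-content/uploads"
    echo "== requests logged when .cache.php was last modified =="
    requests_at_mtime "$work/wp-content/uploads/.cache.php" "$work/access.log"
    rm -rf "$work"
fi
```

A plain string match on the minute is enough here only because file and log live on the same host and share a clock; if you copy the log to another machine, convert both sides to UTC before comparing. Read the matches with some judgement: on a busy site the same minute will also contain unrelated requests, and the one that wrote the file is usually the POST at or immediately before the mtime.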
It seems like one really obvious security fix for PHP would be to prevent it from executing hidden files. A quick check suggests that this hasn’t been implemented, though.
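Whether the PHP interpreter should refuse dotfiles is a question for its maintainers; on a shared host the control you actually have is Apache's, and the usual fix is an .htaccess in wp-content/uploads that refuses to serve script-like files and dotfiles at all. WordPress never needs to execute code from that directory, so nothing legitimate breaks. The script below is an added example for this page, not the author's configuration and not something shipped by WordPress or DreamHost. It assumes Apache with AllowOverride permitting AuthConfig and Limit in .htaccess (so that Require works on 2.4 via mod_authz_core and Order/Deny on 2.2), and it adds a scan for the kind of off-site redirect the attackers planted in .htaccess files; the paths in the usage line and the test are hypothetical.

```shell
#!/bin/sh
# Added example for this page (not the author's configuration, not shipped by
# WordPress or DreamHost). Puts an .htaccess into wp-content/uploads that
# makes Apache refuse to serve script-like files and dotfiles from there, and
# scans the tree for .htaccess redirects pointing off-site. Assumes Apache
# with AllowOverride permitting AuthConfig and Limit (Require on 2.4 via
# mod_authz_core, Order/Deny on 2.2); nginx does not read .htaccess at all.
set -eu

UPLOADS_HTACCESS='# Uploads hold media only. Refuse anything that looks like server-side code,
# whatever PHP SAPI is in use, and whatever the file is called (dotfiles too).
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9]|pl|py|cgi|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>'

# Write the policy. An existing .htaccess is kept as a dated backup rather than
# overwritten: a tampered .htaccess is evidence, and is what started the incident.
install_uploads_htaccess() {   # install_uploads_htaccess UPLOADS_DIR
    f="$1/.htaccess"
    if [ -e "$f" ]; then
        cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    fi
    printf '%s\n' "$UPLOADS_HTACCESS" > "$f"
}

# True when the .htaccess in place both matches PHP-style names and denies them.
uploads_htaccess_ok() {   # uploads_htaccess_ok UPLOADS_DIR
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q 'FilesMatch.*php' "$f" || return 1
    grep -Eq 'Require all denied|Deny from all' "$f" || return 1
    return 0
}

# Every .htaccess under the WordPress root that redirects to a URL carrying a
# scheme. A stock WordPress .htaccess only rewrites to /index.php; a rule that
# sends visitors to another host (including a misspelt scheme such as
# "htttp://", which is what produced the redirect loop described above) needs
# a look. Output is file:line:rule.
offsite_redirects() {   # offsite_redirects WP_ROOT
    find "$1" -type f -name .htaccess -exec grep -HEni \
        '^[[:space:]]*(RewriteRule|Redirect[A-Za-z]*)[[:space:]].*[A-Za-z]+://' {} + \
        || true
}

# Usage: sh harden-uploads.sh /home/user/example.com    (path hypothetical)
if [ $# -eq 1 ]; then
    install_uploads_htaccess "$1/wp-content/uploads"
    uploads_htaccess_ok "$1/wp-content/uploads" && echo "uploads .htaccess in place"
    echo "== .htaccess rules redirecting off-site (review each) =="
    offsite_redirects "$1"
fi
```

Denying at the web server works whatever PHP SAPI the host runs: `php_flag engine off` only takes effect under mod_php and is silently ignored under CGI/FastCGI, and a `RemoveHandler` line can be undone by a later `AddHandler`. The uploads directory still has to be writable for WordPress to work, so this is a mitigation rather than a cure: a file can still be dropped there by whatever got the attackers in, it just cannot be run through the web server.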
UPDATE December 11, 2012:
I’ve received several emails from eVuln.com complaining about this blog piece:
I am concerned about your blog post. It influence our online reputation. I’m sorry about our letter, we just wanted to inform you about security issues in your website.
Since I did no more than state the facts, accurately, I’m not sure what they’re complaining about. In the unlikely event that anyone actually reads this piece and cares about what I wrote, I encourage you to visit the eVuln Labs website and draw your own conclusions.
If you are reading this at geoffarnold.com (directly or via RSS feed), you can ignore it. Nothing to see here, move along, etc.
However there is a good chance that you’re seeing this text in some other blog or feed. There are many sites which monitor blogs for posts meeting certain criteria and then repost them, in whole or in part. I find that most of them cue off the “Atheist” in my tag line (or the fact that this blog is included in many atheist blog-rolls); others scan the posting for keywords like “Android” or “smartphone”.
None of this should be surprising, so why am I even bothering to write this? Well, I just came across a blog which reproduced an entire posting of mine (minus the formatting, links, and Creative Commons license) without any attribution whatsoever. The site in question is “In God We Lust dot com”. (I’m not including the actual URL; you can work it out.) I decided to write this posting simply to see how mindless the scraping bot is at that site. I’m including a statistically improbable phrase – strontium warhorse eaters – to make it easy to search for non-attributing scumbags.
So if you’re reading this and you don’t see a link back to geoffarnold.com, you now know what kind of site you’re looking at.
[UPDATE, 12 hours later] Looks like this scraper site is even more dumb than I thought. It’s pulling stuff off PlanetAtheism (which reposts my stuff with attribution) and reposting it twice. And it is possible to get back to my site: the link looks like a PlanetAtheism FeedBurner, but through some kind of magic it leads back to my original.
Speaking of PlanetAtheism, I would prefer it if they would post excerpts, with clear links, rather than reproducing full articles. I don’t rely on advertising, but many people do.
Gizmodo has the text of the new TSA regulations. Note that the order expires on December 30, which suggests that this was simply rushed out to persuade people that Someone Is Doing Something About It, and that we can expect revised (and hopefully more sensible) regulations to follow. Don’t hold your breath, though.
There’s a Twitterer that I follow called @denyreligion. Most of his tweets are quite interesting, but every night my Twitter client is inundated by a string of posts of the following form:
Thanks for the RTs and discussion! @XXX, @YYY, @ZZZ….
In other words, every Twitterer who mentioned @denyreligion during the day gets acknowledged. This gets pretty boring: Twitter isn’t (shouldn’t be) a popularity contest in which people score points for being mentioned. So I responded:
@denyreligion You need a different way of handling your gratitude. A page full of these “Thanks for the RTs” just makes me want to block you
And you can guess what happened, can’t you? Sure enough, the next night I receive:
Thanks for the RTs and discussion! @XXX @YYY @geoffarnold @ZZZ…
I’ve been trying to decide whether I trust myself to comment on the current state of affairs in my favourite sport, but reading Only In America‘s amusing but information-free rant persuaded me to offer a few thoughts.
For those who haven’t been following things, here’s my analysis of the situation. First, the players:
The FIA: the governing body of motor sport, with self-described non-Fascist Max Mosley in control.
Formula One Management (FOM), the company that runs the business, wheels and deals with the teams, picks and discards circuits to race at, and generally does whatever Bernie Ecclestone’s Napoleon complex dictates.
The teams: Ferrari, McLaren, Brawn, Williams, Red Bull and so forth. Most are members of FOTA, the Formula One Teams Association. Each builds its own car (nominally independently), and gets engines from one of the…
Engineering power-houses: Mercedes, Renault, Toyota, BMW, Fiat. Some own teams; some supply engines to one or more teams; some do both.
The drivers: the stars that we all know and love (or hate). Each is under contract to a team; playing games with supposedly binding contracts is a popular pastime.
The circuits: the venues where the races are run. There are classics like Monza, Monaco and Silverstone, and new built-for-TV extravaganzas like Bahrain and Turkey.
The fans. Though it might not be obvious, the vast majority of these live in Italy, Germany, France, England and Japan. (There are plenty of fans in the US, too, but Bernie doesn’t like dealing with American motorsports businessmen because they can play the game of divide-and-exploit even better than he can.)
Next, supply and demand. There is an oversupply of circuits, so Bernie can play them off against each other and dump anyone, like Silverstone, that doesn’t toe his line. There is an undersupply of money, which means that although there are more drivers and teams that want to take part, the wannabes can’t afford to join. This is because there’s an oversupply of technology, which has two causes. First, the engineering powerhouses want to leverage F1 for promotional purposes: their investments really come out of the advertising budget. Second, Mad Max and a few others are worried about the image of gas-guzzling racing cars at a time of high fuel prices and environmental sensibility, so they browbeat the engineers into building esoteric things like Kinetic Energy Recovery Systems.
(It would be nice to say that this was necessary to promote R&D that would benefit everyday cars; in fact the R&D has already been done and cars like the Toyota Prius use KERS every day. It makes sense in commuter stop-and-go; not so much at 148MPH around Silverstone.)
The recent crisis was provoked by Mad Max declaring that he was going to change the rules to save money, with preferential rules for new teams so that they could participate on the cheap, and that all of the other teams had damn well better sign up immediately, even though the rules weren’t fully worked out. The idea that savvy commercial players like Toyota, Mercedes and BMW would sign up without even knowing what they were agreeing to is… well, delusional. And they didn’t. So yesterday FOTA called Max’s bluff and declared that they were going to participate in an alternative championship series next year. Of course this has provoked threats of lawsuits all round.
Speaking as one of the fans, which I have been since 1964, here’s my opinion. The fans care about three things:
That’s it. The fans appreciate the role that the engineering powerhouses play, and they are glad when the business is run well enough that they can attend races where possible and see the others on TV. But they love the drivers: the heroes of today, like Button, Hamilton, and Vettel; the giants of the recent past, like Schumacher and Senna; and the legends like Moss, Clark, Fangio and the Hills (Phil and Graham). They follow the teams, like Ferrari, McLaren and Williams, with the family feeling that football supporters accord to the teams they support, and they remember the legendary teams of the past, like Lotus and Tyrrell. And they appreciate the importance of the circuits, because, like tennis fans, they understand that each circuit makes special demands on the skill of the driver and the engineering talent of the team. (This is, perhaps, why the rash of new circuits are so uninteresting: they all seem to test the same skills.)
Although Mad Max is the instigator of the latest and greatest stupidity, I actually blame Bernie more than Max. It has been Bernie who has treated Formula One as his personal plaything, cutting deals which pay little attention to the teams and none whatsoever to the fans. In a way, Max is reacting to the bloated state of Bernie’s cash machine, but he is responding by trying to out-Bernie Bernie, to be even more dictatorial than Napoleon.
I want Formula 1 to continue and succeed. Frankly the only group that seems to have a clue is FOTA, and thankfully the drivers seem to be supporting FOTA 100%.
One final thought, thinking about tomorrow’s British Grand Prix at Silverstone. Back in the day – specifically between 1964 and 1986 – the British Grand Prix alternated between Silverstone and Brands Hatch. I really liked that scheme: both circuits had their own distinctive features, and it seemed like the ideal compromise. I’d prefer that the race remained at Silverstone, but if Bernie really wants to include Donington perhaps we could alternate once again.
A lot of that going around; seems to be pretty much the last-ditch line of defense nowadays for muddleheads trying to hold out against the assault of the Evil Dawkhitch Stormtroopers. Often involves the truly brain-dead confusion of religion with religiously-inspired art.
And no, it’s not possible to engage productively with such manifestations of severe cognitive impairment.
So I was in New York the other day, and was offered a copy of Eagleton’s book, and took the first step in my imminent doom by accepting it. Then I tried to fly home on Saturday, one of those flights that was plagued with mechanical errors [...] Thus was my fate sealed.
I was trapped in a plane for 8 hours with nothing to read but Eagleton and the Sky Mall catalog.
This is an account of my day of misery.
When life gives you lemons, make lemonade. This essay is a long glass of cool refreshing reason. Recommended.
I’ve always thought that a few British journals were outstandingly good at conveying complex ideas in an accessible and well-written manner. The Economist did it for economics – even if they have lurched to the right politically – and the New Scientist did the same for science.
How have the mighty fallen.
The once-respected New Scientist has gone completely off the deep end. First, they ran their misleading/pandering “Darwin was wrong” issue. Next they run – and then censor – a perfectly sensible piece on the agenda of pseudo-scientists. And now they’re trying to use their recent “image” as part of their self-promotional material – to say, in effect, “this is who we are”. As Jerry Coyne suggests, it’s time for a boycott to register our disapproval. PZ agrees:
When New Scientist ran their misleading “Darwin was wrong” cover, we hammered at them and pointed out that they were doing us no favors — they were giving ammunition to creationists who would never read the contents, but would wave that cover at school board meetings. And they did. We chastised the editor, Roger Highfield, and we had the impression that he was penitent, but it turns out we were completely wrong.
New Scientist is now using that same cover again in their promotional material to flog magazines.
When politicians use mutually incompatible arguments to attack the same proposal, it’s safe to say that they are more interested in scoring political points than actually participating in a meaningful debate. Here’s Andrew Sullivan on RNC posturing about the stimulus bill:
On the one hand, they seem to be saying (a la McCain) that this is long-term spending, not stimulus; then they are complaining it’s a short-term stimulus that will not create long-term jobs (a la Steele). One can only presume this is mainly about politics, not governing. Like so much of the last eight years.
Daniel Larison, himself deeply skeptical of any stimulus proposal, skewers the consistency of the RNC’s stupidity:
During the bailout debate, the House Republican leadership voted for creating the TARP, which was also bad policy, and they were oblivious to the political toxicity of that measure among their own constituents. It’s not as if the leadership had some deep reservoir of populist credibility before the bailout. Even if the TARP had been a good idea and even if it had already had some success, it would still be perceived as nothing more than the scam and the giveaway to banks that it actually was. Even though the stimulus bill will probably have no desirable effects and will add vast sums to the debt, the stimulus and its supporters are going to continue to be perceived as acting on behalf of the public. Boehner and Cantor have twice managed to put themselves on the wrong side of public opinion on major pieces of legislation in the last five months, so again I have to wonder why it is they remain in the leadership. I have to assume it is because the members of the conference are as politically clueless as they are.