Cleaning up after a hack

I spent several hours today disinfecting my other website, Speaking of Clouds, after a WordPress hack attack. As is often the case, I was saved by the incompetence of the hackers, who had modified my .htaccess files in such a way that it created an infinite redirection loop. (Hint: you’re not going to get far if your URL begins with “htttp:”.) This loop meant that the site became inaccessible, which was immediately noticed by Montastic, the service I use to monitor all of my sites. (Highly recommended.)
Unlike this blog, Speaking of Clouds is hosted at DreamHost. This is not particularly significant: DreamHost has always provided excellent service, and their customer service guys were immediately responsive when I contacted them. However I’m running on a multiuser system, rather than in my own virtual machine or zone, which meant that certain diagnostic and troubleshooting tools weren’t available. I couldn’t restart the Apache process, or compare logs across multiple websites.
The eventual cleanup was relatively straightforward. Ssh in to the host. Take a recursive listing of the entire filespace, so that I could tell what was changed when. Back up everything. Examine logs. Clean up all of the .htaccess files. Change the keys. Log in to the dashboard. Reinstall WordPress 3.4.1. Identify all of the bogus PHP and HTML files (made easier by the atrocious spelling and grammar of the hackers). Change all the passwords. Reinstall all the plugins and themes. Delete (rather than disabling) everything I’m not actually using. And then back everything up. And all the while, I had three terminal windows tailing the relevant log files.
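The triage steps above (take a recursive listing, find out what changed when, hunt for bogus PHP files and rogue .htaccess rules) are easy to script so that the second and third cleanups go faster than the first. The helpers below are an added example, not code from the original post; they assume GNU find and diff on a Linux shared host, and the WordPress tree they operate on in the demo is a constructed stand-in built by make_sample_tree, not a real site.

```shell
#!/bin/sh
# Added example, not from the original post: shell helpers for the triage steps
# above (baseline listing, change detection, hunting dropped PHP files and rogue
# .htaccess redirects). Assumes GNU find/diff on Linux; the sample tree built by
# make_sample_tree is a constructed stand-in for a real WordPress install.

# Record every file with its mtime (epoch) and size, sorted by path, so that a
# second snapshot can be diffed against it.
snapshot() {   # snapshot WP_DIR OUTFILE
    find "$1" -type f -printf '%p\t%T@\t%s\n' | sort > "$2"
}

# Lines that differ between BASELINE and the tree as it is now:
# "<" = as recorded, ">" = as found (new files, changed size or mtime, deletions).
changed_since() {   # changed_since BASELINE WP_DIR
    now=$(mktemp)
    snapshot "$2" "$now"
    diff "$1" "$now" | grep '^[<>]' || true
    rm -f "$now"
}

# Nothing under wp-content/uploads should be executable by PHP; dot-prefixed
# names (like the .cache_000.php seen later in this post) hide from a plain ls.
php_in_uploads() {   # php_in_uploads WP_DIR
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) \
        2>/dev/null || true
}

# .htaccess rules that send visitors elsewhere: Redirect directives, RewriteRules
# with an absolute URL target, or a misspelled scheme such as "htttp:".
# WordPress's own permalink RewriteRule has no "://" target and is not flagged.
suspicious_htaccess() {   # suspicious_htaccess WP_DIR
    find "$1" -name .htaccess -exec grep -HniE \
        '^[[:space:]]*Redirect|^[[:space:]]*RewriteRule.*://|ht{3,}ps?:' {} + || true
}

# Constructed sample tree: a minimal install plus one planted dotfile in uploads.
make_sample_tree() {   # make_sample_tree DIR
    mkdir -p "$1/wp-content/uploads/2012/07" "$1/wp-admin"
    printf '<?php /* core */\n' > "$1/index.php"
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n' > "$1/.htaccess"
    printf '<?php /* planted file; its contents are irrelevant here */\n' \
        > "$1/wp-content/uploads/.cache_000.php"
    printf 'not really a jpeg\n' > "$1/wp-content/uploads/2012/07/photo.jpg"
}

# Simulate the attackers' edit: an external redirect with the typo from the post.
tamper_sample_tree() {   # tamper_sample_tree DIR
    printf 'RewriteRule ^(.*)$ htttp://example.invalid/$1 [R,L]\n' >> "$1/.htaccess"
}

# Usage: sh triage.sh demo   (builds the sample tree, tampers it, shows the findings)
if [ "${1:-}" = demo ]; then
    site=$(mktemp -d)
    make_sample_tree "$site"
    snapshot "$site" "$site.baseline"
    tamper_sample_tree "$site"
    echo "== changed since baseline"; changed_since "$site.baseline" "$site"
    echo "== PHP under uploads";        php_in_uploads "$site"
    echo "== suspicious .htaccess";     suspicious_htaccess "$site"
    rm -rf "$site" "$site.baseline"
fi
```

On a real site you would run snapshot once right after the cleanup, keep the baseline file outside the web root, and re-run changed_since from cron; a file whose line moves from "<" to ">" tells you exactly which mtime to go looking for in the access log.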
I must say that I would rather have been slogging through the mud at Silverstone, though….
UPDATE July 12, 2012:
This story continues to develop. Yesterday I received an email from a Russian/Lithuanian company, advising me that my site appeared to be hacked, and providing a little bit of more-or-less accurate advice on cleaning it up. The email concluded:

If you are not able to fix this “redirect” problem on your own then we will be glad to help you for a reasonable price.

Oddly, the description that they gave of how I was hacked was slightly inaccurate, and so I ssh’d back in to check. Sure enough, it had been hacked again. I cleaned up as before; this time I touched every file in my WordPress subtree, so that any changes would be immediately apparent.
This morning, I logged back in, and found that my .htaccess files had been changed again. This time I was able to match the modification time to the exact HTTP log entries, and this is what I saw:

 - - [12/Jul/2012:05:45:44 -0700] "POST /wp-content/uploads/.cache_000.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

So somehow an executable PHP file had been hidden away in my uploads directory, and was being used to inject stuff into my WordPress configuration. I quarantined the file, then looked around to see if this was a known exploit. I only came across one blog reference, here.
It seems like one really obvious security fix for PHP would be to prevent it from executing hidden files. A quick check suggests that this hasn’t been implemented, though.
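Two things a practitioner would want from the last two updates are the mtime-to-log correlation that turned up the POST to .cache_000.php, and a way to stop the uploads directory from serving PHP at all, whether or not the file is hidden. The script below is an added example and not code from the original post. It assumes GNU date and stat on Linux, and Apache 2.2-style access control (the .htaccess syntax shared hosts were running in 2012; that is an assumption about the host). The access-log excerpt in make_sample_log is constructed; 192.0.2.10 is a documentation address standing in for the client IP the post omits.

```shell
#!/bin/sh
# Added example, not from the original post: (1) match a tampered file's mtime to
# the access-log requests around it, the way the .cache_000.php POST above was
# found, and (2) make wp-content/uploads unable to serve PHP. Assumes GNU
# date/stat on Linux and Apache 2.2-style access control (an assumption about
# the host). The log lines in make_sample_log are constructed; 192.0.2.10 is a
# documentation address standing in for the client IP the post omits.

# "12/Jul/2012:05:45:44 -0700" -> seconds since the epoch (offset-aware, so the
# server's timezone and the log's timezone need not match).
apache_ts_to_epoch() {   # apache_ts_to_epoch TIMESTAMP
    date -d "$(printf '%s' "$1" | \
        sed 's|^\([0-9]*\)/\([A-Za-z]*\)/\([0-9]*\):\([0-9:]*\) \(.*\)$|\1 \2 \3 \4 \5|')" +%s
}

# Print every request logged within WINDOW seconds (default 120) of FILE's mtime.
requests_near() {   # requests_near FILE ACCESS_LOG [WINDOW]
    target=$(stat -c %Y "$1"); win=${3:-120}
    while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | sed -n 's/^[^[]*\[\([^]]*\)\].*$/\1/p')
        [ -n "$ts" ] || continue
        t=$(apache_ts_to_epoch "$ts" 2>/dev/null) || continue
        delta=$((t - target)); [ "$delta" -lt 0 ] && delta=$((0 - delta))
        [ "$delta" -le "$win" ] && printf '%s\n' "$line"
    done < "$2"
    return 0
}

# Apache 2.2 directives for wp-content/uploads/.htaccess: deny every PHP-like
# name outright, dotfiles included. Unlike "php_flag engine off", this does not
# depend on PHP running as an Apache module. (Apache 2.4 replaces the two
# Order/Deny lines with "Require all denied".)
harden_uploads() {   # harden_uploads WP_DIR
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Uploaded files are data, never code.
<FilesMatch "\.(php[0-9]?|phtml|phar|inc)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
}

# Constructed access-log excerpt (combined format): three requests one morning.
make_sample_log() {   # make_sample_log OUTFILE
    cat > "$1" <<'EOF'
192.0.2.10 - - [12/Jul/2012:04:02:11 -0700] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jul/2012:05:45:44 -0700] "POST /wp-content/uploads/.cache_000.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
192.0.2.10 - - [12/Jul/2012:05:46:01 -0700] "GET / HTTP/1.1" 301 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sh correlate.sh demo
if [ "${1:-}" = demo ]; then
    site=$(mktemp -d); mkdir -p "$site/wp-content/uploads"
    make_sample_log "$site/access.log"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    touch -d '2012-07-12 05:45:50 -0700' "$site/.htaccess"   # pretend this is when it was tampered
    echo "== requests within 60s of the .htaccess mtime"
    requests_near "$site/.htaccess" "$site/access.log" 60
    harden_uploads "$site"
    echo "== uploads/.htaccess now reads"; cat "$site/wp-content/uploads/.htaccess"
    rm -rf "$site"
fi
```

Against the constructed log, a 60-second window around the .htaccess mtime returns the POST to .cache_000.php and the 301 that followed it, and drops the earlier wp-login.php request. The FilesMatch block goes in the uploads directory itself so that a dropped file there is refused before PHP ever sees it; a file that cannot be executed cannot rewrite your .htaccess, hidden or not.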
UPDATE December 11, 2012:
I’ve received several emails from the same company complaining about this blog piece:

I am concerned about your blog post. It influence our online reputation. I’m sorry about our letter, we just wanted to inform you about security issues in your website.

Since I did no more than state the facts, accurately, I’m not sure what they’re complaining about. In the unlikely event that anyone actually reads this piece and cares about what I wrote, I encourage you to visit the eVuln Labs website and draw your own conclusions.
More anon.

Imitation is the sincerest form of flattery – unattributed copying, not so much. Keywords: evil, religion, Android

If you are reading this at (directly or via RSS feed), you can ignore it. Nothing to see here, move along, etc.
However there is a good chance that you’re seeing this text in some other blog or feed. There are many sites which monitor blogs for posts meeting certain criteria and then repost them, in whole or in part. I find that most of them cue off the “Atheist” in my tag line (or the fact that this blog is included in many atheist blog-rolls); others scan the posting for keywords like “Android” or “smartphone”.
None of this should be surprising, so why am I even bothering to write this? Well, I just came across a blog which reproduced an entire posting of mine (minus the formatting, links, and Creative Commons license) without any attribution whatsoever. The site in question is “In God We Lust dot com”. (I’m not including the actual URL; you can work it out.) I decided to write this posting simply to see how mindless the scraping bot is at that site. I’m including a statistically improbable phrase – strontium warhorse eaters – to make it easy to search for non-attributing scumbags.
So if you’re reading this and you don’t see a link back to, you now know what kind of site you’re looking at.
[UPDATE, 12 hours later] Looks like this scraper site is even more dumb than I thought. It’s pulling stuff off PlanetAtheism (which reposts my stuff with attribution) and reposting it twice. And it is possible to get back to my site: the link looks like a PlanetAtheism FeedBurner, but through some kind of magic it leads back to my original.
Speaking of PlanetAtheism, I would prefer it if they would post excerpts, with clear links, rather than reproducing full articles. I don’t rely on advertising, but many people do.

Quote of the day: Kirk on populism

Bloggers of all stripes have been toasting or roasting Andrew Sullivan on the occasion of the (approximate) tenth anniversary of the Daily Dish. There have been some sparkling contributions as well as several powerful indictments (sometimes in the same posting), but I particularly liked this bit from Stephen Bainbridge:

Today, Andrew is leading the fight to oppose those who are trying to morph conservatism into populism. Russell Kirk wrote that “Populism is a revolt against the Smart Guys. I am very ready to confess that the present Smart Guys, as represented by the dominant mentality of the Academy and of the Knowledge Class today, are insufficiently endowed with right reason and moral imagination. But it would not be an improvement to supplant them by persons of thoroughgoing ignorance and incompetence.” [My emphasis-GA.]

The costs of indirection

A friend of mine recently asked me if I’d like to add a badge to my blog, linked to a promotion/monetization system. I thought my email reply was worth sharing here. I’ve anonymized things a bit….

I’m a great example of why badge-based blog monetization is a tough sell. I currently follow 208 different blogs (really – I just checked my OPML file) but I do so almost entirely through Google Reader, or one of the iPhone/iPad apps that transcode my Reader feed into a more suitable format. I only click through to the actual blog website in a few cases a day – where I want to see any comments, or when I need access to the original HTML for some purpose. (And the latter tends to be dictated by the blogging software being used by the author.)
So even though I have a number of favorite blogs, I’m never going to see a badge. [And of course I’m never going to see – or click through – on any advertising, which is a problem for the blogger.] Furthermore, I know that my blog is in the same boat: from blog-related email it’s clear that I have many more readers than those who show up on my site. (Perhaps if I started using Feedburner I could find out exactly how many….)
The only entity that knows what I read, and how much time I spend on each posting, and if and when I click through, is Google. And they’re happy to tell me – see the “Trends” section on the Reader home page. But nobody else gets a look-in.

Twitter automation run amok

There’s a Twitterer that I follow called @denyreligion. Most of his tweets are quite interesting, but every night my Twitter client is inundated by a string of posts of the following form:

Thanks for the RTs and discussion! @XXX, @YYY, @ZZZ….

In other words, every Twitterer who mentioned @denyreligion during the day gets acknowledged. This gets pretty boring: Twitter isn’t (shouldn’t be) a popularity contest in which people score points for being mentioned. So I responded:

@denyreligion You need a different way of handling your gratitude. A page full of these “Thanks for the RTs” just makes me want to block you

And you can guess what happened, can’t you? Sure enough, the next night I receive:

Thanks for the RTs and discussion! @XXX @YYY @geoffarnold @ZZZ…

This is just plain silly.

15 books in 15 minutes

Dan Ellard tagged me in the “15 books” meme.

Don’t take too long to think about it. Fifteen books you’ve read that will always stick with you. First fifteen you can recall in no more than 15 minutes.

I’m doing mine in my blog, so I don’t lose it in the bowels of Facebook:

  1. “Lord of the Rings” (J.R.R. Tolkien)
  2. “Third Wish” (Robert Fulghum)
  3. “Consciousness Explained” (and everything else by Dan Dennett)
  4. “The Ancestor’s Tale” (and everything else by Richard Dawkins)
  5. “God is not Great” (Christopher Hitchens)
  6. “Gödel, Escher, Bach” (and everything else by Doug Hofstadter)
  7. “I, Asimov” (Isaac Asimov – I like his novels, but prefer these essays)
  8. “H.M.S.Ulysses” (Alastair MacLean)
  9. “The Penguin Atlas of Ancient History” (and the others in the series by Colin McEvedy)
  10. “The Daughter of Time” (Josephine Tey)
  11. “Windscale 1957” (Lorna Arnold – my mother; also her books on the UK bomb)
  12. “The Demon-Haunted World” (Carl Sagan)
  13. “Risking Everything: 110 Poems of Love and Revelation” (ed. Roger Housden)
  14. “Level 7” (Mordecai Roshwald)
  15. “Swallows and Amazons” (Arthur Ransome – the whole series, please)


I’m pretty sure that this is the longest gap in my blogging since I started back in December 2003. So why the hiatus? A few reasons come to mind:

  • A lot of my off-the-cuff comments which would previously have shown up in my blog now wind up on Twitter. Some of this is because it’s trivially easy for me to post a Tweet from my iPhone, wherever I might be; more significant is the fact that many of the items that I used to comment on – from friends, from news sources – show up on Twitter first, and it’s easy to “RT” them with my comments. So there’s a reverse network effect taking place here.
  • Another factor is the current state of my life. I’m in the middle of job-hunting, and for obvious reasons I don’t want to broadcast the details. Perhaps some of my conversations are with companies that are officially in the middle of hiring freezes; it would be tacky to mention them. Or I might be talking to a stealth-mode start-up, where stealth is the key word. And then these processes always seem to take longer than one would hope, and I don’t really think that it would be appropriate for me to vent about the frustration which I occasionally feel. So that whole (important) area of my life is off-limits.
  • I’ve been posting most of the technical material that I might previously have published here on my new blog, Speaking of Clouds. And yes, that blog needs more material – see previous point.
  • My reviews – of books, music, movies, concerts, and gadgets – are reduced in frequency because I’ve been buying less stuff, and going out less. And Amazon Vine has been sending me fewer items that I want to review on my blog. (Until today, anyway.)
  • Above all, I have this persistent feeling that my life is about to change, dramatically and comprehensively. We’re talking about the what, where, and how. And so I find myself metaphorically holding my breath….

So bear with me. I expect my posting rate to increase really significantly – RSN!

Internet-Age Writing

Internet-Age Writing Syllabus and Course Overview

As print takes its place alongside smoke signals, cuneiform, and hollering, there has emerged a new literary age, one in which writers no longer need to feel encumbered by the paper cuts, reading, and excessive use of words traditionally associated with the writing trade. Writing for Nonreaders in the Postprint Era focuses on the creation of short-form prose that is not intended to be reproduced on pulp fibers.

(Via Ozan)

Communications breakdown

In the last week, I have used all of the following interpersonal communications technologies. By “used”, I mean actively participated, initiating and responding.

  • Voice: Cell phone, Skype VOIP
  • Real-time text: Skype IM, Facebook IM
  • Narrowcast messaging: Email, LinkedIn, Facebook
  • Broadcast messaging: LinkedIn, Facebook, Twitter, blogging (posting and commenting)

I can’t escape the feeling that a form of Gresham’s Law applies here. The worst part of it is that these technologies differ wildly on how device-neutral they are. Right now Facebook and LinkedIn are very poorly adapted to the iPhone. And any thought of having a “universal inbox” is right out of the window….