EyedMax's Pit » Wordpress

What to do if your blog was hacked by evil eval

eyedmax — Sat, 05 Sep 2009 00:44:23 +0000

Weird things happens. Mostly in WordPress. One morning you see that your permalinks became a something like this:

blah/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or this:

“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

Or your feed crapped like this:

error on line 22 at column 71: xmlParseEntityRef: no name wordpress

Do not panic – you’re hacked. And there is three steps to get rid of it.

1) Restore your permalinks
Go to Admin panel -> Settings -> Permalinks.
Set your permalink structure to whatever it was earlier. If you don’t even imagine what it was – you can always ask google for it – just like this: site:yourblogurl.com – and you’ll see the answer in the links to your site.

2) Kill the intruder(s)
Go to your preferred mysql administration tool (say, MySqlAdmin) and run this code in the SQL window:

SELECT * FROM `wp_usermeta`
WHERE `meta_value` LIKE '%script%'

You’ll see the list of records, write down user_ids of those guys.
Go to Admin panel -> Users -> Authors & Users, copy the edit link for any user, it’ll be somethings like:

http://yourblogurl.com/wp-admin/user-edit.php?user_id=14&wp_http_referer=%2Fwp-admin%2Fusers.php

Then paste it into address line, and change user_id=XX to the first user_id you wrote. Go.
Replace First name with whatever you want (for example “z”), insert “motherfncker@test.com” into Email field (or whatever, but remember it, you’ll need it later) and set the Role into Subscriber. Push Update user. Then repeat with the next one in your user_ids list. After you finished – just type in into the search line word “motherfncker” (or whatever you set emails to). Now – just delete bastards!

3) Defend the base
Just upgrade your wordpress. If you will do it periodically – there will be no such problems at all!

If you do not have ability to use some SQL tool – you can try to blind find bastards:
Go to Admin panel -> Users -> Authors & Users
Note the number of Admin users (right under “Users” header). One of them is you, all others – bastard ones
Try to find max. user_id in the list by hovering your mouse over links. Then copy the edit link of the user with topmost ID, insert it into address line, change it to next number and go. Did not work? Try the next number. Or previous one. You can even loop through all IDs not in use. And when you’ll find him – you know what to do!

Star Wars image experiment

eyedmax — Sat, 17 Jan 2009 16:06:43 +0000

Now I’m ready to test something.
Someone can think that picture is offensive somehow – I assure you that is not.
At first, Ahsoka isn’t child, she seems so only next to Skywalker. At second she’s a freekin cartoon character – she have no age at all.

WordPress Dashboard problem fix

eyedmax — Sat, 03 Jan 2009 04:41:37 +0000

Heh. I’ve got “dashboard problem” in admin area. For long. ))

Now it’s over.

When you see 404 page instead of your dashboard – and somethings like “admin.php?page=index.php” in your addressbar – you just need to go to your wp-content/plugins/ directory and rename index.php there to index.html

P.S. BTW WP2.7 adminpanel looks really great! Upgrade ASAP.

And what happened to Google?

eyedmax — Wed, 05 Dec 2007 20:21:34 +0000

Can’t you see? Or it’s just my problem?

I don’t think so. I’ll tell you more – many people feeling fucky nowdays. Today they’re webmasters, but times when guy behind a browser will feel himself fucky – it’s a not-so-far-away future.

Put on Fire in the Fox’s ass!

eyedmax — Thu, 16 Aug 2007 15:33:11 +0000

Make sure that you have this browser:

Do you know FireFox well?

And how about advanced settings page? And how about direct access to it? OK, just type “about:config” into the address bar and hit return. Just like this:

Now, what do you see?

It’s your advanced settings, basically you can’t reach most of them in other way…

How To Speed Up Your FireFox

Look for the following entries:
network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests

They looked just like this:

Now,
Set network.http.pipelining to true
Set network.http.proxy.pipelining to true
Set network.http.pipelining.maxrequests to 10 (or 15)
Right-click, select New->Integer, name it nglayout.initialpaint.delay, set value to 0
Restart Firefox.

What we’ve done?

We allowed to make up to 10 (15) connections at once. Make sure not to set it higher than 20.
Also we allowed to act with received information with zero waiting time.

BlogJet

eyedmax — Mon, 30 Jul 2007 23:46:17 +0000

BlogJet is a commercial blog client for Windows. And I made this and previous posts using this software. Hmmm. BlogJet is much better than BlogDesk one…. But I still need to edit the post after posting is done. Where are papagraph styles? Where are h1 h2 h3 h4 etc… ?? Where is real WYSIWYG editor? Where is image properties editing after I inserted it? Where human-readable image naming (check this out – in previous post image on my HDD named arch-enemy-2007-rise-of-the-tyrant-promo.jpg became some kind of non-seo non-human non-anyone set of letters)?

Author may talk about money, work to be done, “how he make controls that were snatched by microsoft”, and some mental shit, but I must say one thing. BlogJet is crap. Just like BlogDesk. Please note that BlogDesk is free to use, when BlogJet’s author wants $39.95. I’ll put them both in one place – and it will be /dev/null.

The official site says

BlogJet 2.0

Blog editor on steroids.
Now better than ever.

1. Remember, kids, steroids are bad. And this piece of binary crap proves it.
2. If this is better than ever – what’s bad?
3. Why 2.0? Did you anything for it? NO! It must be 1.99 – and so on – 1.100, 1.101.

BlogDesk software

eyedmax — Sat, 21 Jul 2007 14:26:38 +0000

Hi there.

Today I’ll test a software called BlogDesk. Here is their icon , and here is their web-site.

~~BlogDesk is the offline weblog client, features WYSIWYG editor, ImageWizard, Thumbnails creator etc.~~

~~For example I inserted a program’s screenshot, and as you can see, thumbnail generation works wery well~~

~~Seems I’ll try to use it for more time, maybe it’s an editor-of-my-dreams….~~

Seems like BlogDesk is crap. I edited all the links and srcs. Without editing – they all was pointed to “file:// ” (i.e. to my local hard drive).

Now I don’t know if I try this toy anymore.

War Against SPam – step two!

eyedmax — Fri, 20 Jul 2007 15:55:47 +0000

Second step – it’s use of Simple Trackback Validation plugin by Michael Woehrer.

Many spam messages is come through trackbacks.

This plugin eliminates spam trackbacks by:

checking if the IP address of the trackback sender is equal to the IP address of the webserver the trackback URL is referring to and
by retrieving the web page located at the URL used in the trackback and checking if the page contains a link to your blog.

Plug has options page. Everything seems pretty good – and again – wait for more info.

404 in logs

eyedmax — Fri, 20 Jul 2007 12:22:16 +0000

I hate 404s. I use awstats to watch my logs, and I hate when it shows some 404s…

I can tolerate some virus-generated URLs but when I see this “/feed%3Ahttp%3A//eyedmax.com/feed/“or search bot asking me for robots.txt or favicon.ico (and I haven’t one) – I can blow up.

My advices to all webmasters are following:

put all common files (including index.html, robots.txt and favicon.ico) to your site
validate the code for “strange” URLs
analyze log files
use the automatically generated site map

Don’t trouble Google ’till Google troubles you!

War Against SPam – WASP!

eyedmax — Fri, 20 Jul 2007 11:58:12 +0000

Hi there!

I’ve been thinking of getting post done (about smart MySQL sorting techniques), but when I logged on….

A bunch of spam comments – about meds, about autos, about porn (of course) and all the bloody stuff around this bloody world…

So – I proclaim the War Against SPam (WASP).

The first step in WASP strategy – it’s a set of plugins. I’ll try some, and you’ll be informed about the hostilities.

First in the line will be Math Comment Spam Protection Plugin by Michael Woehrer. You can see its output under the comment form. Also I use the aggressive digits naming – like thr33 or f1ve

WordPress 2.2.1

eyedmax — Fri, 22 Jun 2007 02:11:55 +0000

Oops, WordPress 2.2.1 is out, and I’m still not ready!

Ok, I upgraded all the blogs with my plugs, and let’s see what happens.

New Wordpress

eyedmax — Sun, 20 May 2007 01:35:01 +0000

Hi again.
WordPress 2.2 Getz is pretty cool
Except one little thing.
Widgets.
They’re now in the core.
And (as always) one little annoying error in release code.
This bug prevents Otto’s ExecPHP from working. Another plugins that allows to run PHP code gone wild too.
No, actually they working, until you want 2 or more blocks…
Solution is CVS. You need to upload fixed version of widgets.php into your wp-includes folder.
You can take it .zipped – here.

Oh, and I think my plugs needs some widgetization too

EyedMax's Pit » Wordpress

What to do if your blog was hacked by evil eval

Related posts

Star Wars image experiment

Related posts

WordPress Dashboard problem fix

Related posts

And what happened to Google?

Related posts

Put on Fire in the Fox’s ass!

Do you know FireFox well?

How To Speed Up Your FireFox

What we’ve done?

Related posts

BlogJet

BlogJet 2.0

Related posts

BlogDesk software

Related posts

War Against SPam – step two!

Related posts

404 in logs

Related posts

War Against SPam – WASP!

Related posts

WordPress 2.2.1

Related posts

New Wordpress

Related posts