On-Line Banking Attacks

Reports in a couple of places about some really sneaky attacks if you do on-line banking. The attack steals your credit card info (with your help), makes unauthorized charges, then removes those charges from your on-line statements so you don't notice. Pretty clever, actually.

Here’s a couple of links about this: http://redtape.msnbc.msn.com/_news/2012/01/06/9986119-new-virus-raids-your-bank-account-but-you-wont-notice and http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ .

Your defense? Those four things we mentioned here http://cellarweb.com/securitydawg/?p=56 : Windows updates, application updates, anti-virus updates, and not browsing as an administrator. Those would be a great start.

Updates and Remembering

Some updates to the WordPress software are in order. It seems a security bug was found that could be easily exploited, so I had to take care of those updates on the pile of sites that I maintain.

And the 30th birthday of our son, Jason. Long-time readers (yes, the both of you in the back there) will recall that Jason took his life almost 5 years ago.

We still miss him. Some of our memories are at the memorial web site — www.jasonhellewell.com .

Updates R Us

Spent some time doing WordPress updates on a pile of WordPress sites I manage. There is a 3.3.1 update that fixes a couple of security holes in version 3.3.0. Some theme updates are also required, which I will get to later.

But the important point here is that if you manage or own a web site, you have to make sure that you keep the site current with the latest updates.

A Day Off

Nice to have a three-day weekend. Slept in this morning, and am now in the middle of watching the original “Mr Dillon” series (the precursor to “Gunsmoke”). Missed the first 4 episodes, but fun again to watch Chester (Dennis Weaver) and the rest of the gang.

Cold again outside, but a clear blue sky. Planning on going to the movies today with Pam — either the war horse movie, or the one with a guy jumping out of a perfectly good skyscraper. Either way, there is overpriced popcorn and sodas in my future.

Happy New Year

I forgot to take a full nap yesterday, so I only stayed up last night until midnight EST... and I am in MST. Decided that the loss of sleep was the thing to do. And it wasn’t too noisy around my neighborhood. A few fireworks (they are legal in Utah on New Year’s Eve), but at 24F it was too cold to go outside to try to find some to look at.

A bright Sunday morning today: not as cold as the prior weeks; we might get up to 40F today. No snow in the forecast; all I can see is brown lawns and weeds. Today’s sky is a bright blue.

As usual, working on a web site or two while watching football. This new one is supposed to be ready by Feb 1st, so need to get it working. Some code recycling is in order to make the pages work right.

Changed over to 9am church meetings. So home by noon, a turkey/cranberry sandwich with some chips for lunch. Pork chops or grilled steaks for dinner. Just the two of us today, so a quiet afternoon and evening is in store.

Another Not Regularly Scheduled Update

You wouldn’t know it by the paucity (look it up) of posts here, but I have been somewhat busy at home (along with at work).

I’ve been re-employed at a local county government agency in the IT dept (where else). Working on a new Content Management System that is a replacement for their existing system. My part is to take care of the hosting environment (servers, setup, etc). My responsibilities also include the web infrastructure (servers, IIS, etc) for all of their web sites, along with some other related tasks. That keeps me mostly busy. I just passed the one-year mark there, and the yearly review was very positive. I enjoy the work, the commute is much easier than in CA (although more miles, it’s usually at ‘freeway speeds’ on the freeway part). And it keeps me out of the house (much to the delight of Pam).

Besides the one-year anniversary at work, Pam and I celebrated our 36th wedding anniversary. That’s pretty significant. I’m a lucky guy.

After work hours, I have been working on several web-related projects. One is the redesign of Dr. Jerry Pournelle’s web site (www.jerrypournelle.com/chaosmanor), which was started last April and went live in June. Things have settled down there, so it’s mostly monitoring things and performing updates as needed. I’ve also been involved in helping out with converting some of his science fiction books to ebook (Kindle and Nook) format. You can find a list of his ebooks on his site (one of my favorites is “Lucifer’s Hammer”).

This last month I have been working on converting the Manufactured Homeowners Association domain to WordPress-based format. That one just went live today (www.mhoaa.org ).

Then there is the rewrite of the FileHurl site (www.filehurl.com ) to PHP from ColdFusion. (FileHurl is a way to send files to someone else without the limitations of email attachment limits. It’s totally free to use, and pretty easy to use.) The site was hosted by GoDaddy, but they are discontinuing ColdFusion support, so that required a total rewrite of the code into PHP/MySQL. That is almost done, some minor code work needed to finish that up. That site should be ready to go live by next weekend. (The www.filehurl.com link is still live, running under the old ColdFusion code.)

A new site was created as a response to Dr. Jerry Pournelle’s detailing of some of the silly things that our government spends my money on. Did you know that the FDA has regulations and licensing requirements for people that raise rabbits for use by magicians? It’s true! So, I created the Bunny Inspectors site (www.bunnyinspectors.com ) where that silliness can be documented. You look at the items on that site, and then you understand why the federal budget is so screwed up. (Although some states are just as bad.) The site name amused me, the domain name was available, so off I went to register and create the site.

That happens a lot. I get a silly idea, and a web site usually results. There’s “Mad Because” (www.madbecause.com ) and the companion “Glad Because” (www.gladbecause.com ). The Pragmatica site to help inspire greatness (www.thepragmatica.com ).

And then the BBQ/Food related sites, starting with “The BBQ Grail” site for my friend Larry Gaian (www.thebbqgrail.com ) – who is the inventor of “MOINK Balls” (a great BBQ appetizer, BTW). The FoodieFeeds site (www.foodiefeeds.com ), which is a way to find the latest posts from various food-related sites. And others.

Not all the sites are successful – they do get visitors, some more than others, but I am still waiting for the one that will go viral. Maybe it will be the next site I am thinking about.

But all of them keep me entertained.

De-Hacking TimThumb in WordPress sites

I’ve been doing a bit of work lately killing off the “TimThumb” attack in some WordPress blogs. The hole is in TimThumb, an image-resizing script (timthumb.php, sometimes shipped as thumb.php) that is bundled with some WordPress themes and plugins. Versions before 2.0 would fetch and cache a remote “image” from any URL that merely contained the name of a trusted site such as blogger.com, so an attacker could host a PHP file on a look-alike host name and have it written into the script’s cache folder as a PHP file that the web server would then run. I’ve found it in the “IGIT Related Posts” plugin on the sites I have worked with, but it can be present in themes and other plugins. It’s not a fault in WordPress itself, but in the plugins and themes that bundle the vulnerable file.

I use the Atahualpa theme in all of the WordPress blogs that I set up, and I know that the TimThumb code is not used in that theme. I did see one site where the owner had been using the IGIT plugin, which puts a ‘related posts’ at the bottom of a post.

The first indication that the owner found was when he was getting a ‘headers already sent’ error while trying to log into the WP admin page. Here’s a list of things that I found helpful in finding and getting rid of the problem. Some of these are a bit technical, so tread carefully. And this list is not complete, as the attack is changing daily.


What to look for

1) Look for PHP warnings, especially ‘headers already sent’, when you try to reach your WordPress admin login page. That warning means something produced output before WordPress could send its HTTP headers, and stray blank lines or injected code at the top of a core file are the usual reason.

2) Do a View Source of your main/home page, and look at the end of the file, after the closing </html> tag or wherever your normal footer ends, for anything that is not yours: script tags, iframes, or blocks of links.

3) Look at the index.php file in the root of your WordPress site, and page through the entire file; a clean copy is a short file that starts with <?php on line 1. I found one with lots (2000+) of blank lines, then the viral code, then more blank lines.

4) Look at the wp-config.php and wp-settings.php files for anything out of the ordinary.

5) Look for any file called timthumb.php (it is sometimes named thumb.php) throughout your web site folders. The version is declared on a define ('VERSION', ...) line near the top of the file; anything below 2.0 predates the rewrite that closed this hole and should be removed or updated along with the theme or plugin that bundled it.

6) Scan your web site with the tool located here: http://sitecheck.sucuri.net/scanner/
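Here is a small shell script that runs the file-side checks above over a copy of the site. It is an added example for this page, not the post author's script and not anything shipped with WordPress or TimThumb. What it relies on is real (TimThumb ships as timthumb.php or thumb.php with a define ('VERSION', ...) line near the top, WordPress's root index.php begins with <?php on line 1); the site-root argument, the eval(base64_decode(...)) patterns it greps for, and the throw-away fixture directory it builds for a dry run are assumptions made for the example.

```sh
#!/bin/sh
# Added triage script for the "What to look for" checks. Example code written for this
# page, not the post author's tooling and not part of WordPress or TimThumb.
# Usage (assumption: the WordPress document root is the first argument):
#   sh wp-triage.sh /path/to/wordpress-root
# make_fixture() builds constructed sample files so the checks can be tried offline.

# 1) Every copy of timthumb.php / thumb.php, with the VERSION it declares near its top.
#    Anything below 2.0 predates the rewrite that closed the remote-fetch hole.
find_timthumb() {
  find "$1" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null |
  while IFS= read -r f; do
    ver=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$f" | head -n 1 | sed "s/.*'\([^']*\)'$/\1/")
    printf '%s\t%s\n' "${ver:-unknown}" "$f"
  done
}

# 2) Number of lines before the first "<?php" in a file. A clean WordPress index.php opens
#    with <?php on line 1; anything earlier is output sent before WordPress can set its
#    HTTP headers, which is what produces the "headers already sent" warning at login.
leading_junk() {
  awk '/^<[?]php/ { print NR - 1; found = 1; exit } END { if (!found) print NR }' "$1"
}

# 3) Non-blank content after the closing </html> tag of a saved copy of the home page
#    (e.g. curl -s http://your-site/ > home.html). Injected script/iframe/link blocks
#    usually land after the real page ends.
trailing_after_html() {
  awk '
    seen && $0 ~ /[^[:space:]]/ { print; next }
    { i = index($0, "</html>")
      if (i) { seen = 1; rest = substr($0, i + 7); if (rest ~ /[^[:space:]]/) print rest } }
  ' "$1"
}

# 4) PHP files carrying the obfuscation idiom commonly used by injected code:
#    eval() wrapped around base64_decode/gzinflate/gzuncompress/str_rot13.
suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\(' {} + 2>/dev/null || true
}

# 5) PHP files in folders that should only ever hold uploads or cached images.
#    TimThumb wrote the fetched file into its own cache folder; shells also get dropped
#    into wp-content/uploads because it is writable by the web server.
php_in_upload_dirs() {
  find "$1" -type f -name '*.php' \( -path '*/wp-content/uploads/*' -o -path '*/cache/*' \) 2>/dev/null || true
}

# Run all checks against a site root and print a short report.
triage() {
  echo "== timthumb copies (version, path)";        find_timthumb "$1"
  echo "== lines before <?php in index.php";        [ -f "$1/index.php" ] && leading_junk "$1/index.php"
  echo "== eval(base64_decode(...)) and friends";   suspicious_php "$1"
  echo "== php files in upload/cache folders";      php_in_upload_dirs "$1"
}

# Constructed fixture: a temporary directory that mimics an infected site. The file
# contents below are made up for this example and are not taken from a real site.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/igit-related-posts" "$d/wp-content/themes/sometheme" "$d/wp-content/uploads/2011"
  printf "<?php\ndefine ('VERSION', '1.33');\n" > "$d/wp-content/plugins/igit-related-posts/timthumb.php"
  printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$d/wp-content/themes/sometheme/thumb.php"
  # three blank lines, an obfuscated eval, then the normal WordPress loader
  printf '\n\n\n<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php\ndefine("WP_USE_THEMES", true);\nrequire("./wp-blog-header.php");\n' > "$d/index.php"
  printf '<?php echo 1; ?>\n' > "$d/wp-content/uploads/2011/shell.php"
  printf '<html><body>real page</body></html>\n<iframe src="http://example.invalid/x"></iframe>\n' > "$d/page.html"
  printf '%s\n' "$d"
}

# When run with a site root argument, report on that root; otherwise do nothing.
if [ -n "${1:-}" ]; then
  triage "$1"
fi
```

On the fixture, find_timthumb reports the 1.33 copy under the plugin folder and the 2.8.10 copy under the theme, leading_junk reports 3 lines of junk before <?php in index.php, suspicious_php flags index.php, php_in_upload_dirs flags the file under wp-content/uploads, and trailing_after_html prints the iframe that follows </html>. A hit from any check is a reason to look, not proof of compromise on its own; a theme's cache folder may legitimately hold only image files, and a plugin may ship a 2.x TimThumb.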


Some remediation that I have done

1) Deactivate, then delete, the “IGIT” plugin, or whichever theme or plugin bundles TimThumb. Make sure the files are really gone from the server, including any cache folder the script created.

2) Change your administrative-level passwords.

3) If you have a user called ‘admin’, change that password. Then create a new administrative-level user, log in as that new user, and delete the ‘admin’-named user (attributing its posts to the new user when WordPress asks).

4) Update all plugins.

5) Update your WordPress files to the latest version (reinstalling core replaces files such as index.php, so this may also remove the code that was added to them).

6) Consider changing the WP database user/password (this is a bit complex, because the new credentials must be changed both in MySQL and in wp-config.php, and if you do it wrong, you can break your blog).

7) Change the password for your hosting account login.

8) Change the user/password for any FTP accounts (and get rid of any extra FTP accounts you did not create).

This attack is fairly widespread; at the moment it is not damaging, but that can change. There are some other security things you can do to lock down your WordPress site, some of them more technical than others.

But, all important.