Christian Heilmann

Posts Tagged ‘wordpress’

H4xx0r3d! – how I found out that I am running a spam blog

Wednesday, March 3rd, 2010

Yesterday, actually ten minutes before I had to leave for Kilburn to give my talk at ignite I had a shocking moment. I found in one of the sub-folders of my vast server a blog that offers cheap OEM software:

Phantom OEM blog on my server

All of these links sooner or later redirect to which is owned by someone in Russia and hosted by GoDaddy.

Don’t make folders writable to the world

What happened is that I had a very old guestbook script I had written once still running in this folder. The trick back then (and advocated by a lot of PHP tutorials as it is much easier that way) was to chmod a folder to 777 (read/write/execute permission for all) to store flat files in it. That was good enough for me back then (around 2000) and guess what? It was good enough for the spammers to store their blog.

Static page generation – in bulk

The blog was set up quite craftily in terms of SEO: Search Engines love static pages, so instead of accessing a DB - which wasn’t compromised – they simply created static pages for all the search queries that came in. After all this is about showing links and Google juice, not about delivering content. In the end, I found that I had 23487 HTML files advertising spam. Thank god for SSH access as this would have taken some time to delete over SFTP.

I investigated last night and I am happy to say that this is all that happened. If I found a folder to store whatever I pleased into I’d have also tried to read other files, including the wp_config.php for example.

Google Reader as a whistle blower

The interesting part about this is how I came to find out about it: Google Reader. I have a Google blog search RSS feed in my reader that notifies me every time someone links to – I found this much more useful than trackbacks which seem only to be used by spammers these days anyways:

In this feed I got a lot of posts from

lots of weird links back to my blog in Google Reader

I thought at first that this is because of – after all it is timely for that. When I looked at the source code of this site, however, I found that just before the closing BODY tag spammers had injected links to different sites advertising OEM software:

width:100%; height:20px; z-index:1; visibility: hidden”>
[... lots of links interspersed with random HTML …]

At first I sniggered about them linking to a folder on my site I know that doesn’t exist but when I clicked the link and found the blog my smile vanished quickly.

See the whole stuff on pastebin – as you can see, all in all eight sites were attacked the same way.

What I find curious is that the links on vancouverisawesome are hidden and seem to still be indexed by Google – I remember being almost kicked out of AdSense once for absolutely positioning ads. Also, the links might be on the top of the screen but in the document are way down the tree, and vancouverisawesome is quite packed with links already.

I’ve cleaned up my server and I have contacted the maintainers of the other seven sites (and got a lot of “thank you” for that). I also contacted vancouverisawesome about them having spam links in the bottom. This is a pretty common attack (we had it on, too) targeted at WordPress installs.

How to avoid all this (and how to detect it)

So in order to make sure that this doesn’t happen to you:

  • Do not leave folders writable to the world – if a piece of software tells you that you need to do this tell them to change it – it is inviting spammers like a dog turd invites flies.
  • Do monitor your incoming links – if I hadn’t had the blog search RSS feed running I probably wouldn’t have found the blog until it really showed up in my traffic stats.
  • Always upgrade your WordPress install – this is automated now and takes a second – there is no excuse not to.
  • Redirect or – in the most extreme case – delete old things on your server that you don’t maintain any longer.

TTMMHTM: Hardening WordPress, hard research in space, Pacman text adventure and AOL accessibility competition

Monday, January 26th, 2009

Things that made me happy this morning (already adjusting my time to India, where I am flying tomorrow):

We’re looking for ideas for applications to assist computer and Internet users with disabilities – and we’re going to build them through the competitions of the 2009 TopCoder Open.
Now, we’ve extended the Sensations Developer Challenge Idea Generation contest for two more days, and we’ve thrown some bonus prizes into the mix!
In case three trips to the TCO in Las Vegas and $7,500 in prizes wasn’t enough, AOL will be giving an iPod Touch to five submitters to this contest, selected at random after the new deadline Tuesday, January 27th at 2pm ET.

WordPress Plugin to add Yahoo Keywords to your posts

Friday, November 14th, 2008

Continuing my playing around with Yahoo BOSS, I’ve put together a quick WordPress plugin to add keywords to any of your blog posts.

Simply Download the plugin unpack it to your plugin directory and activate it.

Once activated you can use two commands in your blog posts:

[ yahookeywords:parisweb]

This will be replaced by a list of keywords – an HTML list of 10 terms with a CSS class called “yahoo-keywords”.

[ yahootags:parisweb]

This will be replaced by the same list, but each of the terms will be linked as a tag back to your blog.

Live examples:


SlideShare List WordPress Plug-In

Monday, June 30th, 2008

I wanted to give a list of all my presentations on SlideShare right here on the blog and started playing with the SlideShare API in earnest. As I failed in just including my results in the blog, I wrapped them in a WordPress plug-in in case you also feel like listing your SlideShare achievements.

You can see the plugin in action on the presentations page and here’s a screenshot:

screenshot of my list of presentations created with the slidesharelist plugin for wordpress

Notice that I am offering a link to Easy SlideShare as an option so that blind users can only go to the transcript instead of having to try to understand the Flash embed. The API actually has a transcript element, but there is no content in there right now. Would be cool to see it enabled :)

Update: The Plugin now also allows you to copy and paste the “WordPress” code from SlideShare into any WordPress blog running this plug-in.

Simply copy and paste the wordpress code provided by slideshare into any blog post running this plugin to have a fancy display

This screenshot shows what the inital state of a post (with some CSS) looks like:

screenshot of a SlideShare presentation shown with this plugin (closed state)

When you click the “here and now” link you get the “normal” SlideShare experience:

screenshot of a SlideShare presentation shown with this plugin (display state)

The plug-in is open source, BSD licensed and if you want to use it you need to get a developer key from SlideShare

Once you have those, simply change the variables in the slidesharelist-config.php file accordingly. Say SlideShare gave you a key of “minor” and a secret of “I really like Weird Al Yankovic” then you’ll have to change:

$key = ‘YOUR KEY’;
$secret = ‘YOUR SECRET’;
$apiurl = ‘’;

to the following:

$key = ‘minor’;
$secret = ‘I really like Weird Al Yankovic’;
$apiurl = ‘’;

That’s all you need to do, simply FTP the whole folder over to your plugin directory of WordPress and activate the plugin inside WordPress.

All you need to display your list of presentations in a blog post or page is to add the following:


For example the following would show my latest 5 slides:


The other option you have is to copy and paste a single presentation into the blog post. You can either use the following syntax:


An example would be my “Creating Happy Little Web Sites” presentation:


Alternatively you can use the copy and paste code slideshare offers you for blogs hosted on slideshare from the SlideShare presentation page itself. For example my presentation “Yahoo is Open for Developers” from the Ankara Open Source event:

[*slideshare id=477388&doc=opensourceankara-1213971414957829-9&w=425]

This is taken from:

New in 1.10:

As requested in the comments below, you can now also list slideshows for tags and groups. The syntax is the following:


For example:


And if you want to see slides for a certain tag:


For example:


wp-super-cache cached too far for me (and others)

Thursday, November 8th, 2007

Having just upgraded this wordpress to the new one I wanted to have the whole goodness and installed wp-cache to have static pages of my posts. However it seems that the newly released wp-super-cache plugin for WordPress had some nasty vulnerabilities.

The first to report that to me was Chris Messina on twitter followed by Stefanie Sullivan reporting about Tiffany Brown having the same issues. Checking the folders created I found the same two injection attempts Tiffany mentioned. The caching allowed code injected as txt urls via “i” or “s” parameters to be executed.

In my case I found that half my server was mirrored into the supercache folder in the plugin’s cache folder. Not good.

I was happy to see that my etc folder and other more interesting bits were not reached yet before I deactivated the plugin. Right now I am playing grepmaster to see if there are some injections left. My action: deactived and deleted all caching plugins and their cache folders (best via SSH as FTP is a PITA with so many files).