Archive | August, 2011

My site got hacked. And it was kinda fun.

Programmpower.ru said: FU

I recently got a direct message on twitter from the fantastic Karen Lopez (b|t), who let me know my blog was redirecting to another site — a site called ‘programmpower.ru’.

I don’t know about you, but there’s something strange and just icky about that URL.

Karen is super savvy, so she let me know right off that she was only seeing this when using Firefox when she didn’t specify the www. So while ‘http://littlekendra.com’ was up to no good in Firefox, ‘http://www.littlekendra.com’ was standing strong, and other browsers weren’t having the issue.

Where do you start?

It’s been a while since I’ve worked with stuff like this, but it was a fun challenge.

The first thing I wanted to verify was whether or not people were getting to my site at all when the issue occurred. Were they actually getting to http://www.littlekendra.com and then being redirected afterward? Or were they not even getting there?

This was probably my first question because I know from experience that it’s very easy to answer.

I decided to crack open Fiddler, my favorite old http debugging proxy. “Http debugging proxy” may sound pretty fancy, but this is really just a simple, friendly little tool you can open up which will show you everything your internet browser is hitting.

Then I realized that Fiddler only runs on Windows. I was sad, but this is clearly the very definition of a first world problem (nerd edition). A little searching and I found a Firefox add-in called TamperData that’s quick, free, easy, and did the trick on my Mac.

TamperData said: you’re getting to www.littlekendra.com before you get redirected off to the land of evil.

Oh my. I’ve been hacked.

Maybe I’m getting older and wiser. Maybe once you break something enough times you just stop getting upset. (My description of someone who’s an MCM is “someone who’s gotten into trouble, and then had to fix it. A lot.”) But I didn’t really mind.

These things happen— if you have a website long enough, it’ll probably get hacked. And these things are usually pretty easy to fix with a little searching.

Is it JavaScript?

If the issue was happening after reaching my site and only with one browser, I thought perhaps there was some JavaScript being executed that was only impacting Firefox. Well, that’s easy to check too– just disable JavaScript in Firefox and see if you can reproduce the issue. Thanks, Rob Farley! (b|t)

I did that, and the issue still happened.

I guess it’s time to ask the internet…

Sure enough, I did a little more searching and I found that I was very likely the victim of an .htaccess hack.

This is a very powerful little file that you can do all sorts of tricks with. And people can play tricks on you with it. The most common hack is to add a bunch of spaces after what looks like the end of the file, and then to put in a bunch of code that redirects traffic— down where you’ll never think to look. Oh, how devious.

But how did it get there?

Before I fixed the issue fully, I wanted to try to make it difficult for it to happen again. It wasn’t a super-emergency (there aren’t THAT MANY of you reading this live– I know you love your RSS feeds), so I spent a little time looking at fixing the root cause before the issue itself. Normally I’d do the opposite order in a production environment, but it’s my own website so I do what I want!

I checked with my theme provider, and sure enough there’s a recent fix for a vulnerability that can allow this kind of hack to happen– the Woo Themes Timthumb bugfix. In no time at all I got my site updated by following the guide to update the Woo Framework and my theme.

How do you confirm if it’s a .htaccess hack?

You need to take a look at your .htaccess file. You can’t look at this through the WordPress UI in a web browser; you need to either log onto the host (if you’re running your own), or just connect via the magic of FTP.

I fired up my trusty FireFTP add-on, and got to the difficult task of remembering my user name and password for FTP access. This was easily the hardest part of the fix.

After you connect with FTP, save yourself a little frustration by enabling your FTP program to show hidden files. In FireFTP this is under Tools/Options on the General tab.

Then head on down to the root of your website. This can be configured in different ways, but it may be at web/content. Just cruise on around until you find a .htaccess file, which will probably appear to be grayed out because it’s a hidden file.

FTP that file down to a place on your local system and open it to give it a look. Don’t forget that hacks of this file normally put in a bunch of white space, making it look like the file is normal— scroll down to the end of the file. If this is your issue, you should see a bunch of redirects down there.
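Scrolling to the end works, but a small script can do the same check without missing anything. This is an added example, not code from the original post: it scans a downloaded .htaccess for the two signatures described above (content hidden behind a long run of blank lines, and rewrite or redirect directives that point at an absolute external URL) and runs against a constructed sample file, with a placeholder domain in place of any real one.

```python
import re

# Directives that can send a visitor to another site.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|RewriteCond|Redirect(Match|Permanent|Temp)?)\b", re.IGNORECASE)
EXTERNAL_URL = re.compile(r"https?://", re.IGNORECASE)

def scan_htaccess(content, min_gap=20):
    """Return a report dict for one .htaccess text.

    'hidden'   : (line_no, text) for non-blank lines that follow a run of at
                 least `min_gap` blank lines, i.e. content padded out of sight.
    'external' : (line_no, text) for redirect/rewrite directives pointing at
                 an absolute http(s) URL, wherever they sit in the file.
    'max_gap'  : longest run of consecutive blank lines seen.
    """
    hidden, external = [], []
    blank_run = max_gap = 0
    past_gap = False
    for lineno, line in enumerate(content.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            max_gap = max(max_gap, blank_run)
            if blank_run >= min_gap:
                past_gap = True
            continue
        blank_run = 0
        text = line.strip()
        if past_gap:
            hidden.append((lineno, text))
        if REDIRECT_DIRECTIVE.match(line) and EXTERNAL_URL.search(line):
            external.append((lineno, text))
    return {"hidden": hidden, "external": external, "max_gap": max_gap}

# Constructed sample (not the author's real file): a stock WordPress block,
# 150 blank lines of padding, then a conditional redirect for one browser.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\n"
    "RewriteRule . /index.php [L]\n"
    "</IfModule>\n"
    "# END WordPress\n"
    + "\n" * 150
    + "RewriteCond %{HTTP_USER_AGENT} Firefox [NC]\n"
    "RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=302,L]\n"
)

if __name__ == "__main__":
    report = scan_htaccess(SAMPLE_HTACCESS)
    print("longest blank run:", report["max_gap"])
    for lineno, text in report["hidden"]:
        print(f"hidden line {lineno}: {text}")
    for lineno, text in report["external"]:
        print(f"external redirect line {lineno}: {text}")
```

Point it at the file you pulled down over FTP (read it with `open(path).read()`) and anything reported under "hidden" or "external" is what to compare against your saved backup copy.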

How’d I fix it?

First, I saved a copy of the file under a different name. Any time you make a change like this, you want to keep a copy if you can just in case things go from bad to worse.

Then I cleared out all the evil redirecty code and saved the file on my local machine.

I then overwrote the file in my root directory with the modified copy.

Presto-chango— after clearing the cache in Firefox, I could no longer reproduce the issue. The whole thing took less time than it took to write this blog post. And strangely, it really was kinda fun!

Don’t forget to back that up

Now’s a good time to export all your WordPress content (Tools -> Export), dontcha think? I think I’ll go change some passwords for fun, too.

Update

It looks like I missed a step! Here’s a handy WordPress.org FAQ: My Site Was Hacked. There’s a sequence you should follow in your cleanup:

  • Change your passwords;
  • Regenerate WordPress keys and update them in your wp-config.php file (details on how to do this in the FAQ linked above);
  • Then change your passwords again.

I’m not sure that this has resolved my problem completely. I’m considering planning a time to reinstall cleanly. Since I have everything exported, I have the luxury of waiting a bit to see.

SQLPASS Summit 2011: Meet New People

I’m really excited: I’m on the Orientation Committee for the SQL PASS Summit 2011. This means I have a group of eight people who I can help make the most of the SQL PASS Summit this year.

It's OK to be yourself. Even if you're this guy.

Want to meet new people?

If you’re returning to the SQL PASS Summit and would like to volunteer, send an email to OC_DL@sqlpass.org.

If you’re new to the SQL PASS Summit and you’d like a jump start on learning how to make the most of the conference and an opportunity to meet new people right away, drop a line to newcomer@sqlpass.org.

Know what? If it’s your second or third Summit, but you’ve mostly stuck to just going to sessions and you’re not sure how to branch out and meet new people— go ahead and email newcomer@sqlpass.org. This is all about helping people make the most of the conference, it’s not just helping people find the convention center.

How can you support the orientation committee?

If you don’t have time to volunteer, you can still help out. Share a story with me about how you found ways to break the ice and meet new people.

I’m going to do an online edition of orientation

I plan to blog here and follow along with the process. I won’t include every communication I send to my orientation team, but I’ll blog about what topics we’re talking about, what tools are available, and options for getting in on cool events.

In the spirit of getting started, here’s the first email I sent out to my team:

Hello!

I’m emailing you because you’re attending the SQL PASS Summit this year (hooray!) and you signed up for orientation for first-time attendees.

At least, I think you signed up. If there’s been some sort of confusion and you’re not interested in getting oriented for whatever reason (anything from “I meant to register for a sock convention” to “I just thought there’d be free food, I don’t want to read email*”), just let me know and I can unsubscribe you from my newsletter. No worries at all.

A Bit About Me

I’m Kendra Little and this will be my third SQL PASS Summit. I lived in Seattle for five years, so I mostly know my way around town– although I usually check a map to keep from getting lost. I’m a Microsoft Certified Master in SQL Server, a DBA and database developer of many years, a giant rabbit owner, and I love to draw. I’ll be a presenter at this year’s Summit (yahoo, Community Choice!) and I’ll also be attending sessions, catching up with old friends, and meeting new people. It’s going to be a really great time: it always is.

How can you get started?

You’ve done the perfect thing right off by joining orientation— this is a great way to start breaking the ice and meeting new people at the conference. Even if you already know lots of people in the SQL Server community, meeting new people can’t be beat. Great conversations make the best memories, and they also can produce the biggest results back at work.

Here’s what you can do now…

1) Respond and let me know if it’s OK to share your name and email address with this group. There are eight of you and one of me, so it’s a small group, but don’t feel pressured if you want to keep your info on the BCC. I’m not here to judge.

2) Send a quick biography for yourself. This doesn’t have to be anything fancy– just a couple of lines about what you’re looking forward to and where you’re from. You can include whether or not you’ve been to Seattle before. Bonus point: if it’s OK to share this with the group, let me know— that’d be fantastic.

3) Check out my Seattle 101 information to help with any questions about how to get downtown from the airport, where to get coffee, or good places to eat.

4) Send me any questions you have about the Summit, burning or otherwise. I should be able to either answer your question or help you find someone who can.

What can we do before the Summit?

My goal is to help answer your questions and help you plan your Summit experience. I’ll provide links and information to Summit events and planning tools and share which have been helpful for me.

Once we’re at the Summit, you can always come to me to help you figure something out. I’d also love to hear how your experience is going while you’re there.

Don’t have time to respond?

It’s OK. We’re all busy. I’ll be sending mails out prior to the conference and blogging and tweeting. Feel free to play along at home at whatever rate makes sense to you— you’re welcome at orientation even if you don’t have time to get connected before the conference.

Kendra

* There may or may not be free food– we’re going to have to wait and see. I *can* tell you how to score an upgraded breakfast, if nothing else.


Free Webcast on SQL Server Isolation Levels: (NOLOCK) or YESFUN?

Tomorrow evening I will be presenting for the SQL PASS Application Development chapter. Stop by and say hello!

(NOLOCK) or YESFUN? The Right Approach to Transaction Isolation

Tuesday, Aug 9, 2011
8:00 PM Eastern / 7 PM Central / 5 PM Pacific

NOLOCK or YESFUN?

AppDev Virtual Chapter
Attendee URL: LiveMeeting Link

Understanding transaction isolation is critical if you want to write highly concurrent software, administer databases like a pro, and impress your neighbors. We’ll discuss the benefits and problems of each isolation level in SQL Server. We’ll talk about practical changes you can make to provide the right level of concurrency for your users. We’ll focus on how to identify applications which are good candidates for optimistic locking, and how to plan, execute, and monitor changes in your default isolation level. A poster will be available for download to keep your knowledge fresh after the session.
