Multi-day site outage: back on line again
The power supply in my web server failed last week. The old chassis was a "compact" Antec case with a specialized power supply that I couldn't find a replacement for.…
Blogging about blogging
It’s full of post_content…
My site has been plagued by odd characters in some of my old posts for a rather long time. The most common is the seemingly random appearance of  characters in the midst of some of my posts.
I know the basic cause: one of my WordPress / MySQL updates in ancient times (circa 2008) ended up producing a character set mismatch. I long ago fixed the cause, but all the existing bad characters persisted. Until today… I hope
Stupid spam robots…
You may notice that the “furballs coughed up… #### today alone!” number in the header of this blog seems oddly inflated. Your observation would be correct: I suspect no more than a couple hundred humans visit this site in a given day. However, the spam robots visit in vast, unending waves.
Server OS Upgrade
I shut down the site over the weekend and upgraded / migrated to a new server operating system. Kelly’s World was running on Mandriva 2008.1 prior to today. As of now, the site is live on a Fedora 16 server. My main reason for performing the migration was to get an OS in place that could be updated more consistently.
A million visitors in 8 years
I looked at the banner of my site today and see that Kelly’s World has broken the 1 million hits mark. Whoopee, and so forth.
I would like to imagine that this number represents some count of real people visiting, but the reality is less pleasant. I’d guesstimate that about 99% of the visits to my site are some combination of spambots and web crawling robots. For those of you reading this who can comprehend what I’m saying: thanks for being a real human being taking an interest in something I have to say.
Getting tough on spam users…
I run a simple little blog here. I don’t make any money off of my site even, although I’m not adverse to doing so as long as it isn’t obtrusive. I don’t sell anything, nor do accept submissions other than comments. The posts here are my own: they aren’t scraped, syndicated from, or re-posted from anywhere else. Mostly, this site is a vanity site, like a billion others on the Internet.
Despite the complete lack of commercial value to my site, it gets spammed. Comment spam was a problem a few years ago, and I’ve managed that via Akismet and Bad Behavior plugins for WordPress. There are still about about 100 spam comments a day hitting my site, but only one or two make it through my watchdogs. Lately, however, there has been a new irritant: spam users.
Site updates in progress…
UPDATE: I’ve completed the WordPress upgrades, including an update to the site theme and correction of a problem with my “Archives” page. I’m expecting to find some problems over the course of the next day or two but, for now at least, it appears that the basics are all working
Hooking Facebook into my Blog
I’ve been using Facebook (or “Bookface”, as my nephew Shane calls it) fairly regularly lately. Today I decided to see what could be done to integrate my blog and Facebook a bit. I read the “how to” guide by Thiemo Fetzer, and now I have Yet Another WordPress Widget in the left nav of my site.
Nothing has changed for “normal” users of my site. For folks who regularly use Facebook, however, you now have an option. You can click on the “Login using Facebook” option, and your authentication will be handled via Facebook (i.e.: you log in using your Facebook credentials). KellysWorldBlog will be added to your application list once you’ve logged in once. Assuming I understand the application correctly, you won’t automatically receive anything from my site simply by using your Facebook login. I (or any visitor) can, however, click the “facebook share” icon to share individual blog posts on my wall.
What benefits does this give? Well, I guess you don’t need to remember your ID on my blog any more, and your Facebook icon will now appear next to the comments you post. But the main thing this does is allow for easy sharing of my blog posts with your friends.
Problems with my blog… blank gallery (photo) pages
I was doing some work on my server today and noticed some errors in my logs of the following form: Feb 23 16:04:45 kgadams httpd: PHP Fatal error: Call to…
WordPress SQL injection hack: watch for=> %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
If you are running a WordPress based blog like I am and suddenly notice your post URLs have something “extra” appended (see the subject line), your blog has been hacked.
You can read more about it here (thanks, UCLABoyz, thanks schang!), where you will also find guidance regarding cleaning the problem up. Unfortunately, it appears that the hack works on all versions of WordPress up to and including the most recent.
I have BadBehavior installed on my blog, and so it was rejecting the URLs with this addition which I *think* would be thwarting the hackers involved: they hadn’t been able to create an administrative user. Unfortunately, it also meant none of my blog posts were working properly until I noticed the problem and corrected it.
Hopefully WordPress will issue a fix for this soon- in the mean time, keep an eye on your URLs, WordPress bloggers!
UPDATE: Another link to a lengthy thread regarding this hack on the WordPress.org site. What is interesting here is the apparent vector: a weakness in the WordPress code, apparently up to and including the most recent release, that permits an ordinary subscriber (i.e.: not an administrative user) to run some administrator features e.g.: changing the permalinks.
UPDATE #2: it appears that updating to the most recent version of WordPress (2.8.4) removes the “double slash” vector for running some admin commands (notably permalink.php). This fix was apparently added somewhere between WordPress version 2.8 and 2.8.4.
I’ve included some extracts from my server logs and further thoughts below…