Karma for What? (Or, How Does One Sell an Engagement Ring?)

I’m sure many people can relate to the situation I was in just a few short weeks ago.  Been dating someone for years, feeling safe, comfortable, and solid in your relationship.  Get into a sort of “routine” where you do the same things daily, hanging out together, going to bed together, watching your TV shows every week.  Hell, even get a dog that you both love and take care of together.

So you do what everyone else does when the relationship is going great and you are completely in love…you go have a ring custom designed and hand made to her exact specs.  You make plans to go talk to her parents for permission to propose, and you make the final arrangements to do an amazing proposal straight out of a movie on your upcoming vacation to Cancun.

And what do you get for all that?  You get told that apparently there are some issues that are too big to resolve that have now rendered you incompatible.  You get broken up with a few days before your 29th birthday and your 2 year anniversary.  Instead of spending those 2 awesome days celebrating, you spend them alone, miserable, with a set of rings you can’t bear to look at.

There are some things that can’t be forgiven.  This is one of them.  I can’t ever look at someone again who could do this to me.

I guess there’s still a good reason I tattooed “Better Off Alone” on my arm.  That’s pretty fucking emo, but hey, it’s true.

And seeing this from my never-to-be Mother in Law to my never-to-be sister in law really twisted the knife a bit

😥

WordPress TimThumb.php Exploit is a complete Bitch to Remove!

So I hate to admit it, but most of the sites that we host were affected by what is to date the gnarliest WordPress exploit I have ever seen.  We have been harassed a few times by script douches who dick around with the most common WordPress exploits (namely, outdated versions of the software), but we just recently went through and made sure that ALL instances of WP were running current versions.  Well, out of nowhere we realize that most of our sites are redirecting to Russian spam porn URLs from search engine results.  If you go directly to the site URLs, however, they resolve fine.

Upon some investigation into the .htaccess files, it turns out there was tons of malicious code being added to control the redirects.  The first thing I thought was: easy, just remove this junk code and we’re good.  So I spend 30 minutes editing .htaccess files on all my instances, and think that the problem is solved.  I come back a few hours later to find that ALL of my changes have been overwritten, and the malicious code is back in place.  Fucking frustrating!

Now Evan and I spent hours and hours digging through blog posts and WordPress forums to find some help here.  Even our web host (hostmonster) was absolutely no help, and most of the forum posts were just people referring others back to the same typical bullshit “how to clean your hacked wordpress site” posts that share the same general logic but don’t address the specific issue here.

So, back to more and more digging.  Couldn’t find anything on the specific URL we were redirecting to.  Grepped all of our sites to find it, and it’s only mentioned in the .htaccess files.  Then, I stumble across a sliver of information that mentions the redirect is being handled by a script that may reference “Web Shell by oRb” OR a script called “FilesMan”.  I set to grepping for these references, and what do you know – we found FilesMan.  It was hidden in a php file hidden deep in a Joomla install (/modules dir if I remember correctly) and was called something like wp-12487372.php.

This little bastard had all of the code in it to handle the redirects and rewrites of EVERY .htaccess file on my server.

After finding that, we resolved the issue by deleting the file, cleaning out every .htaccess file back to its original state (backups!) and installing a WordPress plugin on every site that addresses the TimThumb.php vulnerability.  It’s called Tim Thumb Vulnerability Scanner, and I suggest you use it.  It will find any instance of the file and upgrade them to the latest versions that don’t have the exploit.  Then I started installing the Bulletproof Security WordPress Plugin that pretty much locks down your .htaccess files.  I’m determined to make sure this never happens again!

Here are some additional notes that I found from researching across the web on ways to resolve this .htaccess redirect issue:

  • These dirtbags will leave backdoors so that they can re-infect you hours after cleaning this out, in the form of the following files: _wp_cache.php, sm3.php or wp.php.  If you look at these files you'll see they start with something like this:

    <?php # Web Shell by oRb
    $auth_pass = "";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';

  • In my particular case, I had to search for “FilesMan” in order to find it.  YMMV
  • So the prudent thing to do would be to scan all .php files (or all files in general if you were really wanting to be careful) and search for something unique about this file, i.e. Windows-1251 or Web Shell by oRb, like so (rm only runs on files where grep found a match):  find . -name "*.php" -exec grep -H 'Web Shell by oRb' {} \; -exec rm {} \;
  • Use that TimThumb plugin to fix all your vulnerabilities!  OR:
  • Grab the updated timthumb: wget http://timthumb.googlecode.com/svn/trunk/timthumb.php
  • find . -name "*thumb*.php" -exec grep -H timthumb {} \; -exec cp timthumb.php {} \;
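
A report-only version of the sweep described above, as an added example that is not from the original post or from any of the tools it mentions. It assumes the injected .htaccess rules test the Referer header (the post does not show them); the sample tree, the file name wp-000.php and the host redirect.example are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: report-only sweep for the indicators described in the post.
# Nothing is deleted; review each hit before removing it.

# Marker strings quoted in the post.
MARKERS='Web Shell by oRb|FilesMan'

# Print PHP files under $1 that contain a web shell marker.
scan_webshells() {
    find "$1" -type f -name '*.php' -exec grep -lE "$MARKERS" {} + 2>/dev/null | sort
}

# Print .htaccess files under $1 with a rewrite condition on the Referer
# header (assumed form of a redirect that only fires from search results).
scan_htaccess() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -liE 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}' {} + 2>/dev/null | sort
}

# Build a small constructed web root for the demo; prints its path.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/blog" "$root/joomla/modules" "$root/clean"
    printf '%s\n' '<?php # Web Shell by oRb' "\$default_action = 'FilesMan';" \
        > "$root/joomla/modules/wp-000.php"
    printf '%s\n' '<?php echo "hello";' > "$root/clean/index.php"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]' \
        'RewriteRule .* http://redirect.example/ [R=302,L]' > "$root/blog/.htaccess"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule ^index\.php$ - [L]' \
        > "$root/clean/.htaccess"
    echo "$root"
}

# Usage: ./sweep.sh /path/to/webroot   (no argument = run on the sample tree)
target="${1:-$(make_sample_tree)}"
echo "== possible web shells =="
scan_webshells "$target"
echo "== .htaccess files with Referer-based rewrites =="
scan_htaccess "$target"
if [ $# -eq 0 ]; then rm -rf "$target"; fi
```

Legitimate rules such as hotlink protection also test the Referer header, so compare each flagged .htaccess against its backup before changing it.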

A few other resources to help in your un-hacking 🙂

http://www.hacksparrow.com/wordpress-hacked-getting-forwarded-to-distributioncorporate-ru-solution.html

http://blog.netflowdevelopments.com/2011/10/13/timthumb-exploit-causing-plethora-of-sites-to-redirect-to-russia/

WTF Apple actually has great customer support!

Since I recently reclaimed my iPod Touch from someone whose name I never want to mention again, I had to unfortunately interact with iTunes and try to use the dreadful app store.  So I plugged in my iPod and fired up iTunes in order to install the Sirius app on my iPod.  When I click “download”, I get the message that my Apple account has been deactivated.  WTF I never use the damn thing!  So I go to the Apple support page and try to reset my account.  I reset the password 14 times but still nothing seems to be working.  Finally I send an email in to Apple support:

I get the following message when trying to download apps from the app store:

Your Apple ID has been disabled.

Contact iTunes Support at http://www.apple.com/itunes/storesupport/ for assistance.

I have reset my password multiple times.

Please help!

Expecting to not hear back for a couple of days, I go on about my business.  A few hours later I receive the following message:

Dear Ian,

Welcome to iTunes Store Customer Support. My name is Tanzeem and I am glad to assist you.

I understand that you are unable to purchase from the iTunes Store as you are getting message about your account “icgrist@gmail.com” being disabled. I know how eager you are to have your account re-enabled. I will surely help you with this.

Ian, I investigated your account and found that your iTunes Store account was disabled due to a chargeback from PayPal. Those charges have been cleared, so I have reenabled your account. You should now be able to sign in to the iTunes Store using your account name and password.

If you no longer have the password for your account, you can reset it via Apple’s iForgot website:

http://iforgot.apple.com

Thank you for your understanding and for being a valued iTunes customer. We want your iTunes experience to be as enjoyable as possible.

Have a good day, Ian!

Sincerely,

Tanzeem
iTunes Store/Mac App Store Customer Support

Wow!  They actually quickly identified and fixed my issue!   I was pretty stoked at this point, and wrote back saying thanks and how much I appreciated their quick attention to my problem.  Tanzeem quickly wrote back the funniest message of all:

Greetings Ian,

It’s Tanzeem again from iTunes Store Customer Support.

Ian, I just wanted to say that you are welcome. I am glad to hear that the issue has been resolved. I know first hand, how great it feels to get what you need, and to have things run smoothly.

If you have any further questions, feel free to contact us and we will be happy to assist you.

I wish you all the best and have a wonderful day, Ian!

I found this to be pretty funny, as I really didn’t expect great customer service from Apple, especially since I’m not a hipster sitting at Starbucks writing a screenplay on my MacBook Air, but their Indian support team was surprisingly helpful.  It was great to deal with someone who “knows first hand, how great it feels to get what you need, and to have things run smoothly”.

Way to go Apple!