Why I risked breaking the blog: because WordPress blogs are getting hacked

So, OK, I’ve updated the blog (after lots of procrastination and hesitation, after checking it would work on a local copy of the latest WordPress – thanks, MySQL+Apache+PHP on the Powerbook).

Why? Because there are rip-roaring security holes in older versions of WordPress. And because the spam (and other) hackers are getting really busy.

For instance, after updating, I came across a posting by Matt Mullenweg, linked from the WordPress dashboard (the panel in your blog’s admin area that shows you what’s going on in your blog, and carries select bits of news from blogs relevant to WP).

Basically, he’d noticed people’s blogs had been invisibly hacked, so that the text wouldn’t show up when you looked at the site, but through the magic of CSS, would to Google. And of course to your newsreader: the invisibly hacked, spam-laden text would count, as far as your web server is concerned, as an “update”, and so would refresh in your newsreader. When that happens, it’s a good sign that the blog you’re looking at has been hacked.
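One way to check your own posts for the trick described above, as an added example that is not part of the original post: a small scanner that walks post HTML and reports any links sitting inside an element hidden by inline CSS (the sample post below is constructed, and the style patterns it looks for are an assumption about common hiding techniques, not a complete list).

```python
"""Report links hidden from readers by inline CSS in a post's HTML."""
from html.parser import HTMLParser
import re

# Inline styles commonly used to hide text from readers but not crawlers (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px|font-size\s*:\s*0",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed, so not tracked


class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of links that have at least one CSS-hidden ancestor (or are hidden themselves)."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: did it open a hidden region?
        self.hidden_depth = 0    # number of hidden elements currently open
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1
        if tag == "a" and self.hidden_depth:
            self.hidden_links.append(attrs.get("href") or "")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1


def find_hidden_links(html: str) -> list:
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links


# Constructed sample: a normal post body with an injected hidden spam block appended.
SAMPLE_POST = """<p>Updated the blog last night; see the <a href="/about">about page</a>.</p>
<div style="display:none"><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/casino">casino</a></div>
<span style="position:absolute; left:-9999px"><a href="http://spam.example/loans">loans</a></span>"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE_POST):
        print("hidden link:", href)
```

Run it over each post’s content column from the database, or over the rendered page; a hit on a post you never wrote that way is the same signal as the unexpected feed refresh.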

And that’s not the end of it. As my web admin pointed out, there are people out there who’d like to get control of the whole shebang. So they attack the comments section using SQL injection, trying to post stuff like .. some stuff I’ve just deleted so I can post this.

Here’s what the exploit code would have done. First it turns off or deletes the server’s shell history file (so the intrusion won’t show); changes to the temp directory; creates a directory in it; changes into that newly-created directory; then tries to download phpMyAdmin, which lets you control databases remotely; then makes that executable by the web server.

In other words: via a comment posting, take over your web server, and install or change anything they want. (The attempt came from 72.51.42.84, which is operated by some bunch of jokers called Serverbeach in Texas – though presumably it’s a bot there.) Happily, my webhost’s security was more than equal to the task of spotting it, but having holes of any sort is something you don’t really want.

Which is why I risked breaking the blog. Have you?

4 Comments

  1. Why, no: that’s why I run MT, which breaks it for me…

    But that is a horrifying story. I have noticed an uptick in spam recently, both to the blog, and in the trail of angry bounce messages to addresses like xrcrfxyy/ at / thewormbook/ dot /com: there seem to be at least fifty attempts to spam helmintholog every day. It looks as if the domain has got onto the books of some botnet controller. Still, I doubt that MT is vulnerable in quite the same way as a completely PHP-based system like WordPress.

  2. > “the text wouldn’t show up when you looked at the site, but through the magic of CSS, would to Google”

    Technically (and I’m being really fricking nitpicky here), it’s the other way around. The magic of CSS makes the text disappear in the browser, but Google still sees it as it knows nothing of CSS. (Although I believe Google has said it may look at CSS-based tricks like this, and possibly penalise relevance accordingly.)

  3. I know I don’t want to hear the answer – but what about fee systems like blogger?

  4. The Horror, nowadays double (feed/source) checks are NECESSARY. [edited for URL, spelling and sense – CA]