Hacked by keymachine.de

April 2nd, 2008 6:15pm

I just noticed that my Wordpress installation got hacked by a search engine spam injection attack sometime in the past few weeks. This particular one inserts invisible text with lots of keywords in footer.php. The changes to the file were made using the built-in theme editor, originating from ns.km20725.keymachine.de, which is currently at 84.19.188.144. The spam campaign automatically updates the spam payload every day or so. The links point to a variety of servers that have also been hacked to host the spam content. Here is a sample: http://www.nanosolar.com/feb3/talk.php?28/82138131762.html
I’ve sent an e-mail to Nanosolar, so they’ll probably have that content cleaned up before long. But the automated SEO spam campaign updates the keyword and link payload regularly, so any affected Wordpress sites will be updated to point at the new hosting victims.

Future of Web Apps workshop

February 9th, 2006 8:01pm


I had been trying to arrange my schedule to get to the Future of Web Apps workshop this week in London, but sadly things didn’t work out. Actually, I didn’t even manage to get to last night’s SearchSIG to see edgeio’s first public demo here in the Bay Area, so perhaps it’s not surprising I couldn’t get a trip to the UK sorted out.

The good news is, there’s a conference wiki with lots of presentation notes, including comments on del.icio.us, discussions on how Flickr evolved, some thoughts on approaches to building discoverable URLs for data, the merits of Ruby on Rails, and a detailed discussion on the implementation approach and specific costs for the DropSend service.

Reverse engineering a referer spam campaign

February 4th, 2006 4:28pm

It looks like someone’s launched a new referrer spam campaign today; there’s a huge uptick in traffic here. The incoming requests are from all over the internet, presumably from a botnet of hijacked PCs, but it looks like all of the links point to a class C network at 85.255.114 somewhere in the Ukraine.

It’s interesting to think a little about link spam campaigns and what opportunity the operators hope to exploit. Two major types of link spam on blogs are comment spam and referrer spam. My perception is that comment spam is more common. Most blogs now wrap outgoing links in reader comments with “rel=nofollow” to prevent comments links from increasing Google rank for the linked items, but the links are still there for people to click on.

VoicePulse - how not to implement a customer feature transition

January 12th, 2006 4:41pm


I just got off the phone with VoicePulse, my current VOIP service provider. They are demonstrating how not to manage a web service feature transition today, by both turning away new customers and annoying their existing ones.

I’ve been relatively happy with VoicePulse, having signed up with them a few months ago for commercial US PSTN access. The voice quality and stability has been OK, and they also offer IAX access which I was thinking about using for future integration with our Asterisk implementation.

All day today I’ve been trying to add a new device and a new number to my existing account. The sign up process requires entering the serial number and MAC address from the VOIP adapter (in this case, a SPA-2002 I picked up a few days ago), selecting a telephone number, and providing contact and billing information. I noticed that since I signed up for my account a few months ago they’ve started collecting E911 contact information, and added some verbiage explaining the limitations of VOIP’s 911 service (i.e. they don’t really have any idea at all where you are).

Random Dreamhost issues

December 20th, 2005 4:15pm

In case you were wondering where the site went, the past 24 hours or so has been a day of random issues with Dreamhost.

Yesterday afternoon they were having connectivity problems, which took all their customers offline for a few hours.

This morning, I discovered that this site was running, but all Dreamhost sites were unreachable via SBC/PacBell here in the Bay Area. From the logs it looks like Comcast and a variety of overseas networks were still able to connect. The Google proxy hack mentioned this morning on O’Reilly provided another quick path for looking at the web site from a different network to verify that connectivity was still working, at least from the Google data center.

A couple of hours ago I got what I thought was a response to my e-mail regarding the network connectivity problem, but which turned out to be one of the CPU utilization warning letters that have been going out lately:

Local Tag Cosmos

November 25th, 2005 11:40am

I’ve added a local tag cosmos, which shows a tag cloud for posts on this site. Unfortunately, I’m also using tags and bookmarks scattered across del.icio.us, Flickr, Technorati, and other services, which aren’t integrated into the cloud, but this provides a different view of what’s been posted here since I’ve started tagging things.

I’m still evolving my personal use of tags. You can see that I’ve started tagging some posts with “web2.0“, although I’ve been reluctant to turn it into a site category. I don’t like the label, but I recognize that it’s the most popular tag for a lot of “new” stuff at the moment. So exposing the tag makes it more findable.

Mod_rewrite for moving web content to a new domain

November 10th, 2005 2:29pm

I just wasted 10 minutes getting this to work correctly, so I thought I’d write it down…

Here’s what you need to use mod_rewrite to implement a permanent 301 Moved HTTP response when you move a web site from a subdirectory on one domain to a new top level domain.

(Assuming you’re on a hosted service, and can use .htaccess):

RewriteEngine on
RewriteBase /
RewriteRule ^olddir/?(.*)$ http://new-domain.com/$1  [R=permanent,L]

where the old content was originally in a subdirectory called “olddir” and is getting moved to a new directory on a different server.

This allows you to move the content to a new, separate domain and/or server without breaking your existing links.

link: more on .htaccess and mod_rewrite in the Apache documentation

Dreamhost load average = 1004.16?

November 2nd, 2005 1:06pm

You may have noticed that this site has been slow at times lately.

It’s currently running on a shared hosting account at Dreamhost. Most of the time the load average is pretty reasonable, around 2 to 6, but in the past week or so I’ve seen it spike above 50 or even 100 a few times.

This morning I’m seeing the highest load average yet, and the site is effectively offline for the moment. The server is still keeping the connections open, but nothing is actually coming back.

[lira]$ uptime
11:21:52 up 19 days, 22:25, 10 users, load average: 583.32, 695.46, 271.13
[lira]$ uptime
11:22:53 up 19 days, 22:26, 9 users, load average: 1004.16, 957.32, 387.55

I’m not sure if this is related to recent software upgrades on their end or if there’s a new customer on this server with an application that’s behaving badly.

…30 minutes later…

Looks like they’ve rebooted the server. Still not looking too happy though.

12:02:05 up 12 min, 5 users, load average: 155.32, 66.01, 29.54

Web Two Point Oh

October 27th, 2005 1:02pm

Andrew Wooldridge has built a web application which will instantly generate a web2.0 buzzword-compliant startup name and concept.

Web Two Point Oh!
Create your own Web 2.0 Company

Below you will find a pre-created VC friendly Web 2.0 company just for you!

Hit reload to create another potential million dollar idea

Some of the candidates I got were:

  • Rieeent - rss-based dating via ajax
  • Riink - rss-based blogs via Ruby on Rails
  • zVonowy - community apps via microformats
  • Tripkoent - greasemonkey extension for photos via bittorrent
  • Tripya - social news on the desktop
  • Yahonomodoo - web-based search engine via api mashups
  • Tripelihub - social apps via microformats

Just to be safe, he adds an editorial footnote:

Note: this is just a little programmatic satire. Any semblance to an actual company is purely accidental and not intentional! It’s supposed to be funny :)

Before too long, someone may start to automatically generate examples of these on Ning or something along those lines…

The Home Pages of this New Era

October 23rd, 2005 10:15pm

Pithy comments in Charlie O’Donnell’s post I’m off eHubwatch! and a followup:

“I think the web-based features that are appearing all over the place will be the home pages of this new era — many will be abandoned by their developers and left to die a slow death once the developers realize that they don’t have many long-term users. And others will be cultivated and slowly grow into businesses. In that respect, I think Ning is the new GeoCities.” - Scott Moody

“…that sounds right on. And it looks like Squidoo will be the new About. This whole web 2.0 thing is getting pretty retro….” - Pete Cashmore

There has always been a place for speculative ideas and proposals. The difference is that now, many of the ideas can be tried out with relatively little time and money, specifically, those that relate to consumer-ish web services. These can achieve the appearance of depth and capabilities that they may not actually have yet, or ever, though…

October 2005 Search Referrals

October 22nd, 2005 2:52pm

Jeremy Zawodny posted a summary of his October search referral statistics, and I thought I’d take a quick look at mine.


Nearly all of the search referrals here come through Google. I also have a relatively large number of “Other”, some of which (I think) are various Chinese search engines.

Jeremy says:

The gap between Google and Yahoo! is hard to interpret, since it doesn’t come close to matching the publicly available market share numbers. The same is true of the numbers for MSN and AOL. They should be higher.

There are two ways I can think to explain this:

1. People who use Google are more likely to be searching for content that’s on my site.
2. The market share numbers are wrong. Google actually generates more traffic than has been reported and MSN and AOL have been over-estimated.

Site Update - October 2005

October 20th, 2005 9:10pm

For some time, I’ve been wanting to update the site layout and generally clean things up.

This evening I’m trying out a new 3-column layout, which should behave better on 800×600 and 1024×768 displays, and moves more information to the top of the page.

If you’re like me and usually read through an aggregator, please click through and let me know what you think, and particularly if you’re having problems. It seems to work on IE6 and Firefox.

There’s still a fair number of loose ends, but I should be able to deal with them incrementally for a while.


Temporary Fix for Referrer Spam

October 12th, 2005 10:59pm

I have a temporary fix for blocking the referrer spam that started a couple of weeks ago. The volume of referrer spam here has steadily been increasing since then, and the number of source IP addresses is also continuing to expand.

The main problem I’m having is that the conditional rewrite rules I want to use in .htaccess don’t seem to be working on my current Wordpress setup at Dreamhost. Regular rewrites seem to work fine, but none of the conditional ones are working for me. The initial IP blocklists stopped most of it for a few days, but new spam IP addresses are appearing more quickly now than a few days ago.

In the meantime, the Dreamhost support knowledge base suggests using SetEnvIfNoCase to define patterns to be blocked. This does work at Dreamhost, and I’ve blocked most of the current spam run with the following:

Referrer Spammer IP Blocklist

October 8th, 2005 10:48am

Here’s a list of IP addresses that have been sending me referrer spam this week. I haven’t had a major attack like this past week before; I’m currently getting something like 10,000 per day since last week.

Most of the bad referrers point to “.go.to”, “.drop.to”, “.hey.to”, “.dive.to”, “.come.to”, “switch.to” and other “.to” TLD sites. The originating IPs are all over the internet. The typical pattern seems to be a few requests from each IP, rather than a stream from a single IP. The user-agent strings are all different, so perhaps these are individual PCs that have been hacked into a botnet for spamming purposes.

If your IP address is on this list, you’re temporarily blocked here, and your computer probably needs to be checked for viruses.
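
An added example (not code from the original post): a Python pass over an Apache access log that tallies requests whose referrer falls under the “.to” hosts named above, both per source IP and per referrer domain. It assumes the server writes the combined log format; the log lines, IP addresses and referrer host names in the sample are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Referrer domains named in the post; matched on a label boundary.
SPAM_DOMAINS = ("go.to", "drop.to", "hey.to", "dive.to", "come.to", "switch.to")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def spam_domain(referer):
    """Return the listed domain the referrer host falls under, or None."""
    if "://" not in referer:
        referer = "//" + referer          # let urlsplit see a bare host
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    for dom in SPAM_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def profile(lines):
    """Count spam-referrer requests per source IP and per referrer domain."""
    by_ip, by_domain, agents = Counter(), Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        dom = spam_domain(m["referer"]) if m else None
        if dom:
            by_ip[m["ip"]] += 1
            by_domain[dom] += 1
            agents.add(m["agent"])
    return by_ip, by_domain, agents

# Constructed sample: documentation IP ranges, made-up referrer hosts.
SAMPLE = [
    '192.0.2.10 - - [08/Oct/2005:10:01:02 -0700] "GET / HTTP/1.1" 200 5120 "http://pills-example.go.to" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [08/Oct/2005:10:01:09 -0700] "GET / HTTP/1.1" 200 5120 "http://pills-example.go.to/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [08/Oct/2005:10:02:30 -0700] "GET / HTTP/1.0" 200 5120 "http://Casino-Example.DROP.to/index.html" "Mozilla/5.0 (Windows; U) Firefox/1.0.7"',
    '203.0.113.44 - - [08/Oct/2005:10:03:11 -0700] "GET /about/ HTTP/1.1" 200 2048 "http://switch.to" "Opera/8.5 (Windows NT 5.1; U; en)"',
    '203.0.113.80 - - [08/Oct/2005:10:04:00 -0700] "GET /feed/ HTTP/1.1" 200 9000 "http://notgo.to/page" "Mozilla/5.0 (X11; U; Linux)"',
    '198.51.100.99 - - [08/Oct/2005:10:05:45 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    by_ip, by_domain, agents = profile(SAMPLE)
    print("candidate block list:", sorted(by_ip))
    print("requests per IP:", dict(by_ip))
    print("requests per referrer domain:", dict(by_domain))
    print("distinct user agents:", len(agents))
```

Comparing the per-IP tally with the per-domain tally on a real log shows how thinly the run is spread across sources, which is the case where a referrer-pattern rule outlasts an IP list.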

24 Hour Laundry is Ning

October 4th, 2005 5:09pm

24 Hour Laundry decloaks:

Ning is a free online service (or, as we like to call it, a Playground) for people to build and run social applications. Social “apps” are web applications that enable anyone to match, transact, and communicate with other people.

Our goal with Ning is to see what happens when you open things up and make it easy to create, share, and discover new social apps. These might include for any city, your own take on Craigslist…for any passion, your own take on Match.com…for any interest, your own take on Zagat…for any event, your own take on Flickr…for any school, your own take on the Facebook…for any topic, your own take on del.icio.us…for any mammal, your own take on Hot or Not or Kitten War.

Now multi-lingual

October 4th, 2005 1:46pm

I’ve noticed in the server logs that many readers here are from non-English speaking countries.

You can now read an automatically translated version of this site by clicking on one of the flags over in the sidebar. Translation into Spanish, French, German, Portuguese, Italian, Japanese, Korean, and Chinese is provided by Google, using Angsuman’s Automatic Machine Translation Plugin.

Machine translation can sometimes create silly output, but I’ll try this out for a while and see how people like it.

Blocking Referrer Spam

October 2nd, 2005 2:56pm

This afternoon, I’ve noticed there’s a steady stream of HTTP referrer (aka referer) spam originating from a few IP addresses, so I’m finally getting around to making some updates to reduce the volume of spam traffic. In the past I’ve been getting a few spam referrers here and there, but today there are thousands in just a few hours, and these changes are a bit overdue.

Here are the IP addresses sending me spam today:

64.193.62.232
70.84.211.130
69.28.242.87

All of the HTTP requests are HEAD only, not GET. Here’s a typical one:

64.193.62.232 - - [02/Oct/2005:14:34:34 -0700]
    "HEAD / HTTP/1.1" 403 - "http://cheap-vicodin.none.pl"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Notice the 403 Forbidden status code. That’s because I’ve added a section to .htaccess to block referrers with spammy keywords, and also to manually block IP addresses. Here’s an abbreviated version:

Patching Refeed for PHP-CGI

September 29th, 2005 4:46pm

If you’re not interested in Reblog, Refeed, or PHP-CGI, I recommend you skip this post.

Lately I’ve been working with various combinations of aggregators, tagging, ranking, and presentation systems. Here are some fixes for anyone who is trying to get Reblog / Refeed 1.3 running on a hosted web service.

I’m mostly using Dreamhost, which is presently running PHP 4.3.10, and offers a choice of PHP as an Apache module or PHP-CGI. These installation problems are likely to occur for anyone running Refeed in a PHP-CGI environment. The initial symptoms are that the HTTP authentication dialog will pop up when you try to view the Refeed control panel, independent of whether credentials are defined in init.php.

The main issues:

More from Dreamhost and Media Temple on the L.A. Power Outage

September 13th, 2005 9:11pm

I’ve generally been satisfied with hosting services at Dreamhost, which provide a lot of capabilities at a modest cost. However, yesterday’s power outage in Los Angeles shut down Dreamhost and a number of other sites in data centers that were supposed to have hardened power and redundant network connections. An obvious question is: what happened to the backup power?

One of the main points of using a hosting or colocation service is having better connectivity, environmental controls, and power. In Dreamhost’s case, the latter would be the backup UPS and diesel generators which are supposed to start up when the power grid goes offline.

There is a series of posts on the Dreamhost blog on yesterday’s outage. Looks like the upstream network providers (Level 3, Global Crossing, and Mzima) failed while DH still had power from their backup system, then a few minutes later the backup power failed.

Wordpress Contact Form 1.3 Update

September 13th, 2005 12:08pm

We’re using the Wordpress WP-ContactForm plugin by Ryan Duff and Firas Durri on some of our sites. During the past few weeks, there has been an increasing volume of attempted spam e-mail through the contact form. The latest update (1.3) has additional validation on the form input to prevent the injection of MIME enclosures, additional mail header fields, etc.

Here’s a recent discussion thread on the Wordpress support forum. Firas says:

For those curious, the spamming/attaching is done via injecting extra headers along with the ‘From’ field. It’s not done using the actual html interface, but via other agents posting to the script.

The update announcement is here; the latest version is available on the plugin project page.

If you’re running an earlier version of the Wordpress Contact Form plugin, this update should block the latest round of spam agents attempting to abuse the older version.


    • You are currently browsing the archives for the Web Site Development category.


    © 2004-2008 Ho John Lee