Archive for the 'wordpress' Category

Test, test…

Tuesday, April 8th, 2008

1, 2, 1, 2…

So I decided to take a break from fucking a football[*] converting databases and upgrade the blog to WordPress 2.5. If anyone notices that anything done broke, try to leave a comment or pop me an email at static at this domain.

Now *that’s* old school

Friday, January 26th, 2007

A command-line interface theme for WordPress:
In the beginning was the Command Line...

Plone/Zope – spammer havens?

Saturday, August 19th, 2006

[update 22 Sept 2006 1155AM PDT – I’ve been remiss in noting that Plone has a new release out that fixes this problem and they have instructions on how to clean up the spammer-generated content. I do, however, think that the folks at Plone are being disengeous when they describe the scope of this vulnerability as being limited to high-visibility sites and when they downplay this as a security hole. Guys, if a spammer can upload arbitrary scripts to your site, that’s a security hole.]

This is an open note to the folks on the Plone and Zope projects: I don’t know if this is an exploit you’re aware of, but there’s a script or tool loose in the wild that makes it extremely easy for spammers to generate fake user IDs and bogus content for your systems.

As my regular readers will know, I’m involved with The Mystery of the Haunted Vampire, a quirky horror-ish blog. Lately, I’ve been more of an admin than contributor – and a lot of that has been checking the comment and trackback spam caught by the Askimet WordPress plugin.

So far, we’ve had no false positives and only one or two false negatives, which is definitely a hit ratio I can live with. I click on the “Administer Askimet” tab, give the spam a quick once-over, and select “delete all”. Boom, done. Not that big a deal… But a couple of days ago, something caught my eye – a bit o’ trackback spam that linked to a .edu domain instead of the usual .ru, .nu, .pl, .biz or .info domain.


So I checked it out using a text-only browser that sends a valid referrer-agent string (like IE or Mozilla) but displays the raw HTML and/or JavaScript behind a page. Turns out that the site is a homework/reading forum for a Comp Sci class, and the URL in the spam was a post to the forum that consisted solely of a JavaScript that immediately redirects you to a typical pill-spammer site (Gee, that’s where the .biz was hiding. Imagine that.). Figuring that a federally-funded institution didn’t want to be supporting illegal online pharmacies, I reported it to their helpdesk, and the sites were taken down in a day or two.

Well, yesterday we got another lovely chunk of pill-pushing spammy goodness – and almost every single link was to a .edu URL. We aren’t talking questionable schools, either – these were almost all subdomains on the sites of Ivy League, public Ivy, and Top 10 schools.

Real schools, all really well-known names, all harboring spammer redirects. Whoops.

When I went to look up the contacts for these sites, I noticed they were all running the exact same software: Plone and/or Zope. Plone & Zope are open-source content management systems (CMS isn’t my thing, but it looks like Zope is the foundation that Plone is built upon.) that provide an extensible, flexible framework for, well, community portals – very similar to the Comp Sci portal I initially saw. And every single site that spammer exploited was using pretty damn close to the exact same combination of tools.

So I guess you can also consider this an open note to all those academic and non-profit teams running open-source community portals like Plone: tighten up your security, and make sure you lock the damn site down if it isn’t live. One Ivy League school linked in that spam had thousands of spammer redirects on one of their sites – and it looked like the main site hadn’t been actively used in a couple of years. How’d you like to have Google results for pyramid schemes, skeezy refinance outfits, work at home ripoffs, illegal narcotics, and penis pills associated with your domain?

Yeah, I didn’t think so.

Petard. Own. Hoist.

Tuesday, July 18th, 2006

(Updated below)

Caught this tidbit from the WordPress news headlines – how to defeat sploggers, blackhat SEOs, and other kinds of content thieves by feeding them their own special RSS feed. If they’re going to use RSS to steal content, feed ’em crap, like, oh, their own WHOIS data or George Carlin’s words you can’t say on television (or whatever).

Good stuff. The code in the article will only work with WordPress, but in theory the concept could be (easily?) extended to other platforms. Also, it won’t work if your feed is being picked up by a service like FeedBurner, so YMMV. Still, any little thing to put some sand in their lube, eh?

19 Jul 06 6:58A PDT Update: Jonathan Bailey, the author of the linked piece, stopped by last night and pointed out that there is code in the article that utilizes the .htaccess file, which would work regardless of your blogging/forum/image gallery/other content-related software. He also pointed out that none of these solutions will work on the free ‘turnkey’ sites such as,, or any other fully-hosted services that keep the blogs inside pretty secure sandboxes.