Tales of a WordPress Trojan

A couple of nights ago, as I was browsing the web, I got a pop-up message from Zone Alarm Anti-virus telling me that it had found and quarantined the Trojan-Clicker.JS.Agent.h trojan in my Firefox cache.

Now the problem with the Firefox cache is that the files in there aren't indexed by URL name so I had no idea which site I'd gotten that trojan from. The only two sites that were open in my browser at that time were Google Reader and this here blog of mine. This blog, by the way, is installed on my own website which, in turn, is hosted on a shared web hosting server in the US. A server that is expertly managed by my web host's very competent systems administrators. My website, therefore, is very secure. My blog is also secure since my version of WordPress is almost always up-to-date. This, then, was strange since neither of those sites should really have had a trojan or virus or anything else malicious on them.

Since Google Reader was the less likely trojan-hosting candidate, I thought I'd check my blog's HTML page source to see if I could figure out what was going on. However, when I tried to check it through Firefox, the page came up "missing". That was not a good sign. This meant that it was indeed my blog that contained the trojan since it was this page's local copy (in the cache) that Zone Alarm had quarantined. To double check, I navigated away from and then came back to my blog's home page. Immediately, Zone Alarm popped up another quarantine notice. Yep, the trojan was in my blog [1].

Bugger.

Time For Some Research

I then went to the web to learn all I could about the trojan which, strangely enough, wasn't much at all. This trojan was (and still is) rather new to the 'net and, therefore, has been minimally catalogued in all the online virus databases. It was, however, mentioned on a few message boards. Unfortunately, the relevant posting on Zone Alarm's message board was incredibly useless while the message boards that really seemed to be discussing it actively were all in Russian. Google Translate helped a bit with that but, ultimately, I couldn't learn anything from those pages either.

All I ended up learning from the web was that this is a JavaScript trojan (hence the JS in the middle of its name) that either opens up a pop-up ad, places a cookie in your browser's cache, creates a connection to a couple of sites on the 'net, and/or re-directs your browser to a particular page. I wasn't sure which of these this trojan did because it never got the chance to run on my computer. I also learnt that this trojan was, for all intents and purposes, pretty harmless. The virus databases listed its threat level as low and, really, if no one had even bothered to document it in any detail on the 'net, how bad could it be?

Still, a trojan is a trojan. So I set about trying to fix the problem myself.

Do-It-Yourself

The first thing I then did was some more research. I started by checking the WordPress site for security documentation. I learnt quite a bit from there. I then went and did all the things they suggested you do to 'harden' your WordPress installation. These were things I hadn't done earlier and that was probably how the trojan had gotten into my blog in the first place.

Next, I went and downloaded (through FTP) all the files from my blog installation to my local hard drive. All the files (mostly PHP files) got downloaded just fine but one of them immediately got quarantined by Zone Alarm. "A-ha", I thought, "that must be the file that contains the trojan. I must look at this file." Unfortunately, Zone Alarm wouldn't let me (duh!).

Fortunately, this was a file that I could look at from inside WordPress' administrator interface. Unfortunately, again, most of what was in that file was gibberish. It contained a few JavaScript functions that were weirdly named (a seemingly random string of numbers instead of a descriptive name) and some code within those. Now, since I didn't want to mess with WordPress' code, I thought I'd compare this file's code with the corresponding code from Nadia's blog installation (which, according to Zone Alarm, was trojan free). Nadia's version of this file was, indeed, different from mine. As I tried to tweak the code in my version of the file, however (i.e. change my file's code to make it look like Nadia's), I must have mistyped something because the next time I tried to view the blogs they had both crashed. That is, every time I tried to load them, I got a 500 Internal Server Error.

Bugger.

It All Falls In To Place

Fortunately, our blogs eventually came back online (did I mention that my web host's SysAdmins were really good?) and, this time, I wasn't getting any trojan pop-up messages from Zone Alarm when I visited them. However, the next day, the trojan quarantine messages were back. Oh, and now they were coming from both blogs. It was then that it occurred to me: "Dammit! The reason my code editing didn't work the first time was because I was trying to make my trojan-ridden code look like another kind of trojan-ridden code!" That is, I wasn't actually removing the trojan from my blog, I was merely changing it to look like the trojan on Nadia's blog. What I should have done was compare my version of the file to a perfectly clean version of the same file.

To get a clean version of that file, I went back to the WordPress site but couldn't find it there. I figured I'd have to go into the actual PHP source code (maintained by WordPress' developers) to do that...but that wasn't something I really wanted to get into. Then I realized that I did have easy access to a clean version of that file: I could simply install another copy of WordPress on my own website. Since this would be a new install, all of its files would be perfectly clean and trojan-free. I could then compare my file to that installation's version of that file. So I went ahead and did just that. And guess what? All of the JavaScript code in my file was trojan code. That is, the original version of the file didn't contain any JavaScript code at all [2].

Removing that was easy and now, finally, our blogs are completely trojan-free. If all now goes well, and with the help of a much more secure WordPress installation, our blogs will stay trojan-free from now on as well. Here's hoping.
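The fix above came down to one step: diff the live installation against a pristine copy of the same WordPress release and strip whatever JavaScript the clean copy does not contain. The script below is an added example of that check, not code from the post or from the WordPress project. It builds two tiny constructed directory trees (a clean copy and an "installed" copy with one tampered theme file and one stray file), hashes every file, lists what was modified, added or missing, and then pulls out the `<script>` blocks that appear only in the installed PHP files. The file names and the injected block are constructed stand-ins; on a real site you would point it at the live tree and a freshly downloaded WordPress archive of the same version.

```python
"""Added example (not from the post): compare a live WordPress tree against a
pristine copy of the same release and surface injected <script> blocks.
All sample files here are constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches a whole <script>...</script> block, case-insensitively, across lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.DOTALL | re.IGNORECASE)


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(installed, clean):
    """Return (modified, added, missing) relative paths, comparing by content hash."""
    installed, clean = Path(installed), Path(clean)
    inst_files = {p.relative_to(installed) for p in installed.rglob("*") if p.is_file()}
    clean_files = {p.relative_to(clean) for p in clean.rglob("*") if p.is_file()}
    modified = sorted(str(r) for r in inst_files & clean_files
                      if sha256_of(installed / r) != sha256_of(clean / r))
    added = sorted(str(r) for r in inst_files - clean_files)      # no clean counterpart
    missing = sorted(str(r) for r in clean_files - inst_files)    # deleted from the live site
    return modified, added, missing


def injected_scripts(installed_file, clean_file):
    """<script> blocks present in the installed file but absent from the clean one."""
    inst = Path(installed_file).read_text(errors="replace")
    ref = Path(clean_file).read_text(errors="replace") if Path(clean_file).exists() else ""
    ref_blocks = set(SCRIPT_RE.findall(ref))
    return [b for b in SCRIPT_RE.findall(inst) if b not in ref_blocks]


def audit(installed, clean):
    """Full report: tree differences plus, for changed/added PHP files, the foreign scripts."""
    modified, added, missing = compare_trees(installed, clean)
    findings = {}
    for rel in modified + added:
        if rel.endswith(".php"):
            blocks = injected_scripts(Path(installed) / rel, Path(clean) / rel)
            if blocks:
                findings[rel] = blocks
    return {"modified": modified, "added": added, "missing": missing, "injected": findings}


# Constructed stand-ins: a minimal theme footer and a harmless placeholder script
# whose function name mimics the "random string of numbers" style described in the post.
CLEAN_FOOTER = "<?php\n// constructed stand-in for a theme footer\nwp_footer();\n?>\n</body></html>\n"
INJECTED_BLOCK = ('<script type="text/javascript">'
                  'function f7421398(){/* constructed placeholder, not real malware */}'
                  'f7421398();</script>')


def build_demo():
    """Create two tiny trees: a clean copy and an 'installed' copy with one tampered file."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, installed = root / "clean", root / "installed"
    for base in (clean, installed):
        (base / "wp-content" / "themes" / "demo").mkdir(parents=True)
        (base / "wp-content" / "themes" / "demo" / "footer.php").write_text(CLEAN_FOOTER)
        (base / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'demo');\n")
    # Tamper only the installed copy: splice a script block into footer.php ...
    target = installed / "wp-content" / "themes" / "demo" / "footer.php"
    target.write_text(CLEAN_FOOTER.replace("</body>", INJECTED_BLOCK + "</body>"))
    # ... and drop a stray PHP file that has no counterpart in the clean tree.
    (installed / "wp-content" / "uploads.php").write_text("<?php\n// constructed stray file\n")
    return str(installed), str(clean)


def run_demo():
    """Build the constructed trees and audit them; returns the report dict."""
    installed, clean = build_demo()
    return audit(installed, clean)


if __name__ == "__main__":
    report = run_demo()
    for kind in ("modified", "added", "missing"):
        print(kind, report[kind])
    for rel, blocks in report["injected"].items():
        print("injected script in", rel)
        for b in blocks:
            print("   ", b[:80])
```

Two things worth noting. Comparing against a clean copy of the same release is what makes this reliable: comparing against another live site, as the post describes trying first, only tells you that the two sites differ. And files in `added` deserve as much attention as files in `modified`, since a dropped-in PHP file has no clean counterpart at all; legitimate exceptions are `wp-config.php`, which the clean archive does not ship, and the `wp-content/uploads` area, which you would exclude or review separately.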

Footnotes

[1] While my web host's SysAdmins are responsible for maintaining the web server itself, they aren't responsible for the stuff you install on your site. That is, the fact that my blog had a trojan in it wasn't their fault. It wasn't entirely my fault, either. Nor was it really the fault of the people who made WordPress. It was basically the fault of the hackers who had found a way to exploit a vulnerability in WordPress that let them attach this trojan to it. That's usually how it happens anyway.

[2] Which, in retrospect, is obvious since it was a PHP file that really shouldn't have had any JavaScript in it anyway.

Tech Stuff: Screen Savers, TinyURL, UC Berkeley, Careers

A lot of people have written about a lot of good/fun tech stuff over the last few weeks. Here are some of the things I found interesting:

The excellent Smashing Magazine did a good roundup of the best screen savers available online. And, in case you missed it, they recently did a good roundup of desktop wallpapers (my favourite wallpaper site for the last few years has been Vlad Studio, by the way) and, some time ago, an extensive roundup of over 40 books for professional design and development. Pretty awesome.

Scott Rosenberg wrote about the Terror of TinyURL. I'm someone who rarely, if ever, clicks on a URL that he can't see in the browser's status bar so I know where he's coming from. And while I do understand the need for TinyURL, it does scare me.

CNET reports that UC Berkeley has now started posting entire course lectures online on YouTube (at http://youtube.com/ucberkeley). And while they are the first to do so, they certainly won't be the last. This should be fun.

Finally, Marc Andreessen has been giving lots of excellent advice about career planning on his blog. He's written three installments (plus an introduction) so far, and though he comes from a high-tech, Silicon Valley background, it makes a really great read for everyone:

Enjoy :)

Connolly in Potter, Fry on the Web

Monsters & Critics is reporting that comedian Billy Connolly will be playing Xenophilius Lovegood (Luna Lovegood's father) in the upcoming Harry Potter movie 'Harry Potter and the Half-Blood Prince'! That's brilliant because Connolly is an exceptionally funny actor who has just the right amount of wackiness to play this particular role.

It's cool how, despite the fact that they're playing mostly bit parts, this franchise has gotten a whole bunch of seriously talented actors and actresses [1] to act in this series of movies. All of them are perfect for their roles [2], of course, though one wishes one could see more of them. Oh well.

Fry on the Web

Speaking of fantastic comedians (which is how we started), Stephen Fry now has a blog. His first (and, so far, only) entry is about the iPhone. Apparently, he's a huge PDA fan ("I have never seen a SmartPhone I haven't bought"). Who'd've thunk? Anyway, it makes a great read and, hopefully, he'll be an active blogger. Now wouldn't that be awesome.

Footnotes

Yes, I have footnotes in a blog posting. Want to make something of it?

[1] Or, if you want to be more politically correct (Hollywood style), just "actors".

[2] Like Alan Rickman as Severus Snape, Kenneth Branagh as Gilderoy Lockhart, Maggie Smith as Minerva McGonagall, Emma Thompson as Sybill Trelawney, Helena Bonham Carter as Bellatrix Lestrange, Gary Oldman as Sirius Black, and Ralph Fiennes as Lord Voldemort.

Analyzing The Ongoing Communications Revolution

The last two or three generations have all gone through some form of communications revolution or the other. From the introduction of the telephone, to the early days of the "wireless", the widespread availability of low-cost printing, the ubiquity of broadcast media, all the way to the modern day proliferation of mobile phones, computers, and the Internet. And those are only a few of the technologies that have continued to further empower, enable, and connect people around the world. There are many more.

What is important and relevant to us these days (and to this posting, of course) is the communications revolution that we're going through right now. And, as with every communications revolution, it's not just about the technology, it's about what people are doing with that technology. That is, for example, while the Internet itself is really quite remarkable, what's even more remarkable is what people are doing with it, what they're using it for, and the content they're creating on it.

Recently, Wil Wheaton wrote a good article about all this in his weekly 'Geek in Review' on the Suicide Girls website. He writes:
Communication empowers people, and an empowered people are very, very scary to the powerful upper class who hope that we’ll just go away, right after we buy a lot of crap from them that we don’t need. And holy shit are they scared right now. The revolution may not be televised, but it’s being blogged, YouTubed, MySpaced, Facebooked, Dugg and Netscaped.

The follow-up discussion about that article on his blog is good too.

Phil Plait from the Bad Astronomy Blog then carried the discussion forward by talking about the problems we face when going through revolutions:
Old media (especially movies and radio) are dying, but their death throes are damaging new media too. Wil makes this point about DRM, the RIAA, and other hurtful acronymicious things. They are scared of teh ‘tubes, so they try to make them knuckle under. It’s not working well.

And there's much more discussion about all this on the comments to his posting as well.

My own take on all this mimics what Wil and Phil are saying, of course, but I just wanted to add something that Isaac Asimov wrote in one of his essays (I don't remember which one). He said that it's cool to be living in an age in which you can actually follow the evolutions and revolutions in technology that take place in your own lifetime. Before this, things happened over a number of generations. Nowadays, Moore's Law holds.

And the awesome thing is that, the people who are able to follow these evolutions and revolutions (i.e. those who learn from the past, live in the present, and create the future -- like Phil and Wil), what do they do? They blog, they make websites, they write articles on those websites, they record and freely distribute audio and video netcasts...basically, they use all of these revolutionary technologies to, well, further the revolution. And it's not the technology revolution they're furthering, it's the social one. The one that talks about equity, fairness, honesty, peace, justice, kindness, and so on and so forth. And that, really, is what it's all about.

Seven Wonders of the IT World

I have a lot of small bits of information to share today. I guess I'll do it in bits and pieces (i.e. in separate blog postings). Here's the second tech-related one of the day.

CIO Magazine recently published an article on the Seven Wonders of the IT World and it makes an interesting read. A couple of the wonders are more "what a cool place for a computer to be" type wonders: the computer closest to the north pole and the computer farthest from the Earth. Three have to do with raw processing power: one of Google's data centers, the largest grid computing project, and the world's fastest supercomputer. One has to do with smallness: the smallest computer to run Windows Vista. And one has to do with computing: the paradigm change brought about by the Linux kernel. They're all truly wonders (or, at least, CIO's definition of what makes a "wonder") and, like I said earlier, the article is good to read.

Have you noticed, though, that more and more we like reading things that are neatly listed, categorized, and ranked -- basically, things that we can digest quickly and easily...like, er, chicken nuggets. Oh well.

Broadband Ho!

After using a dial-up Internet connection for about a year, we finally got a broadband (ADSL) connection at home yesterday. And boy is it a relief to browse at those speeds again. At home, that is -- I'm not counting my blazingly fast work and university Internet connections. Anyway, dialup was really, really starting to get on my nerves. Especially when coupled with my horse-and-cart speed laptop. Though, to be fair, my laptop on its own isn't really all that bad. The two together, however, do not make for a happy Ameel. So: one down, one to go. Of course, I'll have to wait for about another year before I can even begin to think of upgrading my laptop. Such is life.

Three other fun tech-related things happened yesterday. First, we got a wireless router at home so, not only are we connecting to the 'net at broadband speeds, we're wireless as well. Second, I got my laptop a USB wireless LAN adaptor (duh!). And third, I got a USB hard drive enclosure for my previous laptop's hard drive. That is, having already stripped my previous laptop of its RAM, I am now going to remove its hard drive (a good, 5,400RPM, 60GB hard drive) which I will then start using as an external hard drive (for current data backups, etc.). That last thing is quite a relief, actually, since my only other data backup is on my iPod. Once again, bless Nadia for having the foresight to get me a 60GB iPod a couple of years ago! Anyway, I now need to find some good backup software to use. I guess I'll start by exploring the one that came with the enclosure and then hit the 'net. At broadband speeds. Hee.

Ooh, and one more thing. Being in Australia, I am finally reaping the benefits of the excellent electronic funds transfer system that they have here. All of the hardware we've recently bought was from an online store (Discount Junction) that saved us quite a bit of time, money, and hassle. Most cool.

In other news: Nadia and I are going to watch Die Hard 4.0 (a.k.a. Live Free or Die Hard) tonight. I'll have more on that over the next few days. We're also going to the Cure concert on Sunday. Yes, life is good these days :)

[Aside: Hmmm...I still haven't posted my Harry Potter blog entry. I started it a week ago and have been saving it as a draft since then. I shall work on that next, I think.]

Near-Term Goals for This Here Blog

There is a lot that I want to blog about.

For example, I have recently watched the following movies:

Read the following interesting articles:

Read or re-read the following awesome books:

  • Frank Herbert's first Dune trilogy: "Dune", "Dune Messiah", and "Children of Dune"

  • JK Rowling's "Harry Potter & the Deathly Hallows"


Started listening to some really good netcasts on TWiT, including:

Discovered a couple of really good musicians:

Bought tickets to a couple of great concerts:

  • The Cure: 12 August, 2007 at the Rod Laver Arena

  • The Police: 26 January, 2008 at the Melbourne Cricket Ground


All of which are blog-worthy items. I have also recently started extensively using the most excellent Google Reader which is something that I really want to blog about.

Finally, aside from everything already listed above, I am now formally declaring the following topics as future postings of mine for this here blog:

  • Facebook (and social networking in general)

  • Living in Australia

  • Why blog?

  • The problem with this blog


All of which I will write about soon. I hope.

Huh?

Why have I just written all of this? Well, all this is thanks to the first item on Web Worker Daily's '10 Ways to be Productive with Your Blog' which is: "Post goals". That's step one done with. Let's see how the others go :)

Oh, and I have also recently added a new page to my website called '(Much) More About Me', the title of which is rather self explanatory.

Firefox Add-ons

Firefox Add-ons are awesome.

For blog postings specifically, I love the fact that I have the British English dictionary add-on installed. It spell-checks everything that I type into text boxes (such as the one I'm typing into now).

Other Extensions (which is an Add-on sub-type) that I can't live without are:

  • Google Toolbar, which just makes life so much easier

  • FlashGot, for letting me choose which program I want to use for downloading something

  • DownThemAll!, for letting me download multiple links/elements in a web page

  • PDF Download, for letting me choose between displaying or downloading PDF files when I click on a .pdf link

  • Web Developer, for letting me get into the nitty gritty of websites

  • ColorZilla, for letting me identify any colour that I see in the browser window

  • MeasureIt, for letting me measure (in pixels) anything that I see in the browser window

  • Tabbrowser Preferences, for letting me control my Firefox tabs better


Oh, and the Long Titles extension, which lets me read long lines of alternate text (for images), is also useful for websites like xkcd.

Actually, you know what? Firefox itself is awesome :)

Ninety Degrees of Randomness

I didn't think I wanted to start a blog. And then, when I signed up for a Yahoo! 360-degrees account (I'm a long time Yahoo! user), I found that I already had one (as part of the whole 360-degree package). Now this was a dilemma. I don't usually sign up for things I don't use so I went ahead and made a token entry:
So here I am, typing my first blog entry. Do I really expect to maintain this blog and/or use it regularly? No, that is most unlikely. In fact, I probably won't even visit this site very often. I just don't have time for writing blogs and maintaining pages such as these, unfortunately. Such is life.

Still...I might just. Who knows? :)

That, I thought, was that.

And then, while flicking through channels on TV, I watched a bit of Terminator 3: Rise of the Machines. Now, I really like the Terminator series (yes, even part three) but, since Nadia hasn't seen it, I can't talk to her about how cool I think it is. And that's when it occurred to me: when I don't have someone (such as my sister, Maliha) to talk to about the many, many different kinds of movies that I love, I can blog about it instead! (Yes, the word "blog" can be used as a verb). Talking out loud (on the Internet, at least) even though no one might be listening sure beats talking to no one instead. And so I started blogging every now and then on my Yahoo! page.

However, since Nadia and I have gone through all this effort to make our own website, it makes so much more sense for us to host our own blogs here (she had a temporary blog elsewhere too). And so here we are.