After trying out my .htaccess scheme to protect my WordPress installation I was running into an endless pop-up of authentication pop-ups.

I searched around and found a post by DianeV on the WP forums: http://wordpress.org/support/topic/113881#post-546028

She links to a post she made back in 2007 (yikes) entitled:
WordPress admin password protection 404 http://developedtraffic.com/2007/05/27/wordpress-admin-password-protection-404/

She points to a support issue with the TextPattern CMS http://textpattern.com/faq/173/password-protected-directories-with-htaccess which happens to give a solution.

It turns out that some servers need to be told explicitly where the error pages are, especially those for 401 and 403 errors, in order for .htaccess authentication to work properly.

After my WordPress website was hacked into, I began to look into all the options and advice for setting it up securely.
http://codex.wordpress.org/Installing_WordPress

Step 1: Getting the Latest WordPress Version

I like to use the shell for this since it saves on downloading it on one of my computers and then transferring it onto a remote server. Login to your file hosting server with the shell account you assigned to your domain. Navigate to a directory where you want to work from, keeping in mind that it doesn’t have to be the directory that is set to be public on the Internet (i.e. where the files placed here can be reached via a browser). At the prompt, run: wget http://wordpress.org/latest.tar.gz

The above link will always download the latest release. Now you need to decompress this archive, run: tar -xzvf latest.tar.gz

In your current directory, you should now have a directory called wordpress that you can rename to anything. You will be pointing your URL address to this folder as your root.

Delete readme.html from the wordpress root directory as this will tip off the exact version you have installed to possible attackers.

Step 2: Changing the wp-config.php File

Fill in the information related to the database you’ll be using in the following defines: DB_NAME, DB_USER, DB_PASSWORD, DB_HOST

You should always change the default database table prefix from wp_ to something a bit harder to guess. In most installations, people will have one database devoted strictly to WordPress, so you don’t even have to prefix the tables with wp_; just create a random alphanumeric string (about 4-6 characters long) and use that as your prefix.

$table_prefix  = 'wp_';
$table_prefix  = 'rRe342_';

Pay attention to the Authentication Unique Keys section and be sure to get a new generated set from the WP secret-key service https://api.wordpress.org/secret-key/1.1/ as it says in the comments area.

A good discussion of other wp-config.php options is found here: http://codex.wordpress.org/Editing_wp-config.php

Step 3: Creating Directory-Level Password Checks

htpasswd -cm /home/<username>/<website>/.htpasswd <new username you want to create a password for>

use the -m for MD5

Step 4: Changing the DreamHost Server Settings to Point to Your New WordPress Installation

To run the WordPress install script, you will need to change the settings of the server to point to your WP root directory (the one created during the decompressing of the archive in Step 1). For DreamHost Web Panel users, head to Manage Domains found either through the Toolbox shortcut or under the Main Menu Domains heading. Find the domain (or sub-domain) name you want WordPress to be shown from and click on its Edit button. Now fill out the Web Directory textbox to map onto the WP root directory.

It may be handy to have phpMyAdmin open and ready for the database you’ll be using as you’re going to want to modify a few things.

I was looking over some settings on my website earlier and I just happened to check on my Google Webmaster Tools account where I discovered that something was not quite right. Google’s site crawler was reporting that there were 24(?) unlinked pages on one of my WordPress pages. I clicked through to find that there was an entirely new directory (/pdd) on my website that linked to a radio podcasting site from the Netherlands. But that directory didn’t exist! Here’s the worrisome part: whoever managed to hack into my account was able to change my root .htaccess file. So they created a new rewrite rule to route the tiago.kamots.net/pdd requests through another vector.

The Altered .htaccess File:
RewriteEngine On
RewriteRule pdd/(.*)/(.*)/(.*)/$ /wp-admin/includes/?post=$3|$1|$2 [L]
RewriteRule pdd/$ /wp-admin/includes/ [L]
RewriteBase /

Whatever changed the .htaccess file was smart enough to create the new rewrite rules near the top of the file for full effect. Had it simply been appended, it would not have worked.

I transferred a part of the Kamots Network from Netfirms to DreamHost on January 15, 2010, and I originally thought that it was during this small window that the attack was made. But I was wrong. I checked back on the Netfirms servers and there were several files with a last modified timestamp of interest (November 15, 2009). They are (using relative pathnames):

WordPress root directory represented as ~
~/.htaccess [Last Modified: 2009-October-23]
~/wp-includes/class-read.php [8 KB]
~/wp-includes/common.php [0 bytes]
~/wp-includes/wp-common.php [69 KB]
~/wp-includes/wp-vars.php [0 bytes]
~/wp-includes/wp-version.php [105 bytes]

When transferring these files to my desktop computer, my Norton Antivirus detected a High severity PHP.Backdoor.Trojan in wp-common.php. It turns out that this file was written by a “security group” in China, which is also where 90% of my spam messages on WordPress originate from. You can download this toolkit off of this group’s website so there is a strong chance it was used as part of an automated/scripted attack by another entity entirely.

Running a Hidden Website Within a WordPress Installation

What interests me is how this attack was able to implant 46 hidden pages within my WordPress installation. For example, this URL:

http://tiago.kamots.net/pdd/41/hoor/hoorspelcast-raquo-gezocht/

actually gets redirected through the .htaccess rule into:
tiago.kamots.net/wp-admin/includes/?post= hoorspelcast-raquo-gezocht |41|hoor

But none of those 46 pages are anywhere in my database or file structure! What an ingenious exploit, and it’s been known since at least 2008 which is the date that this wp-common.php Trojan file was written.

This was quite a learning experience.

Netfirms
You may need to look into your file system security. And shouldn’t you have an antivirus scan of some sort running on your servers? Also, your FTP users are limited with passwords of only 6 characters. That’s way too small! Since you randomly generate them for your customers, you may as well go all the way and have longer (and more complicated) passwords created.
Good References
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
http://enthusiasm.cozy.org/archives/2010/01/argh-blog-hacked
http://www.askapache.com/htaccess/htaccess.html

At TheUltimateSteal.ca, the Windows 7 Professional Upgrade is listed at $39.99 (in Canadian dollars)! Granted, that’s only for the digital download but you can have them ship you the official DVD for $13 (includes shipping and you don’t even pay tax).

To order your copy, visit TheUltimateSteal.ca or through Microsoft’s longer URL: www.microsoft.com/student/discounts/theultimatesteal-ca/

Since this is an Upgrade, you will most likely have to have an existing genuine license for another Windows product (Windows XP and Vista only). There was a loophole with Windows Vista Upgrades where you would not need to enter in your existing key, but that they may be fixed in this new version. If in doubt, do a search for more information.

Enjoy the next step of PC evolution; thumbs up and thanks Microsoft.

From an updated version of Office 2007 SP1, it was 350.3 MB on my Windows Vista PC. That’s a lot of ones and zeros.

What’s great about this Service Pack is that it adds full support for OpenDocument Format (ODF) and saving as Portable Document Format (PDF) and XML Paper Specification (XPS). No more having to download external add-ins for this. I’m noticing more and more that Microsoft is allowing a lot more open source interoperability in their products, but I don’t think it’s Big M “caving in”; on the contrary, they’re giving you more reasons to stay with their products.

Oh, and they also added an interface to program against to extend what formats Office 2007 is capable of working with. From their patch notes:

Extensible File Formats: Word, Excel, and PowerPoint now include a converter interface that lets you plug third-party custom file formats into these Office programs. A developer can create a converter for files of a particular extension. When this converter is installed on a user’s computer, the custom file format effectively behaves like a built-in file format. Specifically, users can open files of this format and save them by using the Open or Save UI. They can even set the custom format as their default file format. For more information, visit the following MSDN Web site.

I’m interested to see where this goes.

Upon arriving at the basement room, I found only a handful of people sitting around a table chatting. I was greeted by Cameron McKay (the president of CIPS Toronto) and Jeff Knetchel. I also remember Adam Cole being there, but I did not remember everyone else’s name. I was the only student there and, by far, the youngest.

Cameron had brought along a large microphone to record the talk in hopes of turning it into a podcast. It started as a roundtable discussion where Cameron would ask a question and then go around the table asking the other people (around 10 at this point) what their thoughts or experiences were. I tried to contribute a few times, but I think I only really spoke at any length maybe three times. I asked a question of the others since they all seemed fairly successful and it was very enlightening to hear their experiences and advice on how to manage the balance in our lives. Hopefully the podcast is put up on the CIPS Toronto website.

Environment

• Operating System: Microsoft Vista Ultimate 64-bit
• Microsoft Internet Explorer 8 is the default browser
• using Mozilla Firefox 3.0.x

Preconditions

While doing research for my white paper, I was using the InfoTrac General Science eCollection database to pull up some articles. One of the options available is to download the articles as an HTML document. Upon clicking the Download link, it tries downloading an HTML document and prompts me if I would like to Open with or Save File. The default program for the Open with dialog is Internet Explorer, but I decided to change it. Firefox, however, was not listed as an alternative; I ended up having to navigate to the Firefox executable (File: firefox.exe). As soon as I pressed OK, I got the following error:

Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system.

Possible Explanations of Error

• Firefox cannot handle opening an HTML document as a download within itself
  • tries to execute another instance of Firefox, but that clashes with already-open instance
• Since the default browser on the system is Internet Explorer, it originally tried to open the HTML document with that and it worked. When I tried to change it to Firefox I encountered the problem above.
  • How would this be handled if Firefox were the default HTML document viewer?
  • Does this behaviour exist when opening an HTML document from a local filesystem (via double-clicking and letting Windows run with the associated program)?
• Desired Functionality
  • To open a New Window in the currently running instance of Firefox with the document.
  • Prompting to run in:
    • a new instance of Firefox, possibly with an option to choose which Profile
    • a new tab in the originating Firefox window
    • a new window from the originating Firefox instance

Download the OpenSolaris Build presentation [in PDF format]

I have installed the following Sun-related software:

• VirtualBox 2.1.4 on my Windows Vista Ultimate 64-bit PC
• created a virtual machine from an OpenSolaris 2008.11 DVD I had received via mail by Sun for free using VirtualBox
• had to download Sun Studio 11 in my OpenSolaris install since it came completely bare (no compilers, nothing.)

After that, I had to download the OpenOffice.org source code that I would be using (DEV300_m42) which was made open source by Sun too.

I had some previous experiences with virtualization:

• VMware Workstation [Was just becoming free around the time I tried it]
  • Option overkill for what I wanted. Since this was the first time I had used virtual machines it scared me away a bit. VMware is the gorilla of virtualization from what I’ve seen and heard from smart people.
• Microsoft Virtual PC [Free from Microsoft]
  • The easiest setup-and-play experience for any Windows-friendly operating system (Windows, DOS, OS/2). Running Windows within Windows is amazing on this; you have complete clipboard sharing, native display settings, shared folders, host device usage (printers, USB, etc.)… it’s pretty sweet. But it wouldn’t cut it for OpenSolaris. To be fair, things may have changed and perhaps OpenSolaris would’ve worked on Virtual PC but I wanted to try something new.

Reading some information about OOo development and OpenSolaris made me aware of another Sun project called VirtualBox. I did some research into it and it turns out to be a fantastic virtualization product. So I downloaded it (version 2.1.4) and began setting up  OpenSolaris 2008.11 from the DVD I had received. Bad idea.

One of the benefits of using virtualization software is that you can “cheat” through various means when installing a guest operating system. Instead of using optical media (CDs, DVDs) you should opt to mount an ISO image (usually files with the .ISO extension) from a hard drive. This will save you a lot of time. (At the least, some time. Your mileage may vary.) It took me just under 60 minutes to perform a default install of OpenSolaris.