Back From Maintenance – Or: Why Upgrading Is A Good Idea!
As some of you might have noticed, this site has been down for the last two days due to unscheduled maintenance. I came across the nice “Maintenance Mode Plugin” that shows a message to the visitors, adds a “503 Service Unavailable” header and is a really handy tool.
The reason for the sudden maintenance: my WP installation has been hacked!
So, what actually happened is that some “evil bot” used a known exploit in the (I admit: very not-up-to-date) version 2.1.3 that I was still using. Fortunately, not so much damage was done. Only some fields in the “wp-options” table were altered (e.g. active_plugins) and all the pages were converted to posts – no files were harmed, no password was changed. Those who would like to know more should take a look at the forum on wordpress.org or google for “ro8kfbsmag.txt”.
I’d like to add that the exploit mentioned above seems to be fixed in the current version. Nevertheless: with the help of my provider (all-inkl), I put some code into the .htaccess which prevents the wp-pass.php from being used to redirect URLs – here’s the code (put it directly under “RewriteBase /”):
# Prevent external sites from gaining access via wp-pass.php
RewriteCond %{REQUEST_URI} (.*)wp-pass.php(.*) [NC]
RewriteCond %{QUERY_STRING} !(.*)_wp_http_referer=http://(www\.)?yourdomain(.*) [NC]
RewriteCond %{QUERY_STRING} (.*)_wp_http_referer=http://(.*) [NC]
RewriteRule ^(.*) - [F]
This actually does the following:
1. If the current URL contains “wp-pass.php” and
2. the query string “_wp_http_referer=” does not contain a link to yourdomain but
3. the query string “_wp_http_referer=” is included and links to an external site
4. then show a 404 error page.
This seems to work fine.
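To see which requests the four conditions above actually catch, here is an added simulation of the rule in Python – this is my own test harness, not code from the post, from all-inkl or from WordPress. It mirrors mod_rewrite’s semantics (each RewriteCond is matched unanchored and case-insensitively, all conditions must hold, and `[F]` answers 403 Forbidden rather than 404). “yourdomain” is the same placeholder as in the .htaccess snippet. The tightened variant at the end is my suggestion: the original allow-pattern ends in `(.*)`, so any referer host that merely begins with your domain name is treated as your own site, and `https://` referers are not covered at all.

```python
import re

# Added simulation of the mod_rewrite block from the post.  "yourdomain" is
# the post's placeholder; put your own host name there.  mod_rewrite matches
# each RewriteCond anywhere in the variable (unanchored), hence re.search.
OWN_DOMAIN = "yourdomain"

# The three conditions as written in the post (all [NC] = case-insensitive).
COND_URI = re.compile(r"(.*)wp-pass.php(.*)", re.IGNORECASE)
COND_OWN = re.compile(
    r"(.*)_wp_http_referer=http://(www\.)?" + re.escape(OWN_DOMAIN) + r"(.*)",
    re.IGNORECASE,
)
COND_EXTERNAL = re.compile(r"(.*)_wp_http_referer=http://(.*)", re.IGNORECASE)


def is_blocked(request_uri, query_string):
    """True when the post's rule fires, i.e. Apache answers 403 Forbidden ([F])."""
    if not COND_URI.search(request_uri):        # 1. URL contains wp-pass.php
        return False
    if COND_OWN.search(query_string):           # 2. negated ("!") own-domain check
        return False
    return bool(COND_EXTERNAL.search(query_string))  # 3. an external referer is present


# Tightened variant (my suggestion, not from the post): the own-domain pattern
# must end at "/", "&" or end of string, and https is handled too.
# Equivalent .htaccess lines would be:
#   RewriteCond %{QUERY_STRING} !_wp_http_referer=https?://(www\.)?yourdomain(/|&|$) [NC]
#   RewriteCond %{QUERY_STRING} _wp_http_referer=https?:// [NC]
TIGHT_OWN = re.compile(
    r"_wp_http_referer=https?://(www\.)?" + re.escape(OWN_DOMAIN) + r"(/|&|$)",
    re.IGNORECASE,
)
TIGHT_EXTERNAL = re.compile(r"_wp_http_referer=https?://", re.IGNORECASE)


def is_blocked_tightened(request_uri, query_string):
    """Same decision as is_blocked(), with the stricter own-domain pattern."""
    if not COND_URI.search(request_uri):
        return False
    if TIGHT_OWN.search(query_string):
        return False
    return bool(TIGHT_EXTERNAL.search(query_string))


if __name__ == "__main__":
    # Constructed sample requests: (REQUEST_URI, raw QUERY_STRING as Apache sees it).
    samples = [
        ("/wp-pass.php", "_wp_http_referer=http://external.example/page"),
        ("/wp-pass.php", "_wp_http_referer=http://www.yourdomain/wp-login.php"),
        ("/wp-pass.php", "post_password=secret"),
        ("/index.php", "_wp_http_referer=http://external.example/page"),
        ("/wp-pass.php", "_wp_http_referer=http://yourdomain.example.net/"),
    ]
    for uri, qs in samples:
        verdict = "403" if is_blocked(uri, qs) else "pass"
        tight = "403" if is_blocked_tightened(uri, qs) else "pass"
        print(f"{uri}?{qs}\n  original: {verdict}   tightened: {tight}")
```

One more caveat worth knowing: `%{QUERY_STRING}` is matched as sent, not URL-decoded, so the patterns only ever see the literal `http://` spelling of the referer value. Run the script and the fifth sample shows the difference between the two rule sets.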
Well, I took this “hack attack” as a sign and upgraded to the current version 2.3.3 of WordPress – which was a lot easier than I thought. Only some slight changes had to be made in the theme (i.e. different template tags), and – of course – some plugins had to be updated.
Here are three nice plugins I stumbled across while getting familiar with the “new” WordPress and which give you back some features missing in the new WP version:
- Nusuni Technorati Links: brings back the good old “Technorati Incoming Links” section on the dashboard instead of the not-so-well-working “Google Blog Search” links.
- Preview Frame: missing the preview frame while writing posts? This plugin brings it back.
- Simple Tags: almost gives you that nice UTW feeling.
Oh, there was also this one issue that – after upgrading – some characters in the posts were shown differently. For example, the “Registered Trademark” sign (®) was shown as a diamond with a question mark in it (�). I googled this and found out that the collation of the WP table fields changed with WP 2.2 – before, it was latin1_swedish_ci.
I don’t know what this is all about, but I followed some links and finally found a plugin that does the conversion automatically for you: UTF-8 Database Converter.
Attention: Be careful with this plugin! It might not have been tested with your version of WordPress. Read the readme-file and follow the instructions carefully!
Well, it seemed to have worked with my installation… anyway, you know you should always have a backup ready, right?
If you want to know more about this whole collation thing, here are some links I’d consider helpful for understanding the issue:
- wordpress.org/support/topic/128145
- wordpress.org/support/topic/121303
- codex.wordpress.org/Converting_Database_Character_Sets
I really hope that this is it for now and that I can continue blogging without any further big interruptions.
Stay upgraded!
[Update from 2008-03-31]
I have to mention that YES, files had been altered (by the “evil bot”): my header.php and footer.php contained some strange HTML-code (spam links) that I only noticed while validating my site – because the code wasn’t (X)HTML-valid.
[Update from 2008-04-01]
Damn… the upgrade and that converter damaged my wp_comments table! As I have some German friends who like to leave a comment in their native language, there were some “Umlaute” (ä, ö, ü) in the comments… after upgrading and converting to UTF-8, the content ended at the first “Umlaut”. As I had no clue how to reintegrate them via Backup and SQL, I just typed them in manually inside the “comments” section of the admin panel…
The content of the posts seems to be fine, though…
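Since both the “diamond with a question mark” in the posts and the comments that end at the first Umlaut come from the same root cause, here is an added Python illustration of what happens to the stored bytes – this is my own demonstration, not code from the post or from the UTF-8 Database Converter plugin, and it uses Python’s codecs instead of a real MySQL table. It assumes that the posts held UTF-8 bytes inside latin1-declared columns while the affected comments held single-byte latin1 umlauts; the truncation emulates MySQL’s non-strict behaviour of cutting a value at the first byte sequence that is not valid in the target charset.

```python
# Added illustration of the two charset symptoms described in the post.
# Assumption: posts = UTF-8 bytes in latin1 columns, comments = latin1 bytes.
UTF8 = "utf-8"
LATIN1 = "latin1"  # the charset behind the old latin1_swedish_ci collation


def shown_as(raw, assumed_charset):
    """What a reader sees when stored bytes are interpreted under a charset
    other than the one they were written in.  Bytes that are not valid in
    the assumed charset render as U+FFFD, the 'diamond with a question mark'."""
    return raw.decode(assumed_charset, errors="replace")


def lossy_convert(raw):
    """Emulates a conversion that treats every stored value as UTF-8 and, like
    MySQL in non-strict mode, cuts the value at the first byte sequence that
    is not valid UTF-8 (the 'content ended at the first Umlaut' symptom)."""
    try:
        return raw.decode(UTF8)
    except UnicodeDecodeError as err:
        return raw[: err.start].decode(UTF8)


def safe_convert(raw, fallback=LATIN1):
    """Per-value conversion that keeps the text: a value that already is valid
    UTF-8 is taken as such, anything else is decoded with the fallback charset.
    Returns (text, charset_used) so a dry run over all rows can be reviewed
    before anything is written back to the database."""
    try:
        return raw.decode(UTF8), UTF8
    except UnicodeDecodeError:
        return raw.decode(fallback), fallback


if __name__ == "__main__":
    # Constructed samples standing in for one post row and one comment row.
    post_row = "Trademark®".encode(UTF8)          # UTF-8 bytes in a latin1 column
    comment_row = "Schöne Grüße".encode(LATIN1)   # single-byte latin1 umlauts
    print(shown_as(post_row, LATIN1))             # mojibake: TrademarkÂ®
    print(shown_as(comment_row, UTF8))            # Sch�ne Gr��e
    print(repr(lossy_convert(comment_row)))       # 'Sch' - the comment is cut off
    for row in (post_row, comment_row):
        print(safe_convert(row))                  # both texts survive intact
```

The `safe_convert` check is a heuristic (a latin1 byte sequence can, rarely, also be valid UTF-8), which is exactly why a converter should be run as a dry run against a backup first, as the post already recommends.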
Filed under: WordPress Stuff · Tags: plugin, troubleshooting, upgrading, wordpress