While doing research for the WordPress Security Suite (Prevent Bot Registrations, Prevent bots, scrapers and other badness on your WordPress blog) I needed some tools to pull agents, user requests and IP numbers from my log files and just give me a list of the unique ones of each.
So I wrote 3 PHP scripts to do just that.
Download the scripts, put your access log in the same directory and run them from a command line, or just load those pages in a directory on your webserver and view them. (Be sure to block them in robots.txt if you have them on a public webserver.)
Download log parsers
Tags: php · security · tools
1. Take your site offline.
You can do this with a temporary redirect in your .htaccess file.
RewriteEngine On
RewriteCond $1 !site-down-message\.html$
RewriteRule ^(.*\.php)$ http://www.yourwebsite.com/site-down-message.html [R=302,L]
2. Download everything on your website to a safe computer at home. You will want to see what went wrong, and it’ll serve as an emergency backup.
3. Check all your CMS (content management software) for new versions and load new, clean versions onto the site.
4. If you have a clean backup of your site, upload it now, taking care not to overwrite the new CMS.
5. Check everything, then check it again. Make sure everything is clean and that you have closed whatever hole the attacker used to get in, so the same attack cannot be repeated.
6. Check Google Webmaster Tools to see if you’ve been banished, and check Stop Badware. Let them both know your site has been attacked, cleaned, and is back up again.
— Many of the newer attacks plant things in your MySQL database to reinfect your site once you’ve cleaned it so be sure to wipe them too.
— But since no one ever thinks “I’ll be hacked today, so I think I’ll do a backup,” you might not have a clean backup. Contact your hosting company; they might have one if you don’t.
— If there are no clean backups you’ll have to do it by hand. This means you must find a corrupted file and see what the attacker added. Usually it will be in an iframe. If you have a Mac or Linux box you can go to the root directory of the website files and type
grep -R 'iframe badStuff' *
and get a list of every file that has the bad stuff in it. Replace badStuff with whatever string the attacker placed in your files. Do this also with the directory holding your MySQL backups. MySQL backups are text files and easily edited by hand.
If you have Windows you will need to download a copy of grep from WinGrep.
If you use
grep -Rn 'bad stuff' *
it will also give you the line number on which the bad stuff is found in each file.
Keep grepping for corrupted files and cleaning until you have a clean copy of your website.
Next check with all the content management systems you are using for updates. Very likely there has been an update to whatever software was hacked. Upload new, clean copies of the blogging, photo or other software. Then upload your cleaned files and restore your cleaned databases.
Download everything and check again to make sure you were not re-infected.
Now if you can run cron jobs on your webhost you will want to run the following script daily
find . -type f -mtime -1 -exec ls -lt {} +
And have it email you the results. This will send you a list of every file that has been changed in the last 24 hours. This way you can keep a close eye on your site until you are sure everything is locked down and secure.
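A daily report along these lines, as an added example that is not part of the original post. It lists files by modification time as described above and goes one step further by comparing SHA-256 hashes against the previous run, because a modification time can be reset after a file is altered. The function names, the state-file location and the use of sha256sum are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): daily change report for a web root.
# Assumes sha256sum is installed; on macOS substitute "shasum -a 256".

# Files modified in the last 24 hours, newest first.
recent_changes() {
    find "$1" -type f -mtime -1 -exec ls -lt {} +
}

# Sorted "hash  path" manifest of every file under the web root.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Compare two manifests and print ADDED / CHANGED / REMOVED, one path per line.
# sha256sum prints 64 hex digits plus two separator characters, so the path
# starts at column 67.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))       print "ADDED   " path
            else if (old[path] != $1) print "CHANGED " path
            delete old[path]
        }
        END { for (p in old) print "REMOVED " p }
    ' "$1" "$2"
}

# Cron entry point. Keep the state file outside the web root so that a
# compromise of the site cannot rewrite the baseline.
daily_report() {
    root=$1; state=$2
    echo "== Files modified in the last 24 hours =="
    recent_changes "$root"
    echo "== Content changes since the previous run =="
    snapshot "$root" > "$state.new"
    if [ -f "$state" ]; then compare_manifests "$state" "$state.new"; fi
    mv "$state.new" "$state"
}

# Example (constructed paths): daily-report.sh /var/www/site /var/lib/site.sha256
if [ "$#" -eq 2 ]; then daily_report "$1" "$2"; fi
```

Run from cron, the script's output is mailed to the address set in MAILTO.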
And remember you can’t have too many backups.
More information:
Know your enemy: web application threats
Tags: security · things you should know
I’ve been using this theme on my websites long enough that it’s been tweaked and gotten crufty and it’d be a major pain to change it.
But I really like the new image gallery browsing in WordPress 2.5.1.
Turns out all you need to do is to add one file, 'image.php', to your theme. You can download image.php.txt and just drop the .txt off it. Upload it to the directory of your current theme. It should work on all themes.
Example: BirdsTX
Or just cut and paste the text below into a file named image.php in your current theme directory.
<?php get_header(); ?>
<div id="content" class="widecolumn">
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
<div class="post" id="post-<?php the_ID(); ?>">
<h2><a href="<?php echo get_permalink($post->post_parent); ?>" rev="attachment"><?php echo get_the_title($post->post_parent); ?></a> » <?php the_title(); ?></h2>
<div class="entry">
<p class="attachment"><a href="<?php echo wp_get_attachment_url($post->ID); ?>"><?php echo wp_get_attachment_image( $post->ID, 'medium' ); ?></a></p>
<div class="caption"><?php if ( !empty($post->post_excerpt) ) the_excerpt(); // this is the "caption" ?></div>
<?php the_content('<p class="serif">Read the rest of this entry »</p>'); ?>
<div class="navigation">
<table><tr>
<td><?php previous_image_link() ?></td>
<td><?php next_image_link() ?></td>
</tr></table>
</div>
<br class="clear" />
</div>
</div>
<?php comments_template(); ?>
<?php endwhile; else: ?>
<p>Sorry, no attachments matched your criteria.</p>
<?php endif; ?>
</div>
<?php get_footer(); ?>
Tags: wordpress template
I started using Awstats to track website activity. It came with cPanel and does a nice job.
However it was tracking my IP number as well. So I read the Awstats directions which tell you to put your *.conf file in your /etc directory. That doesn’t work. You must put your *.conf file in /tmp/awstats.
Ok so we got that far but every night the *.conf files were overwritten by Awstats removing the
SkipHosts="111.111.111.111"
entry.
It turns out you must also change the file permissions to 0444 to prevent Awstats from overwriting your file each night.
So
1) Edit your config file and change the SkipHosts="" to contain your IP number
SkipHosts="111.111.111.111"
2) Put this file in /tmp/awstats
3) Chmod the file to 0444
Tags: how to