Dave’s not here

Frank Zappa once defined rock journalism as “people who can’t write, interviewing people who can’t talk, for people who can’t read.”

I think there’s a related phenomenon for bloggers who blog about blogging, and so I try to avoid that.  Today’s an exception, though if you don’t have a blog of your own you can skip and come back another day.  (I’m nearly ready for another post on Ten Steps to Complex Learning, which has taught me that “step” is a very flexible concept.)

Wired, but not in a good way.Sometime on Sunday, my blog was hacked.  And really hacked–more that a dozen of the behind-the-scenes files were altered, with code inserted in them that ended up taking orders from a server in Latvia.  (There are over 600 files that make up WordPress–a lot of scenery to hide behind.)

At least on my own computer, that led to random redirects: I’d click a link in Google and jump past the target to some crummy aggregation site, from which I’m sure hacking-through-Latvia folks were getting reimbursement.

I found some other malware on my own computer, though I don’t know if it’s connected to the blog hack or just a depressing coincidence.  As a result, I’ve spent the best past of two days doing search-and-destroy (or search-and-feel-befuddled), along with a lot of testing and attempts at cleanup.

This is the dark side of the networked, interlinked world: we take our tools for granted, the way we don’t think about counterweights in elevators or the airframe on our flight to Dallas.  And the confluence of complexity with multiple vendors and extreme specialization means that when things go wrong, it’s damned hard to figure out where, let alone how to resolve it.

Like this advice:

The easy way to [protect your MySQL database] is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server’s document root (and thus not accessible to surfers of your site).  Then, refer to the file in your PHP code with a require_once command.

I actually understand about 85% of that, which is more than I can usually say for household wiring.  Still, it leaves me pessimistic; working with PHP code is like working with that wiring, where I’m thrown as soon as I find three wires rather than just two (and, no, I’m not counting the ground wire).

Caveat blogger.

CC-licensed wiring photo by playbeasy.

3 thoughts on “Dave’s not here

  1. After another frustrating day wrestling with formatting a website, I read your blog and really felt for you. And I understood 0% of your protective measure;->

    My sympathy! Hope you get it sorted out soon.

  2. Thanks, Joan. I’m not the only person this has happened to–you and I have some mutual friends who ran into something similar earlier this year.

    I once had a car subject to complete discharges of the battery. It was in the shop more than some of the service guys. Try this, replace that, test the other thing.

    This is similar, with the complication that I only know enough about the wiring to know how little I understand.

    This isn’t a good time for this (when is?), and so I’ve taken the short route–thanks to my backup paranoia, I have a copy of my WordPress files from before the breakin. I’ve restored those, though in my example that’s like putting in a new battery…until I do something more detailed, it could get drained again.

  3. Kia ora Dave!

    And ouch! I empathise and sympathise. Though it’s never happened to my blog, it happened to my PC.

    Might it be a case of caveat emptor?

    Catchya later

Comments are closed.