Archive for the “Webmaster” Category

Within my two years of JS programming I have seen some weird things about browser behaviour, but the one I discovered yesterday tops them all. Some JS class uses the document.createElement function in its init function. The script works fine built into one website, even with IE. But when the script is added to another website, IE complains that document.createElement isn’t supported by this object. An alert directly before the call is executed shows:
function createElement() {
[native Code]
}

But it still doesn’t work in IE.
Has anyone ever encountered that problem? I’m currently missing a solution, except trying to create the HTML node manually.


Tags: document.createElement, IE, Js


I’m proud to announce that the latest version of PhBad Behave is now available. The changes are quite minor and are limited to the updated Bad Behavior script version, which is now 2.0.12. With this version some possible problems on web servers with PHP5 should be gone, as should the latest problem with locking out legit users from the backend (or in general). Delicious is also no longer blocked by Bad Behavior, but that shouldn’t be much of a problem for a forum even if it were.

You can get the latest version, as usual, here.

One last point I want to mention: I’m planning to stop support of PhBad Behave for phpBB 2, as the latest version of phpBB is already available, which offers a lot more features and security. Therefore I recommend everyone to switch to phpBB 3. Anyway, it may be possible that I release some newer version of PhBad Behave if I think it’s worth the time.

Tags: Bad Behavior, Update


Problems

I just checked my blog today and what did I notice? At first my template was set back to the default one; I don’t know what caused that, but most likely it has the same cause as this MySQL error:
WordPress Database Error: WordPress isn’t able to create the following temporary SQL file #sql.2076.txt
or something like that was the message. I was surprised, and I had no clue what the cause was. So I started a search on my server to find some tmp folders, and luckily I found some. I changed to the /tmp dir, and there was already a #sql file in it. After I dropped the file everything was working fine again. This issue was most likely caused by the latest server restart; maybe it was restarted after the file was created but before the file was dropped again. At least that would explain it for me, as the file wasn’t there any more even after several visits to my website.

New WP version

Since yesterday there’s a new WordPress version of the latest trunk available; version 2.3.2 fixes a possible XSS attack, and several information leaks are closed as well. One of the biggest (positive) surprises is that WordPress error messages are now only displayed if your blog runs in WP_DEBUG mode, so by default it’s no longer so easy to gain information about your database structure in order to perform successful SQL injection attacks on your website.

So anyone who already runs WP 2.3 should upgrade to the latest release in order to have the best possible protection. Everyone who uses an earlier version should run BlogSecurity’s bs-wp-noerrors to have this feature as well.

Download WordPress 2.3.2
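To illustrate what the WP_DEBUG gate changes, here is an added example of the same pattern in plain PHP; it is not code from WordPress core or from bs-wp-noerrors. It assumes a WP_DEBUG constant as defined in wp-config.php, a server-side error_log() sink, and a constructed sample query and error message:

```php
<?php
// Added example, not WordPress core or bs-wp-noerrors code: the pattern that
// WP 2.3.2 applies to database errors, written stand-alone for a CLI run.
// Assumptions: a WP_DEBUG constant as in wp-config.php and error_log() as sink.

if (!defined('WP_DEBUG')) {
    define('WP_DEBUG', false); // production default: never show internals
}

/**
 * Turn a failed query into the text that may be shown to the visitor.
 * The full detail (SQL text, table and column names, server message) is
 * always written to the server log; the browser only sees it in debug mode.
 */
function report_db_error(string $server_message, string $sql): string
{
    // Keep the complete record where only the administrator can read it.
    error_log(sprintf('[db-error] %s -- query: %s', $server_message, $sql));

    if (WP_DEBUG) {
        // Developer mode: show everything, as the WP error output does.
        return "WordPress database error: {$server_message}\n[{$sql}]";
    }
    // Production: nothing that reveals the schema or the query structure.
    return 'A database error occurred. Please try again later.';
}

// Constructed sample of what a broken query would produce.
$sample_message = "Unknown column 'comment_karma' in 'field list'";
$sample_sql     = "SELECT comment_karma FROM wp_comments WHERE comment_ID = 12";

echo report_db_error($sample_message, $sample_sql), PHP_EOL;
```

Run it once as is and once with define('WP_DEBUG', true) at the top: the log line is identical in both cases, only the text handed to the visitor changes, which is exactly the difference between leaking the column and table names and not.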

Tags: BlogSec, release, Security, Wordpress


The last few days I had problems entering the backend of my WordPress account. I just read what the reason was.
Michael dropped some blacklist from his server, so every checked IP was reported as a bad one and therefore blocked, including legit users and the site owner as well. I fought that problem by disabling the plugin, as I wasn't able to locate the reason for the problem.

Anyway, I just read a post where the cause is explained and where a new version is made public which fixes the problem. Most likely it will influence the usage of phBadBehave as well (although I can't verify it, as I don't run any phpBB 2.x board anymore). Although I planned to stop support for phBad Behave, I'm releasing another version which will fix the problems, but that will most likely be the last version for phpBB 2.x.

As phpBB 3.0 is now finally available, I'm starting the official work on the Bad Behavior port for this version; I hope that I can release a first version soon. But as I'm currently quite busy with my studies and other stuff it could take a while, but I'm optimistic.

Tags: Bad Behaviour, phBad Behave, release


Ever got comments you don’t understand because they’re in some language you’re not able to speak? Ever asked why someone writes a comment in Russian to some post which is, let’s say, written in English, German, French or whatever? (At the same time I want to note that I don’t talk about comments made to some .de, .fr or .ru blog in the corresponding language, where the owner of the blog is able to speak that language as well. There a commenter could believe it would be better to write in their native language, as possible misunderstandings could be avoided because of better knowledge of this language.)
What could be the reason to behave like that? In general they should be able to write some basic text in English, German or French, as it seems that they’re able to read the text well enough to add their own comment/opinion. So why don’t they do so?

Let’s try to get behind the reason. In the following I’ll show you how I handle comments in languages I don’t understand, with an example I received the other day:

The Comment

So let’s take a look at the given comment (to avoid contributing to this spammer/hacker, I replaced some data):
1000 форумов 2 доллара 5000 форумов 8 долларов 10000 форумов 13 долларов 50000 форумов 50 долларов
Бонус предложение для тех кто закажет 20000 форумов через неделю повторная отправка
Рефпредложение: человек который приведет мне клиента будет получать 10% от заказа клиенка!!!
Обращаться в асю 3пять3-8шесть7-0ноль1 мыло mymail(гав)example.com

That one made me curious, as there are quite some numbers in it, and an additional email is added which doesn’t match the input in the email field. Let’s check that comment by translating it into our native language or some language we understand.

Translating the Comment

In general I can recommend translating it into your native language, as you mostly understand that one best. On the other hand, the chosen translator may not have your language available (or the dictionary is quite limited), or it’s not possible to translate between these languages directly.

You should avoid having the text translated more than once before it’s in some language you understand, as the general problem with automatic translations is that the sentence structure and word choice are not the best. So after two or three translation steps you could end up with some nonsense text (that wouldn’t be better). The best way may be to have it translated into English, and if you don’t understand some English words, have those translated into your native language.

For the example above we would get something like this:
1000 forums 2 dollars of 5000 forums of 8 dollars of 10000 forums of 13 dollars of 50000 forums of 50 dollars the Bonus the offer for those who will order 20000 forums in a week repeated sending Рефпредложение: the person which will result to me the client will receive 10 % from the order клиенка!!! To address in асю 3пять3-8шесть7-0ноль1 soap mymail (гав) example.com
That makes quite a bit more sense now, doesn’t it? It seems that this is the price list for spamming forums; we even see that we get 10% of the profit from something!

Translate unknown words

Now we know quite surely that this is a spam comment, but as you can see we also have some untranslated words, like клиенка (these can sometimes be important), so let’s have them translated as well; don’t we want to know how to receive our 10%?

If you’re using some good translator, you should have the option to have unknown words transliterated into the target language. So for our клиенка we would get something like: klienka, which sounds like client. Let’s guess that we receive 10% of the money the client pays for his contract.

Deciding: dropping or keeping?

Now you should have enough information to decide if it’s a spam comment or a legit one. If it’s spammy it shouldn’t be hard to decide; if it’s a legit comment I advise keeping the initial comment and adding the translation below it. If you like you can also improve the comment, but note explicitly where you made changes!

Some good online Translators

Where can I get my text translated into some other language?
Just search for “translate/translation from-language to-language” and you should find some useful results. A good translator is PROMT, where you’re able to translate some texts as a whole (no word-for-word translations) for some languages, or Babelfish. If you need some words translated into your language, search for a dictionary for the given languages.

Conclusion

As you see, it’s better to check comments in other languages for spam as well (these will often pass the spam filter). If you can’t get the comment translated, it’s mostly better to hold the comment back or to drop it. From my point of view it’s better to have one or two legit comments less than to have one spammy one.

Tags: approve, Comment, Language, SPAM


As spam is a really big problem within the Internet, today nearly no one gets around it. As an Internet consumer (someone who doesn’t offer their own communication platforms) you may not notice that problem too much; maybe you didn’t even really notice it. But it’s definitely a real problem: spam is everywhere.
You get it with your daily emails, as soon as you input your email once into some untrustworthy mailing list or application, and from that date on it will never stop again. If you’re lucky that’s everything where you get into contact with spam; as soon as you own some blog/forum etc. your spam contact will be much bigger. How can I now protect these platforms from spam?

Registered Users only

One option which is widely used is to allow postings only for registered users. This keeps out every spambot which doesn’t have a routine to register on this platform (or to register in general). Additionally, many registration processes require that the email is validated; if that doesn’t happen the account will not be usable. Again that will prevent many spambots from posting spam, as many bots do have some registration routine, but they don’t use valid email accounts and/or don’t do the needed steps to activate the platform account.

What’s the reason that they don’t do this?

Mostly the reason is that there are enough platforms out there which still don’t use such a protection mechanism. Sadly that method may take away some users who would like to post some comment/post but are not willing to create a user account just for one or two single contributions. The reason why they’re not willing to do so (you will mostly know it, as you’ll surely think similarly) is that they’re afraid of getting spammed on their email. And that only because they registered at some small website which delivers their email to some spam mailer.

Fortunately there’s a way to receive contributions from non-members, and that without a big level of spam you’ll have to fight with.

Spam blocking and labeling

One reason wasn’t mentioned explicitly above, but you could read it between the lines. Maybe you, the platform owner, want to catch the users who don’t want to register at your site just for a single post. But this position doesn’t need to be negative for you. There are many solutions out there which are really nice and widely used, so they are proven to work well.

In general I see three different kinds of applications, which mostly differ in what needs to be done by you in future:

Install and take care of it yourself

This kind of software is just installed, then the user needs to add which words will block a user contribution. That kind of blocking was more common in the early days of spam, when no services were available to check messages for spam. You have to take care of the filter list, as the spam messages change regularly. At some point you’re in a dead end: the spam messages don’t contain any words you can block without blocking potentially legit posts. This kind of app isn’t doing too well any more, as spam changes regularly and sometimes doesn’t even appear to a human to be spam at first glance. The mentioned problem is more likely to happen on websites which handle common spam themes like real estate, pharmacy and so on.

An example can be found here for phpBB

Human or Bot Tests

A quite well working approach to decide whether a message is spam or not is to ask for something which is only doable by a human. The best example is the CAPTCHA: the user is asked to type in some letters and numbers from a picture in order to be able to post the message (or to have it tagged as not spam). But you need to be careful: there are already some bots out there which can read early or weak CAPTCHAs. On the other hand there are newer CAPTCHAs which are quite hard to solve even for non-handicapped people (just imagine how hard it would be for handicapped ones). A good CAPTCHA method was developed by Microsoft: you’re given 9 photos of dogs and cats and you have to select only the cats (or only the dogs). The project is called Asirra (Animal Species Image Recognition for Restricting Access) and is powered with photos by Petfinder.com.

Then you have some checkboxes you need to tick if you’re a human (this is nowadays no problem for bots any more, as they fill in every field). Another idea is to ask to calculate two values together through some addition or subtraction. This one is quite hard for them to solve; a newer version of it is to ask some questions which need to be answered.
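As an added example of the arithmetic question mentioned above (not code from the post, from phpBB or from any plugin), here is a PHP challenge whose expected answer lives only in the session, so it cannot be read out of the form the way a hidden field could. $session stands in for $_SESSION so it runs from the command line; make_challenge(), check_challenge() and the 30-minute limit are my own names and choices:

```php
<?php
// Added example, not the post's or any plugin's code: a server-side
// arithmetic challenge for a comment form. The expected result is kept in
// the session, never in a hidden form field, and each challenge is valid once.
// Assumption: the caller passes $_SESSION (here a plain array for a CLI run)
// and prints the returned question next to the comment form.

function make_challenge(array &$session): string
{
    $a  = random_int(1, 20);
    $b  = random_int(1, 20);
    $op = random_int(0, 1) ? '+' : '-';
    if ($op === '-' && $b > $a) {            // keep results non-negative
        [$a, $b] = [$b, $a];
    }
    $session['challenge_answer'] = ($op === '+') ? $a + $b : $a - $b;
    $session['challenge_issued'] = time();

    // Spell the operands out: a bot that just scans the form for digits and
    // an operator sign has nothing to evaluate.
    $words = ['zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven',
              'eight', 'nine', 'ten', 'eleven', 'twelve', 'thirteen', 'fourteen',
              'fifteen', 'sixteen', 'seventeen', 'eighteen', 'nineteen', 'twenty'];
    $verb = ($op === '+') ? 'plus' : 'minus';
    return "What is {$words[$a]} {$verb} {$words[$b]}?";
}

function check_challenge(array &$session, string $input, int $max_age = 1800): bool
{
    if (!isset($session['challenge_answer'], $session['challenge_issued'])) {
        return false;                         // no challenge was issued
    }
    $expected = $session['challenge_answer'];
    $issued   = $session['challenge_issued'];
    // One attempt per challenge: forget it before comparing, so a wrong or
    // replayed answer forces a fresh question on the next submission.
    unset($session['challenge_answer'], $session['challenge_issued']);

    if (time() - $issued > $max_age) {
        return false;                         // stale form, ask again
    }
    $input = trim($input);
    return ctype_digit($input) && (int) $input === $expected;
}

// Demo run with a constructed session.
$session  = [];
$question = make_challenge($session);
$answer   = $session['challenge_answer'];     // what a human would type
echo $question, PHP_EOL;
var_dump(check_challenge($session, (string) $answer)); // bool(true)
var_dump(check_challenge($session, (string) $answer)); // bool(false): replay
```

In a real form you would call make_challenge($_SESSION) when rendering and check_challenge($_SESSION, $_POST['answer']) before saving the comment; a failed check should redisplay the form with a new question rather than a hint about what went wrong.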

Spam labeling as a service

Nowadays you’re served with web services which check your emails/comments. These are used by many users and do catch the latest spam quite fast; every user is able to improve the ruleset, as he can report false positives or spam that wasn’t caught. The best example would be the well-known Akismet.

These services are mostly the future of spam blocking, as your workload is quite low and you have a really good ratio of false positives to caught spam.

Conclusion

Spam has been a really heavy problem for some years and will mostly stay so for another few years, as long as no worldwide anti-spam act is passed so that the spammers can be sued anywhere in the world. But you have had some really good protection mechanisms since the start, and fighting spam was never easier than with services like Akismet. Don’t belong to the people who lose time and money through spam. Fight it, you’ll not regret it!

Tags: fight, SPAM


I never thought about such a step myself, maybe because I never encountered such a thing up to now.
But if you run your own webspace you should never steal anyone’s content or bandwidth. As soon as they notice it you can get into some real problems; maybe they start a lawsuit against you (you maybe ignored some copyright laws, you caused some additional costs for them (bandwidth)). What happens if they simply replace the content or redirect your website to something which harms your visitors, or blames you?

In the following WordPress topic you can read that someone linked to some JS of Website_A. This JS is the output of some publicly and freely available WP plugin; the JS code even mentions that it’s generated by some plugin. But somehow the owner of Website_B was too lazy, or wanted to save some bandwidth, so he simply linked to this JS file on Website_A.
After the owner of Website_A recognized that someone was stealing his bandwidth he created a mod_Rewrite rule which redirected the request for this JS to some other JS file, which contained an alert box that appeared in front of the visitor and told him that this website steals some traffic from another one. After one month the owner of Website_B discovered that JS change and removed the JS.

But it’s important to say that theoretically the owner of Website_A could have written any JS code into that file. So he could steal some cookies of the users of Website_B or do anything else he would like; he could even start some phishing attack.
The owner of Website_B made his website vulnerable because he was too lazy to get the script himself.

Every good webmaster/site owner does not steal any content, as this is unethical and, maybe more important, dangerous!
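The post describes the mod_Rewrite rule only in prose. As an added example that is not the configuration from the WordPress topic, here is an Apache .htaccess fragment that denies hotlinked requests for .js files instead of serving them; example.com is a placeholder for your own hostname, and the rules assume mod_rewrite is enabled for the directory:

```apache
# Added example, not the rule from the WordPress topic: refuse to serve .js
# files to pages hosted elsewhere. Assumes mod_rewrite is enabled and this
# sits in the site's .htaccess; replace example.com with your own hostname.
RewriteEngine On
# Let requests without a Referer through (direct visits, some proxies, feed readers).
RewriteCond %{HTTP_REFERER} !^$
# Allow your own hostname, with or without www, over http or https.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Any other page that embeds one of your scripts gets a 403 instead of the code.
RewriteRule \.js$ - [F,NC,L]
```

The Referer header is sent by the visitor’s browser and can be missing or altered, so this only stops the casual hotlinking described above. It does nothing for the other side: whoever embeds a script from a host he doesn’t control has handed that host the ability to run code in his pages, and the fix on Website_B’s side is simply to host its own copy of the script.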

Tags: mod_Rewrite, Steal, Webmaster, Wordpress


There’s currently some discussion ongoing whether WP 2.3 should send your plain URL to WP.org (while checking for newer versions of the plugins you use) or not.
I would like to mention one alternative, and at the same time I’ll cover some of its shortcomings as well.

WP-Plugins DB

The WordPress Plugins DB is quite new, but already a big resource for plugin versions. It’s created and managed by Sugan Shan. You need to install an additional plugin from the website in order to use it; you can grab your copy here. After you activated that plugin you can have your plugin versions checked for the latest release by visiting the plugin admin page.

Now we already reach a currently big problem of that project. It’s managed fully by Sugan, so if he hasn’t enough time to update the plugin versions, you may think you run the latest version while you don’t. It doesn’t even need to be a lack of time he suffers from; he may simply not know about some newer version of a given plugin. You can also create your own developer account on that website, but it doesn’t offer the features WP.org does, nor what WP-Plugins.org does.
But this fact doesn’t need to mean anything, as the project is quite new, and many exciting features may come with time.

WP 2.3 Built-in

As mentioned above, WP Plugins DB suffers from the lack of some features which are offered on WP.org for plugin developers. Maybe it’s not intended to be anything like WP.org or WP-Plugins. So you can’t keep track of your plugin downloads and you’re not able to compare them with your competitors. But the plugin doesn’t send anything home except your plugins’ names and versions, and mostly that data isn’t even stored, whereas WP.org does store your URL as well, in plain text. So that may be the biggest pro for that plugin. Matt doesn’t even know what these URL data could be useful for, so why doesn’t he add that step when it would be needed (or at least useful)?

How to get rid of it

So if you don’t like to have your blog URL stored on WP.org and don’t want to use that function at all, you can disable it by making a change to one WP core file. The file you need to edit is wp-admin/includes/update.php.
After you opened the file, move to this line of code (line 43 in WP 2.3):

function wp_update_plugins()

Now add this line directly after it, as the first statement inside the function body, so the function exits before contacting WP.org:

return false;

Save the file. Now your blog doesn’t use the update checker from WP any more (as long as you apply the change to every newer version of that file).

If you only want to prevent it from submitting your real blog URL, change this line in the same file (line 85):
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
To something like this (note that the CRLF stays in a double-quoted string, otherwise PHP would send a literal backslash-r-backslash-n and the statement as written with mismatched quotes would not even parse):
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; http://example.com' . "\r\n";

Why WP suffers too

Anyway, the WP.org repository of plugins isn’t anywhere near a complete snapshot of all WP plugins out there, as only plugins which are released under a GPL-compatible license get added.

And even that isn’t a guarantee of being added.
So it may be that you are better off using the WP-Plugins tracker than the built-in WP function.

Conclusion

So as you see there’s no perfect solution currently available which covers every area fully. But from my point of view the WP-Plugins DB is the better way, as everything can get added, regardless of which license it’s published under or whether there’s a commercial Pro version of it. And why should security checking stop at borders like license or money?
As the Plugins DB isn’t perfect in its current state, we may need to use both versions in order to keep track of our plugins and security.

Update: I just found these plugins which disable the core update and plugin update functions.

Tags: Auto Update, Phone Home, Plugins, Security, Wordpress


I just noticed by checking some parts of WPIDS that it also blocks some spam entries from getting posted to your website. As PHPIDS checks for unsanitized HTML tags within the strings, it rejects these requests. The only problem is that this applies to legit comments which contain allowed XHTML tags as well. Let’s see, maybe we can get around that problem. Anyway, a nice feature, and when no XHTML tags are allowed within your blog it’s even better, as it then only blocks spam comments :)
One thing which is for sure is that Akismet has a bit less to do than before :)

Tags: Akismet, PHPIDS, SPAM, WPIDS


It took me ages to get my server updated to PHP5. I’ve tried multiple ways to get it working, including compiling the sources myself (yeah, I’m quite new to Linux and its install behaviour; blame me if you like, but I like the easy way, not the hard one).
But I got none working until I found this post today; it’s quite short but totally enough. I’ve got everything I need to run PHP 5 now.
Ok, it wasn’t exactly as stated in the post: I had to install php5-mysql as well to get the database running again, and I didn’t need to create softlinks to php5.conf & php5.load, but it still was quite easy, no need to compile the source code yourself.
With that post I’m adding a new category “Webserver” as well, where I take notes publicly for everyone, but mostly they’re for my personal usage in case I should need them again.

Tags: Debian 3.1, dummies, install, PHP5

