Rev. Voodoo

Well, recently after doing some major upgrades on the theme here on my blog, I tried to port the theme over to the shop.  It didn’t work so well, seems I can’t get the path info quite right on some special items using a routed subdomain.  So I looked into some solutions, and dreamed up a pretty good one.  With WordPress’ recent release of 3.0, lots of cool things became available….custom post types, better taxonomy control, etc.  So I decided to sit down and see what I could accomplish.  After a few hours of coding I’m pretty happy with the outcome.  So I’m incorporating the shop right here on my personal site.  That gives me even less sites to take care of, which is very cool.  So now we have my blog, the forums, and the shop all wrapped up here on www.rvoodoo.com.  The shop isn’t open yet….you can play around, but not buy anything yet.  I’ll open the doors real soon here.

Join the forum discussion on this post

You may not even be able to tell, but the VoodooEmpire3 WordPress theme that is used on this very site is very near to completion after a fun day of coding.  The integration of many new features was seamless!  Everything looks the same, but it doesn’t have to anymore!  We’ve added a full featured admin menu onto the theme.  You can now swap out the background, the header image, the footer image, all the icons in the footer, all the links in the footer (including the copyright info), you can specify default thumbnails to be used in titles and posts if no ‘featured image’ is selected, you can swap out RSS feeds for a feedburner feed, you can even upload your own ttf or otf fonts and then assign them to various areas of the site.  Plus, if you swap out the header for your own, you can specify a new logo to drop on, and give it a link.  The only thing left to do is graphical.  We want to give you choices!  So soon, you will be able to pick from a variety of colour schemes!  And you can do this all from a menu system, how cool is that?  Just keep your eyes out for the official release of the theme, coming soon!

Join the forum discussion on this post

Here it is, the official announcement…. head to your dashboards and get your upgrade on!  Or if you prefer, do the manual by downloading here.  However you do it, it’s time to upgrade.  WordPress 3.0 is out!  No reason to wait, why have an insecure blog that misses out on so many great features?  This site was upgraded in seconds without a hiccup.  Time to finish upgrading the rest of the sites around here.  Don’t forget to keep your eye out after upgrade, many plugins and themes will be upgrading over the coming days.  And if you like to do your own themes, well you may have some work ahead of ya!  I know I’m about to dive into the new menu system right now!

Join the forum discussion on this post

Well, we’ve had the wordpress twitter tools plugin installed here for a long time.  Ever since it was installed, it’s only ever half worked.  And that was fine really.  All the posts from here were sent to Twitter, which got them to Facebook, and that was all cool.  The plugin also had an option to create a weekly or daily digest of all our tweets and auto post them here.  That feature never worked, and I didn’t really care too much.  That is until recently.  I haven’t been tending to the site too much the past week or so, and I logged on here to discover the plugin had gone crazy, and there were a tonne of posts up here.  I went ahead and cleaned up the numerous duplicate posts, and adjusted the settings…..it’d be pretty cool if the plugin ends up working perfectly now.

Join the forum discussion on this post

Well, been working on the finishing touches here at The Voodoo Empire.  You are looking at the final product.  We wanted to get the theme finished before the release of WP3, which will start the process all over!  Already in the plans are a new menu system for just under the header.  The one in place (the internal WP text links, not the external image based nav) is a bit dated, but WP3 is going to have a new menu system, so we are waiting to overhaul that.  We just refinished overhauling the sidebar, and touching up just a bit of the typography…things like spacing in the titles, leading caps, etc. 

But as far as WP2.x goes, we’re going to consider this a final theme.  It’ll stick around here a while finally.  This is probably the 3rd major theme change, with countless edite to themes and verious overhauls.  But we’ve finally got things pretty much where we want them.  Hope ya like it!

Join the forum discussion on this post

Well, we’ve decided to make the leap.  In trying to simplify my life….I’ve decided to switch over all of The Voodoo Empire’s online assets to being WordPress based.  It’s just what I understand better.  I was having too many problems with the previous forums….and once I did get things fixed, I realized it was too hard to keep relearning various pieces of software.  I know WordPress well enough to be able to fix any trouble….and its user friendly, and just plain works.  I’m pretty active in their support forums trying to help folks whenever I can, and I know I can get the help there I need if I ever do!  So here we have it, The New Voodoo Forums.  The theme isn’t totally complete yet, I’m pretty busy at work…..when I get some time, I’ll finish it up, but it looks pretty good now, and definitely works great!  Hope you enjoy!

Join the forum discussion on this post

I have received some requests from WP users about how exactly to use access logs to track down rogue php files on their server which can be used to reinfect their blogs after they thought they were nice and clean.  This write-up is from my experience using Godaddy as a host, but the process would be nearly identical on any host where you have access to your access logs.

I unfortunately did not save a copy of my access log from when I was hacked.  However, I can try to describe a bit better what I did/found.  I had never seen an access log before being hacked either, and so it was a bit daunting.  But here is what I found. 

First off, here is a sample line from an access log (This is a legitimate log entry, not from a hack….I’m just using it to try to explain what you are looking at a bit):

208.106.281.6 – - [01/Mar/2010:02:26:53 -0700] “POST www.rvoodoo.com/empire/wp-cron.php?doing_wp_cron HTTP/1.0″ 200 0 “-” “WordPress/2.9.2; http://www.rvoodoo.com”

So that’s a possible line from an access log.  First in that line is an IP address (208.106.281.6) you can kind of ignore that for now, it’s not important to this investigation.

Next up, we have the timestamp ([01/Mar/2010:02:26:53 -0700]) this is pretty important, it’ll help you match things up, I’ll explain that in a minute

Next up, the method (POST), it’ll be HEAD, POST, or GET……frequently for a hack, you are looking for the POST method

Then we have the url of the file being affected (www.rvoodoo.com/empire/wp-cron.php?doing_wp_cron ) – this is important, helping us find things which I’ll explain momentarily

Then there is this stuff between the urls, which isn’t so important for us, its user agents and whatnot (HTTP/1.0″ 200 0 )

And finally, the second url, (WordPress/2.9.2; http://www.rvoodoo.com) this tells us which file is doing the action, it’s also important…..this could point to your rogue file if you have one

So now you have a pretty basic understanding of what the lines in your access log look like, and how to read them…..how to use this info to investigate for rogue files?

It’s pretty simple really.  When your files get hacked, some code is added to them…..well, when  that happens…the timestamp of the file changes in your godaddy file manager.  So, find a file that has been hacked.  Check the timestamp.  Now, open your access log for that date.  Cross reference in your access log for the time and date that your hacked file was changed.  Especially look, at that date and time, for any requests using the POST method.  Then, in the first url find the path to your file that was changed.  When you find the url to the file that had been changed, take a look at the second url in that line of your log.  The second url will be the path to the file which was used to change the hacked file.  For instance for me it was (http://www.rvoodoo.com/shop/includes/products/2008/06/images/settings.php).  This file is totally outside of my WordPress install, but it was accessing my WP install for some reason.  When I went to that folder and took a look at the code from that file from within Godaddy’s file editor, it was just a bunch of gibberesh.  So I deleted the file, and along with the other cleanup steps in the reading links I provided, that took care of my problem!

Hopefully this can help you track down whether or not you have any rogue files sitting around, or at least give you a bit of a better understanding on how to use your access logs!  Good luck!

Join the forum discussion on this post

Seems like more and more, I see people having a terrible time with their WordPress installs being hacked.  While I’m no expert on the internets, or security, or anything like that….I did suffer through 2 rounds of attacks here on The Voodoo Empire, and recovered fully….and learned a lot.  So here is the process I went through.  The first time I wasn’t thorough enough, and that is how it happened again.  I’ve been clean for months now, after doing things properly the second time.  Before I describe my process, here are some great reads that pretty much set me straight and got me going on the cleanup process.

• http://codex.wordpress.org/FAQ_My_site_was_hacked
• http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

These got me going through the cleanup process, and one other good link, after you get everything cleaned up:

• http://codex.wordpress.org/Hardening_WordPress

So that’s the required reading out of the way….now onto my process.

I first noticed some gibberesh (the base64 stuff) showing up in my theme’s files when I went in to do some editing.  It had been months since I had worked on my theme, so who knows how long the spam had been in there.  I deleted all the rogue code from all my theme’s files and thought I was golden.  Until it showed up again, I layed the find and delete game for some time…..but it kept coming back.  Then I started to dig around some more…..The Voodoo Empire has 5 WordPress installs, and at the time we had Drupal, Joomla, ZenCart, MediaWiki, and many other software packages.  This totals up to a few thousand php files on the server.  Each and every php file had the base64 stuff in it.  So next up, every php file was either cleaned, or replaced.  I thought I’d had it beat.  A month later it was back.  I’d developed the habit of viewing my source code from within my browser each time I visited my websites now to look for bad stuff.  But this time, even though there was spam in my source code, there wasn’t any files altered.  So I dug and dug, and finally found a php file that didn’t belong buried about 4 level deep.  It was inserting spam links.  I deleted it and thought I was good.  But alas, it was too good to be true…..soon, all my php files on my server got altered again.  This time though, I did some research and finally cleaned up properly.

First thing I did was change all my passwords.  FTP, WP (and all other programs), all DB passwords, etc.  After I changed all my passwords, I took a look at one of the files that had been altered, and checked out it’s timestamp.  My host (GoDaddy) offers server access logs to peruse at my leisure (if you’ve never seen an access log, they are scary).  I had no idea what was in a log, I’d never seen one, but I decided to dive in.  I checked my access logs agains the times that the altered files had last been changed and found that a rogue php file buried way deep in the 2008 uploads folder of a different WP install was affecting my main WP install.  Upon further investigation, I found another rogue php file that was altering my other files.  So I deleted the rogue php files.  I then reinstalled every single software package on my server.  Then I went in and manually cleaned the rest of the php files that didn’t get replaced (WP theme files, wp-config file, etc).  After that it was on to plugins.  I deleted all plugins and installed from clean downloads.  So now every php file on my server was accounted for, and clean.  No rogue php files existed anywhere.  No rogue code was added on to any of my existing php files. 

It was time to finish thing up….on to the database.  I manually scanned through exports of my database looking for any suspicious code that I found, and ran some basic sql queries on my existing database looking for suspicious code, and got my database all squeeky clean.  And now, with everything nice and clean, I changed up all my passwords once again.

There you have it!  My long and painful travel to a clean WP.  Keep everything up to date, WP installs, themes, plugins, etc.  Check your source code often. Maybe install some of the various security plugins that are out there (none of them stopped my attacks, but they do have a use).  And if you do get hacked…..be thorough.  If you are not, you are just wasting your time!  Remember, server access logs can be your friend!  Hopefully you can avoid being hacked, if you are reading this because it happened to you, I hope I helped you just a little, be patient, be thorough, and good luck!

Check out my post here if you are looking for more information on rogue files, and using your access logs to find them.

Join the forum discussion on this post