1)  If you haven’t already, download and install VirtualBox.

2) Download the Askozia disk image that you want to use. I’m using the latest Linux port release at the time of writing (r1161)

3) Uncompress the image, and then convert it to a Virtual Disk Image

gzcat askozia-pbx-generic-pc-x86-i486-uclibc-r1161.img > test.img
VBoxManage convertdd test.img test.vdi --variant Fixed

4) Load up VirtualBox and create a new virtual machine. Use whatever name you want, and select “Other” as the operating system. Allocate some memory (I used 256MB), and then choose the virtual hard disk that you created in the previous step as the boot hard disk (primary master). Click Finish.

5) Select your new virtual machine and go to Settings > Network. Specify Intel Pro/1000 MT Desktop, Bridged Adapter, and then en0: Ethernet in the three drop down boxes. Click OK to save. This will join the virtual machine to the same network as your host machine is on. We have DHCP configured on our network, so the virtual machine should pick up an IP address from that.

6) Start your virtual machine.

Once the virtual machine has loaded it should tell you what IP address it has been assigned at the terminal. You can then access the control panel from a web browser by going to that IP address using admin/askozia as the login details.

In this post I am going to look at ways you can tell if your blog has been hacked, suggest some ways to fix it, and then discuss techniques to prevent being hacked again.

Before we start, the most important thing you can do to prevent being hacked in the future is to regularly update your blog software. The easiest way is to use subversion. I’ve written how to upgrade your blog with subversion in an earlier post.

Symptoms

So firstly, you’ll probably want to find out if your blog has been compromised. There are a few things to look out for:

Unauthorised Admin Users

Disable JavaScript in your web browser, then navigate to the Users page in the WordPress admin panel. If you see some additional administrator users there that you didn’t expect, you have probably been hacked. They sometimes use an e-mail address like www@www.com

Strange Files in the Uploads Folder

Strange files may also appear in your WordPress uploads folder, including ones that have hidden PHP code inside them (try grepping for “events or a cale” or php).

grep -R -l "php" wp-content/uploads/

The files might have random names like:

faceboutique-spot-less-150×150.bak.php
mandseyeshadowpalette.bak
cliniqueblusher_old.jpeg
.wp-cache.cache.php

The uploads folder is writeable by apache, so hackers use this area to save malicious code to your server. They may then include such code as a plugin.

Strange Records in the Database

Check for suspicious data in wp_options by running the following queries:

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE 'active_plugins';

Hackers use the plugin system to include their rogue scripts. You may see some strange files being listed as a plugin. You can delete this row and manually re-activate any plugins via the admin.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  'permalink_structure';

This will show you the permalink structure – the most recent vulnerability modified this so look out for anything abnormal.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  '_transient_rewrite_rules';

You can delete this row if it exists (it should be rebuilt dynamically)…. it may contain cached

SELECT *
FROM wp_posts
WHERE post_content LIKE  '%iframe%' OR post_content LIKE  '%noscript%' OR post_content LIKE  '%display:%';

This will look for posts that contain iframes, or hidden links.

Fixing a hacked WordPress Installation

The cleanest way is to re-install WordPress, re-import your posts and comments via the import tool and then to copy in any files that you know are safe…

• Back up your database and site code.
• Export your posts, comments, tags and categories in a WordPress WXR File (Tools – Export).
• Set up a new mysql database, username and password. Ensure the user only has access to the WordPress db.
• Install a fresh copy of the latest version of WordPress (with the correct permissions), and configure it to point at the new db.
• Delete any files that include PHP from the uploads folder.
• Import your posts, comments etc from the WordPress WXR XML file. There is an option to get WordPress to fetch image uploads, but I haven’t had that much luck with this. To get it to work, you will need to install your new blog in a parallel location so that it can access the old blog. When I tried, it seemed to grab the files, but not update the location urls in posts, thus requiring a script to update the urls in the db. Instead, you might find it easier to just copy your uploads folder across – but they won’t then show in the media gallery. Neither route seems ideal!
• Re-install your themes and plugins.
• Move the old blog to a location outside your web root as a backup, or delete it all together.
• Set up new WordPress users with secure passwords.

It’s not a fun job!

Securing WordPress

• Ensure you have the right permissions set on your WordPress scripts. Only the uploads folder should be writeable by the web server.
• Use a separate database, db username and db password for WordPress.
• Add an additional layer of authentication above the WordPress admin area, e.g. http authentication in Apache. NB: When I did this, it seemed to stop uploads from working with the flash uploader (gave a HTTP ERROR), so I had resort to using the basic browser uploader.
• Some people also recommend removing the default “admin” user, and setting up an administrator with a new name – to make it harder to brute force crack your passwords.

Further Information

Here’s some of the pages I read while researching this article….

• http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/
• http://groups.google.com/group/google-reader-troubleshoot/browse_thread/thread/39a7eef288c65dd0/c057b39d2f6e7455?pli=1
• https://support.mayfirst.org/ticket/2291
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• http://www.teohuiming.name/blog/wordpress-exploit
• http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

We’ve also released this as a wordpress plugin. You can install it via subversion if you prefer using the instructions below.

Installing the WordPress Plugin via Subversion

From the command line, navigate to your WordPress plugins folder and then edit the svn externals for the folder.

cd wp-content/plugins/
svn propedit svn:externals .

This should open the file in your favourite text editor (I use vim). You should add a line like:

futube http://svn.wp-plugins.org/futube-video-player/trunk/

Save and exit, then run:

svn update

At current prices, an installed 2 KW PV system costs around £12,000 (£6 per installed watt), and it’s estimated you would save / earn around £830 a year with the new subsidy (15 year pay back, 6.9% return). There is also currently a £2,500 grant available (expiring April 2010) which would bring the overall cost down to £9,500 (12 year pay back, 8.7% return).

This estimates are based on electricity costs of 13.95p / KWh (which is also roughly what I am currently paying with EON on their online saver tariff once you’ve averaged out the various rates and daily fees).

It’s very likely that over time electricity prices will rise, especially in the UK where we have not built enough capacity to replace our Nuclear plants as they shut down. As prices rise, the effective ROI will increase, but for this to become really popular I think we need to see returns of closer to 20%.

The government is also considering green mortgages, where you would be lent up to £10,000 to make energy efficiency improvements to your house (such as double glazing, energy efficient white goods, insulation), and then this would be paid back via your electricity bills – the cost of which should be covered by the savings you make. The charge would be against the property rather than the owner, and so would be transferrable if you move house in the future.

GovTalk is a set of standards for interacting electronically with government services.

In the future we will extend the class to work with individual government API’s such as Companies House, and HMRC. This will then be used on a number of projects, including our online accounting product, Clear Books.

We welcome contributions from other developers in the community, so if you want to help please contact any of the project admins.

Furnish.co.uk, as it’s name suggests, is a new way to find and buy luxury home furniture online. The site acts as a shop window for a variety of boutique stores and exclusive designers, allowing you to compare a huge range of options in one place. So if you were decorating a new bedroom, and wanted to find the perfect bedside lamp, Furnish.co.uk would let you drill down to the exact style you wanted – you can filter by price, colour, material, and size.

Furnish is aimed at the mid to high end of the furniture market and includes products you won’t typically find in the major high street retailers. They are adding more products every day, and hope to include over 100 stores over the course of the next few months, so keep checking back!

Google Sync 

Here are some of the main things you need to remember to do:

1. Make sure you have enabled Google sync for mobiles in your Google Apps account. From your Google Apps Dashboard, click the Mobile link. Then tick the Enable Google Sync box on the next page and press save.
2. Set up Google Sync on your iPhone to sync calendars and contacts from Google. Basically you just add a Microsoft Exchange account with your google apps login details, and then select calendars and contacts in the syncing options.
3. You must also choose which calendars you want to sync to your iPhone via the Google Mobile website. Visit http://m.google.com in Safari on your iPhone.

iCal

You can set up iCal to subscribe to your Google Calendars via a caldav url. First you add a new account under preferences, and then under the delegation tab you select the calendars you wish to subscribe to.

Sharing Google Calendars 

You can share a calendar with other users in your google apps domain, or external users on other domains. There are various ways to do this such as sending a link to the ical url or sending an invite within the calendar sharing pages on the Google Calendar website.

It’s taken me a while, but I’ve finally found out how to do it!

NB: Before you do anything, make sure you have backed up your phone in case something goes wrong!

1. Download the latest firmware directly from Apple’s Content Delivery Network:
   • iPhone Original
   • iPhone 3G
2. The file may have a .zip extension, if so remove this by renaming the file so that it ends with .ipsw
3. Open up iTunes, and Option-Click the restore button. You should then select the ipsw file you downloaded.
4. Follow the on-screen instructions as it upgrades your firmware.

Warning – do this at your own risk. It may break your phone.

First, download the Yii Framework to somewhere sensible. I prefer to use subversion to check out the code:

svn co http://yii.googlecode.com/svn/branches/1.0 /usr/share/php/Yii

This will take a few minutes. Once it’s done, you can use the Yii Command Runner (yiic) to set up your web application:

/usr/share/php/Yii/framework/yiic webapp /var/www/html/appname

If everything went well, you should be able to access your web app with:

http://hostname/appname/

You should see a screen like the following one:

Configuring

Set up the config script to be able to connect to your database.

/var/www/html/webapp/protected/config/main.php

Uncomment the DB section, and add in your database connection details:

'db'=>array(
			'connectionString'=>'mysql:host=localhost;dbname=http_auth',
			'username'=>'root',
			'password'=>'d2x@1A1!aa!a!',
			'emulatePrepare'=>true
		),

UNFUDDLE

We’re going to be using Unfuddle to provide subversion hosting, project management and bug tracking.

• Create a free unfuddle account, e.g. Bytewire
• Set up your first project e.g. Street Crime
• Create a repository: http://bytewire.unfuddle.com/svn/bytewire_streetcrime/

LOCAL DOMAIN ON OSX

Set-up a local test domain on OS X

• Add it to the hosts file

printf "127.0.0.1\tstreetcrime\n" | sudo tee -a /etc/hosts

• This should now be accessible via http://streetcrime/

MAMP

MAMP is an excellent bundle of Apache, MySQL and PHP for use on Macs. These tools do come pre-installed with Leopard by default, but php in particular is missing a fair few modules which you can only really add by re-compiling – MAMP makes it a lot easier. It installs new versions of PHP, MySQL and Apache alongside the default versions (on different ports), so that both can be run at the same time.

• Download it from: http://www.mamp.info/en/downloads/index.html
• Once you have installed it, you can configure it to work with your local test domains.

1. • Create a folder where the site code will be placed, e.g. /Applications/MAMP/htdocs/streetcrime/http/
   • Open up /Applications/MAMP/conf/apache/httpd.conf with a text editor.
   • Uncomment the NameVirtualHost line, and add a couple of news lines to define the new virtual host. It should look like:

NameVirtualHost *

<VirtualHost *>
DocumentRoot /Applications/MAMP/htdocs/
ServerName localhost
</VirtualHost>

<VirtualHost *>
DocumentRoot /Applications/MAMP/htdocs/streetcrime/http/
ServerName streetcrime
</VirtualHost>

• Restart MAMP through the MAMP control applet or widget. You should then be able to access the site at http://streetcrime:8888/

INITIAL COMMIT OF CODE

• Make the trunk folder inside the repository where your site code will initially be kept.

svn -m '' mkdir http://bytewire.unfuddle.com/svn/bytewire_streetcrime/trunk/

• Check out the trunk to your project top level folder

svn co http://bytewire.unfuddle.com/svn/bytewire_streetcrime/trunk/ /sites/street-crime.com/

• Check through the folder structure and look for anything that should be excluded:

du -h --max-depth=1 /sites/street-crime.com/http/

• Edit the svn:ignore property

svn add /sites/street-crime.com/http/

svn propedit svn:ignore /sites/street-crime.com/http/

• List the files & folders that you want to ignore, and then save and quit.

PSD
gangster-game-forum
gangster-game-wiki
gangster-game-blog
logs
uploads

• Add the remaining files and commit (excluding uploads etc with svn:ignore)

svn add --force /sites/street-crime.com/http/

svn commit -m 'Importing main files'

CHECKING OUT CODE TO THE OSX DEVELOPMENT WORKSTATION

• Change directory to the folder you set up locally for development.

cd /Applications/MAMP/htdocs/streetcrime/

rmdir http

svn co http://bytewire.unfuddle.com/svn/bytewire_streetcrime/trunk/ .

TESTING THE SITE

• Visit http://streetcrime:8888/ – it showed a blank page for me. That would suggest error reporting is off, so enable in /Applications/MAMP/conf/php5/php.ini