## The best chicken article I’ve read in awhile.

Actually this might be the only chicken article I’ve read now that I think about it. It’s long but really good. Did you know the Egyptians “mastered the technique of artificial incubation”? I did not.

Oh, and don’t forget, chickens are basically the descendants of dinosaurs which is awesome.

## Timeline of the far future

On a similar topic to my previous post about the scale of the universe, I’ve been enjoying Wikipedia’s Timeline of the far future for equal amounts of mind-boggling scale. Really, once you hit 1020 years from now the numbers are pretty much meaningless to realistic human comprehension. But when you start hitting the exponents of the exponents? Like 10^10^50 (or to steal Wikipedia’s image: $10^{10^{50}}$)  then all you can really do is quote:

Although listed in years for convenience, the numbers beyond this point are so vast that their digits would remain unchanged regardless of which conventional units they were listed in, be they nanoseconds or star lifespans.

## The Scale of the Universe

I realized I missed posting in April entirely(!), and I don’t like the look of the gap in the archive calendar, so I’m back-dating this entry.

And you need to check this out, a Flash-animated Scale of the Universe that is simply mind-boggling. From the smallest structures known (quantum foam, the Planck length) to the largest (the size of the observable universe), that you can zoom in and out on, and it’s all to scale (relative to the zoom level). The coolest thing I’ve seen online lately.

## Anatomy of a blog hack

So, last weekend I found out that my blogs had been hacked.

Actually, it wasn’t just my blogs, nothing personal involved or anything like that: the shared server space my sites were hosted on was compromised, and a good number of other sites and files were hacked as well. Based on what I can piece together, here’s what happened:

There were a number of sites on this hosting space that were running out-of-date versions of WordPress, and some that also had various other PHP code installed (NetOffice, Gallery 2, a few others). Any software that is outdated is potentially at risk to known exploits, but more worryingly, I found an old bit of PHP code on the server that was set up to run arbitrary PHP code for (I presume) some back-end admin processing, and ultimately I think this was what had been exploited.

And until I had found and killed this code, the exploit happened at least 3 times even as I was cleaning up the server.

The exploit itself, once I knew what to look for, was fairly simple:

• In PHP files that were writable to the Apache webserver process, the code was altered so that any line containing an opening PHP tag (which tells the server to start executing the code after it as dynamic PHP until the closing tag is reached) looked something like this:
From `<?php .....`
To: `<?php     eval(base64_decode('malicious code encoded here')); .........`
• When I copied this code to a sandboxed PHP environment and decoded it, it contained fairly simple instructions:
• If the visitor to the site was coming from a Referrer—in other words, if they had clicked on a link from another site like Google search results, Facebook, someone else’s blog—they were redirected instead to a completely different site that presumably contained spam, or malware, or whatever.
• If the visitor was coming to the site directly—they had typed the URL directly into the browser’s Location bar, or clicked on a bookmark—then they were passed on through to the site.
Because I normally type in URLs to my blogs directly, or click the “recently visited” link in Chrome’s list, I didn’t see the exploit at first. But as I was writing a blog post on The Brew Site on Friday the 20th, I was searching out a link to a previous blog post (gotta love Google for that) and when I clicked that link to pull up the earlier post, I was redirected to some site in Poland (or at least, with a Polish country code for the top-level domain).

Fortunately, I don’t believe this hack was in place for long, since I often search out links in this manner and would have noticed sooner: Sometime in the wee hours of the morning of January 19th was when the files were first modified is the earliest I can determine.

It took me a bit of time to figure out the exploit (at first I was thinking it was the Google 302 hijacking exploit), but once I did I was cleaning up files on my blogs by Saturday morning. I hadn’t yet had the chance to address the (many) other files and old sites on the server hosting space, so unfortunately my blogs got re-infected at least once more before I was able to kill the old files and update others. Most of my weekend (and part of the following week) was spent updating, fixing permissions, cleaning, and deleting files and sites.

For reference, a handy pattern for detecting this code in grep is:

`grep -R -l 'eval(base64_decode(' *`

(This should always work because you should never have similar PHP running in your legitimate code…)

Now, I keep my WordPress blog software (and installed plugins) up-to-date pretty religiously, and I try to keep permissions set appropriately. But a good number of files in each blog were infected even so—how? It turns out, even though a fair number of the core files that were originally installed (manually) had the correct Unix group (“<account>:users”) and permissions of 644 (rw- r– r–) and were untouched, I was also making liberal use of WordPress’s built-in auto-updating feature, along with automatic plugin installation, and at some point the files that WordPress were updating got set to the “nobody:users” group—the Apache webserver process. It was these files that were exploitable to the “nobody” Apache process that was being exploited by the other code on the server. (Along with the few files I had set to group-writeable as well.)

So, lesson learned. I’ve battened down the hatches, fixed the permissions on all the files in my sites, and have decided to forgo WordPress’s auto-installing and update features for now for good measure. And, I’ve finished up a (long overdue) move of my blogs to a new webhost with none of the legacy code possibilities that were extant on the original server. (Nothing against the original web hosting provider, I just needed a clean break with an affordable price.)

Of course, you all let me know if you still run into any problems, okay?

## The best thing I’ve seen lately

Just in time for Halloween!

I figure I need to clean up my @chuggnutt Twitter account (and probably the @hackbend and @brewsite ones as well).

Not that I have an extraordinary number of followers, or people I’m following—522 and 425, respectively—but I realized there’s a fair amount of “noise” on what amounts to my personal Twitter account and there are accounts I’m also following on either @hackbend or @brewsite, and I don’t really need to see redundant tweets.

So I’ll be going through my personal Twitter account and weeding out accounts I’m following, and figure if anyone’s using something like who.unfollowed.me and gets offended that I unfollow them, I can at least point to my criteria:

• If the account hasn’t had an update in 2 months or more, unfollowed.
• If I’m also already following that account on @hackbend or @brewsite, I’ll unfollow on @chuggnutt.
• Unless it’s someone I know personally, or have interacted with on @chuggnutt more often, then I’ll keep the (redundant) follow.
• Of course there are accounts I just find interesting even if I never interact with them, so I’ll keep following those.
• If the account seems spammy, or keeps posting repetitive tweets, unfollowed.
• If the account is something like a brewery that I’m not already following on @brewsite—or a Bend business or similar I’m not already following on @hackbend—I’ll follow on those respective accounts and unfollow on @chuggnutt.

I’m not too worried about the followers to my account; it’s been awhile since I’ve had to do a bot/porn sweep and block accounts, and I haven’t really seen any I’d consider blockable come through lately.

…I should probably go through and clean up my Facebook sometime, too.

## Pandora

The last several weeks I’ve been checking out Pandora, the “Internet Radio” site that lets you build custom stations of music based on your personal preferences (and provides a live stream of said music). You can give it artists or genres to choose from, and from there—and based on what you tell it you like and dislike in real time, as the music plays—it figures out other music to play for you.

So far it’s remarkably good. It’s like magic.

(Yes, I am well aware that by writing about Pandora now, in 2011, I’ve missed out on something like four or five years of its existence. One might say I missed the boat, and am now late to the show. I’m all right with that.)

Now, I’m not a big music guy—most of the time I listen to whatever’s on the radio in the car while driving to or from work, and I’ll play the occasional CD (I do own a few). I like music, it’s just more of a background to my life, and I don’t invest a lot of time into it. But with Pandora, it tweaks just the right buttons—I’m as interested in the algorithm behind what it will pick for me next as in the music itself. So I’ve been letting it play in the background at work and generally marveling at it.

I’ve only created one station thus far, but since it lets you create different stations I’m fascinated by the potential for creating other, vastly different ones based on mood (for instance).

It’s kind of cliché to say, but this is one of those internet technologies that just works, works well, and makes me feel like I’m living in the future.