Forum Replies Created

Viewing 15 replies - 1 through 15 (of 16 total)
  • upgraded to v3.0.3 of wordpress (now 3.0.4) and plugin no longer works.

    this was a popular addon for my users, but it’s now non-functional.

    please help

    I don’t really understand why you can’t just make the whole dashboard ‘Theme’able

    You have Themes which tons of people contribute to, to fit various needs and tastes. Why not have dashboard-themes in wp-content right along with buddypress-themes or members-themes or whatever it’s been changed to?

    This could also change a BIG question a lot of admins have as to why can’t they theme the Login/Profile and dashboard sections of their blogs for subscribed users?

    The work you’re doing is great! But if you keep focusing on all these here trees, the forest is gonna come along and y’all will miss it.

    -Radio-

    Has this issue been solved?

    WPMU will be at the 2.6.5 level for some time yet and I’d like to be able to offer my users another shopping solution for their blogs.

    Bits of information, some of it helpful.

    Combinations of attacks have been around since the ole ‘One-Two punch’ and will continue to be around till the end of time.

    There are two questions here, not just one.

    1. How did they gain access to your site?
    This is the initial security concern. What door was open? Do you have a compromised plugin? a tool to allow users to upload photos? a really lax registration policy? (new users become admins) or a piece of compromised code in the wp install itself?

    The most common form of open door comes from older installations and/or weak plugins that are vulnerable to “SQL Injection” attacks.

    In these attacks, crackers attempt to trick php scripts that accept inputs to execute code in your sql server, dumping the output to their screen. They send requests to the scripts with encoded sql scripts in the post variables. Once they find a vulnerable script, the whole SQL system is open to them, they can reset passwords at will, create new admin users, change passwords, etc.

    Once that is done, they can then gain access through more traditional WordPress features such as the admin dashboard. Using the edit and upload abilities of wordpress they can hide more back doors in the system for later use. In the worst cases, crackers even modify themes to include back door code so all they have to search for, are theme specific references in google to find your site, which is already wide open.

    The second question is: How Can I Secure My Server?
    If you have already been attacked, you may want to sanitize your site. Unfortunately in some cases the only way to tell that you have been compromised is by going through all of your directories and looking for files that should not be there. /tmp/ directories and /uploads/ directories are the most frequent targets. However files can be hidden in wp-admin, wp-content, and other locations without your knowing it.

    This has been a small bit of information… I hope it has been helpful.
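    As an added illustration of the open door described in this reply (example code, not from the post or any named plugin): a hypothetical WordPress plugin handler that splices a POST variable straight into its query, beside the same lookup written with `$wpdb->prepare()`. The function names and the `user` form field are assumptions.

```php
<?php
// Added example (not from the post): hypothetical plugin code.
// $_POST['user'] is attacker-controlled input arriving from a form.

// VULNERABLE: the submitted value becomes part of the SQL text itself.
// A single quote inside the value closes the string literal early, and
// whatever follows is parsed as SQL, which is exactly how the "encoded sql
// scripts in the post variables" described above take over the statement.
function bdr_lookup_user_vulnerable( $name ) {
    global $wpdb;
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '" . $name . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED: the statement is fixed at coding time and the value travels as a
// parameter. $wpdb->prepare() escapes and quotes it, so the database only ever
// sees a string literal, never additional SQL.
function bdr_lookup_user_prepared( $name ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
        $name
    );
    return $wpdb->get_results( $sql );
}

// Gate the request on a nonce and a capability check as well; a script that
// anyone on the internet can call is the "lax policy" door in a different coat.
if ( isset( $_POST['user'] )
    && check_admin_referer( 'bdr_lookup_user_action' )
    && current_user_can( 'list_users' ) ) {
    $rows = bdr_lookup_user_prepared( sanitize_user( wp_unslash( $_POST['user'] ) ) );
    // ... render $rows in the admin page ...
}
```

    The same `prepare()` pattern applies to the INSERT and UPDATE statements a plugin issues, not only to SELECTs.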

    Forum: Plugins
    In reply to: WP-Live-Chat

    Or you could wait till the web host replaces the dead blade in the server.

    This plugin is a wordpress front end for the well known CGI:IRC chat client, the only information exchanged between the server and the plugin is user name, referring page and desired channel to join.

    We have now added the capability of staying AWAY from the Adult server and connecting to freenode.net (the same irc server Automattic uses for their chat rooms)

    The CGI application does still run on our servers but this can be changed by a simple code change to point the plugin at your own CGI:IRC installation and interface. The code for the proprietary interface is not included in the plugin package, it is however maintained on our server as a courtesy.

    MOST hosts see connecting to IRC as an additional service for which they charge extra, or as a TOS violation due to the proliferation of file sharing bots passing out warez and pr0n, so installing the CGI on your own host may result in issues.

    The plugin *WAS* distributed as *T-Shirt Ware* but no one seemed to like the idea that you actually got something BESIDES free software for your donation. Instead a single button sized advertisement was included in the CGI, and the donate link points to our Project Wonderful location to purchase Ad Space in the chat window, for $1 a day.

    Thread Starter bondageradio

    (@bondageradio)

    I was deliberately vague on my connection information, I’ll admit that much.

    As for contacting my providers, it was they who first notified me about the DDoS attack on the chat server, by telephone.

    When the notice/warning/threat had come in, I was asleep … the attack started at 1 am.

    Back Tracking the information and compiling it for whomever would listen I found out all I could about the kid who made the threat and his server and his host’s information.

    I would publish that info here, but most would say that’s just bad taste.

    When I could not get through to his host on their contact form or their help chat, or even the phone number they have listed on their site and in their domain whois, I found out a little more about what was going on.

    It turns out that the address they list as their address in the whois information reaches back to an empty parking lot (Google Maps Lookup, satellite view) in IL.

    A reverse phone number lookup revealed that the toll free number they published several places, including on their domain whois, network node info and on their website, dials through to a Urologists Office in California.

    One section of their site, reveals that for $150/month this same network provider will offer you protection against DDoS attacks, even if you are not on their network. (How exactly does THAT work again? Protect me from attacks by NOT attacking Me.)

    The next step was going up the network food chain to both Above.net and Level3.com to gain access to their Abuse and or Technical contact information.

    Find a published phone number, e-mail address, or contact form to fill out, when you are under DDoS assault. Try… please…

    I finally wrote to every e-mail address I could find published on their site (mostly sales) until I got to one sales person with an email-auto-responder that listed his Home number… I called him at home (I could hear his kids in the background) and he directed me to the VP of Network Operations, and gave me the unlisted numbers to both tech support and his direct line. (Tech Support?… unlisted?… what?)

    As soon as I got this information I called, it was 6PM and he was going out the door, done for the day.

    I talked with him for 2 hours and then he finally said “Oh!!! Distributed Denial of Service… wow, those are tough to track down.” (Vice President Of Network Operations? Who did you sleep with?)

    I wanted to kill some one.

    Long story shorter… a week later I’m still getting hammered and then the hacker pointed at my main SQL server.

    48 MILLION HITS in 4 HOURS

    I don’t care what network or firewall you have… your site is going down. 3 million hits in a day is a SLOW day for most sites with a pr 5 or better. I’m a pr 3 site… 5000 hits in a day is average.

    I pointed at the FBI because I didn’t want my servers CATCHING FIRE.

    I hid behind the guys with the guns and badges, and wherewithal to make headway against that kind of assault.

    And… I checked… The Local Tampa office of the FBI still hasn’t gotten the complaint yet… no one called… and no, it’s not a crime to direct my DNS names to their IP addresses… so long as I don’t mind my visitors seeing their website.

    So, it turns out, the phone call I got was a Social Engineering Hack, to get my DNS off the FBI IP’s, till the order to halt the attack propagated through their botnet.

    Tampa Office is looking forward to reviewing the complaint.

    -Still PO’d-

    Thread Starter bondageradio

    (@bondageradio)

    In a direct response to our ‘Concerns’ about DDoS ‘Issues’, The FBI and their Internet Crimes Unit contacted me by telephone to tell me they will ‘Look Into’ the issue.

    However, My directing the attackers AT their computer system ‘May be construed as an Assault on the Federal Government’

    They recommended that I return the IP addresses to normal and log all connections.

    I simply responded “No problem, in the mean time, I want to see a log of every shooting victim in the DC area, with date and time of impact for every bullet. I’ll get around to capturing the shooters after I see the logs..” and then I hung up.

    Our Tax Dollars at work.

    Cross Posted from THIS THREAD

    I found the same problem with one plugin that I have installed and update regularly on more than one blog; StatPress

    The plugin is great, but with rapid development and frequent updates, the inability for OneClick (or the One Click Plugin Updater plugin for that matter) to handle the files being in a folder in the archive is annoying, but it isn’t an issue for OneClick, it’s for the other developers.

    The FAQ on the wordpress SVN does make the suggestion to developers to leave their files in the root/trunk and not in a separate directory root/trunk/folder. This is because the SVN builds the ZIP file dynamically from root/trunk into its own folder in the ZIP file.

    I found the simplest solution, download the file to my computer, unzip it, move into the plugin directory and ZIP the interior folder.

    I then use the new ZIP file with OneClick to install from my local copy, correctly zipped.

    Asking to change OneClick, or the SVN for that matter, to alter their methods, because developers can’t or won’t follow standards, is like asking web designers to build two web pages, one for internet explorer, one for all of the other browsers which are standards compliant…

    wait… bad example…

    Please correct This Issue.


    bondageradio

    (@bondageradio)

    from the site:

    All rights reserved and copyright © 2007 Tribulant Software Inc.

    That would seem to indicate that it is NOT GPL.

    This is very upsetting.

    My Own plugin was denied listing, reasons were not given but I can assume it was because my homepage is an adult based site (which is fine, I’m moving the plugin to a G rated site soon and will re-list).

    … but here is a guy BLATANTLY violating the terms, Charging $10 – $30 for plugins that have NO GPL LICENSE, and are violations of the GPL Licenses of others whose work these plugins are based upon (He’s trying to make money on others’ GPL licensed work) …

    And he gets MULTIPLE Listings in the repository?!?!

    Color me TICKED OFF…

    WordPress database error: [File ‘./blog/wp_bdprt_hits.MYD’ not found (Errcode: 13)]
    SELECT COUNT(*) FROM wp_bdprt_hits WHERE time_of_hit>’1192556424′ AND ip_address=’24.241.62.103′

    WordPress database error: [File ‘./blog/wp_bdprt_hits.MYD’ not found (Errcode: 13)]
    INSERT INTO wp_bdprt_hits (ref_ident, browser_ident, ip_address, target_ident, time_of_hit) VALUES (‘4844’, ‘8422’, ‘24.241.62.103’, ‘3’, ‘1192556427’)

    looks to me like there was some sort of stats counter (with a possible embedded code in the theme) I recognize “HITS” in the database Name and the IP address in the values…

    The table name might hold a clue to the culprit plugin:
    BDPRT “BadPort” “BDPrint” “Bob&Daves-PortRiverTavern”

    Just a thought… If you look through the template files for the theme you really really like, and see a PHP reference to a BDPRT something or other, try commenting it out and see if your theme comes back into existence.

    ahhh… as far as I am aware, the auto generated password is only sent out when the user fills out the forms provided in the default install.

    You may be able to use a form processor to allow guests to sign up via a custom form, which would include assigning their own password.

    Bit tricky on the coding, but it would basically be the same as Admin filling out the form on the user management page.

    If the department is a part of the company, there should not be a problem of using the company’s servers.

    but, stranger things have happened.

    You can prevent the sending of e-mail passwords by disabling the function in the wordpress code… or by using a mail-by-smtp plugin and assigning a no-relay smtp server. (mail.example.org for instance)

    you may wish to double check with your work as well, perhaps using the mail-by-smtp type plugin, you could use the company smtp servers, in compliance with the restrictions.

    Similar to another thread.

    Look at this plugin as well:
    https://www.ads-software.com/extend/plugins/mail-from/

    This thread has been addressed with Andrew Hamilton’s plugin ‘Mail From’

    Here is the plugin’s homepage:
    https://labs.saruken.com/

    You can download the plugin from here:
    https://www.ads-software.com/extend/plugins/mail-from/
