
Intrusion detection with Perl

There has been a lot of hype lately concerning WordPress security and vulnerabilities that are out in the open. This is an open source project, so the big advantage is that (and I will quote):

Luckily, the entire WordPress community has our backs.  Several folks in the community dug deeper and discovered areas that were overlooked.  With their help, the remaining issues are fixed in 2.8.3

This is the heart of any open source project. Since the code is out there in the open, many can take a look and, therefore, discover any potential issues.

Now, I know that many users think that, whenever a new version comes out, they should let other people do the upgrade and check it out, and only then go on with it themselves. This might be the case with major versions (for instance 2.7.1 -> 2.8.3 as we speak) but it is definitely not the case when we have security patches and fixes (for instance 2.8.1 -> 2.8.2). In these situations, if you don’t upgrade, your WordPress installation is left exposed to an outside attack and you shouldn’t be surprised if that happens.

But does being updated to the latest version mean that you are absolutely exploit-free? Unfortunately not. You can never be sure. Not with open source, not with closed source. Never. You never know what someone can come up with to bring down your service. Being updated reduces that risk to the absolute minimum, but there is still a chance that it may happen.

Focusing back on WordPress, a very popular exploit is for the attacker to add his own chunk of code to the core of your installation and hide it well. This lets them insert anything they want, for instance an affiliate link of theirs or a link to a site that contains malicious software, so that their code is downloaded and executed by every visitor of yours. This is not the only thing an attacker can do, of course, but it accounts for a large portion of the consequences (see this example).


Search feature on static HTML sites – The smart way

You all must have stumbled on static HTML sites. Either you created them or you found them around. The purpose of those sites today is simplicity. Not everybody needs dynamic content, and thus not everybody needs a complex CMS with a huge back end administration panel. So, what is easier than putting together a few simple HTML pages? But what if you want to incorporate a search feature into that? Well, when a developer first thinks of search, the second thing that hits his mind is “database”. If you fall for that, then there goes simplicity and fast loading. You are already on a war path.

I’ve been challenged to that and here is what I came up with. I created a small PHP script that actually searches the HTML files! The simplicity in the thought is what makes me happy about this. You just get a search term, open the HTML files up, pattern match for it and then echo the results with links back to the original static files. So, you have a dynamic search feature with static content! And what’s even better is that if you make any changes in the HTML files, those will be reflected in your search just like it would happen using the classic database way.

I have created the script and included it with a small example here: Dynamic search for static HTML. The only requirement to run this example is a web server with PHP installed. Here is how to check it out:

  • Download and extract the folder “search_test” into a place accessible from the web.
  • Hit the URL “http://place.of.folder/search_test/search.php?s=ipsum”

As you can see, the above URL will search for “ipsum” in the .htm and .html files and show you the results. If you want to play a little bit with the parameters of the script you can open it and check the global variables at the top (recursive search, highlight etc).

One thing that could be improved is cached search. This would decrease the load on the server for each search. I can help you do it if you need to. I just didn’t go on with it because I didn’t want to overcomplicate my script.

As you can imagine, this is just the skeleton of the script. You should configure it to fit your needs. If you have any problems or need any help don’t hesitate to leave a comment or contact me!

EDIT: I forgot to mention that this will work for text that is wrapped in a “<p>” (paragraph) tag. In order to make it work with more tags or be more flexible, you will need to edit the regular expression at the “preg_match_all” call in the script.
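A sketch of the approach described in this post, as an added example rather than the downloadable script: it matches text inside “<p>” tags with preg_match_all and treats the “s” parameter as untrusted, quoting it for the regular expression and escaping everything that is echoed back. The function name, the 64-byte query limit and the sample page are assumptions.

```php
<?php
// Added example, not the downloadable search.php; function and variable names are assumptions.
/** Map each matching file (path relative to $dir) to its matching <p> texts, escaped and highlighted. */
function search_static_html(string $dir, string $term, bool $recursive = true): array
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 64) {
        return [];                                    // reject empty or oversized queries
    }
    // preg_quote() turns the visitor's term into a literal: "(" or ".*" cannot change the pattern.
    $split = '/(' . preg_quote($term, '/') . ')/i';
    $files = $recursive
        ? new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS))
        : new FilesystemIterator($dir);
    $results = [];
    foreach ($files as $file) {
        if (!$file->isFile() || !preg_match('/\.html?$/i', $file->getFilename())) {
            continue;                                 // only .htm / .html, never search.php itself
        }
        preg_match_all('/<p\b[^>]*>(.*?)<\/p>/is', file_get_contents($file->getPathname()), $m);
        foreach ($m[1] as $inner) {
            $text = html_entity_decode(strip_tags($inner), ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (stripos($text, $term) === false) { continue; }
            // Escape every piece on output; odd-numbered pieces are the captured matches.
            $out = '';
            foreach (preg_split($split, $text, -1, PREG_SPLIT_DELIM_CAPTURE) as $i => $piece) {
                $safe = htmlspecialchars($piece, ENT_QUOTES, 'UTF-8');
                $out .= ($i % 2) ? "<mark>$safe</mark>" : $safe;
            }
            $results[substr($file->getPathname(), strlen($dir) + 1)][] = $out;
        }
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample page so the example runs offline with: php search.php
    $dir = sys_get_temp_dir() . '/search_test_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/a.html", '<p>Lorem <b>ipsum</b> &amp; <i>dolor</i></p><p>other</p>');
    print_r(search_static_html($dir, 'IPSUM'));
} else {
    // Web use: the query string is the only visitor input; the directory is fixed.
    $term = is_string($_GET['s'] ?? null) ? $_GET['s'] : '';
    foreach (search_static_html(__DIR__, $term) as $path => $hits) {
        $href = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
        echo "<h3><a href=\"$href\">$href</a></h3>\n<p>" . implode("</p>\n<p>", $hits) . "</p>\n";
    }
}
```

Because the matched paragraphs are reduced to plain text and escaped again before output, markup in the query or in the pages themselves is displayed as text instead of being interpreted by the visitor's browser.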

Another plugin of mine: YANewsflash

The past couple of days I had a thing for newsflashes. First I wrote this article on how to do a newsflash without any plugin and now I am releasing one! I know, paranoia, but still I figured that it would help people out. For this plugin, I used the options table provided by WordPress. This has a bonus: most of the variables in that table are preloaded when WordPress initializes. So, retrieving data from that table does not cost any extra query. It’s just a few more CPU cycles. I think that people who don’t want to mess around with their theme and go to all this trouble can spare those.

I will also be entering this plugin in the WordPress plugin competition. I know that I have no chance there since most of the plugins submitted are extraordinary, but still I figure I have nothing to lose by letting people know about my work.

So, if anyone finds the need for newsflashes this is the way people. Check out the plugin’s page here and the WordPress repository.

Writing a simple web crawler in Perl

A few weeks back I posted on why our mailboxes are full of spam. I mentioned there that I had created a small and very simple Perl script to crawl the internet and fish for plain text emails. It was a pretty easy task since Perl is designed to make text manipulation easy.

The procedure I used was as follows:

  1. I had a MySQL database for storing links to visit and emails.
  2. I connected to the database.
  3. Selected a link to visit.
  4. Make sure it’s not an image / pdf / google page / amazon page. If so, I jumped back to step 3.
  5. Download the page.
  6. Pattern match for emails.
  7. Get the links within the page.
  8. Insert emails and new links on the database.
  9. Back to step 3.

This is roughly the idea. You can see below a small flowchart to get the general idea.

[Flowchart: crawler]

I would like to demonstrate how it’s done with Perl. In order for you to run it, I’d suggest you have a machine with Perl installed (preferably Linux). If you don’t have Linux then you probably have to download a Perl binary for Windows. Check out this page for further info.


The big one: TweetScribe.me

So, you all remember a few days back when I said I have a big project going on? Well, this is it! Tweetscribe.me is a new service I created around twitter. In a nutshell think FeedBurner meets twitter and some more. Here is the idea. You subscribe to your favorite blogs and each time a post is made you are DM’ed. Moreover, through the blogging list that is created, with blogs that have enlisted themselves, you can find out about more blogs that might interest you and “follow” them. It’s a new way of following… Blogs instead of users.

Moreover, no need for a subscription! As long as you have a twitter account and follow the user @twscribe you can log in! I require that you follow this user because this is the only way that the service can DM you. I feel this is a revolutionary idea on how you can follow blogs around. For webmasters and blog owners this can be a perfect opportunity to give their readers a nice way to follow them around plus promote their blog / site.

The integration with WordPress is as easy as one-two-three. I have created a small plugin that will take care of the whole process. You just download and install. Then visit the Settings->TweetScribe panel and fill in your twitter username and password. Upon saving, the plugin will contact TweetScribe, enlist your blog and get the API key needed. As simple as that. Then just make a post ;) For the future, I am also planning to add the feature of following post comments. Something like “subscribe to posts” but with TweetScribe. Cool huh?

It also has a nice and simple API. For now, the only available plugin is for WordPress. I intend to create some more though, to support even more platforms like Joomla, PHPBB and a few others. If you feel like contributing I’ll be more than happy to hear from you!

If you want to learn more about TweetScribe, why not check out the video tour I made for the service? It’s the first time you will get to hear my voice anyway.

So, what do you think? Are you going to use TweetScribe on your blog? How about writing a nice review about it ;) I am counting on all my readers to promote this, provided they feel the same way I feel about it too.
