BlueLayerMedia Web Development Blog
Archive for July, 2009:
Posted in Programming by Jason Craig on July 29th, 2009
Over the last several weeks we’ve worked on several jobs that had to do with malicious iframe code being inserted into clients’ websites, and the trend doesn’t seem to be slowing one bit.
In fact, some years ago a website that I helped run fell victim to the same type of attack. Today we’ll cover why someone would want to do this, what to do about it once it happens, how it happened in the first place and finally how to prevent future attacks.
1. Why someone would want to do this to you:
Out of all the jobs we’ve worked, the code added to the site was generally along the lines of <iframe src="..." style="visibility:hidden"></iframe>. In short, what the code ends up doing is displaying an unauthorized ad to your visitors, generating revenue for the attacker at your expense. If you use Firefox with the NoScript addon you’re less likely to see the ads, which is why on your own sites it is always good practice to allow all scripts to run and ads to display, so you can see exactly what your visitors are seeing.
2. What to do once it happens:
Where the code is injected into your files, and how many times, is left completely up to the ‘hacker’ adding it. If all works in your favor, only a minimal number of your files will have been modified. We worked on a job recently where hundreds of files had been modified, with different snippets of code in different places in the files. It made for one lengthy cleanup job. If you are familiar with HTML/PHP it is just a matter of going through your files, looking for the malicious iframe code and removing it. A word of caution to those unfamiliar with HTML/PHP: be careful with what you are removing. PHP is especially picky about its syntax, and if you happen to remove a single ‘<’ or ‘{’ by accident, you’ll quickly see an error once you re-upload your cleaned file.
Your other alternative would be to hire someone, such as us (I know, shameless plug), who can go in and clean up your files for you without accidentally removing code that should stay.
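As an added example that is not code from the original post: a read-only scanner for the kind of hidden iframe described above. It reports each suspicious tag with its line number so a person reviews every hit before anything is removed; the sample page, the trusted host name and the file extensions are constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Any opening <iframe ...> tag, case-insensitive, attributes included.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Attribute/CSS patterns that make a frame invisible to the visitor.
HIDDEN_PATTERNS = [
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("0/1 px size", re.compile(
        r"\b(?:width|height)\s*[=:]\s*[\"']?[01](?:px)?[\"']?(?=[\s/>;])", re.I)),
]

def scan_tag(tag: str, trusted_hosts: set[str]) -> list[str]:
    """Return the reasons one iframe tag looks suspicious (empty list = fine)."""
    reasons = [name for name, pat in HIDDEN_PATTERNS if pat.search(tag)]
    m = SRC_RE.search(tag)
    host = urlsplit(m.group(1)).hostname if m else None  # None for relative src
    if host and host.lower() not in trusted_hosts:
        reasons.append(f"src points off-site ({host})")
    return reasons

def scan_text(text: str, trusted_hosts: set[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, tag, reasons) for every suspicious iframe in a file body."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        reasons = scan_tag(match.group(0), trusted_hosts)
        if reasons:
            hits.append((text.count("\n", 0, match.start()) + 1, match.group(0), reasons))
    return hits

def scan_tree(root: Path, trusted_hosts: set[str]) -> dict[str, list]:
    """Walk a site directory read-only; map each file that has hits to its hits."""
    files = (p for p in root.rglob("*") if p.is_file() and p.suffix.lower() in (".php", ".html", ".htm"))
    report = {str(p): scan_text(p.read_text(errors="replace"), trusted_hosts) for p in files}
    return {path: hits for path, hits in report.items() if hits}

# Constructed sample page: one legitimate embed and one injected hidden frame.
SAMPLE = """<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<p>Some content</p>
<iframe src="http://ads.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>"""

if __name__ == "__main__":
    for line_no, tag, reasons in scan_text(SAMPLE, {"www.example.com"}):
        print(f"line {line_no}: {tag}\n  -> {', '.join(reasons)}")
```

Point scan_tree at the site root with the hosts you legitimately embed, then open each reported file at the given line to confirm the hit before editing by hand.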
3. How did this happen in the first place:
Probably the most important question to ask and get an answer to. Most of these occurrences happen when someone uses an open source web script such as Joomla, vBulletin, Invision Power Board, osCommerce, etc. Some of these platforms are more likely to be exploited than others, which are really good at staying on top of discovered exploits. The two that seem most common are Joomla and osCommerce. The main reason these two are exploited more than others is not the core files themselves but the sheer number of free addons, coded by anyone and everyone with varying levels of knowledge on how to prevent exploits.
An eye-opening experience is to take a look at this website: www.milw0rm.com. Go to the top of the page, type ‘Joomla’ into the search function and you can see the massive list of published exploits, most having to do with third-party addons.
Once someone figures out that you’re running Joomla (in this particular example) along with an addon that has an exploit, they simply take the POC (Proof of Concept) code, modify it to their needs and run it against your site. In most cases this gives them unchecked access to your site via the admin backend or another way. Once they’re inside, 9 times out of 10 a shell script is uploaded which gives them more details on your hosting environment, how much space is available, the ability to open new ports and, of course, the ability to modify as many files as they’d like. All without you ever knowing; that is, until Google notifies you that it considers your site malicious.
4. How to prevent this from happening again:
As the saying goes: “Where there is a will, there is a way.” Meaning, if someone truly wants into your site, they probably can get in after a great deal of effort and time. Sites that run on an open source script with countless addons are far easier to get inside than, say, a custom-coded site or a web script that keeps itself updated when new exploits are found.
For those of you currently stuck using an open source script instead of something custom coded, my advice would be to check the main site of the script for new security updates, as well as the addon authors’ sites. If you find that you really don’t need a plugin/addon, get rid of it instead of leaving it on your site unused. You never know, that one could be just the backdoor someone was waiting for.
Posted in Programming by Jason Craig on July 21st, 2009
As web programming advances, it is imperative for the end user to do some research to see what options are available to them and how those options could affect you and your coder. Let’s start with choices of forums. The two that I will be covering are Invision Power Board (IPB) and vBulletin (VB).
I have used both and was equally impressed with the amount of features they contain for both end user and administrator. However, there is one significant difference that we need to talk about: the way they handle adding themes and addons is completely different.
Let’s start with how each forum handles addons (aka plugins). IPB requires that you ‘hack’ or manually modify the PHP files in order to have the plugin work. Here are a few reasons why I personally dislike this method:
- After installing plugins, upgrading your forums to a newer release will more than likely render your installed plugins useless. You’ll have to go in and re-add each plugin by hand once again.
- Most plugins provide good installation instructions, so even those with zero PHP knowledge can install them with minimal error. However, missing a single “;” or “{” when copying and pasting from the instructions can render your site completely useless until the error is fixed.
- Some plugins require that you replace code *cringes*. Not only is this worrisome in itself, but if you try to install another plugin that looks for the original code, you could find yourself pulling your hair out trying to get everything to work.
So with that in mind, here is why I like using VB:
- VB’s plugin system makes installation errors nearly a thing of the past by using hooks. To install a plugin you browse to the file on your computer and upload it. Once you activate it you’re good to go; nothing else to worry about.
- If you need to upgrade your forums, you don’t have to worry about rendering every plugin you installed useless. Only the ones that are not compatible will no longer work.
Let me move on to two other scripts that are not identical in operation, but I think after reading you’ll understand the point I’m attempting to make.
WordPress has to be the most popular blogging script on the market right now. Likewise, osCommerce is a popular e-commerce script. Both are free and widely used all over the internet. Let’s do some vital comparisons between the two from a coder’s standpoint, shall we?
Let’s take a look at WordPress:
- WordPress uses a system similar to that of VB. If you want to install one of the many free plugins available, all you have to do is download it and either upload it manually via FTP or through the admin backend. Activate it and you’re off and running. Even updating plugins is a snap: the backend alerts users when a new plugin version is available and offers to upgrade it automatically.
- WordPress’s Codex is available online for all to see and use. WordPress’s code makes creating plugins relatively easy from a coding standpoint as well.
Now on to Oscommerce:
- osCommerce is similar to IPB in the way it uses plugins, or “contributions” as they’re called. Each contribution must be manually added by modifying existing PHP code.
- osCommerce’s handling of templates is by far my least favorite. Each template is hard-coded into the core files and includes images. The only benefit to this is that it makes for a straightforward installation: after installation is complete your shiny new site doesn’t need any additional work. The downside is that this method makes upgrading your site and adding modules difficult and at times impossible.
As you can probably see, by using “hooks” software makers allow the open-source community to add useful features and options to the software without all of the headaches. I truly believe that in the future web scripts will follow the path of WordPress and vBulletin to make installing plugins and upgrading your site easy. So for your next site, pay attention to the way templating and plugin installation are done, as it could cost you in the long run.
Posted in Programming by Jason Craig on July 16th, 2009
These days everyone is trying to do things faster and more efficiently, and the same principles apply to PHP development. If you’ve ever looked into speeding up your PHP development or application you may have come across PHP frameworks. Yet, with all of the options and information about frameworks floating around the web, you may be confused about exactly what they are and how they can benefit you. We’ll try to lay out a super simple, easy-to-understand overview of what they are and why one may be something you require on your next job.
The first thing to know about frameworks is that the majority of them apply the MVC concept. I know…I know, another acronym. MVC stands for Model, View & Controller. Here’s an overview:
Picture three different folders in your head, named Model, View and Controller. All of our ‘model’ files go into the Model folder, ‘view’ files into the View folder and ‘controller’ files into the Controller folder. The view files handle what is displayed to the end user. The best way to describe model files is to pretend they’re a link in a chain: they typically handle database queries, controllers control them, and view files utilize them. Controller files are the brains of the operation. These files typically contain various functions which can be called by model files.
Confused yet? Don’t be. Let’s try this explanation. Let’s say we have the ABCXYZ blog site. This site is not using a framework; it’s coded in traditional PHP. Our “users” page is called users.php and contains several functions, SQL queries and, of course, quite a bit of HTML for output to the screen.
Well, what if I told you that by using a framework that one file would be chopped into, let’s say, three separate files: users.php (controller), users_model.php (model) and users_view.php (view). And by doing this you could increase the overall performance of your site and…yes AND, if your coder is fluent in using frameworks, have the site built in half the time.
Now I have your attention right?
The advantage to the coder is that frameworks such as CodeIgniter have built-in functions and shortcuts which help us save a heck of a lot of time, while using functions which are completely optimized to begin with. The advantage for the end user is that instead of having all this PHP in one file and all of it being loaded, only certain portions are loaded depending on the user’s request. In the end, this provides you with a very lightweight and fast application.
PHP frameworks are not for every application, though. The best example I can give you is the latest WordPress plugin we released. It is coded in traditional PHP/HTML, as using a framework was not practical, especially with the built-in shortcuts in WordPress.
At BlueLayerMedia we use the PHP framework CodeIgniter for some of our larger applications, and it has become our framework of choice.
Stay tuned for more in-depth coverage on Frameworks and more!
Posted in Programming by Jason Craig on July 13th, 2009

In the world of web development it is always good practice to keep expanding your knowledge and skills. To help you, we’ve compiled a few tips that may help with your next MySQL database design:
- If it is left in your hands to create your own database, try to stay away from allowing NULL in fields as a matter of course. Use an integer or empty string instead if possible. Why, you ask? A column defined as NULL requires special processing and uses more storage space.
- When choosing a data type, go for the smallest one you think will work in your application. For example, don’t simply create forty VARCHAR columns if some of them would do just fine as TINYINT. Why, you ask? How about if we told you that using data types such as TINYINT over VARCHAR uses less disk space, less memory and fewer CPU cycles? Pretty nifty, huh?
- Last but not least, if you are using DATETIME, might we encourage you to switch to TIMESTAMP instead? Why, you ask? How about half the storage when using TIMESTAMP over DATETIME?
The world of optimizing MySQL is vastly more in-depth than I think many people truly realize, ourselves included initially.
Stay tuned for more tips & tricks!
Posted in Wordpress Plugins by Jason Craig on July 10th, 2009
We’d like to introduce our first WordPress plugin, Random Testimonials.
With this plugin you have the ability to display a number of testimonials in either a page or a post. The number displayed is determined by you. We also created a submission form that you can include in a post or page so people can submit their testimonials to you. User-submitted testimonials are added to a queue in your WordPress Admin for your approval.

Here is a quick set of instructions to get you going:
- Install the plugin either via FTP or the admin backend
- Activate the plugin
- Go to the Random Testimonials admin page, under Settings
- Add any testimonials you already have (yes, you could even make some up)
- To have the testimonials show in a post, use the following shortcode: [show_testimonials limit="x"], replacing ‘x’ with the number of testimonials you would like displayed.
- To have the testimonial submission form displayed in a post/page, use the following shortcode: [testimonial_form]
Don’t forget to check your queue every now and then to see if there are any new testimonials waiting for your approval.
Below is the file for you to enjoy. If it worked out for you, feel free to leave a comment; we’d like to hear from you.
Wordpress Random Testimonial (120)
Posted in Company News by Jason Craig on July 8th, 2009

After much discussion and planning, Erik, my BlueLayerMedia co-founder, and I decided to finally launch BlueLayerMedia. Together we have built many sites…some of which didn’t fare so well, while others have become permanent fixtures on the world wide web.
With about 7 years of varied programming experience behind each of us, we have a plethora of skills and knowledge that we bring to BlueLayerMedia.
With so many businesses already offering web services, we knew it was going to be an uphill battle to attract new clients. With this in mind, we decided to sign up for RentACoder, an online freelance marketplace. We figured the jobs we would get there would be smaller and less profitable, but nevertheless it was a proving ground for us as a new business.
However, within a month’s time we managed to successfully complete over 30 jobs and maintain an excellent 9.88 rating out of 10 (currently). We have completed jobs ranging from installing a script to larger jobs like custom building websites from scratch. You can see what our clients have to say about us here.
We found the way to achieve this is by doing several simple things:
- Maintain a high level of communication
- Produce a high quality product that we’ll be proud of and our clients will enjoy
- Exceed their time frame expectations
By holding ourselves to these standards we have generated repeat clients, are invited to private bids and are busier than we could have possibly imagined at this stage.
Overall, we are ecstatic about our progress and are eagerly awaiting what the future has in store for us and our company.
Posted in Programming by Jason Craig on July 7th, 2009

We recently worked on what one would consider the easy job of installing Prosper 202 in a shared web hosting environment. Our client happened to be hosted with Hostgator, as many people are.
The files were uploaded, and the database and database user were created. The simple ’5 minute’ install didn’t turn out to be so easy. Around step three of the installation there was an issue with SQL partitioning: Hostgator does not support SQL partitioning, at least on their shared hosting environments. You can see here that several other people were having the same issue.
What we did to fix the issue and get the script installed was modify the functions_install.php file, removing the references to SQL partitioning.
The end result? It worked flawlessly. The script was installed and functioned as it should.
So, if you happen to be hosted with Hostgator, are installing Prosper 202 and are having the same issue, we have a fix for you.
Download and extract the attached file and overwrite your original file before installing the script.
Deprecated. See other Prosper posts.