The FastCGI and the Furious


February 25th, 2010 by Chris

Let me start by saying I am not a server management or Apache guru, I’m not. I’ve been working with it on my own servers for about a decade now, but I am not a guru. I’m the guy who wears many hats. The graphic hat, the css hat, the programmer hat, the SEO hat. I’d consider myself guru quality in SEO and in generic Internet business management, but the rest I’m just a jack.

So, anyways, I’ve struggled for many years to get my literature site to run smoothly. I think there are three articles on this site about caching php pages that were born out of me needing to do that. The site is my oldest, 10 years, and very popular, with unique monthly visitors measured in the millions, but it is also a beast to run.

Currently it is on a pretty high end dual dual-core (that’s 4 total cores for you math majors) server with 12 GB of ram. And it was still having problems. All the heavy-hitting non-forum, non-search pages were cached as plain HTML, and it was still having problems, then I cached all the deep content pages as well, and it was still having problems.

A while back I had it set to use Apache’s worker module, as opposed to pre-fork, because I heard it was better, I believe I was told so in a vbulletin.com forums server optimization thread. Regardless, still problems. Though, I’m not entirely sure, the new configuration of Apache 2.2 in cPanel servers is a little more confusing to handle, with how all the config files are spread out and the need to distill and whatnot (sorry if you have no idea what I mean with that last line).

Now, PHP was compiled as an Apache module. I’ve done this and requested this for years going back to when I was first doing search engine friendly URLs (and popularizing the practice through my articles on Sitepoint about it). I always thought PHP as CGI ran slow, and more specifically it had a bug where a few of the search engine friendly URL methods would fail. That was in 2001, and in the intervening years no one had bothered to change my mind, and, because I’m not an Apache guru, I don’t keep up on developments unless I have a problem I need to solve.

Then last Thursday and last Friday night my site started crashing every 2 hours. Looking into the log files I couldn’t detect anything weird except that I would get a warning about Max Clients being reached and it’d crash. The thing is though that Friday the site gets about half as much traffic as any other day of the week. So it made no sense.

Looking at current activity it seemed like MSN and Yahoo (why do they both need to crawl still?) and an obnoxious VoilaBot were all crawling my site at the same time, that might have done it, but I banned VoilaBot and throttled the other two and it was still crashing every two hours.

I still don’t know for sure what was causing the problems, but in my search to find a solution I came upon some information about when to use Apache’s worker module, and when to use pre-fork, and how worker really isn’t helpful when PHP is compiled as an Apache module, and how running PHP as CGI, specifically FastCGI (or fcgi) is better in a multiprocessor environment (such as I have). The reasons are a little more technical than I want to go into, but maybe someone who IS an Apache Guru will comment and explain if they like, I don’t want to because I’m afraid I’ll get it wrong.

So, I load up cPanel’s EasyApache (Apache configuration and upgrade utility) which is wonderfully easy to use (cPanel is so much better than other server management software I’ve tried), and make the selections.

Now my server runs differently. Instead of PHP existing within Apache, it exists apart from it, and so when I check current processes and performance data I can see PHP’s usage outside of Apache (turns out, it must have been the lion’s share of Apache resource usage). This, I believe, lets me monitor things better.

But more importantly, the site is as fast as I ever remember it being, like wicked fast. The change was immediate, and awesome. The crashes stopped.

Traffic increased 15%, that’s right, 15% more visitors & page views a day, roughly. It is not apples to apples because February 22nd was not exactly February 18th. But my site is typically very consistent (and on a large sample size) and I can see no other reason for the higher traffic plateau I’ve seen this week. I also noticed active forum users on at any one time has increased (a faster forum means more engaged users). Additionally, of course, over time more traffic will beget even more traffic like compounding interest works on your bank account.

The server isn’t even crashing in the middle of the night when it does the MySQL backups (which are huge, and which used to almost always cause a 10 minute “crash” (not really a crash, but unresponsiveness)).

This setup is definitely working for me. So, if you’ve got a similar problem, try giving it a go.

Selling one of my sites


February 4th, 2010 by Chris

I’m selling one of my sites, for various reasons.

My coupon site was once my highest earner, pulling in over $1000 a day. One month’s revenue was the down payment on my house. Then I lost my rankings due to Google algorithm changes which favored a breadth of incoming links instead of a few really strong ones. My competitors started making spam sites and using other methods to create tons of really low value incoming links. I did not want to compete like that. Unfortunately for me during my heyday of popularity I didn’t do something which I now consider to be a rule for all of my sites: build a forum. Because if you can get to critical mass with a forum your search rankings become less important, people will still come.

Additionally, at almost the exact same time, the ecommerce side of my business took off, doing $4000 a day in gross revenue in December of 03. So I shifted gears really. I’ve been very lucky, I’ve had so much success, and not just at one thing, I’ve had multiple ideas or sites become successful independently.

In the intervening years the industry changed and while it is still probably the single most profitable niche for an affiliate content site (IMO) it is more competitive and requires a larger software investment and time investment. New coupon sites with innovative Web 2.0 features were launched, mine stayed the same because I was focused on other things.

Last year I paid someone to reprogram the site and incorporate some Web 2.0 features, they did the work, but I never did the finishing touches I intended to (like a better design, automatic importers, launching the forum, etc). Meanwhile, I feel pulled in too many directions. I have a baby now, I have a todo list that is quite long, on sites I’d rather work on than a coupon site, and my ecommerce businesses keep growing and growing.

I don’t actually like affiliate marketing that much, mostly because I don’t like affiliate programs. Merchants move offers, change offers, expire offers. Many do not adopt standard methods of automatic communication (more need to use RSS). Programs will get terminated without warning, or maybe just you will be. So to run a website that in the end is just an organization of affiliate offers is not what I prefer to do. I prefer to do ecommerce, or strict content sites. I like to write, I like to publish, I like content that I can publish once and let it earn for me forever. I do like some affiliate programs, but with a coupon site you need to manage hundreds, and that is not my favorite task.

I’ve actually had this site up on the market for a while, but only passively, I decided to give Flippa a try though and see if I’d move it actively. I figured with my taxes likely going up soon it’d be better to move it now, than a year from now.

In less than a day I’ve already had some private interest, perhaps I should have put the minimum offer higher. It looks like it’ll probably sell, only question is to whom and for how much.

If you’re interested, the listing is here.

Interspire Shopping Cart 5.5 Review


January 29th, 2010 by Chris

Interspire has gone through a couple iterations of updates since I last reviewed them about 7 months ago (on 5.0). My original review can be read here: Interspire Review, and I wish to provide you with updates regarding the issues I encountered. If you didn’t read the original review, you should, I’m going to be referencing it a lot.

First let me say that Interspire has been fairly proactive in addressing the concerns raised by my original review.

Pricing

They have changed their upgrade policy to allow you free upgrades for 1 year regardless of upgrade type (previously you had to pay for major upgrades); after one year you can renew at 50% of the original cost of your licence.

This pricing scheme is more in line with other software vendors out there, and is an industry standard. While Interspire is still expensive compared to many other carts, their upgrade policy is now in line and shouldn’t be a source of complaints.

Installing, Upgrading, Importing

I’ve done more upgrades of the software since my original review, and all went off without a hitch, except the most recent one, which to fix I merely had to uninstall and reinstall my template (two clicks). They’ve also added more templates.

I am annoyed though at the lack of persistent data through some of the template changes. For instance, welcome text at the top of the homepage. I have to re-insert it every time I upgrade a template. It would not be that difficult to provide a field that persists through template changes for that sort of thing, or footer text, etc. In fact, stick them all over, they’re really simple to do. vBulletin finally caught on a few releases ago and stuck optional advertisement templates all over the software so when upgrading you could have those templates persist and not have to redo all your advertising.

Order Summary

What I said previously:

Why is it so hard for some carts to provide a printable receipt after checkout? Honestly, Cubecart doesn’t, OScommerce doesn’t, what is the deal?

Interspire does not do it either. When you select payment by check or money order (mail order form) they provide this sentence: “Mail a check or money order in US funds, along with a printed order summary, to:” But they don’t actually provide the order summary. I guess you have to wait for the email and print it out? What if you don’t get it? Why not just put the order summary on that page?

When you pay with a credit card through authorize.net Interspire provides a link for the order summary, but again, why not put the order summary on that page? There is a ton of whitespace on it, fill that space up!

The email summaries they send are nice, put that content on the page seen after checkout.

Still holds true. No fix there.

Categories & SEO

My issues with the category setup on the menu in regards to SEO and headings as mentioned in my first review are still there. I would like to be able to have more control over the category listing, perhaps giving prominent locations to products or categories I wish to promote more, I can’t. I would also like the ability to section off my menu.

Images

They now allow more than 5 product images. I would still like a lightbox to display them on product pages instead of a popup. Popups are old technology, take longer to load, and can be blocked.

Product Variations

What can I say? They’re trying.

5.5 included a new product variation handling tool and other upgrades.

Firstly, they paginated the product variation screens. So it will no longer crash your browser from information overload if there are tens of thousands of form fields (very possible).

Secondly they implemented a bulk variation editor. This, unfortunately, is almost worthless. It is like they just don’t get it. Let me explain.

Their tool allows you to filter variations and then edit the cost. Suppose you sell engagement rings available in silver, gold, and platinum. Each ring can be sized from 5-15, and can include a .5, 1, or 2 carat diamond.

Their tool allows you to replace existing values, which is not very useful at all. Say you have the following prices:

Gold .5 carat = $500
Gold 1 carat = $1000
Gold 2 carat = $2000

So suppose you need to increase the cost of your gold jewelry because gold prices increase at the wholesale level. You use the filter to select “gold” and then select say “add $30” and instead of adding $30 to each gold ring, it finds every ring option that involves “gold” and replaces the value of that combination with $30. So now, instead of having rings costing $530, $1030, and $2030, you have rings costing just $30. Oops!

The solution is to go back and select gold and .5 carat and input $530, then gold and 1 carat and input $1030 and so on. Doing each combination individually. Which begs the question, I thought this was supposed to save time?

It does save time, if you’re only dealing with combinations that do not affect the price. Like suppose there was no price change depending on ring size. Then you could do a gold price change for all ring sizes at once. But the second you add a second price-affecting variable, you screw the system up.

This is true whether you’re editing or doing the initial setup of your product variations.

The solution would be simple, create a toggle to indicate whether you want to increment or replace existing values. If you did so and selected “increment” it would still filter out all combinations involving “gold” and then instead of saying “cost = $x”, it would say “cost = $current_cost + $x.”

Otherwise, all that they’ve done is created a new way to do things one at a time, which defeats the purpose entirely.

Also, it is far too easy to destroy thousands of existing variations. With the system as is you can easily accidentally not set a filter then hit submit and zero out or otherwise change all of your carefully done, perhaps 100,000 total, product options. That sort of devastation demands a confirmation step. I would strongly recommend Interspire code in a simple “Are you sure?” check, it will save someone’s butt sometime.
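As an added illustration (my own sketch, not Interspire’s code), here is a small model of the bulk editor with the replace/increment toggle and the missing “no filter set” safeguard described above; the ring catalogue and option names are constructed sample data.

```python
# Added example (not Interspire code): a model of the bulk variation editor
# with an "increment" mode beside the existing "replace" mode, and a refusal
# to run an unfiltered edit unless it is explicitly confirmed.
from dataclasses import dataclass


@dataclass
class Variation:
    options: dict   # e.g. {"metal": "gold", "carat": "1"} (constructed names)
    price: float


class NoFilterError(Exception):
    """Raised when a bulk edit would touch every variation without confirmation."""


def _matches(variation, filters):
    # A variation matches when every filter key/value is present in its options.
    return all(variation.options.get(k) == val for k, val in filters.items())


def bulk_edit(variations, filters, amount, mode="replace", confirmed=False):
    """Apply a bulk price edit to every variation matching all of `filters`.

    mode="replace":   cost = amount            (what the 5.5 editor does today)
    mode="increment": cost = current + amount  (the proposed toggle)

    An empty filter matches the whole catalogue, so it is refused unless
    confirmed=True, which stands in for the "Are you sure?" step.
    Returns the number of variations changed.
    """
    if mode not in ("replace", "increment"):
        raise ValueError("mode must be 'replace' or 'increment'")
    if not filters and not confirmed:
        raise NoFilterError("no filter set: this would change every variation")
    changed = 0
    for v in variations:
        if _matches(v, filters):
            v.price = amount if mode == "replace" else v.price + amount
            changed += 1
    return changed


def prices_for(variations, **filters):
    """Return the matching prices in catalogue order, for inspection."""
    return [v.price for v in variations if _matches(v, filters)]


def sample_rings():
    # Constructed catalogue from the review: gold rings at $500/$1000/$2000 by
    # carat, plus a silver ring that a "gold" filter must leave untouched.
    return [
        Variation({"metal": "gold", "carat": "0.5"}, 500.0),
        Variation({"metal": "gold", "carat": "1"}, 1000.0),
        Variation({"metal": "gold", "carat": "2"}, 2000.0),
        Variation({"metal": "silver", "carat": "0.5"}, 200.0),
    ]


if __name__ == "__main__":
    rings = sample_rings()
    bulk_edit(rings, {"metal": "gold"}, 30, mode="replace")
    print("replace:", prices_for(rings, metal="gold"))    # every gold ring is now 30
    rings = sample_rings()
    bulk_edit(rings, {"metal": "gold"}, 30, mode="increment")
    print("increment:", prices_for(rings, metal="gold"))  # 530.0, 1030.0, 2030.0
```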

Finally, there is still no display of prices next to product options on the actual product pages customers will see. Almost every other cart will display the options, why? Because customers don’t like having to play “guess the price.” There are a couple Interspire hacks and modifications that address this, but so far, no support from the actual company. It should be a really easy change too.

Authorize.net Integration

I complained about their Authorize.net integration in my last review. They left out customer emails, they left out the entire block of shipping information, and they did not appropriately use the description field (to list the actual products sold, rather than just repeat the order# information).

They’ve fixed everything except the description field.

Shipping

Still no support for dimensional weight with UPS.

Reporting

They have added a monthly sales tax report, which was my main complaint.

Other bugs

They now allow you to use an SSL domain, but you can’t set it to be your same domain, per se. For instance many sites use http://www.example.com as their catalog, but drop the “www” for their SSL domain, you can’t do that with Interspire. Not a huge deal, but there.

They have also fixed the annoyance of not letting you know your current version in the admin area.

Order Management

Order management has gotten better, customer messaging is now included in all versions of the cart as I requested. However, the messaging system still just emails people to tell them they have a message, it does not actually email them the message, creating a second unnecessary step.

Final Thoughts

My thoughts on 5.5 are pretty much the same thing as my thoughts on 5.0. The cart is a Ferrari without tires. However, I see mechanics working in the shop putting tires on some wheels and so I am optimistic. The people at Interspire are listening to feedback, even here on my blog, and they are making changes based on that feedback. That is moving in the right direction, even if we are not yet at our destination.

As far as the product variations go, I still can’t fully recommend it for sites needing complex variations, but they’re getting close, one more small change (the increment setting mentioned above) and they’re about there. In the meantime, my script that helps set up new products that need variations is always available. For other sites though, especially when you have a site owner not that adept at skinning, Interspire is attractive.

Also, apparently in their next version they plan to include the ability to print UPS labels directly from the cart, which would be stellar.

Coming soon will be my review of X-cart (almost done), and my review of the newest CRE Loaded (almost started).

Why Yahoo is the worst company on the Internet


December 1st, 2009 by Chris

So I got an email today, saying that Yahoo has decided to terminate Right Media, which it purchased not too long ago.

Perhaps terminate is the wrong word, they’re basically going to end all existing Right Media services for small publishers, which is most of what the company offers.

Coming on the heels of their implosion of YPN I suppose I shouldn’t be surprised, but I am. YPN, of course, no longer exists really, Yahoo is going to completely farm out all advertising to Microsoft in a recent deal.

Does anyone take Yahoo seriously as a company anymore? Let us look into the past and see how Yahoo has innovated and improved, or perhaps not.

1. Yahoo starts company as a web directory, the first, becomes one of the most popular websites on the Internet, directory is manually edited by humans.
2. Yahoo starts charging for directory submissions, makes a gold mine. Search results are based on directory listings primarily, making directory listings important for ranking well, everyone buys one.
3. Yahoo deemphasizes directory listings in their search results, but still links to matching categories, fewer people buy them.
4. Yahoo stops even linking to directory categories in search results, “Directory” doesn’t even get a main tab. No one buys listings anymore, nearly impossible to justify the $300 yearly fee with the paltry traffic received, only the most profitable sites should do it.
5. Meanwhile, Yahoo purchases Inktomi, an early search pioneer, to power their search results. Yahoo eventually also absorbs Lycos, Fast (Alltheweb), and Altavista, all early pioneers, all at one time the most popular search engine on the Internet, Yahoo kills them all like so many wives of Henry the VIII.
6. Yahoo inks a deal with Microsoft for search, effectively exiting the search business, all the money spent on acquisitions could have been saved if they just partnered long ago.
7. Meanwhile, Yahoo had purchased Overture, formerly Goto.com, the original PPC search engine.
8. Despite buying the creator of PPC search, Yahoo allows itself to be out maneuvered and out innovated by Google.
9. Google PPC ads get smarter, like Google’s search index. Google launches Adsense PPC ad syndication platform, eventually syndicated PPC ads account for something like 85% of Google’s ad dollars.
10. Yahoo plays catchup, launches YPN, perpetually in-beta ad network sputters along through mismanagement after mismanagement. Yahoo lets in large publishers of spammy sites but doesn’t allow advertisers to opt-out, sites make good money, for a short period of time, but advertiser ROI plummets, advertisers flee. Yahoo keeps crappy partners in network, but kicks out good ones for sending international traffic, which every other network on the Internet has no problem just filtering out. Network never leaves beta, network dies.
11. Yahoo buys Right Media, an innovator in small publisher advertising. Creator of an exchange to match up small publishers with small advertisers. Does some innovative things like allowing “R-Rated” sites (and labeling them as such), something most networks do not touch (but should, look at how much money R-rated movies can make). Eventually, Yahoo kills Right Media, reasons unknown.
12. Meanwhile, Yahoo inks deal with Microsoft to outsource all PPC advertising, effectively killing the original PPC search engine.

For all these reasons, I hereby crown Yahoo, the worst company on the Internet.

Watchout: eWeb Financial, Work from Home Opportunity


November 17th, 2009 by Chris

Have I become the guardian of Internet get rich quick gimmicks and/or misleading business promotion opportunities? Apparently, I guess, since so many of my recent blog posts deal with such. I suppose this has something to do with the recession, people are out of work and other people are looking to prey on those out of work.

I am reminded all the time of that episode of “That 70’s Show” where Jackie falls for a modeling agency scam getting her to pay $200 for headshots and consulting. Jackie only realizes it is a scam when the agency gives Donna the same pitch (Jackie believes she is far better looking than Donna and if the agency is also interested in Donna, it must be a scam). Funnily enough my brother and his wife fell for this same scam in real life.

Anyways, I digress, late last night and then again today a company called eWeb Financial called me about a work from home business opportunity. They said I filled out a survey saying I was interested in such things, when pressed they could not answer where or how I filled out said survey. They called my home number in an obvious violation of the do not call registry which I am on. Of course, I know I would never fill out such a survey, I already happen to make quite a bit of money. I decided to be a little snarky and rather than just hang up I laid the sarcasm on the salesman pretty thick explaining how successful I am and he kept pushing, saying “You can always have another poker in the fire.” and whatnot. It was funny, really, how hard he was working, and I was just messing with him.

Anyways, doing a little research with Google I find their website, ewebfinancial.com, which is a great example of frontpage-template-quality design. And a few other complaints such as this one here.

As near as I can tell this company sets up turnkey affiliate shop sites and then charges you a few hundred dollars for them. For anyone interested in this work from home opportunity let me set a few things straight for you.

Marketing thin-affiliate sites no longer works, hey, I used to do it myself, I made… I don’t know… $40 or $50,000 doing it over the years, but it hasn’t worked in a while. It worked for a little bit when only a few people were doing it either because only a few people knew how to do it or a few people had the technical knowledge to do it. There is even a tutorial on this site on setting up Amazon.com affiliate sites. But then, everyone started doing it, and the search engines reacted by hitting all sites doing it with bans and penalties, and algorithm shifts, and now it just doesn’t work.

Even if it did work, these aren’t the types of sites you can just “build and they will come”, you have to have some way to direct traffic and link-weight to them. Ask yourself, do you already have link-weight you can send to such a site? Do you even know what link-weight is or how to get it? If so, you have no business even trying these things. But, of course, they don’t work anymore anyways.

If you want to make money with affiliate merchant datafeeds you gotta do something other than just duplicate the product catalog on a dummy site. You need an angle, and there are only so few, and most require advanced programming.

I figure if these guys call me twice in an 18 hour period, they gotta be hitting up others too, so let me save you some money, just say no. There are far better, easier, cheaper, and more reliable ways to make money online. Pick a topic, get a free blog from wordpress or blogger, and start writing.

Just remember this, if there is an easy way to make money online, a million Indians and Chinese are ALREADY doing it, and they’re willing to do it for a few dollars of profit, you will never compete.

Steal of a Deal on New vBulletin


October 26th, 2009 by Chris

Internet Brands, vBulletin’s new owners, annoyed some people when they rolled blog & CMS functions into a new vBulletin suite with project tools as well.

Most license owners felt like they were being forced to pay for software that they’ll never need or use (project tools, and maybe CMS), just to continue using their blog software.

It is a valid complaint, project tools are a niche product that only applies to work environments, most communities are not work environments.

However, they have since seemingly fixed things, smoothed things over. For one, they changed the licensing scheme, probably for the better. You now only buy the license once, and it is good until the next major release. So if you have a vB 3.1 license, and two years later 3.9 comes out, you can upgrade. Currently you need to renew yearly. So instead you’re just renewing if you have 3.1 and 4.0 comes out (major release).

Now…they could do what Interspire has done in the past and make major releases that aren’t seemingly major and force you to upgrade, and that wouldn’t be good, but I’ll give them the benefit of the doubt for now.

Secondly, until Oct 30th they’re running a big sale on licenses. Just go here and get your 4.0 VB Suite license for only $130 (if you have an existing license) that is cheaper than a standard forum license, and it includes the CMS and blogs and whatnot, and that gives you free upgrades for the life of 4.x. But only until Oct 30th. Not a bad deal at all.

Things I dislike about Elance


October 23rd, 2009 by Chris

So, I post a project on elance, and I get many responses, and they’re all the exact same.

“We are pleased to introduce ourselves as programmers and coders…”

They’re all the same, they’re all from India, even the ones that say they’re from the US are from India, which annoys me to no end.

I’m not xenophobic, but I prefer to work with people from more developed countries. I don’t know if it is a cultural thing or what, but in my experience most Indian programmers lack intuition to do small things that are needed to improve efficiency and user friendliness. They also seem to have a problem grasping the big picture, or understanding what your goal is for what you need. The end result is needing to micromanage them to the nth degree, which requires so much time you might as well do it yourself.

Whereas people from western cultures, you can tend to tell them what you want to accomplish, and they can fill in a lot of the blanks without input from you.

I tend to only consider Indian programmers (or other foreigners) for tiny jobs then, things that I can very discretely define. I have a job right now, directory website, very simple, small, and they’re having the hardest time getting it. Additionally, I’ve gotten 30+ Indian bids, but not one from North America, normally I get more than that. I post a very very specific brief, and they come back with a list of features (shopping cart? Hello?) I didn’t even ask for. It is almost as if they assume I want a directory just like their last job, whatever that may have been. Or perhaps they simply don’t care enough to read my brief and instead are just replying to as many as possible in hopes of finding work.

The problem is there are just so many of these misunderstanding bidders, that I am just completely turned off from Elance at this point and am just thinking about doing it myself. I did a little PHP last night and this morning, and it was nice to do that again, I haven’t programmed in a while. Fun even. I could probably crank this job out in 8 hours or less, of course with the Baby that equates to 3 days, but still, I could do it.

Maybe I will, but I think it’ll be a while before I post on Elance again. If I wanted a bunch of form letters from foreigners wanting to do business with me I could just open up my junk mail folder.

Hi I’m Chad and I’m calling from Google, erm… no, Global Market Exposure


September 24th, 2009 by Chris

My Netbiz post was pretty popular. So when some guy named Chad called me today feigning to be a customer so I’d call him back I decided that I’d give “Global Market Exposure” the same treatment.

The call started out somewhat funny.

Him: “I was just on your website and I’m actually calling from Google.”

Me: “So you work for Google?”

Him: “Well, I’m calling from Google and….globalmarketexposure.”

Me: “So you’re calling from Google.”

Him: “I work for Global Market Exposure, we’re an adwords qualified company working on behalf of Google” (finally, half-truth!)

Me: “Did your company used to be called Netbiz?”

Him: “No, we’re much better than Netbiz, we can get you uploaded to the first page of Google within an hour. We-” (Did they choose to inappropriately use the word “upload” to sound more technical? I was so impressed with his masterful use of Internet jargon!)

Me: “You don’t actually work for Google, you just set up AdWords ads for people, something they can do themselves.”

The call degenerated rather quickly from there on.

Why doesn’t Google weed out companies like this that use confusing sales tactics? Quite frankly I think it gives Google a bad name. It is also highly unethical to represent ads as search placements, they’re not, they’re ads.

For the record, companies like Netbiz or this new outfit, Global Market Exposure, place advertisements through Google AdWords. AdWords is an auction based advertising system whereby the highest bidder gets slot 1, the second highest slot 2, etc. With each bid being modified through internal Google systems that judge quality and click through rate (a high bid no user will ever actually click on because the ad sucks isn’t going to do Google any good). Anyone can do this themselves for free.

This advertising differs 100% from Search Engine Optimization, which is the practice of painstakingly building and tweaking your site so that it ranks better naturally in the unpaid main search results. There is no quick fix for search engine optimization, and as a general rule if someone says they can give you a top listing automatically or within hours, they’re talking about placing AdWords advertisements, not doing SEO for you.

Using one of these companies is akin to using someone to put an ad in the phone book for you. Maybe the person is an expert at phone book ads, and maybe you’re too busy and don’t have the time. But you could probably do it yourself, and you could also probably set up your own AdWords advertisement yourself. Plus, since you’ll not be using a middleman, you’ll be spending less money and so more easily obtain a positive ROI.

Caveat Emptor.

On an unrelated note, the company’s use of the domain google-placement.com looks to me like a trademark violation. Anyone want to place a wager on how long that lasts? Anyone know a Googler to forward that juicy tidbit to?

Best of the Web Directory Submission Coupon


September 13th, 2009 by Chris

Best of the Web is, in my opinion, one of the top three web directories for promotion. I use it, I recommend you use it. Directory submissions as link popularity builders aren’t as powerful as they once were, the rise of blogs and the rise of cheap useless directories (plus the malaise at DMOZ and Yahoo) has seen to that. But they still help, and while it costs money, for certain sites, such as ecommerce sites, your one time fee can be earned back on a single sale. So, I do recommend it.

Anyways, you can use the coupon code “SINCE94” to get 20% off your order through the end of September.

Aftermath: Results of a Hacker Attack

August 27th, 2009 by Chris

My literature site was one of the tens of thousands infected by a worm recently. This new type of attack works not by attacking insecurities on your site (initially I was worried it was from a backdoor or other weak script on my server), but rather by attacking webmasters at home: infecting work PCs and then sniffing for FTP passwords on that PC or on another PC on the network.

I am not sure if it was my network/PC that provided the entry, or that of someone who was doing work on the site at the time, but entry was gained via FTP. Luckily, since each user FTP account is restricted to their own directory, no system files were affected.

However, let me start at the beginning.

In late July I was told by my host that my server was dying. The hard drive was on its last legs and needed to be swapped out. They could give me a new hard drive, but then I’d be responsible for moving sites over, and there would likely be some downtime; I don’t like downtime, it costs me money. I argued with them, asking why they could not merely mirror the drive, and they said they didn’t do that sort of thing. Finally I settled on just getting a new server, but since I had paid for some serious upgrades to the current one I was worried about getting railroaded on the price of the new one.

Kudos to The Planet, they didn’t railroad me at all. Instead they offered me a better server for about $100 less per month. Needless to say I took it, but that added a great deal of work for me to do in securing the new server, doing setups, moving files over, etc.

I had server hardening done by a company I had used in the past and proceeded to move most of the server files over. I got all of the static site files moved, shut down the forums on the old server, copied over the SQL databases, turned the forums on at the new server, and tossed .htaccess files on the old server to redirect all requests to the new IP to cover the period of DNS uncertainty following a move.

Then I bought a rental property, and doing the negotiations with the realtor coupled with my wife going back to work and me becoming the primary daytime caretaker of my then 10 or 11 week old son (since I work from home), I was quite busy. After arranging our purchase agreement for the property my brother and I spent two days straight, working dawn to bedtime, gutting and renovating the upstairs unit. It was on Monday, the first day of our two day blitz, that the hackers attacked.

That weekend prior I had noticed a script not working under MySQL 5 (old server had MySQL 4, it was a left join issue). The script creator, a friend, whom I have an arrangement with (he handles the software, in exchange I provide him with content), was told and started working on it, and an hour or so after he started the hackers hit.

Hundreds of IP addresses logged into the server and started replacing index files. This was in the wee hours of Monday morning, and I didn’t notice. I went to work at the rental building the next day also without noticing. I didn’t notice in fact until 3 AM on Tuesday morning when I got up to feed the baby. I was just too damn tired on Monday to notice, and because there was no Apache downtime, I didn’t get any alerts as I would have in such a situation.

So I stayed up until 6 or 7 AM on Tuesday fixing the problem, that was a rough night. This hacker attack inserted iframes into index pages that would initiate a drive-by-download when users visited. Unfortunately for them, they failed. Their goal is to stealthily insert the code and then have it go unnoticed for weeks or months, in my case it was easy to see, and I would have noticed it easily had Monday been a normal day.

See, they inserted their iframe into a block of PHP code on my index page, oops. All they did was break the PHP, causing the index page to throw a parsing error. No infected page was served to users, and the homepage of the site was effectively down. Now, you never like having your homepage go down, but this site gets almost all of its entry traffic through subdirectories, and having the homepage break for a day, thus informing me of the attack, would be better than having nothing happen and having me not notice it.

So, 3 AM on Tuesday morning I notice the site broken. I think it’s odd for me to have left a parse error like that on a live page without double checking, so I pull up the file, check it, see the malicious iframe, and immediately go into defense mode. First step, change all passwords. Second step, fix the index page. I SSH’d into the server and scanned for other changed files; using Linux’s timestamps they were easy to find. They had changed about 50 or so index.php files (50 may seem like a lot, but the site has 4000+) in subdirectories. However, those files were all deprecated, the site switched to using cached plain index.html files awhile ago, so again, no infected files were served to users.

At this point I still didn’t know how access had been gotten, I was worried about script vulnerabilities most of all, and I looked, and looked, and looked, and couldn’t find anything. I was especially doubtful it was a script vulnerability because nothing was inserted into a MySQL database, and the php files that were edited could only be edited by root. I knew they didn’t have root, both because I was confident in the security of my root access, and also because only one site on the server was compromised (likewise, none of my other sites on any server were compromised).

I also suspected, though I did not yet know, that a keylogger on my own PC could have been the culprit, so I installed a few new AV programs and did a lot of scans to make sure my system was clean.

Eventually I figured out it was an FTP attack, but I felt fine about it. Passwords had been changed, logs checked and they didn’t FTP to get any important files, they didn’t touch any of my backend files where the database work is done, just those handful of index.php files with the iframes that never got served to visitors.

So, like two weeks later, I get a notice from one of my forum members. When visiting some of the pages on the site they were warned by Google it had malicious code. So I go check Google Webmaster Central where I have an account with this site verified, and yes, they report malicious code on many pages as recently as the current day. They’re also supposed to email you when that happens, I never got the email. They had apparently had parts of the site flagged for 10 days or more. Additionally, they had pages flagged that the hackers never touched. Had I not been busy with baby and business I may have noticed traffic plummeting, but I normally get traffic dips this time of year between school semesters, so I’m not sure I would have (though, this is now the lowest traffic has been in nearly 8 years probably).

So for the last few days I’ve been wracking my brain trying to figure out how Google is seeing malicious code on pages where I have gone over them, again and again, with a fine tooth comb. I even rebuilt apache entirely on the server. I could find nothing, and Google kept reporting seeing it.

So today I was going to finally cancel the old server. I had left it up because stupid search engine crawlers don’t update their DNS quickly enough. Regular ISPs will do it in hours, but for some reason search engines can go weeks without updating DNS. So I SSH’d to the server to check things out, I checked netstat, and sure enough, a bunch of Yahoo Slurps and a few Googlebots were still poking around on it. I thought, this is stupid, I know I set up an .htaccess redirect, why isn’t it working? So I go and read the .htaccess file.

Bingo.

I had never checked the old server after the attack, and I never changed the password on it. Turns out both the new and old servers had been attacked simultaneously, and while the new server had the attack stopped quickly, the old server let the attackers keep on coming for weeks. Eventually they replaced my redirecting .htaccess with one of their own which redirected visitors to their spam site, which in effect infected all URLs on the site.

So, for the handful of Googlebots that were using the old DNS (and anyone else), when they’d visit the site they’d see the infection and flag the URL, but since most Googlebots had the new DNS, they saw a clean site and that is why I was seeing inconsistencies.

I’ve lost a lot of money over this incident, probably over a thousand dollars in lost ad revenue because of the traffic loss, assuming I can get the Google warnings removed quickly now. Assuming there are no long-term losses in traffic or search rankings, I think I got off light. It is a lot of money, but it was an important lesson to learn. I never thought to check the old server. Money lost or not, I’m just happy to finally know the cause of the malware flags, and to know that I have corrected the issue. I’ll be able to stop stressing out over something I couldn’t figure out.
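The two checks the story turns on, finding files modified after a known-good time and spotting an injected iframe or a hijacked .htaccess redirect, as a script you could run over SSH on both the old and the new server. This is an added example, not the author's code; the host names, paths and sample file contents are constructed for illustration.

```python
"""Sweep a web root for the symptoms described in the post: files touched after
a known-good time, injected <iframe> tags, and an .htaccess that now redirects
visitors off-site. Added example, not the author's code; hosts and paths are assumed."""
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Redirect/RewriteRule lines whose target is an absolute URL.
REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+.*?(https?://\S+)",
    re.IGNORECASE | re.MULTILINE)

# Constructed samples (not real artifacts from the incident).
CLEAN_HTACCESS = "Redirect 301 / http://new.example.com/\n"
HIJACKED_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://spam.example.net/$1 [R,L]\n"
INFECTED_INDEX = '<?php\n$a = 1;<iframe src="http://bad.example.org/x" height=1></iframe>\n?>\n'


def injected_iframes(text):
    """Every <iframe ...> opening tag in a file; the site's own index pages have none."""
    return IFRAME_RE.findall(text)


def htaccess_redirect_targets(text, own_hosts):
    """Hosts an .htaccess redirects to, excluding our own (the old-to-new server
    redirect is expected); anything else is the hijack symptom from the post."""
    own = {h.lower() for h in own_hosts}
    hosts = [urlparse(m.group(1)).hostname for m in REDIRECT_RE.finditer(text)]
    return [h for h in hosts if h and h.lower() not in own]


def scan_content(path, text, own_hosts):
    """Findings for one file as (kind, detail) tuples."""
    findings = [("iframe", tag) for tag in injected_iframes(text)]
    if os.path.basename(path) == ".htaccess":
        findings += [("redirect", h) for h in htaccess_redirect_targets(text, own_hosts)]
    return findings


def sweep(root, since_epoch, own_hosts):
    """Like `find root -newer ...` over SSH: read files modified after since_epoch
    (and every .htaccess regardless of mtime) and return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name != ".htaccess" and os.path.getmtime(path) <= since_epoch:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_content(path, fh.read(), own_hosts)
            if findings:
                report[path] = findings
    return report
```

Run `sweep("/path/to/public_html", known_good_epoch, {"your-new-host.example"})` on each server; an .htaccess pointing anywhere but your own hosts is the exact failure the old server had.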

What follows is a list of IP addresses that were involved in the attack on my servers. Obviously these IPs are just infected members of the hacker’s botnet, but I thought it was worthwhile to block them in my firewall, and I include them here if any of you want to do the same. The first IP in the list has special significance, it was the IP that did the .htaccess modifications on the old server, all the other IPs just edited (over and over) index files.
