A cryptocurrency-mining bot brute-forced into my WordPress site

Someone brute-forced into a client’s WordPress site and added cryptomining js. Good thing they knocked down an HTML div on their way out!

Yesterday, at my parents’ cabin outside Stockholm, me and my father were having an office session after breakfast. Me procrastinating thesis work, him doing whatever he was doing. At one point he needed to check something on the website of FactWise, a company where he is involved.

The website didn’t appear as it should. The carousel in the footer was broken and the subsequent contact details bar had been pushed off to the side.

Broken design

The FactWise website is one of the first I’ve made, at least counting those which are still up and running today. Dad had a friend do the design, and I turned the PSDs into a WordPress theme and set it all up on shared hosting. It’s not beautiful but it works – kind of.

When dad showed me the buggy appearance, I was running out of other things to do instead of studying, so I started looking into it immediately. My first guess was that a stylesheet ref was broken. I looked through the Network tab in Firefox Developer Tools to find any 404s, but what I found was something else.

From the Network tab

A few lines stood out and called for my attention: resources named “proxy” and “worker.wasm” on a domain called “”. The unfamiliar domain name immediately put my mind on cryptocurrency. After a few minutes googling on the leads, I noticed that the fan in my laptop was running wild. A CPU usage check revealed that a certain Firefox tab was using up all cores. Bitcoin mining.

How was the brain of my laptop being hijacked? How did the intruder gain access to the website, and what kind of access? I closed the tab and continued searching. I looked at the HTML source code, the Developer Tools network tab again, and the WordPress admin pages. The following points sum up my findings:

  • The intrusion was likely by brute force (trying different passwords one by one)
  • The theme editor was used to add obfuscated js containing binary sequences to footer.php
  • Client-side, the js probably fetched and executed cryptocurrency mining code through a proxy at
Obfuscated js
Part of the mining code

Fortunately, the second step in this procedure had been conducted a bit sloppily. A few lines of HTML were removed from footer.php for no reason. This is what messed up the appearance, which made my dad react and notify me.

So I removed the js and restored the missing lines in footer.php, changed the passwords of the website users and renamed the admin user. While I was at it, I added a favicon and enabled SSL.

I suppose the intruder has broken into and installed the mining code on a vast number of websites, and is making quite a pretty penny with this trick. On my end, I’m actually rather thankful that they didn’t erase the database or redirect visitors to scamming websites.


Fix SSH backspace coming out as “^?”

When using SSH at FS Data, pressing backspace in Vim were coming out as ^? so editing files was a hassle. (I am on a Linux workstation btw.) mistyped

I found a solution in the Vim documentation, via a Stack Overflow post. I just opened ~/.vimrc and added the following:

:if &term == "xterm-256color"
:  set t_kb=CTRL-V<BS>

Here, xterm-256color is whatever came out when I ran :echo &term inside Vim. CTRL-V<BS> is not those literal characters, but the key combination Ctrl+V followed by Backspace. It comes out on the screen as ^?, like in the screenshot below.vimbs

Duplicated id="x" in WP Meta Boxes

I am building a very minimalistic calendar plugin for WP (an idea that doesn’t seem to turn out very well so far), and I got a cryptic JS error when adding JQuery datepicker saying “a is undefined”. I debugged this for a good two or three hours, until today I tried replacing the minified datepicker.js file with source code.

The error turned out to be caused by the same HTML id being assigned to a meta box div as well as to a custom field.

function transparentcalendar_add_meta_boxes() {
    add_meta_box( 'transparentcalendar-time', __( 'Calendar', 'transparentcalendar' ), 'transparentcalendar_meta_box_time', 'post' );

function transparentcalendar_meta_box_time( $post ) {
    $time_current = transparentcalendar_post_get_time( $post->ID );

    echo '<div class="form-field">
        <label for="transparentcalendar-time">' . __('Time', 'transparentcalendar') . '</label>
         <input id="transparentcalendar-time" name="transparentcalendar_time" type="text" size="20" value="' . $time_current . '" class="datepicker">';

I have learned these two simple things:

    • Get a HTML validator browser plugin, thus I might have noticed the duplicated id earlier
    • Use a dev version of WP when developing, as it uses non-minified JS

Customer-specified price in Drupal 7 Commerce

Today, I spent several hours messing about with the Rules UI and googling Commerce docs and forums, trying to figure out how to provide a field where the customer can freely choose the price of a donation-style product. In the end, I found pointers to a method which turns out to work pretty well.

My use case

Donation as a Drupal 7 Commerce product. Donation amount can be chosen freely, above a fixed minimum. The customer/donor receives a reward (but that is not actually relevant here).


This is how I did it:

  1. Install Commerce Customizable Products
  2. Add price field
    1. Add a line item type at admin/commerce/config/line-items. It is created with a bunch of default fields, which you cannot change.
    2. Add a field of the Price type (TODO: Figure out how to set a minimum)
  3. Make it visible
    1. At the field display settings of your product display content type (something like admin/structure/types/manage/product-display/display), edit the settings for the product reference field. Change Add to Cart line item type to your new line item type. Click Update and Save.
  4. Make it count
    1. Add a new rule at admin/config/workflow/rules. Choose the event Calculating the sell price of a product.
    2. Add an Entity has field condition with commerce-line-item for Entity and your price field for Field.
    3. Add a Set the unit price to a specific amount action with commerce-line-item for Line item and something like commerce-line-item:field-donation-price:amount for Amount.

Lenovo K5 Quick Review


  • Cheap
  • Nice physical interface
  • Decent battery life


  • Poor camera picture quality
  • Headphone sound quality poor when not loud (e.g. quieter parts of songs)
  • Low speakers
  • Internal storage not huge
  • Moving apps to SD card is something I sometimes have to redo for the same apps
  • Apps sometimes have their icon duplicated when they’re updated (maybe related to the point above?)

PhpStorm keymap in Ubuntu

I am used to using PhpStorm on a Mac, but now I am with Ubuntu on a ThinkPad so the keymapping is all off. I want to use the Mac OS X keymap, but contrary to my expectation, pressing the Windows key does not produce the Meta symbol so I cannot access half the shortcuts. I tried to find out how to make that happen, but to no avail. For now, I’m settling with the Eclipse keymap, with some modifications for my most habitual shortcuts.

Easy SSL on NearlyFreeSpeech

There is a technology that encrypts your internet traffic. It’s called SSL and it prevents third parties from snooping on what you submit on web pages – passwords and other data. If the website address you’re visiting begins with https, the site is SSL-enabled. Your browser will probably also show a padlock icon near the address.

I must admit I never quite got the hang of how it works. Not the encryption itself, but also not the creation, nor the nature, of those certificates that apparently are an integral part of the SSL technology. You need one for the website you want to enable SSL for, and they are something you have to pay someone for. That’s my vague conception.

Until I found out, just now, that my go-to web host NearlyFreeSpeech (NFS) thas a one-line command that just does all that for you. That there is a project called Let’s Encrypt that (somehow) provides certificates for free, and NFS cooked up a script that sets it all up automatically. I literally ran the command and then it worked.

My conception about SSL is as vague as before, but at least I know it can also be really very easy.

Single-machine dev mail setup

I sometimes work on websites where sending email is a central task. To be able to efficiently test my code on my Ubuntu development machine, I have created a simple setup from the following requirements:

  1. No mail should reach the internet
  2. I should be able to quickly read every message that is “sent” from PHP

The strategy is to use Postfix to catch and save messages (and enable mail() at all), and Mutt to read them without any fluff. Continue reading “Single-machine dev mail setup”

Inviger äntligen min hemgjorda Kimchi

Min pappa är galen i att syra grönsaker, och jag har länge velat prova själv. Jag ringde och frågade om ett recept på kimchi, och fick ungefär följande instruktioner. Notera att framförhållning och en lufttät burk är viktiga beståndsdelar. (För intressanta utläggningar om kimchi och annan fermenterad mat hänvisar jag till valfri Wikipediaartikel, livsmedelsguru eller kökshipster.)

Recept (i teorin)

  • salladskål (aka kinakål)
  • daikon (kan ev ersättas med rättika eller rädisa), mellan 1/10 och 1/5 av den totala mängden
  • ingefära, ett par tsk per kg
  • vitlök, 2 klyftor per kg
  • 1,5-2 viktprocent salt
  • chilipulver (gärna koreanskt), ett par msk per kg (önskad mängd varierar förstås kraftigt med pulvrets styrka)

Continue reading “Inviger äntligen min hemgjorda Kimchi”

Re-map obtrusive PrtSc key to take a webcam snapshot

I just switched from a MacBook Pro to a Lenovo ThinkPad, where I had Ubuntu installed. Switching OS is not too much of a problem, as I am already used to Ubuntu from before. What’s causing more irritation is the new input devices, i.e. the trackpad and the keyboard.Thinkpad Print Screen key placement

One of the more annoying features is the overly accessible Print Screen key, positioned right between AltGr and Ctrl. I have accidentally pressed it at least three times during the last few days, which on Ubuntu triggers a camera shutter noise and a dialog for the newly captured screenshot. It’s easy enough to ignore it and learn to simply press Esc and continue working, but I decided to do something more fun about it: When the key is pressed, take a photo with the webcam. Continue reading “Re-map obtrusive PrtSc key to take a webcam snapshot”