A cryptocurrency-mining bot brute-forced into my WordPress site

Someone brute-forced into a client’s WordPress site and added cryptomining js. Good thing they knocked down an HTML div on their way out!

Yesterday, at my parents’ cabin outside Stockholm, me and my father were having an office session after breakfast. Me procrastinating thesis work, him doing whatever he was doing. At one point he needed to check something on the website of FactWise, a company where he is involved.

The website didn’t appear as it should. The carousel in the footer was broken and the subsequent contact details bar had been pushed off to the side.

Broken design

The FactWise website is one of the first I’ve made, at least counting those which are still up and running today. Dad had a friend do the design, and I turned the PSDs into a WordPress theme and set it all up on shared hosting. It’s not beautiful but it works – kind of.

When dad showed me the buggy appearance, I was running out of other things to do instead of studying, so I started looking into it immediately. My first guess was that a stylesheet ref was broken. I looked through the Network tab in Firefox Developer Tools to find any 404s, but what I found was something else.

Fix SSH backspace coming out as “^?”

When using SSH at FS Data, pressing backspace in Vim was coming out as ^?, so editing files was a hassle. (I am on a Linux workstation btw.)

I found a solution in the Vim documentation, via a Stack Overflow post. I just opened ~/.vimrc and added the following:

:if &term == "xterm-256color"
:  set t_kb=CTRL-V<BS>
:endif

Here, xterm-256color is whatever came out when I ran :echo &term inside Vim. CTRL-V<BS> is not those literal characters, but the key combination Ctrl+V followed by Backspace. It comes out on the screen as ^?, like in the screenshot below.

Duplicated id="x" in WP Meta Boxes

I am building a very minimalistic calendar plugin for WP (an idea that doesn’t seem to turn out very well so far), and I got a cryptic JS error when adding jQuery datepicker saying “a is undefined”. I debugged this for a good two or three hours, until today I tried replacing the minified datepicker.js file with source code.

The error turned out to be caused by the same HTML id being assigned to a meta box div as well as to a custom field.

function transparentcalendar_add_meta_boxes() {
    // The first argument becomes the HTML id of the meta box div.
    add_meta_box( 'transparentcalendar-time', __( 'Calendar', 'transparentcalendar' ), 'transparentcalendar_meta_box_time', 'post' );
}

function transparentcalendar_meta_box_time( $post ) {
    $time_current = transparentcalendar_post_get_time( $post->ID );

    // The input below reuses the meta box id, which is the duplicate that broke the datepicker.
    echo '<div class="form-field">
        <label for="transparentcalendar-time">' . __('Time', 'transparentcalendar') . '</label>
        <input id="transparentcalendar-time" name="transparentcalendar_time" type="text" size="20" value="' . esc_attr( $time_current ) . '" class="datepicker">
    </div>';
}

I have learned these two simple things:

    • Get an HTML validator browser plugin; with one I might have noticed the duplicated id earlier
    • Use a dev version of WP when developing, as it uses non-minified JS
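
The check an HTML validator performs for this bug, as an added example that is not part of the original post or plugin: it reports every id value carried by more than one element. The helper name findDuplicateIds and the sample markup (a meta box wrapper and its field) are constructed for illustration.

```javascript
// Added example: list id values that appear on more than one element.
// findDuplicateIds is a hypothetical helper; the markup below is constructed.
function findDuplicateIds(html) {
  const seen = new Map(); // id value -> tag names that carry it
  // Drop comments so commented-out markup is not counted.
  const body = html.replace(/<!--[\s\S]*?-->/g, '');
  // Start tags with their attribute text; quoted values may contain '>'.
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  // One attribute at a time, so " id=" inside another value is never matched.
  const attrRe = /([^\s"'>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of body.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      if (attr[1].toLowerCase() !== 'id') continue;
      const id = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (!seen.has(id)) seen.set(id, []);
      seen.get(id).push(tag[1].toLowerCase());
      break; // a second id attribute on the same tag is ignored by browsers
    }
  }
  const duplicates = {};
  for (const [id, tags] of seen) {
    if (tags.length > 1) duplicates[id] = tags;
  }
  return duplicates;
}

// Constructed sample: a meta box wrapper and a field inside it sharing one id.
const sampleEditorHtml = `
<div id="transparentcalendar-time" class="postbox">
  <h2>Calendar</h2>
  <div class="form-field">
    <label for="transparentcalendar-time">Time</label>
    <input id="transparentcalendar-time" name="transparentcalendar_time"
           type="text" size="20" value="" class="datepicker">
  </div>
</div>
<div id="postexcerpt" class="postbox" data-id="transparentcalendar-time"
     title="note: id=postexcerpt"></div>
<!-- <span id="postexcerpt"></span> -->
`;

console.log(findDuplicateIds(sampleEditorHtml));
```

Giving the field its own id (and pointing the label's for attribute at it) makes the report come back empty.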

Customer-specified price in Drupal 7 Commerce

Today, I spent several hours messing about with the Rules UI and googling Commerce docs and forums, trying to figure out how to provide a field where the customer can freely choose the price of a donation-style product. In the end, I found pointers to a method which turns out to work pretty well.

My use case

Donation as a Drupal 7 Commerce product. Donation amount can be chosen freely, above a fixed minimum. The customer/donor receives a reward (but that is not actually relevant here).


This is how I did it:

  1. Install Commerce Customizable Products
  2. Add price field
    1. Add a line item type at admin/commerce/config/line-items. It is created with a bunch of default fields, which you cannot change.
    2. Add a field of the Price type (TODO: Figure out how to set a minimum)
  3. Make it visible
    1. At the field display settings of your product display content type (something like admin/structure/types/manage/product-display/display), edit the settings for the product reference field. Change Add to Cart line item type to your new line item type. Click Update and Save.
  4. Make it count
    1. Add a new rule at admin/config/workflow/rules. Choose the event Calculating the sell price of a product.
    2. Add an Entity has field condition with commerce-line-item for Entity and your price field for Field.
    3. Add a Set the unit price to a specific amount action with commerce-line-item for Line item and something like commerce-line-item:field-donation-price:amount for Amount.

PhpStorm keymap in Ubuntu

I am used to using PhpStorm on a Mac, but now I am with Ubuntu on a ThinkPad so the keymapping is all off. I want to use the Mac OS X keymap, but contrary to my expectation, pressing the Windows key does not produce the Meta symbol so I cannot access half the shortcuts. I tried to find out how to make that happen, but to no avail. For now, I’m settling with the Eclipse keymap, with some modifications for my most habitual shortcuts.

Easy SSL on NearlyFreeSpeech

There is a technology that encrypts your internet traffic. It’s called SSL and it prevents third parties from snooping on what you submit on web pages – passwords and other data. If the website address you’re visiting begins with https, the site is SSL-enabled. Your browser will probably also show a padlock icon near the address.

I must admit I never quite got the hang of how it works. Not the encryption itself, but also not the creation, nor the nature, of those certificates that apparently are an integral part of the SSL technology. You need one for the website you want to enable SSL for, and they are something you have to pay someone for. That’s my vague conception.

Until I found out, just now, that my go-to web host NearlyFreeSpeech (NFS) has a one-line command that just does all that for you. That there is a project called Let’s Encrypt that (somehow) provides certificates for free, and NFS cooked up a script that sets it all up automatically. I literally ran the command and then it worked.

My conception about SSL is as vague as before, but at least I know it can also be really very easy.

Single-machine dev mail setup

I sometimes work on websites where sending email is a central task. To be able to efficiently test my code on my Ubuntu development machine, I have created a simple setup from the following requirements:

  1. No mail should reach the internet
  2. I should be able to quickly read every message that is “sent” from PHP

The strategy is to use Postfix to catch and save messages (and enable mail() at all), and Mutt to read them without any fluff.

Re-map obtrusive PrtSc key to take a webcam snapshot

I just switched from a MacBook Pro to a Lenovo ThinkPad, where I had Ubuntu installed. Switching OS is not too much of a problem, as I am already used to Ubuntu from before. What’s causing more irritation is the new input devices, i.e. the trackpad and the keyboard.

One of the more annoying features is the overly accessible Print Screen key, positioned right between AltGr and Ctrl. I have accidentally pressed it at least three times during the last few days, which on Ubuntu triggers a camera shutter noise and a dialog for the newly captured screenshot. It’s easy enough to ignore it and learn to simply press Esc and continue working, but I decided to do something more fun about it: When the key is pressed, take a photo with the webcam.