backwp.php in Twenty Eleven Theme

Some of you know that my blog was under attack a few months back. I have been taking care of my blog’s security as much as I can since then. One of the things I did is that I installed WP-Malwatch to scan for suspicious activities on my blog every day. That plugin is kinda useful, tho.

I received a notification from that plugin this morning saying that it suspects some viruses on my blog, so I quickly logged in and scanned my current template manually on the dashboard. I found one new file called backwp.php inside the theme folder.

I’m guessing that it might be the back-up file of the Twenty Eleven theme, but I couldn’t find any information on the theme download page, so I posted a question about that file on the forum and am still waiting for the answer. Let me know if you have any idea about this file. For the time being, I deleted this file and tested my blog. It’s still working. I think that it’s very safe to delete that file.

Another weird thing which has been happening since I started using the “Twenty Eleven” theme is that I’m getting this error often when I’m playing around in the dashboard area. I tried contacting the people behind this theme and got no reply from them.

This theme is awesome and it was created by the official wordpress.com team, but after using it for a while, I realized that this theme comes with quite a few problems as well. Maybe it’s time for me to look for a new theme.

I’m back!!

Good evening guys! Yeah, I’ve been away from blogging for several months. I’m so sorry about that. I tried writing some posts during these days but I couldn’t manage to finish them, and they are still lying in my draft list. Anyway, I’m glad that I am finally able to come back to this blog and update you guys about what I’ve been doing during my absence.

Elena Sync

First of all, I’d like to introduce you to my first baby. Her name is Elena Sync and she is 8 months old now. She has big cute eyes. :) I’ve been playing with her most of the time.

Fitness/Dance

As a software guy, I’ve been spending so much time in front of the computer, staying up late and eating junk food and drinking beer in the middle of the night during the past few years. As a result, I was gaining a lot of weight and it affected my health as well. So, I decided to join a local gym called FitnessFirst and hired a personal trainer to train me hard. After that, I managed to lose around 18 kg (of course, after spending a lot of time and money). ^^

I also joined a Melbourne Shuffle class at R! studio and used to attend a Yoga class at Fitnessfirst as well.

New Job

I worked as a Solution Architect developing brain training games/applications with Silverlight/Windows Phone 7 at Memolife. For some reasons, I resigned from Memolife and joined Alex Golesh‘s company called Sela International (and Simulation Software and Technology) in Singapore. (Thanks to Alex!) I will be participating in giving training, consulting and making the training materials for Sela. I’m pretty excited about this job. Wish me luck!


Silverlight Guys, What should we do next?

A couple of months back, my boss came back from Norway and the UK. He met one guy from Google. That guy told my boss that HTML 5 is the future and that we should focus more on HTML 5 than on Silverlight, which we are currently using. When my boss got back to the office, the first question he asked me was whether we should move to HTML 5 instead of Silverlight for our next products. To me, this question is NOT something new, because I know that it’s just a matter of time; someone will ask this question sooner or later. I have even asked myself this a lot of times since long ago. I’m working with Silverlight, but I’m also watching HTML 5, CSS 3 and ECMAScript 5 (JS 1.8.5) very closely, and I even subscribed to the HTML 5 working group mailing list, so I guess I know what’s happening in both the Silverlight world and the HTML 5 world.

Coincidentally, what the top guys from Microsoft said at PDC 2010 made a lot of noise in the Silverlight community, so it got a bit noisy in our office as well. So, I’m writing this post to share how we can simply answer this kind of question and some of my thoughts about the “Silverlight Vs HTML 5” debate. If you are running a company and having some doubts about investing money in Silverlight for your future products, then I hope this post might help you clear some of your doubts. But of course, I’m not a big guy from any giant company and I have no control over either Silverlight or HTML 5 (or any other technology.. :-) ), so I don’t mind if you think this post is crap. :) All I can say here is that I’m just a guy who loves cool technologies, so this post has nothing to do with Microsoft or any other company. All of it is purely based on my personal point of view.

The first thing that I consider is the status of HTML 5. What is the current status of HTML 5? HTML 5 is still under (heavy?) development and it will take some more time to get the final version. Let’s forget about when the browser guys will finish the implementation. The standard recommendation document itself has not been finalized yet. So, when will HTML 5 be finished? I think nobody knows the exact date of the HTML 5 release at the time of writing. According to the WHATWG FAQ, they are no longer working specifically on HTML5. Initially, the editor estimated that they’d reach Last Call in October 2009, Candidate Recommendation in the year 2012, and Recommendation in the year 2022 or later, but they also said that they are no longer working on it, so we don’t really know when it will be finished either. Let’s take a look at how many of HTML 5’s new features each browser supports now. (Note that there might be a lot of ways to test those new features in browsers, but a simple guy like me uses the very simple “Acid for HTML5” website in this comparison.)

  • Google Chrome (version: 7.0.517.41 beta): 231 and 12 bonus points
  • Safari (on Windows) (version: 5.0.1 (7533.117.8)): 207 and 7 bonus points
  • Opera (version: 10.63): 153 and 7 bonus points
  • Mozilla Firefox (version: 3.6.10): 139 and 4 bonus points
  • Internet Explorer 9 (version: 9.0.7930.16406): 27 and no bonus points

Note: According to the IE Test Center, there are a lot of tests and IE 9 is the top one among the browsers. I’m not really sure about those tests and I don’t know the differences between “Acid for HTML5” and the IE Test Center. Please feel free to drop a comment if you know the differences. Thanks.

As you can see, each browser has a different score for HTML5’s new features. Can you guess how long it will take to have all browsers support all the new features of HTML 5? Do you remember the time when we were in the Ajax world and suffered a lot implementing different tricks for different browsers?

If you look at the Silverlight world, we are already at version 4. Silverlight works exactly the same in the following browsers. So, it saves a lot of time that would otherwise go into implementing hacks for different browsers.

  • IE 6 (SP1, SP2), IE 7, IE 8 and IE 9
  • Firefox 3
  • Safari
  • Google Chrome

But I didn’t say that both Silverlight and HTML 5 are cross-browser things. Well, we started learning Silverlight because MSDN mentioned that it’s cross-browser, but the truth is that the term “Cross Browser” can mean different things to different people. Does “cross browser” mean it works in each and every browser and on each and every platform? Trust me, there is no such thing that works in all browsers on all platforms. So, does it mean all major browsers and major platforms? Well, Microsoft doesn’t support the Linux platform officially until now. So, let’s be realistic: how many browsers support all features of Silverlight and all features of HTML 5? As I mentioned above, there is currently no browser that supports all features of HTML 5 (and nobody knows what all the features of HTML 5 are until WHATWG releases the recommendation). For Silverlight, there are four browsers that are officially supported by Microsoft, and all Silverlight features will work the same on all supported browsers. Do you see the big difference?

What about tools and languages? HTML 5 is everything. It’s just a markup language, so you will have to use at least JavaScript and CSS in order to develop HTML 5 websites or applications. Sometimes, we may even want to use a server-side language like C#, Java, PHP, etc. If you are using Silverlight, you can use managed code like C#, VB.NET, etc. But one thing for sure is that there is no good or bad choice of language. Some developers love JavaScript and some prefer C#. It’s all about personal preference. I love both C# and JavaScript. But for our company, we already have applications which are developed in Silverlight. So, converting all applications to HTML 5 with JavaScript is a huge thing for us to do, and it has no big value for us either.

As of now, HTML 5 is damn hot because most of us are assuming that all browser guys will be supporting HTML 5 in all browsers, so once we develop one application in HTML 5 it will be able to run on each and every browser or platform. One shot, all birds die! Nice, huh? But wait, do all browsers support HTML 5 now? Nope. I already mentioned the comparison above. Are all browsers going to support HTML 5 very soon? Not likely. I’m pretty sure that it will take some time.. maybe 1 or 2 years.. 4 or 5 years.. or even more..

So, what should we do next?

Well, it’s very obvious that it’s still safe for us to use Silverlight for our products. Did Microsoft’s strategy and focus shift to HTML 5? We don’t know. Bob Muglia, President of the Server and Tools Division at Microsoft, mentioned in his post that Silverlight is very important and strategic to Microsoft and that they will be working hard on the next release of Silverlight. But he didn’t say that the strategy didn’t shift. So, we can also assume that the strategy might have shifted but that they will still be investing money in Silverlight.. Nobody knows whether it is going to be less investment or not. However, I’m very sure that Silverlight still has a big future… Silverlight is not just for the web after all. We can use it for developing out-of-browser applications and Windows Phone 7 applications as well.

But of course, as developers, we can’t totally depend on one technology only. So, it’s better if we keep our eyes open for other interesting things including HTML5/CSS3/JS1.8, Node.js, Google Go, etc. as well, so we can use them when we need them. :)

What do you think? :)

My blog was under attack

Bad news, guys.. My blog was under attack several times during this year. (Thanks to my readers who informed me about the problem.) I have successfully removed the injected script from my blog, so it’s safe for you guys to read my blog again. (Actually, it was safe for you guys anyway, because the domain in the injected script is on the blacklist, so the browser will automatically block you from accessing it.) In this post, I will tell you about the injected script and the list of changes that I made to prevent this from happening again.

The attacker was targeting the footer.php file in the theme that I’m currently using. The following script was injected into the footer.php file.

The Injected Script

Fig 1: The injected script

Analyzing the Javascript

By looking at the script, I knew that that person was using the JavaScript function “unescape” to decode his encoded string. But I couldn’t tell what he wrote in that encoded text. So, I used the online JavaScript Escape/Unescape Converter tool to decode the string.

I copied the whole text, pasted it into the “escape text” textbox and clicked on the “Complete Unescape” button.

Here is what I got for the first conversion.

Fig 2: The decoded script - part 1

As you can see, the text was encoded twice, so I copied the text between the unescape brackets and converted it again on the converter webpage.

Here is the second part of the decoded script.

Fig 2: The decoded script - part 2

There are some % codes (e.g. %62) in the URL, but it’s very easy to figure out what they are. I went to the “HTML URL Encoding Reference” page and got the ASCII characters for the four codes.

  • %20 = {whitespace}
  • %62 = b
  • %65 = e
  • %63 = c

The purpose of this script is that when a user accesses my blog, it shows the site below in an iframe. But luckily, this site is on a blacklist, so most browsers will warn you or refuse to show that site, and the attacker will not get what he wanted.

Fig 3: Black website
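The decoding steps above (two rounds of unescape, then percent-decoding the URL) can be done offline rather than by pasting the script into a web converter. The following Python script is an added example, not code from the original post: it peels nested unescape() calls until none remain, then percent-decodes any URL left in the innermost layer and flags a 1x1 iframe. The injected script itself is not reproduced here; the sample is constructed inside the block with example.invalid standing in for the blacklisted domain, and the function names are my own.

```python
import re

# Characters that JavaScript's escape() leaves untouched (assumption: the helpers
# mirror escape()/unescape() so the constructed sample round-trips exactly).
_JS_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_escape(text):
    """Encode like JavaScript's escape(): %XX for Latin-1, %uXXXX above that."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch in _JS_SAFE:
            out.append(ch)
        elif code < 256:
            out.append("%%%02X" % code)
        else:
            out.append("%%u%04X" % code)
    return "".join(out)


def js_unescape(text):
    """Decode like JavaScript's unescape(): handles both %XX and %uXXXX."""
    def repl(m):
        hexpart = m.group(1) or m.group(2)
        return chr(int(hexpart, 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, text)


# Matches unescape("...") / unescape('...'). The encoded argument never contains a
# literal quote, because escape() turns quotes into %22 / %27.
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_URL = re.compile(r"""https?://[^\s"'<>]+""")
_TINY_IFRAME = re.compile(r"""<iframe[^>]*\b(?:width|height)=["']?[01]["']?""", re.I)


def peel_unescape_layers(script, max_layers=10):
    """Return [original, layer 1, layer 2, ...] until no unescape() call is left."""
    layers = [script]
    current = script
    for _ in range(max_layers):
        m = _UNESCAPE_CALL.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
    return layers


def analyze(script):
    """Decode every layer, then report what the innermost layer points at."""
    layers = peel_unescape_layers(script)
    final = layers[-1]
    return {
        "layers": len(layers),
        # URLs may still be percent-encoded inside the decoded script (%62 = b, ...)
        "urls": [js_unescape(u) for u in _URL.findall(final)],
        "hidden_iframe": _TINY_IFRAME.search(final) is not None,
        "decoded": final,
    }


# Constructed sample: a 1x1 iframe loader wrapped in two escape() layers, the shape
# the post describes. example.invalid stands in for the real blacklisted domain.
_PAYLOAD = ('document.write(\'<iframe src="http://example.invalid/%62%65%63" '
            'width="1" height="1"></iframe>\')')
_LAYER1 = 'eval(unescape("%s"))' % js_escape(_PAYLOAD)
SAMPLE_INJECTED = 'eval(unescape("%s"))' % js_escape(_LAYER1)


if __name__ == "__main__":
    report = analyze(SAMPLE_INJECTED)
    print("layers decoded :", report["layers"])
    print("hidden iframe  :", report["hidden_iframe"])
    print("urls           :", report["urls"])
    print("final script   :", report["decoded"])
```

Running it prints three layers (the script as found, the once-decoded script, and the plain document.write with the iframe) and the URL with %62%65%63 resolved to bec. Because js_unescape only runs one pass per layer, the %62-style codes inside the URL survive the two unescape rounds exactly as they did in the converter, which is why the URL is decoded separately at the end.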

I thank him for not deleting any data or anything. It encourages me to take good care of my site even though I’m very busy. :)

What did I change to prevent this?

I changed the following things, but honestly, I have no idea whether they will work or not. I will have to wait a few months or a year to see the result. I’m posting this because if you are facing the same problem I had and you don’t know what to do, then you can probably try doing the same things I did. Please feel free to let me know if you have any better idea or suggestion.

Tips

  1. Ensure WordPress and all plugins are up to date.
  2. Delete all unnecessary plugins or themes that you are using on your blog. If you have other extra files on your host, delete them as well.
  3. Disable unused accounts on your host and change the password of the current account that you are using.
  4. Use auto-backup software or a plugin, etc. to back up all files (including images, samples) and the database.
  5. Double-check the security settings of your blog (you can read the best practices for WordPress security at this link: Hardening WordPress). If you are not familiar with those things, then you should ask your hosting provider to help you or get someone to do this.
  6. Install some security plugins. I installed the following plugins for security on my blogs:
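Tip 2 above, and the way the stray backwp.php was noticed earlier on this page, both come down to knowing which files are supposed to be in the theme folder. The script below is an added example (not from the post or from any plugin it names): it records a SHA-256 manifest of a theme folder while it is known-clean, reports files that appeared, vanished or changed since then, and greps the added/changed files for the obfuscation patterns seen in the injected footer.php. The theme files, the altered footer.php and the extra file are all constructed in a temporary directory; the pattern list and the function names are my own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns that are rarely legitimate inside theme files (assumed list; tune per site).
SUSPICIOUS_PATTERNS = (
    ("eval(unescape(...))", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("base64_decode(...)", re.compile(r"base64_decode\s*\(", re.I)),
    ("hidden iframe", re.compile(r"""<iframe[^>]*\b(?:width|height)=["']?[01]["']?""", re.I)),
)


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Files added, removed or modified relative to the baseline manifest."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in both if baseline[f] != current[f]),
    }


def scan_for_patterns(root, files):
    """Return {file: [pattern names]} for files matching any suspicious pattern."""
    hits = {}
    for rel in files:
        text = (Path(root) / rel).read_text(encoding="utf-8", errors="replace")
        names = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(text)]
        if names:
            hits[rel] = names
    return hits


def check_theme(root, baseline):
    """One integrity pass: what changed since baseline, and which changes look obfuscated."""
    current = build_manifest(root)
    changes = diff_manifests(baseline, current)
    changes["suspicious"] = scan_for_patterns(root, changes["added"] + changes["modified"])
    return changes


def demo():
    """Constructed scenario mirroring the post: footer.php altered, an unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "twentyeleven"
        theme.mkdir()
        (theme / "style.css").write_text("/* constructed stand-in for the theme stylesheet */\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body>\n</html>\n")
        baseline = build_manifest(theme)  # taken while the theme is known-clean

        # Simulated tampering: an obfuscated loader appended to footer.php, plus an
        # extra file (constructed content, not the real backwp.php from the post).
        (theme / "footer.php").write_text(
            '<?php wp_footer(); ?>\n<script>eval(unescape("%64%6F..."))</script>\n</body>\n</html>\n')
        (theme / "backwp.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        return check_theme(theme, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10}: {value}")
```

In practice you would save the baseline manifest (for example as JSON) right after installing a clean copy of the theme and run check_theme from cron; an entry under "added" is worth a look even when no pattern matches, which is exactly the backwp.php situation, where the file was unexplained rather than obviously malicious.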

Well, that’s all that I did. Like I mentioned, let me know if you have any better way to secure a WordPress blog. Thank you all for reading.. :)


Updates

Good morning! I hope you guys are doing well. I’m doing all right. I’ve been so busy lately and was not able to update anything on my blog for a long time. I’m very sorry about that. The problem with me is that I want to know or experiment with a lot of things, so I keep on taking more tasks even though I already have a lot of things in my hands. In the end, I always end up working late or working on weekends. I know this is definitely not a good way of living.. I will have to manage my time carefully and need to put more effort into planning.

Okay. Let me update you guys on what I’m doing lately.

Changes in my blog

I managed to spend some time changing a few things on my blog today. I had wanted to make those changes for a long time, but it took quite a while to finish the whole thing, so I ended up rolling back my changes after doing bits here and there. Finally, I finished changing almost everything that I wanted for my blog. I’m very happy about it. :)

1. New Theme

I’ve been using the WordPress theme called “Fluid Solution 1.0” created by Viktor Persson on my blog for a long time. I forgot to blog when I changed to that theme, so I don’t remember how long my blog has been wearing it. (BTW, if you are interested in viewing my old blog themes, you can check them here, here and here.) I’m glad that I finally found a new awesome theme created by Shlomi Noach in the WordPress theme directory and I’m going to start using it for my blog.

2. Feedburner

I accidentally removed my Feedburner image when I switched my theme from Freshy to Fluid Solution. I got some feedback from my readers saying that they had trouble finding my RSS feed, so I re-added the Feedburner image that I used to have earlier. Now, you can click on the Feedburner image to subscribe to my feed. Or, click here to subscribe by email address.

I also added one more widget in the right bar so that you can subscribe to my feed by email address…

3. Social network sharing

I added three plugins that can help you share your favorite posts on your social network or with your friends. For me, I used to use browser plugins or copy the URL manually to share something that I like on a social network.

  • AddThis plugin: This is an official plugin from the AddThis team and it supports 305+ social networking services.

  • Easy Retweet: I added this plugin as well for retweeting your favorite post on Twitter. Note that you will be able to see this in individual posts only, not on the home page or list..

  • TweetMeme Retweet Button: This plugin is pretty cool, very stylish and well written. But I feel like Easy Retweet and TweetMeme overlap a bit. I can’t decide which one will work best for you guys. Feel free to give me feedback on this. I will see whether I should keep both or remove either one based on your feedback.

  • Kouguu FB Like: If you are a Facebook user like me, you might want to share your favorite things with your Facebook friends. That’s why I added the “Kouguu FB Like” plugin to my blog, so that you guys can simply click on the “Like” button as you usually do whenever you feel like sharing my articles with your friends.

  • Wickett Twitter Widget: Well, this is not really a sharing plugin, but it will show you what I tweet on Twitter. I hope this plugin will be useful when I can’t update my blog so often, so my readers can read my Twitter instead. By the way, my Twitter id is @michaelsync in case you didn’t know..

I installed a few plugins like Fast and Secure Contact Form, WP Security Scan, WP-MalWatch, etc. as well. That’s all for my blog.

Job

I’m sure that you guys already know that I left Xuenn last year. And then, I joined Consistel and worked on WPF projects for 7 months. After that, I recently joined Memolife as a Solution Architect to develop/refactor their Silverlight games. Don’t ask me why I moved from one company to another so quickly. :) I will probably write about this in a different post. Memolife is an interesting startup company, and they are focusing on developing Silverlight games that can help users increase their memory capacity and help them memorize more things. We are currently refactoring our games and we will be using the following interesting things ~

  • Silverlight 4
  • Silverlight for Phone 7
  • Managed Extensibility Framework
  • Unity
  • Visual Studio Test Framework/Silverlight Test Framework
  • Moq
  • Enterprise Library or CLog (we haven’t decided yet)
  • Scrum for managing the project and some XP practices

Yeah. That’s pretty cool stuff. But of course, we are going to have a lot of challenges as well.

Education

I enrolled in the Master of Information Technology course at the University of Southern Queensland a few months back. I’m currently taking two modules per semester since I couldn’t study full time. I need to complete 12 modules to get the master’s degree and I hope that I will be able to complete this course next year.

Okay.. That’s all from my side. Now, you guys tell me what you are doing lately.. :)