Happy birthday to Andy Dickson

28 02 2006

Who turns a whopping 32 years old today. Get your order in for Cialis now, buddy.

Supporting Pakistani Terrorists

24 02 2006

If you've noticed that Coomey.net has been gone for the past few days, there is a pretty good reason for it. I'd been hacked. By Pakistani terrorists. Here's the scoop:

On Tuesday night, I got home from work and my cable Internet connection was shut off. I called Charter and they told me that they had received a complaint that my IP address had been serving phony PayPal phishing pages. After talking with Charter's incident response dude, they turned my connection back on. I did a quick scan of the webroot of my web server (YDL Linux 4.1) and didn't see any signs of mischief. I figured that at worst my DNS was temporarily hijacked and my domain name was pointing to some bad guy's machine.

Fast-forward to Wednesday night. This time I get home and my dynamic DNS provider (ZoneEdit) had suspended my service. Here we go again. PayPal had sent details of this PayPal phishing issue to ZoneEdit. I dug a little deeper into my webroot...

...and found a 'hidden' directory called .tikiwiki (note to self: always use a -a flag when doing an ls). Sure enough, someone had indeed hacked the box and placed all kinds of phony PayPal forms on my machine. A scan of the Apache logs proved that some folks were indeed tricked and submitted their personal information via my website to an unknown scammer. Yikes, this is bad.

I quickly removed the offending files and did a comprehensive scan of the source code of the phony forms, which are all unsophisticated PHP scripts. Essentially they fake people into entering all their credit card info and then email the information to an email address. A hard-coded email address even: chinioti@gmail.com. I did a quick Google search on this email address, and it looks like this character is a Pakistani (probably about 15 years old in my opinion from his 'Net ramblings) who is part of a hacking group called Whackerz Pakistan (have as much fun with that name as you see fit :-)) that has been very busy defacing Western websites in the name of Islam after the whole Danish cartoon affair. It's scary that these folks did not deface my site. They most certainly wanted nobody to know they were there. Creepy.

Still, I have no idea how they got in. Looks like they didn't brute-force an SSH login, which I originally thought. Perhaps a security hole in the blog engine Serendipity? If anyone has any ideas on how they could have gotten in, I'd be extremely grateful.
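
The two checks described in this post (listing dot-directories that a plain ls hides, and scanning the Apache access log for form submissions into them) can be scripted. This is an added example, not part of the original post; it assumes Apache common/combined log format, and the sample log lines, client addresses and the file name login.php are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find dot-directories in a webroot and POSTs sent into them.

# List hidden directories under a webroot (the ones `ls` without -a skips).
hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' -print | sort
}

# From an Apache access log, print "client path" for every POST whose URL
# path has a dot-prefixed segment such as /.tikiwiki/ (query string removed).
# Legitimate dot-paths like /.well-known/ will also match and need review.
posts_to_hidden() {
    awk '{
        method = $6; sub(/^"/, "", method)   # field 6 is "POST with a quote
        path = $7;   sub(/\?.*/, "", path)   # field 7 is the request URL
        if (method == "POST" && path ~ "/[.][^./]") print $1, path
    }' "$1" | sort -u
}

# Constructed sample: a webroot with one hidden directory and a short log.
make_sample() {
    mkdir -p "$1/htdocs/.tikiwiki" "$1/htdocs/blog"
    cat > "$1/access.log" <<'EOF'
198.51.100.4 - - [21/Feb/2006:19:02:11 -0600] "GET /blog/index.php HTTP/1.1" 200 8121
203.0.113.9 - - [21/Feb/2006:19:05:40 -0600] "GET /.tikiwiki/login.php HTTP/1.1" 200 4310
203.0.113.9 - - [21/Feb/2006:19:06:02 -0600] "POST /.tikiwiki/login.php?step=2 HTTP/1.1" 200 512
198.51.100.4 - - [21/Feb/2006:19:07:30 -0600] "POST /blog/comment.php HTTP/1.1" 302 0
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
echo "Hidden directories in webroot:"
hidden_dirs "$demo/htdocs"
echo "POSTs into hidden paths (possible victim submissions):"
posts_to_hidden "$demo/access.log"
rm -rf "$demo"
```

Each client address the second function reports is a likely victim submission, which is the list an abuse desk or the impersonated brand will ask for.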


Happy Birthday Fool

20 02 2006
Happy birthday to Chris. You are turning what... 27 today? Jesus. I promise not to give you a night at the rifle range as a gift. ;-)

Get well little guy

19 02 2006
Little Tristan had a wee accident and broke a bone in his leg on Friday. Get better big guy!

Walk the Walk...

17 02 2006

I ran across a really good blog entry by Clay Loveless (of Feedster fame) yesterday that really cut to the heart of what it means to call yourself a software developer. In his words: discipline. I highly recommend everyone who considers themselves a developer to give this a read and check his bullet points against their own development methodologies. Here are some of my favorite points from his blog entry:

  • You must be disciplined enough to write well-documented code.
    Yes, functionality counts, but if you're hit by a bus (or trampled by
    your fan club at an ego-rally) tomorrow, someone else has to take over
    your stuff and make sense out of it. For a pro, documentation isn't
    grunt work left to the community, or the peons. The pro just does it
    because it's what pros do.
  • You must be disciplined enough to write code with error reporting (by
    whatever name your language of choice calls it) cranked to the max.
    use strict, error_reporting(E_STRICT) on PHP5 or error_reporting(E_ALL)
    on PHP4, whatever: these modes of development
    weren't created to annoy you, they were created to save your ass and
    hopefully help you evolve into a better developer. Writing new code
    under something as sloppy as 'error_reporting(E_ALL ^ E_NOTICE)' should
    be an absolute last resort.

Enjoy.



A Comprehensive PHP Framework (Finally!)

14 02 2006

Somehow I missed this news back when it was announced, but Zend (the PHP Company) has announced the PHP Collaboration Project. The aim of this project is to leverage the power of some really big hitters in the IT world (IBM, Oracle, Intel and others) to drive PHP into the enterprise market and the future. If there is one trend when it comes to PHP (as well as other open source web app languages like Ruby), it is that it has been seeing steady uptake in the enterprise, by leaps and bounds over the last few years. Look out .Net and J2EE.

The most interesting development from this project I think is the announcement of a forthcoming Zend PHP Framework. What's a framework, you ask? Simply put, a framework is a re-usable set of code, or library, that is engineered to perform the common tasks that almost all web apps do like database connectivity, LDAP directory searches, security, user management, etc. For instance, I've created several apps using PHP at work. All of them do these common things, and I had to re-write or re-tool the same code over and over again. With a framework, I've got this stuff already built to begin with. I don't have to worry about the plumbing, framing and infrastructure of an application, I just have to build the house around it.

Sure, there are lots of PHP frameworks out there like PRADO, Symfony and others. I myself was seriously looking into using the absolutely fantastic, enterprise-grade Cerebral Cortex framework. (The maintainer, Davey Shafik, has since stopped development of Cortex and has moved to the Zend PHP Framework team. Congrats, Mr. Shafik!)

The future is bright for the PHP community. Hang on to yer hats.