Removing and blocking Monero Crypto-currency-mining WordPress Malware

This is a quick note about how to remove and block Monero crypto-currency mining WordPress malware.

Symptom: You run WordPress on your Linux web server and its CPU is at 100% but it should not be.

Logging into the system, and looking at running processes, you see this:

The cron.php is allowing a backdoor to let bots run mining malware on your server. The /tmp/phprScAj0_j3oku523wjamvhep program is a Monero crypto-currency miner, making money for someone who broke into your system.

The temporary file /tmp/phprScAj0.c contents looks like this:

Kill the processes (replacing the process ids with the ones on your system):

Now remove the malware and secure your system:

  1. Install the Sucuri WordPress plugin – you can do this from WordPress plugins page by doing Plugins > Add New > (search for Sucuri)
  2. Download a new copy of WordPress and copy the new files over the infected ones listed by the plugin – via the command line
  3. Remove all non-Wordpress files listed by the plugin
  4. Install the iThemes Security WordPress plugin – you can do this from the WordPress plugins page by doing Plugins > Add New > (search for iThemes Security)
  5. Disable XML-RPC using the iThemes Security > Settings > WordPress Tweaks page
  6. Remove all php files from wp-content/uploads (these will be named like WordPress system files, but they are not):
  7. Disable PHP execution in the wp-content/uploads directory
  8. Now examine all your theme code for backdoors. You are looking for something like this:

    If you do the following you can rapidly page through all the php code looking for strange things like a big block of numbers like the above example:

    Remove the file or the offending block of code.

  9. Another way to find the files is the following:

    If the file only contains malware (a large eval block) just delete it.
  10. Find and remove files of the form favicon_0c57fe.ico – the letters and digits after the underscore can be different:

    These are not ico files, they have a php back door embedded in them.
  11. Look in wp-config.php for any weird looking includes – maybe including an ico file like the ones listed above. If you find any, remove them.
  12. You are done! – Watch your CPU graphs to make sure you really deleted it and it doesn’t come back.

I am not sure all the steps are needed, but this worked for me and keeps the bots out. I hope it helps someone else.


Google Analytics for WordPress and Shopp eCommerce plugins

I noticed that Google Analytics for WordPress has Shopp eCommerce plugin support that enables conversion tracking, but it doesn’t work on Shopp v1.2.9, the version I have.

I have a fix for this problem – I applied this fix and it works on my site.

You need to change the two lines in the Google Analytics for WordPress plugin file frontend/class-frontend.php function shopp_transaction_tracking that read:

to this:

I submitted this to the plugin author, Joost van de Valk via Yoast.com but he hasn’t gotten back to me, so I’m posting this in case it helps someone else.


Flickr get all image sizes bookmarklet

This is a bookmarklet that gives one-click access to all the Flickr image sizes on the new Flickr site. To use, click the bookmarklet when viewing an image. To install, copy the code, make a new bookmark, edit it, and paste the code into the bookmark’s address field. This has been tested on Chrome, Firefox, and Safari:


Building an Orone Mini part 2: solder paste stencils using gerber2graphtec

This is part of a series of posts about building an Orone Mini, a Maple Mini clone that is designed to be easier to build by hobbyists. It primarily uses surface mount technology, and there are a couple of fine-pitch (0.5mm) devices, so it’s not easy to solder by hand. This means I need to use a solder stencil.

I want to make my own stencils, since I want faster turnaround time. But how to do it? Adafruit has a great tutorial on making SMT stencils, but the final output step uses a laser cutter. I don’t want to buy a laser cutter, since they’re in the thousands of dollars – making my own laser stencil cutter is cool, but right now I don’t have the time for it. Making aluminum stencils also sounds cool but I don’t want to mess around with muriatic acid and other chemicals each time I want to make one.

On Hack A Day I heard about using a vinyl cutter to cut stencils which linked to Peter Monta’s wonderful program gerber2graphtec.

This is a command line program that takes gerber files output by an EDA program (in my case, Eagle) and turns them into something that the inexpensive Silhoutte Cameo stencil cutter can understand. You can get more info on Peter Monta’s SMT Stencil Cutting blog post, or this one at DM Studios on stencil cutting.

Here’s what worked for me:

  1. Graphtec Silhouette Cameo stencil cutter bundle – $270 as of the writing of this blog post, much less expensive than a laser cutter.
  2. 3M PP2500 overhead transparency film
  3. Avery 5353 full-sheet labels
  4. Citrasolv citrus solvent
  5. Dental pick
  6. Wide-field microscope (about $180; I also use it for SMT joint inspection) or magnifying glass

This is pretty much exactly as Peter Monta explains in his SMT stencil cutting blog post. I tried some of the other ways he thought might work – using the cutting mat instead of the full sheet label, or using spray-on removable adhesive. But these weren’t as successful – I think the Avery labels stick well and keep the plastic film from bending while the cutting is going on.

I’m on Mac OS X using Homebrew (rather than the MacPorts that Monta uses). Here’s the steps I went through.:

  1. Install the non-Python dependencies for gerber2graphtec:

  2. Make a Python virtual environment to hold the Python dependencies
  3. If you don’t have Python and pip, install them. (Using brew to install Python installs pip.)

  4. Install virtualenvwrapper and make a Python virtualenv to keep the Python dependencies separate from your global libraries (this step is optional):

  5. Install the Python dependencies:

  6. Clone the gerber2graphtec project

  7. Use an EDA tools to produce the solder stencil layer (tcream layer in Eagle) gerber files as in the Adafruit SMT stencil tutorial. I use a 1-mil shrink – that is, I shrink all the pads by 1 mil so the solder paste doesn’t overflow too much. This is a compromise – I’d really like to shrink by 3 or 4 mils, but the stencil cutter doesn’t produce perfect holes if I shrink the fine-pitch pads that much, and the solder paste I’m using (lead-free Kester NXP) doesn’t go through the small holes that well. 1-mil shrink seems to work fine.
  8. Check the gerber2graphtec options to get ready to convert your gerber to something the Cameo will understand:

  9. Process the tcream gerber file to make a file that can be sent to the Silhouette Cameo (.gtec file). These settings are for a 0.5 inch bounding box around the board outline; gerber2graphtec calculates the border from the bounding box of the stencil, which may not be the edge of the board. I’m adding an offset so the stencil is cut into the right edge of the sheet.

    I’m using 3 passes with increasing force – with three passes I can get almost perfect cut-outs of the fine-pitch pads.

  10. Attach a full sheet label to the transparent overhead film – make sure there are no bubbles and the film is firmly attached
  11. Set the 45 degree cutting blade to setting 1. (With the Avery 5353 labels stuck to the PP2500 film, I found blade length setting 1 perfect using 3 passes, first pass at force 8, second at force 15, third at force 29.)
  12. Load the film+label as media (without the cutting mat)
  13. Send the gtec file to the Cameo cutter:

  14. Unload the media, peel off the stencil:
  15. Remove paper from stencil by running under water and rubbing – this picture shows the stencil with the adhesive gunk still on it:
  16. Remove adhesive using Citrasolv and sponge
  17. Rinse with clean water and dry
  18. Examine under microscope or magnifying glass – remove chads that are still stuck using the dental pick

  19. Using the 3-pass progressively harder pressure, on a fresh sheet with no other stencils cut out of it, I can get almost perfectly square holes even on the fine-pitch pads. The picture above shows a 2-pass run I did on sheet that had other stencils cut out of it. I think the fine-pitch TQFP pads are distorted on this one because the Orone Mini has the STM32 fine-pitch TQFP part laid out on a diagonal – when I cut the test coupon that had fine pitch pads layed out straight, the fine-pitch pads came out almost perfectly:

    When I went to the 3-pass using a fresh sheet, my fine-pitch diagonal pads look like this too. Success!

  20. You are done!

(Part 1: Introduction)


Building an Orone Mini: part 1, introduction

I’m building a Maple Mini clone called the Orone Mini S8H as practice for building an Open Source EEG board. The Orone Mini is a board designed by Garry Bulmer in the UK. It’s software compatible with the Maple Mini but designed to be more easily made at home by hobbyists – it’s a two-layer board, and mainly uses larger 1206 size SMD components, on one side of the board only. Here’s a couple of articles about it: Improving the Maple Mini Part 1, Improving the Maple Mini Part 2. Here’s the Maple Mini specifications.

I got the boards made at the fabulous OSH Park:

This board uses a different mini-USB connector than the Maple, with a couple of tabs that make the board connection sturdier. I forgot to pick the right connector variant in Eagle when I submitted the board – so instead of slots for the connector’s tabs, there are a couple of plated holes that the connector won’t fit into. I had to get out the Proxon Micromot (Dremel-like tool) to router out two slots:

I’ll post updates on my progress here as I go along – so stay tuned!

(Part 2: solder paste stencils using gerber2graphtec)


WordPress botnet protection for websites on Apache 2

There’s a botnet out there that’s attacking WordPress sites, trying to brute-force guess their admin passwords. I recently got alerted there was a traffic spike on my website, which is unusual. I looked at the server access logs, and indeed, there was something trying to access my WordPress login page over and over. This is output from a tail /var/log/apache2/mysite-access.log:

So what to do? I looked around for an article on how to protect myself from the botnet, but didn’t find any good ones. So that’s why I’m writing this article.

WordPress security plugins

If you only have one or a few WordPress sites to protect, as the article I link to above mentions, it looks like you can install a plugin to protect you. Both these will automatically block logins from IPs after a certain number of failed login attempts. I haven’t tried either yet.

Apache mod_security

I wanted a solution that would work for all the WordPress sites on my server. That meant something at the Apache configuration level, or in the OS. I’m running Ubuntu 12.04. Here’s what I did, and it seems to work – this solution will block all attempts to log into WordPress except from a whitelisted IP address.

  1. Install Apache mod_securitymod_security is an Apache module that helps prevent attacks like this, and does a lot of other cool security stuff.
  2. Make sure you follow the instructions in the article above to install the default rule set
  3. Find out your IP address of your home network – one way is to type “What is my IP address” into Google.
  4. Add the following rules into your /etc/modsecurity/modsecurity.conf file:

    Replace the 1.2.3.4 with your home IP address. You can have multiple lines like this if you access your WordPress site from multiple IP addresses.
  5. Restart Apache:
  6. You are done. If you want, you can check your Apache logs to see there’s now 403 error codes being returned for the botnet requests.

The solution isn’t perfect, since you still get lots of “403 – Forbidden” log entries, but it’s better than leaving your WordPress site vulnerable.

Update: after I whitelisted my home IP, the botnet seems to have given up – after about 15 minutes the requests stopped coming.

Update: I posted the question and answer to Stack Overflow, since that will probably get more traffic than this blog post: How do I protect my WordPress/Apache website from a brute-force botnet attack?


Amazon Library Linky – search any Bibliocommons library while viewing Amazon product pages

You can install the Amazon Library Linky Chrome extension from the Chrome Store.

I ported the Amazon SPL Linky Greasemonkey script to Chrome and made it a proper Chrome Extension. This extension can search any Bibliocommons library, and has an options page where you can select which library you want to search. All of the participating Bibliocommons libraries are supported (about 50).

[Update:] You can see the source code here: Amazon Library Linky on Github.

If you try it out, will you let me know how it works for you?

The following Bibliocommons libraries are supported:

Austin Public Library
Barrie Public Library
Boston Public Library
Burlington Public Library
Brantford Public Library
Burnaby Public Library
Cooperative Computer Services
Chinook Arch Regional Library System
Christchurch City Libraries
CLEVNET Library Cooperation
Daniel Boone Regional Library
Edmonton Public Library
Fort Saskatchewan Public Library
Fraser Valley Regional Library
Greater Victoria Public Library
Halton Hills Public Library
Hamilton Public Library
Johnson County Library
Markham Public Library
Milton Public Library
Multnomah County Library
New Westminster Public Library
North Vancouver District Public Library
New York Public Library
Oceanside Public Library
Omaha Public Library
Oakville Public Library
Orangeville Public Library
Ottawa Public Library
Perth East Public Library
Pickering Public Library
Princeton Public Library
Red Deer Public Library
The Richmond Hill Public Library
Santa Clara County Library
Strathcona County Library
The Seattle Public Library
Shortgrass Library System
Salt Lake City Public Library System
Santa Monica Public Library
Stratford Public Library
St. Albert Public Library
St. Marys Public Library
Tulsa City-County Library
Vancouver Island Regional Library
New Brunswick Public Library Service
Vancouver Public Library
Whatcom County Library System
Whitby Public Library
Windsor Public Library
Woodstock Public Library
West Perth Public Library
Yarra Plenty Regional Library


Chrome Extension: Making Browser Action icon open options page

Here’s how to make it so clicking the Page Action icon of a Chrome extension opens the extension options page. This code will open a new options page if one is not open, or switch to it if it’s already option.

You will need the “tabs” permission in your manifest.json:

Put this code in your background.js file:


Finding the durations of MP4 files without downloading the entire file

I wanted to find the durations of a bunch of MP4 files located out on the net – durations for the introduction videos for the top Kickstarter projects.

But I wanted to do this quickly. Downloading all those MP4 files would take too long. A little bit of research revealed that MP4 files files set up for streaming have their metadata (or moov atom) at the beginning of the file.

Now I need a way to read just the metadata, without getting the entire file.

More research reveals that I can use curl and dd to get the first bytes of a file. For some reason ‘curl -r’ doesn’t work.

So now we’re ready to go.

I made a file that had one Kickstarter project URL per line. Here’s a couple of them:

This script will load the Kickstarter project page, and get the URL-encoded download link for the project’s introductory video, if there is one:

Now we need to URL-decode the URLs:

Now we get the durations from the video urls, you’ll need Python, pip, and virtualenvwrapper installed. We make a Python virtual environment, and install hsaudiotag module to decode the mp4 metadata:

This code uses curl and dd to download only the first 512-byte block of the MP4 file.

Now we analyze the durations using a simple R script, I am on a Mac so I need to use Homebrew to install R:

Output for the top 100 Kickstarter technology projects (by amount raised) – all numbers are in seconds:

The average duration of the top 100 Kickstarter videos is 203.3 seconds, or just about 3.38 minutes.


Thanks to:


Welcome to my Notes blog!

This blog is a place for things that are off-topic to my main blog, which is on Enlightened Society, Greatness, and Teams. I wanted somewhere to post articles on random things, like software or projects I am working on, recipes, and pictures of cats. :-)