Did Google Friends Connect Compromise My Blog?

Two days ago I added Google Friend Connect to my blog, and at first all seemed to be OK. Feeling confident, I went on to add the Social bar, which you may have seen on some sites and blogs, like the one pictured below.

[Image: Social bar preview as displayed by Google]

Looks good, no? So I thought. But now I believe that, unknowingly, I had opened a doorway for a hacker to get in. Yesterday at around 20:30 I published my last post, Make Money Blogging, and at around 20:45 I thought I'd take a look at my site to see how things were shaping up, only to be greeted by a "403 Forbidden: you have no access to this server" message. I was baffled!

My first thought was to check via the admin dashboard to see what the problem was, but once again I was greeted by the same message. Around the same time I received an email from my host that read:

We have detected that your hosting package (bloginstallationservice.com) is running a permanent server process. This is against our terms and conditions and may affect the web server's performance. Scripting has been disabled on this package, but FTP remains enabled. Please contact our support team to resolve this issue.

On raising a ticket I received a reply stating:

This means that a process on your site was running permanently and being picked up as a Daemon, which is something we do not allow on our shared servers.

Here is the system information regarding the permanent process,

SYSTEM - 2009-05-02 21:40:01: Daemon: 9514 bloginstallationservice.com "php5-cli" (/usr/bin/php5-cli) (154 s)
(/usr/bin/php5-cli wp-cron.php )
Scripting disabled.
Not many evil-looking GETs; falling back to POSTs
bloginstallationservice.com 82.17.87.72 - - [02/May/2009:20:44:20 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 211 "http://www.bloginstallationservice.com/wp-admin/post-new.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"
bloginstallationservice.com 82.17.87.72 - - [02/May/2009:20:45:20 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 211 "http://www.bloginstallationservice.com/wp-admin/post-new.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)"

I would suggest having a look at the plug-ins you have for your site as these may be causing the issue. I have re-enabled scripting so you can investigate.

From the above, the problem seemed to lie with the post-new.php file, so I took a look at it; at first I could not see anything out of the ordinary. I asked my host to reactivate the site so that I could investigate. Once that was done I decided to start with my last action, publishing my last post, which ties in with post-new.php. On editing my last post I hit the publish/update button and, boom, up popped the 403 Forbidden message again. There was my culprit!

So, I thought, it must be linked to the problem. I took a second look at the post-new.php script, this time comparing it to a fresh copy from a newly downloaded WordPress 2.7.1 package. Visually there seemed to be no additions to the file, but I noticed that the text in the original did not line up with the new copy: everything seemed to have shifted by a couple of spaces, as if a single character had been added somewhere. That's odd, I thought to myself.

Five attempts later I was still getting the same error, even though I had replaced post-new.php and post.php with fresh copies. I deactivated all plug-ins, with no resolution in sight. Then it dawned on me: the problem must be embedded deep in the core code or, worse still, in the database. Not having the time to go through the core code or the database, I asked for a reactivation, and this time I simply backed up both the DB and the WP installation to my desktop.
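The file comparison described above, done mechanically rather than by eye, as an added example that is not code from the original post: every file in the live install is hashed and checked against a fresh download of the same WordPress version, so a one-byte change in a core file, a stray file dropped into wp-admin, or a deleted core file is listed rather than guessed at. The skip list and the sample trees built in demo() are my own assumptions, constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumption: these paths legitimately differ from a fresh download, so they are skipped.
SKIP_PREFIXES = ("wp-config.php", "wp-content/")


def _hash_tree(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(SKIP_PREFIXES):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(installed_root, pristine_root):
    """modified: in both trees but different (injected code lands here);
    added: only in the live tree (dropped files); missing: only in the fresh copy."""
    live, fresh = _hash_tree(installed_root), _hash_tree(pristine_root)
    return {
        "modified": sorted(p for p in live if p in fresh and live[p] != fresh[p]),
        "added": sorted(set(live) - set(fresh)),
        "missing": sorted(set(fresh) - set(live)),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample trees (not a real install): post-new.php differs by
    one byte, an extra file sits in wp-admin, and wp-config.php is skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, site = os.path.join(tmp, "wordpress-2.7.1"), os.path.join(tmp, "site")
        for root in (fresh, site):
            _write(root, "wp-admin/post.php", "<?php // unchanged core file\n")
        _write(fresh, "wp-admin/post-new.php", "<?php // core\n")
        _write(site, "wp-admin/post-new.php", "<?php  // core\n")  # one extra space
        _write(site, "wp-admin/extra.php", "<?php // not part of the release\n")
        _write(site, "wp-config.php", "<?php // site specific, skipped\n")
        return compare_trees(site, fresh)
```

Run compare_trees() against a copy of the live site pulled down over FTP and an unpacked release archive of the same version; anything under the skipped paths still needs to be reviewed by hand.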

I deleted the entire site and dropped the DB, and to be on the safe side deleted it altogether to start afresh. I set up a new DB, this time changing the table prefix from the default wp_ to something unique, and imported my backed-up posts and comments into the new setup. Now everything is working perfectly :)

Did Google Friend Connect compromise my blog? I believe it did. I believe there is a flaw in the code that is prone to exploitation by hackers. I don't lay the blame entirely on the GFC script alone; I'm sure at least one of the plug-ins and the not-so-secure DB prefix contributed to the problem somewhat. I have PHP 5 and MySQL set up on one of my old PCs, so when I get some free time I'll be setting it up with WordPress on localhost, dump the backed-up DB and the XML file of contents, and see if I can find where the point of attack was. I'll be sure to post something should I be able to decipher it.

2 comments

Trackbacks and pingbacks

  1. Zulfikar
    New blog post, Did Google Friends Connect Compromise My Blog? - http://tinyurl.com/ddsqbs