Ugh


You may have noticed that the site has been down for a while. We were hit with a combination of problems.

First, we have been plagued by this idiot script-kiddie, the registrant for usuc.us:

(Information erased: a call to the person to whom the domain is registered reveals he has no idea what is going on. Does anybody know how to inform the domain name registry that it is registered under a false name and get it deleted?)

He has been running a bot that injects some JavaScript into a search string, which redirects the scienceblogs main page to Google, since the main page rather foolishly embeds the top search strings into the HTML. We’ve known about this for a few days.

Second, the sciencebloggers’ complaints about this have been effectively ignored by the management here (and I think many of us are getting more pissed about this neglect of an obvious problem than anything else.) Several of us have been running a rather kludgy and ugly workaround, inserting code on our pages that secretly runs searches, too, to displace Mr Sullivan’s hack from the list of top searches. This has caused performance problems—we’ve basically been trying to out-thrash the bot to keep it from taking over the main page. A more elegant way to fix this would have been to patch up the search display on the main page, but we don’t have access to that.

Third, in the midst of all the overwork to which we were subjecting MT and the server, MT ate a large chunk of the Pharyngula template code. Poof, my page disappeared. At least that absence reduced the server load so everyone else’s pages were running a little better.

Anyway, the bottom line is that right now the scienceblogs main page will occasionally whisk you off to google, the Pharyngula index page is a corrupt and broken shambles, and server performance seems to be up and down.
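The flaw described above (top search strings embedded into the main page's HTML as-is) and the fix on the display side, as an added example that is not the site's own code. Python stands in for the site's template layer; the function names and the sample queries are hypothetical and constructed for illustration.

```python
import html
import re

# Constructed sample of a "top searches" list. The second entry stands in for
# the bot's injected search string; it is not the real payload.
SAMPLE_TOP_SEARCHES = [
    "evolution",
    '<script>location.href="https://www.google.com/"</script>',
    "cephalopods & squid",
]


def render_top_searches_unsafe(queries):
    """The flaw: raw search strings are pasted straight into the markup,
    so a query containing a script element runs in every visitor's browser."""
    items = "".join(f"<li>{q}</li>" for q in queries)
    return f'<ul class="top-searches">{items}</ul>'


def render_top_searches_safe(queries):
    """The display-side fix: HTML-escape each query at output time, so the
    browser shows the string as text instead of parsing it as markup."""
    items = "".join(f"<li>{html.escape(q, quote=True)}</li>" for q in queries)
    return f'<ul class="top-searches">{items}</ul>'


# Characters and prefixes a plain-text search term has no reason to contain.
# This is a cleanup aid for the stored search log, not a substitute for escaping.
MARKUP_HINT = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)


def suspicious_queries(queries):
    """Return stored queries that look like markup, for review and removal."""
    return [q for q in queries if MARKUP_HINT.search(q)]


if __name__ == "__main__":
    print("unsafe:", render_top_searches_unsafe(SAMPLE_TOP_SEARCHES))
    print("safe:  ", render_top_searches_safe(SAMPLE_TOP_SEARCHES))
    print("flagged for cleanup:", suspicious_queries(SAMPLE_TOP_SEARCHES))
```

With escaping at the point of display, the injected entry can stay in the top-searches list without redirecting anyone, so there is no need to flood the search log to push it off the page.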

Comments

  1. quork says

    Are you sure he is the script-kiddy, or is it possible his machines have been subverted without his knowledge?

  2. ctenotrish says

    Ahh. Thanks for the info. I hope it is all fixed soon! I find that starting my day without a nice dose of Pharyngula, Scienceblogs, and Co. is much like starting my day without caffeine. It makes for a slightly cranky, not-on-the-top-of-her-game scientist. Off to double up on the coffee to make up for the temporary lack of blog . . . .

  3. says

    Good point, quork. When my identity was stolen (while on vacation!) I cursed the name that withdrew money from my bank, until my boyfriend pointed out that his identity had probably been stolen, too.

    Layers of evil!

  4. Mr.Prudent says

    Careful PZ! Unless they’re really stupid, in order to avoid tracing, the kiddies use other hijacked systems/networks as a launching pad for their attacks. Unless you’ve got definitive proof, it’s very likely Mr. Sullivan is also a victim here.

  5. says

    This explains a lot. I had automatic Google redirect problem quite a few times in the past week, and couldn’t figure out what was going on, or from which end the problem was originating. Good luck getting everything put back together!

  6. Steve_C says

    I dunno. Coincidence that he’s in Colorado Springs home of Focus on the Family?
    I would expect an anti-atheist anti-evolution attack to come from there.

    Until this guy says it’s not him and shuts it down… he’s to blame.

  7. J-Dog says

    We need a real old testament miracle here! Oh Lord, please smite this hacker, inflict him with boils on his butt, I mean MORE boils on his butt.. May Pat Robertson talk to him everyday and twice on Sundays! May DaveScott move next to him. May the hacker always be an ID proponent, and have little children laugh at him behind his back. May he always praise Buffalo Bill Dembski and have adults laugh at him to his face.

    Thanks for the update, hope it gets fixed soon!

  8. HCN says

    This also explains the number of tracking cookies that have been found by SpyBot on the computer I use for Scienceblogs versus the one I actually work on (I do Scienceblogs on the kitchen laptop during breakfast).

  9. says

    Funny how un-anonymous the internet is. A message board I post on was attacked repeatedly a few months ago and we found who the guy was and convinced him to discuss this problems in the board instead of hacking it. He posted a few times and disappeared.

  10. Lazarou says

    Don’t take this the wrong way but I’m so glad to hear that’s what was happening. Underneath my tinfoil hat I’d started to think that redirect was happening because my bosses had rumbled my worktime reading and they’d put some script onto my machine to foil me.

    Best of luck fixing it though, sounds like a ‘throw-the-computer-out-the-window’ nightmare.

  11. Pete K says

    Hope it gets fixed soon. Some people have too much time on their hands. Well, given that he’s affiliated with porn, maybe it’s better he has TIME “on his hands”…

  12. says

    His affiliation with a porn site does not disqualify him from being a hired gun for Focus on the Family. It’s an “ends justify the means” organization. Besides, didn’t you know that good people are allowed to do bad things to bad people — and godless science is bad by definition.

    Thanks for letting us know what that Google jazz was all about. I was pretty confused.

  13. says

    I enjoyed this post in the same way that I enjoy the more bio-detail-laden ones: I understand what you’re saying, but I don’t understand what you’re saying. Or something. Anyway, get well soon!

  14. GH says

    I just read that article from above. They are making each other take polygraphs so they don’t look at naked people.

    Look I think porn can cause problems if you feel the desire to look at it 24/7 at work etc. But why the fuss over looking at a naked body? It seems to me demonizing human sexuality leads to the issues these folks are having and they are pastors.

    So the answer for them is fear of a polygraph rather than an acceptance of their own nature.

  15. says

    PZ, I know that neighborhood… I have relatives in Colorado Springs, only one of whom is FOTF-nuts. (Ok, full disclosure: that one doesn’t associate with the Dobsonites because they’re not conservative enough. There’s one in every family, I like to think.)

    Your imagined image of hellish suburbia is an underestimate. I’d go into more detail, but words fail me.

    Thank you for the efforts and for updating our little community…

  16. says

    Uhm. Am I missing something?

    I’ve seen people talking about a Google redirect the last few days, and haven’t experienced anything different from my normal Science Blogs experience.

    Am I proof against a script kiddy? Or is the effect random and I’m just sitting at one end of the Bell Curve?

  17. paleotn says

    SteveInMI wrote….

    “Your imagined image of hellish suburbia is an underestimate. I’d go into more detail, but words fail me.”

    That being said, if you look towards the upper right of the google map, there is a street off Picturesque Cir called Whip Trail. Wonder who lives there? On second thought, I probably don’t want to know.

  18. says

    He hit my site too, which I discovered when loading my Movable Type Activity Log. It lists all search queries, so when it hit his, I got taken out of my MT control panel and over to Google (and, as the reset button for the activity log is at the bottom of the page, I could never see the button to clear the log). In the end, I went in through a SQL editor to find the offending entry in my database and removed it.

  19. Archangel Gabrielle says

    One wonders whether Mr. Sullivan’s neighbors are aware of his commercial activities. One wonders if they would be less than pleased with the knowledge that a pornographer lives in their neighborhood, perhaps preying upon their virgin daughters or enticing their sons into commerce with Satan. One wonders.

  20. says

    The effect is random, and you need to have javascript enabled for it to affect you. The bot tries to search for a string that is the javascript code; it then appears on the main page, where the latest searches on scienceblogs are listed. It gets bumped off the page when people make other searches, but it keeps coming back.

  21. Archangel Gabrielle says

    Of course, if many many people wrote to the various churches in the area, concerned about Satan’s evil influence in the otherwise righteous and godly town of Colorado Springs, there might occur a kerfuffle.

  22. hank says

    Interesting. The same sort of redirect-to-Google tweak was interfering with use of Spamcop’s webmail a week or two ago, for a few days.

  23. Jason says

    Yh, h’s bvsly Chrstn nd prbbly hgh-rnkng mmbr f Fcs n th Fmly. t’s dfntly nt mttr f hm trgtng Scncblgs bcs y’r bnch f gks wh cn’t gt rl wmn t stsfy yr sxl rgs. Np.

  24. says

    Ah! That’s why. I’ve enabled Javascript through Firefox, but crippled it severely using the ‘Advanced Javascript Settings’ because I dislike Javascript stealing my status bar or resizing my windows.

    My Javascript Console for Firefox shows a huge number of Javascript errors, all for the scienceblogs.com site. All errors are dropped, undisplayed.

    Perhaps I AM immune to this particular tomfoolery.

  25. says

    >>I looked him up on Google maps. He drives an SUV.

    Not precisely. The vehicle on the driveway could very well be a minivan. At the resolution of Google Maps, it’s hard to tell.

    Second, when I search for my address, Google points proudly to three houses over. So the house Google points to may not be the correct one.

  26. Jason says

    Y knw wht’s s fnny bt ll ths “dsmvwl Jsn cz h’s trll” stff? Mst f th cmmnts md hr by thrs wld b cnsdrd trllng f thy wr md nywhr ls.

    Qck, Grg! sk m sm mr qstns ‘v lrdy nswrd!

  27. says

    Zeno: I understand there’s a growing problem with spoofed WHOIS data. Perhaps the porn domain in question isn’t affiliated with the guy at all. (Maybe that’s part of the program – to get the porn domain flooded with crap?)

  28. architeuthis says

    Notice he lives about 7(ish) miles from Focus on the Family Headquarters

    Start address: 8605 Explorer Dr
    Colorado Springs, CO 80920
    End address: 3171 Whileaway Cir W
    Colorado Springs, CO 80917
    Distance: 7.9 mi (about 14 mins)

  29. says

    I thought you might like to know Dick DeVos, he’s the Amway kingpin running for governor in Michigan, just called for “Intelligent” Design to be taught in Michigan schools.

    He’s also been linked to the Hitler Zombie through a guy named Adolph Mongo.

  30. craig says

    No problems for me. Running firefox with the noscript extension. I recommend noscript.

    I’m still not convinced this guy’s system hasn’t been zombified and he’s a victim too. Not that I know enough technically to judge.

  31. Lars says

    …when I search for my address, Google points proudly to three houses over…

    Indeed. It has me living in the middle of the parking lot across the expressway. And my ex appears to be camping out in one corner of a Chinese cemetery near her home.

  32. Pidgas says

    I have to join the ranks of those saying: “stop hyperventilating and think logically for a minute.” Especially before posting someone’s name, address, and personal invective against them. Especially when you cannot prove he did anything! This is a very irresponsible post. The kind that lands you in court when the guy ends up being assaulted or something.

    WHOIS data is spoofed ALL THE TIME! Identities are stolen every day. Anyone hosting a website in their own name (esp if it’s a blog or the launching pad for online attacks) is asking for trouble. As an aside, there are tons of services that will register a domain on your behalf to avoid just this kind of situation. Oh, and to everyone linking the supposed script kiddie to FOTF because they’re physically located in Colorado Springs better not have family in Milwaukee. I thought this was a science blog. Yet, it seems that many posters here have left reason and skepticism at the door.

  33. Steve_C says

    He has a phone number there. It wouldn’t hurt to just call and ask him nicely if he even knows it’s happening. He may be appalled to find out he’s being spoofed.

  34. Nes says

    Ah! That’s why. I’ve enabled Javascript through Firefox, but crippled it severely using the ‘Advanced Javascript Settings’ because I dislike Javascript stealing my status bar or resizing my windows.

    My Javascript Console for Firefox shows a huge number of Javascript errors, all for the scienceblogs.com site. All errors are dropped, undisplayed.

    Me too. Javascript is enabled, but all of the advanced settings are disabled. Just opened the JavaScript Console and checked, and yup, lots of errors for scienceblogs.com, but most of them are just unknown properties in CSS sheets. I also block cookies from scienceblogs.com. I don’t seem to have the problems that PZ described, dunno if it has anything to do with my JavaScript or cookie settings though.

  35. says

    Mr Sullivan, slimy and contemptible hack that he is, is probably chortling into his breakfast of booze and cornflakes at the chaos he has wrought.

    So, are you trying to say he’s a graduate student?

  36. RedMolly says

    There once was a trollboy named Jason
    Whose rhetorical flubs were amazin’
    ‘Til one day PZ growled,
    “Let him be disemvowelled!”
    And started his comments defacin’.

    (That’s been stuck in my head all day and I just needed to get it out. Thank you.)

  37. mathpants says

    something wrong with “booze and cornflakes” for breakfast, PZ?

    I had chocolate chip pancakes with a Hefeweizen this morning.

    All systems seem to be operating normally . . .

  38. carlie says

    I remember reading somewhere on another blog (great citation, eh?) that Colorado Springs is the location of some major AOL Grand Central Traffic locations, so an awful lot of addresses look like they’re coming from Colorado Springs because of routing via AOL accounts. My knowledge of computers doesn’t go beyond turn it on and hope it works, so I may have just spouted a load of bs – is that possible? (the explanation, not that what I said was bs. I know that part is possible)

  39. George Cauldron says

    (That’s been stuck in my head all day and I just needed to get it out. Thank you.)

    No problem. As long as you feel better, that’s what counts. :-)

  40. says

    Nah, the address is legit, but the location — despite a previous commenter’s note about 7 miles — is not even close to being in the same neighborhood as Focus. *I* am closer to Focus than this idiot.

    The entire neighborhood does have the most ridiculous names, doesn’t it? It’s pretty amusing when juxtaposed with the often un-cared-for homes that were built 20-30 years ago. It’s a largely lower-middle-class, blue-collar kind of area, FWIW.

    And this is where I do a happy dance that I’m moving from super-conservative Colorado Springs to Santa Fe, NM! Wheeeee! Buh-bye!

  41. says

    Hmm. According to Google Earth, I live in a swimming pool.

    Heh. Google Maps has an old satellite photo of the apartment complex where I live, so according to them I live in a partially poured foundation in the middle of a large dirt lot.

  42. says

    Quit complaining. Google maps has the most pathetically poor resolution for my part of the world, so all I can say is that I live in a kind of blurry green smudge.

  43. Mena says

    I have never had the Google problem either, I’m running Opera with javascript enabled. I haven’t done anything special with it. Speaking of “special”, Jason just keeps trying doesn’t he? I like the disemvoweling thing, it’s much more entertaining than just blocking someone.

  44. hexatron says

    I have never had a problem with this site, but I just looked at the Firefox javascript console. The .css files for scienceblogs.com seem to be a total mess–someone had the dim-bulb idea of ‘removing’ options by preceding their names with an underscore (so text-align is renamed _text-align and no longer works.) There is also a tag called ‘text-deocration’ in the .css for the scienceblogs.com home page.

  45. says

    Yeah, for all of its nice names, that part of town is a dump. This guy lives within a block or two of my optometrist. I’m not even kidding. It’s a pretty unkempt pile of humanity, and the traffic is miserable.

    This town is really getting the bad rap it deserves around pharyngulaland. One of these days, something that isn’t Ted Haggard, a scriptkiddie-pornographer, or Wayne Allard will come from this city (I hope).

  46. says

    Also, “Carefree” is the most ironic name in the history of road names. If you want to get in a wreck, you drive on Carefree. “Meander” is not just a street name, it’s actually our official urban development policy. There are 4 north south corridors in this city. But if you try to move east or west, well, may Bog in his bolshy heaven have mercy on your soul.

    And now you know.

  47. says

    But if you try to move east or west, well, may Bog in his bolshy heaven have mercy on your soul.

    Ah, Dustin, you are quite familiar with the Seattle bus “system”, I see.

  48. Graculus says

    Do you suppress cookies? What browser are you using?

    Posted by: Steve_C

    I dunno about that poster, but I am using IE6 with third party cookies blocked, and have had no problems on any of my many visits to Pharyngula and other scienceblogs. I also use SpywareBlaster which disables known bad sites and known bad ActiveX.

    I’m willing to bet that this guy isn’t zombified…. porn merchants are pretty notorious for scumware and dialers and other shenanigans (like hijacking the City of Los Angeles entire netblock).

    Another stop on the “Peasant Mob World Tour”. Bring your own pitchforks, I’ve got the torches and the list of spammers.

  49. says

    Reminds me of a few years back… there was a root vulnerability in Aurora, or some service like that, I forgot which one. Anyway, someone exploited that before I learned about the problem and turned my linux box into a scan zombie. I got blamed, but was able to clear it up pretty easily, particularly since it was only going for a day before I noticed it.

  50. Kagehi says

    Identities are stolen every day. Anyone hosting a website in their own name (esp if it’s a blog or the launching pad for online attacks) is asking for trouble.

    Sorry Pidgas, but **not** using your real name and information in a WHOIS is now a federal offense, since a lot of even bigger f***wits used aliases to hide themselves from law enforcement by using false information. They might still be doing it anyway, especially using zombies, but the feds are not going to care if you are running a Pokémon fan site or a child porn site if they find out you gave false information for your site registration, at least in the US.

    Well, unless I am wrong, and that law actually wasn’t ever passed. It’s part of the whole, “Posting things that offend people under an assumed name.”, legislation and while some might argue that it’s somehow unfair, I happen to think they are right, for the same reason it’s illegal to run a business and call yourself Elmer Fudd on the business license (unless it’s your actual name).

    But, I also agree that the odds are probably better than 50-50 that this guy is a victim, not the originator. It wouldn’t be surprising from some ass to kill two birds with one stone and attack someone who belongs to what they think is the *wrong* sub-cult, by zombieing the guy’s machine, then using it to attack the *even more evil* science site. :p

  51. Michael Hopkins says

    I ran into the Google problem on September 12 in Firefox and IE. I reported it to webmaster and he wrote back the next day that no one else had reported it. I guess I was one of the first to see the problem. I have not seen the problem since September 12. Before I wrote the webmaster I used HTML-Kit to get the source code and HTTP headers for the homepage and found that the only instance of Google in the source code was a <script> link to a javascript file hosted at Google.

  52. demallien says

    Point #1 – Who was the idiot that decided to put unparsed user-content into the html? Take that web designer out back and shoot him/her before more damage is done.

    Point #2 – I don’t get the redirect, using Firefox and Safari. What actually happens over at Google? Is there a search already launched (ie is this guy trying to increase the number of requests for a website, to improve its rating?)

  53. Bob O'H says

    Quit complaining. Google maps has the most pathetically poor resolution for my part of the world, so all I can say is that I live in a kind of blurry green smudge.

    Some mornings that must seem pretty accurate.

    Bob

  54. says

    I can’t comment about the technical questions, but as for Colorado Springs, FotF is hardly the only noxious religious right group there. It’s the anti-Eureka, the capital of groups like this, most prominently Pastor Ted Haggard and the New Life Church.

    Harper’s had a great article on the city and Pastor Ted, “Soldiers of Christ I”
    http://www.harpers.org/SoldiersOfChrist.html

    Given them, it wouldn’t be unimaginable that they could combine hacking with evidence blaming a local ‘pornographer.’

  55. says

    There’s a discussion here about the “Jonny” XSS vulnerability in MT 3.32. Someone said this bug hack has hit 36,000+ sites so far, and speculates that it is a precursor to “something big”…Nothing on MT’s website. Do a google search on +js +jonny .

  56. Graculus says

    Well, unless I am wrong, and that law actually wasn’t ever passed.

    I think that there is some confusion here. There is a US law against using a fraudulent identity to obtain internet access. That applies to info that is between you and your ISP, and does not have to be public.

    ICANN will pull your registration if the information that you provide is not accurate and up to date. That is public, but ICANN are a technical, not legal, body.

  57. says

    Yeah Jim. This scriptkiddie lives only a paltry few blocks away from the infamous Patriot University, and he’s even closer to the local branch of Power Invasion Ministries, of Hell-House fame.

    This town is the Vatican City of Evangelical Lunatics.

  58. says

    S wndr wht knds f chrgs y jcksss cn b brght p n fr hrssng nd lblng n nncnt prsn…

    Wndr wht PZ’s mplyrs wld thnk f ths… thnk shll fnd t.

  59. Jake says

    Calm down on the conspiracy theories gang. I am a professional web designer who has been hit by this as well on several commercial sites. The script is attacking sites based upon potential exploits, not agenda. The hack is not political, no matter how much you want it to be. This man, Mr Sullivan is the victim of identity theft, to the best of my knowledge from correspondence, and is not at fault. The poor man claims that his life has even been threatened.

    Relax a little bit. The hack is not a political attack