Pharma Hack Update: Finally Gone

A good while ago, I wrote a blog post about how my blog was pharma hacked, and I thought I had gotten rid of it. I was actually extremely wrong, and it’s taken about half a year of off/on again fiddling to get rid of the infection for good. I thought I’d write up what I did in case anyone else has issues with this hack.

In order to remove it, I tried searching for solutions from other bloggers. They got me to a certain point, but after following the directions and letting my blog sit for a week or so, I’d use the Google Webmasters feature to “fetch as Googlebot” and find that my site was reinfected.

Here’s a step by step summary of what I had to do to finally get rid of the nasty pharma hack.

I downloaded the latest tar.gz from WordPress here and extracted it to my root web directory. My blog lives in the subfolder “/blog/” so I just moved the wp-config.php file from /blog/ to the /wordpress directory, then I renamed the blog folder to something else and renamed wordpress to blog. I found that I’d also have to reset the permalink settings to get pages besides my home page to show up correctly.

My main mistake was copying the wp-content subfolders back to the /blog/ directory. I assumed that the main infected file (wp-loads.php) was the only culprit. It turned out that I also had multiple PHP backdoors in my wp-content directories, in /plugins, /themes, and even /uploads.

I basically had to re-download anything in plugins and themes so that I knew those directories would be fresh. I ran a command to delete anything in /uploads that was a .php file, as that was how the backdoor worked. I believe it was something like

find /path/to/uploads -type f -name "*.php" -print0 | xargs -0 rm

but you probably want to double check that before running it on your server.

I also noticed that some backdoors existed in the root of my web directory, where I keep my portfolio. If you have other directories besides your blog in your web root, it’s probably worthwhile to check those out.
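As an added example (not the author's script), here is the uploads purge from the paragraphs above turned into a few shell functions, preceded by the read-only checks a practitioner would run first: listing what would be deleted, surfacing files modified recently anywhere in the tree, and flagging PHP files that use the obfuscation calls backdoors commonly rely on. The directory layout and sample files are constructed, and the `eval`/`base64_decode` marker list is an assumption about what to look for, not something the post specifies.

```shell
#!/bin/sh
# Added example, not the original post's script. Read-only checks first,
# with the destructive purge as a separate explicit step. Paths are
# placeholders; run with --demo to exercise it on a constructed tree.
set -e

# Every .php file under wp-content/uploads. Uploads should hold media only,
# so each hit is suspect. Prints one path per line, sorted.
list_php_in_uploads() {
    find "$1" -type f -name '*.php' | sort
}

# Delete them. find's own -delete avoids the filename-splitting problem of
# piping paths through a bare "| xargs rm".
purge_php_in_uploads() {
    find "$1" -type f -name '*.php' -delete
}

# Files modified within the last N days anywhere under the tree. After a
# clean reinstall nothing here should change unless you changed it.
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# PHP files using the obfuscation calls backdoors commonly lean on (an
# assumed marker list, not from the post). Triage output only: legitimate
# plugins also use base64_decode, so read every hit before acting.
suspicious_php() {
    grep -rlE --include='*.php' \
        'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(' "$1" | sort
}

# Build a small constructed WordPress-like tree for trying the functions.
# Prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2011" "$d/wp-content/themes/k2"
    # constructed sample: legitimate media file
    printf 'not really a jpeg\n' > "$d/wp-content/uploads/2011/photo.jpg"
    # constructed sample: PHP where none belongs, but no obfuscation marker
    printf '<?php /* constructed sample */ ?>\n' > "$d/wp-content/uploads/2011/thumb.php"
    # constructed sample: PHP in uploads that also trips the marker grep
    printf '<?php echo base64_decode("c2FtcGxl"); ?>\n' > "$d/wp-content/uploads/2011/cache.php"
    # constructed sample: ordinary theme file that should not be flagged
    printf '<?php /* constructed theme header */ ?>\n' > "$d/wp-content/themes/k2/header.php"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "== PHP files in uploads =="; list_php_in_uploads "$root/wp-content/uploads"
    echo "== suspicious PHP =="; suspicious_php "$root"
    echo "== modified in the last day =="; recently_modified "$root" 1
    purge_php_in_uploads "$root/wp-content/uploads"
    echo "== PHP files in uploads after purge =="; list_php_in_uploads "$root/wp-content/uploads"
    rm -rf "$root"
fi
```

Run the listing functions against the real tree and read the output before calling the purge; the recently-modified check is the one to repeat a week later, since a clean install that keeps changing on its own is exactly the symptom described above.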

At this point I was pretty close to having a clean WordPress install. But for some reason my site would still eventually fall to the pharma hack. I checked my server logs and it looked like someone was modifying header.php in my theme directory from the admin panel. This was pretty surprising because I thought I had my password locked down pretty tight. I am actually still not sure whether the password was compromised, or some other feature in PHP (or a cookie) allowed the hacker to access the admin theme editor. Either way I’m pretty sure the header.php was hacked to write a new backdoor file which would then create other backdoors. Pretty smart!

To fix this, I put another layer of security on my wp-admin directory with a .htaccess and .htpasswd file. I also updated my password to a 40 character random string that even I can’t remember. Finally, I just erased the file that does theme editing in the admin interface since I never use it and it seems like a real weak point.
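The hardening layer from this paragraph, as an added example rather than the author's own files: a 40-character random password, the `.htaccess` that puts HTTP Basic auth in front of wp-admin, a matching `.htpasswd` line, and the theme editor switched off. For that last step the example uses WordPress's own `DISALLOW_FILE_EDIT` constant in wp-config.php instead of deleting theme-editor.php as the author did; the effect is the same, and the constant survives core upgrades, which would otherwise put the deleted file back. The `.htpasswd` path, the username and the `openssl` dependency are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's files. Paths and the username are
# placeholders; run with --demo to see the generated pieces.
set -e

# A random password of N characters (default 40) from /dev/urandom,
# restricted to letters and digits so it pastes cleanly everywhere.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-40}"
}

# The .htaccess for wp-admin: HTTP Basic auth against the given password
# file, which must live outside the web root. Printed for review, not
# written in place.
htaccess_for_wp_admin() {
    printf '%s\n' \
        'AuthType Basic' \
        'AuthName "Restricted"' \
        "AuthUserFile $1" \
        'Require valid-user'
}

# One .htpasswd line (user:hash) using Apache's apr1 MD5 scheme. Assumes
# openssl is installed; htpasswd(1) from apache2-utils does the same job.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Disable the theme and plugin editors with the DISALLOW_FILE_EDIT
# constant, inserted before the "stop editing" marker so it is defined
# before wp-settings.php loads (appended if the marker is missing).
# Idempotent: a config that already has the constant is left alone.
disable_file_edit() {
    f="$1"
    line="define('DISALLOW_FILE_EDIT', true);"
    grep -qF 'DISALLOW_FILE_EDIT' "$f" && return 0
    if grep -q "That's all, stop editing" "$f"; then
        awk -v l="$line" \
            '/That.s all, stop editing/ && !done { print l; done = 1 } { print }' \
            "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    else
        printf '%s\n' "$line" >> "$f"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    echo "new admin password: $(random_password)"
    echo "== .htaccess for wp-admin =="
    htaccess_for_wp_admin /srv/private/.htpasswd
    echo "== .htpasswd line =="
    htpasswd_line admin "$(random_password)"
    tmp=$(mktemp -d)
    # constructed stand-in for a real wp-config.php
    printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
        "/* That's all, stop editing. Happy blogging. */" \
        "require_once(ABSPATH . 'wp-settings.php');" > "$tmp/wp-config.php"
    disable_file_edit "$tmp/wp-config.php"
    echo "== patched wp-config.php =="; cat "$tmp/wp-config.php"
    rm -rf "$tmp"
fi
```

One caveat worth knowing before switching this on: Basic auth on the whole wp-admin directory also covers wp-admin/admin-ajax.php, which some themes and plugins call from the public side of the site, so if something front-facing breaks after adding the `.htaccess`, exempt that one file rather than loosening the rest.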

So far, the pharma hack hasn’t resurfaced and it’s been about two weeks. I’m going to say that I’m slightly confident it won’t return (unless there’s another vulnerability in WordPress that pops up).

I feel like I learned quite a bit about security while playing whack-a-mole with this hack. I got to look at the backdoor files and figure out how they were hidden and obfuscated, and eventually found what I think was the root of the problem in the WordPress theme editor. I also hacked together some scripts to show recently modified files (hacked together from stuff I found doing some searches). If I end up getting hacked like this again, I’ll probably be able to remove it faster.

For a while, I was considering moving to Jekyll for my blog. But that seemed like a bit too much work moving posts and comments, and learning a new blogging system, especially for how infrequently I blog nowadays. For now, I will stick with WordPress with all of its vulnerabilities, which have hopefully been mitigated with the few extra precautions I’ve added.

2011: A Hung Truong Year In Review

Last year I wrote a review of the stuff I had accomplished in 2010. It was useful for me to look back and realize that even though I felt I hadn’t accomplished much, I really had. I figure I should do the same this year, so here’s what I did in 2011.

January was a pretty big month for me. I had entered my apps into a University of Michigan contest and Checkmate ended up winning 3rd place. I also “released” Instascriber, which got picked up on a couple of tech news sites, including LifeHacker. At the end of January, I socially engineered a Facebook poll to virally get around 60,000 responses before Facebook shut it down. That was pretty fun.

February was a bit slower. I think I mostly ported Mapskrieg to App Engine (though I since reverted it back to the PHP version since App Engine raised their prices like crazy). I think I also interviewed at a couple of places for jobs, but didn’t have any sustained interest from anyone (or with anyone, really).

I must have spent most of March doing iOS programming, because the only blog posts I have are the one about UISplitViewController and the release of <3 Threadless for iPad. The iPad app release was pretty big for me since I had not previously released an iPad app that was much more than a simple scrollview with a main view attached.

In April, I released another iPad app, Mapskrieg. This was a really good way for me to get better with iOS development and to write my own API to use in the app. I believe April is also when I started interviewing for other jobs, including one at Bebarang. I also started working on a freelance app for the University’s Enriching Scholarship event. I guess I never announced it on my blog previously, but here’s the app I worked on.

In May, I started working with Allen Kim on Bebarang, the Netflix for baby clothes. I moved to New York in June, and stayed there to work on the startup for July and August as well. My summer experience deserves a blog post of its own, which I started writing and sorta forgot about. It was really awesome getting mentorship on the ins and outs of starting a business. I got to meet lots of incredible people and learned a ton. I also got to eat some really good food and experience New York. I am super grateful for the opportunity to work with NYC Seedstart and Bebarang. Unfortunately, things just didn’t work out, and I left the company at the end of August.

In September, I noticed a job posting at Threadless, and contacted my pal Chris about it. I attended the Threadless Family Reunion and got a job offer that I couldn’t refuse! I moved to Chicago (actually a suburb of it, Oak Park) in October and I am currently working on cool things at Threadless, including an awesome looking redesign of the site. So far I have learned a ton about actual software engineering (as opposed to the cowboy coding that I’m accustomed to). It is majorly sweet that I’m getting paid to get better at Django and Python (oh, and contribute to the code base, of course). I really couldn’t ask for a better turn of events than to work at a company I’ve long admired (and bought from).

In December, I took a trip to California to hang out with my family (much of whom also traveled to California to hang out). I went to the Santa Cruz Mystery Spot but forgot my fucking bumpersticker!!!! I am really pissed about that. I discovered that my niece and nephew really like Minecraft, and I think I will write a separate blog post about that.

Looking back, I feel I got a lot accomplished in 2011. I think I finally found a good balance between doing whatever the heck I want (and getting paid little) and being a complete corporate slave (and getting paid slightly better). I learned that maybe being a startup founder is not for me (at least in this stage of my life). I want to make an impact in whichever field I work in. I’m still figuring out how to maximize that (while still enjoying life and hanging out with other people, like my girlfriend). I feel like I am finally at the point where my hard work and accumulation of experience have paid their dividends, and it is now up to me to continue working hard and improving every day.

I think my greatest concern for 2012 is that I won’t accomplish as much as I have in previous years. Working a full time job can be hard on side projects, so I’ll try to put in a good effort on keeping those and my hobbies alive. I also want to work on my health, as living in New York and eating all of its food has added a few pounds. I started playing DDR again. It’s fun.

I have a few ideas for side projects that I’d like to work on. One is an open source ifttt clone that anyone can install (on their own server) and write modules for. Another is a redesign of Anime Nano (and maybe a rewrite in Django). I also want to get an aluminum base plate and photopolymer plates made for my letterpress. Finally, I would like to blog more often; shorter blogs, longer blogs, blogs about wacky stuff that I experience.

I want to look back to this blog post in a year, and hopefully I’ll have accomplished many or all of my “resolutions” by then.

2010: A Hung Truong Year In Review

Looking back at 2010, this year has been one of change and growth for me. I’d like to take a post and look back at what I did this year.

January and February were kinda uneventful. I was pretty nose down trying to become a good PM at Microsoft. Oh, and I was busy making troll posts about how the iPad was gonna suck and I wrote a lot of book and music reviews.

In March, I attended SXSW and moderated a panel that I had submitted the year before on Student Startups. I met many of my friends who I hadn’t seen in a while and met a lot of cool new people. It was from that experience that I decided I needed to stop doing what I was currently doing and change course so that I could do what I was “meant” to do. Also in March, I was rejected from the one PhD program I had applied to. In hindsight, this was probably a good thing. I’m used to rejection anyway!

SXSW Panel

In April I officially resigned from Microsoft as a PM after only about 7 months (and 5 managers!) on the job. I knew this was a serious decision. In hindsight, I’m glad I did it. Quitting let me focus on other cool stuff that I was meaning to get into, like iPhone (now iOS) development. In the same month I finally released an app to the iTunes App Store, something I had wanted to do for years.

In May, I moved back to Ann Arbor to be near to my GF, which required me to pack all my crap into my Corolla and drive the whole way. I also flew to New Mexico for a wedding and got to hang out with my family. This probably explains why I have no blog posts for May 2010.

In June I mostly basked in the glory of my funemployment and took it easy (read: I marathoned Lost). I also tinkered with my existing iPhone app and enhanced it a bit, building up my Obj-C chops. I interviewed for some jobs here and there to test out the waters, but none ended up being fruitful. The incompetence of HR departments never ceases to amaze me, but I suppose that’s a topic for a different post.

In July I looked for some more opportunities to work with other companies. I didn’t end up teaming up with anyone, but a conversation I had during an “interview” led me to start development on Checkmate, my second app for the iPhone. I spent a fair amount of July developing and testing Checkmate. I also took a cool part-time gig with the coolest boss in history.

August saw the release of Checkmate, which was featured in a story on Mashable! Thanks, Pete Cashmore! While Checkmate wasn’t (and it still isn’t) the perfect app, I learned a ton from developing it and gained a lot of confidence as well. I also discovered the NPR news story of that time I went on a chocolate factory tour in Seattle!

My September was mostly spent improving Checkmate and learning about how to handle a paid app in the App Store. Doing a paid app is quite a bit different than a free one. I also spent some time looking for an old printing press and finally scored one on craigslist!

In October, I started working on another app that eventually became ♥s Threadless. This was the biggest undertaking I’ve done so far on iOS, and it also required me to do more complicated work in App Engine than I had done before. I also spent October tracking down supplies for my Letterpress machine, and ended up doing my first prints ever: Giraffe Coasters!

I split my November into days where I’d work on getting better at printmaking (and coming up with stuff like these letterpress business cards) and days where I’d work on the Threadless app. I finally ended up releasing the Threadless app at the end of November. The reception of the app has been great! So far the app has 6 perfect reviews and one 4-star review. That makes me incredibly happy.

This brings us to the current month, December. I started another app engine project that’s not quite ready for public beta yet (though I feel it will be really soon). Because of the app, Threadless was super cool and invited me to their Chicago headquarters. I finally realized one of my lifelong dreams of becoming a Threadless t-shirt model! I’ve also been hanging out in Albuquerque and spoiling my nephew rotten for a few weeks.

And that is my 2010 year in review. One surprising thing is that many times during 2010, I was really down on myself. But looking back, I actually accomplished some neat stuff! I think it boils down to the fact that there’s still a lot of uncertainty in my life, and that’s hard to manage. But I think I’m getting better at managing it every day. In retrospect, 2010 was a great year, maybe even the best (so far).

Looking at 2011, I see a lot of opportunity. I’m going to continue to remind myself that minor setbacks are just that. I’ll push through them and accomplish even more than I did in 2010! My role model for 2011 is this guy:

Hopefully I’ll have some good stuff to report in a year or so!

Hung Withdrew TWENTY TEN. Hung Sent Out K2. It’s Super Effective!

I switched my blog theme again. Twenty Ten is the official default theme of WordPress 3.0, but that doesn’t make it good. Too much wasted space on top. On a normal monitor, you practically have to go below the fold to get to any content!

I switched back to good ol’ K2. It’s good to have you back, buddy (even though by default you show post featured images in a really, really stupid way)!

A Chat With Hung Truong

I use Olark (formerly on my portfolio site. It’s a widget thing that lets you chat with your visitors. My friend Ben invented it, so check it out.

Anyway, some guy just started chatting with me on it. He was also named Hung Truong. Here’s the strangeness that ensued:

webuser5.1128: yo

me: hi

webuser5.1128: sup man

me: not much bro

webuser5.1128: where u from?

me: uh, you’re on my portfolio

webuser5.1128: my name is hung truong 🙂

me: what
me too

webuser5.1128: like seriously though
i search my name in google
and this website came out

me: yeah, cool
do you have a website?

webuser5.1128: nope, but nice website man

me: thanks
there’s also some hung truongs in the news

webuser5.1128: wow

me: like one who killed a police officer or something
that’s not me
that’s not you either, right?

webuser5.1128: hahaha

me: ok good

webuser5.1128: lol

me: just checking to make sure

webuser5.1128: i was born in vietnam
are you by any chance vietnamese

me: my name’s vietnamese but i’m actually chinese
my parents lived in vietnam
but i was born in the US

webuser5.1128: cool
i g2g man nice talking to u dawg

me: yeah you too

webuser5.1128: peace out

[System] (visitor closed chat)