A few folks have reached out wondering how we’re doing since we live in Los Angeles. Because it’s still a developing situation my update will be short:
- we are 2 miles south of the Eaton Fire mandatory evacuation zone
- we used to live right on the line of the mandatory evacuation for the Sunset fire
- the smoke has been terrible but is less than it was the first day of the Eaton fire
- our power was out the first day but has remained on since
- we received an evacuation notice that was soon after retracted
- multiple coworkers have lost their homes; Altadena, because of its proximity to the Burbank campus (now closed after covid), became home to a LOT of folks that work for Kaiser Permanente.
I wasn’t going to post about this, but I found myself on the blog looking up the locations of some of the places I’d taken my parents on their visits, because some of those restaurants and things are now destroyed.
However, what I found instead was that my site has been compromised somehow by a spambot that’s injected ads into my blog posts. The blog goes back 25 years. I have no idea yet how many posts the bot was able to spam or how. Online articles are saying that malicious bots have compromised host servers and injected copy and links directly into SQL code on the back end. I have no control over that; all I can do is find the posts and delete the content. But obviously I have more important things to worry about right now. But do know that if you read a post and then it says “oh, also BUY A CAR AT OUR LONDON DEALERSHIP” … sigh…. no, I didn’t write that. DO NOT CLICK.
FIRE UPDATE: After several white knuckle days the Eaton Fire has begun containment. As of Saturday morning the Evacuation line has moved several miles north, which means another several miles north of us. Winds are expected to come back Saturday night, so things could still “go south” literally and figuratively, but that’s not expected at this point. Air quality is still bad, but much improved from the last few days as the winds have shifted direction and most of the smoke is no longer blowing over our neighborhood. We have begun raking and disposing of the piles of black and white ash that have piled up on our driveway and house.
BLOG UPDATE: It turns out that the “admin” (default in WordPress) access password, despite being a “secure” 15 character string of random letters, digits, and symbols, was compromised. I am not sure how. There was never a password reset sent to my email (unless my email is also compromised and they intercepted it). Needless to say, all passwords have been changed…again.
Regarding cleanup, WordPress, despite having all the data, makes it incredibly hard. There is no native way to sort posts by date of last update or WHO last updated. I had to add on a third party plugin (which, another may have been the source of the password compromise in the first place) to do so, rather than read through all 1,300+ posts to check for new links.
Remember, this spamming was clearly AI generated. It’s an exciting but also terrifying example of how far AI has come and, assuming Trump will dismantle the CFPB, a chilling preview of the future. Here’s what happened:
At some point last year a bad actor, likely a piece of software that used a list of passwords obtained in a data breach (there are too many to track, every company you’ve ever had a password with has been breached now), tried every password on common WordPress installations (we all log in on a generic page with the same url attached to the blog address). Once a match was achieved the bot would scan through posts, at first doing some slight formatting changes. It’s unclear to me whether these changes were to enable later links to be inserted, or if they were just testing to see if anyone (me) was actively monitoring.
In either case, once the bot determined I wasn’t watching, it scanned all the content with AI and picked out posts that matched its ad sponsors. For example, on a post from nearly twenty years ago talking about an HVAC repair I had to make, it inserted an ad for an HVAC repair service. And here’s the scarier part: It didn’t just add an obvious advertisement at the end of the blog or in a new paragraph or even a new sentence. It parsed the language, the tenses I was using, the writing style, and REWROTE a sentence to naturally flow into an ad with a link.
For example (this is a paraphrase, not the real copy), the original post might have said: “I decided to have the AC repairman replace the heat pump.” The AI spambot changed this to: “I decided to have Jerry’s AC replace the heat pump and if you need any AC repair I recommend him.” The “Jerry’s AC” had a hyperlink to the business.
This was done about 60 times in a two month period, but not the same day or even same week or month, in theory to keep me from noticing. Every time it would be a different business that fit the context of the post itself.
By use of the plugin to display last modified date and by whom, I was able to (I hope) identify all these changes and roll the posts back to the last version that I wrote.
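
The following Python example is added here and is not from the original post or from any plugin. It walks each post's stored revisions in time order, flags the first revision that introduces a link to an outside host, and names the revision just before it as the rollback target. The rows, hostnames and dates are constructed; the tuple fields mirror the `wp_posts` columns (`ID`, `post_parent`, `post_author`, `post_modified`, `post_content`) that the example assumes have been exported for rows of type `revision`.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "blog.example"  # assumption: the blog's own hostname

# Constructed rows shaped like wp_posts revision records:
# (revision_id, post_parent, post_author, post_modified, post_content)
REVISIONS = [
    (101, 7, 1, "2006-03-02 10:00:00",
     '<p>I decided to have the AC repairman replace the heat pump.</p>'),
    (102, 7, 1, "2006-03-02 10:05:00",
     '<p>I decided to have the AC repairman replace the heat pump. '
     'See <a href="https://blog.example/2006/02/quotes">my earlier post</a>.</p>'),
    (950, 7, 1, "2024-11-14 03:12:00",
     '<p>I decided to have <a href="https://jerrys-ac.example/">Jerry\'s AC</a> '
     'replace the heat pump and if you need any AC repair I recommend him.</p>'),
    (201, 9, 1, "2010-06-01 09:00:00", "<p>Dinner with my parents.</p>"),
]

class _Links(HTMLParser):
    """Collects hostnames of <a href> targets that point off-site."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host != SITE_HOST:
                self.hosts.add(host)

def external_hosts(html):
    parser = _Links()
    parser.feed(html)
    return parser.hosts

def find_injected_links(revisions):
    """Return {post_id: (bad_rev_id, modified, new_hosts, last_clean_rev_id)}."""
    by_post = {}
    for rev in sorted(revisions, key=lambda r: (r[1], r[3])):
        by_post.setdefault(rev[1], []).append(rev)
    findings = {}
    for post_id, revs in by_post.items():
        for prev, cur in zip(revs, revs[1:]):
            # Key on content, not post_author: a stolen login edits as that user.
            new = external_hosts(cur[4]) - external_hosts(prev[4])
            if new and post_id not in findings:
                findings[post_id] = (cur[0], cur[3], sorted(new), prev[0])
    return findings
```
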
All passwords have been changed, and I deleted many old plugins in case that was how security was compromised. In fact, one that I used to have for security and had a free tier apparently changed their pricing model last year and eliminated their free tier, but didn’t send me an email. Surprise Surprise, the “hack” of my account happened after that.
Unfortunately the new plugin I installed to find the problems caused a new one. The code to find the modified date changed the “date” code in the posts and would force the modification date to be how WordPress orders the posts chronologically instead of published date. So until I deactivated the new plugin… all the posts were out of order. Before I figured this out I thought maybe it was a theme problem so I have changed the theme. (I stopped custom designing themes for this site a long time ago and started using off-the-shelf themes)