I’m assuming some idiots got hold of a login password at PRO FOOTBALL TALK:
I didn’t contact site purveyor Mike Florio about it, since he’s no doubt scrambling to get the site back up. Hang in there guys.
At last check, there’s now a “database error” message on the site, which tells me the site should be up again soon. Let’s just hope everything’s backed up.
UPDATE: Site is back up. All is well.
UPDATE #2: Turns out PFT was planning a server upgrade today, so perhaps it wasn’t hacked after all.
UPDATE #3: Florio confirmed that the site wasn’t hacked. It was indeed a server change. The WordPress screen, according to Florio, “popped up” somehow and a user took liberties with it. Which Florio actually found amusing.
12:36 pm on February 20th, 2009
John Clayton gets his revenge.
11:06 pm on February 20th, 2009
Although "assuming some idiots got hold of a login password" of the blog is the easiest explanation, exploiting SQL Injection Vulnerabilities is also a common way to get the blog's password and produce the described symptoms. HTML Injection known as XSS (Cross Site Scripting), either persistent or reflected, is another easy exploit to get the password. To prevent this from happening, one needs to properly sanitize all user definable variables. There are also other non-injection exploits and vectors worth guarding against, such as CSRF (cross-site request forgery), register_globals, and just random logic errors. Etc… I won't get into the technical aspects of how it's done, but it involves a customized ILLEGAL Server To Enable Rights Over Inserted Data INJECTION. As you might guess from the acronym of the name of the method used, in Pro Football terminology this is commonly called:
"ILLEGAL S-T-E-R-O-I-D INJECTION". This serves to emphasize the fact that "ILLEGAL STEROID INJECTION" (as well as its use through other delivery vectors) in Pro Football can be dangerous!
(Ya, I'm talking about hacking the password plus the other stuff! Hee, hee!)
Getting caught doing it to a third party (or being on the receiving end) can cause you serious problems! The penalties incurred can be expensive or time-consuming to remedy! It can also damage your reputation in the world of Pro Football Talk.
(Ya, take that both ways too!)
– aFriend.ca
12:47 am on February 21st, 2009
OK, there's an update here now saying that the blog wasn't really hacked. Nice to know!
That shoots down my "half truth — half joke" about the hack explanation:
ILLEGAL Server To Enable Rights Over Inserted Data INJECTION exploit.
aka:
"ILLEGAL S-T-E-R-O-I-D INJECTION" exploit.
It's good to know that there's no Illegal Steroid Injection exploits going on at the Pro Football Talk blog — at least not at the server level!
Best wishes from a fan of this site; a Friend in Canada,
– aFriend.ca
(There's no spam or commercial ads at this link. It takes you to a "Click To Donate Free" page full of worthwhile charitable & humanitarian causes where you can donate for free, without spending a cent. Hope you check it out!)