Friday, July 21, 2006

Effective Shark Strike!

(Wire)Shark strike that is....

Noticed while loading my blog page that the blogpage was referencing a cross-link to the server.

That didn't sound like any link I had ever coded into the page, so I was instantly concerned that maybe someone-somehow-dropped the code in or was attempting to hijack something.

Claus had a mystery!

(Wire)Shark bite #1

First thing I did was to examine my blog template code. Nope, no references to it there. I then checked the page code on a loaded page. Nope. Hmm.

I Googled it, and found some things that that suggested complaints of it being a spam-source. Not a good sign. I was getting suspicious now as my gmail account has been getting hit harder with more spam lately. (It has caught it all, but I was curious as to the sudden increase...)

Since it wasn't going to be an easy solution, I brought out the big-fish: Wireshark. This is a network protocol analysis tool. I fired it up so I could start a packet-capture loading my blog page. This way I hoped I could find out what was calling to that site.

With Wireshark running packet captures, I dumped my browser cache and reloaded the web-page. Once loaded I stopped the packet capture and started picking through the code.

I ran a quick packet search of the packet byte string values looking for x.phoenix-dns Bingo! I found a number of them. Examining the packet text data I found that it was related to requests of a graphic hyperlink to

ErisFree was the website where I was able to generate the basic code for this blog-template I am using right now. That seemed fine. But when I went to the web-page--there is an account-suspended message!

Mystery solved!

The template HTML code was calling to display the ErisFree logo off the server that site was hosted on. Since the account is suspended, it was generating the calls to the x.phoenix-dns site to get instructions. That cross-site chatter is what I was seeing in my browser's status bar.

I edited the impacted references code out of my template and problem is solved.

Now maybe you can see why having a network protocol analysis program could be useful for bloggers!

And x.phoenix-net is off the hook as a source of any of my suspicions--just a simple cross-linking call going on.

(Wire)Shark bite #2

While looking into my template code, I found where my gmail address was actually coded into my page. I had missed that! That's probably where the spam-bots were harvesting my email address from. I pulled it out as well.

If you need to email me it's (this blog title as one word)

I hope that tweak cuts down the spam.

(Wire)Shark bite #3

I also noticed this blog's HTML "Keywords" meta tag code was filled with useful stuff for ErisFree (as examples) but not conducive for Grand Stream Dream's overall purpose. The Keywords coding allows search engines to better associate your site with web-searches. I fixed that up as well with some better word associations.

(Wire)Shark bite #4

That stupid copyright symbol I have at the bottom of the right column never displayed correctly. I found the correct HTML code on-line and fixed that also.

See what happens when you feed a shark?


No comments: