As well as banner ads, as an eBay affiliate you can display auction listings. These add constantly updating, hopefully relevant, content to your pages and provide you the chance of earning commissions. (I say ‘chance‘: your visitors have to click on the eBay links, and also buy something from them!). So it depends at least partly on your powers of persuading strangers to buy things that appear at random

If you compare EPN with Adsense, it looks more interesting on your website, there are more steps required for it to earn you money, but the commissions you’d earn could be higher if you’re selling something valuable.

It’s possible to create eBay adverts free within your eBay Partner Network account. There are also free and paid scripts available, some as WordPress plugins, which automate this process and make it easier or better.

A couple of years ago, a program called BANS (Build a Niche Store) was very popular for this purpose, and was used very widely until Google recognised its software ‘footprint’, took a dislike to it (duplicate content?) and de-indexed a lot of BANS sites, especially the more ‘thin’ affiliate type websites on .info domains. However, BANS may make a comeback in future (it’s half price now), and in the meantime, eBay Partner Network remains a popular way to add content and possible earnings to your website. Whether or not it gets ‘Google-slapped’ though will take time to see: many people say that if you have enough original content and the auction listings are adding to your site rather than being your site, you ought to be ok.

I’ve reviewed 9 non-BANS scripts, tools and plugins for this post:

• eBay Link Generator,
• Ebay Editor Kits,
• Ebay RSS Feed with Javascript,
• RSS2HTML,
• WordBay (free WordPress plugin with an optional ‘Generosity’ percentage to donate to the author),
• Free eBay Store (free WordPress plugin which uses the developer’s campaign ID 10% of the time),
• Affomatic (free WordPress plugin),
• phpBay Lite (free WordPress plugin),
• phpBay Pro (paid WordPress plugin).

What you’ll need before you start using eBay scripts:

Get Accepted into the eBay Partner Network

First of all you’ll need to get accepted into the eBay Partner Network. This will only work if you already have a reasonably decent website that has genuine content and isn’t spammy or under construction. See this post at WPContempo for a good discussion of how to get accepted by the eBay Partner Network.

eBay Affiliate Tracking Codes

Once you have an EPN account, you’ll need to have this data ready for your plugins or scripts:

1. Your eBay Publisher ID
   If you don’t know this, you can find it by logging into eBay Partner Network, going to Tools and then Link Generator. Generate a link, and when you look at the code, the EPID is the number after ‘&pub=’
2. Campaign ID
   A Campaign ID is a unique 9 digit number that you embed within your links to associate the traffic you drive with your account. The first Campaign ID you have is assigned to you by eBay. You can find it in the “Campaign” tab in the main menu. Later on, you can create separate campaign IDs, so you can use statistics and reporting tools to track how each one is doing. Campaign IDs are valid across any eBay programs you have been accepted into.
3. Custom ID:
   A Custom ID is a text label you can add to help you track the performance of different links. In my case, I made up a code word as a custom ID for each script I tested.

The Legal Bit

You will need to check the Terms and Conditions of eBay Partner Network for each eBay site you use, as well as terms and conditions for any other tools and services you use, especially if you are accessing and displaying eBay listings with third party scripts.

It would also be worth checking for comments on the EPN forums.

The eBay Affiliate Scripts and Tools

1. Ebay Link Generator

   The Link Generator is one of the free tools available under the ‘Tools’ menu option within your eBay Partner account. It generates a text link to an eBay page, which could be a Home Page, Search Results, Item ID, Store or Custom URL.

   Geo-targeting is available for eBay home pages, item IDs and for search results on eBay US, eBay UK, eBay AU, eBay CA.

   Since there is an option to produce output code in HTML instead of Javascript, the Link Generator could be used with WordPress.com blogs (if you can get one accepted by eBay), however, the HTML option is only available without geo-targeting, so you would have to pick one eBay country to link to.

   To use Javascript within a self hosted WordPress blog post, upload it as an external javascript file in your scripts directory, eg myscripts/myscript.js. Use the part of the link code that’s between the '<script>' and '<script>' tags. Next, post this code where it should go in the WordPress post, using the HTML editor, not the Visual editor (don’t open this post in the visual editor again, or it will mess up your javascript):

   <script type="text/javascript" src="/myscripts/myscript.js"></script>
   <script type="text/javascript">
   <!-- myscript();
   //--></script>

   Then copy and paste the rest of the link, starting with the '<noscript>' tag, into your post.

   Once you’ve generated the link in either HTML or Javascript, you can easily edit the link text or replace it with something else like an image if you need to.

   Here’s an example, with and without geotargetting:

   • A Javascript link, searching for , with geotargetting.
   • An HTML link, again searching for ‘eBay Business‘, but this time targetted at eBay in the Netherlands. (I noticed that with this search many of the products are the same in different countries, but in this case with the language in Dutch and prices in Euros!).

   If you’re going to use more than one eBay link on your page, this will work more reliably if you turn them into functions in the same external script file, and call the file from your WordPress header.php theme file.

   Here’s a WordPress codex page about using Javascript with WordPress.

   However, this could end up with your site loading lots of unnecessary javascript on each page. If you are planning lots of eBay content, the plugins will be a better option.

   Pros:
   This method is free, and customisable, including geo-targeting to your visitors’ locations.

   Cons:
   This method doesn’t add any eBay content to your blog, and requires fiddling about with Javascript if you use geo-targeting.

   Back to the list

2. Ebay Editor Kits

   Here’s a screenshot of a 300×250 Editor Kit showing results from the ‘‘ Software category:
   
   
   

   Editor Kits are one of the free eBay tools you can use to create ads within your eBay Partner Network account. The Editor Kit allows to to set up a ready made eBay search to appear in a box on any web page or blog post you paste the code into. Editor Kits offer various options for changing the parameters of the search, and the display box it appears in.

   Click here to see a copy of the form.

   Pros

   The title and size of the listings box area, colours used, sorting order and number of listings can be customised using a data entry form.

   You can also choose whether or not to show an ebay search box, what search keywords and category to restrict your search to, whether to search the description as well as the title, what to do if no results are found (eg show search box), and whether to show postage cost, paypal icons, ‘buy it now’ items only, items with images only, and whether to open links in a new window.

   Results: without restricting search by category, some irrelevant results were included.

   Cons

   This method does not allow for geo-targeting, unless you create it separately yourself.

   If you’ve joined eBay Publisher Network in more than one country, you will only get credited for results if you create your Editor Kit on the same eBay site (e.g. eBay.com, eBay.co.uk) that you joined first.

   Searches are confusing and hard to set up, because searching with Editor Kits doesn’t get the same results as when searching eBay’s website. For example, in my case, searching for ‘dogs’ was as likely to match with ‘no dogs’, but I found that the ‘no dogs’ results could be excluded by putting double quotes around it in the ‘exclude these words’ box. I also had to search for ‘dogs’ not ‘dog’, as there were no results otherwise. So it seems to look for specific whole words, rather than matching parts of words.

   I also discovered that if you restrict your search to a category, it doesn’t include subcategories.

   The output was in Javascript, so search results on the page are invisible to search engines and also to anyone visiting with Javascript disabled.

   Since the code produced is Javascript, it also can’t be used on a WordPress.com blog.

   Back to the list

3. Ebay RSS Feed with Javascript

   This option uses the RSS Feed Generator within the ‘Widgets’ section of eBay Partner Network’s free tools, then converts it to a Javacript display using the Feed2JS web service.

   Here is a screenshot of some listings produced in this way:

   

   eBay Listings produced using RSS Feed Generator and Feed2JS

   Pros:
   I thought the results with this method were tidy and well presented.

   Cons:
   The Javascript script is called from another website, adding to the possible delays in loading the page. However, there is an option for installing the script and running it from your own server.

   As far as I know, Javascript listings are invisible to search engines, so these listings will not be indexed in Google or give your site the benefit of freshly updating content as far as the search engines are concerned. I don’t know what effect Javascript would have in terms of the ‘footprint’ that has caused problems with php scripts in the past.

   More seriously, the Javascript is also invisible to real visitors who either can’t use it or choose not to. In particular, for people with some kinds of disabilities, this is a serious usability problem. So an alternative to the Javascript must be provided in order to keep the website accessible.

   I’ve been looking in every plugin site and forum I could find, but still could not find a working method for reading in an RSS feed and displaying it as HTML inside a WordPress blog post.

   However, one possibility is to develop an HTML version of the page, generated outside WordPress using RSS2HTML, and offer a link to that page for visitors who can’t use Javascript.

   Back to the list

4. RSS2HTML

   RSS2HTML is a utility that converts an RSS feed into HTML output, which has the advantage of being more accessible and able to be crawled and indexed by search engines. It is available in standalone and remotely hosted versions.

   As far as I can tell from their help files and forums, RSS2HTML cannot be added within a WordPress post or page, although it can be used on static HTML pages or in the template files. However, there may be new plugins for including code that could handle this.

   RSS2HTML is available from Feed For All.

   Back to the list

5. WordBay

   WordBay is a free WordPress plugin. It had an optional ‘Generosity’ setting which sets a percentage value for times when the commissions earned would be donated to the author, however this has now stopped to avoid conflicts with the eBay Partner Network Terms of Service.

   After installing the WordBay plugin, there are some settings to enter in the plugin’s administration interface, and then it’s easy to insert eBay listings into your posts. You just enter keywords between [wordbay][/wordbay] tags in the HTML editor, and the ‘WordBay readme.txt’ file in the WordBay installation zip file clearly explains how to combine keywords for searches, and exclude others. For example, [wordbay](“old lamp”,”old telephone”) -green[/wordbay] will find all items with either “old lamp” or “old telephone” in the title, but excluding the word “green”.

   Here is a screenshot of a WordBay display, without any CSS modifications:

   

   Screenshot of Wordbay results display, unmodified except for resizing to fit here

   Here’s another WordBay screenshot, with a couple of CSS changes to make it look clearer:

   

   Screenshot of WordBay results with CSS changes

   Cons:

   • You can only set one product category (or ‘All categories’) for the whole website.

   Pros:

   • It’s free
   • It’s fast loading.
   • There are lots of Geo-targetting options.
   • You can set a product category to search in, which will make your results more accurate and should be useful for niche websites
   • Listings are incorporated into the web page as searchable HTML. The default layout is nice with a bit of tweaking, and does not look like eBay listings.

     WordBay uses encoding to avoid creating the kind of software ‘footprint’ that appeared to be the downfall of many websites built with BANS (Build a Niche Store). I’m not sure ‘aHR0cDovL2J1eS5jaGVhcC5jb20vYnV5LzEvNzEx’ is one of my main keywords, but it’s better than being deindexed anyway For the same reason, it’s also possible to move and rename the ‘buy.php’ file.

   • Wordbay automatically sets the Custom ID to be the page url, which seems to me like a great advantage in reporting and tracking the success of each page on your site.
   • Wordbay can be set up to include search boxes leading to eBay search results displayed within your own site.
   • Other options include whether to include an ebay signup link, minimum number of bids, price range, specific seller IDs, geo-targeting, setting up different category codes to use in different countries, and default country selection for various situations.
   • WordBay appears to be a well-supported plugin. When I first tested it a few months ago, I was trying to display listings from a foreign eBay site, and the geo-targeting wasn’t working for the prices and currency. I contacted the author, received a couple of replies attempting to track down the problem, and while it was not fixed immediately, it was fixed in the next plugin update. So I am impressed that the author is very helpful and this plugin is being supported and maintained. I was happy to leave the ‘Generosity’ setting in wherever I used it, but when checking the author’s website today I noticed this message:
     

     If you were previously sharing impressions with the Generosity option please set this to 0% – there may be an EPN TOS issue with this and I would rather not risk any trouble. Thanks to everyone who supported WordBay in this way.

   Wordbay is available from here: http://www.itsgottabered.com/wordbay/

   Back to the list

6. Free eBay Store (WordPress plugin)

   This plugin is free, but uses the author’s campaign ID 10% of the time. Here is a screenshot of some sample results output by the Free eBay Store plugin, on the ‘‘ theme:

   

   Pros:

   • This plugin is very simple to setup. After installing and activating it, you only need to insert a line of code wherever you want it to appear in a post, and edit a few parameters (campaign ID, keywords, rows, columns).
   • Results can also be displayed in a widget.

   Cons:

   • It only uses the US eBay site (a deal breaker in my case), although the author says on his website that a version that works with eBay sites from other countries will be available soon.
   • There’s no way of choosing categories, searching descriptions or sorting results.
   • It’s very slow to load on the page – the code may be called from another site?
   • The store displays a link back to the author’s home page, which is fine with me, but sometimes people prefer not to link out much, or to make all their tools look in-house.

   The home page for the Free eBay Store plugin is: http://geeklad.com/free-ebay-store

   Back to the list

7. Affomatic / Ebay for WordPress (WordPress plugin)

   When I tested Affomatic, it was available from http://www.affomatic.com/ebayfree2.php, but it now seems to have moved to http://affiliatemarketer.info/ and changed its name to Ebay for WordPress.

   So I don’t know if it may have been sold recently, or if the original author is moving more into an affiliate marketing business.

   Pros:

   • This is a free WordPress plugin, with no sharing of profit. However, you do have to enter your email address to get a download link. I signed up again in case there was an updated version, and found a few text changes and tidier looking listings, but got the same search results.
   • The admin interface has options to enter keywords, categories, sort and limit the number of results, and choose your eBay country (but see below).
   • Searches work on the US eBay site.
   • After downloading the Affomatic eBay plugin, I received another email with a $20 discount code for another WordPress plugin, Keywords to Websites, making it $79 at the time of writing. Keywords to Websites uses keywords to generate websites using content and ads pulled from various sources, including eBay, Amazon, Twitter, Commission Junction,Yahoo Answers, Youtube, Linkshare, Google news, and more – interesting but beyond the scope of this review!

   Cons:

   • You have to enter your email address to get a download link, which signs you up to an affiliate marketing newsletter, product offers, etc.
   • I did not get any results appearing at first. I noticed that after I chose UK as the eBay country, the list of categories to choose from was not the same as eBay UK. So I found the list in the PHP file and changed the appropriate category code to the one used on eBay UK. But even then, I didn’t get any results for searches within that category, and no relevant search results for ‘All categories’.

     After finding a category with results that matched, I clicked on the ads and found that although it took me to eBay.co.uk, the prices were in US dollars, and the items were all shipping from the USA. So I think it was still searching the American version of the category. To confirm this, I ran the same search with Affomatic set up to use the eBay.com US site, and the search results were the same, with the prices changed to dollars on the page.

   • There’s no CSS file to tidy up the appearance of the listings, so you’d have to create your own for this. Here’s a screenshot to show how Affomatic listings appeared out of the box (resized slightly to fit). The background colour comes from the web page background, not from Affomatic itself:
   

   Screenshot of Affomatic eBay listings

   Back to the list

8. phpBay Lite (free WordPress plugin)

   phpBay Lite is the scaled down free version of phpBay Pro. If you’re serious about your eBay affiliate progams, and considering using phpBay Pro, it’s worth at least trying phpBay Lite first, if only because the sign up email includes a 20% coupon / discount code for phpBay Pro. If you do this, you’ll need to uninstall phpBay Lite to get phpBay Pro working.

   After you install phpBay Lite, set the Affiliate Type and Ebay PID in your admin -> options -> phpBay Lite control panel.

   When you are ready to add auction listings to a post, you will see a new button on the button panel above of the post, which says “pBL” (for phpBay Lite, in the “Code” tab). To add eBay listings to your posts, you place your cursor where you want to display the auctions and press the pBL button to insert the code.

   There are two parameters used in the tag that appears. The first is the keyword(s) of what you want to list, and the second is the number of listings you want to display. For example:

   [phpbay]apple ipod, 10[/phpbay]

   When entering the keywords, separate them with spaces instead of commas, and use a comma at the end before entering the number of listings to display.

   When looking at the results on the page, the formatting was nice, but only 3 listings appeared instead of the 10 that resulted from entering the same search on eBay’s website. I don’t know why, but I found this happened often with all the eBay tools.

   Here is a screenshot of some of the listings produced by phpBay Lite, without any CSS changes. I think it looks clear and tidy:

   

   Screenshot of listings produced by phpBay Lite, with no CSS changes

   On checking the source code, the listings are there in HTML, not Javascript, so it would be providing freshly updated searchable content to my web pages.

   Pros:

   • phpBay Lite is completely free, but you do have to register with your name and email address.
   • It comes with simple instructions for installation, setup and use.
   • You can choose whether or not to display the eBay logo. eBay’s terms may require the logo to be displayed, however, in at least one case I rearranged the listing display and found it more convenient to position the eBay logo myself.
   • You can choose which eBay country to search, which determines the language and currency to use.
   • You can specify a maximum number of listings to display.

   Cons:

   • It makes you wonder what you’re missing out that would be in phpBay Pro!
   • You can’t sort the listings, so it’s best used where you don’t anticipate many results.

   This is what phpBay Lite says I’m missing:

   “For the ultimate Ebay plugin for WordPress, upgrade to our phpBay Pro product. It provides more options, mod_rewrite, masked affiliate urls, support for specific categories, min/max price, min/max bid, items by specific seller, geo ip targeting, column or row layouts, alternating row colors, hover over item highlighting, paging of results, access to our members only forum and many other features!”

   Well that does sound useful, especially the specific categories. I like phpBay Lite, but I will have to limit its use to searches where category restriction isn’t necessary.

   Back to the list

9. phpBay Pro (paid WordPress plugin)

   I ended up buying phpBay Pro for its combination of non-US eBay listings and the ability to narrow searches down to specific categories.

   It’s more complicated to install thatn phpBay Pro, but comes with step by step instructions. Once installed, it works in a similar way to phpBay Lite, except there are more settings to define at the start. The greatest advantage I found was that you can also add category numbers between the phpBay tags to get more relevant search results.

   In terms of support, I’ve been very impressed. I had trouble with the installation at first, because I still had phpBay Lite installed. I posted a question on the phpBay help forum, and the author replied within 15 minutes. Later on, I had another problem caused by interaction with another WordPress plugin, and again it was solved in the help forum.

   Back to the list

So if your blog is not self hosted, you may be limited to the Link Generator. Otherwise, you have the most options if your blog is aimed at a US audience. If it’s not specifically US, or not only US, phpBay Lite or WordBay could be good options, since they both produce HTML results and can be used in different eBay countries. If your site is focused on a specific niche (or eBay category), WordBay may be your best free solution. If the products you want to sell are easy to find and you want to vary the number of listings from page to page, then phpBay Lite is a good option. And if you’re looking for more flexibility overall and you’re prepared to buy a script, phpBay Pro is professional and well supported.

Links

• eBay Partner Network
• WP Contempo: How to get accepted by the eBay Partner Network
• EBay Partner Forum discussion of the BANS (Build a Niche Store) script before the widespread deindexing.
• Interesting post about .info domains and the great BANS deindexing on May 1st, 2008:
  Why Would BANS Sites On INFO Domains Be Deindexed?
• Google Burned my Website to the Ground!
  Interesting discussion of separating original and affiliate content to avoid a Google deindexing
• Feed2JS web service is available here: http://feed2js.org/index.php?s=build
• RSS2HTML is available from Feed For All: http://www.feedforall.com/
• Wordbay is available from here: http://www.itsgottabered.com/wordbay/
• Affomatic is available here: http://www.affomatic.com/ebayfree2.php
• phpBay Lite and phpBay Pro are available from this url: http://www.phpbay.com/

I can say with absolute certainty that AddToAny doesn’t run 3rd party
ads at all (never has), and I think it’s unlikely that someone would
try to hijack vicariously through our widget in particular.
Technically, it wouldn’t work unless you’re using forked AddToAny
code, but your requests seem to be from our CDN.

In which case, sorry AddToAny.

So the investigation is continuing: something is hijacking publisher IDs and stealing Adsense.

I installed the AddToAny social bookmarking plugin on a different website about a month ago. I would really like this not to be the culprit, because is it so useful. Here’s what happened:

A few weeks after installing it, I noticed something odd in Statcounter: under the ‘Exit Link Activity’ option, Adsense exit links were showing up with someone else’s Adsense Publisher ID. The rogue Adsense ID I found was this one: ca-pub-7957824725474864

I checked in Adsense, and obviously the clicks from my site with the other publisher id had not been recorded there.

Here is a screenshot from Statcounter (sitename removed), showing the beginning of the exit link with someone else’s publisher ID:

Statcounter exit links showing the rogue Adsense Publisher ID

The visitor had come in from a normal Google search to a landing page on my website, and appeared to have left from a page on my website, as opposed to a page that was saved to someone’s desktop.

I went to the page itself and reloaded it a few times to check the Adsense, but everything looked normal, both on the page and in the HTML source code.

Next I checked the Adsense code that was set up on my website, but again, everything was as normal.

So I did a search to see if anyone else had experienced this, and found this thread on Google Help forums. Not only was someone else experiencing the same thing, but with the same other person’s Adsense publisher ID.

Like the original poster, I reported this to Google AdSense. They replied that any extra ads on my site were placed without their knowledge, I should take security precautions (which I have) and that they would investigate this, but wouldn’t be able to tell me any of the results they found.

Meanwhile, on the Google forums, people were very helpful. Various causes were suggested for the rogue ID, including:

• stealware in browser toolbars and third party applications on the visitors’ PCs (see this post about stealware in peer to peer file sharing programs,
• pages loading in iframes,
• adsense and banner advertising manager programs,
• and third party javascript scripts.

Apparently it is well known for ‘stealware’ programs to hijack ids for affiliate marketing, although I could not find a reference to them hijacking Adsense.

There was a link to the Jensense Adsense blog, describing a Tell a Friend script that was inserting Adsense ads at the bottom of web pages: http://www.jensense.com/archives/2005/07/using_a_third_p.html

The original poster and I established that our websites were running on different software (one WordPress, one Joomla), with different advertising programs (Advertising Manager and Banners Manager). The original poster had uninstalled Advertising Manager a month ago and had not seen the rogue ID since then, but I was not using Advertising Manager. However, one thing we did have in common (apart from Statcounter and Adsense) was the AddToAny social bookmarking code. The original poster had the AddToAny WordPress plugin, and I had the version for other websites.

Although it is very popular, this plugin had also been criticised in the WordPress forums for nondisclosure of privacy issues: http://wordpress.org/support/topic/364390?replies=17, and in Futtta’s technology blog post ‘AddtoAny Removed from here‘.

So because of the timing, with it being the most recent thing I had installed, the privacy concerns and because it was one of only three scripts our sites had in common (Adsense, AddToAny and Statcounter), we were starting to wonder about it. But I was still not convinced it was a script on the page, because I hadn’t seen it in action, apart from exit clicks reported after the fact in Statcounter.

One of the helpful people who answered on the thread suggested reloading the page 5 or 10 times and checking the source code, as many third party scripts are up to similar tricks. So I tried, and found nothing, then tried again while running the Fiddler HTTP debugging tool, and I found something very very sneaky.

On the fifth pageload, the HTTP requests appeared the same at first. I could see the adsense loading with my own publisher ID. I could see the AddToAny button code loading, then Google Analytics, which I don’t use on that website, and then something from media6degrees.com, the website discussed in the WordPress privacy thread. All of these sources were the same each time the page loaded, but on the fifth pageload, after the last line of that code there was a new line, inserting Google Adsense code with the rogue publisher ID. Here is the section with the AddToAny HTTP requests:

The HTTP request URLs:

HTTP Debugging: URLs requested

The bottom line shows Adsense being reloaded with someone else’s publisher ID instead of mine.

The body size, caching and content types:

Next I wanted to compare the caching and content types for the rogue adsense with my genuine adsense, to see if there were any more clues there.

(The first line on the white background below is from my genuine adsense, to show how the rogue version (the last line in blue) is comparable in size and content):

HTTP Debugging: Content types and caching

Both have a same day expiry date, type of ‘text/html’ and size of around 4300.
From the similarities between the two requests, it looks as if Adsense is being completely reloaded, with the other publisher ID.

The URLs (my site and directory names changed):

Here are the full URLs requested in that section, (names changed again):

It looked suspicious to me, seeing the Adsense being reloaded like that right after the AddToAny code, as if either AddToAny was doing it, or something was hijacking AddToAny for this purpose, or something else was hiding itself by appearing immediately afterwards to look like part of the AddToAny code.

The sneakiest thing was that when I looked in my HTML source file, everything still looked normal: the rogue ID was not there. So many people who had concerns about missing Adsense clicks or strange exit links would check the HTML view of their page and not see anything.

But I have no doubt that if I clicked on that ad, the rogue ID would appear in the exit link in Statcounter and nothing would show up in my adsense account.

I spent some time trying to get it to show up again so that I could test that out (after all it wouldn’t technically be an invalid click would it!). When I was testing the rogue ads didn’t appear again, but then looking back through the Fiddler logs I saw that sometimes they appeared later, after a second call to Google Analytics (which I don’t use on that site), so there may be an occasional time delayed attack as well.

I also checked my server access logs for the visit when the rogue link was clicked, but nothing unusual showed up, presumably because it was all requested from other websites. In any case, I did not see anything else unusual going on.

Next I wondered if this was something I had missed that was authorised somewhere in the AddToAny terms, although I know I checked them at the time. Google forum member Steven G had seen such provisions for hijacking publisher IDs left out of the agreements by third party scripts, but listed in FAQs, or even the manual (as he put it, a great place to hide it!). Steven G discusses this more in his pay per click blog.

Checking the AddToAny terms, there is nothing mentioned about Adsense, or revenue sharing. I couldn’t find the manual, but in their FAQ it specifically states:

Does this service cost anything?
AddToAny is free, and always will be.

AddToAny also confirmed to me that they do not run third party advertising, and they did not believe that their plugin could have been hijacked in this way.

Well it’s true that it’s free, as are all the scripts on that website, but if any free script is the culprit, it is certainly costing me something, along with many of its other users.

As Steven G put it,

As long as people monetize their sites and have no choice but to trust the scripts they install to do certain things, there will be programmers to offer their scripts that hijack a portion of your earnings.

– and also hackers taking advantage of another doorway into your system: cross site scripting only works if there is a way in.

In the case of some scripts, the user base is enormous, eg here are the download statistics for AddToAny’s WordPress plugin:

AddToAny WordPress Plugin has been downloaded 880,378 times in the last 2 years

The annoying thing is that if I knew one of the scripts was going to do this (and only this), as long as it was ok with the Google Adsense terms, it would have been ok with me. They could have been upfront about some kind of Adsense revenue sharing arrangement, and I would probably have agreed to it, for a useful plugin. But as it is, I don’t know what else it might come up with, because whatever is happening here is dishonest.

However, having been in contact with AddToAny, I don’t believe they are the ones who are being dishonest, in spite of the coincidences implicating their button code, or other services it uses.

But there are still other possibilities.

Firstly, the two remaining scripts should be considered, ie Google Adsense and Statcounter.

Statcounter

It’s obvious that Statcounter itself is not doing this: for one thing, if they were, they would be able to hide it from the website statistics!

It does not seem very likely to me that Statcounter is involved via hijacking either, firstly because their code loaded after the rogue Adsense, and secondly because the reloaded Adsense always appeared after a call to Google Analytics. Why would something that hijacked Statcounter make itself more noticeable by calling Google Analytics, which would probably not be installed if Statcounter was there.

Also, the other site owner had posted in Statcounter forums, including the rogue Adsense ID.

Google Adsense

The final script that my site had in common with the other site that found the rogue Adsense Publisher ID was Google Adsense itself, and as a third party script that loads code from another website into the page, it also has to be considered.

Obviously there’s no way Google itself is doing this. It just wouldn’t make sense for Google to be jeopardising the service it provides to its Adwords customers by fraudulently loading Adsense units twice on one pageload.

Would it make sense for an Adsense ad to include a script that inserted a different publisher ID? Well it wouldn’t make sense to do it with their own ads, since they’d be paying more for the user to click it than they’d get for having it fraudulently clicked.

But would they make a profit if their ad caused Adsense to reload with a different ad including a publisher ID that they would profit from? They would have a lot of impressions, with no clicks on their own ads, and profit from clicks on other ads that should have been earned by the website owner. I just can’t see them getting away with that from Google.

Ads Serving Malware

There have been security bulletins for a long time warning of malware being hidden in Flash adverts and other hotlinked graphics files, exploiting unpatched vulnerabilities in certain software and browser plugins.

Over the last few weeks, there have also been discussions online about malware being served through third party ad networks provided through Adsense.

Here’s a post from six weeks ago about malware being served by ad networks, including ad networks including Google Adsense, Adultadwords, and Adbrite. There’s also a Google Help forum thread from today about websites and visitors being attacked by malware served by advertisers in third party networks supplied by Adsense. http://www.google.com/support/forum/p/AdSense/thread?tid=420c791905c1c74d&hl=en

The Anti-Malvertising website (http://www.anti-malvertising.com/) is a useful resource for those dealing with malware and malvertising.

Browser Vulnerabilities

Another possibility to consider is unpatched vulnerabilities in Internet Explorer 8, since all the rogue exit links were clicked by visitors with Internet Explorer 8. However, many visitors do use Internet Explorer 8, and the number of rogue exit links we have visitor data for is too small to generalise from. I’ve also only been able to use the HTTP debugger with IE 8. So it’s a possibility to consider, but not at all conclusive (as it seems to be with all the options so far).

In the meantime, I have uninstalled the AddToAny code and disabled third party ad serving networks through Adsense (this is done by disabling image ads via your Adsense ‘My Account’ page). I am continuing to monitor my pageloads, so if I see the rogue ID without these being installed I will post it here immediately.

If anyone has found similar exit link activity, found this publisher ID elsewhere, or has more suggestions about this, please do post a comment below.

(Click for comments)

I have an HP OfficeJet J6480 all-in-one printer. This is connected via USB to our Windows XP desktop machine. I also have a Linux (Kubuntu 9.04 “Jaunty Jackalope”) Laptop which connects to the wireless network setup by our router. The printer also connects wirelessly to that network. Thus, if I’m on the network on my laptop I have access to the printer.

This is the story of how I got the printer to work after having it stop working inexplicably one day. I consider myself a Linux novice; I am comfortable using it, but uncomfortable administering it.

Setting up the printer via USB on the Windows machine was trivially easy. I was unable, though to connect to the printer wirelessly either using Windows or Linux (my laptop is dualboot). Eventually, after spending far too long with HP Technical Support, I realised that the problem was simply that the router was using a channel with too much interference on it. By switching the channel to something else, we could confirm that the laptop (in Windows mode) could connect to the printer wirelessly. They hadn’t heard of Linux, though, and so I was on my own from there.

Setting up the printer initially was actually very easy. Simply running hp-setup as root did the trick. However, although this recognized the printer I never was able to get double-sided printing to work. And I saw no way to access the scanning features of Linux.

After a while, the printer would inexplicably not be connected when I booted up the laptop and I would have to re-istall it using hp-setup again.

In the meantime, I stumbled upon CUPS (the common UNIX printing system) which is a great way to administer your printers and even comes with a nifty web interface. All it took was setting the J6480 to be the default printer and I could run lpr commands. This was important to me because I had written a bunch of scripts to make text files print out nicely. I was also able to install CUPS-PDF and thereby get a “print to PDF” option from KDE.

Eventually, though, the laptop failed to locate the printer. And, no matter how many times I tried, hp-setup just wasn’t doing the trick. Not only that, but now my three printers (J6480, the J6480 “fax” machine that I never use, and CUPS-PDF) had disappeared from the KDE Printer Adminitstration tool.

So first I made sure that the printer could talk to the wireless network. I did this by connecting to it manually using the console on the printer itself. I then printed out a “wireless status report” (again from the printer console) to get me the IP adress of the printer. Trying to run hp-setup with that IP address failed. And trying to ping that IP address from the laptop failed. Now I knew that the printer could talk to the network, the laptop could talk to the network (because I still had internet access), but the laptop could not talk to the printer on the network. Weird.

I looked on the internet for help and found that the hplip utility might help manage my printer. However, I was (and had been ever since I first learned of this tool) unable to install it using apt-get because of conflicts with other packages: libxml-sax-perl. So this time around (having finished the Perl work that needed those libraries), I removed the offending packages, cleared my package install cache (sudo apt-get clean), and installing the most recent version of hplip. Wow! This gave me a nifty new taskbar application for managing the printer. It even seemed to handle scanning and double-sided printing.

I had to reboot the laptop, but then I was able to detect the printer using hp-setup. However, I still couldn’t print to it. I noticed the following message in the error log available from CUPS:


E [14/Apr/2010:07:27:45 -0700] Syntax error on line 10 of printers.conf.


and I noticed the following error when trying to print from lpr:


lpr: bad job-sheets value ""!


Based on advice from some more internet searching I edited the file “/etc/cups/printers.conf” by changing the line


JobSheets


to


JobSheets none


And that fixed things. Finally. I also messed about with CUPS to get double-sided printing enabled by default.

I was really happy, but soon realised that scanning wasn’t quite working. I could scan to images but not to PDF. So I re-installed CUPS-PDF using apt-get (it had dissappeared somewhere along the line). In doing this, I had to manually create the folder “~/PDF” as a location for CUPS-PDF to save files to (in theory I would have to do this to every user’s home file, but I am the only user of this laptop). Then, from within xsane (a Linux scanning utility) I made the CUPS-PDF printer the default printer to use when copying (details were found here: https://help.ubuntu.com/community/XSane).

Things work better now. To scan a document I select the scan option from hplip, this brings up xsane, I select the copy option from xsane if it’s a single image, otherwise I select the multipage option from xsane being sure to specify the number of pages – when all pages have finished scanning save the multipage project to a file. I still need to mess about with the resolution of the scanner because the scanned image is consistently quite dark.

But at any rate, I have a fully-functional all-in-one wireless printer working with Linux and I love it. And it’s just that easy.

So it was obviously done for a hidden, longer term purpose, rather than to take the site down, and that worried me too. Could it be rescued?

This is a long post, detailing the steps I took to trace the problem, minimise the damage and rescue the website, so the steps I took are linked in this step-by-step list:

How I noticed something was wrong

Because I usually use Firefox, which hadn’t had any problems with the site, I only realised my site was hacked when I tested a new page in Internet Explorer 8. There was an error message I hadn’t seen before.

The message said, ‘This website wants to run the following add-on: ‘Remote Data Services Data Control’ from ‘Microsoft Corporation’. If you trust the website and the add-on and want to allow it to run, click here’.

Now this website and I have been through stormy times together. If I’ve ever made a lot of sales calls, spent a whole day cold calling at trade shows, or I’m at home with flu and a hyperactive toddler, that’s the day the site will crash. True to form, I had just applied to some new affiliate programs and was about to stop work for the day and start cooking for my son’s 4th birthday party. So did I trust this website? Erm…

At first, I thought maybe there was a script I hadn’t noticed in some content I had just added from Wikipedia, so I checked the source code, but I didn’t see anything unusual there. I browsed to other pages on the same website, and then back again, and didn’t see it again. I wondered if it was something left over from my MSN Internet Explorer home page, so I went back to that and it wasn’t there. Then I went back to the same page, and there it was again.

Back to list

What is Microsoft ‘Remote Data Services Data Control’?

I tried searching for ‘Remote Data Services Data Control’, assuming it was some kind of Microsoft script, and found a post on a Microsoft Security newsgroup leading to this ‘Can You Spot the Fake?’ post on Hosts News, warning,

‘any time you see that warning “Remote Data Services Data Control” watch out! … this is NOT from Microsoft! This is the generic warning IE7 throws up when an exploit is trying to enter the system.’

Starting to feel alarmed, I following a trackback from Hosts News to the post that saved my day (though ruining my night first ) : the Little Big Tomatoes post The one with the evil jscript on my blog.

Back to list

HTTP Debugging with Fiddler

The hacked site there appeared to be WordPress based, but the errors looked similar. The post showed a useful free web debugging tool called Fiddler, which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. There’s an instruction video for Fiddler here.

So I downloaded Fiddler and ran it. I’d never run Fiddler before, but when I loaded the web page again in Internet Explorer, Fiddler picked it up automatically. So I looked down the list of http requests, and in the middle of my normal HTTP requests (site name blocked out) I found these (don’t go to any URLs listed here!):

Back to list

‘Yourgoogleanalytics’ and ‘Statscounter’???

Looking down the list, I saw ‘statscounter’ and did a double take: I do use Statcounter for website statistics, but here it’s misspelt, and I hadn’t used Google Analytics at all, so that was another red flag. Some Google Adsense HTTP requests appeared around the same time, but it just looked dodgy. Was this really something Google Adsense did?

The next requests, for ‘dos.ms’ were completely unfamiliar, and called PHP scripts called ‘redir.php’ and ‘in.php’, whose names alone sounded worrying. I wondered: shouldn’t hackers have called them something less sinister, perhaps kittens.php and flowers.php? Or had they just stopped pretending? Most of all, I wondered what was going on with my website.

I should say at this point that the website often needs work and doesn’t get much traffic (a good thing, for once).  In  the words of Courtney Tuttle, it’s a time sucking money pit.   But I leave my money pits on my own terms, thanks.
So there weren’t any visitors right then and I thought I had a bit more time to figure out what was going on.

I searched for ‘yourgoogleanalytics’, and found nothing for ‘yourgoogleanalytics.us’, but there were posts about ‘yourgoogleanalytics.cn’ on Google’s support forum from a site using Microsoft software, with a useful answer about rogue javascript added to external .js files:

“Have you looked at the code in menus/milonic_src.js ?

What do you suppose is the long line starting with this: document.write(unescape(‘%3C%69%66%72%61%6D%65%20%73%72%63%3D ?

I suggest you check all of your external javascript js files for code tampering.”

More reading turned up a couple more examples of obfuscated javascript being added to js files, creating invisible (0 x 0 dimensional) iframes, which would then call php files on other domains to pull in dodgy code such as trojan downloaders.

Andrew Martins security blog lists the yourgoogleanalytics.us domain as being used for ‘Money Mule Recruiting’, and gives an example of Money Mule Recruiting on a related domain:

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

I couldn’t see my visitors falling for that, so I hoped if it was hacked it was for money mule recruitment rather than the various trojans and downloaders that were mentioned on other sites as possibilities.

Back to list

Checking the Javascript files

My site has a lot of javascript files, so I thought the best place to start looking for this would be the file Fiddler reported just before the odd domain names: moscom.js, moscom.jquery.js, and moscom.ui.tabs.js, which were all part of a comments extension I had installed a few weeks earlier.

So I downloaded those three files, and checked them one by one in Notepad, and when I got to the top of moscom.jquery.js, there it was:

document.write(unescape('%3C%69%66%72%61%6D%65%20%73 ... and so on.

I didn’t know if the file had always been like that, but that line of code appeared before the header section with the package and file names and looked very suspicious, so that was enough for me: it was clear the website had been hacked.

I felt awful, thinking of people visiting my website, and being at risk from trojans and viruses.

Back to list

Preventing further infection

I didn’t want to be infecting my visitors with malicious downloads, so I took the site offline via the Global Configuration settings.

I set off a backup of the database and files, in case uninstalling or repairing anything might trigger off some kind of malicious code. Then I noticed that the backup program itself was trying to access the malicious files, so I stopped it and downloaded the files and database separately.

Back to list

Telling the Web Hosting Provider

Then I emailed my web hosting provider, told them the situation, and apologised for the inconvenience. I told them that I had identified the infected files and taken the website offline to visitors, and that I would be uninstalling the infected components and upgrading everything that needed upgrading.

I also asked them to let me know if they could please check for anything they knew of that could have got the javascript into the site, so I could prevent it from happening again.

I was pretty nervous about this, having heard of other hosts deactivating hacked accounts, and I stared at the backups, willing them to go faster…

That didn’t work. My web hosts were really helpful though, and sent me this reply:

“It appears that your site has been subject to an attack via a method known as script injection. Typically, this works by forcing a site to execute code when it was expecting to process another input, fake .txt files are often used for this purpose.

Because script injection attacks the site code itself, it is able to completely avoid webserver security. Unfortunately, some content management systems (especially older versions of Joomla) are extremely susceptible to this form of attack.

Here’s the best way to get your site back up and running:

1. Begin by clearing out your public_html directory, ensuring no anomalous files or hidden files are left, this way you know that any backdoors the hacker might have left in are completely eradicated.
2. Change any passwords relating to the site, along with the ftp password.
3. At this point we can turn scripting back on for you – as the hacker’s entryway is now gone.
4. Restore the site from your last known good backup.

If you feel confident removing this infection by hand, please inform us when the site is completely clean and we will turn it back on for you. However, if the infection does recur, we would ask that you completely clear the public_html directory before we reactivate the site again.

I would also suggest contacting the author of the script as it appears there maybe some security issues with the code. “

Script injection? I’d heard of cross site scripting, and SQL injection (see the ‘Bobby Tables’ cartoon about this), but not script injection. A quick look at the Wikipedia page told me that script injection (or code injection) is the more general name for the type of website hacking that adds extra code to a computer program, and can be accomplished using cross site scripting or SQL injection, among other methods.

Back to list

Checking my Desktop PC

I’d like to say the next thing I did was to run the virus and spyware checker on my local PC. But in fact, I changed all my hosting account’s FTP and database passwords, and then thought, “What if I have keylogger spyware on my local PC…?” Then I ran the virus and spyware checker on my desktop PC and changed my passwords all over again.

When your website has been hacked, your desktop PC’s security is easy to overlook (apparently!), but can be crucial. This post from Brian Teeman’s blog discusses why it’s important to consider keylogging trojans and viruses when dealing with hacked Joomla sites.

Checking on the Joomla security forums (the Joomla 1.0.x security forum and the Joomla 1.5.x security forum), I found advice to check the desktop PC with several different antivirus and spyware tools, as each of them might miss something different.

I was able to run AVG antivirus, PC Tools Anti-virus, and Lavasoft’s Ad-Aware. I also tried Kaspersky, but it wouldn’t install because it found remnants of an old AVG version, which I couldn’t find and couldn’t uninstall.

Some more recommended security tools can be found listed here:

Free virus checkers:

• AVG free anti virus
• House Call
• Bit Defender
• Kaspersky
• F-Secure
• PC Tools free antivirus for Windows XP and Vista

I ran the quick check first, then the thorough ones, but my desktop PC was apparently ok.

I also discovered Secunia’s free check for vulnerable software on desktop computers.

Back to list

Securing the Web Hosting Account

Just in case, I had changed the FTP and database passwords again, because it was easy to do. Looking through the files, I didn’t find any others that were infected, but wasn’t convinced they were safe either. I didn’t see anything else like the encrypted Javascript, but neither do I know every line of code like the back of my hand.

So I decided that in the long run it might be quicker to take the drastic route. I uninstalled the infected component first, then deleted all the files. While the files were deleting, I used phpMyAdmin to export a text file of the database, and I searched it for anything I could think of that had been out of place so far.

Back to list

Finding the Vulnerabilities

Obviously, I wanted to avoid this happening again, so it would help to know how the hackers got in.

I’d added extra code to my php.ini and .htaccess files that was recommended on the Joomla Security forums for blocking common exploits, so I’d thought my site would be safer than most, but apparently part of it wasn’t. So where was the problem, and how could I track it down?

The first place I looked was in the new component with the infected files. The infected files had the same date stamp as the others from the same component, so either they were infected on the day I installed them, or the date of hacking had been hidden. So I checked the same file in the installation package, and the rogue javascript wasn’t there.

I emailed the author anyway, as advised by my web host, and eventually received a reply telling me not to store my files with permissions set to world writable. Ok, that’s valid advice, except that wasn’t what happened and I don’t know why he thought it was.

Another place where I have often seen hacking attempts is the Friendly URLs list of my Search Engine Friendly (SEF) URLs program. When hacking attempts arrive via the browser URL, they are not known URLs, so the SEF program makes FURLs for them. In the past I’ve often checked through these to see which components are being targeted, but this time I’d recently cleared them out and deleted the invalid FURLS. So I didn’t find anything there.

The next thing I did was to download the access and error logs from my web hosting server. All I found from the error logs was that one of my graphics files was missing. The access logs were long text files, but only went back to about 5 days after I installed the files that became infected.

I started looking back through them. I’ve seen SQL injection attempts in my access logs in the past, and there was one almost immediately in the most recent log file. But when I looked up references to SQL injection in the component that was targeted, the attack I saw was known and the vulnerability had been patched many versions previously. I contacted the author and he confirmed this (although not long afterwards they did produce a new security release). I also didn’t see any administrator activity or unusual file accesses in the log entries around it.

I found lots of hacking attempts by the bot libwww-perl, which is often used for automated hacking attempts. Many were targeting Community Builder, which I hadn’t seen targeted before, and many were bringing up my ‘page not found’ page.

I continued trawling through the logs, finding nothing that looked successful. Occasionally, the infected files appeared when I didn’t think they should have done. Eventually, the log files ended, leaving me with that half a week gap.

I changed tack and itemised the components in the website to see what needed upgrading.

Joomla itself was up to date, but Community Builder was known to have an exploit, and I had put off upgrading it because the new version required PHP 5, and I had only had PHP 4.4.7 on my server. In the meantime, however, my web hosts had installed a capability to switch hosting accounts to the upgraded PHP version.

Back to list

Improving Security in Future

So the first change I made was to upgrade the PHP version to 5. Then I restored the files from a backup taken before installing the infected component, working on the assumption (or hope!) that the site was only hacked once.

I had already made the .htaccess and php.ini changes recommended in the Joomla Security Forum, but I added some new lines to my .htaccess file to block libwww, as recommended in these useful and detailed blog posts: ‘Hackers, Botnets and libwww-PERL’ by WebGeek and ‘Block LIBWWW-PERL and web addresses to protect your site from botnets’ by incrediBILL.

Unfortunately, there are some legitimate uses of Libwww-perl that would also be blocked, but so far the only disadvantage I have found to blocking it is that if I want to run the W3C link validator, that uses Libwww-perl so I have to temporarily allow it again.

I also added lines to block the domains used in the hacking attempts. For more .htaccess protection, the Webmasterworld forum has a useful discussion on ways to block bad bots.

I had a couple of small PHP errors to fix after upgrading to PHP 5, and then I tested the site thoroughly using Internet Explorer and Fiddler, and all seemed ok.

Next I upgraded Community Builder, followed by checking and upgrading any other components that needed it.

My users’ passwords are all stored in encrypted form, and the site does not collect personal information about them, so there wouldn’t be a security risk from that. I checked the user list to see who had logged in recently, and checked their data. Then I changed the passwords to prevent fraudulent logins in future. If they try to log in, the ‘forgot password’ option can be used to reset passwords. It’s not great, but no damage has been done there.

The users’ passwords did give me some scary moments: this is another example of why it’s so important to use different passwords for anything important you do online: if the users’ passwords had been on a website where they weren’t encrypted, and they used the same password for their email, that would be extremely risky. And if I’d used the same passwords for logging in to my website as I did for online banking, email or anything involving credit cards, for example, I could be in deep trouble now. If you’re not convinced, check this entertaining but scary “One Man’s Blog” post on “How I’d hack your weak passwords”.

Looking back, I may be in good company too: I can think of several online services I’ve joined where the password has mysteriously stopped working. None of them told me why, and some of them did have more information of mine than I’d want to let go.

Back to list

Why was my website a target for hackers?

I can think of a couple of reasons why my site might have been targeted:

1. When I first launched it, I posted links in various ‘Site Showcase’ type threads in the forums for the Joomla components I’d used. At the time, I thought this was great, because it brought me visitors from all over the world, as well as a truly improbable sounding Alexa ranking. But then, when any of those components develop a vulnerability, my site is an obvious target. Thankfully, component owners tend to develop patches or eventually take their sites offline, and my links with it. But I wouldn’t post links there again unless it was truly relevant to the website’s focus.
2. Social networking sites are increasingly becoming targets for hackers (see Facebook and Twitter becoming Top Targets for Hackers at Brick House Security), which could lead to Community Builder being targeted more than in the past, with hackers assuming that any site using Community Builder would be a social networking / membership site. Plus, the older version of Community Builder had a vulnerability posted. I haven’t been able to find out what it is anywhere, but hackers could have tried attacks in many variations
3. What’s most likely, considering that my website isn’t a high value target, is that hackers were using bots such as libwww-perl to run scripted attacks with many variations, and eventually one of them worked. Woohoo, lucky me! Should have kept all my extensions up to date

Back to list

Online Tests for Malware in your Website

There is an online service called Unmask Parasites which tests web pages for malware. To check your web pages you can either bookmark their service or place their Security Check shortcut links on every page you want to be able to check.

Every time you click the Security Check link the Unmask Parasites service will automatically check the referring web page so you don’t have to type any URLs.

The shortcut links should work for any public web pages, however, I have found since then that when I checked a hacked oscommerce website, the security report service appeared to crash with error messages, so if you see errors they should also be treated as a warning that your website may have been hacked.

Back to list

Google Malware / Security Warning

If your website has been unlucky enough to be flagged by Google as hosting malware or in some other way risky, this post explains how to get that warning removed from your website’s Google listings: How to remove ‘This site may harm your computer’ from Google search results.

There’s some more information here about Google’s safe browsing diagnostic pages.

Back to list

General Website Security Links

• Description of a recent attack that infected 40,000 websites
• Sign up for Websense Attack Alerts
• Websense Security Labs Blog
• SANS: Top Cyber Security Risks
• Stop Badware: Tips for Cleaning and Securing Your Website

Joomla Security Links

• Joomla 1.0.x security forum
• Joomla 1.5.x security forum
• Joomla! Security Checklist
• Joomla Advisory: dealing with hacked websites and hacking attempts
• Joomla Security Forum: Malicious Javascript in Your Site
• List of Vulnerable Joomla! Extensions

Back to list

If you’ve also had your Joomla website hacked, you might find these security links useful, and I wish you luck with it! In the meantime, with the files backing up, then deleting, then restoring, and the anti-virus running, the computer ran so slowly that I had lots of time that night to get things ready for my little boy’s birthday party: I may have felt like a zombie but at least the scumbag hackers didn’t ruin his special day. Comments, advice, suggestions etc welcome – if there’s one thing I’ve learned above all from this it’s that I’d rather improve my knowledge of website security at more convenient times

I’d just added the RSS feed to Goldenfeed, and saw a link underneath to another RSS directory, ‘readablog’. So I clicked on it and got this error screen:

Sounds like a perfectly normal RSS and blog directory so why has Alexa toolbar come up with this stuff???

For once I agree with Alexa: ‘Why am I seeing this page?’

Firstly, where did the ‘porn’ search come from? Going back to Goldenfeed, all I can see in the status bar is the URL.

Then, looking at the listings, where did Alexa toolbar get those from? OK Home Cinema could have some relevance. And maybe Royal Caribbean Cruises are trying to spice up their image (unlikely, but you never know). But ‘Christian Child Ministry’?? Is someone having a joke on this site, Google bombing them or something like that? And Cisco Systems – some lonely nerds with a networking fetish?

I can’t help wondering why Readablog has been lumbered with this. It has such a wholesome, non-X-rated name. Looking at its page in wholinkstome.com, none of the incoming links have adult sounding names, and it seems to rank best for keywords about marriage and babies.

Looking at its page on Alexa, it seems to have been related to other RSS directories. The closest to dodgy term I can find in its keywords is ‘swimsuit’. Which isn’t even dodgy.

Meanwhile, quantcast has its visitors as mostly male, in their late 30s, without kids and with college degrees. Ok, I’m starting to get a little creeped out about how much the net seems to know about us…

In any case, I can’t see any reason for these Alexa toolbar results (or Cisco Systems, etc for that matter!) Has ‘porn’ become another word for ‘website’?

Finally, I check up on Goldenfeed, and find it has let’s say more of a mixture of stuff. Oops. And there’s my feed, on the home page! Woo hoo!

Now I’m just wondering what the Adsense will come up with for this page…

After my first experiments with Adsense and artificial intelligence, I thought it might be interesting to try it out on a website with more traffic. (However great my privacy and ‘under construction’ pages are, they aren’t the most visited pages on the web!) So when I discovered there was a scheme for sharing profit from Adsense on a community website I was using anyway, it seemed like a great opportunity: after all, what was there to lose?

3 Months of Sharing Profit from Adsense on a Community Web Directory

Huge piles of cash for your
community members!

At the time (in 2007), I was a member of Hedir, which was then a busy website based around a peer reviewed directory. There was a community of developers, moderators and reviewers and a much larger group who submitted websites for approval in the directory. The idea was that people who submitted websites should also review others, but not many of them seemed to catch on to this. This was a shame because it was a great way to find out what works and what doesn’t work on other people’s websites. The Hedir community website also offered forums, and later blogs for its members.

Every page on the website showed a couple of Google adsense units, and they operated a scheme for sharing the profits with members of the community who signed up for it by adding their Google AdSense publisher IDs to their user profiles.

Having signed up, whenever I reviewed a website submitted to the directory or posted a message in their forums, my publisher ID would become the most recent one to have posted on the page. When a web page using this system loads, it runs a Javascript program so that a certain percentage of the time the Google ads belong to my publisher ID and the rest of the time they belong to the website owners or developers.

This seemed like a clever idea to me. Having seen as a member that hundreds of websites were submitted to the directory every day, I was sure this idea would be a winner, especially when my own website was as quiet as Tumbleweed City.

AdSense also provides a feature called ‘channels’ which allows you to track which pages are loaded and which ads are clicked. So I created an AdSense channel ID and added it to my Hedir user profile. I reviewed about 50 websites and posted some entries into the forums. Then I checked in with Google AdSense every day for the next few weeks to see what was going on.

At the end of February, my first month with Google AdSense, I had gone from under 20 Adsense impressions, to over 300. I also made $0.13, which surprisingly turned out to be from my own site. It was a click from my Valentine’s Day poem. So I’m up there with Hallmark, making a profit from Valentine’s Day.

I checked again after the first half of March, when I had been away for 10 days so presumably wasn’t loading my own website as much, and the excitement was all over: not many page loads and no more earnings.

After a month of fairly intensive posting, I had not made any money from it. As I’d been away for 10 days in the middle, I thought for a proper trial I’d give it another month of posting to review pages and forums. By the end of this I had posted about 300 times in total, and I think that gives it a very good chance of working if it’s going to. And it didn’t, much.

So what happened to my adverts?

The Alexa traffic rank of the site seems good, at around 32,000, but there were at the time about 180 pages of sites listed in the review queue, and not many people reviewing them. This probably meant that each directory page wasn’t viewed as much as I expected. People were happy to submit their own sites but most couldn’t be bothered to review anyone else’s.

If there had been a requirement for everyone who submitted a site to do a certain number of reviews, that would have brought the size of the queue down and got each page viewed more frequently. However, it wouldn’t necessarily have got more views for each member’s adverts, and here’s why:

The reason for the tail off in Hedir adsense views when I was away is of course that once another review was added to each page (which would be the reason for most of the page views), those ads wouldn’t show up with my adsense id any more, because they would be assigned to the next reviewer’s id. They would have been removed from the number of pages still available for earning me adsense commissions.

Given the way that people used the review pages, I think there is not likely to be much commission from revenue sharing ads in this situation, although it does may a short term incentive to post a review.

The forums were probably viewed more often, being publicly available and linked from the front page, but forum ads were only linked to the last poster 20% of the time.

However, I did discover another benefit to posting on a community website: people will sometimes follow the links in your posting’s signature. So I had about 300 signatures posted on various pages, which I linked to 3 of my customers’ websites, and I did see more traffic coming to the websites from them.

The site also offered blogs with adsense revenue sharing, but I didn’t get round to trying that, as I found that even when I was getting page impressions, people hardly ever clicked on the ads.

I’ve read in various blogs that visitors from social networking websites will rarely click on the ads, and when they do, they aren’t looking to buy anything. What’s worse, too much social traffic to your Adsense sites can lead to your account being smart priced (a policy of paying you only very small amounts for each click, since your visitors are not valuable to the advertisers). And once your account is smart priced, those low payments will apply to all your Adsense, on any website.

So sharing profit from adsense on Facebook, for example, could be a bad idea if it’s used on home pages, with their social visitors and generalised content.   (Or would half the Facebook pages become stuffed with high value keywords?!)   But it could do better on group pages focused on particular subjects, where members might be looking for advice or a product recommendation, and an advertiser could supply it.

Other possibilities for sharing profit from adsense on community websites:

Sharing profits encourages
your community

I still think adsense profit sharing is a very clever idea, and great from the website owner’s point of view. It encourages members to interact with the website, post new content and promote it.

For those developing Joomla websites, there are adsense-sharing plugins available here, for websites with and aithout Community Builder: http://extensions.joomla.org/extensions/search/adsense+sharing

On a community website with blog pages for each member, the idea could work out better, with members having more control over the subject focus of the page, and a more long term interest in it due to always being the last person to post on their own pages.

So is the idea of sharing profit from adsense on a community website a good one? Personally, I think so, depending on the website’s subject focus, how much control members have over their content, and how much the benefit carries on into the long term. For a community website, sharing profit from adsense can be a fun way to encourage members’ involvement with the community, and motivate them to promote it and interact with it. It also gives your community members something else they might have in common!

Is it right that employers take out life insurance policies on their employees?  Most employees do not even know if their employers have taken out life insurance policies against them, and undertandably so:  how could it feel to work for a company, knowing the company would profit from your death?

Most people had no idea that this practice was even going on until it appeared in the latest Michael Moore film, ‘Capitalism: a Love Story’, and was featured on ABC News (see the video clip from YouTube):

Ok, so it makes sense for companies to have a financial backup plan in the event of losing a key employee:  projects may be delayed, recruitment costs must be covered, and temporary staff may be needed to fill in the gaps.   So then tax breaks were offered to encourage this practice, and it has become far more widespread.

But I can’t think of many policies more likely to discourage employee loyalty, especially when you consider that the employers must have taken the life insurance costs into account when planning the employee’s salary package, and they have no intention of sharing any of the money paid out with the employee’s family.

Work harder…
Work harder…

Where is the motivation for Health and Safety now? Are companies banking on the life insurance outweighing the lawsuits?

What message does this send to employees who want to be loyal to their employers and feel that their hard work is valued?  Instead, are they now realising that their employers will literally benefit from working them to death?

Genuine loyalty comes from a relationship where respect goes both ways.  It shows very little respect for working people to take out life insurance policies against them without even telling them, and then to call these ‘Dead Peasants Policies’ is downright offensive.  Are the people who come up with these ideas complete sociopaths?

So here’s what I’d do if I ran the zoo:

1. Keep the tax break, with legal modifications.
2. Let employers take out life insurance policies on their employees, with their consent.
3. Limit the amount of payout that the employers can keep to a prearranged amount that could reasonably be required to cover lost work time and recruitment costs.
4. Require any amount left over after that to be given to the employees’ families, or a charity of their choice.
5. Allow the employees to add to the policy if they want to, as part of payroll along with tax and social security, with any resulting extra payouts guaranteed to go to their families or whoever they have chosen.
6. Encourage loyalty and a long term relationship by having the employer and employees working together, taking advantage of the tax break for everyone’s benefit.

That way everyone wins – because anything else is just creepy.

So I spent a couple of years learning about robots, intelligent systems, evolution and natural language processing. Little robots will go to Mars, they told us. They’ll be Fast, Cheap and Out of Control. I thought it was strange at the time that no one seemed concerned with more immediate practical applications.

Shortly before I graduated, I met an ex-boyfriend of my cousin’s, who worked in marketing. “They’re just starting to use neural networks where I work now,” he told me. They used them to target direct mail advertising. So there it was, the first real life example of AI I’d personally encountered, and it was used for spam. I really should have known. By which I mean, I really should have known, and started Google. Then I’d be laughing.

Cybot by Macaruba

Adsense: not that kind of robot

Ten years later, after having the kids and so on, I went into freelance web development. Many of my former classmates do in fact do interesting and groundbreaking work involving artificial intelligence. They’ve invented guard robots, simulated the climate and ecosystems, programmed artificial lifeforms for videogames and invented Web 2.0 software applications. Wow, I wish I’d done that stuff. But when I look around on the common-or-garden Internet, I mostly see artificial intelligence being used to target contextual PPC (pay-per-click) advertising.

And that, I am often told, is the way to effortless millions. So I thought I’d check it out.

Having tried some experiments with affiliate marketing, pay per click advertising seemed like the next logical thing to try out. The basic setup is this: you sign up for Google AdSense or a similar contextual PPC advertising program, use their online advert design process to create snippets of Javascript code, and then paste this code unaltered into the appropriate part of your web page. Google’s Adsense robot visits, processes the other text on your web page and/or website and selects relevant adverts to display in the colours and layout you have chosen. Then the Adsense code loads when your web page does. You’re not allowed to click on your own adverts, but if someone else does you make a small amount of money (often very small). So millions of people click on the ads and you make an effortless fortune. Right? Well, so far I’ve found the system works apart from the last part.

The first thing I was interested in was how the adverts were chosen to be relevant. Would it depend more on the content of the page, or the website as a whole? I also didn’t want Google ads for my competitors appearing on my home page, although I did see the appeal of taking some of their money. So I tested out the ad selection process by setting up my first Google ads on a mix of obscure and slightly odd pages to see what they came up with.

Check out how the ads appear on:

• my privacy policy
  
  
  This is a screenshot, not an ad:
  
  The text before and after the adsense block mentions privacy several times, but the adverts that appear are for general web design and backup security. A quick search on Google for ‘privacy site:uk’ gives me no PPC ads next to the search results, so that would be why the ads weren’t so relevant to privacy: no one was advertising with the ‘privacy’ keyword in the UK.

• my ethical policy
  This is a screenshot, not an ad:
  

  Not bad – these contextual adverts do all relate to business ethics and professional codes of conduct. However, it is obviously not a simple case of pattern matching, linking words in the text to words in the adverts, as my page does not mention the word ‘whistleblower’, for example. Previously on this page I’ve seen ads for sex offender registers, which are really not mentioned in my ethical policy! These ads probably came from keywords in the policy about my web hosting not allowing porn, and using the film rating standards as a guideline.

  Surely if Google used some kind of vast semantic network to link related words together, wouldn’t it be very slow? If that’s how they identify keywords for a webpage, perhaps they would store the results rather than do it every time the page loads. Perhaps they combine two approaches, identifying and storing keywords for the website as a whole (hence the delay in seeing ads when you first put the Adsense code on a website) and then checking individual pages for keywords when they load. Most probably, this is all on record somewhere.

  In fact, when pay-per-click advertisers bid for keywords they write the adverts separately from that. So in theory, they could bid for a keyword and write a completely unrelated advert, although there probably wouldn’t be much point!

• my copyright / credits page
  This is a screenshot, not an ad:
  
  Again, these ads are nicely relevant – perhaps there’s some lucrative legal work in the copyright field.

• my legal document templates
  This is a screenshot, not a real ad:
  
  This one surprised me, because there’s plenty of PPC advertising on Google for legal document services. So why did my web design business site get a whopping graphic leaderboard ad about building websites in minutes? This is the last sort of thing I want my customers to be told when I charge by the hour! Obviously this possibility is a major drawback in putting adsense on a business site. To some extent, competitors ads can be blocked out, and it’s also possible to block image ads if you want to, but it’s still likely that some contextual ads will be for competing services.

  Reloading the page a few times gives me a text alternative to the banner ads, which explains the situation better:

  This is a screenshot, not an ad:
  
  Looking at my page about legal contract templates, and the ads about building websites with website templates, it’s obvious that the Google Adsense code has connected the word ‘template’ to the general web design theme of the site, and taken it out of context, giving a higher weighting to ‘template’ in determining the advertising keywords, rather than the ‘legal’ and ‘contract’ keywords.

  It would be interesting to know how the adsense code manages these weightings (and probably very lucrative too!). Thinking back to how I wrestled with neural networks in college, it would be so ironic if Google had just gone and made one of my website.

Next I tried:

• my ‘Under Construction’ page, with free photos of diggers.
  This page gets some nice ads for sustainable buildings, green architecture and design engineers, possible picking up on the ‘ethical policy’ link in the footer, and the ‘design’ and ‘beach’ keywords used in the site name.

  Surprisingly, this page turned out very well, and for a while it was a popular resource for free photos of diggers! It even got some Adsense clicks – but why? Well, for one reason, I think although the button to click for more photos doesn’t reload the adverts, perhaps it encourages people into interacting more with the page in general. So once they’ve clicked something a few times, they look for something else to click. There’s also the consideration that the rest of my website is unrelated to diggers, so the easiest place for visitors to follow their interest in construction is out through the adverts: interaction design (accidentally) in action!

Then I thought of some types of work I was too booked up for at the time:

• Content Management Systems, which gets general web design ads, and
• Database Websites, which gets some nice looking ads for business database software and professional database development tools.

While keeping an eye on the Google forums and looking at how the Google AdSense code is used on the net, I discovered several gimmicky pages along the lines of ‘Find Your Hobbit Name’ that seemed designed to keep people reloading and seeing new ads they might click on. Reloading the whole page over and over again seems a little dodgy. So I wrote this page, similar to the free photos page, where different parts of the page can be changed by clicking buttons. It took a while to be indexed, but it was popular in February and gave a little boost to the adsense this year:

• Random Valentine’s Day Poems

How romantic.

I even tried it on a ‘Lorem ipsum’ page, before realising that would go against AdSense policies by placing them on a page with ‘content primarily in an unsupported language’. For the record, they were mostly about beach resorts, because of the domain name, and temp agencies, probably because of the ‘tempor’ word fragment.

Here’s a sample of lorem ipsum, for anyone who hasn’t seen it before:

“Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. “

I guess I can see their point.

Finally, I signed up for Gmail (or Google Mail as it’s called in the UK because someone else already had ‘Gmail’ there), and I discovered the Adsense code was reading my mail, and putting relevant ads around it. What’s more, my Google inbox had a Page Rank of 7 (Huh? Who’s linking to it??) I wondered if this was all a creepy invasion of privacy, and then realised that Google would forget what my emails said almost as soon as I would, and I decided not to mind.

Today I read a post by Stephen Wildstrom on Business Week’s TechBeat blog that really sums up Google Adsense:

“I came across a curious item about a man whose family had placed his ashes inside the case of an old Sun Microsystems SPARCstation. Sure enough, beneath the item was an ad for Shine On Brightly cremation urns, plus offers for discount cremation, a San Francisco Bay ash-scattering service, and a company that will place your cremated remains in an artificial reef off Miami…”

Retro Robot by Sasan

Robots in the shed. Yup.

With all those Suns and SPARCs and artificial things, it looks like it should be science fiction, but in fact it really isn’t. It’s an urn full of somebody’s ashes, for people who needed somewhere to put them. Futuristic technology met real life and created something unglamourously useful.

So after all the exciting sci-fi promises of artificial intelligence, it could be that Google Adsense is its most widespread application. It watches what you read and write, and it can make you pennies! It may be a bit disillusioning, but I guess the trick is to make those pennies on a big scale, and build the robots in your shed.

As an e-business from the start, an online presence was essential to Last.fm’s business model. There was no risk of channel conflict or cannibalisation of pre-existing sales channels.

Last.fm’s Relationship with Technology

Using Rogers’ (1962) technology adoption lifecycle model, organisations can be innovators, early adopters, early or late majority, or laggards. However, an organisation like Last.fm can have a different relationship with each technology it uses.

Technology Adoption Lifecycle Model:

1) Innovators 2) Early Adopters (chasm) 3)Early majority 4) Late Majority 5)Laggards

(Adapted from Rogers (2003 p.281, Moore (1999, p 16), Chen (2003, p 269)

(The middle of this post has been unpublished at the request of the Open University, as it began as a report for their course in ‘E-business Technologies’).

Last.fm: A mature E-business Enterprise

Last.fm’s well-timed innovations, choices in technology adoption and adaptation to current conditions in the digital technology revolution have enabled their success and recent purchase by CBS, while their ongoing commitment to continuous learning and change is the hallmark of a mature E-business enterprise (Earl, 2000).

References:

Michael Arrington, Techcrunch (2007) iLike Growing Quickly, Still Massively Trailing Last.fm [online] http://www.techcrunch.com/2007/02/27/ilike-growing-quickly-still-massively-trailing-lastfm/ (accessed 24 May 2008)

BBC News | Technology (2007) Last.fm strikes Sony music deal [online] http://news.bbc.co.uk/1/hi/technology/6284798.stm (accessed 24 May 2008)

BBC News | Cornwall (2007) Web pioneer, 24, is millionaire [online] http://news.bbc.co.uk/1/hi/england/cornwall/6727809.stm (accessed 24 May 2008)

BBC News (2007) Fatal blow to Web Broadcasters. [online] http://news.bbc.co.uk/1/hi/technology/6562823.stm (Accessed 25 May, 2008)

BBC News (2007) How to be a high-tech startup success [online] http://news.bbc.co.uk/1/hi/technology/6979941.stm (accessed 25 May 2008)

BBC (2007) Webscape [online] http://news.bbc.co.uk/1/hi/programmes/click_online/6619183.stm (accessed 25 May 2008)

BBC | Newsbeat | Technology (2008) Internet music library launched [online] http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7207000/7207749.stm (accessed 25 May 2008)

BBC News | Technology (2008) Web users ‘getting more selfish’ [online] http://news.bbc.co.uk/1/hi/technology/7417496.stm (accessed 25 May 2008)

BBC News | Technology (2007) Web 2.0 ‘neglecting good design’ [online] http://news.bbc.co.uk/1/hi/technology/6653119.stm (accessed 25 May 2008)

BBC News. (2007) Last.fm stories in BBC Audio and Video [online] http://search.bbc.co.uk/cgi-bin/search/results.pl?tab=av&q=last.fm&recipe=all&scope=all&edition= (accessed 25 May 2008)

Internet Archive Wayback Machine. Archive for Last.fm [online] http://web.archive.org/web/*/http://www.last.fm (Accessed 25 May 2008)

Rory Cellan-Jones, BBC News | Technology (2008) Last.fm debuts free music service [online] http://news.bbc.co.uk/1/hi/technology/7205147.stm (accessed 24 May 2008)

Rory Cellan-Jones (2001) Dot.Bomb: The Rise and Fall of Dot.Com Britain. (Aurum Press Ltd)/

Cnet (2000-2001) Streaming Reviews, Blogs and Features at CNET.co.uk [online] http://www.cnet.co.uk/tags/date/78/streaming.htm (Accessed 25 May 2008)

Earl, MJ (200) Evolving the E-Business. Business Strategy Review, 2000, Volume 11 Issue 2, pp33-38.

The Economist (1999) ‘Catch the wave’, The Economist, 18 February, Innovation in Industry pp. 7–8.

Leander Kahney, Wired: Last.fm: Music to Listeners’ Ears [online] http://www.wired.com/print/culture/lifestyle/news/2003/07/59522 (accessed 24 May 2008)

Last.fm About Last.fm [online] [online] http://www.last.fm/about/ (accessed 24 May 2008)

Last.fm tour [online] http://www.last.fm/tour/ (accessed 24 May 2008)

Laudon, K.C. and Traver, G.T. (2008) E-Commerce: Business, Technology, Society, Prentice Hall.

Perez, C. (2002) Technological Revolutions and Financial Capital: The Dynamics of Bubbles and Golden Ages, Edward Elgar Publishing.

Yves Rabeau, Institute for Research on Public Policy (2004) Choices, Vol 10, no. 7. The Schumpeterian Wave in Telecommunications: Public Policy Implications [online] http://www.irpp.org/choices/archive/vol10no7.pdf

Rogers, Everett M. (1962). Diffusion of Innovations, Glencoe: Free Press

Clay Shirky, Clay Shirky’s Writings about the Internet (2003) The Music Business and the Big Flip [online] http://www.shirky.com/writings/music_flip.html (accessed 24 May 2008)

Wikipedia: Joseph Schumpeter [online] http://en.wikipedia.org/wiki/Joseph_Schumpeter (accessed Sept 2009)

Wikipedia. Streaming Media. [online] http://en.wikipedia.org/wiki/Streaming_audio (accessed 25 May 2008).

Wikipedia: Technology Adoption Lifecycle [online] http://en.wikipedia.org/wiki/Technology_adoption_lifecycle (accessed Sept 2009)

]]> http://www.ebusiness-technology.net/2009/e-business/ebusiness-case-study-last-fm/feed 3 http://www.ebusiness-technology.net/2009/e-business/ebusiness-technology-web-development-and-internet-business-blog http://www.ebusiness-technology.net/2009/e-business/ebusiness-technology-web-development-and-internet-business-blog#comments Fri, 18 Sep 2009 20:48:06 +0000 annabelt http://www.ebusiness-technology.net/?p=1 Welcome to Ebusiness Technology, my new blog about Web Development and Internet Businesses, and the gold mine that is surely out there somewhere for all of us.

I work from home as a freelance web developer while my kids are at school and preschool, and also when I should probably be asleep When I’m not working on customers’ websites, I develop and run my own websites to try out internet business ideas and make my effortless millions.

I’m curious about it too: I want to know how these ideas work, and how the internet is used in society and by businesses.

So this blog will be a mixture of the technical side of web development, interaction design and usability, internet business models and working from home with kids. I know there are many others out there, so I would like to hear from you!