Web development is not as much fun as it’s cracked up to be

Today so far has been a comedy of errors with some web programming I wanted to do. A confederacy of dunce issues, one after the other.

URL Shortener

It started with some work I’d been doing yesterday with the URL shortener code I use for my jmbk.nl links. The web hosting I have for the domain on GoDaddy is a couple of months from its renewal date, but, to be honest, what I’m paying for it (about $7 a month) is not worth it. I’ll move it to Azure, I thought to myself. Let’s see what amount of work it would take. The code is dead simple: a web service on top of SQL Server, so no sweat there. Let’s take a look at the SQL database: should be simple since there’s only one table. I fired up SSMS and did a few queries … but what’s that? A row in the ShortUrl table showing well over 100,000 hits (that is, that particular short URL has been followed that many times), whereas all the others were less than a thousand. Wut?

Even worse is that the real URL wasn’t a URL at all. It was just the string “undefined”. Mmm: reeks of JavaScript.

Main blog

There are two ways a jmbk.nl short URL gets created: there’s a (hidden) web page on the site and there’s some fancy schmany JavaScript on my blog. Since I’ve certainly never created a short URL for “undefined”, it’s time to look at that JavaScript code.

I’ve set up my blog engine templates such that they operate in two modes: a normal reader mode for someone visiting from the internet, and logged-in user mode (aka, god mode). In the latter mode there’s a few extra elements and content that gets displayed alongside blog posts and some other JavaScript that gets loaded. One of those is a chart that shows how many people are reading the post over time and the other is the fancy JavaScript code that does a callback to jmbk.nl to get a short URL for the blog post. (I then use this short URL in Twitter and Facebook to talk about said blog post.)

var linkElement = $("#shortLink");
var realUrl = encodeURIComponent(linkElement.attr("href"));
$.getJSON(...);

Lo and behold, this code was getting run for everybody, but the HTML element only existed for me in god mode. In other words, linkElement was being set to an empty jQuery object, the call to attr() was therefore succeeding but the return value was undefined. And that was being converted by encodeURIComponent() to “undefined”. Yessss!

I changed the code completely so that it’s only loaded in god mode and also – just in case – to check that linkElement actually existed before making the callback. Brilliant! I updated the site, tested it in Firefox (my usual browser) and also for fun in Microsoft Edge.

Personal website

I’ve set up all my browsers to have my personal website as the home page in each. So, as soon as I started Edge, it displayed my personal home page … with a malware warning.

WTF? The site is completely static, only four files get downloaded: the HTML, the CSS, and two font files. There is no JavaScript or anything like that. I verified that the files on the site were the correct ones – no changes anywhere – and then I clicked the “Report as Safe” button .

So if my site and contents are fine, why is it being reported as a “harmful'” website? Time for more investigation.

The IP address

I nipped over to MX Toolbox because it has an option to check if a site has been blacklisted. (Aside: I can’t remember why or how I found this site in the first place, it was several years ago. But it’s dead handy.)

Ah ha! It’s not my site that’s been blacklisted, it’s the IP address of the hosting. And that is an Azure hosting IP address: there must be hundreds if not thousands of domains hosted there.

I clicked on the first item (CBL), and that site told me that “IP Address 23.99.0.12 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.” It also reported the domain name of the site where the malware was detected: a PHP-based site. I tell ya: PHP is a great language for writing server software (WordPress is written in it), but you have to be really on top of security updates and make sure you are fully up to date. (One of the features of god mode on my blog is a display of the links people are accessing the site with that cause a 404 “not found” error, and it’s 95%+ script-kiddie probes for various PHP pages or WordPress admin links. I personally wouldn’t touch PHP with a bargepole.)

Azure support

OK, so all in all it’s a problem for the Azure guys: there’s absolutely bugger all I can do about removing my site from this blacklist. But where to report it? I certainly wasn’t about to invoke a paid Azure support ticket. After a bit I decided to tweet about the issue and included @AzureSupport in the tweet. A few minutes later, someone there sent me a tweet with the proper issue-reporting link, so I reported it there. Let’s see what happens.

Now … where was I?

  Loading links to posts on similar topics...