"The University of Illinois is also in turmoil. The university sports an Interim Chancellor, an Interim Athletic Director, and an Interim Football Coach; the game will be played at Soldier Field, making this an Illini Interim Home Game."
Well, that's one streak of days stretching into the thousands down. Bonus for those five gloating meatheads ESPN showed at every opportunity: the guys who painted "1" on their chest don't have to change anything to be accurate tomorrow as long as they sit separately. The "8" guy will have to sit at home and cry for a week.
And you can't have one without the other…
Every recruit ever committed to Michigan. To recap the "Hello" posts if you missed any of them during GMD11:
- Three star OH CB Tamani Carter, a recent Minnesota commit, was offered by Michigan and flipped.
- 3/4 star CB Raymon Taylor, an Indiana decommit, went with Michigan when they offered him the second time around.
- Michigan replaced decommit K Matt Goudis with CA K Matt Wile, an Army All-America participant who doesn't have the rankings but we're talking about kicker rankings here.
- 3/4 star LB Antonio Poole was offered and quickly committed after meeting with Mattison. Touch The Banner also has a take.
- Michigan snake oiled Purdue commit and three star TX QB Russell Bellomy. TTB sees shades of McNown.
In addition, OH TE/LB Frank Clark and CO LB Leilon Willingham have moved into the "expected to commit" category. Clark's from Glenville, of all places.
The names and stars aren't that impressive—the partially shirtless are shirtless in the same way Martavious Odoms was, a four star to one site and a generic three star to the others—but if we're talking about Michigan 2013 is the new Martavious Odoms better than air? Yes. And who doesn't like Odoms, anyway?
Even if this is just a version of Rodriguez's quick strikes upon taking the Michigan job, Hoke and Mattison (and I guess some other guys*) are doing this in about a fourth of the time Rodriguez had to assemble the last eight members of his hybrid class. And they screwed over Purdue in the process, thereby twisting the knife on Danny Hope and blowing up one of the very first Rodriguez The Demon memes: the "gentleman's agreement." Excellent work all around. Hope you play as a redshirt senior, kid.
Now we've got some insight into what the coaches think is lacking on the team: defense. Here is a small child reacting to this not at all obvious revelation.
there's gambling in this establishment?
More than the linebacker avalanche it's Michigan essentially turning down one-time silent WR commits Devin Lucien, one of those borderline four star types, and Hakeem Flowers, a three star with epic offers. Both tried to firm up those commits with the new staff and were politely told "defense or GTFO." They chose the latter. Michigan has a surplus on the outside now but surely one of those guys wouldn't have been overkill, right?
Similarly, this Heitzman kid they picked up from Vandy is a 6'3", 225 pounder who doesn't seem like he's got a high upside as a DE. So everyone assumed he was a tight end, since Michigan was trying hard to acquire one even before the shift to a more MANBALL philosophy. He denies this, saying Michigan isn't even talking about offense. Which is weird because between Roh, Paskorz, and Beyer Michigan seems to have undersized weakside DE covered for a good long while.
*[Seriously, all the commits save the Purdue snake oilin' are on defense, and the only defensive coach other than Mattison is Mark Smith. Smith is a 50-something dude who's afraid of flash photography. While a lot of the guys are linebackers I think "I coached Ray Lewis" is more the pitch than "I was the ILB coach at Indiana State for 22 years."]
Good for Michigan State hockey, good for interesting games against State in the future, still extremely uncertain if they'll get back to where they were under Mason. They've never recruited at the level Michigan has but made up for it with suffocating anti-hockey. Now they're not very good, playing in a dead, half-full building, and trying to compete against the OHL, Michigan, Miami, and Notre Dame. If they hire a real star they'll get back quickly but is Blasi going to leave Miami for MSU? Is George Gwozdecky? I have a hard time seeing MSU splashing the cash for their hockey coach—we'll see.
If it's Danton Cole that's the equivalent of hiring Brady Hoke. He'll be decent but that hire won't put the fear of God in Red or Jeff Jackson. The only name in the TOC thread on this is current assistant Tom Newton, which would be like hiring Mike Debord if Carr had stuck around for the 3-9 year. I'm sure you can dismiss that possibility.
While we're on hockey here's that delightful interlude from the aftermath of the Brown scrum:
Via Michigan Hockey Net.
People started muttering about what it would take for John Beilein to get the axe. It's in the paper and everything. BWS is digging out the wet owl and following that up with the obvious argument about his record.
This is what it will take for John Beilein to get fired this year: Armageddon. There are enough arrows pointed in the right direction, mostly in the persons of Burke, Brundidge, Robinson, Hardaway, et al, that Michigan will give Beilein the epic length of rope they gave Tommy Amaker. He won't get nailed next year and the team will be considerably better in 11-12, and probably better yet in 12-13, whereupon they'll either be a consistent tourney team or even the smitten Michigan athletic department will have to cut the cord.
Of course, I said this about Rich Rodriguez, too, but John Beilein is the kind of saint Michigan likes to be associated with.
Doctor Saturday embarked on his annual defense of the "recruiting-industrial complex." Every year the numbers are the same: on an individual and team basis recruiting numbers are not fate but not useless. Get The Picture set to highlightin' the bit I was going to highlight because Michigan is Georgia:
Those 13 schools [at the top of the recruiting rankings] alone have consistently produced a majority of the top five in the final polls, half of the top 10, at least half of the teams in the BCS and all of the national champions in the BCS era. (With Auburn’s triumph – thanks mainly to über recruit Cam Newton, the five-star headliner of a top five class last year – only two of the top dozen recruiting powers have failed to win a BCS championship: Georgia and Michigan. [Emphasis added.]
We've had a lot of reasons our recruiting success hasn't translated to the field—at least, not the field in Ann Arbor. Georgia not so much, as they seem around where Carr was in '05—good young second year quarterback on a team that's around .500 with a declining coach that has maybe a kick or two left at the can.
People who don't lift weights found out what "rhabdomyolysis" is thanks to Iowa. I'm on with Orson when he dismisses the "save the children" aspect of the media reaction—the big issue is more effective sickle cell trait screening, not squatting until you pee brown. While Iowa's strength coach should probably be fired it's more stupid than immoral.
But man can Iowa rack up the terrible PR. Kirk Ferentz wasn't even at the press conference, and the university thought it could get away with a bland press release about thirteen kids being in the hospital. Add that to Iowa's seemingly biannual drug explosion, that weird press conference held late last year in which unnamed rumors were debunked without mentioning what they were, the laundry list of Hawkeye arrests, and that sketchy sexual assault cover-up-type-substance and it's a wonder that beautiful square-jawed Kirk Ferentz is still regarded a molder of men. Or maybe it's not.
Was that a question?
All right then.
The meme was blessed by Steele. Remember those depressing charts from the past couple years with returning starters and whatnot? Yeah…
|3||San Jose St||7||11||2||20|
…different story this year. That doesn't even count Troy Woolfolk, though it does count Terrible McFieldgoalkicker. Call it a wash.
Oh, Snape. Michigan soccer associate head coach Paul Snape got the head job at Butler. I'm only mentioning it so I can post… awww. Stupid Google. I can't find the version of this…
That I once saw somewhere that said "Oh, Snape." Also it turns out to be a Harry Potter reference. Stupid Harry Potter and the horrifying things you'll see photoshopped if you attempt to find the slightly modified version of this stupid animated GIF.
Etc.: Thumbs up to the Mountain West for its supreme dickery in moving this year's TCU-Boise game to the blue turf. Mark Smith looks like that all the time, but it's less alarming when he's talking. Hecklinski, meanwhile, sounds like he's saying "you are feeling very sleepy" no matter what he's saying. It's very soothing.
[Note: iPhone app is currently broken; that is the #1 priority in terms of fixes. Hope to have it up by Monday.]
This has nothing to do with Michigan football but the least I can do to help the greater health of the internet is to offer some measure of advice for people who find themselves hacked in the face.
I'm not an expert. Please read the comments for people disagreeing with me, as they may/are better at this than I am. But I just went through this and if you're in the same boat here's what happened with me and what I took from it.
Boatmurdered. BURN. ALL BURN.
"Last known good" may not be as good as you think. We have a backup. That backup overwrites itself on a nightly basis. Correction: that backup overwrote itself on a nightly basis. Going forward we wanted to be able to roll back up to a week.
However, we found out that would not have helped us here. Some of our infected files were last modified in early January. A "last known good" configuration from last weekend would have still featured multiple scripts with backdoors that Eastern European hackers could jump in through.
We're still going to change our backup system so that it has more snapshots—an injection attack would be more susceptible to a DB rollback, I think—and we are going to have a billion and two backups of the actual code so that if, God forbid, something like this happens again we can have a reference point to pull forward stuff we customized and don't want to lose.
BURN. ALL BURN. I'm not pulling anything forward except select bits and pieces I can hand-inspect. The rest of it dies in a fire. I thought we were destroyed until my brother asked "how long would it take to recreate it from scratch?" This was the moment in the movie when the camera zooms out and the city becomes transparent. It would take… um… maybe a couple hours. The defining feature of a CMS is that everything is in the database. So if you're confident the database isn't the issue you can pick that out, raze the world, download and install all your crap, and not have to worry about finding every last piece of corrupted code. You're going to break a few things when the new versions of your modules don't work exactly as expected but it's way better than the alternative.
Then change your FTP password over SSH. And then, if you're paranoid (i.e., us now), turn FTP off entirely for a while. We had to use plain FTP, which is not very secure, because for some reason enabling encryption turned directory listing into a cripplingly slow process. A reader had related an experience in which a corrupted local computer had been giving away FTP passwords, giving hackers direct access to the server. We're not taking any chances despite my incessant scanning.
Burn, all burn exception: we pulled the "files" folder forward despite it being too massive to check because it's all data and those folders are locked down by server permissions so they can't execute anything. Everything else was pored over.
Why we thought it wasn't the database. Well, one, we found plenty of stuff indicating the server had taken a direct hit in the form of scripts that included helpful comments like "webshell by oRb." We brought those shells up and didn't find any database functionality.
Also, injection attacks usually don't affect the entire site—they're more likely to be hostile code submitted by users (something Drupal is good about) that affect only the pages they're submitted on. The malware was being delivered via the CSS and JS files, which are amongst the few bits of the page you're reading that don't come from the DB. While the server corruption could have in turn hit the DB, we didn't see obvious avenues for that and all of the problems were segregated from said DB.
We're now watching it closely just in case, but the evidence pointed to something other than an SQL injection.
What to search for. This article is fairly comprehensive but I'd also suggest looking for "unescape" or the string "%3C%69%66%72%61%6D%65." If you run that through the unescape function you get "<iframe". What are the chances that's helpful code? Not so good.
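An added example, not code from this site or from Drupal: a small Python scanner for the two signs named above, calls to `unescape()`/`eval()` and percent-escaped text that decodes to `<iframe`. It goes a little beyond the literal string by decoding every line, so partly escaped and lower-case-hex variants are caught too; the extension list, the extra `<script` check and the sample tree are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumption: file types worth reading as text on a PHP/Drupal-style site.
TEXT_EXTENSIONS = {".php", ".inc", ".module", ".js", ".css", ".html", ".htm"}
# Tags that have no reason to be percent-escaped; "<script" is an added assumption.
HIDDEN_TAGS = ("<iframe", "<script")
# \b keeps words such as "retrieval(" from matching "eval(".
SUSPECT_CALLS = re.compile(r"\b(unescape|eval)\s*\(")


def scan_text(text):
    """Return (line_number, reason) findings for one file's contents."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        # Calls are leads for hand inspection, not verdicts: clean libraries use eval too.
        for match in SUSPECT_CALLS.finditer(line):
            findings.append((number, "call:" + match.group(1)))
        # Decode the whole line so "%3C%69..." and "%3ciframe" are both revealed.
        decoded = unquote(line).lower()
        raw = line.lower()
        for tag in HIDDEN_TAGS:
            # Only report tags that appear after decoding but were hidden before it.
            if tag in decoded and tag not in raw:
                findings.append((number, "escaped:" + tag))
    return findings


def scan_tree(root):
    """Scan every text-like file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a constructed two-file tree and scan it."""
    samples = {
        "misc/clean.js": "var r = retrieval(1);\n",
        # Constructed sample using only the escaped string quoted in the post.
        "sites/all/aggregated.js":
            'var a = 1;\ndocument.write(unescape("%3C%69%66%72%61%6D%65"));\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        for number, reason in hits:
            print(f"{name}:{number}: {reason}")
```

A hit marks where the payload surfaced, which may not be the script that wrote it there, so a clean scan of the delivered files does not clear the rest of the tree.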
Don't waste your time with "StopBadware." This is the site you get funneled to if you click the I'm-so-screwed button on the Google warning page. Their extremely awesome advice is to look for the bad things and remove them. They list scripts, redirects, and iframes as the main ways you transmit the bad things—okay, probably helpful—and then offer this up:
There exist several free and paid website scanning services on the Internet that can help you zero in on specific badware on your site. There are also tools that you can use on your web server and/or on a downloaded copy of the files from your website to search for specific text.
Awesome! Where are they? Which are the best ones?
StopBadware does not list or recommend such services, but the volunteers in our online community will be glad to point you to their favorites.
Fu. The "online community" at "badwarebusters" mostly consists of people screaming about erroneous hits. About four threads pop up per day and they can go days without a response. If you're looking to do something quickly it's useless.
That's annoying. This is the worst advice possible:
Once you have located the code that is causing the badware behavior, removing it is often as simple as deleting the offending code from all files in which it appears. Sometimes, it is easier, if you have a clean backup of your site’s contents, to re-upload all of the site’s files, though be careful about overwriting files that may have changed since your last backup.
They've just glossed over the difference between the offending iframe and the code that generated it. Backdoors are not mentioned. This section needs to be replaced with:
BURN. ALL BURN.
Whoever wrote it should be horsewhipped. The next section is about "preventing future infection" when the previous section has essentially advised a n00b who needs to be informed that scripts and iframes are bad, mmmmkay, that "removing the offending code" "often" solves the problem. False. Burn. All burn.
If you aren't already, sign up with Google's Webmaster tools. We first found out the aggregated JS file was an issue from them, and they periodically updated their findings to let us know we still hadn't killed the problems. Tip: if you're aggregating js and css you may want to stop for more precise identification of the end destinations.
These are not the sources. You have to find those, or just burn everything to the ground.
Don't get notifications other than security notifications. This site is now running dozens of Drupal modules, some of which actually have release changelists that read, in their entirety, "fixed typo X." After a while you stop checking just to see that some random module has done some stuff you don't care about, and then you don't know when certain modules are out of date. We're still not sure what the attack vector was but one of the main candidates was known, patched holes in Drupal. I went from weekly updates about everything to daily updates about security. Drupal shouldn't have other options.
Status. We're not entirely out of the woods yet but it's looking promising, and we have installed various alarms in the system to blare at us whenever anything unexpected (a file getting updated outside of the areas that's supposed to happen) goes down. Hopefully if there is another breach we will catch it long before anything starts getting delivered.
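One way to build the kind of alarm described above, as an added example rather than the site's actual setup: hash every file into a baseline, re-hash later, and report anything that changed outside the directories where writes are expected. The `files` directory name follows the post; the script-extension list, the alarm names and the sample tree are assumptions made for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: uploads live under "files/", the data folder the post carried forward.
WRITABLE_DIRS = ("files",)
# Assumption: server-side script types that should never appear in a data folder.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".pl", ".cgi", ".py", ".sh"}


def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def in_writable_area(rel_path):
    """True when the path sits inside a directory where changes are normal."""
    return any(rel_path.startswith(d + "/") for d in WRITABLE_DIRS)


def compare(baseline, current):
    """Return (kind, path) alarms for every unexpected difference."""
    alarms = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if in_writable_area(path):
            # Data churn is expected here; new or changed code is not.
            if new is not None and Path(path).suffix.lower() in SCRIPT_EXTENSIONS:
                alarms.append(("script-in-data-dir", path))
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        alarms.append((kind, path))
    return alarms


def write(root, rel, body):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body, encoding="utf-8")


def demo():
    """Constructed tree: take a baseline, make four changes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        write(tmp, "index.php", "<?php // front page")
        write(tmp, "modules/node.module", "<?php // v1")
        write(tmp, "files/photo.jpg", "image bytes v1")
        baseline = snapshot(tmp)

        write(tmp, "modules/node.module", "<?php // v1 plus something")  # code changed
        write(tmp, "misc/unexpected.php", "<?php // new file")           # code added
        write(tmp, "files/photo.jpg", "image bytes v2")                  # normal data churn
        write(tmp, "files/upload.php", "<?php // code in a data dir")    # never normal
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALARM {kind}: {path}")
```

Keep the baseline manifest somewhere the web server account cannot write, otherwise whoever changes the code can refresh the baseline as well.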
|WHAT||Michigan v. #25 Michigan State|
|WHERE||East Lansing, MI|
7:00 PM EST
January 27th, 2011
|THE LINE||Michigan +10.5|
After a surprisingly strong start to the season Michigan was riding high at 10-2 and some of the more optimistic fans (yours truly included) were predicting a finish on the NCAA bubble. A win over Penn State and blowout losses to Purdue and Wisconsin - both on the road - didn't change the equation much. Close losses to #2 Kansas and #1 Ohio State in Crisler Arena gave further hope.
Then it all came crashing down. A previously solid Michigan defense was exposed in road debacles against Indiana and Northwestern, dropping from the top 20 nationally to the worst in Big Ten play. Jordan Morgan says "we thought our defense was good just because it was good, but really it was the hard work we were putting in." The team needs to get back to focusing on defensive play, rather than expecting the success to come.
Of course, Michigan's season - as painfully as it's unfolded - can't be looked at as a disaster, because there were almost no expectations coming in. That's not the case for the other side. The Spartans have failed to live up to the usual hefty expectations--unfair though they may have been. Michigan State has dropped to an UNACCEPTABLE #25 national ranking (John Beilein: "That's not struggling"), and the perception is that they're reeling.
The perception isn't helped by the recent suspension of Korie Lucious for the remainder of the season. Though Lucious hasn't started any games this season, he's playing starter minutes (4th on the team in minutes/game) and was leading the Spartans in assist rate. He didn't accomplish much in two games against Michigan last year, but he's played a bigger role for the Spartans in 2010-11.
And of course, what would a Michigan-Michigan State basketball game be without the Rivalry Factor? Indiana native Zack Novak said "I hate them as much as people who have been here their whole lives," though his fellow Hoosier expatriate Stu Douglass backs off a bit, saying "I wouldn't call it hate." Either way, the Spartans have owned this "rivalry", winning every game since that duo has been in Ann Arbor. It's been over 10 years since Michigan has won in the Breslin Center (or even kept it to single digits), and Michigan is going to have to break their run of poor form if they want to end that streak.
With a few games under each team's belt, it's finally reasonable to look at the stats. If you need an explanation of the stats, check out Ken Pomeroy.
|Michigan v. Michigan State: National Ranks|
|Category||Michigan Rank||State Rank||Advantage|
|Mich eFG% v. MSU Def eFG%||107||75||S|
|Mich Def eFG% v. MSU eFG%||164||111||S|
|Mich TO% v. MSU Def TO%||21||210||MM|
|Mich Def TO% v. MSU TO%||232||201||S|
|Mich OReb% v. MSU DReb%||303||84||SSS|
|Mich DReb% v. MSU OReb%||58||32||S|
|Mich FTR v. MSU Opp FTR||342||159||SS|
|Mich Opp FTR v. MSU FTR||61||219||MM|
|Mich AdjO v. MSU AdjD||70||18||S|
|Mich AdjD v. MSU AdjO||76||50||S|
Difference of more than 10 places in the national rankings get a 1-letter advantage, more than 100 gets a 2-letter advantage, more than 200 gets a 3-letter advantage, etc.
The advantages for Michigan State come where you'd expect: rebounding and not sending Michigan to the free throw line. Sparty's not the exceptional rebounding team they've been in the past, but early rebounding competency from the Wolverines has faded as the schedule has gotten tougher, and Michigan has gone with Evan Smotrycz at the 5 more frequently.
All said, this isn't the statistical nightmare on paper that I've come to expect from these contests. Though Michigan has had at least their share of struggles, State is in a similar boat, albeit against tougher competition.
One key will be for Michigan's bigs to stop committing silly fouls. Jordan Morgan said, "I'm learning from a lot of mistakes I've made," but learning means very little if it's not applied in game situations. Foul trouble among the bigs must be avoided, as State's Draymond Green and Delvon Roe are just the tip of the iceberg when it comes to the Spartans' talent in the frontcourt. Another key is to defend Michigan State's athletes, and prevent the Spartans from getting up and down the court in transition, and getting into the lane on drives from the likes of Kalin Lucas. That can be a tall task, as even John Beilein admits that Michigan's quickness is a weakness.
Rivalry games mean lots of coverage across the internets:
- Dylan asks questions of KJ from The Only Colors.
- KJ returns the favor, and TOC's Pete does the same with Remember Bo of Maize n Brew.
- MSM coverage from AnnArbor.com, the Free Press, and the Detroit News.
- Finally, game previews from TOC and from UMHoops.
At least one Wolverine fouls out, more likely two. I'll guess Jordan Morgan and Tim Hardaway Jr. Darius Morris picks up his play, though not to early-season levels. He finishes in double digits scoring, and is close in assists. The Wolverines will come closer than they have in a long time, but still fall in Breslin, 76-68.
If you have recruiting tips or questions, tweet @varsityblue or email email@example.com. All-time updates live on the Michigan Football Recruiting Board.
Every Prospect in America Goes Blue
Since last we spoke, Michigan has picked up 6 commitments, with a few more likely to drop before Signing Day. It's HOKEMANIA season in Ann Arbor.
Brady Hoke started the commitment parade by gettin' his snake oil on, yanking OH CB Tamani Carter from Minnesota's commit list. Hello: Tamani Carter.
Carter had previously been committed to Stanford, but when Harbaugh left for the NFL, reconsidered that. Local article:
"Tamani had a very special season," said Central coach Jay Sharrett to ThisWeek last fall. "When we needed a pivotal play, he was always there for us. Whether we needed a big reception, interception or fumble recovery. Tamani was the guy who made plays that won games for us."
Read delusional Minnesota message board reactions here. Carter's high school coach tells Mark Snyder that Hoke's days at Ball State made him comfortable with the staff.
Helloooooo Heitzman (sorry). OH DE/TE Keith Heitzman has said he's being recruited mostly for defense, but it remains to be seen what will happen with all these guys once they sign.
Tom spoke with CA K Matt Wile's coach shortly following his commitment, and he had this to say:
"It's no surprise that's where Matt ended up. You have a heck of a coach, and you got a heck of a kicker."
The developments with TX QB Russell Bellomy happened fast, as he visited campus over the past two days. Before leaving yesterday, he committed to Michigan. Hello: Russell Bellomy. Brady Hoke seems to be reinforcing the new Michigan tradition of stealing a commit from Purdue in one's first recruiting class.
Michigan has offered OH LB Antonio Poole ($, info in header). Wolverine coaches were in Cincinnati earlier this week to check in on him. Last night, he made it official. Hello: Antonio Poole. Video (HT: @MikeDyer):
That's 6 Hello posts in 6 days. Stay tuned for more.
Sealing the Deal and Who's Up Next?
FL OL Commit Tony Posada firmed up his commitment ($, info in header) on the visit.
MD CB Commit Blake Countess hosted defensive coordinator Greg Mattison last night, and has reaffirmed his commitment to the Wolverines.
Arizona's Scout site thinks IL OL Chris Bryant is still favoring Michigan. Even though he visited Pittsburgh a couple weeks back, the Panthers must not be too confident, as they added a JuCo offensive lineman on Monday ($, info in header). He visited Illinois over the weekend, and announces on Friday.
CO LB Leilon Willingham, a Texas A&M commit, visited Michigan last weekend... instead of taking his official to Texas A&M. That probably says a lot about his interest in Michigan, and meeting TX LB Commit Kellen Jones probably doesn't hurt. Willingham had been thinking about a decision today, but will visit UCF this weekend and plans to announce on Signing Day.
MI RB Thomas Rawls will announce at his school next Wednesday, and he "hopes for surprise" ($, info in header). Given that Central Michigan is his only current offer, it will be tough for him to surprise anyone - unless the surprise is that he's gotten a qualifying test score and therefore a Michigan offer. He wants to visit this weekend, so stay tuned.
Michigan has shown interest in OH FB Trayion Durham. His high school coach says if they plan to offer, he'll know by (last) Friday. He decommitted from Wisconsin in December, and is an unconfirmed commitment to Kent State. He is one of the nation's top fullbacks, and may visit Ann Arbor this weekend.
AZ OL Ryan Nowicki, a Penn State commit, plans to visit this weekend.
Despite positive vibes, Tom says not to get your hopes up for MD DT Darian Cooper unless the kid schedules an official to Ann Arbor despite Brady Hoke's in-home visit ($, info in header). He spoke with Michigan DC Greg Mattison on Sunday and hosted the former Ravens coach in-home yesterday. GERG2 had "interesting" things to say, and Cooper's also been hearing from Commit Blake Countess about Michigan. If Cooper visits Michigan this weekend, consider the Wolverines back in the running.
TX DE Devon Moreland, an SMU commit, might visit this weekend.
LA CB Floyd Raven has scheduled two official visits for the final two weeks before Signing Day ($, info in header). Intrepid mgouser UM_lawful uncovers that he was planning to be in Ann Arbor this weekend, but after re-affirming his Ole Miss commitment, that may not happen.
CA CB Stefan McClure's post-visit article doesn't have a positive header ($), which is probably a bad sign for landing him. In fact, he's announcing a decision this week and Michigan is no longer in the running.
Happy trails, LA CB Daren Kitchen. He was looking for a committable offer that never came, and has committed to SMU ($, info in header).
OH TE Jamare Mills has received interest from the new Michigan staff.
Past-and-hopefully-future Commit MI OL Jake Fisher came away from his Florida visit with positive vibes, but it certainly doesn't sound like he was blown away. If I had to guess, I would say Oregon is the biggest threat to Michigan re-gaining his commitment. He visits Eugene this weekend.
PA DE Max Issaka, who held an offer from Rich Rodriguez's staff, had that offer reaffirmed by Brady Hoke.
OH WR Shane Wynn might visit Michigan soon. He's a teammate of Frank Clark at Glenville.
For those who were getting hopeful about swiping MI DE/OL Anthony Zettel from Penn State... don't; he's solid to the Nittany Lions. ESPN's Bill Kurelic thinks Frank Clark and Chris Bryant will drop soon for Michigan. Article on Kris Frost officially to Auburn. AnnArbor.com fluff on Kellen Jones.
Michigan WR coach and recruiting coordinator Dave Hecklinski talks a little bit about recruiting at the end of this video.
So: we found backdoor shells and various files infected with eval() and unescape() items that turned into the nasty iframes. We decided the best thing to do was throw it all away and start from scratch.
We've changed all the passwords every twenty seconds to various strings of unintelligible gibberish. We've thrown away every bit of code from the old site and re-downloaded fresh, current items. We've scanned incessantly for injection vulnerabilities without finding any. I scanned my laptop with three different AV programs. We updated every bit of software to be the latest and greatest. The server is now in full Dwarf Fortress mode. This time I think we killed it, but these things require constant vigilance and only time will tell.
In the process we broke some things—say hello to yet another ugly, not very functional version of the board!—but right now we're just trying to get online. If/when this proves stable we'll start restoring the stuff that was broken. Cross your fingers.