JohnnyA WordPress malware on MediaTemple

My MediaTemple (gs) account got hit by JohnnyA a couple weeks ago. I assume that it occurred because I was slow to update my WordPress to version 3.0. Lucky for me, I actually looked at my blog only 4 days (yikes!) after the exploit occurred. Avast caught the site attempting some sort of JavaScript exploit, which clued me in to the problem.

After digging through the site using Firefox and the Firebug plugin, I found the offending JavaScript and stumbled upon the WordPress Administrative user, “JohnnyA”. So I deleted the code from the file and disabled the database user, only to have the exploit reappear less than 24 hours later.

Confused by its reappearance (I had updated WP to the latest version of 3.0), I contacted MediaTemple support. (mt) politely informed me that the problem was mine own and pointed me to this “System Status” link: http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/, which states in bold “…this is not exploiting any architectural or system vulnerability” which translates to “Fix it yourself or pay someone to do it for you.”

Anyhow, noting that an Administrator, username JohnnyA, had been created, I searched and stumbled upon this thread: http://wordpress.org/support/topic/421834. Realizing that there was a .php vector to this attack in addition to a .js vector, I opened up an SSH session and grepped through my “domains” directory. After finding and neutralizing the offending .php file and offending .js file, the site was back to normal and has been malware free for the last 48 hours.

I have since been passively monitoring my site with a plugin called “WordPress File Monitor” which fires off an email every time a file is modified on the site. Hopefully, that will provide an alert of future exploits. I have also installed several other security-related Plugins. Check out http://digwp.com/2010/07/wordpress-security-lockdown/ for a good rundown on WordPress security.

Bottom line, MediaTemple is not at all to blame for this. If I were to exploit a WordPress vulnerability, I would target hosting companies like MediaTemple for the sheer number of (un)managed WordPress installations. Lesson learned? Keep your software up to date!

Edit (2010-07-30): After further looking into this, it appears, IMHO, that MediaTemple (gs) architecture may be at fault. They have acknowledged that there were some sort of permissions issues that allowed neighboring (gs) accounts to read each other's data. So they implemented Access Control Lists as a fix (http://weblog.mediatemple.net/weblog/category/system-incidents/1408-gs-grid-service-cluster-issues/). Reading between the lines, something (?) was wrong and MediaTemple took steps to fix it. Transparency? Not really.

The new bottom line is: Something happened to compromise my (gs).
Lesson learned: Don’t issue an opinion based on spoon-fed incident reports. My apologies to WordPress.

Edit (2010-08-06): The comments are well worth reading.

[ Read more » ]
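The post leans on file-modification alerts (the “WordPress File Monitor” plugin) to catch a repeat of the injected .php and .js files. As an added example that is not the plugin's code or anything from the original post, here is the same idea in miniature: hash the watched files of a site tree, keep the result as a baseline, and report what was added, removed or changed. The demo builds a constructed WordPress-like tree in a temporary directory; the file names and contents are invented for illustration.

```python
import hashlib
import os
import tempfile

# File types an attacker typically drops or edits on a WordPress install.
WATCHED = (".php", ".js", ".htaccess")


def sha256_of(path):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(WATCHED):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def diff_snapshots(baseline, current):
    """Report which watched files were added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed tree: take a baseline, then simulate the kind of change the post
    describes (an edited theme file plus a new PHP file under uploads/)."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'wp'); ?>\n")
        with open(os.path.join(theme, "footer.php"), "w") as f:
            f.write("<?php wp_footer(); ?></body></html>\n")
        baseline = snapshot(root)  # in practice, persist this and compare on a schedule
        with open(os.path.join(theme, "footer.php"), "a") as f:
            f.write("<script>/* constructed stand-in for injected script */</script>\n")
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "wp-content", "uploads", "cache.php"), "w") as f:
            f.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
        return diff_snapshots(baseline, snapshot(root))
```

A real deployment would write the baseline to a file outside the web root and e-mail the diff, which is what the plugin does; the modified and added entries are the files to inspect.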

Less than percent colon – code render blocks in ASP.NET

ASP.NET 4.0 introduces the following code render block syntax:

<%: YourOutput() %>

The search terms “less than percent colon” and “less than percentage colon” did not turn up anything for me in Google, but thanks to stackoverflow:

http://stackoverflow.com/questions/2676236/are-and-the-same-thing-as-embbed-code-expression-blocks

<%: is almost the same as <%= except that the output from <%: is automagically html encoded.

Essential Freeware

Firefox – web browser
http://www.mozilla.com/en-US/firefox/personal.html

Firefox plugins

7-zip – file compression/decompression library
http://7-zip.org

CutePDF – virtual printer: print to a PDF
http://www.cutepdf.com

Avast – antivirus
http://www.avast.com

Picasa – picture and video organizer
http://picasa.google.com/

Generic List<T> to DataTable using Reflection

The following function takes in a System.Collections.Generic.List<T> and returns a System.Data.DataTable with the properties (via reflection) of T as columns. [ Read more » ]

C# Serialization

Xml Serialization and Binary Serialization to a Base64 string [ Read more » ]

VirtualBox 3.1 – Install Windows XP Guest on Ubuntu 9.04 Host

VirtualBox 3.1 significantly changed the way that hard disks, DVD/CD drives and floppies are mounted. The following steps are to install Windows XP as a guest on an Ubuntu 9.04 host with an Intel AHCI SATA controller.

Make sure you download the Windows XP Intel SATA Drivers and unzip to extract “F32.IMA”.
[ Read more » ]

bubbletip! A jQuery Coda-style bubble tooltip plugin

Download

http://code.google.com/p/bubbletip/downloads/list

Demo page

http://uhleeka.com/demo/bubbletip/

Discuss

http://groups.google.com/group/bubbletip

Features

  • multiple tips on a page
  • multiple tips per jQuery element
  • tips open outward in four directions:
    • up
    • down
    • left
    • right
  • tips can be:
    • anchored to the triggering jQuery element
    • absolutely positioned
    • opened at the current mouse coordinates
    • anchored to a specified jQuery element
  • IE png transparency is handled via filters

Tested (lightly)

  • IE 6 on XP
  • IE 7 and 8 on Vista
  • Firefox 3.5 on Vista
  • Chrome 3.0 on Vista
  • Safari 3.2 on Vista

Examples

MOUSEOVER to open a tooltip above, below, to the left or to the right of any element.

MOUSEOVER a trigger element to open a tooltip above and below a target element.

[ Read more » ]

VirtualBox BSOD p3.sys

After converting a physical machine to .vmdk via VMware Converter, I got a BSOD indicating that there was a problem with p3.sys when trying to boot. The Windows XP system was running on a PII 600 MHz Dell Optiplex from the year 2000.

To fix, boot in Safe Mode and run the following at a command prompt:

sc config p3 start= disabled

Install Windows XP Guest on Ubuntu 9.04 Host

Create a Windows XP VirtualBox guest from scratch using a SATA harddrive.

  • Download the Windows XP Intel SATA Drivers and unzip to extract F32.IMA
  • Hit F6 during setup to select the Intel(R) 82801HEM/HBM SATA AHCI Controller (Mobile ICH8M-E/M)

sudo -i
VBoxManage createhd --filename /srv/virtualbox/harddisks/CHANGEME.vdi --size 20480 \
    --variant Standard
VBoxManage createvm --name CHANGEME --ostype "WindowsXP" --register \
    --basefolder /srv/virtualbox/machines
VBoxManage modifyvm CHANGEME --memory 1024 \
    --boot1 dvd --boot2 disk --boot3 none --boot4 none \
    --sata on --sataportcount 1 \
    --sataport1 /srv/virtualbox/harddisks/CHANGEME.vdi \
    --dvd /srv/virtualbox/iso/WindowsXP_sp3.iso \
    --floppy /srv/virtualbox/floppy/F32.IMA \
    --nic1 bridged --bridgeadapter1 eth0

[ Read more » ]

Limiting network file transfer throughput with rsync

To transfer a large amount of data (200 GB) across a 100 Mbps network without saturating the connection, I used rsync with the --bwlimit=KBps flag.

Transferring from Windows to Ubuntu 9.04, I first mounted the windows share:

sudo mkdir /mnt/winshare
sudo mount -t smbfs -o username=user,password=pass //winserver/share /mnt/winshare

Next, run rsync with a specified bwlimit. Optionally, unmount the share afterwards.

sudo rsync -vrR --delete --delete-excluded --bwlimit=6144 /mnt/winshare/* /destination/
sudo umount /mnt/winshare

[ Read more » ]
