UH.LEE.KA

JohnnyA WordPress malware on MediaTemple

uhleeka — Wed, 14 Jul 2010 21:03:56 +0000

My MediaTemple (gs) account got hit by JohnnyA a couple weeks ago. I assume that it occurred because I was slow to update my WordPress to version 3.0. Lucky for me, I actually looked at my blog only 4 days (yikes!) after the exploit occurred. Avast caught the site attempting some sort of JavaScript exploit, which clued me in to the problem.

After digging through the site using Firefox and the Firebug plugin, I found the offending JavaScript and stumbled upon the WordPress Administrative user, “JohnnyA”. So I deleted the code from the file and disabled the database user, only to have the exploit reappear less than 24 hours later.

Confused by its reappearence (I had updated WP to the latest version of 3.0), I contacted MediaTemple support. (mt) politely informed me that the problem was mine own and pointed me to this “System Status” link: http://weblog.mediatemple.net/weblog/category/system-incidents/1378-information-about-compromised-sites/, which states in bold “…this is not exploiting any architectural or system vulnerability” which translates to “Fix it yourself or pay someone to do it for you.”

Anyhow, noting that an Adminstrator, username JohnnyA, had been created, I searched and stumbled upon this thread: http://wordpress.org/support/topic/421834. Realizing that there was a .php vector to this attack in addition to a .js vector, i opened up an SSH session and grepped through my “domains” directory. After finding and neutralizing the offending .php file and offending .js file, the site was back to normal and has been malware free for the last 48 hours.

I have since been passively monitoring my site with a plugin called “WordPress File Monitor” which fires off an email every time a file is modified on the site. Hopefully, that will provide an alert of future exploits. I have also installed several other security-related Plugins. Check out http://digwp.com/2010/07/wordpress-security-lockdown/ for a good rundown on WordPress security.

Bottom line, MediaTemple is not at all to blame for this. If I was to exploit a WordPress vulnerability, I would target hosting companies like MediaTemple for the sheer number of (un)managed WordPress installations. Lesson learned? Keep your software up to date!

Edit (2010-07-30): After further looking into this, it appears, IMHO, that MediaTemple (gs) architecture may be at fault. They have acknowledged that there were some sort of permissions issues that allowed neighboring (gs) accounts to read each others data. So they implemented Access Control Lists as a fix (http://weblog.mediatemple.net/weblog/category/system-incidents/1408-gs-grid-service-cluster-issues/). Reading between the lines, something (?) was wrong and MediaTemple took steps to fix it. Transparency? Not really.

~~The new bottom line is: Something happened to compromise my (gs).~~
~~Lesson learned: Don’t issue an opinion based on spoon-fed incident reports. My apologies to WordPress.~~

Edit (2010-08-06): The comments are well worth reading.

If you are interested in fixing things yourself, here are the steps I took for my MediaTemple (gs) account:

BACKUP!

I take no reponsibility for the following steps. They worked for me, but there is zero guarantee that they will work for you. Backup or no backup, what you do is at your own risk.

SSH

Change directory to your “domains” directory so that you can recursively grep all websites within.

cd ~/domains

Search for the offending javascript by looking for a “document.write(unescape”.

grep -R "document.write(unescape" *

Note that there may be legit occurrances of this (e.g. google analytics). Look for something similar to the following:

uhleeka.com/html/something/something.js:

In case you are interested, the above translates to the following which tries to open a malicious “mootools” javascript on a remote domain:

Once you have found the offending javascript malware, remove it from the file. Make sure that you only remove the “bad” part (e.g. don’t delete the tag or anything else adjacent).

Next step is to look for the .php malware. The following looks for a character string longer than 255 (somewhat arbitrary number) within all .php files:

grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *

You should get back something similar to:

uhleeka.com/html/something/something.php:

This line of code is the core of the malware and another piece to be deleted. It allows the bot or hacker to manipulate the contents of the site and execute queries against the database.

Of note is the “eval” statement at the end of the line, the contents of which translate to:

eval(gzinflate(base64_decode($o)));

So basically, the hacker has encoded and gzip’d a whole mess of code that sits and waits for commands to be executed.

Hopefully (I say “hopefully” because I haven’t had the time to pour over all the code and database to make sure that there isn’t some other vector to this attack) removing the code from those two places and disabling the database user “JohnnyA” is all that is required to restore a little sanity…at least until WordPress exposes its next vulnerability.

Less than percent colon – code render blocks in ASP.NET

uhleeka — Mon, 03 May 2010 21:49:23 +0000

ASP.NET 4.0 introduces the following code render block syntax:

<%: YourOutput() %>

The search terms “less than percent colon” and “less than percentage colon” did not turn up anything for me in google, but thanks to stackoverflow:

http://stackoverflow.com/questions/2676236/are-and-the-same-thing-as-embbed-code-expression-blocks

<%: is almost the same as <%= except that the output from <%: is automagically html encoded.

Essential Freeware

uhleeka — Fri, 29 Jan 2010 09:45:04 +0000

Firefox – web browser
http://www.mozilla.com/en-US/firefox/personal.html

Firefox plugins

Adblock Plus – https://addons.mozilla.org/en-US/firefox/addon/1865
BetterPrivacy – https://addons.mozilla.org/en-US/firefox/addon/6623
DownThemAll – https://addons.mozilla.org/en-US/firefox/addon/201
Firebug – https://addons.mozilla.org/en-US/firefox/addon/1843

7-zip – file compression/decompression library
http://7-zip.org

CutePDF – virtual printer: print to a PDF
http://www.cutepdf.com

Avast – antivirus
http://www.avast.com

Picasa – picture and video organizer
http://picasa.google.com/

Generic List to DataTable using Reflection

uhleeka — Thu, 28 Jan 2010 04:31:23 +0000

The following function takes in a System.Collections.Generic.List and returns a System.Data.DataTable with the properties (via reflection) of T as columns.

public static System.Data.DataTable ListToDataTable(
    System.Collections.Generic.IList elements)
{
    System.Reflection.PropertyInfo[] arrPropInfo = typeof(T).GetProperties();
    System.Data.DataTable dt = new DataTable();
    System.Data.DataRow dr;

    foreach (System.Reflection.PropertyInfo pInfo in arrPropInfo)
    {
        dt.Columns.Add(pInfo.Name, pInfo.PropertyType);
    }
    foreach(object elem in elements)
    {
        dr = dt.NewRow();
        foreach (System.Reflection.PropertyInfo pInfo in arrPropInfo)
        {
            dr[pInfo.Name] = pInfo.GetValue(elem, null);
        }
        dt.Rows.Add(dr);
    }

    return dt;
}

C# Serialization

uhleeka — Thu, 28 Jan 2010 04:15:46 +0000

Xml Serialization and Binary Serialization to a Base64 string

Xml Serialization

Snippit: Take a serializable object and serialize it into an xml string, stored in a System.Text.StringBuilder

System.Xml.Serialization.XmlSerializer serializer = 
    new System.Xml.Serialization.XmlSerializer(typeof(ObjectToSerialize));
System.Text.StringBuilder sb = new System.Text.StringBuilder();
using (System.IO.StringWriter stringWriter = new System.IO.StringWriter(sb))
{
    serializer.Serialize(stringWriter,  myObject);
    stringWriter.Close();
}

Binary Serialization to Base64 string

Snippit: Take a serializable object and serialize it into a Base64 string

byte[] bResult;
System.Runtime.Serialization.IFormatter formatter =
    new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
using (System.IO.MemoryStream s = new System.IO.MemoryStream())
{
    formatter.Serialize(s, myObject);
    bResult = s.ToArray();
    s.Close();
}
string s = Convert.ToBase64String(bResult);

Snippit: Deserialize

ObjectToSerialize myObject = null;
byte[] b = Convert.FromBase64String(str);
System.Runtime.Serialization.IFormatter formatter =
    new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
using (System.IO.MemoryStream ms = System.IO.new MemoryStream(b))
{
    myObject = (ObjectToSerialize)formatter.Deserialize(ms);
    ms.Close();
}

VirtualBox 3.1 – Install Windows XP Guest on Ubuntu 9.04 Host

uhleeka — Wed, 16 Dec 2009 03:50:54 +0000

VirtualBox 3.1 significantly changed the way that harddisks, dvd/cd drives and floppies are mounted. The following steps are to install Windows XP as a guest on an Ubuntu 9.04 host with a IntelAhci SATA controller.

Make sure you download the Windows XP Intel SATA Drivers and unzip to extract “F32.IMA”.

sudo -i

To begin the install process, do the following steps:

Create a new VirtualMachine.
Add three controllers (sata, ide, floppy).
Attach the Intel SATA floppy and the Windows XP dvd iso.
Set the memory, boot order and bridged network connection.

VBoxManage createhd --filename /srv/virtualbox/harddisks/CHANGEME.vdi --size 20480 \
    --variant Standard
VBoxManage createvm --name CHANGEME --ostype "WindowsXP" --register \
    --basefolder /srv/virtualbox/machines
VBoxManage storagectl CHANGEME --name "SATA Controller" --add sata \
    --controller IntelAhci
VBoxManage storageattach CHANGEME --storagectl "SATA Controller" \
    --port 0 --device 0 --type hdd \
    --medium /srv/virtualbox/harddisks/CHANGEME.vdi
VBoxManage storagectl CHANGEME --name "IDE Controller" --add ide
VBoxManage storagectl CHANGEME --name "Floppy Controller" --add floppy
VBoxManage storageattach CHANGEME --storagectl "IDE Controller" \
    --port 0 --device 0 --type dvddrive \
    --medium "/srv/virtualbox/isos/WindowsXP_sp3.iso"
VBoxManage storageattach CHANGEME --storagectl "Floppy Controller" \
    --port 0 --device 0 --type fdd --medium /srv/virtualbox/floppy/F32.IMA
VBoxManage modifyvm CHANGEME --memory 1024 --nic1 bridged --bridgeadapter1 eth0 \
    --boot1 dvd --boot2 disk --boot3 none --boot4 none

Start the VM using a specified port (8888) for VRDP. You will then be able to attach via RDP to the Host IP on the specified port.

VBoxHeadless --startvm CHANGEME --vrdpport 8888 --vrdp on &

When the Windows XP installation begins, Hit F6 during setup and select the Intel(R) 82801HEM/HBM SATA AHCI Controller (Mobile ICH8M-E/M) driver. Proceed with the Windows XP install until reboot is required.

At some point, post install, you may optionally take the following steps:

Eject the Windows XP dvd iso.
Attach (and then install) the VirtualBox Guest Additions dvd iso.
Eject the Intel SATA floppy. Note: it can only be ejected while the machine is powered off; it should be ejected because it will otherwise be locked, such that other VM’s cannot use it.
Change the boot order.

VBoxManage storageattach CHANGEME --storagectl "IDE Controller" \
    --port 0 --device 0 --medium none
VBoxManage storageattach CHANGEME --storagectl "IDE Controller" \
    --port 0 --device 0 --type dvddrive \
    --medium /usr/share/virtualbox/VBoxGuestAdditions.iso 
VBoxManage storageattach CHANGEME --storagectl "FLOPPY Controller" \
    --port 0 --device 0 --type fdd --medium none
VBoxManage modifyvm CHANGEME --boot1 disk --boot2 none

Don’t forget to run windows updates!

bubbletip! A jQuery Coda-style bubble tooltip plugin

uhleeka — Thu, 12 Nov 2009 02:26:46 +0000

Features

multiple tips on a page
multiple tips per jQuery element
tips open outward in four directions:
- up
- down
- left
- right
tips can be:
- anchored to the triggering jQuery element
- absolutely positioned
- opened at the current mouse coordinates
- anchored to a specified jQuery element
IE png transparency is handled via filters

Tested (lightly)

IE 6 on XP
IE 7 and 8 on Vista
Firefox 3.5 on Vista
Chrome 3.0 on Vista
Safari 3.2 on Vista

Examples

MOUSEOVER to open a tooltip above, below, to the left or to the right of any element.

MOUSEOVER a trigger element to open a tooltip above and below a target element.

Using it?

If you enjoy using it, I’d love to hear about it. Drop a comment with a link!

Credit

bubbletip was inspired by http://jqueryfordesigners.com/coda-popup-bubbles/.

VirtualBox BSOD p3.sys

uhleeka — Tue, 27 Oct 2009 05:29:31 +0000

After converting a physical machine to .vmdk via VMWare Converter, I got a BSOD indicating that there was a problem with p3.sys when trying to boot. The Windows XP system was running on a PII 600mHz Dell Optiplex from the year 2000.

To fix, boot in Safe Mode and run the following at a command prompt:

sc config p3 start= disabled

Install Windows XP Guest on Ubuntu 9.04 Host

uhleeka — Wed, 21 Oct 2009 04:46:26 +0000

Create a Windows XP VirtualBox guest from scratch using a SATA harddrive.

Download the Windows XP Intel SATA Drivers and unzip to extract F32.IMA
Hit F6 during setup to select the Intel(R) 82801HEM/HBM SATA AHCI Controller (Mobile ICH8M-E/M)

sudo -i

VBoxManage createhd --filename /srv/virtualbox/harddisks/CHANGEME.vdi --size 20480 \
    --variant Standard
VBoxManage createvm --name CHANGEME --ostype "WindowsXP" --register \
    --basefolder /srv/virtualbox/machines
VBoxManage modifyvm CHANGEME --memory 1024 \
    --boot1 dvd --boot2 disk --boot3 none --boot4 none \
    --sata on --sataportcount 1 \
    --sataport1 /srv/virtualbox/harddisks/CHANGEME.vdi \
    --dvd /srv/virtualbox/iso/WindowsXP_sp3.iso \
    --floppy /srv/virtualbox/floppy/F32.IMA \
    --nic1 bridged --bridgeadapter1 eth0

Start the VM without a gui (note: the ampersand executes the command and returns you to the prompt)

VBoxHeadless --startvm CHANGEME &

Start the VM without a gui and without VRDP (after you have loaded the os and configured remote desktop accessability).

VBoxHeadless --startvm CHANGEME --vrdp off &

Stop the VM in a saved state

VBoxManage controlvm CHANGEME savestate

Power off the VM (like pulling the plug)

VBoxManage controlvm CHANGEME poweroff

Limiting network file transfer throughput with rsync

uhleeka — Tue, 20 Oct 2009 19:42:32 +0000

To transfer a large amount of data (200GB) across a 100mbps network without saturating the connection, I used rsync with the –bwlimit=KBps flag.

Transferring from Windows to Ubuntu 9.04, I first mounted the windows share:

sudo mkdir /mnt/winshare
sudo mount -t smbfs -o username=user,password=pass //winserver/share /mnt/winshare

Next, run rsync with a specified bwlimit. Optionally, unmount the share

sudo rsync -vrR --delete --delete-excluded --bwlimit=6144 /mnt/winshare/* /destination/
sudo umount /mnt/winshare

Note that the bwlimit is in kilobytes not kilobits — 6144 KB ~= 48 Mbps. Also note that the bwlimit is limiting the I/O bandwidth…whatever that means.

    --bwlimit=KBPS          limit I/O bandwidth; KBytes per second

NTop (http://www.ntop.org) is great for tracking bandwidth usage:

sudo apt-get update
sudo apt-get install ntop

Set the administrative account password for ntop to run under:

sudo ntop -A

Start the service:

sudo /etc/init.d/ntop start

Browse the reports on the default port, 3000. http://yourserver:3000/