On The Rocks

As most of you know a few months back my site was hacked. What many people dont know is that was actually the first of 2 times the box was hacked. The first time the box was hacked I had made the mistake of making the web files on the server writeable by the web server. Again being this server (that my blog sits on) is not used for hardly any commercial activity I was a lot less security focus then something I would call “production” ready. I implemented mod_security and some other logging tools aswell as offloaded the server logs to a different server (yea the logs were owned by the apache user also).

So basically when I got owned the person found a file on my server that was web accessible which then he could execute commands on behalf of the web user. Now because the files and log files were owned by this user he could write to them and even delete them. Lucky for me this guy just wanted to put up his Turkish political statement and try to infect his virus to people. So all he did was do a search on the box for any index.* files and copied his index file to over write them. Then he also deleted all files matching *log. So it was pretty obvious how the person did it but I was not sure what file was the hole in my system. This is the point where you have to weigh catching the hacker vs running a box that has been compromised. Since I really only have blogs and a few low traffic forums running on this box I thought it would be a good chance to see what was vulnerable.

So I installed mod_security and ran it pretty hardcore. Over the next couple weeks I learned more about adjusting its rulesets to allow possibly exploitable code but log it. Nothing happened for many weeks then one morning I got a page that my box was not responding. I quickly attached to my remote server via its DRAC card (Dell Remote Access). The DRAC card lets me take control of the server as if I was sitting right infront of it. I could see the box was sitting in a “kernel panic” mode and that it had crashed. I rebooted the box remotely but kept most services down so I could investigate what had happened.

Sure enough I figured out that the hacker had been back and downloaded some files to the /tmp directory (which was world writeable). Only this time I had changed ownership of all index.* files so they could not write to them. I guess they realized that in order to take over my web server he was going to need to be a bit more aggressive so he downloaded a rootkit to my tmp directory then tried to run it but fortunately for me that made the kernel panic and the server was in a frozen crashed state.

I was able to figure this out and also exactly what file they used to execute commands on my box very quickly because it was pretty much the last thing in the weblogs before the box crashed. (yay!)

So now here is where it gets interesting…. Now that I had figured out how the person was hacking into my box I was curious how in the hell the person found the file. It was in a subdirectory that I had not used in YEARS. There was no link to it from anywhere on my site. The directory structure it was in was like … html/oldforums/oldstuff/badfile.php . How in the hell did this person find this file? Well after going through the logs greping for the ip range that hacked my box I found that the person found my site from Google! Specifically using Google code search. Now while this was interesting it still did not explain how the page was even indexed…. ohh wait I use Google Sitemaps and I had it on to index everything (the default setting) OUPS!!

Now to be honest… this is my fault. I in no way blame Google what so ever. I had old exploitable code on my server and I told sitemaps to index it so… my fault.

I have since been working with the sitemaps team and I had some suggestions to leave some files off by default (like .inc .func) or only allow common web files with extensions like .php .html .asp etc… I hope they do this cause as sitemaps gets more popular its only going to expose more idiot webmasters like me that run with the default settings.

Ok so just for shits I thought I would do some querys on Google Code Search to see what kind of exploits I could find. Now keep in mind this probably will not show your site but it will show code and versions that you might be running… so once someone locates a exploitable version of code they then could just search for “Powered By X” or whatever fingerprint you could put on the exploitable program/version.

Hmm I wonder If we could find some xss exploits…

lang:php (ECHO|PRINT) .*\$_(GET|POST|COOKIE|REQUEST|FILES)

100,000+ results

How About some SQL Injection exploits?

lang:php query\(.*\$_(GET|POST|COOKIE|REQUEST|FILES).*\)

3000 results

hrmm I wonder how easy it is to find host,user,pass for mysql databases…. Lets try:

lang:php mysql_connect\((”|’)[a-zA-Z0-9_.]+(”|’),(”|’)[a-zA-Z0-9]+(”|’) -localhost -127.0.0.1 -192.168

100 results found.

This query might be a little puzzling for those that are not Google ninjas like me so.. I will explain. Basically we are checking for anything that ends in .php extension. Then we search the file for mysql_connect. If it contains Mysql we look for the pattern of a connection string. lastly we use the minus sign to get rid of all localhost databases (cause we cant access them).

So did we find anything interesting? Well…

Lets just look at the first 10 results:

www.ubio.org/downloads/XID.TAR.gz - Unknown License - PHP
connect.php

$connection = mysql_connect(”RANSOM”,”GlobalWebUser”,”goober8″) or die(”Couldn’t connect.”);
$db_name = “dwf”;

Now in this case RANSOM is probably a local box…

ohh whats this:

$f = mysql_connect(”zeus.mbl.edu”,”tns”,”");
if (empty($limit)) $limit=50;

hrmm intersting….

more?

$db=mysql_connect(”62.149.150.11″,”Sql43254″,”M9dKTz3M”);
$selezione=mysql_select_db(”Sql43254_4″, $db);

I can post tons of other examples but I think I have made my point. Watch your logs for people coming from google code search and always make sure your running the latest version of your software.

Also keep in mind my searchers were only looking for .php files. This is a small percentage of all the different languages and filetypes out there.

Be scared. Be very scared.

(from http://www.shoemoney.com/2006/12/26/how-hackers-are-using-google-to-pwn-your-site/)

Create music using your vision …

Visual Acoustics

The Google Maps flight simulator…

Goggles

Take a look on the net and you’ll see endless pages of AJAX Frameworks: libraries which promise to do all the trivial and dirty AJAX work for you, leaving you free to code without actually understanding how the application you’re writing really works. So lets pull back the smoke and mirrors and see what AJAX is and why it’s just a simple evolution of client/server tricks Javascript programmers have been doing since the web was born.

AJAX for n00bs

RIP king of soul

Aprenda a desenhar o corpo humano, através de videos, neste fabuloso site.

The Structure of Man

How Products Are Made explains and details the manufacturing process of a wide variety of products, from daily household items to complicated electronic equipment and heavy machinery. The site provides step by step descriptions of the assembly and the manufacturing process (complemented with illustrations and diagrams) Each product also has related information such as the background, how the item works, who invented the product, raw materials that were used, product applications, by-products that are generated, possible future developments, quality control procedures, etc.

www.madehow.com

Step 1 - Selecting the corner and warp transform it to a curl

Select the Rectangle Selection tool from the Toolbox and drag a squared selection starting from the bottom right corner of the image (holding down shift) going diagonally left, till you have a big part selected of the bottom right corner of your image. Go to the Edit menu and select Transform > Warp. Drag the bottom right point of the mesh up left till you get some curly effect. Drag the bezier handles to get the right curl effect and hit the return key if you’re pleased with the result.

Step 2 - Create the curl

Since this curl doesn’t show the back of our photo, it doesn’t really look realistic. The only way I’m aware of to achieve this effect is that we draw it ourself. Select the Pen tool from the Toolbox and draw a path on top of the picture. Follow the borders of the curl you just transformed as guidance. Fill the Shape layer with a white color (double click the layer icon).

Step 3 - Add shading effect to the curl

Double click on the right of the Shape layer to active the Layer Styles. Check the Gradient Overlay option. Set the Angle of the gradient to 152° and click in the gradient to adjust the colors. Drag the stop swatches to the position shown in the image above and choose a grey for the left stop swatch (click once on the stop swatch and then once in the Color field). You can play around with the effect till you get the result you want. These numbers and info are just as a guidance and what I’ve used to achieve my result.

Step 4 - Add shading effect to the image

To achieve an even more realistic effect, we add a depth/shading effect on the picture itself as well. Double click on the right of the layer that holds your picture to get to the Layer Styles options. Again, check the Gradient Overlay option. Set the Angle of the gradient to 152°, choose Multiply as Blend Mode (to filter out all the white) and click in the gradient to adjust the colors. Drag the stop swatches again as before to the position shown in the image above. As an extra you can check the Drop Shadow effect in the Layers Styles options as sort of realistic finishing touch

Todos os motores de geração de Mapas num só site.