Wednesday, December 22, 2010

PunBB Textpattern based web site hacked and fixed

A few days ago I noticed that Google search results for sahi started showing strange content which was not visible on the webpage or in the view-source.

A little hunting around showed that some of the common included php files on the website had been modified, such that when the page was accessed using google-bot's user-agent values, the page added the extra spam content. This made Google index the website with the spam title instead of the real one. Here is a great detailed post on this hack on Google's Webmaster Central website.

The hack had modified the PHP files by adding a single line which looks like this:
error_reporting(0);eval(base64_decode('JGxMOXdG..long long string..'));


When the string is decoded, it shows HTML content with all the spam links.

The modified time of the file was the same as that of the other files, so whoever did this made sure the modified time was reset to the original one. I removed the extra content and placed a request to delete the page from Google's cache (for details on removal, look at http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=164734&rd=1 under "The page has changed and I want the outdated information removed").

Everything worked fine. Till a few days ...

Google results again started showing weird results, and another hunt showed similar strings added. I removed the content, it was fine for a few days, and then again ... This was becoming painful and stressful. I had now got into the habit of logging into the shell and running

grep -RI base64_decode . | more

to see if there were any long entries, and then replacing that file with the untainted one from my backup. But the root cause of the problem was still unknown.

And then there was one particular file which on my machine was called groups.php. This had another eval(gzinflate(base64_decode('...'))) and, when run, it showed a page called "r57shell 1.40". This page gave full access to whatever PHP exposed under the web user's permissions, which meant one could access the filesystem, database, mail, ftp and what not. This was brilliant and I would have admired it more had it not been so harmful to me. I guess this was used to periodically modify various PHP files on my website to inject spam content. This may have been added during the brief period I was using ftp instead of sftp; I am not sure yet though. A couple of other similar harmful files also surfaced (called white.php and added to punBB's lang/eng/ directory) which opened some other back doors.

Removed these files and started searching for a solution which would track such problems and alert me, when I came across an "Anti Virus" link on a2hosting's CPanel. Added back the problem files, ran the AV (powered by ClamAV) and sure enough, those files were detected as Trojans. I wish I had known about this a couple of months back.

To prevent further such attacks,
all file permissions were changed to 644 and directory permissions to 755
all ftp users were removed and only sftp will be used henceforth

Also created a small PHP file which shows the files containing base64_decode (keep it outside the public web root or behind authentication, since it lists your server's file paths):


<?php
// Lists every file under the web root that mentions base64_decode (this file matches too).
$output = shell_exec('grep -RI base64_decode /my/homedir/www');
// Escape the output so any HTML inside an injected line is displayed, not rendered.
echo "<pre>" . htmlspecialchars($output) . "</pre>";
?>
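The grep check and the PHP listing page above both look only for the string base64_decode. As an added example (not the blog's own code), here is a Python audit in the same spirit: it walks a web root, flags the eval(base64_decode(...)) / eval(gzinflate(base64_decode(...))) loader shape, byte-compares each file against a known-clean backup copy instead of trusting modification times, and reports anything not at the 644/755 modes the post settles on. The regex, the paths and the miniature site built in demo() are constructed for illustration only.

```python
import filecmp
import os
import re
import tempfile

# Loader shape from the post: eval(base64_decode('...')) or eval(gzinflate(base64_decode('...')))
# followed by a long base64 literal. Constructed regex, tolerant of whitespace.
OBFUSCATED = re.compile(
    r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}")

def audit(webroot, backup=None, file_mode=0o644, dir_mode=0o755):
    """Walk webroot and return sorted (relative path, reason) findings."""
    findings = []
    for root, dirs, files in os.walk(webroot):
        for d in dirs:  # directories that drifted from the chosen 755
            p = os.path.join(root, d)
            if (os.stat(p).st_mode & 0o777) != dir_mode:
                findings.append((os.path.relpath(p, webroot), "dir mode not %o" % dir_mode))
        for f in files:
            p = os.path.join(root, f)
            rel = os.path.relpath(p, webroot)
            if (os.stat(p).st_mode & 0o777) != file_mode:
                findings.append((rel, "file mode not %o" % file_mode))
            if f.endswith(".php"):
                with open(p, encoding="utf-8", errors="replace") as fh:
                    if OBFUSCATED.search(fh.read()):
                        findings.append((rel, "obfuscated eval/base64_decode"))
            if backup is not None:  # byte-compare with the clean copy; mtimes were forged
                bp = os.path.join(backup, rel)
                if not os.path.exists(bp):
                    findings.append((rel, "not present in backup"))
                elif not filecmp.cmp(p, bp, shallow=False):
                    findings.append((rel, "differs from backup"))
    return sorted(findings)

def demo():
    """Constructed mini site: one doctored include, one dropped file with a loose mode."""
    os.umask(0o022)  # new dirs come out 755 and new files 644, matching the post's settings
    base = tempfile.mkdtemp()
    live, clean = os.path.join(base, "www"), os.path.join(base, "backup")
    # Placeholder base64 letters stand in for the blob; nothing here decodes to code.
    doctored = "<?php $db = 'x'; ?>\nerror_reporting(0);eval(base64_decode('" + "A" * 64 + "'));\n"
    files = {(clean, "config.php"): "<?php $db = 'x'; ?>\n", (live, "config.php"): doctored,
             (live, "lang/eng/white.php"): "<?php eval(gzinflate(base64_decode('" + "B" * 64 + "'))); ?>\n"}
    for (top, rel), text in files.items():
        os.makedirs(os.path.join(top, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(top, rel), "w") as fh:
            fh.write(text)
    os.chmod(os.path.join(live, "lang/eng/white.php"), 0o777)
    return audit(live, clean)
```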


I hope this post helps others who face similar problems.

Tuesday, November 16, 2010

Windows 7 fix for slow copy speeds from USB

I was recently copying over about 1.5 GB of data from my USB stick to Windows 7 (32bit) and was surprised to see that it took over 25 minutes to do the copy. I researched a little bit and this is what helped me fix it.

1) Run these commands to turn off TCP autotuning. (http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574)

netsh int tcp set heuristics disabled
netsh int tcp set global autotuninglevel=disabled


Effect: good increase in speed

2) Turn off Quick Heal antivirus during copy
Effect: good increase in speed

3) In Device Manager, right-click the USB drive in Disk drives folder, then select Properties, switch to Policies tab, and choose "Better Performance". Click OK to keep it. (http://social.technet.microsoft.com/Forums/en-US/itprovistahardware/thread/60a7b507-9bda-4e66-8693-b85498cd860c/)
Effect: good increase in speed

Overall the copy time came down to about 4 minutes (from a stable speed of 500 KB/s prior to the changes to 5.4 MB/s).

Note for the smart asses: before one starts inferring more than is necessary, let me clarify that Win7 and Quick Heal are both great products and serve my purpose very well.

Saturday, October 30, 2010

GTAC 2010

After having been denied participation initially, I did get to attend the second day of GTAC thanks to Simon Stewart helping me get in. I met a lot of interesting people, and spoke at length to the WebDriver folks, comparing notes, discussing road-map and about possible use of WebDriver underneath Sahi. It is going to take us a little while to do an honest appraisal and see whether that is the right direction to take.

GTAC was good overall, in the quality of the crowd. The talks were interesting. James Whittaker definitely lost my vote when he said something like "Honestly I was not thrilled when I heard GTAC was in India. I did not expect much, <pause>, and I must say, I am not disappointed". Seriously man, next time think before you say something like that, or be dishonest. Btw, some morons clapped at this.

There was one other instance where I thought I needed to add my comments. During a discussion, where I mentioned that going back to the web developer to add ids increases turn-around time, Simon jumped in to say that it is wrong to have teams separate; they should be sitting next to each other and should get it fixed immediately. This may be the ideal situation (I strongly question that too), but it is definitely not what is practised or feasible in the industry. While interactions are good, minimizing the testers' dependence on the developer is required. They may wish to discuss business logic, but really, why should they know the internal ids that need to be added to the view? It is just a waste of time. Adding ids is also not always possible when using off-the-shelf JavaScript UI frameworks. Why burden everyone with ids when tools like Sahi can do without the ids? I wish the discussion had stuck to testability and not gone off to project management.

Those aside, I think GTAC was good. Thanks GTAC for letting me be there at least for the second day!