
Hacked Wordpress Recovery

Interesting to see this post from WP developer Donnacha, on removing various popular nasties from a wordpress install after it has been hacked or compromised.

At work we often see instances where it is not possible to simply return a user’s CMS install to a pre-hack backup and then upgrade (the safest course of action) because of

  1. Confusion over when the hack(s) / compromises first occurred.
  2. Confusion over what legitimate content / changes have been made since.
  3. No obviously clean recent backup exists.

So we’re often left with a script / CMS install that needs to be cleaned up and upgraded. Where suspicious files have been uploaded, these are often easy to locate because of the sheer number of requests to them in the access logs, for example from infected PCs that have been tricked into trying to download a virus or trojan loader. Malicious javascript added to core or template files is more difficult to spot in this manner, as are disguised files referenced from the CMS’s database. For the core files the reliable check is to diff the install against a clean copy of the same release; for templates and database content it comes down to searching for the usual obfuscation (eval of base64-encoded strings, zero-size or hidden iframes) by hand.
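As an added example (mine, not code from Donnacha’s post or from Wordpress), here is a small Python triage script that does those three checks on constructed sample data: top requested files under the uploads directory, a signature scan of template files and post content, and a hash comparison against a clean copy of the same release. The log format, the uploads path and the signature list are assumptions; the signatures are a starting point, not a complete list.

```python
"""Triage helpers for a compromised CMS install (added example, not from the post).

Assumptions: Apache/nginx 'combined' access log format, a WordPress-style layout
with user uploads under /wp-content/uploads/, and the signature list below
(a starting point, not a complete list). All sample data is constructed.
"""
import hashlib
import re
from collections import Counter

# Fields we need from a combined-format log line: request path and status.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Extensions that should never be served out of an uploads directory.
EXEC_EXT = ('.php', '.php5', '.phtml', '.exe', '.scr', '.pif', '.com')


def hot_upload_paths(log_lines, uploads_prefix='/wp-content/uploads/', min_hits=5):
    """Return [(path, hits)] for files under the uploads directory that were
    successfully fetched (2xx) and either carry an executable extension or were
    requested at least min_hits times. 404 storms are ignored: they say nothing
    about what is actually on disk."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group('status').startswith('2'):
            continue
        path = m.group('path').split('?', 1)[0]
        if path.startswith(uploads_prefix):
            hits[path] += 1
    flagged = [(p, n) for p, n in hits.items()
               if n >= min_hits or p.lower().endswith(EXEC_EXT)]
    return sorted(flagged, key=lambda pn: -pn[1])


# Patterns far more common in injected PHP/JS than in legitimate theme code.
INJECTION_PATTERNS = [
    ('eval_encoded', re.compile(
        r'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ('preg_replace_e', re.compile(r'preg_replace\s*\(\s*["\'][^"\']*/[a-z]*e[a-z]*["\']', re.I)),
    ('hidden_iframe', re.compile(r'<iframe[^>]+(width|height)\s*=\s*["\']?0\b', re.I)),
    ('hidden_block', re.compile(r'<(iframe|div)[^>]*display\s*:\s*none', re.I)),
    ('long_hex_escape', re.compile(r'(\\x[0-9a-f]{2}){16,}', re.I)),
]


def scan_text(name, text):
    """Scan one file or database field. Returns [(name, pattern_name, line_no)]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for pat_name, pat in INJECTION_PATTERNS:
            if pat.search(line):
                findings.append((name, pat_name, line_no))
    return findings


def compare_to_pristine(pristine_hashes, current_files):
    """pristine_hashes: {relpath: sha256 hex} built from a clean copy of the SAME
    release; current_files: {relpath: bytes} read from the live install.
    Returns (modified, added, missing) as sorted lists of relative paths."""
    current = {p: hashlib.sha256(b).hexdigest() for p, b in current_files.items()}
    modified = sorted(p for p in pristine_hashes
                      if p in current and current[p] != pristine_hashes[p])
    added = sorted(p for p in current if p not in pristine_hashes)
    missing = sorted(p for p in pristine_hashes if p not in current)
    return modified, added, missing


# ---- constructed sample data (not real traffic or real files) ----------------
SAMPLE_LOG = (
    ['198.51.100.%d - - [01/Jan/2008:10:%02d:00 +0000] "GET /wp-content/uploads/2008/01/update.exe HTTP/1.1" 200 61440 "-" "Mozilla/4.0"' % (i, i) for i in range(7)]
    + ['203.0.113.5 - - [01/Jan/2008:11:00:00 +0000] "GET /wp-content/uploads/2007/12/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'] * 2
    + ['203.0.113.9 - - [01/Jan/2008:11:05:00 +0000] "GET /wp-content/uploads/tmp/x.php?cmd=id HTTP/1.1" 200 31 "-" "curl/7.16"']
    + ['203.0.113.7 - - [01/Jan/2008:11:06:00 +0000] "GET /wp-content/uploads/2008/01/old.exe HTTP/1.1" 404 210 "-" "Mozilla/4.0"'] * 3
    + ['203.0.113.8 - - [01/Jan/2008:11:07:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']
)

SAMPLE_FOOTER_PHP = """<?php
// footer.php (constructed sample with an injected line)
wp_footer();
?>
<?php eval(base64_decode("ZWNobyAnaGVsbG8nOw==")); ?>
</body>
</html>
"""

SAMPLE_POST_CONTENT = '<p>Hello world</p><iframe src="http://example.net/" width=0 height=0></iframe>'

PRISTINE = {'wp-settings.php': hashlib.sha256(b'clean settings').hexdigest(),
            'wp-login.php': hashlib.sha256(b'clean login').hexdigest()}
LIVE = {'wp-settings.php': b'clean settings',
        'wp-login.php': b'clean login <?php @eval($_POST["x"]); ?>',
        'wp-content/uploads/tmp/x.php': b'<?php system($_GET["cmd"]); ?>'}

if __name__ == '__main__':
    print(hot_upload_paths(SAMPLE_LOG))
    print(scan_text('footer.php', SAMPLE_FOOTER_PHP) + scan_text('wp_posts:12', SAMPLE_POST_CONTENT))
    print(compare_to_pristine(PRISTINE, LIVE))
```

On a real box you would feed hot_upload_paths the actual access log, run scan_text over every .php and .js under the install plus the post content and options pulled from the database, and build the pristine hash map from a freshly downloaded tarball of the exact same version. Anything the hash comparison lists as modified or added, and anything the scan flags, is then a candidate for a closer look rather than automatically bad.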

It would be helpful if the development / security investigation teams of most major CMS’s published these sorts of guides. Thanks Donnacha!

Seriously screwy local property market

Having watched the local property market for longer now than I care to remember, right now it’s about the weirdest I have ever seen it. Looking at small two bed terraces or two bed flats, new properties are coming on at the same prices they have been for many months, anything between 160k and 190k depending on location.

However there are also a lot of properties floating about that have been on the market for several months, where the asking price is down to 140k (and not just the ones in bad areas as before). This gels with what we’ve all heard about the number of mortgage approvals being heavily down.

Three things therefore seem likely

  1. Some people are still paying the asking price (presumably those with money coming out of their ears).
  2. Some are getting (comparatively) good deals.
  3. Some sellers are hanging onto their properties hoping this is a blip, while some first time buyers are holding off buying hoping (or worrying) that prices will fall still further (up to 30% is now being predicted*).

So…

  • In the sellers market of the last few years people have got used to not haggling. ALWAYS haggle unless there is heavy interest in your dream house. While the agent may well act shirty, offering 10% below asking price at first is not unreasonable.
  • Don’t forget to check historical sold prices for the area (and even the road) you’re looking at buying in. Remember however that this won’t include sales within the last 2-3 months.
  • Remember location. If things pick up again you’ll pat yourself on the back for getting a bargain in the best area you could.

* Note that 0% and even a raise in prices is also being predicted. That’s the great thing about predictions on the property market, no one expects you to be right ;)

Anonym.OS alternatives? - xB Machine

A couple of weeks ago I was wondering on what happened to Anonym.OS. After a little searching around I came across xB Machine.

Xerobank appear to be one of those “secure browsing for a fee” organisations, offering browser plugins and networks to protect your privacy while on the web. xB Machine can operate over this commercial network or over the free to connect Tor network.

There is however one very important difference: whilst Anonym.OS ran as a live CD, xB Machine is currently only available as a set of disk images that reside on your hard disk and must be run through VMware or Qemu (I didn’t have the familiarity to get it going in the latter and precise instructions aren’t currently available on the site). To alleviate concerns about this, the user session takes place within an encrypted container and there is a “self destruct” routine which can supposedly wipe it. Full details on how these two aspects operate do not currently appear to be available on the download page or support wiki entry.

Those wishing to try the software should beware of the fact that it is a development pre-release, that does not appear to be open sourced or have undergone peer review. That said, it is good to see a tool like this released freely, even if it is ultimately supported by the option to use commercial networks.

Moving SMF to a new server

This post is an aide-mémoire more than anything else, but hopefully might come in handy to someone.

Settings.php

  • Database access details
  • Local file system path
  • URL (if changing)

Database

There are several rows in the settings table where the local file system path is stored. Whether you fix them by find and replace (if restoring via a .sql dump), through the forum admin backend or in phpMyAdmin, lots of things such as post icons and avatars will look screwy until you do. Theme paths are also stored in the database. Make sure you get them all :) If you do a blanket find and replace on the dump, remember it will also rewrite the old path anywhere else it appears, including inside post text, so check the result before importing.

Easier updating with Wordpress

I’ve been pleased to see the inclusion of an update warning in recent versions of Wordpress when new versions are released. Coupled with the plugins page that now tells you when updates are available for your installed addons the system is becoming a lot easier for the non technical user to maintain, even if they ultimately have to seek help with the process. Working on a web host’s helpdesk, it’s obvious that half the problem with old script installs is that the site owner isn’t aware updates are required.

I’m looking forward to the day when Wordpress can also have the option to update itself (for example as Simple Machines Forum can do, by feeding it your FTP details), just to make it a little harder for users to ignore ;)

Whatever happened to Anonym.OS?

Roll your mind back to the beginning of 2006 and you might remember Anonym.OS, the idea of which was that you could pop a CD into your coffee cup holder, reboot and have nice (relatively) secure and anonymous browsing via Tor in a nice locked-down BSD session. My mind is a little hazy on how it performed in detail, but I remember that in general it worked, which is more than can be said for a lot of security tool releases…

It is somewhat sad to see that the project doesn’t seem to have been maintained. Should a notification be posted to the sourceforge, freshmeat etc pages to say that the versions of software included have security issues? I’m not really qualified to say but I would generally expect something coming up for 2 years of age to have some security issues a user would wish to be aware of.

The developers of the disc, kaos, did publish a PDF on making a BSD live CD and a document on hardening an OS for secure internet activity, but I’d be interested in knowing whether the reason the project hasn’t had further releases is simply time constraints or something more fundamental about the idea itself.

If anyone knows the status of the projects, or a worthy alternative, do drop a comment into the box below…

Microsoft Smart Network Data Services (snds)

If you run an email server, you may be interested to have a look at Microsoft’s Smart Network Data Services tool. Providing you can authenticate yourself as the administrator of the IP address in question you can view statistics on the volume and type of email sent to hotmail / live.com / msn. This includes goodies like

  • Whether email from your range has been hitting the “trap addresses” (dummy accounts setup by MS to catch spammers).
  • What percentage of your email is being complained about within the hotmail interface
  • An overall result from the spam filter in place.

Better than nothing…

Unfortunately, to limit its usefulness to spammers, the amount of data available is relatively small. The tool only provides you with one example email that has been “complained” about per day per IP.

The sort of email that is being marked by users may be something of a surprise. We have seen the following marked as junk by users within the hotmail interface.

  • Order confirmations
  • Emails containing login details
  • Requested quotes for technical work (I guess the price wasn’t right…)

Perhaps to a cynic this isn’t a great surprise, it isn’t too much of a leap to define spam email as “anything I don’t want to receive”. However, it pushes the notion that some user re-education is definitely needed at hotmail and also gives the impression that some people are using mark as junk rather than the delete button.

If you operate a site or service where a lot of people will sign up with a hotmail or other free address, you might wish to reduce the number of emails you send. It is tempting to wonder if this is a sign of a change in user attitudes: it used to be the case that confirmation emails were welcomed because they could be kept as a record and were a clue that the automated form you had input data to had actually processed. Now it seems that as long as on-screen confirmation / tracking is provided, users find the email notifications irrelevant. Are users trusting their web transactions much more than before? Are email newsletters now irrelevant in the age of RSS feeds?

Forwarding spam is naughty (and if you use a catch all you’re going to blackhole hell)

The tool provides a spam filter result for the IP as well. If you’re doing any catch-all forwarding to hotmail addresses, you’ll likely end up with a red filter result (a catch-all on an established domain will catch oodles of spam). This is somewhat depressing as users are only forwarding this email, although from the point of view of an administrator forwarded spam is still wasted bandwidth and CPU time, and to hotmail it simply looks like spam arriving from your IP. There is no suggestion in the FAQ as to what weighting the filter result and complaint rate have in deciding blackholing, although keeping the complaint rate below 0.3% is quoted as a target to aim for.

What combination of complaint rate, spam filter results and duration leads to a block, or even worse the blackholing of email, doesn’t seem to be public information. Anecdotal evidence (i.e. from me to you, now) would seem to suggest that blackholing can be remedied by reducing the filter result (which is only common sense: if several catch-alls are running, up to 80-90% of your red filter figure might be spam) but I wouldn’t like to bet my salary on it.
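As an added example (mine, not from Microsoft or the snds tool), here is a Python script that aggregates per-IP sending data over a period and flags the things discussed above: a complaint rate over the 0.3% target, any trap address hits, and any day with a red filter result. The CSV layout and column names are an assumption for the example and are NOT the real snds export format; the rows are constructed. Useful on a shared host precisely because the numbers are per IP and several customers (and several catch-alls) sit behind one address.

```python
"""Flag sending IPs that are drifting toward a hotmail block (added example).

The CSV layout below is an assumption for this example, NOT the real snds
export format; adapt the column names to whatever your data source provides.
All rows are constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

COMPLAINT_TARGET = 0.003   # the 0.3% complaint rate quoted as a target to aim for

# Constructed data: one shared-hosting IP forwarding a catch-all, one clean IP,
# and one IP that hit trap addresses on a single day.
SAMPLE_CSV = """date,ip,messages,complaints,trap_hits,filter_result
2008-01-01,192.0.2.10,12000,20,0,GREEN
2008-01-02,192.0.2.10,15000,70,0,RED
2008-01-01,192.0.2.11,800,0,0,GREEN
2008-01-02,192.0.2.11,900,1,0,GREEN
2008-01-01,192.0.2.12,300,0,3,YELLOW
"""


def load_rows(text):
    """Parse the (assumed) CSV layout into a list of dicts with numeric counts."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        for col in ('messages', 'complaints', 'trap_hits'):
            r[col] = int(r[col])
        rows.append(r)
    return rows


def summarise(rows):
    """Aggregate per IP over the whole period. Returns {ip: summary dict}.
    The rate is computed over the period, not per day, so one busy clean day
    cannot hide a bad one and one bad day does not dominate on its own."""
    agg = defaultdict(lambda: {'messages': 0, 'complaints': 0,
                               'trap_hits': 0, 'red_days': 0})
    for r in rows:
        a = agg[r['ip']]
        a['messages'] += r['messages']
        a['complaints'] += r['complaints']
        a['trap_hits'] += r['trap_hits']
        if r['filter_result'].strip().upper() == 'RED':
            a['red_days'] += 1
    for a in agg.values():
        a['complaint_rate'] = a['complaints'] / a['messages'] if a['messages'] else 0.0
    return dict(agg)


def problems(summary, target=COMPLAINT_TARGET):
    """Return {ip: [reasons]} for every IP that needs attention."""
    out = {}
    for ip, a in sorted(summary.items()):
        reasons = []
        if a['complaint_rate'] > target:
            reasons.append('complaint rate %.2f%% above the %.1f%% target'
                           % (a['complaint_rate'] * 100, target * 100))
        if a['trap_hits']:
            reasons.append('%d trap address hit(s): something on this IP is '
                           'sending to scraped or never-valid addresses' % a['trap_hits'])
        if a['red_days']:
            reasons.append('%d day(s) with a red filter result' % a['red_days'])
        if reasons:
            out[ip] = reasons
    return out


if __name__ == '__main__':
    for ip, reasons in problems(summarise(load_rows(SAMPLE_CSV))).items():
        print(ip)
        for reason in reasons:
            print('  -', reason)
```

In the constructed data 192.0.2.10 is flagged twice (0.33% complaints over the period and a red day, the catch-all forwarder pattern), 192.0.2.12 once for the trap hits, and 192.0.2.11 not at all. The trap hit check is the one to act on first: legitimate forwarding generates complaints and red filter results, but it should not be hitting addresses that never existed.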

Hotmail support seem to have difficulty with the concept of a shared hosting service where you are concerned with unblocking a server rather than a specific domain and their forms and replies are geared towards the latter. It would be helpful if there were a separate route to support through the snds interface given the authentication requirement to access data (although granted that doesn’t guarantee intelligent questions ;) ).

Mounting an FTP account on Linux

Learning to use the command line is one of the hardest things about moving to Linux, however once you’re used to it, doing things becomes second nature and you actually miss being able to use the terminal in those cases where you have FTP access but no shell account. For some things using a GUI is laborious, upgrading web apps is a major case in point.

One way of getting around this is the curlftpfs package. The software allows you to mount your FTP account and access it as you would any other part of your Linux File System.

After installing the package, you may have to modprobe fuse and may have to add your user to the fuse group. The former was necessary on Suse 10.2 and the latter on Kubuntu Feisty. After that simply create the folder you wish to use as a mount point and issue the command.

curlftpfs -v ftp://user:pass@ftp.somewhere.net/ MountPoint/

Once everything is working you can do away with the -v, which enables verbose output. This is great if you need to do work on a web app where there is no shell access. Two things to watch with the command above: the password in the URL is visible to every other user on the machine via ps and ends up in your shell history, so keep it in ~/.netrc (mode 0600) instead, which libcurl-based curlftpfs reads; and plain FTP sends both the credentials and your files in the clear, so use -o ssl if the server supports FTPS.

Caution

It is easy to forget this is not shell access: commands like unzip, unrar etc. will run the binary on your machine, with the resulting back-and-forth data transfer. Use such commands at your peril if working on an unstable connection, with large files or if you don’t have a backup.

Whilst this can be used with the rails command (again not recommended), bear in mind that you’ll need to copy the contents of the vendor directory to the server manually, as this is normally symlinked when working on the shell.

References

http://gentoo-wiki.com/HOWTO_FTP_Mount

NextGen Gallery for WordpressMU - necessary modifications

Alex Rabe’s gallery plugin for Wordpress, “NextGEN Gallery”, is becoming almost as popular as the integration with Gallery2, and with good reason. I run the Gallery2 integration on this blog and it means keeping both systems as well as the integration up to date. If for whatever reason you want / need all the functionality of Gallery2 this is great, but otherwise NextGEN Gallery, which is still in beta (i.e. pre version 1), is quickly shaping up as a good alternative.

The best thing about WPMU (for those that don’t know) is that themes and plugins written for Wordpress often require little modification to function - so without further ado…

1. Set the default file path for the plugin so that all images are stored per blog. This function is run on activation when the tables for the plugin are created.

ngginstall.php

function ngg_default_options()

Add

global $blog_id;

Edit options line as follows

$ngg_options['gallerypath'] = "wp-content/blogs.dir/" . $blog_id . "/files/"; // set default path to the gallery

2. Remove ability for user to update the above in the blog backend

settings.php

Remove “gallerypath” from the list of fields the settings page saves, and remove the input box as well. Removing only the input box isn’t enough: anything still in the list of saved fields can be set by a crafted POST, and a user who can point gallerypath outside their own blogs.dir folder can write into another blog’s files.

3. Modify the version check

nggallery.php

Simply set if (version_compare($wp_version, 'wordpress-mu-1.2.4', '>=')) or remove the check entirely

Note

Other changes are required

  • If you want to enforce per-blog disk usage limits; what is needed depends on the method you are using to implement this (we’re using zspace upload quotas)
  • You’ll probably also want to hide the plugin’s server status / news display.
  • You may want to change / disable the “import image folder” function. Normally you won’t be allowing your users the upload access to need this function.
  • The default path is displayed in various pages (such as where a gallery is created) in the backend, you may want to remove this as it probably will not be relevant for your users.
  • You may need to edit / remove the permissions checking code depending on how your server is setup
  • Kevin Element left a comment below to say  “I noticed that when you log in as a user and use the “Uninstall plugin tables” under “setup” it deactivates the plugin for all users.” so that is another feature you’ll wish to look at modifying. Thanks Kevin :)

Why are you not simply releasing a version of the plugin that works with MU?

Because “works” is relative to how you intend your MU site to function and what other custom code you have installed. The above hacks are the minimum necessary to get the plugin to work on a default MU install. Alex is planning MU support for version one of the plugin, but how best to do this is debatable, especially with the addition of things like a role manager and tagging system.

The current discussion on NGGallery for WPMU is here

New “personal search” sites - what’s the big deal?

Article on the BBC about search sites indexing information from social networking sites as well as the usual sources such as websites and newsgroups.

The interesting thing is that these sites don’t really change anything - yes they provide a “picture” of sorts of a person’s dalliances online that is accessible to the ordinary person but they don’t give you much more than a little fiddling with Google could have done.

In my case (and I have a pretty unique name) all you get is a rather fetching picture with a christmas hat from myspace that isn’t currently on this blog. So far so not very revenue generating for the site in question. A few scraped links to technical queries on online forums and mailing lists also aren’t very interesting to anyone, given that the email addresses and topics under discussion will be a few years old now.

What most people already knew to be true hasn’t changed: for peace of mind online just don’t use your real name. Given that I’ve got profiles across several social networking sites, this blog and quite a few domains in my name as well as profiles on numerous forums, the level of information scraped by these sites is really pretty piss poor. Yes, these personal info aggregation sites do pose a major risk to those teens currently posting deeply personal stuff publicly over the web, but really that is the fault of the parents who let them have unsupervised access to something they don’t really understand the implications of themselves.

If you do have a lot of information on a profile (such as facebook) including telephone numbers, address and birthday then that should really be a friends only page anyhow (don’t join a network) - unless you’re the type who writes your details in pub toilet stalls hoping for a “friend request”…

The sites also seem to suffer from the usual “common names” problem - they can tell me that Dan is a councillor in Eastbourne and was a governor at a local school but not one of them managed to link both of these pieces of information to the same name. One of the sites picks up my boss (who has a pretty unique name) but again simply by pulling a myspace entry which links you to one of the sites that she owns.

From the point of view of unique features, if the site is simply trawling other social networks and the web then it’s in danger of dying of irrelevance - myspace, facebook etc could easily partner with a search company if they wanted to trawl information from other sources for users to add to their profiles but most people don’t want that anyway - I have absolutely no interest in auto populating a profile of mine with out of date information or detail of online support requests to the MythTV project. Most people’s profiles are highly tweaked to a specific picture they want to provide at that moment.

I’m not saying that an upstart service couldn’t combine Google style search algorithm power and social networking into something massively wonderful / privacy threatening depending on your perspective but what I am saying is that the level of technical acumen and capital required to achieve such a thing makes it pretty unlikely. Pretty much the only thing these sites seem to do at the moment is provide an ever useful reminder to be careful what you attach your name to.
