Stodge.org

The C99Shell a.k.a. “C99 Shell” is a PHP backdoor script designed to further compromise insecure web-servers. Once installed onto an insufficiently secure server it is able to automatically install a number of wordpress spesific hacks. In addition it can take advantage of the lack of sandboxing in the PHP platform to execute arbitrary OS commands under the user ID of the webserver process.

C99Shell appears as an extra file which is dropped in a random or disguised location somewhere in your web-server. The PHP file contains a ziped, base64 encoded stream which is decoded and then eval’d on the fly. The purpose of this is to obfuscate the file, it’s hard to spot unless you have a method to determine if files have been added to your system. Even though the file is unreadable it’s pretty easy to modify the file so that it prints it’s source-code instead of running it:

Change the “eval” statment at the beginning of the file to an “echo” statement. It will print up the following source-code which I have placed on Pastebin.

By default the C99 Shell can target key vulnerabilities in Wordpres: For example having installed the script an attacker can do a push-button patch on the config-file or the main index.php file. Usually the purpose of these attacks is vandalism or more often to install spam-links.

Detecting the C99Shell is very easy if you installed your Wordpress via SVN. First of all detect and then manually inspect any .php files which have been added to your wordpress installation like this:

svn status | grep ^\?.*php$

Next try to detect files which have changed, it’s possible that these have been patched by the attacker:

svn status | grep ^M

Manually check each one of these files for signs of suspicious additions.

Once you have removed any unwelcome additions to your site, check the following permissions:

• If you still have the hack-file try running it yourself. There are a row of buttons which can be used to install hacks. Hacks which are available but not installed are green. Already installed are yellow and unavailable hacks are red. Now that you are in control you can try out the hacks yourself and get an idea of which files they modify. If you can modify them it means your file permissions are too lax. Try to get all the filesystem security set up right before you permanently delete c99shell.
• Remove group + other write permissions from the wp-include folder and all of the PHP files in the top level of the wordpress installation.
• Ensure that your Wordpress installation, all templates and plugins are installed via SVN. This will enable you to trivially detect and remove any unwelcome modifications in the future.
• You can disable the “eval” function. It’s a dangerous peice of code and I’m pretty sure that it is not required by any legitimate Wordpress component. Use the “disabled_functions” directive in your php.ini

I just bought and downloaded 2dboy’s awesome “World of Goo” for Linux. It looks and plays just like the Wii version, except that it’s higher-resolution and since it’s played with a mouse and not one of those silly nintendo wiimote things it’s a great deal more enjoyable. It really is a perfect port of the game, and without the Nintendo’s crappy control issues it’s a much better game.

If you’ve never tried this game I suggest you grab the demo (available on all platforms). The idea of the game is to build structures out of goo-balls… bizarre adhesive critters that like to link up to each other. The game challenges you a range of puzzles which can all be solved by building increasingly complex structures out of the sticky goo.

if you like it, please send twenty of your hard-earned dollars to 2dboy to show your support for Linux gaming.xanax order online no prescription Lorazepam Generic xanax cheap no prescription
xanax sales online Ambien For Sale what color is generic xanax
buy xanax without perscription; List Of Generic Xanax Cheap alprazolam order now no prescription cheap valium online pharmacy 989.
ambien fedex Xanax Cod Fedex discount generic xanax
buy brand name xanax? Buy Nonprescription Xanax cheapest xanax pills
ativan lorazepam buy cheap ativan online Buy Xanax Now lorazepam on line fedex!
ambien cr buy fed ex delivery Ambien Cheapest Prices buy alprazolam from mexico
cheap generic overseas ativan Ambien On Sale cheap ambien without prescription;
buy diazepam saturday delivery Buying Xanax While In China Buy valium madre natura buy valium in tijuana 318.
ativan for sale? Xanax Buy No Prescription cheap diazepam
xanax generic price Buying Valium Online Pharmacy Online order ambien from canada;
cheapest xanax no prescription Xanax Street Price Value xanax peach pill
valium cheap Generic Xanax Bar all about buy xanax
buying xanax without presciption Want To Buy Alprazolam ambien blue pill
xanax compare prices Percocet Valium For Sale No Prescription prices for sleep aid ambien
valium online order Cheapest Site To Buy Valium On-line buy xanax from india no rx?
buy cheap ambien Discount Xanax pharmacies that send xanax by fedex?
order xanax online Us Pharmacy No Prescription Valium Fedex lorazepam depresses hiccups
buy ativan from discount store Buy Ambien With No Prescription cheap ativan online discount pharmacy
buy xanax by electronic check Buy Xanax Valium ativan for panic disorder

Imagine spending $20+ million on a high-profile video game only to find that puritanical film-industry censors deny you the ability to market your product, even to consenting adults.

A couple of months ago, The British Board of Film Classification, the organisation who put those age-certificates at the start of home-videos and movies decided not to award a certificate to Manhunt 2, effectively banning this product from both the retail and rental markets. This week, the British government has publicly backed the BBFC’s position on Manunt 2.

Rockstar have two options – either modify their game such that it is compatible with the BBFC’s hazy standards, or seek an alternative channel to sell their game. My hunch is that they will go for the latter.

Ultimately, the people who will be most hurt are the shops that sell games. Only this week Richard Branson offloaded his last-remaining shares in Virgin Megastore. HMV have been reportedly close to bankruptcy for a long time, and with the exception of Blockbuster, the stores that sell and rent video games are becoming rare on our high-streets.

These are painful times for games-retailers, and now the government is denying them the right to retail what would almost certainly have been a popular title.

RockStar will take the BBFC decision as a strong hint that if they want to keep both their creative freedom and their freedom to sell products they will need a new distribution channel: One that is entirely free of influence of the censors and politicians who like to meddle with the market.

Selling games directly, online is the obvious solution, simply because there is no effective means of censoring sales of software online, and given the international nature of the Internet, no one country will be able to enforce it’s moral-standards globally.

If retailers had any sense they would be petitioning the BBFC to get out of their way and let them sell the games that people want. Unfortunately I fear this will not happen since retailers are afraid of offending the “family values” groups that have lobbied for video game censorship.

In the long-term the games industry will win – retailers and the BBFC will no longer be relevant, and the games producers will have their own mature distribution systems which connect directly with the customer, free of government and censor’s interference.

According to the OLPC project (One Laptop Per Child), the people who are building a sub $100 laptop so that kids in developing countries can become 3lit3 hackers too, the new device will come pre-loaded with a visual smalltalk based development studio called Squeak, and a fun animation / programming toy called Scratch.

[kml_flashembed movie="http://www.youtube.com/v/jxDw-t3XWd0" width="400" height="350" wmode="transparent" /]

I found the video mostly very annoying, once you skip past the beginning they get into a demo of the environment. Basically it’s a drag & drop scripting environment with an emphasis on animation and sound.

You can program flash-style animations and drag and drop the scripts in real-time – the animation changes in real-time as a consequence. I guess that the individual modules are objects written in Smalltalk, which can easily be extended.

I also like the idea that these laptops will present new users with a whole bunch of new programming languages and VB is not one of them.

Yahoo’s latest invention is amazing: Pipes allows the user to visually mix and mash all kinds of web-based RSS and Atom feeds. Have you ever wanted to combine a number of blog feeds into one, and then filter the content according to some simple criteria… that’s the sort of thing that Pipes can take care of really easily.

Later today I will have a go at using it on one of the sites I run where I face exactly this challenge.

For now, be gentle on the system. It’s still pretty new, crashes often and has no support for the kind of scripting that would make Pipes truly useful, however I can see where this application is headed, and I am sure Google are just kicking themselves for not having invented it first.

You want that job in IT but dont have the right credentials? If like me you slept through university, skipping classes and exploiting university for maximum leisure potential then you may have missed out on the opportunity to publish any scientific papers.

Fortunately, this system uses a context-free gramar to generate all the papers you might ever wish to submit. Click on the important looking diagram to view some pre-generated twaddle written by some made-up names.

Released in 1982, Tron is an animated feature film from the Walt Disney Corporation. This film combines live action with CGI and traditional cell animation. The artistic result is way ahead of it’s time; indeed we can safely argue that Tron is the visual forerunner of the cyberpunk genre. The “computer world” of Tron has inspired the alternative realities of more recent works such as Sega’s “Rez” and “The Matrix”.

Tron’s plot is a thinly veiled allegory for the great debate between operating system pioneers Linus Torvalds and Andrew Tannenbaum; spesifically the eternal battle between advocates of monolithic operating system design vs micorkernel. Tron’s producers take a very one-sided view of this argument – the monolithic “Master Control Program” is clearly the bad guy, however in their credit, this was merely the received wisdom of the age. Regardless of the computer-science flaws, the film is visually superb entertainment more than twenty years after it’s original release.

That isn’t to say the film has dated; It certainly has – while the animated sections remain compelling, the live action segments set in the real world appear ludicrous and clumsy. They lack the panache of the virtual-reality scenes and only serve to provide a somewhat redundant set-up for the entirely self-contained animated sequences that form the body of the film.

The live-action epilogue is also baffling in it’s redundancy. I suspect the film producers were trying to provide some kind of revenge themed closure, in which our hero replaces the corrupt manager of the company; Once again, this live action sequence detracts from the final sequence of the animated section where we see “Flynn” rise god-like from the spinning wreck of the “master-control program”. We can only assume he has made it, but his absence from the cyberscape after that moment leaves us in doubt.

One of the film’s main strengths is it’s sound-track. The score was composed and performed by Wendy Carlos (an associate of the recently deceased synth-pioneer Bob Moog), with help from the London Symphony Orchestra. It’s evocative, subtle, original and entirely spoilt by a number of unimaginative prog-rock tracks by a band called “Journey”. Fortunately there are only two sections of prog-rock in the film, both of which are somewhat redundant.

Perhaps by now you have twigged, that it’s my intent to correct some of these flaws. In a nutshell, we have an visually superb film spoilt by some unnecessary, badly-filmed live-action sequences. Thanks to affordable digital editing software I can now take my DVD copy of this film and completely strip it of all of it’s flaws, leaving a shorter, more challenging and ambiguous film.

When you remove the “real world” from Tron you get a completely different effect. Without any orientation, we do not nececarily know from the beginning what the nature of these characters who inhabit the virtual world are.

We see Clu apprehended and apparently crushed by a “recogniser” at the start of the film. In the original version Clu is destroyed and replaced by his alter-ego. In my version he is merely thrown into the “game-grid” as a result of his capture. Naturally that also explains his colour change. In Tron, the MCP’s agents are predominantly coloured red, whereas the fugitive programs are pale-blue.

Of courese, if the real-world does not exist then how do we explain Clu/Flynn’s change of manerism and his claims to be a user. Before his apprehension he makes no reference to userdom (the equivalent to divinity in the computer-world). Is Clu delusional or perhaps some kind of computer-world mesiah.

My reduced ending also adds a delicious ambiguity to what in the original version is shown to be a clean escape. Clu/Flynn is propelled upwards in the disintegration of the MCP. He is not shown to have been destroyed, but nor is he shown to be safe, or re-united with the programs that he has saved from assimilation. We are now free to interpret the nature of his escape for ourselves.

Sadly, the film Tron and it’s soundtrack are copyrighted works. This means I cannot legally distribute a copy of this movie, however I will release my “Edit Decision List”, the recipe for you to take a copy of the Tron film and re-create my edits. This will be released into the public domain, which means that anybody is free to view this classic work of science fiction is it was meant to be.

Last night, while most crazy young people are out getting sorted for E’s and whizz, I decided to stay in and migrate the Exciting Hellebore Shew and Epistaxis Archives over to Wordpress. To my dismay it appears that the standard Wordpress RSS importer cannot handle enclosures, so there is no way to import a podcast series.

Rather than cut & paste seventy episodes of Epistaxis Time, I hacked up a new RSS2 importer based on the existing design, but using Magpie RSS to parse the RSS feeds. As a result we have a new parser that is more able to cope with the nuances of RSS2. You can download my code as a SVN diff here: http://svn.stodge.org/wordpress_rss2_import/magpie_rss2_import.diff

In order to make this work you will need a recentish version of Magpie RSS in a folder called ‘magpierss’ somewhere in your PHP search path. Just apply the diff at the root folder of your Wordpress installation. This works best if you got Wordpress via subversion… it’s much easier than downloading and unpacking tgz or zip files.

… because if they did they would know better than to try to intimidate Cory Doctorow for criticising their products. They would know that an effect to chill certain kinds of free speech is almost certainly going to provoke a backlash. It’s really not such a difficult concept.

Doctorow recently revealed that the Starforce anti-copying technology uses hidden malware which is installed onto gamers’ computers without permission or notification. He also noted that Starforce installs a driver that can seriously degrade the performance of a CD drive on a Windows PC.

As usual, Linux and Mac users need not worry about this sillyness.

Updare: The Consumerist is covering this story – I think it’s about to get very big.