Archive for the 'Development' Category

Inside the C99Shell, and removing it from Wordpress

Published on July 24, 2009 in PHP. 0 Comments

The C99Shell a.k.a. “C99 Shell” is a PHP backdoor script designed to further compromise insecure web-servers. Once installed onto an insufficiently secure server it is able to automatically install a number of wordpress spesific hacks. In addition it can take advantage of the lack of sandboxing in the PHP platform to execute arbitrary OS commands under the user ID of the webserver process.

C99Shell appears as an extra file which is dropped in a random or disguised location somewhere in your web-server. The PHP file contains a ziped, base64 encoded stream which is decoded and then eval’d on the fly. The purpose of this is to obfuscate the file, it’s hard to spot unless you have a method to determine if files have been added to your system. Even though the file is unreadable it’s pretty easy to modify the file so that it prints it’s source-code instead of running it:

Change the “eval” statment at the beginning of the file to an “echo” statement. It will print up the following source-code which I have placed on Pastebin.

By default the C99 Shell can target key vulnerabilities in Wordpres: For example having installed the script an attacker can do a push-button patch on the config-file or the main index.php file. Usually the purpose of these attacks is vandalism or more often to install spam-links.

Detecting the C99Shell is very easy if you installed your Wordpress via SVN. First of all detect and then manually inspect any .php files which have been added to your wordpress installation like this:

svn status | grep ^\?.*php$

Next try to detect files which have changed, it’s possible that these have been patched by the attacker:

svn status | grep ^M

Manually check each one of these files for signs of suspicious additions.

Once you have removed any unwelcome additions to your site, check the following permissions:

If you still have the hack-file try running it yourself. There are a row of buttons which can be used to install hacks. Hacks which are available but not installed are green. Already installed are yellow and unavailable hacks are red. Now that you are in control you can try out the hacks yourself and get an idea of which files they modify. If you can modify them it means your file permissions are too lax. Try to get all the filesystem security set up right before you permanently delete c99shell.
Remove group + other write permissions from the wp-include folder and all of the PHP files in the top level of the wordpress installation.
Ensure that your Wordpress installation, all templates and plugins are installed via SVN. This will enable you to trivially detect and remove any unwelcome modifications in the future.
You can disable the “eval” function. It’s a dangerous peice of code and I’m pretty sure that it is not required by any legitimate Wordpress component. Use the “disabled_functions” directive in your php.ini

http://pastebin.com/f1ca32742

Scratch – Smalltalk based realtime programming (for kids)

Published on February 14, 2007 in Development and General. 0 Comments

According to the OLPC project (One Laptop Per Child), the people who are building a sub $100 laptop so that kids in developing countries can become 3lit3 hackers too, the new device will come pre-loaded with a visual smalltalk based development studio called Squeak, and a fun animation / programming toy called Scratch.

[kml_flashembed movie="http://www.youtube.com/v/jxDw-t3XWd0" width="400" height="350" wmode="transparent" /]

I found the video mostly very annoying, once you skip past the beginning they get into a demo of the environment. Basically it’s a drag & drop scripting environment with an emphasis on animation and sound.

You can program flash-style animations and drag and drop the scripts in real-time – the animation changes in real-time as a consequence. I guess that the individual modules are objects written in Smalltalk, which can easily be extended.

I also like the idea that these laptops will present new users with a whole bunch of new programming languages and VB is not one of them.

Wordpress RSS2 content importer, now with enclosures

Published on February 12, 2006 in Free Software, General and PHP. 1 Comment

Last night, while most crazy young people are out getting sorted for E’s and whizz, I decided to stay in and migrate the Exciting Hellebore Shew and Epistaxis Archives over to Wordpress. To my dismay it appears that the standard Wordpress RSS importer cannot handle enclosures, so there is no way to import a podcast series.

Rather than cut & paste seventy episodes of Epistaxis Time, I hacked up a new RSS2 importer based on the existing design, but using Magpie RSS to parse the RSS feeds. As a result we have a new parser that is more able to cope with the nuances of RSS2. You can download my code as a SVN diff here: http://svn.stodge.org/wordpress_rss2_import/magpie_rss2_import.diff

In order to make this work you will need a recentish version of Magpie RSS in a folder called ‘magpierss’ somewhere in your PHP search path. Just apply the diff at the root folder of your Wordpress installation. This works best if you got Wordpress via subversion… it’s much easier than downloading and unpacking tgz or zip files.

Enhanced Python AllOfMp3.com downloader

Published on October 16, 2005 in Python. 0 Comments

I’ve been working on a hacked version of r00tshell’s Python “All Of Mp3 music downloader“; The idea is to take his research into exactly how to connect to the All of MP3 music download service and re-package it as a friendly, testable, deployable python program.

It’s not finished yet, however the key advantages my version ought to offer will include:
* Fully Object-Oriented Design – This will encourage code-reuse, e.g. somebody could build the class into a QT or GTK based graphical application.
* Support for multi-threaded downloading – This allows users to download multiple files at a time.
* Support for file organisation – This will allow files to be sorted into subdirectories based on their ogg/id3 metadata.

My work is on my subversion archive. The original version can be found on r00tshell’s subversion.

Viennese Arrival

Published on September 18, 2005 in Plone, Words & Pictures and voffle. 0 Comments

I�ve just landed in Vienna, in anticipation of the Plone conference 2005. Since my recent work for BlueOrange has been more zope-centric: The company somewhat eschews the majesty of Plone, I hope that this will be a chance to catch up with the Plone and Zope events that have occurred during the last six months since the EuroPython conference in Sweden.

My fight was uneventful; Heathrow was as bustling and overcrowded as usual. One moment of levity came from observing the near-arrest of a young girl and her subsequent argument with a police officer.

She was outraged at the police officer�s temerity to intervene in a family squabble that resulted in her assaulting another woman. I heard her outraged protestation of �But it�s my father�s girlfriend�. Of course that makes it all right!

Afterwards I found the same police officer diligently patrolling the area next door to the American Express foreign exchange desk (or was he trying to chat-up the pretty lady who worked behind the desk). I congratulated him on his policing methods – one cannot be too careful when intervening in such fights: These women know no respect for the law when enraged.

At the check-in, British Airways issued me with a �5 voucher with which to buy food, their outsourced catering company �Gate Gourmet� had gone bankrupt a month ago. I�m surprised that no other company has stepped in to fill this role, but on the whole I would rather grab a snack or two from the airport than eat what passes for food in the air.

Could this not be seen as an opportunity for cost-cutting? The lack of food did not seem to put people off travelling with BA (I could think of better reasons not to fly with them than the absence of a soggy sandwich). If food were not provided then tickets might be a few quid cheaper and we could all feed ourselves however we desired courtesy of McDonalds or �Caviar House� in the departure lounge. On second thoughts, that is perhaps not such a brilliant idea.

On the flight I began �Moby Dick� by Herman Melville – a most spectacular novel – and certainly not light reading. Once again, the inspiration for trading this text was Frank Key�s website. In a few of his stories he refers to this book (and at least one commentary on Moby Dick). I find Frank�s style of writing not all that dis-similar to melville.

I note with some glee that WiFi is free in this airport: I�m sat in an internationally branded coffee bar blogging this courtesy of Cisco who have sponsored WiFi access throughout the entire airport site. Now why cant they do this in London�s airports where T-Mobile and others routinely charge five pounds per hour for accessing a service whose wholesale value is nearly zero.

Anyway, more blogging shall ensure over the next week. In a few moments I expect Nate (Author of the Plone4Artists suite) will find me in this cafe. He�s come all the way from Boston. After a short wait for a third conference attendee we shall share a taxi into the city and see what adventures fate has in store for us.

SourceForge to Offer Subversion Service

Published on August 10, 2005 in Development. 0 Comments

I remember when SourceForge was new, it was revolutionary. Sourceforge gave poor developers the means to host an open source project in public. SourceForge did for free what might be otherwise costly to set up. It gave users a version control system, a bug-tracker, a forum and a home page all as a turnkey solution.

That was then… Now I regard it as a nuisance. I’ts built around the antique CVS source-control system which while technically still better than Microsoft SourceSafe, has been overtaken by other technologies, most notably Subversion. CVS based projects are a nuisance to keep up to date compared to SVN. Put simply, if you are still using CVS, please give it up. Subversion does everything that CVS does only faster, better and with less hassle.

Allegedly Sourceforge will be launching a subversion trial service sometime soon; but will anybody want it now that SVN has made version control trivial to DIY? It might be far too late, as people who do not care about SVN will stick with SourceForge, and people who do have long since moved away.

LibDems vague on software patents

Published on June 29, 2005 in Computing and Python. 0 Comments

At the IT conference I am attending, the organisers conducted a straw poll of who opposed the impending Euro-software patent legislation. Everybody I saw was against it; The unambiguous conclusion is that software patents are harmful and the �economic majority� of Europe�s IT industry who oppose software patenting.

In essence, a patent grants a monopoly on an idea. Patents were invented hundreds of years ago to protect the investments made by inventors. In return for publishing the designs of an invention (e.g. the plans of your contraption), and agreeing to license the idea for a standard fee, the government would protect that monopoly. This worked back in the 18th century because other inventors could study the designs in the patent-office and invent better machines.

The assumption of many MEPs appears to be that since patents appear to work quite well for contraptions they must also benefit software inventions. However there are critical differences between the world of software and the mechanical age that spawned the patent.

A central principle of computer-science is idea-reuse: Software languages are built to encapsulate ideas and re-use them. Any programmer can download �modules� – collections of working functions. Some functions implement simple, single-minded ideas. Others amalgamate thousands of the simpler functions and can do complex things. The programs that you or I use in our day to day work are made of thousands of these complex functions, so it�s not unusual for any substantial work to contain millions of potentially patentable ideas.

Unlike a car or a steam-engine, a useful program is almost never a totally original work because re-use of ideas is so fundamental to what we do. The programmer who works at the leading edge of technology will almost certainly not be aware of which of the millions of ideas in a program are patented, and therefore any substantial program is likely to blunder into the patent minefield.

Software patents drive up the cost of innovation. Since any program is potentially infringing then all commercial software must be scoured for potentially infringing code before it can be sold. Of course, companies could opt to remain ignorant of their potential patent infringements, but if convicted of a patent violation the costs are enough to bankrupt most firms. Most companies would rather spend 10% to 20% of their annual profits on lawyers to audit their products.

In addition, rather than re-investing their remaining profits back into development, companies will feel pressured into building their own patent arsenals. A patent typically costs between �30k and �100k, so the more money we send to the patent office, the fewer productive computer-scientists we can afford to employ. This is why software patents cost jobs.

According to a friend who moves in parliamentary circles, there is at least one LibDem MEP who has not yet made his mind up about software patents. He told the FFII that if they can present two hundred signatures opposing software patents he would vote against the legislation. We managed to collect more than 250 from the delegates in the space of half an hour: a unanimous response against software patents

I believe that a vote for software patenting is misguided and harmful because it makes the best-practices of software development into something that is legally risky. In theory, any program that I write that is substantially useful has the potential to infringe somebody�s patents. The risk of accidental patent infringement will turn today�s playing-field into a minefield.

Software patents will harm me, and they will harm my customers. If any MEPs are readinf this, I request that you against software patents.

Europython Conference, Day Zero

Published on June 26, 2005 in Python. 0 Comments

I�m off to the Europython conference; My heart is aflutter because I�m running rather late and I know how bad the queues for budget air-lines can be. I�ve never travelled on Ryan-air before and I am expecting the very worst possible experience. This is conference day zero because technically it does not start until tomorrow and in any case all good computer scientists make a habit of counting from zero.

Initially I was expecting a weak line-up; At the time I registered the presentation roster was empty and the attendee list was meagre; but in the last few weeks both have grown and I�m quite impressed at what the conference management have achieved. I�ve barely been able to keep up with the high-bandwidth conference mailing list.

This is also the first Open-Source conference I have attended; I�ve been told by frequent conference attendees to lower my expectations. Open source conferences have a minimal budget and therefore lack even the most rudimentary glitz; This will be a glitz free zone.

My accommodation is going to be a shared room in a student�s union owed building. I booked the cheapest kind of room available, so I will be sharing with three others; All will be python developers like myself; I have no idea who these individuals will be.

And what a fool I am; I�m still plagued by nagging doubts; What if there are two cities in Europe called Gothenburg, one in Sweden (where I am headed), but another somewhere far far away, perhaps in a destination that I will not possibly be able to afford to fly to. And I will be forced to spend a fruitless three nights in a cold Nordic country, all alone and unloved.

In any case; All my fears may be for nothing; I might not even get to the airport at this rate. As I type this, the train has been stuck on the tracks outside Stanstead for the last fifteen minutes, going absolutely nowhere.

pod.py – A minimal cross-platform “podcatcher”

Published on June 11, 2005 in Podcasts and Python. 2 Comments

I’ve been listening to a lot of podcasts recently; a particular favourite is “Escape Pod“, a weekly podcast which aims to revive the genre of the science-fiction short-story. The standard podcast reciever is iPodder, a very feature rich program that is just too bloated for my needs: I want a cross platform downloader that can be scheduled from UNIX cron and works from the command line.

I went hunting for an alternative client. The best I could find was Bashpodder: a pure bash podcast downloader. Bashpod features some of the best shell-scripting I have ever seen, but even code of this quality is a little bt ugly for me; Of course, what I really wanted was a Python based podcast reciever.

So I created pod.py – a pure Python Podcast reciever. It depends on the excellent 4suite XML processing library to do all the hard XML processing. If you want to try it out, you can get it from my subversion archive: http://svn.stodge.org/pod.py/trunk/

Instructions

1. Get the program: If you want to check the program out, and you have the command-line subversion program installed, you can type:

svn co http://svn.stodge.org/pod.py/trunk/

You also need to download 4suite. On windows you might need to download an run an installer. On Gentoo Linux you might need to type something like:

emerge -uD 4suite

2. Install the program: You can use python’s standard distutils isntaller to help you out:

python setup.py install

The program should now be installed. It’s really easy to use:

3. Use the program:

pod.py url -d downlaod directory

So for example, if I want to download BBC’s “In Our Time” podcast to a folder called ‘my_podcasts’, I can issue the following incantation:

pod.py http://downloads.bbc.co.uk/rmhttp/downloadtrial/radio4/inourtime/rss.xml -d /home/sal/my_podcasts

update: The new SVN site is here, http://suxtools.googlecode.com/svn/import1/pod/ – I’d advise you not to use this. There are much better things on the market these days.

The Python Challenge

Published on May 29, 2005 in Python. 0 Comments

I’ve not spend much time blogging recently; this is because I have been puzzling through “The Python Challenge” – a sequence of 30 riddles intended to test the mettle of python developers.

Each challenge takes the form of a web-page; usually with a cryptic or hidden clue waiting to be found. If you have managed to identify the nature of the puzzle, the solution normally requires the player to write a short python script in order to discover the next password; These puzzles are devised in such a way to force the player to investigate rarely used python modules, or consider new ways of using the familiar ones.

For example, one puzzle has the player writing a script to extract a hidden message from something vaguely resembling a barcode hidden in an image; Having recognised that the image contains a coded message, the player must find a tool that will allow the message to be extracted, and if you are lucky, that contains a cryptic clue that will lead you on to the next puzzle.

The delight of the Python Challenge is the variety of techniques a developer must acquire in order to complete the sequence. Just like the real world, programming skill alone will not give you the solution; one must first recognise the problem and devise a strategy. Writing the program is usually the smallest part of each challenge � investigating the problem and ruling-out the various blind-alleys forms the bulk of it.

I�m on puzzle 10 out of 30, so you can expect me to stay quiet for the next week or so.