SuSE JeOS and Software Appliances

There are only a few reputable Linux distributions out there that are built and maintained by an experienced team with a well-formed understanding of who their target market is and what that market actually needs.

I’ve always been a fan of SuSE Linux… Its target is not the typical kid crowd that Linux seems to attract (Ubuntu?).

When Novell [SuSE Linux] initially made a deal with Microsoft, everyone was worried (or at least rightfully suspicious) that this was a poison pill designed to kill another company.

This did not happen.

Instead, the deal *worked*. Microsoft realized that 1) Linux was here to stay and 2) they might as well take advantage of that fact and stop fighting the tape.

So who do you partner up with? IBM? RedHat? I don’t think so! You don’t make deals with your enemies just like the US does not negotiate with terrorists.

Novell was a logical choice.

Now we have a Linux distribution that is certified and interoperates with Microsoft products. A distribution that is useful vs. being a play-thing to help spend your time idly.

And here is a great idea that Novell has put out: SUSE Linux Enterprise JeOS.

JeOS (pronounced “Juice”) is a minimal version of the SUSE Linux Enterprise platform. It stands for “Just Enough Operating System”. It allows you to get a base Linux distribution, add your applications to it, and have your clients, customers, etc, deploy the app+os bundle in a virtual machine.

Of course this is nothing new, but the difference here is that you have a well-backed business designing, providing and maintaining a product that is targeted at a specific need, unlike some of the other “let’s just throw it at the wall and see if it sticks” business models and their products.

This move by Novell is another key factor for the continuing success of the “software appliances” market.

Software appliances empower ISVs to deliver a fully configured, optimized software stack that incorporates the operating system, lower-level infrastructure products and applications in a unified, easily managed package. This emerging form factor ensures seamless interaction between the operating system and the application, and directly leverages the virtual infrastructure that customers are putting in place today.

The SUSE Appliance Program will enable ISVs to bundle their applications with customized versions of the SUSE Linux Enterprise platform and to deliver the bundle as a software appliance, which can be run natively on x86-based hardware, or as a virtual appliance, which includes a paravirtualized kernel designed to deliver optimal performance in a virtualized environment.

Virtual appliances built in the SUSE Appliance Program will run on customers’ choice of hypervisor, including Xen, VMware ESX and Microsoft Hyper-V, as both a paravirtualized and fully virtualized guest.


[I myself have a great idea about using JeOS for an upcoming product.]

Ubuntu Concedes Defeat, Canonical Throws in The Towel

While it’s not quite as dramatic as the title might suggest…

It is true. As it was a year ago, and still is today.

The success of Ubuntu Linux and Canonical is only one part truth… If success = being popular.

If you take your news from, cnet, or any other tech friendly site on the net, you will read one thing over and over again, every day of the year: Ubuntu is taking over the world, Vista does not work, and Microsoft is dying.

The facts are that 1) Ubuntu Linux is another popular linux distribution (at the head of a long line of distros that have seen their peaks), 2) Vista is the best OS so far, works well, and is a major seller, and 3) Microsoft revenues have been trending upward for as long as I can remember.

Consider also the facts that (net’s biggest anti-MS site) makes all its money from a Microsoft partnership [after Google dropped them], and that Ubuntu Linux is purely a product of Corporate sponsorship and development … and what do you have left?

It’s not “reality” because reality is not something that the pressure groups of self agendas can handle, and neither is the truth.

The truth is that 1) some people feel the need to be part of a group that needs to constantly reassure one another that “their way is the best way” and 2) tech sites need to drive traffic to generate ad revenues by spreading fear, uncertainty, and distrust.

Just today I was reading on a tech site how Canonical’s revenues are in the stratosphere. Right! Let’s see…

This is the same day Shuttleworth goes on to claim that Canonical is not cash positive (they are spending more than they are taking in) and it will take another 5 years of funding [Source]… At only a 10 million a year burn rate.

In other news, there is no money to be made on desktop Linux, but that’s okay, because everyone already knew that. Hindsight is always 20/20.

Windows Mail for Vista, Not As Bad As I Thought.

Having used Windows XP for the last several years, I’ve recently decided to migrate to Windows Vista after purchasing a Dell 530 quad core PC with a 24 inch LCD.

My choices were to:
1. Keep using Thunderbird
2. Migrate to Outlook [Office]
3. Or try the native Windows Vista Mail application [“Windows Mail” is the replacement for Outlook Express].

The choice of using Thunderbird was the simplest of them all… But I wanted to try something new. The stability issues and a non-modern UI were the other decisive factors at play.

In the end, Windows Mail was the winner. But not an easy one.

Here is what I have discovered, which should have been documented somewhere but is not.

a) There is no way to import mbox format mail from other Mail Clients.

I used a temporary IMAP folder to copy/move messages from one mail client to the other, to bypass the obvious underlying format issues.

b) All POP accounts go into the main Local Inbox folder.

If you want to structurally segment different POP accounts, you will need to create Local sub-folders and create message rules that are conditional on the specific account. I can make a case for or against this [if this is a feature or a limit].

c) Message Rules do not apply to IMAP folders.

And there are no settings to automatically copy/move messages from select IMAP folders or accounts to the Local Folders. Again, I can make a case for or against this [both ways].

d) The Spam filter does not automatically apply to IMAP accounts and folders even when “Synchronization Settings” are set to “All messages” [which downloads the entire message body].

You actually have to open the message for the spam filter to process it. Though I think it might act on the header data it receives, proactively, or perhaps even on the message body when you select “Work Offline”.

All in all, after using Windows Mail I’ve actually become fond of it. It’s a great app and integrates well with the system.

Gmail IMAP folders use a “/” path in their structure. Example: The All Mail folder is “[Gmail]/All Mail”. Windows Mail does not allow you to use this character to specify the special IMAP folders. It still works, but looks a little odd. There are ways to get around this if it bothers you.

Another Day, Another WordPress Hack.

It could have been worse.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. And in this short time period, which has been online since 2003, with a healthy Pagerank, had all its pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. A SE problem with the sub does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell related PHP functions on the server.

And so I thought my problems were solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses, and inserted some type of a hidden “-1” post that was nothing more than an attachment to this particular shell-script, executed with URL ‘/blog/?poncheg’…

WordPress Hack 1

WordPress Hack 2

- - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
- - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
- - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
- - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
- - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "" "Opera"
- - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "" "Opera"
- - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "log/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "" "Opera"
- - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "" "Opera"
- - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
- - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"
JSC "VimpelCom" WLAN1 Moscow

Host name of is

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety’s sake, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!

All Your SMF Forums Have Been Hacked. Have a Nice Day.

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on ‘fetching preview…’], only to come up to this…

           => `include.txt'
Connecting to||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

    0K .......... .......... .......... .......... ...       100%   69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those who do not know, the above is the output of wget, or an equivalent, being used to download a script onto your system. All of this is done through Apache, and usually triggered by a simple URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.
Check for clues.

$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any unknown PHP code. The only option left is to write a PHP script that decodes/inflates layer by layer until we get at the center…

<?php
// Peel nested eval(gzinflate(base64_decode('...'))) layers without running any of them.
$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
$pattern = '/^eval\(gzinflate\(base64_decode\(\'([^\']*)\'/';
$count = 0;
while (preg_match($pattern, $string, $matches)) {
    $inner = @gzinflate(base64_decode($matches[1])); // false on a corrupt layer
    if ($inner === false) break;
    $string = $inner;
    $count++;
    echo "Decoded/Inflated: $count\n";
}
echo "$string\n";

Seems to be some type of a web php shell script called C99madShell.

Step 4.
We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('

Not good!
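Steps 3 and 4 above as one added Python example (not code from the post): peel() strips the eval/gzinflate/base64 layering without executing anything, and scan_tree() walks a directory for *.php files carrying that signature and reports how deep the real payload sits. The pack() helper and the file tree it is used on are constructed fixtures so the logic can be run offline.

```python
import base64
import os
import re
import zlib

# The packer signature seen in the post: eval(gzinflate(base64_decode('...')));
LAYER_RE = re.compile(r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)\);?")


def peel(source: str, max_layers: int = 50):
    """Strip nested layers without executing any PHP; returns (innermost, depth).
    Stops at the first layer that lacks the signature or fails to decode."""
    text, layers = source, 0
    while layers < max_layers:
        m = LAYER_RE.search(text)
        if m is None:
            break
        try:
            # PHP gzinflate() is raw DEFLATE with no zlib/gzip header: wbits=-15.
            text = zlib.decompress(base64.b64decode(m.group(1)), -15).decode("latin-1")
        except (ValueError, zlib.error):
            break
        layers += 1
    return text, layers


def scan_tree(root: str):
    """Step 4 as code: flag *.php files under root that carry the signature,
    returning [(path, layers_removed, first 40 chars of the real payload)]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            if LAYER_RE.search(src):
                inner, depth = peel(src)
                hits.append((path, depth, inner[:40]))
    return hits


def pack(text: str, layers: int) -> str:
    # Constructed fixture builder (not from the post): wraps any text in the same
    # layering so peel() and scan_tree() can be exercised offline.
    for _ in range(layers):
        co = zlib.compressobj(wbits=-15)
        raw = co.compress(text.encode("latin-1")) + co.flush()
        text = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")
    return text
```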

Hack Shell 1

Hack Shell 2

Step 5.
Check logs.

grep 'readme.php' /.../

Intruder was up to something no good.

- - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
- - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "" "GoogleBotv2"

Final Analysis.
I’ve searched the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL, maybe POST related, or has something to do with the SMF theme function. I run no mods, and use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I’m sure just a hijacked system], the user_id on the forum, the mail account used for activation, but not much else.

Host name of is

- - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

- - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv: Gecko/20070914 Firefox/"
...
- - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
Host name of is
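A defender's triage of the access-log patterns quoted in this post and in the WordPress post above, as an added Python example that is not from the original page: each rule corresponds to one of the quoted entries (a crawler user-agent sending POST, direct hits on PHP files under Themes/ or wp-includes/, uploads attached to post_id=-1, and a referer carrying a "powered by" version search). The sample log lines are constructed to mirror the quoted ones, with RFC 5737 documentation addresses standing in for the stripped source IPs.

```python
import re
from urllib.parse import unquote

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Each rule is grounded in an entry quoted in the two posts; real crawlers do not
# POST, and theme/include directories hold nothing a browser should request directly.
RULES = [
    ("crawler user-agent sending POST",
     lambda e: e["method"] == "POST" and "bot" in e["agent"].lower()),
    ("direct request to a PHP file under an include/theme directory",
     lambda e: re.search(r"/(wp-includes|Themes)/.*\.php", e["path"]) is not None),
    ("media upload attached to post_id=-1",
     lambda e: "upload.php" in e["path"] and "post_id=-1" in e["path"]),
    ("arrived from a search for a software version string",
     lambda e: "powered by" in unquote(e["referer"]).replace("+", " ").lower()),
]

def parse(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return [(host, method, path, [matched rule names])] for suspicious entries."""
    findings = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        hits = [name for name, pred in RULES if pred(e)]
        if hits:
            findings.append((e["host"], e["method"], e["path"], hits))
    return findings

# Constructed sample modelled on the quoted entries; 192.0.2.x / 198.51.100.x are
# documentation addresses standing in for the stripped source IPs.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
192.0.2.10 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "-" "Opera"
192.0.2.20 - - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://search.example/search?q=+%22powered+by+smf+1.1.3%22+site%3Anet" "Mozilla/5.0"
192.0.2.20 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "-" "GoogleBotv2"
198.51.100.5 - - [27/Sep/2007:13:10:00 -0400] "GET /index.php?board=1.0 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    for host, method, path, hits in triage(SAMPLE_LOG.splitlines()):
        print(host, method, path, "->", "; ".join(hits))
```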

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first one for SMF.

And for anyone having odd issues with SMF [like getting stuck on ‘fetching preview…’]…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.