31 Oct

Nukes…

Posted by jerry as World, politics

Just read this article on reddit, and my head is about to explode.  The author clearly writes with an authoritative air about military operations, and seems to have his shit straight with a believable story.  Trouble is, it’s got holes.

The author makes a reference to “central command” several times.  Anyone at all intimate with US military strategy understands that central command is located in Doha, Qatar, not in the Pentagon, and would not be governing the movement of nuclear weapons in the US.  That job would either fall to United States Transportation Command or to United States Strategic Command.  I really am not sure which in this particular case.

What concerns me is that this is a really good story written with a seemingly good handle on military protocol.  Yet, a basic fact like that is wrong, so what does that say about the rest of the article?  Probably not much if you really really hate Dick Cheney.  Speaking of which, I have yet to understand how good ole Dick has obtained so much control over the military as to be able to single-handedly order the shipment of nuclear weapons to a war front.  Maybe he does, but call me skeptical.

When I heard the story originally, my first thought was that of propaganda - not a mistake or any kind of internal struggle.  This administration is extraordinarily effective at managing the media, if you can say nothing else for them.  I have to believe that whatever the “real” plan is, it involved letting Iran/Syria/whoever else know that we had nuclear weapons en-route to their back door at one point, and that was just by accident.  “Just wait and see what happens when we get mad!”.  I still think that’s a pretty likely scenario.

31 Oct

Hacked!

Posted by jerry as FreeBSD, Hacking, Security, web site

I don’t think a lot of people who run sites like to admit this, but I was just hacked.  It was extraordinarily interesting… I had the advantage of watching it happen.

I have a server at a colo running FreeBSD and cPanel.  I host a handful of sites, and keep telling myself “someday, I’m going to get serious about it”, but life keeps getting in the way.  I personally run a bunch of sites on that server, including this one.

So anyhow, after I wake up, I grab my laptop from the side of my bed and check email, weather and the usual stuff.  As noted in a previous post here, I’ve been trying to increase the number of visitors to one of my sites - syslog.org, so I had a tail -f running on the apache log file.  Nothing out of the ordinary at first.  Then, if I had hair, it would have been standing up - I saw requests to part of the site that clearly had filesystem paths in them.  Paths for other accounts on my server.

So, sure enough, when I looked more closely, the requests were going to a file called “public_html/forum/avatars/.php”.  The site is running the Simplemachines forum software.  I copied one of the requested URLs into my browser, and BAM! a really nice control panel for my server, the main part of which is a filesystem browser.  Yikes!

I first moved the .php file to a directory outside of the web path then I logged into WHM and suspended all of the accounts and then started looking through logs to see what had been done.  It was clear that the attacker was going through the public_html directories for all of the sites and replacing files with “Hacked by XXX”.   But only a few files.  I was able to find each file that had been replaced by referencing the logs.  A check of date/time stamps and a comparison against a backup verified that. 

I went back to the avatars directory on the syslog.org site, and found a file called erne.txt.  When I opened it up, it was a file used to bypass PHP safe mode.

I went back, changed passwords, replaced files from backup, and whatnot.  I did find a suspicious user account “courier” in /etc/passwd.  What made it suspicious was that it was at the bottom of the file.  I deleted the account and searched for any files owned by that account.  I logged into my dev server and found that the same account existed in the same place, so that was a false alarm.  Thankfully.

So, I went back to the monthly web logs and decided to see how long .php has been on the system.  I found that it was first accessed on Oct 20.  I grepped through the log for the IP that first accessed it and saw that it had come to my site via a google search for “powered by SMF”.  Then I remembered (!) that on Oct 20th, I had been looking at my logs as well, and saw that very request, which prompted me to make sure I was up to date with SMF.  Of course I wasn’t - I was running 1.1.2 and 1.1.4 had recently been released.  So, I did the upgrade and didn’t look back.

After looking at the logs a little more, it became evident that they were linking from the site http://turk-h.org.  That site is a defacement content tracking site.  The few sites that they were able to register show that the hack was “political”.  The group that is responsible for the attack has a site here: WwW.BilisimSecurity.Com.  Why is the middle “w” always lowercase on hacker sites??? 

So, here are the lessons I’ve learned (so far):

  1. ALWAYS ALWAYS ALWAYS keep your software up to date
  2. A corollary to #1 above - a consistent approach to verifying that all software is up to date is desperately needed.
  3. Open source web apps really really really need to stop adding a “powered by” line at the bottom of websites that use their software.  This makes it incredibly easy and efficient to find sites to hack.
  4. Keeping your logs is really important.  They came in really handy today.
  5. Using phpsuexec would have drastically limited the impact of the attack.
  6. An automated method to determine if something has changed or been added in a directory tree would have provided me with almost 2 weeks of notice to resolve the issue.
  7. The hacker tools are quite sophisticated.  I have retained copies of their tools.  I will not be making them available as I don’t want to spread them any more than they already are.
  8. A tool that parses the apache logs for filesystem components (outside of the public_html tree) would have provided a notice that something has happened, though it would really have been too late to stop the attack.
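As an added example (not the author's code or tooling), here is the kind of log check lessons 3 and 8 describe, run over a few constructed Apache combined-format lines: it flags requests for hidden dotfile scripts, absolute filesystem paths carried in a URL (and whether they belong to another account), and visitors who arrived via a search for a “powered by” footer. The docroot /home/syslog/public_html, the client IPs and the timestamps are assumptions made for the sample.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample lines in Apache combined format (not the author's real logs): a scouting
# hit via a "powered by" search, a web-shell request carrying another account's path, a normal hit.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2007:08:14:02 -0500] "GET /forum/index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22powered+by+SMF%22" "Mozilla/5.0"
203.0.113.5 - - [31/Oct/2007:06:02:11 -0500] "GET /forum/avatars/.php?dir=/home/otheracct/public_html HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2007:06:03:40 -0500] "GET /forum/avatars/smiley.png HTTP/1.1" 200 1422 "http://syslog.org/forum/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Absolute server paths that have no business in a URL (lookbehind avoids /articles/etc/...)
FS_PATH_RE = re.compile(r'(?<!\w)/(?:home|usr|etc|var|tmp)/[\w.\-/]+')

def flag_request(line, own_docroot="/home/syslog/public_html"):
    """Return the reasons a log line looks like recon or web-shell use; [] if it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    url = unquote(m.group("url"))
    path = url.split("?", 1)[0]
    reasons = []
    if path.rsplit("/", 1)[-1].startswith("."):
        reasons.append(f"request for hidden dotfile script {path}")
    for fs in FS_PATH_RE.findall(url):
        where = "own docroot" if fs.startswith(own_docroot) else "ANOTHER account"
        reasons.append(f"filesystem path in request ({where}): {fs}")
    ref = unquote_plus(m.group("referer")).lower()
    if "search" in ref and "powered by" in ref:
        reasons.append("arrived via a search for a 'powered by' footer (software fingerprinting)")
    return reasons

def scan_log(text, own_docroot="/home/syslog/public_html"):
    """Run flag_request over each line; return [(client_ip, reasons)] for flagged lines only."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            reasons = flag_request(line, own_docroot)
            if reasons:
                m = LOG_RE.match(line)
                hits.append((m.group("ip") if m else "?", reasons))
    return hits

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

Fed the live log through something like this (tail -f piped in, or a cron job over the rotated files), the first “powered by” search hit on Oct 20 would have raised a flag ten days before the defacements.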

28 Oct

Site updates

Posted by jerry as Uncategorized

So, I’ve taken some time to do things I’ve been intending to for a while.  I deep-sixed Pligg on the NetworkStrike.com site.  Pligg is a very nice package for what it does, but it really doesn’t do what I needed.  After some investigation, I settled on Drupal.  Drupal turned out to be even better than I expected.  I was ready to write an RSS importer, but found that there were already some very mature importers available, and unlike a lot of tools like this, it actually worked out of the box.  I’ll be slowly getting NetworkStrike back to where it was previously.  It was interesting to watch Pligg go unmanaged.  Most of the story submissions were about alien abductions and other crazy things like that.

On syslog.org, I added a new section that specifically deals with syslog-ng.  Having moderated the syslog forums for many years now, I’ve finally come to the realization that syslog-ng is a great tool, it’s just not well organized or supported on the Internet.  How-to’s, docs and whatnot are spread far and wide.  So I decided to try to fill the void.  We’ll see how useful it is.  As it’s a wiki, I’m hoping that people will opt to contribute their bit of knowledge as well.

On a related note, I added a link to syslog.org into a few entries in wikipedia.  Wow, that site must get some serious visitors, because the number of referrals from wikipedia to my site is pretty impressive.  An order of magnitude lower than google provides, but on par with what Yahoo does.

27 Oct

Thinking about carbon footprints…

Posted by jerry as Environment, World, politics

While in the gym yesterday, I got to thinking about all of the talk recently about reducing one’s carbon footprint.  At first, I pondered about how my decision to work out would impact my carbon footprint - it clearly doesn’t help.  I eat a LOT more, I create more waste, I convert more O2 to CO2, I waste water in showers, etc, etc.  In a way, my decision to be healthy has negative environmental consequences.

I’ve really not been one to be overly concerned about that, though - I drive gas guzzlers, live in a really big house, that’s a really long way from my office - the American dream if you will.

I got over my guilt quickly and started to think about people who really do care about the environment and really are trying to reduce their carbon footprint.  I started to wonder - do they really - and I mean really - understand the impacts of their decisions?  For instance - riding your bike to work might save 1 gallon of gas, but causes you to need an extra 500 calories of food.  We know that the impact of burning a gallon of gas releases 20 lbs of CO2 into the air.  But, what did it take to make that 500 calories?  It might not be 20lbs of CO2, but it’s not 0, either.

My point is not to throw eggs at people who have decided to try to live more environmentally responsibly, just to make sure it’s being done in a sensible way.  I do believe that our society as it is today is wholly unsustainable.  My issue is that on one side, we have people saying “free market enterprise will solve the problem”, and on the other you have people saying “stop driving, move closer to your work, live in denser communities, etc”.  Both groups are so out of touch with reality that the last 2 people on Earth will be arguing with each other as they succumb to some man-made environmental disaster.

Free markets will continue doing whatever is most profitable until it is no longer profitable.  If I come up with a way to make electricity that is environmentally neutral, but it costs 15 times normally sourced energy, I will be out of business in no time.  Even if all the ice at the poles melts and we have lots of lucky new beach front owners, there won’t be a “free market” force that makes something that’s 10x more expensive more attractive.

On the other hand, people want their cars.  They want their houses.  They want a yard, privacy, kids, a dog, the minivan, and so on.  That’s not going to change.  I know we live in a society of sheeple, giving up our liberties for security - so long as it doesn’t interfere with “Dancing with the Stars”, but I believe there would be hell to pay if we start taking away people’s houses in the country and making them live in a small highrise condo so they don’t have to have a car.  And furthermore, the beloved government this group tends to align itself with is so blatantly inept at civil engineering projects, that the infrastructure to support the commuter-less utopian city-state is out of reach.

What we need are practical solutions.  One I saw that made lots of sense was the algae oil concept.  It uses algae to remove CO2 from powerplant exhaust, then the algae can be processed into biodiesel.  But, I’m skeptical that even this has the ability to rise to a level of profitability.