Now I feel the net is ready for high quality music.
Check out this AIFF high-quality render (about 190-200 MB).
Please be aware of the cost of mobile data before downloading.
Some time ago, I was contacted by a friend who had a problem: one of his customers' web servers had been compromised, and there was an issue with the outgoing e-mails.
The ISP had stopped all outgoing e-mail from the domain; with the amount of spam being sent out, the ISP itself could get blacklisted.
This was not good for the customer. They were dependent on e-mail and might suffer financial loss.
They were using the Joomla CMS, and the website had not been updated in about two years. I said this was something they would need to fix: someone had to take a look and clean up the mess. I got the go-ahead.
The root web directory listed over 65.000 files.
We had an outdated Joomla, several outdated Joomla plugins, outdated dependencies for those plugins, customized pages, and a deprecated version of PHP running on an old server.
Finding all the malicious code was not easy. First: which script was responsible for the large bulks of outgoing e-mail?
The ISP stated that the malicious scripts were 'list37.php' and 'utf58.php'. These files were deleted.
Secondly, we did some manual searches on the files and got some nasty-looking code. The most effective results came from searching for 'base64_decode()' and 'eval()'.
We found a PHP RCE script dated back to March 2014, so the web server had been owned for over two years.
The Joomla log folder showed 75.000 failed login attempts. Moving on.
There were probably also passwords stored in plain text inside the web directory. The database credentials were definitely compromised. There were no logs dated from before the compromise was discovered, so pinning down exactly where the intruders got in was hard. Probably it was the outdated Joomla.
After all the manual searches, the program 'php-malware-finder' was very helpful: https://github.com/nbs-system
By running it we found about 20 malware scripts. Mass-mailers, small RCEs and a file uploader were found in various sub-folders.
The filenames looked innocuous, such as 'configure.php', 'images.php', 'cache_db.php', 'license.php', 'list5.php', 'widget-links-info.php', 'test.php' and 'blog.php'.
The biggest we found was 'WSO BACKDOOR'.
There was also an injected line of code found in various legitimate files:
Any (PHP) file could be compromised, though it would be harder to find them if they were not obfuscated.
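The manual hunt described above, searching PHP files for 'base64_decode()' and 'eval()', can be scripted as a first-pass triage of a web root. The following is an added example written for this page; it is neither the post's own code nor php-malware-finder. The indicators beyond eval and base64_decode (gzinflate, str_rot13, long base64 literals) and the sample files it scans are assumptions constructed for the demo; the payload in the sample file decodes to a harmless repeated "ABC".

```python
import re
import tempfile
from pathlib import Path

# Indicators used in the post's manual search (eval, base64_decode) plus a few
# companions that commonly wrap obfuscated PHP; the extra entries are this
# example's assumption, not something the post names.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    # a quoted run of 120+ base64 characters: typical of an embedded payload
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}


def scan_source(text):
    """Return the sorted names of every indicator present in one PHP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_php_tree(root):
    """Walk root and map each .php file that triggers at least one indicator to
    its indicator list, keyed by path relative to root. Unreadable files are
    skipped rather than aborting the whole scan."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_source(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Build a constructed web root with one clean file and one suspicious file
    (the payload decodes to the harmless string 'ABC' repeated) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text('<?php echo "welcome"; ?>\n')
        images = Path(root) / "images"
        images.mkdir()
        payload = "QUJD" * 40  # constructed: base64 of "ABC" * 40
        (images / "cache_db.php").write_text(
            '<?php eval(base64_decode("' + payload + '")); ?>\n'
        )
        return scan_php_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Every hit is a lead to read by hand, not a verdict: legitimate Joomla code also calls base64_decode, so the value of the scan is in shortening the list of 65.000 files to the handful worth opening. Point scan_php_tree at a copy of the web root taken before cleanup so the findings survive as evidence.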
The financial side:
System administration is a continuing process of monitoring, deploying updates, reading change-logs, troubleshooting, modifying, reading security bulletins and fixing errors. The cost of a compromised system is far more than hiring someone to look after it on a permanent basis.
Do not say 'The webpage is done sir, thank you for doing business with us.'
Where is my Mac connected to?
Which application is using that connection?
Geo-Netstat is a program you run in your terminal; it provides a geographical location for each of your applications' internet connections.
You can find it on GitHub. (macOS)
What I intended to do was to write a file search function with as few characters of C code as possible. I don't think I managed, but it was a start.
This time I have the same code in somewhat optimized nasm assembler code. Optimized as in as few instructions as possible while still having readable source code. This is not optimized for speed, as I would guess loading big chunks into memory would be the way to go. (And some other magic I surely don't know anything about.)
This is a programming lesson for me. Maybe I will take a look at it again in a few years and see if I have improved 🙂
Compiled on OSX with nasm-2.12.02.
s db "%s: %i: %i: %s",10,0
o db "usage: ",10,0
mov rax,qword [rsi+8]
mov qword [rbp-16],rax
mov rax,qword [rsi+16]
mov qword [rbp-24],rax
mov rdi,qword [rbp-16]
mov dword [rbp-28],eax
mov rdi,qword [rbp-24]
mov qword [rbp-36],rax
mov r14,qword [rbp-24]
mov edi,dword [rbp-28]
movzx eax,byte [rbp-37]
cmp al, byte [r14+rcx]
cmp r12,qword [rbp-36]
mov rax,qword [rbp-36]
lea rdi,[rel s]
mov rsi,qword [rbp-16]
mov r8,qword [rbp-24]
lea rdi,[rel o]
mov edi,dword [rbp-28]
53 54 53 31 3c c8 02 03 00 01 00 02 00 40 1c 00
01 1f 0f 00 02 00 00 00 00 04 01 14 0f 00 05 00
00 00 00 06 01 14 0f 00 07 00 00 00 00 08 01 15
0f 00 0a 00 00 00 00 0c 01 14 0f 00 0e 00 00 00
00 10 01 14 0f 00 12 00 00 00 00 14 01 13 0f 00
16 00 00 00 00 18 01 1d 0f 00 20 01 1f 0f 00 22
00 00 00 00 24 01 14 0f 00 26 01 15 0f 00 28 01
14 0f 00 2a 01 15 0f 00 2c 01 14 0f 00 2e 01 15
0f 00 30 01 14 0f 00 32 00 00 00 00 34 01 13 0f
00 36 00 00 00 00 38 01 1d 0f 00 01 40 01 00 00
00 0f 00 02 40 02 00 0c 0f 0f 00 01 00 00 00 00
This is actually the music data, on a cartridge, with its player running on 128 bytes of RAM. Its byte values are the header, the refresh rate, tempo in bpm, number of pages and patterns, page index, pattern number, length, number of used rows, and the row data of a pattern: number, waveform, frequency, volume and trigger.
This is the Stella Tracker Song format, used in Lowres, Solskogen 2014, Oldskool Demo Compo.
If you want to check it out, go to YouTube.
LIFL, or by its full name Linux Filesystem Logger, is a new, rewritten version of loggedfs, a filesystem activity logging daemon based on FUSE.
LIFL logs every file system call inside a given directory path, in detail.
To describe the project I will summarise the functionality of the program in a list:
This project needs some serious testing. I think I will set up a honeypot to see if the program has the expected behaviour, and to see if I am able to find some valuable results.
(If so, I will come back with another post about that.)
See the GitHub page.
OK. I needed the data and I wanted cleartext files, so I made my own Tomboy XML data extractor.
This utility takes data from the Tomboy application data folder and outputs it to cleartext files. If there are multiple revisions of a Tomboy note, only the newest is stored.
The process of trying to get the data into cleartext was annoying. I guess others might have had the same problem, so I wrote this post and made the utility public.
I made a mess of my photos: about 9000 originals stored as many as three times in the Pictures folder on my Mac.
So I started to write my own code for finding duplicate files.
This code inspects the file's content rather than matching on filename and size. It ran unbelievably fast: 9000 photos scanned and compared in only a few seconds.
Job done. 🙂
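As an added example, not the post's own program (which is not shown here), this is the content-based approach described above in Python: files are bucketed by size first, and only same-size candidates are hashed, which is what keeps a scan of thousands of photos down to seconds. The choice of SHA-256 as the content digest and the constructed sample Pictures folder are this example's assumptions.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file's content, read in chunks so large photos don't need
    to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root):
    """Return groups of files under root with identical content. Files are
    bucketed by size first, so only same-size candidates get hashed. Each group
    is a sorted list of paths relative to root; symlinks are ignored so a link
    is never reported as a copy of its target."""
    root = Path(root)
    by_size = defaultdict(list)
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            by_size[path.stat().st_size].append(path)
    groups = []
    for candidates in by_size.values():
        if len(candidates) < 2:
            continue  # a unique size cannot be a duplicate
        by_hash = defaultdict(list)
        for path in candidates:
            by_hash[file_digest(path)].append(path.relative_to(root).as_posix())
        for paths in by_hash.values():
            if len(paths) > 1:
                groups.append(sorted(paths))
    return sorted(groups)


def demo():
    """Constructed Pictures folder: one photo stored twice, and a second photo
    of the same size but different content (must not be reported)."""
    with tempfile.TemporaryDirectory() as root:
        pictures = Path(root)
        (pictures / "backup").mkdir()
        (pictures / "IMG_0001.jpg").write_bytes(b"photo-bytes-1")
        (pictures / "backup" / "IMG_0001 copy.jpg").write_bytes(b"photo-bytes-1")
        (pictures / "IMG_0002.jpg").write_bytes(b"photo-bytes-2")  # same size
        return find_duplicates(pictures)


if __name__ == "__main__":
    for group in demo():
        print("duplicates:", ", ".join(group))
```

The size bucket is the whole trick: most photos have a unique size, so they are never read at all, and only the few same-size candidates pay for a full hash. The function only reports; deciding which copy to keep is left to the caller on purpose.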
When a Subversion client does not filter characters in filenames properly, it may result in:
I. The client stops working while committing, resulting in a broken checkout of the repository. (And a half-done commit results in not having an overview of the files.)
II. Writing files to the repository which cannot be distributed results in a broken repository. (And it is hard to purge files from a Subversion repository.)
III. A broken repository, then again, results in a broken client checkout. (And you have to clean up the client too.)
If you have done all these awful steps, you don't want to do them again.
If you need to clean up the filenames, I wrote a small program that takes care of all the restricted filename characters and names on Windows, OSX and Linux.
Please feel free to grab it; it's under the GNU GPL.
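The cleanup program itself is not shown on the page. The following is an added example, not the author's GPL program, illustrating the cross-platform filename rules such a tool has to enforce (the characters Windows forbids, its reserved device names, trailing dots and spaces, and the '/' that Linux and macOS reject) together with a dry-run rename plan that avoids collisions before anything touches the working copy. The '~n' collision suffix and the sample listing are this example's own choices.

```python
import re

# Characters rejected by Windows (< > : " / \ | ? * and ASCII control codes);
# '/' is also the one forbidden character on Linux and macOS, and ':' was the
# classic Mac path separator, so one pattern covers all three platforms.
_FORBIDDEN = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

# Device names Windows reserves regardless of extension ("con.txt" is still CON).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def sanitize_filename(name, replacement="_"):
    """Return a name that is legal on Windows, macOS and Linux."""
    cleaned = _FORBIDDEN.sub(replacement, name)
    cleaned = cleaned.rstrip(". ")  # Windows silently drops trailing dots/spaces
    stem, dot, ext = cleaned.partition(".")
    if stem.upper() in _RESERVED:
        cleaned = stem + replacement + dot + ext
    if cleaned in ("", ".", ".."):
        cleaned = "unnamed"
    return cleaned


def _with_suffix(name, n):
    """Insert ~n before the extension: 'a.txt' -> 'a~2.txt', 'a' -> 'a~2'."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # no extension, or a dotfile such as '.hidden'
        return f"{name}~{n}"
    return f"{stem}~{n}{dot}{ext}"


def plan_renames(names, replacement="_"):
    """Dry run over one directory listing: map every name that must change to a
    sanitized name that collides neither with an untouched name nor with
    another rename. Nothing is renamed; the caller applies the plan."""
    names = list(names)
    taken = {n for n in names if sanitize_filename(n, replacement) == n}
    plan = {}
    for name in names:
        new = sanitize_filename(name, replacement)
        if new == name:
            continue
        candidate, n = new, 2
        while candidate in taken:
            candidate = _with_suffix(new, n)
            n += 1
        taken.add(candidate)
        plan[name] = candidate
    return plan


if __name__ == "__main__":
    # constructed listing with a forbidden character, a reserved name,
    # a trailing space and two names that collapse onto an existing one
    listing = ["report:final?.txt", "con.txt", "a_b.txt", "a:b.txt", "a?b.txt", "notes. "]
    for old, new in plan_renames(listing).items():
        print(f"{old!r} -> {new!r}")
```

Running the plan as a dry run first matters because sanitizing is lossy: two distinct names can map to the same safe name, and a tool that renames as it goes would overwrite the first file with the second. Review the plan, then rename from it.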
Regarding the demolition of the party venue where Datastorm was held and the end of Datastorm, here is a gallery from 2011.