Category Archives: Usual


‘The Webpage is done sir, thank you for doing business with us.’

Got hacked..

Some time ago, I was contacted by a friend. He had a problem. One of his customers’ web servers was compromised. There was an issue with the outgoing e-mails.

The ISP stopped all outgoing email from the domain. With the amount of spam sent out, the ISP could get blacklisted.

This was not good for the customer. They were dependent on e-mail. They might suffer financial loss.

They were using the Joomla CMS. The website had not been updated in about two years. I said this is something you will need to fix: you need to take a look and clean up the mess. I got the go-ahead.


Finding clues..

The root web directory listed over 65,000 files.

We had an outdated Joomla, several outdated Joomla plugins, outdated dependencies for the plugins and customized pages. And a deprecated version of PHP running on an old server.

Finding all the malicious code was not easy. First: which script was responsible for the large bulk of outgoing e-mails?

The ISP stated that it was the malicious scripts ‘list37.php’ and ‘utf58.php’. These files were deleted.

Secondly, we did some manual searches on the files, and we got some nasty-looking code. The most effective results came from searching for ‘base64_decode()’ and ‘eval()’.

We found a PHP RCE script dated back to March 2014. So the web server had been owned for over two years.

–Example. Running copy of the website. Perl backdoor installed from an RCE.


The Joomla log folder showed 75,000 failed login attempts. Moving on.

There were probably also passwords stored in plain text inside the web directory. Database credentials were definitely compromised. There were no logs dated from before the compromise was discovered. Pinning down exactly where the intruders got in was hard. Probably it was the outdated Joomla.



After all the manual searches, the program ‘php-malware-finder’ was very helpful.

By running it we found about 20 malware scripts. Mass-mailers, small RCEs and a file uploader were found in various sub-folders.

The filenames were innocuous, like ‘configure.php’, ‘images.php’, ‘cache_db.php’, ‘license.php’, ‘list5.php’, ‘widget-links-info.php’, ‘test.php’ and ‘blog.php’.

The biggest we found was ‘WSO BACKDOOR’.

–WSO backdoor. Some work.


There was also an injected line of code found in various legitimate files:



Any (PHP) file could be compromised, though it would be harder to find the injected code if it were not obfuscated.

–Typical base64-encoded string, containing the malicious PHP code.
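The manual searches above (for ‘base64_decode()’ and ‘eval()’) and the mass-mailer and packed-backdoor families found on this site are easy to turn into a first-pass triage scan. The following is an added example for this post, not the author's procedure and not php-malware-finder: it scores PHP source by indicator, giving extra weight to the two combinations seen here, eval() fed by a base64 blob and mail() fed straight from request input. The PHP samples are constructed for the demo; the filler blob is not a real payload, and the indicator list and scores are this example's own choices.

```python
import re
from typing import Dict, List

# (indicator name, regex) pairs. Legitimate CMS code uses some of these
# individually; dropped shells and mass-mailers combine them on one line.
INDICATORS = [
    ("eval", r"\beval\s*\("),
    ("base64_decode", r"\bbase64_decode\s*\("),
    ("gzinflate", r"\bgzinflate\s*\("),
    ("str_rot13", r"\bstr_rot13\s*\("),
    ("preg_replace_e", r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    ("command_exec", r"\b(?:shell_exec|passthru|system|proc_open|popen)\s*\("),
    ("file_upload", r"\bmove_uploaded_file\s*\("),
    ("mail", r"\bmail\s*\("),
    ("request_input", r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
]
COMPILED = [(name, re.compile(pat)) for name, pat in INDICATORS]

# A quoted run of 200+ base64-alphabet characters on one line is the shape of a packed payload.
LONG_BASE64 = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")


def scan_php(source: str) -> Dict[str, List[int]]:
    """Return {indicator: [line numbers]} for one PHP source text."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in COMPILED:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
        if LONG_BASE64.search(line):
            hits.setdefault("long_base64_literal", []).append(lineno)
    return hits


def risk_score(hits: Dict[str, List[int]]) -> int:
    """Crude triage score: one point per indicator, plus extra for the
    combinations matching the two families found on this site."""
    score = len(hits)
    if "eval" in hits and ("base64_decode" in hits or "long_base64_literal" in hits):
        score += 3  # packed backdoor: eval(base64_decode('...'))
    if "mail" in hits and "request_input" in hits:
        score += 2  # mass-mailer: recipients and body taken straight from the request
    return score


def triage(files: Dict[str, str]):
    """Score every file and return (name, score, hits) for the suspicious ones, highest first."""
    scored = []
    for name, src in files.items():
        hits = scan_php(src)
        if hits:
            scored.append((name, risk_score(hits), hits))
    return sorted(scored, key=lambda f: -f[1])


# Constructed samples (not real files from the incident).
CLEAN_PHP = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
echo $app->getTemplate();
"""

INJECTED_PHP = (
    "<?php\n"
    "/* legitimate template header */\n"
    "/*4a7b*/eval(base64_decode('" + "QUFB" * 60 + "'));\n"  # 240-char filler blob, not a payload
)

MAILER_PHP = """<?php
$list = explode("\\n", $_POST['l']);
foreach ($list as $to) { mail($to, $_POST['s'], $_POST['b']); }
"""

if __name__ == "__main__":
    for name, score, hits in triage({"index.php": CLEAN_PHP, "license.php": INJECTED_PHP, "list5.php": MAILER_PHP}):
        print(f"{score:2d}  {name}  {hits}")
```

Run over a real web root by reading each .php file into the dictionary passed to triage(); the point of the score is ordering, not verdicts, so the top of the list still needs a human to read the file, and the absence of a hit proves nothing about a file that uses names the list does not cover.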


The financial side..

System administration is a continuing process of monitoring, deploying updates, reading change-logs, troubleshooting, modifying, reading security bulletins and fixing errors. The cost of a compromised system is far higher than the cost of hiring someone to look after it on a permanent basis.

Do not say ‘The Webpage is done sir, thank you for doing business with us.’

Back to the stupid search function

What I intended to do was to write a file search function with as few characters of C code as possible. I don’t think I did, but it was a start.

This time I have the same code in somewhat optimized nasm assembler code. Optimized as in as few instructions as possible while still having readable source code. This is not optimized for speed, as I would guess loading big chunks into memory would be the way to go. (And some other magic I surely don’t know anything about.)

This is for me a programming lesson. Maybe I will take a look at it again in a few years and see if I have improved 🙂

Compiled on OSX with nasm-2.12.02.

section .data
s db "%s: %i: %i: %s",10,0          ; file: start offset: end offset: pattern
o db "usage: ",10,0
section .bss
section .text

global _main
extern _open
extern _strlen
extern _read
extern _printf
extern _close

_main:
push rbp
mov rbp,rsp
sub rsp,48
cmp edi,3                           ; argc must be 3: program, file, pattern
jne .help
mov rax,qword [rsi+8]               ; argv[1]: file name
mov qword [rbp-16],rax
mov rax,qword [rsi+16]              ; argv[2]: search pattern
mov qword [rbp-24],rax
mov rdi,qword [rbp-16]
mov esi,0                           ; O_RDONLY
call _open
mov dword [rbp-28],eax              ; file descriptor
mov rdi,qword [rbp-24]
call _strlen
mov qword [rbp-36],rax              ; pattern length
mov r12,0                           ; characters matched so far
mov r13,0                           ; bytes read so far (1-based offset)
mov r14,qword [rbp-24]              ; pattern pointer
lea r15,[rbp-37]                    ; one-byte read buffer

.read:
mov edx,1
mov edi,dword [rbp-28]
mov rsi,r15
call _read                          ; read one byte
inc r13
cmp eax,0
je .end                             ; EOF (or error)
movzx eax,byte [rbp-37]
movsxd rcx,r12d
lea r12d,[rcx+1]                    ; assume a match: advance the match index
cmp al, byte [r14+rcx]
mov eax,0
cmovne r12d,eax                     ; mismatch: restart at pattern[0] (the current byte is not re-examined)
cmp r12,qword [rbp-36]
jne .read
mov r12,0                           ; full match: reset and report it
mov ecx,r13d                        ; end offset
mov edx,r13d
mov rax,qword [rbp-36]
sub edx,eax                         ; start offset = end offset - pattern length
lea rdi,[rel s]
mov rsi,qword [rbp-16]
mov r8,qword [rbp-24]
xor eax,eax                         ; variadic call: no vector registers used
call _printf
jmp .read

.help:
lea rdi,[rel o]
xor eax,eax
call _printf
jmp .exit                           ; nothing was opened, so skip the close

.end:
mov edi,dword [rbp-28]
call _close

.exit:
add rsp,48
pop rbp
ret

The distinctive sound of Atari 2600.

53 54 53 31 3c c8 02 03 00 01 00 02 00 40 1c 00
01 1f 0f 00 02 00 00 00 00 04 01 14 0f 00 05 00
00 00 00 06 01 14 0f 00 07 00 00 00 00 08 01 15
0f 00 0a 00 00 00 00 0c 01 14 0f 00 0e 00 00 00
00 10 01 14 0f 00 12 00 00 00 00 14 01 13 0f 00
16 00 00 00 00 18 01 1d 0f 00 20 01 1f 0f 00 22
00 00 00 00 24 01 14 0f 00 26 01 15 0f 00 28 01
14 0f 00 2a 01 15 0f 00 2c 01 14 0f 00 2e 01 15
0f 00 30 01 14 0f 00 32 00 00 00 00 34 01 13 0f
00 36 00 00 00 00 38 01 1d 0f 00 01 40 01 00 00
00 0f 00 02 40 02 00 0c 0f 0f 00 01 00 00 00 00

This is actually the music data, on a cartridge,
with its player running on 128 bytes of RAM.

Its byte values are the header, the refresh rate,
tempo in bpm, number of pages and patterns, pages
index, pattern number, length, number of used rows,
and row data of a pattern; number, waveform,
frequency, volume and trigger.

This is the Stella Tracker Song format,
used in Lowres, Solskogen 2014, Oldskool Demo Compo.

If you want to check it out, go to YouTube.


LIFL, or its full name, Linux Filesystem Logger, is a new, rewritten version of loggedfs, a filesystem activities logging daemon, based on FUSE.

LIFL logs any file system call inside a given directory path, in detail.

To describe the project I will summarise the functionality of the program in a list:

  • Fully configurable with On/Off switches for performance.
  • Remote logging with MySQL.
  • Logging of lstat, access, readlink, readdir, mknod, mkdir, unlink, rmdir, symlink, rename, link, chmod, chown, truncate, utimens, open, read, write, statfs, fallocate, setxattr, getxattr, listxattr and removexattr.
  • SQL provides flexibility to represent the log data.
  • Logs system error messages.
  • Monitor write calls and log a copy of the write buffer with options to target the command, effective user id and write sizes of the write calls.
  • Logging of time, hostname, user id, group id, username and groupname.
  • Logging of TTY, login time and remote host.
  • Logging command, arguments, process id, parent process command and parent process id.
  • And file, path, file protection, file owner and group.
  • This project needs some big testing. I think I will set up a honeypot to see if the program has the expected behavior, and to see if I am able to find some valuable results.

(If so I will come back with another post about that.)

See Github page.

Tomboy data extractor

When I changed platform from Linux to Mac, some of my Linux software was unavailable. The most important app I lost was Tomboy Notes. It had all the things I needed to write down. After looking for a working version on OSX, I decided I had to export. Both the Linux and the Windows port were lacking working functionality to export to a more readable format. I tried the different plugins for a way to export, but I could not get them working. I tried to export the data with libXML, but libXML did not recognize the data as valid XML data.

Ok. I needed the data and I wanted cleartext files, so I made my own Tomboy XML data extractor.

This utility takes data from the Tomboy application data folder and outputs the data to cleartext files. If there are multiple revisions of a Tomboy note, only the newest is stored.

This process of trying to get the data into cleartext was annoying. I guess others might have had the same problem, so I wrote this post and made the utility public.

Source code here: ohboy.c   ohboy.h   ohboy.readme
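The two things the utility has to do, strip the note markup down to text and keep only the newest revision of each note, are shown below in an added Python example; this is not ohboy.c and not code from the Tomboy project. The note documents are constructed to resemble Tomboy's .note files (title, note-content inside text, last-change-date, all in the http://beatniksoftware.com/tomboy namespace); that layout and the element names are this example's assumption, and it is parsed with the standard library's ElementTree.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed Tomboy note namespace (see the lead-in).
NS = {"t": "http://beatniksoftware.com/tomboy"}


def _parse_date(s: str) -> datetime:
    # Tomboy-style timestamps carry 7 fractional digits; fromisoformat accepts at most 6.
    s = re.sub(r"(\.\d{6})\d+", r"\1", s)
    return datetime.fromisoformat(s)


def parse_note(xml_text: str):
    """Return (title, plain-text body, last-change timestamp) for one note document."""
    root = ET.fromstring(xml_text)
    title = root.findtext("t:title", namespaces=NS)
    content = root.find("t:text/t:note-content", NS)
    # itertext() drops inline markup such as <bold> or <italic> and keeps the text.
    body = "".join(content.itertext()) if content is not None else ""
    changed = _parse_date(root.findtext("t:last-change-date", namespaces=NS))
    return title, body, changed


def newest_revisions(notes):
    """notes: iterable of note XML strings (e.g. the live notes plus backup copies).
    Returns {title: body} keeping only the newest revision of each title."""
    newest = {}
    for xml_text in notes:
        title, body, changed = parse_note(xml_text)
        if title not in newest or changed > newest[title][1]:
            newest[title] = (body, changed)
    return {title: body for title, (body, _) in newest.items()}


def _note(title: str, body: str, changed: str) -> str:
    # Constructed document in the assumed Tomboy layout.
    return (
        '<note version="0.3" xmlns:link="http://beatniksoftware.com/tomboy/link" '
        'xmlns:size="http://beatniksoftware.com/tomboy/size" xmlns="http://beatniksoftware.com/tomboy">'
        f"<title>{title}</title>"
        f'<text xml:space="preserve"><note-content version="0.1">{body}</note-content></text>'
        f"<last-change-date>{changed}</last-change-date>"
        "</note>"
    )


# Constructed sample: two revisions of "Servers" and one "Shopping" note.
SAMPLE_NOTES = [
    _note("Servers", "Servers\n\nold list: <bold>web01</bold>", "2014-01-05T10:00:00.1234560+01:00"),
    _note("Servers", "Servers\n\nnew list: <bold>web01</bold>, <italic>web02</italic>", "2016-03-20T09:30:00.0000000+01:00"),
    _note("Shopping", "Shopping\n\nmilk", "2015-06-01T08:00:00.0000000+02:00"),
]

if __name__ == "__main__":
    for title, body in newest_revisions(SAMPLE_NOTES).items():
        print(f"--- {title}.txt ---\n{body}\n")
```

To use it on a real notes folder, read every file under the data directory (and any backup directory) into the list passed to newest_revisions() and write each body out under its title; titles are the join key, so two different notes with the same title would collapse into one.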

Practical laziness

I made a mess of my photos. About 9000 originals stored as many as three times in the Pictures folder on my Mac.
So I started to write my own code for finding duplicate files.
This code inspects the file’s content, not matching on filename and size. It ran unbelievably fast. 9000 photos scanned and compared in only a few seconds.
Job done. 🙂

Compilation should be straightforward.
You will find the files here and here and readme.
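Comparing content rather than names is the right call, and the reason it can still be fast over 9000 photos is that most files never need to be read in full. The example below is added for this post and is not the author's C code: it buckets by size, then by a hash of the first 4 KiB, and computes a full SHA-256 only for files that still collide, so two files of equal size whose bytes differ at the very end are kept apart. The sample tree it builds in a temporary directory is constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

HEAD_BYTES = 4096  # cheap first-pass fingerprint


def _digest(path: str, limit: int = None) -> str:
    """SHA-256 of the whole file, or of its first `limit` bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        if limit is None:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        else:
            h.update(f.read(limit))
    return h.hexdigest()


def find_duplicates(root: str):
    """Return a sorted list of groups (lists of paths) with byte-identical contents."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.islink(p):
                continue  # a symlink is not a second copy of the bytes
            by_size[os.path.getsize(p)].append(p)
    groups = []
    for paths in by_size.values():
        if len(paths) < 2:
            continue  # unique size: cannot have a duplicate, never read
        by_head = defaultdict(list)
        for p in paths:
            by_head[_digest(p, HEAD_BYTES)].append(p)
        for cand in by_head.values():
            if len(cand) < 2:
                continue
            by_full = defaultdict(list)
            for p in cand:
                by_full[_digest(p)].append(p)  # full read only for real candidates
            groups.extend(sorted(g) for g in by_full.values() if len(g) > 1)
    return sorted(groups)


def demo():
    """Build a constructed Pictures-like tree and return the duplicate groups
    as lists of paths relative to the tree root."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "IMG_001.jpg": b"\xff\xd8" + b"A" * 5000,
            "copy/IMG_001 copy.jpg": b"\xff\xd8" + b"A" * 5000,   # same content, different name
            "old/2011_01.jpg": b"\xff\xd8" + b"A" * 5000,         # same content, different folder
            "IMG_002.jpg": b"\xff\xd8" + b"B" * 5000,             # same size, different content
            "IMG_002 (1).jpg": b"\xff\xd8" + b"A" * 4999 + b"B",  # same size and head, differs at the end
            "notes.txt": b"hello",
        }
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        groups = find_duplicates(root)
        return [[os.path.relpath(p, root) for p in g] for g in groups]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for group in demo():
        print("duplicates:", group)
```

When deleting copies based on such a report, keep the decision separate from the scan: identical bytes say nothing about which path is the "original", and a hard-linked pair shows up as a duplicate even though it occupies the disk only once.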

Be careful with filenames, platforms, and distribution.

When a Subversion client does not filter characters in filenames properly, it may result in:

I. The client stops working while committing, resulting in a broken checkout of the repository. (And a half-done commit results in not having an overview of the files.)

II. Writing files to the repository which cannot be distributed results in a broken repository. (And it is hard to purge files from a Subversion repository.)

III. A broken repository, then again, results in a broken client checkout. (And you have to clean up the client too.)

If you have done all these awful steps, you don’t want to do them again.

If you need to clean up the filenames, I wrote a small program that takes care of all the restricted filename letters and names on Windows, OSX and Linux.

Please feel free to grab it; it’s under the GNU GPL.
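The set of names a cross-platform repository has to avoid is well defined, and checking it before a commit is cheaper than repairing a repository afterwards. The following is an added example, not the author's GPL program: it rewrites a single filename so it is valid on Windows, OSX and Linux at once, applying the characters Windows forbids, ASCII control characters, the Windows reserved device names (also when an extension follows), trailing dots and spaces, and the two separators ‘/’ and ‘:’. The 255-character per-component limit and the ‘_’ replacement are this example's choices.

```python
from typing import List

WINDOWS_FORBIDDEN = set('<>:"/\\|?*')  # ':' also covers the classic Mac separator, '/' the POSIX one
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})
MAX_LEN = 255  # common per-component limit; counted in UTF-8 bytes to be safe on Linux


def sanitize_filename(name: str, replacement: str = "_") -> str:
    """Return a version of `name` that is a legal file name on all three platforms."""
    out: List[str] = []
    for ch in name:
        if ch in WINDOWS_FORBIDDEN or ord(ch) < 32 or ch == "\x7f":
            out.append(replacement)
        else:
            out.append(ch)
    cleaned = "".join(out)
    # Windows silently drops trailing dots and spaces, which changes the name; do it explicitly.
    cleaned = cleaned.rstrip(" .")
    # "CON", "con.txt" and "LPT1.log" all address the device on Windows, so prefix them.
    stem = cleaned.split(".", 1)[0]
    if stem.upper() in RESERVED_NAMES:
        cleaned = replacement + cleaned
    if cleaned in ("", ".", ".."):
        cleaned = replacement
    # Trim to MAX_LEN bytes without cutting inside a multi-byte character.
    encoded = cleaned.encode("utf-8")
    if len(encoded) > MAX_LEN:
        cleaned = encoded[:MAX_LEN].decode("utf-8", "ignore")
    return cleaned


def needs_rename(name: str) -> bool:
    return sanitize_filename(name) != name


def check_tree(names):
    """Report (original, sanitized) pairs for every name that would have to change,
    which is the pre-commit check a client should run before touching the repository."""
    return [(n, sanitize_filename(n)) for n in names if needs_rename(n)]


if __name__ == "__main__":
    # Constructed sample names.
    for original, fixed in check_tree(["report: Q1/2016?.txt", "con.txt", "notes. ", "a\tb", "photo.jpg"]):
        print(f"{original!r} -> {fixed!r}")
```

Two names can collapse onto the same sanitized form (‘a:b’ and ‘a/b’ both become ‘a_b’), so a real tool must check for collisions before renaming. One more OSX-specific caveat: HFS+ stores names in decomposed Unicode (NFD), so a name with accented characters can be the same file on a Mac and two different files in the repository; normalizing to one form before committing avoids that.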


Datastorm revisited

In regard to the demolition of the party place where Datastorm was arranged and the end of Datastorm, here is a gallery from 2011.