linuxsecurityblog.com

Happy Halloween folks!

My new computers is finally finished and how appropriate for Halloween, are the 2 skull fan grills with black lights.

New Computer

This took about 2 months working on it when I had some spare time.

Features include:

• Blue acrylic case
• Red cold cathodes
• Black lights
• Skull fan covers with black lights
• See through power supply
• 4 led switches
• 4 sets of bright leds
• UV reactive wires, sata cables, heat shrink, and molex’s

For the hardware I went with:

• Asus Motherboard
• Crucial Ram with leds (4GB)
• AMD CPU
• 3 1TB harddrives
• Raid 1 (hardware raid)

And my Linux OS of choice for this was Kubuntu.

I’ve done a few mods before, but this was the most complicated one, as I have not wired switches before, and instead of daisy chaining a bunch of molex connectors I soldered a lot of the wires together.

Naturally I ran into a problem, I wanted to run the lighted side fan grills through a switch, along with the fans themselves, but the grills are 5V and the fans are 12V, I realized this when I went to plug it into the switch harness and said wait a minute, there’s only two wires on the harness.  Then a light came on, and I realized I can’t run 2 different voltages through a single pole single throw switch. So those are now on all the time, and I will either get a different switch, or add something else to plug into the empty switch.

TTYL,
Doug Walker

Well, after tell my clients to upgrade their scripts yesterday, I’ve been busy fielding questions, and upgrading the people who don’t know how.

One guy in particular is already infected with malware.

This is what I just told him:

Your site is already infected with malware, we are going to try to remove that for you.

I disabled these two old joomla installs:
public_html/joomla/tmp/install_48698a1f8c122/libraries/joomla
public_html/joomla/tmp/install_4869bd8b81e25/libraries/joomla

They are in tmp directory, did you want me to remove them?

Here is part of the malware code, which is on your index.html, I’m going to scan you other pages for it:
<script type=”text/javascript”>var iquXiQSJiqVYjfLaNHOA = 99UNtj105UNtj116UNtj121UNtj61UNtj4Ntj60UNtj

And sure enough he has other pages infected with the malware.

I’m now grepping his other pages for the malware, and what I have noticed on other sites, is the hacker will vary the code, so I have to grep based on a regex as a text string will find only the one page.

And here is some info to support my earlier claim that the average number of pages hacked in a site is greater than 10:

# grep -R  un*******ant * |wc -l
457

Well, I am off to formulate a quick command to remove those.

TTYL-
Doug Walker

Howdy all!

Just came across the article today:
http://www.scmagazineus.com/New-data-shows-website-hacks-continue-to-grow-unabated/article/156291/?DCMP=EMC-SCUS_Newswire

640,000 websites hacked, and almost 6 million pages.

Personally I feel that number is a bit low, at least the second number, that is less than 10 pages hacked/infected per site, and the vast majority of hacked sites that I have dealt with had way more pages than that infected, as the hacker just did a search and replace for all the html htm and php files.  One client in particular had thousands of pages infected.

Well in light of that article I am busy helping clients upgrade.

TTYL,
Doug Walker
Linux Security Consultant
Network+, SnortCP