Gettin’ hacked

I had an email this morning only five days after my billing cycle started saying that I was close to using my 15GB of data. Normally we spend about 5-10GB, but 15GB in five days is exceptional.

I started digging and after ruling out intentional upload/download from inside my network (using wireshark on my LAN segment) I then started looking at the wireless side of things. I have a server on my LAN that is connected via wireless, and this is also a public facing server with sshd running on it.

I had a quick page through the /var/log/auth.log file and to my surprise I found repeated attempts to log in with various usernames (491 different ones so far) from various locations. These were coming in at the rate of one every four seconds. I can’t see how this would account for 15GB (or 1.5GB for that matter) but when I called Orcon they said they saw a definite increase in traffic over the last two days, which also corresponds to the first entry in the auth.log file.

Here’s what the log entries look like:
Sep 27 13:29:59 pandora sshd[17366]: Failed password for invalid user oracle from 60.190.133.228 port 45662 ssh2
Sep 27 13:30:03 pandora sshd[17368]: Failed password for invalid user michael from 60.190.133.228 port 45857 ssh2
Sep 27 13:30:07 pandora sshd[17374]: Failed password for invalid user ftp from 60.190.133.228 port 46079 ssh2
Sep 27 13:30:12 pandora sshd[17376]: Failed password for invalid user test from 60.190.133.228 port 46301 ssh2
Sep 27 13:30:15 pandora sshd[17379]: Failed password for invalid user webmaster from 60.190.133.228 port 46553 ssh2
and so on …

The requests have come from a range of IP addresses in China, Europe, Canada and Bangladesh. It’s likely to be a distributed and targeted attack.

Interesting. I did install fail2ban some time ago which I was told was supposed to prevent this kind of thing but it was an install-and-forget excercise. I’ll have to research it a bit to find out how it actually works.

HTTP Monitor Script for Bash

If you run a web application, or want to know when a web server goes up or down. There’s a range of products you can use to do this, such as Nagios (URL monitoring is only one aspect of server monitoring that Nagios can perform). There are times however when configuring a full blown monitoring system like Nagios is way over the scope of what you want to do right now.

Here’s a script I use to monitor URL’s. I put this in my cron to run every 5 minutes. It only emails you when the HTTP status of the URL has changed since last time you requested it. This should avoid heaps of emails in your inbox, unless you have a bouncy server.

#!/bin/bash
# Simple HTTP monitor script
# Monitors a URL and sends an email when the status of it changes

NOTIFY_EMAIL=youremailhere@yourdomainname.com

if [ -z $1 ]; then
  echo Usage: $0 url_to_monitor
  echo Example: $0 http://www.google.com/
  exit 1
fi

URL=$1
STATUS_FILE_PREFIX=.`echo $URL | sed -s 's/[\/\.:]/-/g'`
RESULT_TEXT=`HEAD $URL | head -n 1`
STATUS_FILE_SUFFIX=`echo $RESULT_TEXT | sed -s 's/ /-/g'`
if [ ! -f $STATUS_FILE_PREFIX.$STATUS_FILE_SUFFIX ]; then
  rm "$STATUS_FILE_PREFIX.*" > /dev/null 2>&1
  touch $STATUS_FILE_PREFIX.$STATUS_FILE_SUFFIX
  echo $URL returned $RESULT_TEXT | mail -s "[$0]: $URL returned $RESULT_TEXT" $NOTIFY_EMAIL
fi
exit $RESULT

This should work on a stock Ubuntu/Debian system. To actually use this script:

1. Save the above as monitor.sh in your favourite directory.
2. Edit it and change the NOTIFY_EMAIL address to your own
3. chmod u+x monitor.sh
4. Invoke it like this: ./monitor.sh http://www.google.com/

What you do with it is up to you. Note that to track the status this script will create hidden files in the current directory. For example, if Google returns a 200 OK status, a hidden file called .http—www-google-com-.200-OK will be created.

Things that I hate about PHP

Ok so I’ve been back in the swing of development for a while now and I’ve reminded myself about the things that I hate about PHP. Overall I like it a lot but these are the things I hate.

magic_quotes

So the deal here is that when enabled, any posted information will have any quotes magically escaped, so if you were to post the text “Fish ‘n’ Chips” then your script would receive the text “Fish \’n\’ Chips”. This is useful because then you don’t have to do anything to it to include it directly in a query for insertion into a table, but nowadays parameter binding and database abstraction layers take care of that. If you’re starting from scratch, do yourself a favour and disable magic_quotes on your PHP installation. If you can’t, use this to do it for you:

// If magic quotes are on, remove any slashes in the input.
// This allows us to operate on all inputs without having to addslashes().
if (!empty($_POST))
 if (get_magic_quotes_gpc())
   foreach ($_POST as $var=>$val)
     if (is_string($val))
       $_POST[$var] = stripslashes($val);

This will ensure that the contents of the $_POST variable will always be as it was posted when you first get your hands on it. What you do with the content is then up to you.

addslashes, stripslashes

Ok, I don’t hate these functions as much as I hate how they are abused. The problem is that people don’t seem to understand when and why they should be used. It is not correct to always addslashes() your content before inserting it into a database and stripslashes() when getting it back. It is correct to addslashes() the content as you’re inserting it ONLY if the string hasn’t been addslashes()ed before – remember that magic_quotes does this too. The result is that if you have magic_quotes enabled and you addslashes then our string “Fish ‘n’ Chips” ends up becoming “Fish \\\’n\\\’ Chips”, then it is inserted. A “fix” (ahem) is to stripslashes() when you get it out of the database but this is not correct, it is very much a bandage on a problem.

Automatic Typecasting

It’s useful to be able to have a string with the value “10″ and add an integer value of 2 to it and have the result as an integer of 12, but you cannot disable the automatic typecasting. This lends itself to bad programming practice, and confusion when it comes to how your application will behave when it casts an array to an integer for example. The PHP website lists the exact behaviours but it is annoying when “0″, “”, 0.0 (float), 0, false, NULL, Array() and an empty object (PHP4 only) are all treated as FALSE, but “0.00″ is treated as true. This is alleviated somewhat by using the type equality operator (===) where the result is only true if the type on both sides of the operator is the same but it does annoy me. Hungarian notation may be of use to help set the standard in a project.

Variable Scope

The scope of a variable is the current function, method or global in the case of neither. It would be nice to have the scope of a variable be the current block as in perl (forgive me, it’s been a long time since I had to write perl) where the variable only exists for the scope of the current block, for example:
for (var $i=0; $i<10; $i++)
{
// do something with $i
}
// $i no longer exists here

Prefixing variables with $

I heard one of the PHP guys on a podcast (a TWiT one I think) saying the reason that variables had to be prefixed with $ was that it was easier to write a parser that just knew that $ had to be a variable, rather than determining whether it was an operator. Ok, I agree but let me see how many lines with $’s I can find in my current project: 37375 out of 55925. I’m just annoyed, oh and switching between PHP and Javascript where you don’t use $ as variable name prefixes is annoying (as is the fact that + is the concatenation operator in Javascript and it’s . in PHP)

I miss something like pascal’s “with” operator

Especially when you’re dealing with data deep in an object, for example $foo->bar->baz->quz[] (and I use this object level often) it would be nice to be able to go:

with ($foo->bar->baz)
{
  .quz['element1']
  .quz['element2']
  .quz['element3']  // etc
}

Can’t do it VB has a similar construct but I can’t recall what it’s called.

Different Quoting Behaviours

The difference between a “string” and a ‘string’ irks me. “string” is parsed for variables, e.g. with $name = ‘Bob’, “My name is $name” would return “My name is Bob”, but ‘My name is $name’ would return ‘My name is $name’. I opt for the latter please, and just let us work out what we want to do.

Other than that …

.. it’s all good! As I said above I like PHP a lot and the fact that it’s got such a huge following and is used on some pretty major products (Facebook for one, Yahoo for another) is a testament to how well it can work when implemented properly.

Simple Content Manager Launches

If you care you may know that I’ve been working with Turboweb for a couple of months now. I’ve been mostly working on a system for creating websites. The gist is that if someone wants a website to complement their business or group or whatever but they don’t know how to get started then we provide EVERYTHING that they need (hosting, email addresses, domain names, ecommerce, image gallery, news, events etc etc) for a single monthly cost. We call it the Simple Content Manager (SCM). It’s pretty neat.

I’ve been furiously coding and testing for the last couple of months and to see the final product working – actually working – is almost unbelievable and kind of scary. You can get a website up and running in just a couple of minutes, and thanks to some great design skills the websites look pretty decent too. I’ll be the first to admit that we’re not firmly in the saddle as the horse is taking off but the best way to find out is to ride it.

I’ve heard that it’s not uncommon for people to be charged a single design/build fee of several thousand dollars for a new website – which is kind of silly as the majority of people who want a new website want pretty much the same features that other websites have got. I know of two people who have recently paid over $5,000 for a basic website with ecommerce. That sucks. So, we’re aiming at less than $20 per week with no long term commitment required. A big advantage here is that for small businesses who don’t know how well they’re going to do in the future they can just have their website as a regular monthly outgoing cost.

Anyway, the long and short of this blog post is that everyone on the planet (with internet access) can trial our SCM for 14 days to see if they like it. We’re also on the hunt for resellers so drop me a line if you’re curious.

You can sign up for a trial at http://www.scmdemo.com/signup/. Would be interested in your feedback.

Tweeting in Linux

Quickly tweet from your Linux environment with this script – all you need is the ability to launch a shell script, e.g. from a terminal, shortcut on your desktop or Gnome panel

Requires: curl, zenity.

Change the TWITTER_USERNAME and TWITTER_PASSWORD accordingly. Remember to make the script executable and since it contains your twitter username and password you most probably want u+rwx, go-rwx (or 0700).

#!/bin/bash
TWITTER_USERNAME=twitterusernamehere
TWITTER_PASSWORD=twitterpasswordhere

tweet=$( zenity --title "Tweet:" --entry )
if [ ! -z "$tweet" ]; then
  result=$( curl -s -u $TWITTER_USERNAME:$TWITTER_PASSWORD -d status="$tweet" http://twitter.com/statuses/update.xml | grep -i "could not authenticate" | wc -l )
  if [[ $result -eq "1" ]];  then
    zenity --error --text="Error logging onto Twitter - please check your username and password or Twitter availability."
  else
    zenity --info --text="Tweeted!"
  fi
fi

Getting help anonymously

I’ve often wondered how to go about getting technical assistance for work related issues without revealing sensitive information to your competitors, or even worse, making yourself look like you don’t know what you’re talking about to your current and potential customers. The number of times I’ve seen ridiculously simple questions asked by people whose business it is to know is astounding, and especially so when they appear to be asked by the person literally named in the forum post or email.

Case in point: one of the projects I worked on in the past was the integration of a bespoke image library system into a global image management system. The idea behind it was that an end user with a native Windows/Mac desktop publishing application would be able to search for anything they like, and the results would be served up from a broad range of sources. They could then use the image in their work and the global company would facilitate the payment between the provider of the image and the end user.

When we were invited to pass the benchmark integration tests, one of the first things I did was to look at the authors of the specification and Google them. It was clear that at least one of the authors who was top billed on this specification had very little knowledge about what it was he was implementing, and he was using his work email address to ask these questions, dutifully stamped with the company name after the @ symbol.

I haven’t yet had a need to venture into the public arena with work-related questions, although a do feel guilty that I’m a community ‘sucker’ – that is when I have a problem I exclusively google it and never give anything back, at least not where it’s needed. For when I do make that step, it would be irresponsible of me to assume that posting with my work email address (or indeed my personal address which can easily be tied back to my employer) would do no harm. For that reason, I’ve prepared this list of ideas.

Pick a pseudonym
A fake name, or a handle would be appropriate. A fake name would imply a level of professionalism not given by the use of a handle. Consitent use of the name for posting questions is important for the sake of the community rather than me. It would be easy enough to make up a new name for each question.

Hide your tracks
Posting to a forum or newsgroup with a gmail email address is not enough, as your IP address is normally recorded, resulting in an easy trail to follow for someone determined enough to do so. I’m pretty sure Gmail has your original IP as a X-* header in the email. Other possibilities are to use a free/anonymous proxy server, however be aware that a lot of proxy servers add a “forwarded for” HTTP header for tracking/logging purposes. A commercial tool such as anonymizer, or a dialup account and spare modem would be suitable. Whatever solution you chose, carefully examine what happens when you post to a forum or send an email to ensure nothing to link you to the email is there.

Don’t get tagged by cookies
There’s no reason why a website can’t track your visits, and associate the website accounts used from your computer, thus undoing your careful aliasing and track hiding. Make sure you clear your cookies, or even better, use a virtualised OS (Microsoft Virtual PC and an Ubuntu install would be perfect) to avoid this. If using the latter in order to avoid having to delete cookies, ensure you use the virtual OS exclusively for anonymous posting.

Reword your problem
Goes without saying really, but make sure your problem/question gets reworded so that it looks as little as possible like what your issue is that you’re facing, but make sure you give enough meat for the community to help you out. Boiling it down to it’s metasyntactic bones makes it disinteresting and an academic question – real people like solving real problems. You’re likely to get more bites if your problem doesn’t start “given a class called Foo and a method called Baz…”

Give and take
Make sure that you give back to the community by answering questions, writing documentation, bug fixing etc. This was one of my new years resolutions for 2008 and so far I’m doing pretty badly at it. It doesn’t help that my chosen project to contribute to has gone on ice and the maintainers are incommunicado. Pfft.

Any other ideas you may have are welcome.