WordPress Blackhole Exploit

March 6th, 2012 by Ken

Recently a few WordPress sites on my server were attacked by the Blackhole exploit going around. Each time it was removed, it would come back shortly after. After much frustration trying to find a working solution to the problem, I finally figured it out this morning.

A number of people recommended WordPress plugins like Firewall 2 and Exploit Scanner to stop attacks, but none of these worked (which is not to say they don’t do what they’re supposed to; they just weren’t working for this particular exploit).

I flipped through the access logs in an attempt to find something that stood out, like an exceptionally long URL query string or multiple consecutive accesses to a particular page but didn’t notice anything until I thought about filtering down to just the POST requests to the site. That’s when I found the following entry.

83.69.224.227 - - [06/Mar/2012:10:35:40 -0800] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"

The ToolsPack wasn’t anything we had heard of or even recognized, and there were only 3 different IPs that accessed this page directly, numerous times throughout the day, across the affected sites. We had our culprit.
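The POST filtering described above, as an added example (not code from the post): a small Python script that parses combined-format access log lines, keeps only POST requests to PHP files that are neither standard WordPress endpoints nor part of an installed plugin, and tallies them by source IP and path. The sample log, the allowlist of known plugins and the IP addresses other than 83.69.224.227 are constructed for the example; only the ToolsPack entry comes from the post.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the entry quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the entry from the post plus ordinary traffic.
SAMPLE_LOG = """\
198.51.100.10 - - [06/Mar/2012:10:35:12 -0800] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
83.69.224.227 - - [06/Mar/2012:10:35:40 -0800] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
198.51.100.11 - - [06/Mar/2012:10:36:02 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/hello-world/" "Mozilla/5.0"
198.51.100.12 - - [06/Mar/2012:10:37:15 -0800] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
83.69.224.227 - - [06/Mar/2012:11:02:09 -0800] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
203.0.113.5 - - [06/Mar/2012:11:40:51 -0800] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
198.51.100.13 - - [06/Mar/2012:11:41:00 -0800] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Plugins actually installed on the site (constructed allowlist for the example).
KNOWN_PLUGINS = {"akismet"}

# Endpoints WordPress itself expects POSTs to; a POST to any other PHP file is worth a look.
EXPECTED_POST_PATHS = {
    "/wp-login.php",
    "/wp-comments-post.php",
    "/wp-admin/admin-ajax.php",
    "/xmlrpc.php",
}

PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")


def parse(lines):
    """Yield one dict per log line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_posts(lines):
    """Return {(ip, path): count} for POSTs made directly to PHP files that are
    neither standard WordPress endpoints nor inside a plugin we know we installed."""
    hits = Counter()
    for rec in parse(lines):
        if rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if path in EXPECTED_POST_PATHS or not path.endswith(".php"):
            continue
        m = PLUGIN_RE.match(path)
        if m and m.group(1) in KNOWN_PLUGINS:
            continue  # a plugin we installed ourselves
        hits[(rec["ip"], path)] += 1
    return hits


def ips_per_path(hits):
    """Group the tallies by path so the number of distinct source IPs is visible."""
    by_path = {}
    for (ip, path), _count in hits.items():
        by_path.setdefault(path, set()).add(ip)
    return {path: sorted(ips) for path, ips in by_path.items()}


if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG.splitlines())
    for (ip, path), count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{count:4d}  {ip:<16} {path}")
    for path, ips in ips_per_path(hits).items():
        print(f"{path}: {len(ips)} distinct IP(s): {', '.join(ips)}")
```

Run against a real file with `suspicious_posts(open("/var/log/httpd/access_log"))`; the allowlist is what keeps the output short, so keep it in step with the plugins directory.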

Viewing the source of the file confirmed my suspicions and revealed that all it did was decode and evaluate whatever text was posted to that script.

The only thing I haven’t quite figured out yet is how the script got there in the first place. I found a ToolsPack zip file in the WordPress uploads directory which would suggest something in WordPress allowed it to be uploaded and decompressed to the plugins directory, but what, I’m unsure of.

If anyone has any thoughts or information I’d love for you to comment and let me know your findings!

For now, I’ve removed the files, blocked the IPs and made all the index files 444 (globally read-only) which should help prevent this from happening again.

Posted in Uncategorized | No Comments »

Adaptec RAID not automatically rebuilding degraded array

September 29th, 2011 by Ken

A while back one of the drives in my server’s RAID array had failed so I went and purchased a replacement drive and popped it in. The problem then became that the Adaptec Storage Manager wouldn’t allow me to do anything with it. It simply told me it was an “Inaccessible Disk.”

Well, since I had a RAID6 array, I let it be and worked with Adaptec on figuring out what the issue was from home. Unfortunately, I never got around to trying out the suggestions (supposedly there was an option to add the drive as a Hot Spare, but I swear it was never even an option on the drive).

Jump ahead to a few days ago, I decided to take a look at the issue again. This time I was smart and downloaded the command line interface version of Storage Manager from the Adaptec site.

Posted in Hardware | No Comments »

Upgrading to OSX Lion

August 2nd, 2011 by Ken

So I finally went ahead and upgraded to OSX Lion today and overall the process was pretty painless. The App Store makes the purchase and upgrade process super easy, and in under 20 minutes, I had the installer loaded and ready to go. It should be noted that those who wish to keep a hard copy of the installer should make that copy BEFORE proceeding with the install, as once the upgrade is done, Lion will go and clean up after itself, removing the installer.

Since I wanted to keep a copy, I followed these simple instructions on Lifehacker and burned a copy of Lion to DVD for safekeeping. There is also a 650MB recovery partition with Lion on it as well (I’m actually not sure if this was there from the start or if Lion created it), so you can always boot up with that in a pinch.

Posted in How To, Software | No Comments »

cPanel: mysql access denied for user root@localhost

June 19th, 2011 by Ken

I had this weird problem come up today with cPanel where it wasn’t storing user permissions on databases I was creating.

After digging into the cPanel error log located at /usr/local/cpanel/logs/error_log, I found that I was getting access denied errors to the mysql root user.

DBD::mysql::db do failed: Access denied for user 'root'@'localhost' to database '____' at /usr/local/cpanel/Cpanel/Mysql.pm line 1139

So anything I was trying to do database related wasn’t actually happening (apart from database and user creation, oddly).

After some feeble attempts at recreating the users, databases, and trying to grant all on *.* to root, I came across these simple steps to fix the permissions. You’ll need root and shell access.

Step 1: Add skip-grant-tables to /etc/my.cnf to disable authentication.
Step 2: Restart the MySQL service, and log back in to the mysql command line interface.
Step 3: Issue the following commands:

UPDATE mysql.user SET Grant_priv='Y', Super_priv='Y' WHERE User='root';

FLUSH PRIVILEGES;

GRANT ALL ON *.* TO 'root'@'localhost';

Step 4: Remove skip-grant-tables from /etc/my.cnf and restart the MySQL service.

Done!!

Posted in cPanel, How To, Software | No Comments »

Got my Yubikey!

May 17th, 2011 by Ken

So yesterday, a small package arrived in the mail for me! For those of you who haven’t heard of the Yubikey (I certainly hadn’t), it’s a great little USB device that generates a One-Time Password (OTP) at the press of a button.

You can configure the Yubikey, which supports 2 identities based on the length of time you press the button, to generate different types of passcodes from a static password to a challenge-response string.

What I really like about the Yubikey, and is what got me interested in it, is not only is there an API you can tie into, Yubico’s authentication server is open-source and freely available to download which means you can roll into your own personal applications!

I’m still digging into the possibilities of the Yubikey but right now, I’m pretty excited about the whole thing! For those of you who want to get even fancier, there are RFID versions and even one that’s compatible with Symantec VIP, all of which are quite inexpensive to buy from Yubico’s online store!

Posted in Fun Stuff, Hardware, Thoughts | No Comments »

Installing the H4H Affiliates Module

September 9th, 2010 by Ken

I helped a friend install the H4H Affiliates module on his osCommerce store after he ran into an issue where loading his site would return errors for missing files. The installation instructions were pretty good except for one step, where the author’s instructions are incorrect.

The step in question is the one where you add the following lines to your catalog/includes/configure.php:

// H4H AFFILIATE PROGRAM
if (isset($Module) && $Module == 'Affiliate') {
    define('DIR_WS_INCLUDES', '../includes/');
} else {
    define('DIR_WS_INCLUDES', 'includes/');
}
// H4H AFFILIATE PROGRAM

The problem is, the author tells you to add these to the end of your configure.php file when you should actually be replacing your existing DIR_WS_INCLUDES definition line.

The issue with the instructions as written is that a PHP constant cannot be redefined once it has been defined. So by placing the code at the end of the configure file, the existing DIR_WS_INCLUDES definition wins and nothing actually changes, which means the path is completely wrong when the affiliates code is run.

Posted in PHP | No Comments »

Comparing MacBook Pros

July 7th, 2010 by Ken

So I recently got a new MacBook Pro to replace my ailing one which gave me the rare opportunity to compare my late 2008 (the first unibody MBP) with the new 2010 model.

The main difference between the two models is the CPU: mine has the Intel 2.8GHz Core 2 Duo and the new one has the new Intel 2.66GHz Core i7. I also opted for the new high-res anti-glare screen over the regular glossy one I have now. (Back then, it wasn’t even an option to choose from.)

Cracking the box open, you still get the same sleek packaging, with the little “Designed by Apple in California” label, the documentation and cables in the tray, etc… Why mess with a great package design, right?

Posted in Hardware, Thoughts | 1 Comment »

Dual Monitors on Windows and Macs

March 28th, 2010 by Ken

When I had a second monitor on my Windows laptop, one of my must-have apps was Ultramon, a great little application that gives you greater control over your programs and wallpapers and extends the start bar across each monitor. The thing I really liked was that you could assign hotkeys to move your program windows between monitors, something that proved to be quite handy (especially when Windows would screw up and throw programs to a monitor that didn’t exist when you were in single-monitor mode).

For Mac users, a new app called SecondBar, which is still in its early stages, is the beginning of something similar to Ultramon. At the moment, it only duplicates the menu bar over one other monitor, and according to the developer, only works for some programs. A recent mention in LifeHacker has sparked development again so it’s definitely something to keep an eye on.

Posted in Software | No Comments »
