Camping

I went camping this weekend with some college buddies. We had a blast!


The weather was good. A bit stormy driving up, and it rained pretty hard the last night. One of the tents packed up that last night and cut out early. They always leave first thing on the last day anyhow, I am told, and this way they didn’t have to pack a wet tent.


Everyone’s favorite camping companion.


CVS came over to my place on Thursday night, and he made up some of his Famous Doners. We froze them down in my deep-freeze so they wouldn’t spoil in a cooler. My KitchenAid stand mixer with the bread hook does wonders with 6 lbs of ground turkey.


The finished Doners. We baked them off in my camp oven. They sure did turn out delicious! Thanks CVS!

Going camping again for the first time in about 5 years really got my camping juices flowing again. Now I need to start taking Bella.

HACKED!!!!

A friend’s website was hacked recently. It wasn’t a big deal for him, as it was a testing/playground site anyhow. The site’s homepage was simply defaced. The site was due to be drezzed and rebuilt anyhow.

I was concerned because it was a Joomla website. My sites at work are Joomla sites.

I tracked down how it was hacked for him. It took me an hour.

It was hacked out of Turkey – no legal recourse for him.

Basically, it turns out there was a bug in the password reset code that allowed them to reset the admin password.
http://www.compassdesigns.net/joomla-blog/Admin-Password-Reset-Vulnerability-in-Joomla-1.5.html — OHPSS!!!

It is interesting to note that they used Google to find websites with the vulnerability – their search was http://www.google.com/search?hl=tr&q=inurl:%22com_user%22+hello&start=40&sa=N

Here are the steps I took to figure this out. I had my friend dump the website and send it to me. The dump was the full filesystem for that website, a full MySQL dump of the database(s) for the site, and all the log files for that site. At this point he could start doing what he needed to do to rebuild the site.

When I got this zip file, I opened it and went to the logs. I just scrolled through the log to see if anything obvious stood out. Nothing at the initial glance.

Thinking it was a remote file include problem, I started looking for URLs that could have been included. This wasn’t it, but it did lead me to a spot where I recognized the name of a foreign file – an MP3 that the hackers uploaded.

I then grabbed their IP address and looked at the first instance where they interacted with the system. I found the Google search and the click-through to the password reset page.

At this point, I did a Google search of my own and found the hack.

A note on their behavior during the attack:
They started at 7:37 am our time, and were done by 7:49.
They checked the site again at noon, and again at 10:15pm. I guess they wanted a good laugh at how long it took before the site got fixed.
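The log triage described above (foreign file, pivot on the IP, recover the Google query from the referrer, lay out the timing) as an added Python example, not the author’s script. The Apache access-log lines, IP addresses, paths and timestamps are constructed placeholders that mirror the post’s timeline, not data from the real incident.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines that mirror the timeline in the
# post (Google referrer, com_user reset page, an uploaded MP3, two check-backs).
# IP addresses, paths and timestamps are placeholders, not data from the incident.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2008:07:37:02 -0500] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 4120 "http://www.google.com/search?hl=tr&q=inurl:%22com_user%22+hello&start=40&sa=N" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2008:07:40:11 -0500] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2008:07:41:30 -0500] "POST /index.php?option=com_user&view=reset&layout=confirm HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2008:07:48:55 -0500] "GET /images/stories/hacked.mp3 HTTP/1.1" 200 3145728 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2008:12:01:14 -0500] "GET / HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2008:22:15:40 -0500] "GET / HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_log(text):
    """Parse combined-format lines into dicts sorted by time; skip malformed lines."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])

def suspect_ips(entries, foreign=(".mp3", ".pl", ".php.txt")):
    """Step 1 from the post: who touched a file that does not belong in a CMS tree."""
    return {e["ip"] for e in entries if e["path"].lower().endswith(foreign)}

def search_query(referer):
    """Step 2: if the referrer is a Google results page, recover the query used."""
    u = urlparse(referer)
    if "google." in u.netloc and u.path == "/search":
        return parse_qs(u.query).get("q", [""])[0]
    return None

def timeline_for(entries, ip):
    """Step 3: pivot on the IP -- first contact, how they arrived, what they hit."""
    hits = [e for e in entries if e["ip"] == ip]
    return {"first_seen": hits[0]["ts"].strftime("%H:%M"),
            "last_seen": hits[-1]["ts"].strftime("%H:%M"),
            "arrived_via": search_query(hits[0]["referer"]),
            "hit_reset_page": any("option=com_user" in e["path"] and "reset" in e["path"]
                                  for e in hits),
            "requests": len(hits)}
```

Running `timeline_for(parse_log(SAMPLE_LOG), ip)` for each address in `suspect_ips(...)` reproduces the post’s picture: first contact via the `inurl:"com_user"` search, the reset page hit, and the noon and 10:15 pm check-backs.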

The moral of this story is that if you use open source software, make sure you keep it updated. With the ability to Google search for pages that are running a known piece of code, an awful lot of websites can get hacked between the time a vulnerability is known, the time a fix is released, and the time you get that fix installed.