What could be more fun…

Than strapping C4 onto a hamster and blowing up monsters with it?

From the NeedCoffee Blog:

Well, it’s a Death Jr. flash game. In the game, you’re Death Jr., wielding hamsters that have some C4 strapped to them. You release them, they run towards a demon, you detonate them properly, and blow the demon’s head off. You score points based on how much carnage the severed, flaming demon’s head causes to other entities on the board once blown off. There’s warp pads and floating demon lords and…I dunno, just oddly reminds me of what it was like to attend high school in Alabama. For some reason.

Those Wacky Japanese

There is a large thread on JWZ’s Live Journal about weird Japanese TV shows…

“If reducing Teenagers to tears on TV isn’t a worthwhile national obsession… nothing is. At least it’s a damn sight better than the Japanese relationship with Baseball.”

Many links to clips from weird Japanese TV shows.

Well, we are back

Okay, that was not fun.

As I mentioned in my last entry, I got hacked.

So I upgraded PHP and Apache to the latest packages available from RedHat for ES 3 (which is what I am running.)

Unfortunately, they are not very current. RH supplies PHP 4.3.2 and Apache 2.0.46. The current versions are PHP V4.4.1 and Apache 2.0.55.

Ten minutes after I upgraded, I got hacked again. A different hack, but still!

Both times they came in through the web server, so I took it offline for a bit while I regrouped.

So I had to pull down the sources and build. I figured it might make the most sense to use the RedHat RPM spec files to build with, so I grabbed them and mangled them to suit. And mangled them. And mangled them some more.

Those of you who have created RPM spec files will know what I am talking about.

But I prevailed and finally got Apache 2.0.55 and PHP 4.4.1 built and installed.

Now I just have to make sure that all the PHP apps that I have on all my virtual servers are up to date.

Just what I needed, something to do over the weekend…

If you would like the Apache and PHP rpms, they are right here. I make no warranty as to their suitability.

As a matter of fact, I know that the httpd.conf file that the PHP rpm drops is whacked, but I’m too annoyed to fix it.

If you are an admin, you can work around it.

Looks like we got hacked…

My face is red…

My friend Sean got hacked a couple of weeks ago and I thought it was pretty funny. I saw evidence of the same hack attempts on my server, but thought I was immune.

Hah.

For about a week I’ve been noticing that a perl process owned by apache had been eating a bunch of CPU, and I just figured it was an awstats bug or something.

Then I got curious so I started poking around a bit. Strace didn’t show me anything useful, but poking around in the process table showed that the cmdline for the process was /usr/sbin/apache/logins.

There is no such binary on my system.

So I stopped apache and then tried to restart it. I got an error stating that port 80 was already in use. WTF?

A little poking around showed that a process owned by apache and named ./r0nin was running. Uh-oh.

Sure enough, in /tmp was a file named r0nin dated Dec 17th! Man. That’s a pisser.

Running strings on r0nin showed this:

socket
bind
listen
PsychoPhobia Backdoor is starting…
OK, pid = %d
/dev/null
/var/tmp
HOME=%s

Whoops.

Looks like the same PHP bug that bit Sean.

The RedHat ES 3 version of PHP is 4.3.2, kind of old. I was running 4.3.2-14 and the latest version is 4.3.2-26, so I upgraded. The release notes say they fixed some security holes, so I hope this plugs this one.

Guess maybe I should find a later version – maybe download the source and compile it.

I think my server is okay, I’m betting that my firewall blocked the inbound connection attempts, but maybe not, since it seemed to be trying to listen on port 80…

I’m going to have to poke around some more on the box. 🙁
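
The two symptoms in this post, a binary running out of /tmp and a process whose command line names a program that is not on disk, can be checked across the whole process table. The script below is an added example, not part of the original post; the function name and reason labels are made up here, and it assumes a Linux-style /proc.

```shell
#!/bin/sh
# Added example: triage the process table for the symptoms described above.
# The proc root is a parameter so the checks can be run against a
# constructed directory tree as well as the live /proc.

# suspicious_procs [proc_root]
# Prints "pid<TAB>reason<TAB>detail" for every process that
#   - runs an executable that has been deleted from disk,
#   - runs an executable stored in /tmp, /var/tmp or /dev/shm,
#   - has an absolute argv[0] that does not exist (the cmdline was rewritten).
suspicious_procs() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads have no exe link; unreadable links (not root) are skipped too.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        # cmdline is NUL-separated; the first field is argv[0].
        argv0="$(tr '\000' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)"
        case "$exe" in
            *" (deleted)")
                printf '%s\tdeleted-exe\t%s\n' "$pid" "$exe" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s\ttemp-dir-exe\t%s\n' "$pid" "$exe" ;;
        esac
        case "$argv0" in
            /*)
                # Checked in this shell's filesystem view, so a chrooted
                # process can produce a false positive here.
                [ -e "$argv0" ] || printf '%s\tmissing-argv0\t%s\n' "$pid" "$argv0" ;;
        esac
    done
}

# Usage, as root so that other users' exe links are readable:
#   suspicious_procs /proc
```

Anything it prints is a lead to follow up, not proof of compromise, since some legitimate programs also rewrite their command line.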