Statcreate.sh

Posted on January 15, 2006

Well, I sat at Primo 360 tonight and hacked up a little shell script to automatically add a statistics page for an arbitrary virtualhost on my server. The problem was, every time I added a new host, I’d need to manually create some scripts to run awstats and add those into cron. Now, I can do it with one command, completely automatically. This script is pretty robust and does a lot of work that I was previously doing manually. The next step is to create a script that automatically adds bind, sendmail and apache configuration per VirtualHost entry. It would be a lot easier if all of these programs used MySQL instead of flat files, so they could easily be controlled by a web control panel instead of having to write custom infoware to do all of the updates.

Reaching Valhalla via Port 25 (over SSH)

Posted on December 06, 2005

I was infinitely proud of this last hack on OS X that seems to work. I wanted to send email from an arbitrary wireless or wired IP address from Mail.app. So, here’s what I did… I issued this command to route port 25 from suudsu to hudge!

sudo ssh -L 25:localhost:25 hoyhoy@hudge

Hudge is where involution.com is hosted and runs a mail server. So, I redirect my Powerbook’s port 25 to hudge, and configure Mail.app to use localhost as its outgoing sendmail server over an encrypted link via SSH. I’m syncing my Powerbook to Gmail’s POP access (over SSL). Involution.com’s mail (*@involution.com) that is not stopped by Spamassassin, Bogofilter, DCC, or my custom virus notification and unreadable character set filters is forwarded to GMail if it’s not something that was sent from within gmail, and mails sent to hoyhoy@example.com are forwarded back to hudge, which implicitly creates a backup. Also, I set up Mutt to BCC sent mail to GMail so it’s included in the archive. The only one that I haven’t figured out is how to make Mail.app BCC sent mail to Gmail, and how to make GMail send its sent mail back to hudge. I know there’s ample sendmail foo to be messed with, and I imagine it’s possible to replicate based on the fact that it knows when an email is coming from the Mail.app MUA and tony@involution.com, it is safe to mirror that to my user account on hudge. Similarly, I think I can actually hack Eric S. Raymond’s “fetchmail” program to download emails that I sent from GMail over POP3, and only grab any email that I didn’t send to myself, and archive it on hudge. These are automatically in Mail.app because it syncs to GMail POP3, and sent email is part of what’s downloaded. So, basically, I’m left with emails I sent from Mail.app only being in Mail.app, and email sent from GMail only going to Mail.app and not hudge, but everything else is mirrored everywhere. I used to keep Outlook running on Windows too, but I stopped being part of that whole scene about four years ago. I transferred all of my Outlook email over to Berkeley format and use pine to look through it, on the rare occasion I need an email from before 2002. If only I could somehow get all of that imported to GMail, but that’s another story.
Someone needs to write a GMailFS driver to where I can simply drag .eml files or entire mbx files and have them import.

The Nunar Reaper

Posted on June 06, 2005

People keep hammering my sshd with false login requests. I wrote this script which I call nunar_reaper.pl that retaliates against the stupidity in favor of a tarpit. The infamous Dave Dellanave helped out with this one. I still need to fend off imaginary user name attacks, but that’s a little harder.

#!/usr/bin/perl
use strict;
use warnings;

my %blocked;   # IPs already dropped, so each attacker gets one rule, not one per attempt
# Follow sshd's log as it grows (RHEL-style /var/log/secure).
open(my $tail, "-|", "tail", "-f", "/var/log/secure") or die "tail: $!";
while (my $line = <$tail>) {
  # Reap root login failures only; the offending source IP is dropped on eth0.
  next unless $line =~ /Failed password for root from (\d+\.\d+\.\d+\.\d+)/;
  my $ip = $1;
  next if $blocked{$ip}++;
  system("iptables", "-A", "INPUT", "-i", "eth0", "-s", $ip, "-j", "DROP");
}

Modesto Linkin’ Bonanza

Posted on December 10, 2004

Bumper is taking an innovative approach to dealing with hotlinkers by updating a couple of images grokked by the Modesto Junior College Criminal Justice Page. I’ve petitioned him to have Sterrance/Rendoggle Day, and I think he’s going to do it given enough pressure from the blogging community.

HijackThis?

Posted on September 03, 2004

Wednesday night, I had to rescue a friend’s Windows 98 computer from Spyware oblivion. I was amazed at how far behind the times I had gotten in terms of spyware/adware removal with Windows and Internet Explorer. I hadn’t realized what nasty, evil stuff was on the Intraweb these days. When I first started working on the machine here’s what I noticed:

  • Internet Explorer’s start page was about:blank, but some site appeared that continually popped up windows.
  • IE Default Search was set to some dll on the hard drive
  • HKLM/Software/Microsoft/Windows/CurrentVersion/Run, RunOnce, and HKCU/Software/Microsoft/Windows/CurrentVersion/Run had lots of suspect entries like "Winad.exe" and "Winclt.exe"
  • Win.ini had a suspicious Run entry.

Now, whenever faced with this situation, I usually do the following. First, I run Windows Update about two to three times to upgrade IE and get all the Critical Updates. This particular box hadn’t been updated since like 1999. So there was something like 21 Critical Updates from The Vole to apply. After that, I then delete spurious entries from the various Run and RunOnce Keys from the Registry, run Ad Aware, delete suspect entries from Start Menu->Startup, and run sysedit to peruse autoexec.bat, config.sys, win.ini, and system.ini. This is what I _knew_ already going into the situation which is substantially more than most people.

To my surprise, all that couldn’t remove CWS which was causing Internet Explorer’s about:blank to download from some very questionable web site and I think _REINFECT_ the box by executing arbitrary code. Thankfully, the reinfections stopped occurring after the Windows Update, but IE was still hopelessly infected with various toolbars and a nefarious about:blank redirect.

I had vaguely remembered that SpyBot was supposed to be a halfway decent program in the same vein as AdAware. So, I downloaded and installed it. It managed to find and remove loads of stuff that AdAware missed all without incident. It even forced a reboot of the box, and axed a bunch more malware that was immutable after Windows had loaded it into memory on boot-up.

I had never heard of HijackThis until googling for the specific problems I encountered over the course of cleaning this box. HijackThis informs you of every modification done to the Registry (post-install) that could be harming your system. It can then fix or delete any or all of the items that it finds. HijackThis managed to find even more malware hiding in the depths of the Registry that was missed by AdAware and Spybot. I promptly removed these items which were mostly extraneous IE toolbars and cruft.

After all of that, IE’s default page was fixed, however, Winad and Winclt remained in the process list. It seemed to me that these two processes were a very lame imitation of the famous Xerox/Motorola “Friar Tuck/Robin Hood-hack”. When you kill Winclt, Winad starts a new Winclt. When you kill Winad, Winclt starts a new Winad. Of course, when you delete the Winad entry from the Registry Run key, this process manages to rewrite it again within seconds. In addition, the executables were loaded into memory and immutable. So, they couldn’t be deleted when Windows was booted, and Spybot couldn’t manage to axe them during its boot-up removal process. My solution to this was to reboot and hold down F8 when Windows restarted. Boot into “Command-line Only Mode”, and do a

deltree c:\progra~1\winad~1

Finally, I reran Spybot, HijackThis, and Adaware yet again, and purged the remaining malware in the depths of the OS. When I was done, the machine appeared to be clear of all the spy/ad/malware that had infected it, however, without reimaging the box, there’s no way to be 100% sure. After all, every executable is now suspect to having been tampered with.

I can’t imagine an ordinary member of the populace being able to fix problems like these. It’s amazing to me that Microsoft would allow such insanity to occur on its operating systems. I don’t see how normal trusting people can be expected to maintain a Windows system that is inherently insecure.

Paul Graham

Posted on August 14, 2004

I happened across this guy’s site again. I say again, because I read his first article sometime in 1999. I started reading his articles at 10 PM and stopped at around 1 AM after exhausting his online archive. After reading everything he had to say, it seriously made me want to start learning Lisp and Python.

0wnz0r3d!

Posted on July 20, 2004

Well, apparently my old provider got what we in the business call “teh 0wnz0r3d!!!!”. There was some IFRAME tag in a couple of my html files that got restored from the old server in California.
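The check a practitioner wants after restoring files from a compromised host is a pass over every HTML document for frames that should not be there. The scanner below is an added example, not from the original post and not the author’s own tooling; it flags an <iframe> when its src points at a host other than the site’s own, when it is sized to zero or one pixel, or when inline CSS hides it, which is the usual shape of an injected drive-by frame. The site host “involution.com” comes from the page; the sample HTML and the 203.0.113.5 address in it are constructed for the demonstration.

```python
"""Scan static HTML for injected IFRAMEs (drive-by style)."""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect (line, src, reason) for every suspicious <iframe> in a document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":               # HTMLParser lower-cases tag names, so IFRAME matches too
            return
        a = {k: (v or "") for k, v in attrs}   # bare attributes arrive as None
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # 1. frame pulls content from a host that is not ours
        if host and host != self.site_host:
            reasons.append("off-site src " + host)
        # 2. frame sized so the visitor never sees it
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero-size frame")
        # 3. frame hidden with inline CSS
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            line, _ = self.getpos()       # position of the tag being handled
            self.findings.append((line, src, "; ".join(reasons)))


def scan_html(text, site_host):
    """Return the suspicious iframes found in one document as (line, src, reason)."""
    finder = IframeFinder(site_host)
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root, site_host):
    """Walk a document root and return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.htm*"):
        hits = scan_html(path.read_text(errors="replace"), site_host)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample page (not the author's files); the second iframe is the injected one.
SAMPLE_HTML = """<html><body>
<h1>Involution</h1>
<iframe src="/gallery.html" width="600" height="400"></iframe>
<p>Some perfectly ordinary text.</p>
<IFRAME src="http://203.0.113.5/cgi-bin/x.php" width="0" height="0" style="display: none"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for line, src, why in scan_html(SAMPLE_HTML, "involution.com"):
        print(f"line {line}: {src} ({why})")
```

On the sample this reports only the second frame, with all three reasons, and leaves the site’s own full-size gallery frame alone. A restored tree is scanned with scan_tree("/path/to/htdocs", "involution.com"); a clean result is not proof of a clean restore, since the same server could have altered scripts or images, but it catches the pattern described above.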

DoS Attack?

Posted on March 12, 2004

Involution.com is receiving what appears to be a DoS attack from host-24-225-153-16.patmedia.net. I’ve contacted my provider and patmedia.net to attempt to stop this.