Something to talk about…
I finally figured out something involving technology that I can write about and remain employed. It isn’t that I haven’t had anything cool to talk about in the last year. The problem is, I am not allowed to talk about my job on the social medias… so there’s that. I have had all kinds of cool things to talk about over the last year; it just wasn’t something that I could share with the world. My newest hobby is actually an old hobby. I have been working on video editing for my church. It is something that I have not worked on intently since I was in high school. Way back in the olden days (the late 90’s) I worked after school doing video editing. I have used iMovie and some of those tools over the years here and there, but in the last 2 months I have been in it every week editing the weekly sermon and making video bumpers for different events here at the church. Creating digital media has never been my strongest skill, so it is making me stretch to come up with ideas. Here is a link to the YouTube channel we have started. Really the editing portion of it has been pretty easy: chop off the front and the back, then upload it to YouTube and embed it into the website. It has still been fun. I am also working on creating some new motion graphics for the bumpers on the sermons. Here is the first one I have done. I downloaded Motion from Apple to get me started. This is my first project; I am now working on some more loops to welcome people and announce events. I will post them here as I get them worked out.
It has actually been really fun to get away from the engineering side of things and be creative. At first I was dreading it, but now it has become an outlet. To learn about how Motion works (I am by no stretch an expert) I found some cool videos to get me started and I went from there. Here are some of the videos I watched to get reintroduced to video editing on Macs.
33 today – another year in the books
I haven’t been posting as regularly as I would like lately. The last few months have been a blur. It seems that everything has been changing in the last year and then the last few months it ramped up even more. In the last year we (my little family) have experienced some major challenges and been through some changes and battles that we never saw coming.
Both my wife and I have switched jobs in the last year, for me just in the last 3 months. Today marks 3 months at my new job and I am really enjoying it. I have been learning a completely new area of IT and I have enjoyed the challenges of being stretched in new ways. I miss many of my friends and co-workers that I have spent years getting to know, but this was a change that was in the best interest of my family. I am home every night and have an amazingly regular schedule that allows me to attend soccer practice and swim practice and many of the things I just couldn’t get home for early enough previously. My wife is teaching at a new school that she loves, her second year starts tomorrow, as well as Ayden’s. They are loving it there and are both growing in new and different ways. Jamie is teaching subjects that she hasn’t taught before and Ayden is amazing me more each day with how he soaks up and retains everything.
However, it hasn’t all been unicorns and rainbows. I lost two grandparents in the last few months and that has weighed heavily upon us. A big part of why we have never left the town that we are from is our families. Jamie and I are both extremely close with our families and losing two grandparents so close together was really hard on all of us, especially Ayden.
The other dramatic change has been that in the last year Jamie and I have taken up a serious focus on our health. I have lost 50 pounds since this time last year and I have never felt better. All 3 of us are participating in 3 5K events in just as many months. It is going to be a fun time, which is never something I would have said about exercise previously, but it is fun because we are all doing it together.
Finally, we have spent a lot of time this year with our friends. We have made new friends and had some friendship attrition as people have grown and changed. If anyone knows me well, you know how important my friendships are to me and I take them seriously. If I call someone my friend it doesn’t mean I would call them for dinner, it means I would call them to help bury a body. We have rekindled some old friendships and made some new ones that I hope last a lifetime. My granddad used to say if you can make it your whole life and be able to count yourself as having 5 great friends you were really blessed. We are beyond blessed and it means a lot to have these people in our lives. To Jamie and me, friends are synonymous with family and we are blessed to have such a large family.
Anyway, that is all for now. I hope to be able to get more time to post as I get more into the groove with this new job.
Helpful WordPress Plugin
I have been using a free WordPress plugin to track unauthorized attempts to log in to my WordPress instance. It is called “Limit Login Attempts” and can be found here: http://devel.kostdoktorn.se/limit-login-attempts. It comes configured to allow 4 bad logins before blocking an IP address for 24 hours. I set mine up this way and watched over the next few days as the same IP tried every day and got blocked every day. At least this user is persistent. Not smart, but persistent… and noisy. Anyway, I have now moved the lockout time to 9999 hours (the max the box would allow) just so I get fewer emails about this attacker.
Once you configure the “Limit Login Attempts” plugin it will send you a nice email reminder when it blocks someone that looks like this one below:
Each time I see this email it just warms my heart, maybe I’m a little bit broken…
I could also edit my .htaccess file to block him/her, or the entire country the IP is originating from. However, that would cut into my fun of watching what is going on. That is what this is about anyway, my entertainment. There is a great site to help you write and edit .htaccess files that can be found here: http://incredibill.me/htaccess-block-country-ips. Some more specific tuning resources for .htaccess can be found here: http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
Another option is to limit your logins based on the originating IP address (this is a smart idea). If you are on the go as I often am, connecting from your phone, home, and/or work, this is not your best option as the rules will get long and messy. It would also be “recommended” to disable or hobble your admin account. I set my admin account to a basic read-only account and used a complex password generator, so if you can get into that account, it’s yours: read all you want, but no posting.
Screenshot of the plugin and its logs, click on images for a larger view.
MySQL Backup and Restore
I was having a hard time moving my blog from one database server to a newer one at my hosting company that had more space and was reportedly faster. After banging around for a bit I found it was most easily accomplished from the command line using only two commands. This technique requires access to your web host via SSH, and some knowledge of the *nix command line.
mysqldump --host=server.name --user=user.name databasename -p > filetocreate.sql
You will be prompted for the password, which you can enter. The file will be output into the folder you are currently in. After this completes you can upload the file to your new database host with the following command:
mysql --host=new.server.name --user=user.name -p databasename < fileyoucreated.sql
Again you will be prompted for the password, which you can enter, and the database will be streamed to its new location. Once that is done, back up wp-config.php and then pop into your wp-config.php and update the database name, username, database host name and password. Cross your fingers and open the site back up to see the results; your mileage may vary. Drop me a message if this doesn’t work for you.
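The last step above (back up wp-config.php, then update the four database settings) done as a script, as an added example that is not from the original post. It assumes a standard wp-config.php with one define() per line, takes the new password from a DB_PASS environment variable, and the helper names are my own:

```shell
#!/bin/sh
# Added example, not from the original post: after the database move, back up
# wp-config.php and rewrite its four DB defines in one pass. The new password
# is read from the DB_PASS environment variable so it never lands in shell
# history or in `ps` output.
# Usage: DB_PASS='...' update_wp_config ./wp-config.php newdb newuser new.server.name

# Escape a value for a single-quoted PHP string: backslash and single quote.
php_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Escape a value for the replacement side of sed s|||: \ and & are special
# there, and | is the delimiter used below.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Rewrite DB_NAME, DB_USER, DB_PASSWORD and DB_HOST; every other line is kept.
# Each matching define() line is replaced whole, so a trailing comment on one
# of those four lines would be dropped.
update_wp_config() {
    cfg=$1 name=$2 user=$3 host=$4
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    [ -n "$DB_PASS" ] || { echo "DB_PASS is not set" >&2; return 1; }
    # Keep a timestamped copy before touching anything (the "backup wp-config.php" step).
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    n=$(sed_escape "$(php_escape "$name")")
    u=$(sed_escape "$(php_escape "$user")")
    p=$(sed_escape "$(php_escape "$DB_PASS")")
    h=$(sed_escape "$(php_escape "$host")")
    # Write to a temp file and rename, which behaves the same with GNU and BSD sed.
    sed -e "s|^define( *['\"]DB_NAME['\"].*|define('DB_NAME', '$n');|" \
        -e "s|^define( *['\"]DB_USER['\"].*|define('DB_USER', '$u');|" \
        -e "s|^define( *['\"]DB_PASSWORD['\"].*|define('DB_PASSWORD', '$p');|" \
        -e "s|^define( *['\"]DB_HOST['\"].*|define('DB_HOST', '$h');|" \
        "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Read back the raw value of one define(), handy for checking the result.
wp_config_value() {
    sed -n "s|^define( *['\"]$2['\"], *['\"]\(.*\)['\"] *);.*|\1|p" "$1"
}
```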
As anyone that knows me already knows, I am ADHD personified at times. However, that is not what this post is about. It is about another form of ADHD (Active Defense Harbinger Distribution), which is a Linux distribution that provides honeypot services and a whole lot more. There is some questionable legality in parts of the whole lot more, so I am just experimenting with the honeypot features. I forwarded a few ports to it on my home firewall so I can watch and see who is scanning me. This distribution is capable of tracking back to a hacker’s source, but until more legal precedents are set I will be content just to know who is scanning me.
If you want to download it for yourself you can get it here, but be warned: some of the things in the package could get you into trouble, so take care what you make public to the internet: http://sourceforge.net/p/adhd/wiki/Home/
It was created by some of the security minded folks that are creating inroads into offensive countermeasures: http://www.sans.org/course/offensive-countermeasures-defensive-tactics-work
Raspberry Pi – VPN & Proxy
Social Engineering Call
So this afternoon I got a call from a strange number – 248.562.1268. When I answered it was an Indian fellow who told me he was calling from tech support to help my computer. He said the last time my computer went online it downloaded a virus and he wanted to help me fix it. At this point my day was made. I have been hoping that they would call me because I wanted to see what website they were directing unsuspecting users to. He told me I needed to be in front of my computer, which I wasn’t, so that he could help me. I got a scrap of paper, took notes and pretended to play along. He wanted to know what version of Windows I was running before we got started. I said Windows 7 so he would keep going. First he wanted me to hold down the Windows key and press “r” on the keyboard; this is the shortcut for the “Run” box on Windows. He phonetically spelled out “prefetch”, so I played along, and he said all of the files in there were virus files and to delete them all. Next he said to type “eventvwr”, which launches the Windows Event Viewer. I said ok, I have it open. He wanted me to scroll through the Event Viewer for the first red icon I could find; I said I found one. He asked me to read the number out beside it. I just said a random number, I said 5000. He says this is a very grave situation, you have 5000 virus files on your computer. I will have to connect remotely to take care of the situation. In my opinion they would be doing a great job of building confidence with a user that was unaware of what they were doing. This call lasted almost 10 minutes before we even got to the exploit part of the call. Of course a lot of that was me saying “huh”, “what” and “could you say that again”. We spoke two very different dialects of English. He wanted me to visit www.360pcsupport.com. At this point I could not go any further as I did not have a computer handy, nor was I about to visit it… so I said I am very sorry, I have another call on the line, please call back later.
So far he has not called me back, but I really hope they do. I want to see where else he wanted to take me from one of my sandboxed workstations. If anyone else gets a call from them please let me know; I want to see if there are any other links I need to add into our web filtering system to block. This was way too much fun.
Amazing Slow Motion Photography
I saw this linked from an article I was reading and had to share it. It is some pretty amazing slow motion if you like that kind of thing. Turn the resolution up all the way and watch full screen.
Removing WordPress Malware
This week I had a friend contact me about a WordPress site he had built that was distributing malware. He had tried to clean it up and the malware was really persistent, so he asked me if I would like to take a look at it. I opened the site and NoScript instantly warned me about scripts trying to run. I opened up FTP to the site and saw that the index.php file was huge. I surfed around inside of the directory structure and index.php inside of the wp-admin directory was also quite large. In Googling around there was no definitive guide about how to remove infections like this, so I thought I should write up my findings if I was able to get it cleaned up.
Next I had to find what was causing the reinfection of the site. I was now able to open the wp-admin panel and log in. I went straight to the plugins section of the control panel and disabled all of the plugins. From some of the posts I had read there were lots of comments about rogue plugins causing this problem. I wrote down a list of the plugins and went back to my FTP client. There were several plugins in the FTP folder that were not listed in the admin interface. I renamed these folders immediately and started googling the plugins that were in the folder. One of them was “ToolsPack”; I had already observed several other users lamenting the problems with this plugin. It is basically a plugin that downloads and installs malware for you. While that is very helpful, it is not really what most users were looking for. Another plugin was just a random string of characters; it was also renamed. Typically I just add a .bad extension to the end of all suspect files/folders until I am sure they are ready to be deleted. Another good place to look is in your phpMyAdmin control panel. Navigate into your database as shown in the picture below and find the active plugins in the wp_options table. If you see any in there that are suspect, remove them. Just remember that a semicolon separates each plugin statement. It is important to get the formatting correct or you could experience problems. Check out the image of phpMyAdmin from one of my sites. Click on the image to see it in its original size so you can read the annotations.
Once the rogue plugins are disabled, the index.php files are set to a permissions level of 444, and you are feeling better about the site, you should use one of the free virus scanners out there to double check your work. This site – http://sitecheck.sucuri.net/scanner/ – will do a free virus scan of your site. I see no reason at this point to pay $89.99 for them to clean up a malware infection. After cleaning up one like this I think I would be happy to take someone’s $89.99 to do another one. It is not that bad if you are comfortable with the tools involved: FTP, a text editor, and a web browser with NoScript (to prevent infecting yourself). After Sucuri pronounces your site clean, use the FTP client to delete all of the files you marked as suspect with a .bad extension (or however you delineated them from the production files).
grep -r -l "Math.Pi" .
grep invokes the program, -r searches recursively, and -l lists the names of the files where the text is found. The string of text you are searching for belongs in the quotes, and finally the period at the end of the line means the current directory; then hit enter. Output will appear below to show you where the text is found. You have to be specific and careful. PHP is a programming language and the text you select to search for could be needed. Download a fresh copy of any files you think are suspect to compare against. I downloaded the .zip of the WordPress version that was installed in this case, and I downloaded and extracted all of the .zip files for the plugins and themes that were installed. This allowed me to search and compare the original intended code with what was running live on the site. I am not a programmer, but it was very clear when I found the bogus code that I had found it. Here is a screenshot of the code that I found and knew instantly was bad with little programming background. Keep in mind that the text extends well out of the image shown. Several of the lines that are cut off were over a thousand characters long.
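The compare-against-a-fresh-copy step above, scripted as an added example that is not from the original post. It assumes you have extracted the matching WordPress, plugin and theme .zip files into one pristine directory tree that mirrors the live site; the function names and the 1000-character threshold are my own choices:

```shell
#!/bin/sh
# Added example, not from the original post: compare a live WordPress tree with
# a pristine extract of the same WordPress, plugin and theme versions, and also
# flag PHP files containing very long lines (the injected code described in the
# post ran to over a thousand characters per line). Both helpers take directory paths.
# Usage: audit_wp_tree /path/to/pristine /path/to/live [max_line_len]

# Files whose contents differ from the pristine copy, plus anything present only
# in the live tree (e.g. plugin folders that do not show up in the admin panel).
changed_files() {
    diff -rq "$1" "$2" | awk -v live="$2" '
        $1 == "Files"  { print $4 }
        $1 == "Binary" { print $5 }
        $1 == "Only" && index($3, live) == 1 { sub(/:$/, "", $3); print $3 "/" $4 }'
}

# PHP files with at least one line longer than max characters (default 1000).
long_line_files() {
    find "$1" -type f -name '*.php' -exec awk -v max="${2:-1000}" '
        length($0) > max { print FILENAME; exit }' {} \;
}

# Combined, de-duplicated list of files worth opening in a text editor.
audit_wp_tree() {
    { changed_files "$1" "$2"; long_line_files "$2" "${3:-1000}"; } | sort -u
}
```

Unlike a grep for one string, this lists every file that was changed or added, which is where a reinfection script usually hides; a file that is both modified and contains a kilometre-long line is listed once.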
I hope someone else finds this helpful. It was frustrating as I looked for resources: there were lots of fragmented guides and forums where one or two of these ideas were mentioned, but not one that covered all of these different ways to look for and repair a malware problem like this. If nothing else it can serve as a reminder to me the next time I encounter one of these infections.