KDE now GPL3 only, wants to scrap my contribution?

June 9th, 2009 Open Source, Safe For Seneca

By Andrew Smith

I got an email from someone who appears to be helping KDE out with switching their licences. I guess at some point the guys decided that nothing in KDE shall be licenced GPLv2 only, and that’s the request I got – change the licence to “GPL2 or 3” or “GPL2 or later”.

Here are a couple of links describing the process:

http://techbase.kde.org/Policies/Licensing_Policy
http://techbase.kde.org/Projects/KDE_Relicensing

I’m not surprised to see only people’s names listed on the second page, no project names. I wonder how much software KDE plans to scrap just because some overly idealistic dudes with big beards decided the new GPL is much better and must be incompatible with the old GPL.

My piece of code in there is bkisofs – a library for reading and writing ISO files which is being used by Ark (the KDE archive manager). The integration was not my doing, I only helped – but the library itself is mine. KDE won’t explode if the functionality is removed from Ark.

I haven’t replied to the request yet. On the one hand I don’t care if it’s licenced GPL2 or 3, the changes I recall don’t affect this particular software. On the other hand – I am opposed to the GPL3 as a matter of principle, and I don’t like bending over or getting strong-armed into doing things with my volunteer time.

And if I allow this, that will count as a contribution to GPL3 zealotry.

I’ll go review the GPL3 some time in the next few days. If anyone still reads my blog and has ideas one way or the other – please share.

Niagara to Vaughan on a bike, at night

May 25th, 2009 Uncategorized

By Andrew Smith

Sunday was a nice day, and at about 17:00 I decided to go for a ride to Niagara. Everything went ok on the way there, things look nice in the spring. Got to go onto the hill that you can see south of the QEW, always wanted to do that.

Then it started to get dark. And before I know it some idiot turns left in front of me. Luckily he saw me in time and stopped turning, and I’ve slowed down enough so even if he didn’t stop I’d have been ok, but what the hell, is he blind?

A few seconds later I decided to check my headlight. Turned on the high-beam, nothing. Pulled over and sure enough the bulb is dead.

I’m 200km away from home, with not even enough cash for a motel room (and I have to go to work in the morning anyway), what do I do? I decide to try it – I rode home all the way, between 21:00 and midnight.

It didn’t take me long to decide that the QEW is the only way to go. It’s not that much faster than the smaller roads, but at least there aren’t any intersections, so I just had to watch the lane changes.

That turned out to be reasonably easy. Stayed in the middle lane most of the way – it was the slowest one so no one bothered to change into it, and I stayed behind other cars. It got a bit freaky at times where the QEW isn’t lit up – I could barely see the road.

In the end I got home with no incidents. Probably didn’t get pulled over because the cops couldn’t see me :)

Mad marking

February 15th, 2009 Open Source

By Andrew Smith

I’m marking the first assignment for the data structures and algorithms course. Two problems – a painful but well-defined majority element and the other a linked list. I’m reading this code and I’m getting a headache. I need to take a break every 30 minutes, it’s so hard.

The problem is I’m looking at the code and I know that it can’t possibly work. But it does. I try creating a scenario where it will fail as I expect it should, I fiddle with the memory arrangement on the stack, but the bloody things work anyway.

I know the right way to do it, but who says what I think is the right way really is? I’m not going to take marks off for thinking out of the box, even if that’s just evidence of not paying attention in class.

While it’s extremely unlikely that these weird ways to solve problems are any good in the real world, where other people have to read your code – I’ve read enough code in my life to know that whether it works is the ultimate quality metric, and readability is but an illusion.

Back to work.

Squeeeeeeeeee

January 31st, 2009 Uncategorized

By Andrew Smith

A few months ago my computer started squealing. It was annoying when it started – a kind of squeeck squeeck one or two seconds each, once a day. But recently one or two seconds turned into five or 6 seconds and once a day into twice an hour.

You have no idea how bad it is. Just imagine – you’re trying to concentrate on something, solve a complicated problem, find a hard bug, try to understand, and all of a sudden SQUEEEEEEEEEEEEEEEEEEE!

I had no idea where that sound was coming from, until I remembered my video card was making a similar sound if the computer was turned on without the power plugged into the card. I have a BFG GeForce 7800 in my desktop. I tried everything, including smacking the computer – which, amazingly, worked but it wasn’t a permanent solution.

Through trial and error I found the problem – a little beeper on the video card, specifically placed on there to annoy people who do real work rather than play games. Even though the circuitry looked tiny and it was soldered on both sides, I didn’t care – I was ready to smash the card with a hammer. So I used my huge solder gun to remove the speaker.

[image: geforce7800]

Peace at last.

Bloody scholarly papers

January 24th, 2009 Uncategorized

By Andrew Smith

I’m getting a master’s degree. And in the current course I have one of those professors who act like something’s up their ass whenever someone cites a work that’s not ‘academic’.

For the assignment this week I actually needed to get my hands on some academic papers, because the topic is so uninteresting no one else would bother to write about it. What a nightmare! I’ll tell you why, here’s the process I have to go through to get to only one of these papers:

  • Find the paper I need via google, because the library search engine is crap.
  • Paste the title into the library search engine.
  • Remember to check ‘Computing’, which is down below the search button, or else the following step will need to be repeated.
  • Watch the MetaLib ‘Quick Search’ search the databases for anywhere between 1 and 3 minutes (I’m not kidding).
  • Click on the title of the paper in the search results (assuming the search didn’t crash, which it does sometimes).
  • Scan the following page for 20 seconds looking for anything that remotely sounds like ‘download’ or ‘view’. For this particular paper it turned out to be called “Resource:”
  • Click that link. A popup window opens with MetaLib doing something unspecified for a few seconds. This window is 1/4 of the screen in size and has no navigation buttons.
  • Read the error message in bold: “An error has been encountered. Invalid Parameters”
  • Click on ‘Quick Search’ (in the window with the error). Some long number is pre-filled into the search bar.
  • Select ‘Technology’ in the subject area drop-down and click ‘search’.
  • The thing comes back with a link to the paper you were looking for. Click that.
  • Scan the following page for 20 seconds looking for anything that remotely sounds like ‘download’ or ‘view’. For this particular paper it took a minute.
  • Click the ‘Find it @ Liverpool’ link disguised as a title banner.
  • It says ‘Full text available via ACM Digital Library’, whatever – click go.
  • A popup window opens, this one 1/6th of the size of my screen. This is the same page I found via google – except now I have the permission to download the paper. Click on the pdf link.
  • PDF downloads.

You see all of the above? That’s for ONE PAPER! It may not even be of any use in my research, I may need to repeat all of the above process 20, 30 times. What sort of a lazy ass moron thinks that I have time for this? In the time it took me to open the academic paper I would have learned everything they found reading the Wikipedia, forums, blogs, wikis, the MSDN, and a hundred other online resources designed to be accessed easier rather than harder. It turns out that on this topic there are no resources except academic, but man am I pissed.

What’s with this pay to access thing anyway? I’d like to know how much money the publishers make charging for access to 15 year old papers. I understand that the peer review process is expensive, that’s fine. Have the papers in the last year, two, five locked up. But for fuck’s sake put anything more than 10 years old in the public domain. If you don’t you will lose your business as people growing up today feel as I do. I will never look for an academic paper when I have a choice. And that means that 10 years from now these publishers and librarians will be out of a job, because of their belief that they are irreplaceable.

Morons!

Hacked! Part 3 – Teaser

January 12th, 2009 Open Source, Safe For Seneca

By Andrew Smith

I left off with my server almost completely back up, but not yet Apache. I’ve had to make sure the web apps off the internet weren’t full of security holes before allowing access to them again.

Though this is my third post 4 days later – in real time it’s been less than 24 hours since I’ve discovered the ftp scanner. So I had some breathing time to do a half-decent job.

Most of all I suspected Wordpress. They come up with a new version every few months and every time claim it’s a security update, which makes me wonder if it’s ever secure. Luckily both ISO Master and Grumble Grumble are just stock wordpress installs with a theme over them. Everything else is stored in the database. So I was able to delete all the code except for the themes, install Wordpress 2.7 on both, and miraculously both websites came back up with no trouble whatsoever.

I have not reviewed the theme code or the contents of the databases – I assume the Wordpress guys were smart enough not to store executable code in either of those places. Either way it was a risk I was willing to take.

A third Wordpress website (the old Canvas3D blog) I’ve decided not to bother with and left it with chmod 0.

Three web apps down, two to go – SquirrelMail and RoundCube. I have both installed because I have more than one email account, so I have both open in browser tabs at once. I’ve decided to look around before enabling these. RoundCube first. Some way or another I stumbled upon a php file in the logs directory:

root@legrand-sw:/media/hd/home/www/htdocs/mail/logs# ls -al
total 129
drwxrwxr-x  2 andrew apache    120 2008-12-30 18:00 ./
drwxr-xr-x 10 andrew users     480 2008-08-15 10:25 ../
-rw-r--r--  1 apache apache  14985 2009-01-07 13:29 errors
-rw-r--r--  1 apache apache   7033 2009-01-07 13:26 sendmail
-rw-r--r--  1 apache apache 105643 2008-12-30 18:00 zq.php

Which is a really strange place to keep a php file, especially since the directory is writeable by Apache. See how zq.php is owned by apache? That’s really bad. And lookie here what was at the top of zq.php:

/******************************************************************************************************/
/*
/*                                     #    #        #    #
/*                                     #   #          #   #
/*                                    #    #          #    #
/*                                    #   ##   ####   ##   #
/*                                   ##   ##  ######  ##   ##
/*                                   ##   ##  ######  ##   ##
/*                                   ##   ##   ####   ##   ##
/*                                   ###   ############   ###
/*                                   ########################
/*                                        ##############
/*                                 ######## ########## #######
/*                                ###   ##  ##########  ##   ###
/*                                ###   ##  ##########  ##   ###
/*                                 ###   #  ##########  #   ###
/*                                 ###   ##  ########  ##   ###
/*                                  ##    #   ######   #    ##
/*                                   ##   #    ####   #    ##
/*                                     ##                 ##
/*
/*
/*
/*  r57shell.php -
/*                                               : http://rst.void.ru
/*        : 1.3 (05.03.2006)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*                                          : blf, phoenix, virus, NorD                  RST/GHC.
/*                       -
/*     rst@void.ru.                                  .
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*  (c)oded by 1dt.w0lf
/*  RST/GHC http://rst.void.ru , http://ghc.ru
/*  ANY MODIFIED REPUBLISHING IS RESTRICTED
/******************************************************************************************************/

Isn’t that interesting... I didn’t quite know what to think of the bug – on the one hand looks like the hacker put it there to taunt me, on the other hand RoundCube is a young open source project so who knows what the developer was smoking?

Didn’t take long to figure out though: both http://rst.void.ru and http://ghc.ru are hacker websites, though ghc.ru looks half-commercial. And the contents of the file (which I’ve had no time to analyse) clearly do something that isn’t nice. I’ve renamed the file to .txt and put it up for you to study if you care.
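The condition that let zq.php land in logs/ (a PHP file inside a directory the web server can write to) can be checked mechanically. The function below is an added example, not from the post: it lists every .php file whose parent directory is group- or world-writable under a web root. The fixture tree, its mktemp location and the 775/755 modes are constructed for the example; a real run would point it at the loop-mounted image’s htdocs.

```shell
#!/bin/sh
# Print every .php file that sits directly inside a group- or world-writable
# directory below "$1". Group-writable matters here because the post's logs/
# directory was drwxrwxr-x with group apache, i.e. writable by the web server.
find_php_in_writable_dirs() {
    root="$1"
    find "$root" -type d \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' -print
    done | sort
}
# On the real host, add the ownership check the author made by eye
# (a script created by the web server user itself):
#   find /media/hd/home/www/htdocs -user apache -name '*.php'

# Constructed fixture mirroring the post's layout: a 775 logs/ directory holding
# a dropped script, next to a 755 program/ directory with legitimate code.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/htdocs/mail/logs" "$base/htdocs/mail/program"
    chmod 755 "$base/htdocs" "$base/htdocs/mail" "$base/htdocs/mail/program"
    chmod 775 "$base/htdocs/mail/logs"
    : > "$base/htdocs/mail/logs/errors"
    : > "$base/htdocs/mail/logs/zq.php"
    : > "$base/htdocs/mail/program/index.php"
    echo "$base"
}

# Stand-alone demo: build the fixture, run the check, clean up.
demo() {
    base=$(make_fixture)
    find_php_in_writable_dirs "$base"
    rm -rf "$base"
}

demo
```

Only logs/zq.php is reported; program/index.php lives in a 755 directory and is skipped.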

As with mailman (see previous post) I decided this service is not going to be reenabled. Maybe I messed up something during setup, but just as likely RoundCube was at fault. After all it was the first ‘stable’ version, 0.1. And I’ll keep SquirrelMail off too for good measure, I’ll just install Thunderbird on all my machines.

So there you go. One clue in Mailman, one in RoundCube. Are they related or are they two separate hacking attempts? Were they run by script kiddies or serious hackers? Having some evidence that the ftp scanner was set up manually I tend to favour the latter possibility. And what of this zq.php? Was the logo there because it’s a general-purpose cracking tool, or because those groups actually had something to do with my server?

There’s lots of investigation left still. At this point my server is completely operational so I have lots of time. I do hope I find more clues, mystery solving turns out to be a really exciting hobby.

Hacked! Part 2 – Open source hacking

January 11th, 2009 Open Source, Safe For Seneca

By Andrew Smith

First things first – my server had to be brought back up. But bringing it back up was not a matter as simple as reinstalling Slackware and plopping the home directories back in. So the first thing that needed to be done was to figure out how the server’s been compromised.

The quickest way to do this, I figured, was to do both at the same time. I’d get the data off the server, reformat the hard drive, start reinstalling the operating system, and during that time would analyse the backed up files for evidence. Just to be thorough I wanted to keep a byte-by-byte copy of the hard drive – that may contain clues that simple copies of the files would lose, and using the image I could bring a clone of the hacked server back up in a controlled environment – exactly the same minus any processes that were running.

The command was easy enough, ran from the shell of a Slackware 12.2 installation CD:

dd if=/dev/hda1 | ssh 10.0.0.1 dd of=/media/backup/hacked/hda1.dd
dd if=/dev/hda2 | ssh 10.0.0.1 dd of=/media/backup/hacked/hda2.dd

I’ve saved hda2 (the swap partition) just in case I ever found a tool to analyse contents of memory (unlikely to happen). Turns out the 80G image would take hours to transfer over, so I set the alarm clock for 2AM and went to sleep for a couple of hours, knowing I wouldn’t get any the next day.

The image hda1.dd (as any other image of a Linux-supported filesystem) can be mounted onto an existing system. I decided to go ahead and do that since nothing on the partition could damage a fresh system unless they found a bug in the filesystem driver and infected the FAT:

mount /media/backup/hacked/hda1.dd /media/hd -o loop

Looking around /media/hacked I quickly found something that got my attention: a file and a directory in /root/ that didn’t look familiar:

root@legrand-sw:/media/hd/root# ls -l heroina/
<stripped out some things>
drwxr-xr-x 2   1003 users   304 2008-09-23 16:24 heroina/
-rw-r--r-- 1 root   root  81920 2008-12-16 16:42 ketamin.tar

root@legrand-sw:/media/hd/root# ls -l heroina/
total 92
-rwxr-xr-x 1 1003 users    82 2006-03-10 15:02 0-100*
-rwxr-xr-x 1 1003 users    84 2006-03-10 21:02 100-200*
-rwxr-xr-x 1 1003 users    84 2006-03-10 21:02 200-255*
-rwxr-xr-x 1 1003 users   428 2009-01-07 23:44 dava*
-rwxr-xr-x 1 1003 users 17145 2008-09-23 17:07 ftp_scanner*
-rwxr-xr-x 1 1003 users 17246 2008-09-23 16:49 heroina.c*
-rwxr-xr-x 1 1003 users  2094 2006-03-10 21:02 o*
-rwxr-xr-x 1 1003 users 20313 2008-06-15 18:46 pass*
-rwxr-xr-x 1 1003 users   119 2008-09-23 16:22 run*
-rwxr-xr-x 1 1003 users  7490 2008-06-17 15:51 users*

There’s my ftp_scanner, and who would have thought, it even comes with source code. Well of course – who would use a binary to mess with an open source server? Yep, here’s heroina.c if you care to look at it, but basically it looks like general-purpose software:

Multi-thread FTP scanner v0.2.5 by Inode <inode@wayreth.eu.org>

users and pass are tiny dictionaries of common usernames and passwords, the 0-100 files just helpers for making ip addresses, o looked like the output from nmap. Not terribly sophisticated stuff, but interesting.

Of course this doesn’t come close to telling me how that software got on in the first place, but it does give some interesting clues.

The timestamps are really interesting, you could piece any number of stories looking just at those. See for example how ftp_scanner is 18 minutes older than heroina.c, that suggests it was built manually (what sort of automation takes 18 minutes to build one C file?). And ketamin.tar has been sitting there for more than 3 weeks, which is kind of depressing.

And look at the owner, 1003. That according to /media/hd/etc/passwd was mailman on the old littlesvr.ca. Well that’s not going back on the system in a hurry, and how was it able to write to /root/ anyway?

I already knew the web applications are the most vulnerable part of my system. I trust Slackware, I trust me configuring the running services, but I have no idea how many security problems the web apps on the system have. I haven’t read the source for Mailman, Wordpress, SquirrelMail, or RoundCube, and they don’t come with Slackware – how am I supposed to trust them? Who vouched for them?

Anyway – by this time Slackware has been reinstalled and littlesvr.ca was sitting there in its vanilla state. I’ve decided to turn on sendmail and SVN – which would give me back two thirds of half my life, so I cautiously copied my home directories back. Apache was still off.

If you think this is the end of the story, you’re wrong. Come back later as I share more clues with you, I have at least one interesting thing left – plus there still are no certain conclusions about who and how and why did this.

Hacked! Part 1 – The Surprise

January 10th, 2009 Open Source, Safe For Seneca

By Andrew Smith

On Thursday evening I had a couple of hours to spare, so I’ve SSHed to my server (yours truly littlesvr.ca) to get the Apache logs from the last couple of months. I do this now and then because I like seeing the amount of traffic going up every month. But this time it was not going to be a gratifying experience. The first command I ran was (as usual) ‘ls’:

andrew@littlesvr:/$ ls
/bin/ls: unrecognized prefix: do
/bin/ls: unparsable value for LS_COLORS environment variable
bin/    dev/    home/   media/  opt/    root/   srv/    sys/    usr/
boot/   etc/    lib/    mnt/    proc/   sbin/   svn/    tmp/    var/

A second of confusion, but I knew then and there my box has been hacked. You see I’m running Slackware because weird crap like this (‘ls’ broken) doesn’t happen on Slackware, and though I denied it for a few minutes (oh maybe it’s a terminal problem, oh maybe I deleted something by mistake) soon enough I’ve had ample evidence. I’ve looked at /bin/ls in ‘vi’, which opens binaries as a hex editor. Didn’t see anything obviously wrong there. I’ve examined all the profile files, and those all looked normal. I grepped everything I could think of for ‘do’, and didn’t find a problem. Then I had a look at /var/log/messages, and found lots and lots of lines of the form:

Jan  7 00:13:30 littlesvr in.identd[7245]: reply to 24.165.1.229: 59167 , 21 : USERID : OTHER :0

As I was complaining about this in the #seneca IRC channel, I thought it would be worthwhile seeing just how many of these strange lines are in the log. A quick ‘grep | wc -l’ gave me a staggering number, over 325k. Then I ran ‘ps aux’:

root@littlesvr:/etc/rc.d# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
STAT  EUID  RUID TT       TPGID  SESS  PGRP  PPID   PID %CPU COMMAND
S        0     0 ?           -1     1     1     0     1  0.0 init
SW       0     0 ?           -1     1     1     1     2  0.0 migration/0
RWN      0     0 ?           -1     1     1     1     3  0.0 ksoftirqd/0
SW<      0     0 ?           -1     1     1     1     4  0.0 events/0
SW<      0     0 ?           -1     1     1     1     5  0.0 khelper
SW<      0     0 ?           -1     1     1     1     6  0.0 kthread
SW<      0     0 ?           -1     1     1     6    40  0.0 kblockd/0
SW<      0     0 ?           -1     1     1     6    41  0.0 kacpid
SW<      0     0 ?           -1     1     1     6    95  0.0 ata/0
SW<      0     0 ?           -1     1     1     6    96  0.0 ata_aux
SW<      0     0 ?           -1     1     1     6    97  0.0 ksuspend_usbd
SW<      0     0 ?           -1     1     1     6   100  0.0 khubd
SW<      0     0 ?           -1     1     1     6   102  0.0 kseriod
SW<      0     0 ?           -1     1     1     6   124  0.0 kswapd0
SW<      0     0 ?           -1     1     1     6   125  0.0 aio/0
SW<      0     0 ?           -1     1     1     6   783  0.0 scsi_tgtd/0
SW<      0     0 ?           -1     1     1     6   814  0.0 kcryptd/0
SW<      0     0 ?           -1     1     1     6   836  0.0 reiserfs/0
S<       0     0 ?           -1   900   900     1   900  0.0 udevd
SW<      0     0 ?           -1     1     1     6  1853  0.0 kpsmoused
S        0     0 ?           -1  1927  1927     1  1927  0.0 klogd
S        1     1 ?           -1  2170  2170     1  2170  0.0 rpc.portmap
S       99    99 ?           -1  2174  2174     1  2174  0.0 rpc.statd
S        0     0 ?           -1  2195  2195     1  2195  0.0 ntpd
S        0     0 ?           -1  2200  2200     1  2200  0.0 acpid
S       81    81 ?           -1  2208  2208     1  2208  0.0 dbus-daemon
S       82    82 ?           -1  2213  2213     1  2213  0.0 hald
S        0     0 ?           -1  2213  2213  2213  2214  0.0 hald-runner
S       82    82 ?           -1  2213  2213  2214  2223  0.0 hald-addon-acpi
S        0     0 ?           -1  2229  2229     1  2230  0.0 crond
S        2     0 ?           -1  2232  2232     1  2232  0.0 atd
S        0     0 ?           -1  2235  2235     1  2235  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2236  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2237  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2238  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2239  0.0 saslauthd
S        0     0 ?           -1  2376  2376     1  2377  0.0 python
S        0     0 ?           -1  2379  2379     1  2379  0.0 svnserve
S     1003  1003 ?           -1  2381  2381     1  2381  0.0 mailmanctl
S        0     0 vc/1      2382  2382  2382     1  2382  0.0 agetty
S        0     0 vc/3      2384  2384  2384     1  2384  0.0 agetty
S        0     0 vc/4      2385  2385  2385     1  2385  0.0 agetty
S        0     0 vc/5      2386  2386  2386     1  2386  0.0 agetty
S        0     0 vc/6      2387  2387  2387     1  2387  0.0 agetty
S     1003  1003 ?           -1  2381  2381  2381  2398  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2399  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2400  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2401  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2402  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2403  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2404  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2405  0.0 python
S        0     0 vc/2      2422  2422  2422     1  2422  0.0 agetty
SW       0     0 ?           -1     1     1     6  3220  0.0 pdflush
S        0     0 ?           -1  3339  3339     1  3339  0.0 inetd
S        0     0 ?           -1  3508  3508     1  3508  0.0 httpd
S       99    99 ?           -1  7245  7245     1  7245  0.0 in.identd
S       80    80 ?           -1  3508  3508  3508  7754  0.1 httpd
S       80    80 ?           -1  3508  3508  3508  7755  0.0 httpd
S     1000  1000 ?           -1  8112  8112  3339  8112  0.0 imapd
S     1002  1002 ?           -1  8113  8113  3339  8113  0.0 imapd
S     1004  1004 ?           -1  8114  8114  3339  8114  0.0 imapd
S     1007  1007 ?           -1  8115  8115  3339  8115  0.0 imapd
S        0     0 ?           -1  8281  8281 25049  8281  0.0 sshd
S     1000  1000 ?           -1  8281  8281  8281  8292  0.0 sshd
S     1000  1000 pts/2    11949  8293  8293  8292  8293  0.0 bash
S        0     0 ?           -1  8760  9062     1  9063  0.0 ddclient
S        0     0 ?           -1  8760  9079     1  9084  0.0 pppoe-connect
S        0     0 ?           -1  9345  9345     1  9345  0.0 sendmail
S       25    25 ?           -1  9348  9348     1  9348  0.0 sendmail
S        0     0 pts/2    11949  8293 10005  8293 10005  0.0 bash
S        0     0 ?           -1 10377 10377 25049 10377  0.0 sshd
S     1000  1000 ?           -1 10377 10377 10377 10383  0.0 sshd
S     1000  1000 pts/4    10420 10384 10384 10383 10384  0.0 bash
S        0     0 pts/4    10420 10384 10420 10384 10420  0.0 bash
S       80    80 ?           -1  3508  3508  3508 10598  0.3 httpd
S       80    80 ?           -1  3508  3508  3508 10599  0.2 httpd
S       80    80 ?           -1  3508  3508  3508 11510  0.0 httpd
S       80    80 ?           -1  3508  3508  3508 11511  0.0 httpd
S       80    80 ?           -1  3508  3508  3508 11512  0.0 httpd
R        0     0 pts/2    11949  8293 11949 10005 11949  0.0 ps
S        0     0 ?           -1  2379  2379  2379 15669  0.0 svnserve
S       80    80 ?           -1  3508  3508  3508 19216  0.1 httpd
S       80    80 ?           -1  3508  3508  3508 22340  0.1 httpd
S        0     0 ?           -1 25049 25049     1 25049  0.0 sshd
S        0     0 ?           -1 25295 25295     1 25295  0.0 syslogd
S        0     0 ?           -1 25316 25334     1 25345  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25349  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25380  0.5 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25383  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25385  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25441  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25444  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25446  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25627  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25632  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25732  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25740  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25741  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25836  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25846  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25947  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25949  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25950  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26052  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26054  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26157  0.2 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26158  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26262  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26480  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26586  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26682  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26689  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26793  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26795  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26796  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26894  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26900  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26901  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26902  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26998  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27003  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27005  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27007  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27107  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27118  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27221  0.3 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27222  0.0 ftp_scanner
S        0     0 ?           -1 28433 28433  9084 28433  0.0 pppd
S       99    99 ?           -1 28433 28433 28433 28434  6.5 pppoe
S       80    80 ?           -1  3508  3508  3508 29836  0.1 httpd
S        0     0 ?           -1 25073 30993     1 31000  0.0 mysqld_safe
S       27    27 ?           -1 25073 30993 31000 31033  0.0 mysqld
SW       0     0 ?           -1     1     1     6 31163  0.0 pdflush

Ayayay. I do not (for those of you who think too much) habitually run anything called ftp_scanner. I found in the ps man page an example to help me show the parent PIDs, and sure enough – all the ftp scanners had 1 (a.k.a. init) for the parent. Which means that the hacker had root access, and likely the box has been rooted.
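The parent-PID test the author did by eye can be scripted against that exact ps format. This is an added example, not from the post: it reads the columns of `ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm` and reports commands running as euid 0 whose parent is init (PPID 1) and which are missing from a hand-maintained baseline. The excerpt of ps lines and the baseline list are constructed for the example.

```shell
#!/bin/sh
# Constructed excerpt of the post's ps output: a few legitimate daemons,
# one non-root daemon (mailmanctl), an httpd worker and three scanner processes.
PS_SAMPLE='STAT  EUID  RUID TT       TPGID  SESS  PGRP  PPID   PID %CPU COMMAND
S        0     0 ?           -1     1     1     0     1  0.0 init
S        0     0 ?           -1  2229  2229     1  2230  0.0 crond
S     1003  1003 ?           -1  2381  2381     1  2381  0.0 mailmanctl
S        0     0 ?           -1  3339  3339     1  3339  0.0 inetd
S        0     0 ?           -1  3508  3508     1  3508  0.0 httpd
S       80    80 ?           -1  3508  3508  3508  7754  0.1 httpd
S        0     0 ?           -1 25049 25049     1 25049  0.0 sshd
S        0     0 ?           -1 25316 25334     1 25345  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25349  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25380  0.5 ftp_scanner'

# Hypothetical baseline: root daemons this box legitimately starts from rc.d,
# so they are expected to be children of init. Maintain it per host.
KNOWN_ROOT_DAEMONS="init crond inetd httpd sshd syslogd klogd sendmail svnserve ntpd"

# Read ps output in the format above on stdin and print "count command" for
# every command with euid 0 (field 2), PPID 1 (field 8) and a name (field 11)
# not in the baseline. Field positions follow the -o list, so keep them in sync.
unexpected_root_orphans() {
    awk -v known="$KNOWN_ROOT_DAEMONS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NR == 1 { next }                                   # skip the header
        $2 == 0 && $8 == 1 && !($11 in ok) { seen[$11]++ }
        END { for (c in seen) print seen[c], c }
    ' | sort -k2
}

# Run the check over the constructed sample. A live run pipes real output:
#   ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm | unexpected_root_orphans
scan_sample() {
    printf '%s\n' "$PS_SAMPLE" | unexpected_root_orphans
}

scan_sample
```

A kernel or library rootkit can hide its processes from ps entirely, so an empty result proves little; the disk image taken in Part 2 is what allows the box to be examined from a trusted system.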

I’ve hesitated for 10 minutes. The ftp scanner had to stop, rootkit had to be removed, the hacker locked out. But littlesvr.ca is not a toy, half my life is on it – all my email, all my computer work (svn), revenue-generating pages such as ISO Master, and less popular pages that would lose the precious little search engine ranking they had if they went offline. But it had to be done. I braced myself for a 36 hour shift, and:

root@littlesvr:~# halt

By this time my brain was overwhelmed. Too much excitement at once. The server had to be cleaned up and brought back to life in a hurry, but first I had to know how it got compromised to begin with – no point in resuscitating it only to have it hacked again two days later.

But this is a long story, and I have yet to see the ending. This post will be the first of a short series, so come back later if you want to know more.

Doing worthwhile things is hard

January 5th, 2009 Safe For Seneca

By Andrew Smith

Sometimes I think the world would be a much better place if everyone just accepted that I’m smarter than them and did what I said. This of course is not the case, and when I take some time to think about it – it’s good, I have no desire to be a puppet master like Steve Jobs. I am rarely wrong, but have been once or twice and often the fight is what makes a thing worth pursuing. But this fact does prevent me from changing the world with ease.

For a couple of years now I have been looking for a new project. I have exhausted my open source projects of all interesting problems, and I’ve been searching for something more significant – not necessarily world changing (though I do have world-changing ideas) but something that at least a few hundred million people will use.

The problem is – to affect a billion people one must be Bill Gates, or one of a handful of people in the world capable of inflicting such a massive change on the world in years rather than decades or lifetimes.

I have written open source; I have helped tens of thousands of people in small ways; I worked for small companies, not-for-profits, and the man; I’ve been a consultant, I’ve been a teacher. But never did I have the power to make significant changes to many people’s lives.

I have one such idea, which I’ll keep to myself until I give up. It’s a simple yet grand idea, it would save people collectively a monstrous amount of time and patience, it would not take a lot of resources to develop (2-3 years and less money than I have). The problem is that after it’s developed, it will be useless without overwhelming adoption. It will just sit there, ignored despite its glorious potential.

I have lived in this world long enough to know for a fact that a great product in and of itself will fail in the market. The necessary ingredients for success are called different things by different people: business skills, relationships, marketing, selling, lying, luck are but examples of the magic. Where the hell does one get these things? It would take me longer to become good at them than I’m willing to wait. Get a partner to do it for me? I’d need one smart enough to realise that it’s him driving the growth of the business, and not me, so I’d inevitably get screwed.

There is no ending to this post, sorry. I wanted to make an optimistic one but logic got in my way. See I realised that my personal growth curve, though wavy, is true to a formula. One could have predicted my status in the world today back when I was 6 years old. Maybe I’ll try to find some success metrics and make some actual graphs, that would keep my mind occupied for a while.

ISO Master has been cracked

December 9th, 2008 Open Source, Safe For Seneca

By Andrew Smith

For the last two days or so I’ve been suffering from bandwidth troubles. I throttled the children’s upload to 10K so it wasn’t that. Finally I decided to watch the web server logs for a minute, and I noticed a pattern:

63.226.153.189 - - [09/Dec/2008:17:48:05 -0500] "GET /isomaster/wp-content/themes/ISO_master/images/ss-started-vista.png HTTP/1.1" 200 26112 "http://scenereleases.info/category/applications" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; MSN 9.0;MSN 9.1;MSN 9.6; MSNbQ002; MSNmen-us; MSNcOTH)"

Going to the referrer page I found a cracked version of ISO Master – NFO file and everything. I saved the file to make sure some anti-piracy idiot doesn’t delete it.

This is a huge boost to my self-confidence. I’ve always dreamed, and never dared hope, that someone would bother creating a crack for ISO Master. After all, it’s nowhere near as popular as its competitors (unlike Linux, Windows has a few established players in this space).

As for more people getting it for free now, heh – as they say, “a small percentage of something is much better than 100% of nothing”. This is free promotion for me that I could never afford to do myself, I simply don’t have the resources. The more people have it, the more people will know about it, the more people will pay for it.

And if that’s not how it ends up, so be it. I am flattered that my software’s been cracked, and if I find out who did it I’ll buy them a beer.

I may even get off my ass and update the Windows version now, it’s two minors behind the Linux version, and GTK had some nice improvements since.