Mad marking

February 15th, 2009 Open Source

By Andrew Smith

I’m marking the first assignment for the data structures and algorithms course. Two problems – one a painful but well-defined majority element, the other a linked list. I’m reading this code and I’m getting a headache. I need to take a break every 30 minutes, it’s so hard.

The problem is I’m looking at the code and I know that it can’t possibly work. But it does. I try creating a scenario where it will fail as I expect it should, I fiddle with the memory arrangement on the stack, but the bloody things work anyway.

I know the right way to do it, but who says what I think is the right way really is? I’m not going to take marks off for thinking out of the box, even if that’s just evidence of not paying attention in class.

While it’s extremely unlikely that these weird ways to solve problems are any good in the real world, where other people have to read your code – I’ve read enough code in my life to know that whether it works is the ultimate quality metric, and readability is but an illusion.

Back to work.

Squeeeeeeeeee

January 31st, 2009 Uncategorized

By Andrew Smith

A few months ago my computer started squealing. It was annoying when it started – a kind of squeeck squeeck, one or two seconds each, once a day. But recently one or two seconds turned into five or six seconds and once a day into twice an hour.

You have no idea how bad it is. Just imagine – you’re trying to concentrate on something, solve a complicated problem, find a hard bug, try to understand, and all of a sudden SQUEEEEEEEEEEEEEEEEEEE!

I had no idea where that sound was coming from, until I remembered my video card made a similar sound if the computer was turned on without the power plugged into the card. I have a BFG GeForce 7800 in my desktop. I tried everything, including smacking the computer – which, amazingly, worked but it wasn’t a permanent solution.

Through trial and error I found the problem – a little beeper on the video card, specifically placed on there to annoy people who do real work rather than play games. Even though the circuitry looked tiny and it was soldered on both sides, I didn’t care – I was ready to smash the card with a hammer. So I used my huge solder gun to remove the speaker.

geforce7800

Peace at last.

Bloody scholarly papers

January 24th, 2009 Uncategorized

By Andrew Smith

I’m getting a master’s degree. And in the current course I have one of those professors who act like something’s up their ass whenever someone cites a work that’s not ‘academic’.

For the assignment this week I actually needed to get my hands on some academic papers, because the topic is so uninteresting no one else would bother to write about it. What a nightmare! I’ll tell you why; here’s the process I have to go through to get to only one of these papers:

  • Find the paper I need via google, because the library search engine is crap.
  • Paste the title into the library search engine.
  • Remember to check ‘Computing’, which is down below the search button, or else the following step will need to be repeated.
  • Watch the MetaLib ‘Quick Search’ search the databases for anywhere between 1 and 3 minutes (I’m not kidding).
  • Click on the title of the paper in the search results (assuming the search didn’t crash, which it does sometimes).
  • Scan the following page for 20 seconds looking for anything that remotely sounds like ‘download’ or ‘view’. For this particular paper it turned out to be called “Resource:”
  • Click that link. A popup window opens with MetaLib doing something unspecified for a few seconds. This window is 1/4 of the screen in size and has no navigation buttons.
  • Read the error message in bold: “An error has been encountered. Invalid Parameters”
  • Click on ‘Quick Search’ (in the window with the error). Some long number is pre-filled into the search bar.
  • Select ‘Technology’ in the subject area drop-down and click ‘search’.
  • The thing comes back with a link to the paper you were looking for. Click that.
  • Scan the following page for 20 seconds looking for anything that remotely sounds like ‘download’ or ‘view’. For this particular paper it took a minute.
  • Click the ‘Find it @ Liverpool’ link disguised as a title banner.
  • It says ‘Full text available via ACM Digital Library’, whatever – click go.
  • A popup window opens, this one 1/6th of the size of my screen. This is the same page I found via google – except now I have the permission to download the paper. Click on the pdf link.
  • PDF downloads.

You see all of the above? That’s for ONE PAPER! It may not even be of any use in my research, I may need to repeat all of the above process 20, 30 times. What sort of a lazy ass moron thinks that I have time for this? In the time it took me to open the academic paper I would have learned everything they found reading Wikipedia, forums, blogs, wikis, the MSDN, and a hundred other online resources designed to be accessed easier rather than harder. It turns out that on this topic there are no resources except academic, but man am I pissed.

What’s with this pay to access thing anyway? I’d like to know how much money the publishers make charging for access to 15 year old papers. I understand that the peer review process is expensive, that’s fine. Have the papers in the last year, two, five locked up. But for fuck’s sake put anything more than 10 years old in the public domain. If you don’t you will lose your business as people growing up today feel as I do. I will never look for an academic paper when I have a choice. And that means that 10 years from now these publishers and librarians will be out of a job, because of their belief that they are irreplaceable.

Morons!

Hacked! Part 3 – Teaser

January 12th, 2009 Open Source, Safe For Seneca

By Andrew Smith

I left off with my server almost completely back up, but not yet Apache. I’ve had to make sure the web apps off the internet weren’t full of security holes before allowing access to them again.

Though this is my third post 4 days later – in real time it’s been less than 24 hours since I’ve discovered the ftp scanner. So I had some breathing time to do a half-decent job.

Most of all I suspected Wordpress. They come up with a new version every few months and every time claim it’s a security update, which makes me wonder if it’s ever secure. Luckily both ISO Master and Grumble Grumble are just stock wordpress installs with a theme over them. Everything else is stored in the database. So I was able to delete all the code except for the themes, install Wordpress 2.7 on both, and miraculously both websites came back up with no trouble whatsoever.

I have not reviewed the theme code or the contents of the databases – I assume the Wordpress guys were smart enough not to store executable code in either of those places. Either way it was a risk I was willing to take.

A third Wordpress website (the old Canvas3D blog) I’ve decided not to bother with and left it with chmod 0.

Three web apps down, two to go – SquirrelMail and RoundCube. I have both installed because I have more than one email account, so I have both open in browser tabs at once. I’ve decided to look around before enabling these. RoundCube first. Some way or another I stumbled upon a php file in the logs directory:

root@legrand-sw:/media/hd/home/www/htdocs/mail/logs# ls -al
total 129
drwxrwxr-x  2 andrew apache    120 2008-12-30 18:00 ./
drwxr-xr-x 10 andrew users     480 2008-08-15 10:25 ../
-rw-r--r--  1 apache apache  14985 2009-01-07 13:29 errors
-rw-r--r--  1 apache apache   7033 2009-01-07 13:26 sendmail
-rw-r--r--  1 apache apache 105643 2008-12-30 18:00 zq.php

Which is a really strange place to keep a php file, especially since the directory is writable by Apache. See how zq.php is owned by apache? That’s really bad. And lookie here what was at the top of zq.php:

/******************************************************************************************************/
/*
/*                                     #    #        #    #
/*                                     #   #          #   #
/*                                    #    #          #    #
/*                                    #   ##   ####   ##   #
/*                                   ##   ##  ######  ##   ##
/*                                   ##   ##  ######  ##   ##
/*                                   ##   ##   ####   ##   ##
/*                                   ###   ############   ###
/*                                   ########################
/*                                        ##############
/*                                 ######## ########## #######
/*                                ###   ##  ##########  ##   ###
/*                                ###   ##  ##########  ##   ###
/*                                 ###   #  ##########  #   ###
/*                                 ###   ##  ########  ##   ###
/*                                  ##    #   ######   #    ##
/*                                   ##   #    ####   #    ##
/*                                     ##                 ##
/*
/*
/*
/*  r57shell.php -
/*                                               : http://rst.void.ru
/*        : 1.3 (05.03.2006)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*                                          : blf, phoenix, virus, NorD                  RST/GHC.
/*                       -
/*     rst@void.ru.                                  .
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*  (c)oded by 1dt.w0lf
/*  RST/GHC http://rst.void.ru , http://ghc.ru
/*  ANY MODIFIED REPUBLISHING IS RESTRICTED
/******************************************************************************************************/

Isn’t that interesting... I didn’t quite know what to think of the bug – on the one hand it looks like the hacker put it there to taunt me, on the other hand RoundCube is a young open source project so who knows what the developer was smoking?

Didn’t take long to figure out though: both http://rst.void.ru and http://ghc.ru are hacker websites, though ghc.ru looks half-commercial. And the contents of the file (which I’ve had no time to analyse) clearly do something that isn’t nice. I’ve renamed the file to .txt and put it up for you to study if you care.
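The three signals in this post – a .php file sitting in a directory the web server can write to, a file owned by the web-server account, and a known shell banner in the file header – can be checked mechanically. The scanner below is an added example, not RoundCube’s or the author’s code; the banner strings come from the header quoted above, and the web-server uid/gid, the fixture tree and the sample file contents are constructed for the example.

```python
"""Scan a web root for PHP files that should not be there.

Three signals, all taken from the post: a .php file in a directory the
web server can write to, a .php file owned by the web-server account,
and a known shell banner in the first few kilobytes of the file.
"""

import os
import stat
import tempfile

# Strings from the header quoted in the post (assumed list; extend it).
BANNERS = (b"r57shell", b"rst.void.ru")
HEAD_BYTES = 8192  # banners sit at the top, no need to read a whole file


def dir_writable_by(st, uid, gid):
    """True if a directory's mode lets `uid`/`gid` create files in it."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def banner_hit(path):
    """Return the first known banner found in the head of the file, else None."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    for marker in BANNERS:
        if marker in head:
            return marker.decode()
    return None


def scan_webroot(root, web_uid, web_gid):
    """Return [(relative path, [reasons])] for suspicious PHP files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        writable = dir_writable_by(os.lstat(dirpath), web_uid, web_gid)
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            fst = os.lstat(full)
            if not stat.S_ISREG(fst.st_mode):
                continue  # symlinks and specials are a separate question
            reasons = []
            if writable:
                reasons.append("directory writable by web server")
            if fst.st_uid == web_uid:
                reasons.append("file owned by web server uid")
            hit = banner_hit(full)
            if hit:
                reasons.append("banner: " + hit)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return findings


def build_sample_tree(base):
    """Constructed fixture mirroring the post's layout: a stock index.php
    plus a shell-like file dropped into a group-writable logs/ directory."""
    logs = os.path.join(base, "mail", "logs")
    os.makedirs(logs)
    with open(os.path.join(base, "mail", "index.php"), "w") as fh:
        fh.write("<?php echo 'roundcube'; ?>\n")
    with open(os.path.join(logs, "zq.php"), "w") as fh:
        fh.write("/* r57shell.php - http://rst.void.ru */\n<?php /* ... */ ?>\n")
    os.chmod(os.path.join(base, "mail"), 0o755)
    os.chmod(logs, 0o775)  # drwxrwxr-x, as in the post's listing


def demo():
    """Run the scanner over the constructed fixture and return its findings.

    The pretend web server runs as a uid that owns nothing in the tree but
    belongs to the group that owns logs/ (the post's 'andrew apache' case).
    """
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        fake_web_uid = os.getuid() + 100000  # assumption: not a real account
        web_gid = os.lstat(os.path.join(base, "mail", "logs")).st_gid
        return scan_webroot(base, fake_web_uid, web_gid)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real system run scan_webroot against the web root with the uid/gid that httpd actually runs as (80/80 in the listing above).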

As with mailman (see previous post) I decided this service is not going to be re-enabled. Maybe I messed up something during setup, but just as likely RoundCube was at fault. After all it was the first ‘stable’ version, 0.1. And I’ll keep SquirrelMail off too for good measure, I’ll just install Thunderbird on all my machines.

So there you go. One clue in Mailman, one in RoundCube. Are they related or are they two separate hacking attempts? Were they run by script kiddies or serious hackers? Having some evidence that the ftp scanner was set up manually I tend to favour the latter possibility. And what of this zq.php? Was the logo there because it’s a general-purpose cracking tool, or because those groups actually had something to do with my server?

There’s lots of investigation left still. At this point my server is completely operational so I have lots of time. I do hope I find more clues, mystery solving turns out to be a really exciting hobby.

Hacked! Part 2 – Open source hacking

January 11th, 2009 Open Source, Safe For Seneca

By Andrew Smith

First things first – my server had to be brought back up. But bringing it back up was not a matter as simple as reinstalling Slackware and plopping the home directories back in. So the first thing that needed to be done was to figure out how the server’s been compromised.

The quickest way to do this, I figured, was to do both at the same time. I’d get the data off the server, reformat the hard drive, start reinstalling the operating system, and during that time would analyse the backed up files for evidence. Just to be thorough I wanted to keep a byte-by-byte copy of the hard drive – that may contain clues that simple copies of the files would lose, and using the image I could bring a clone of the hacked server back up in a controlled environment – exactly the same minus any processes that were running.

The command was easy enough, run from the shell of a Slackware 12.2 installation CD:

dd if=/dev/hda1 | ssh 10.0.0.1 dd of=/media/backup/hacked/hda1.dd
dd if=/dev/hda2 | ssh 10.0.0.1 dd of=/media/backup/hacked/hda2.dd

I’ve saved hda2 (the swap partition) just in case I ever found a tool to analyse contents of memory (unlikely to happen). Turns out the 80G image would take hours to transfer over, so I set the alarm clock for 2AM and went to sleep for a couple of hours, knowing I wouldn’t get any the next day.

The image hda1.dd (as any other image of a Linux-supported filesystem) can be mounted onto an existing system. I decided to go ahead and do that since nothing on the partition could damage a fresh system unless they found a bug in the filesystem driver and infected the FAT:

mount /media/backup/hacked/hda1.dd /media/hd -o loop

Looking around /media/hd I quickly found something that got my attention: a file and a directory in /root/ that didn’t look familiar:

root@legrand-sw:/media/hd/root# ls -l
<stripped out some things>
drwxr-xr-x 2   1003 users   304 2008-09-23 16:24 heroina/
-rw-r--r-- 1 root   root  81920 2008-12-16 16:42 ketamin.tar

root@legrand-sw:/media/hd/root# ls -l heroina/
total 92
-rwxr-xr-x 1 1003 users    82 2006-03-10 15:02 0-100*
-rwxr-xr-x 1 1003 users    84 2006-03-10 21:02 100-200*
-rwxr-xr-x 1 1003 users    84 2006-03-10 21:02 200-255*
-rwxr-xr-x 1 1003 users   428 2009-01-07 23:44 dava*
-rwxr-xr-x 1 1003 users 17145 2008-09-23 17:07 ftp_scanner*
-rwxr-xr-x 1 1003 users 17246 2008-09-23 16:49 heroina.c*
-rwxr-xr-x 1 1003 users  2094 2006-03-10 21:02 o*
-rwxr-xr-x 1 1003 users 20313 2008-06-15 18:46 pass*
-rwxr-xr-x 1 1003 users   119 2008-09-23 16:22 run*
-rwxr-xr-x 1 1003 users  7490 2008-06-17 15:51 users*

There’s my ftp_scanner, and who would have thought, it even comes with source code. Well of course – who would use a binary to mess with an open source server? Yep, here’s heroina.c if you care to look at it, but basically it looks like general-purpose software:

Multi-thread FTP scanner v0.2.5 by Inode <inode@wayreth.eu.org>

users and pass are tiny dictionaries of common usernames and passwords, the 0-100 files just helpers for making ip addresses, o looked like the output from nmap. Not terribly sophisticated stuff, but interesting.

Of course this doesn’t come close to telling me how that software got on there in the first place, but it does give some interesting clues.

The timestamps are really interesting, you could piece together any number of stories looking just at those. See for example how ftp_scanner is 18 minutes older than heroina.c, that suggests it was built manually (what sort of automation takes 18 minutes to build one C file?). And ketamin.tar has been sitting there for more than 3 weeks, which is kind of depressing.

And look at the owner, 1003. That according to /media/hd/etc/passwd was mailman on the old littlesvr.ca. Well that’s not going back on the system in a hurry, and how was it able to write to /root/ anyway?
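The two checks this post does by hand – resolving a numeric owner against the image’s own /etc/passwd (the host’s passwd would map 1003 to a different account, or to nothing) and spotting things under /root that root doesn’t own – are what a first triage pass over a mounted image should automate. The script below is an added example, not the author’s tooling; the passwd contents and the file entries are constructed from the listings in the post.

```python
"""Ownership triage over a mounted disk image (e.g. /media/hd in the post).

Resolves uids against the image's own /etc/passwd, flags entries under
/root owned by anyone but root, and reports the newest mtime per owner.
"""

import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Entry:
    path: str    # relative to the image root, e.g. "root/heroina/ftp_scanner"
    uid: int
    mtime: float  # seconds since the epoch


def parse_passwd(text):
    """Return {uid: username} from the contents of an /etc/passwd file."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[int(fields[2])] = fields[0]
    return users


def walk_image(mount_point):
    """Collect Entry objects from a mounted image with lstat (no symlink following)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(mount_point):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append(Entry(os.path.relpath(full, mount_point), st.st_uid, st.st_mtime))
    return entries


def flag_root_dir_owners(entries, users):
    """Entries under root/ not owned by uid 0, as (path, uid, name) tuples.

    An unknown uid means the account was deleted or never existed on the
    imaged system; resolve against the image's passwd, never the host's.
    """
    flagged = []
    for e in entries:
        under_root = e.path == "root" or e.path.startswith("root/")
        if under_root and e.uid != 0:
            flagged.append((e.path, e.uid, users.get(e.uid, "<unknown uid>")))
    return flagged


def newest_per_owner(entries):
    """Latest mtime per uid: a quick 'when was this account last active' view."""
    latest = {}
    for e in entries:
        if e.uid not in latest or e.mtime > latest[e.uid]:
            latest[e.uid] = e.mtime
    return latest


def _ts(text):
    """Parse 'YYYY-MM-DD HH:MM' (the ls -l format above) as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()


# Constructed sample passwd for the image (not a real file).
IMAGE_PASSWD = """\
root:x:0:0::/root:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
andrew:x:1000:100::/home/andrew:/bin/bash
mailman:x:1003:100::/home/mailman:/bin/bash
"""

# Constructed from the ls -l output in the post.
SAMPLE_ENTRIES = [
    Entry("root/heroina", 1003, _ts("2008-09-23 16:24")),
    Entry("root/ketamin.tar", 0, _ts("2008-12-16 16:42")),
    Entry("root/heroina/heroina.c", 1003, _ts("2008-09-23 16:49")),
    Entry("root/heroina/ftp_scanner", 1003, _ts("2008-09-23 17:07")),
    Entry("root/heroina/dava", 1003, _ts("2009-01-07 23:44")),
    Entry("home/andrew/.bashrc", 1000, _ts("2008-08-15 10:25")),
]


if __name__ == "__main__":
    users = parse_passwd(IMAGE_PASSWD)  # on a real image: open(mount + "/etc/passwd")
    for path, uid, name in flag_root_dir_owners(SAMPLE_ENTRIES, users):
        print(f"{path}: owned by {uid} ({name})")
```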

I already knew the web applications are the most vulnerable part of my system. I trust Slackware, I trust me configuring the running services, but I have no idea how many security problems the web apps on the system have. I haven’t read the source for Mailman, Wordpress, SquirrelMail, or RoundCube, and they don’t come with Slackware – how am I supposed to trust them? Who vouched for them?

Anyway – by this time Slackware had been reinstalled and littlesvr.ca was sitting there in its vanilla state. I’ve decided to turn on sendmail and SVN – which would give me back two thirds of half my life, so I cautiously copied my home directories back. Apache was still off.

If you think this is the end of the story, you’re wrong. Come back later as I share more clues with you, I have at least one interesting thing left – plus there still are no certain conclusions about who and how and why did this.

Hacked! Part 1 – The Surprise

January 10th, 2009 Open Source, Safe For Seneca

By Andrew Smith

On Thursday evening I had a couple of hours to spare, so I’ve SSHed to my server (yours truly littlesvr.ca) to get the Apache logs from the last couple of months. I do this now and then because I like seeing the amount of traffic going up every month. But this time it was not going to be a gratifying experience. The first command I ran was (as usual) ‘ls’:

andrew@littlesvr:/$ ls
/bin/ls: unrecognized prefix: do
/bin/ls: unparsable value for LS_COLORS environment variable
bin/    dev/    home/   media/  opt/    root/   srv/    sys/    usr/
boot/   etc/    lib/    mnt/    proc/   sbin/   svn/    tmp/    var/

A second of confusion, but I knew then and there my box had been hacked. You see I’m running Slackware because weird crap like this (‘ls’ broken) doesn’t happen on Slackware, and though I denied it for a few minutes (oh maybe it’s a terminal problem, oh maybe I deleted something by mistake) soon enough I had ample evidence. I looked at /bin/ls in ‘vi’, which opens binaries as a hex editor. Didn’t see anything obviously wrong there. I examined all the profile files, and those all looked normal. I grepped everything I could think of for ‘do’, and didn’t find a problem. Then I had a look at /var/log/messages, and found lots and lots of lines of the form:

Jan  7 00:13:30 littlesvr in.identd[7245]: reply to 24.165.1.229: 59167 , 21 : USERID : OTHER :0

As I was complaining about this in the #seneca IRC channel, I thought it would be worthwhile seeing just how many of these strange lines are in the log. A quick ‘grep | wc -l’ gave me a staggering number, over 325k. Then I ran ‘ps aux’:

root@littlesvr:/etc/rc.d# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm
STAT  EUID  RUID TT       TPGID  SESS  PGRP  PPID   PID %CPU COMMAND
S        0     0 ?           -1     1     1     0     1  0.0 init
SW       0     0 ?           -1     1     1     1     2  0.0 migration/0
RWN      0     0 ?           -1     1     1     1     3  0.0 ksoftirqd/0
SW<      0     0 ?           -1     1     1     1     4  0.0 events/0
SW<      0     0 ?           -1     1     1     1     5  0.0 khelper
SW<      0     0 ?           -1     1     1     1     6  0.0 kthread
SW<      0     0 ?           -1     1     1     6    40  0.0 kblockd/0
SW<      0     0 ?           -1     1     1     6    41  0.0 kacpid
SW<      0     0 ?           -1     1     1     6    95  0.0 ata/0
SW<      0     0 ?           -1     1     1     6    96  0.0 ata_aux
SW<      0     0 ?           -1     1     1     6    97  0.0 ksuspend_usbd
SW<      0     0 ?           -1     1     1     6   100  0.0 khubd
SW<      0     0 ?           -1     1     1     6   102  0.0 kseriod
SW<      0     0 ?           -1     1     1     6   124  0.0 kswapd0
SW<      0     0 ?           -1     1     1     6   125  0.0 aio/0
SW<      0     0 ?           -1     1     1     6   783  0.0 scsi_tgtd/0
SW<      0     0 ?           -1     1     1     6   814  0.0 kcryptd/0
SW<      0     0 ?           -1     1     1     6   836  0.0 reiserfs/0
S<       0     0 ?           -1   900   900     1   900  0.0 udevd
SW<      0     0 ?           -1     1     1     6  1853  0.0 kpsmoused
S        0     0 ?           -1  1927  1927     1  1927  0.0 klogd
S        1     1 ?           -1  2170  2170     1  2170  0.0 rpc.portmap
S       99    99 ?           -1  2174  2174     1  2174  0.0 rpc.statd
S        0     0 ?           -1  2195  2195     1  2195  0.0 ntpd
S        0     0 ?           -1  2200  2200     1  2200  0.0 acpid
S       81    81 ?           -1  2208  2208     1  2208  0.0 dbus-daemon
S       82    82 ?           -1  2213  2213     1  2213  0.0 hald
S        0     0 ?           -1  2213  2213  2213  2214  0.0 hald-runner
S       82    82 ?           -1  2213  2213  2214  2223  0.0 hald-addon-acpi
S        0     0 ?           -1  2229  2229     1  2230  0.0 crond
S        2     0 ?           -1  2232  2232     1  2232  0.0 atd
S        0     0 ?           -1  2235  2235     1  2235  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2236  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2237  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2238  0.0 saslauthd
S        0     0 ?           -1  2235  2235  2235  2239  0.0 saslauthd
S        0     0 ?           -1  2376  2376     1  2377  0.0 python
S        0     0 ?           -1  2379  2379     1  2379  0.0 svnserve
S     1003  1003 ?           -1  2381  2381     1  2381  0.0 mailmanctl
S        0     0 vc/1      2382  2382  2382     1  2382  0.0 agetty
S        0     0 vc/3      2384  2384  2384     1  2384  0.0 agetty
S        0     0 vc/4      2385  2385  2385     1  2385  0.0 agetty
S        0     0 vc/5      2386  2386  2386     1  2386  0.0 agetty
S        0     0 vc/6      2387  2387  2387     1  2387  0.0 agetty
S     1003  1003 ?           -1  2381  2381  2381  2398  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2399  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2400  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2401  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2402  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2403  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2404  0.0 python
S     1003  1003 ?           -1  2381  2381  2381  2405  0.0 python
S        0     0 vc/2      2422  2422  2422     1  2422  0.0 agetty
SW       0     0 ?           -1     1     1     6  3220  0.0 pdflush
S        0     0 ?           -1  3339  3339     1  3339  0.0 inetd
S        0     0 ?           -1  3508  3508     1  3508  0.0 httpd
S       99    99 ?           -1  7245  7245     1  7245  0.0 in.identd
S       80    80 ?           -1  3508  3508  3508  7754  0.1 httpd
S       80    80 ?           -1  3508  3508  3508  7755  0.0 httpd
S     1000  1000 ?           -1  8112  8112  3339  8112  0.0 imapd
S     1002  1002 ?           -1  8113  8113  3339  8113  0.0 imapd
S     1004  1004 ?           -1  8114  8114  3339  8114  0.0 imapd
S     1007  1007 ?           -1  8115  8115  3339  8115  0.0 imapd
S        0     0 ?           -1  8281  8281 25049  8281  0.0 sshd
S     1000  1000 ?           -1  8281  8281  8281  8292  0.0 sshd
S     1000  1000 pts/2    11949  8293  8293  8292  8293  0.0 bash
S        0     0 ?           -1  8760  9062     1  9063  0.0 ddclient
S        0     0 ?           -1  8760  9079     1  9084  0.0 pppoe-connect
S        0     0 ?           -1  9345  9345     1  9345  0.0 sendmail
S       25    25 ?           -1  9348  9348     1  9348  0.0 sendmail
S        0     0 pts/2    11949  8293 10005  8293 10005  0.0 bash
S        0     0 ?           -1 10377 10377 25049 10377  0.0 sshd
S     1000  1000 ?           -1 10377 10377 10377 10383  0.0 sshd
S     1000  1000 pts/4    10420 10384 10384 10383 10384  0.0 bash
S        0     0 pts/4    10420 10384 10420 10384 10420  0.0 bash
S       80    80 ?           -1  3508  3508  3508 10598  0.3 httpd
S       80    80 ?           -1  3508  3508  3508 10599  0.2 httpd
S       80    80 ?           -1  3508  3508  3508 11510  0.0 httpd
S       80    80 ?           -1  3508  3508  3508 11511  0.0 httpd
S       80    80 ?           -1  3508  3508  3508 11512  0.0 httpd
R        0     0 pts/2    11949  8293 11949 10005 11949  0.0 ps
S        0     0 ?           -1  2379  2379  2379 15669  0.0 svnserve
S       80    80 ?           -1  3508  3508  3508 19216  0.1 httpd
S       80    80 ?           -1  3508  3508  3508 22340  0.1 httpd
S        0     0 ?           -1 25049 25049     1 25049  0.0 sshd
S        0     0 ?           -1 25295 25295     1 25295  0.0 syslogd
S        0     0 ?           -1 25316 25334     1 25345  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25349  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25380  0.5 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25383  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25385  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25441  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25444  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25446  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25627  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25632  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25732  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25740  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25741  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25836  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25846  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25947  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25949  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25950  0.4 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26052  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26054  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26157  0.2 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26158  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26262  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26480  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26586  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26682  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26689  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26793  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26795  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26796  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26894  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26900  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26901  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26902  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 26998  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27003  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27005  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27007  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27107  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27118  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27221  0.3 ftp_scanner
S        0     0 ?           -1 25316 25334     1 27222  0.0 ftp_scanner
S        0     0 ?           -1 28433 28433  9084 28433  0.0 pppd
S       99    99 ?           -1 28433 28433 28433 28434  6.5 pppoe
S       80    80 ?           -1  3508  3508  3508 29836  0.1 httpd
S        0     0 ?           -1 25073 30993     1 31000  0.0 mysqld_safe
S       27    27 ?           -1 25073 30993 31000 31033  0.0 mysqld
SW       0     0 ?           -1     1     1     6 31163  0.0 pdflush

Ayayay. I do not (for those of you who think too much) habitually run anything called ftp_scanner. I found in the ps man page an example to help me show the parent PIDs, and sure enough – all the ftp scanners had 1 (a.k.a. init) for the parent. Which means that the hacker had root access, and likely the box has been rooted.
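The check made by eye above – look at every process whose parent is init (PPID 1) and ask whether you expect it – is easy to script against exactly the ps column layout used in the listing. The parser below is an added example, not the author’s; the baseline of expected daemon names is an assumption built from this listing (on a real host, build it from a known-clean machine), and the sample rows are a constructed subset of the output above.

```python
"""Triage a `ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm`
listing for processes re-parented to init (PPID 1) that are not in a
baseline of daemons expected at boot.  Baseline and sample rows are
constructed for this example from the listing in the post."""

from collections import Counter

# Assumed baseline: names a stock Slackware box of that era starts from
# its rc scripts.  Build your own from a clean host, not from the victim.
BASELINE = {
    "init", "udevd", "klogd", "syslogd", "rpc.portmap", "rpc.statd", "ntpd",
    "acpid", "dbus-daemon", "hald", "crond", "atd", "saslauthd", "python",
    "svnserve", "mailmanctl", "agetty", "inetd", "httpd", "in.identd",
    "sshd", "ddclient", "pppoe-connect", "sendmail", "mysqld_safe",
}

COLUMNS = ["stat", "euid", "ruid", "tty", "tpgid", "sess", "pgrp",
           "ppid", "pid", "pcpu", "comm"]


def parse_ps(text):
    """Parse the listing into one dict per process, keyed by column name."""
    rows = []
    for line in text.splitlines():
        # comm is the last column and may contain spaces, so cap the split
        parts = line.split(None, len(COLUMNS) - 1)
        if len(parts) != len(COLUMNS) or parts[0] == "STAT":
            continue  # blank line or header
        row = dict(zip(COLUMNS, parts))
        for key in ("euid", "ruid", "tpgid", "sess", "pgrp", "ppid", "pid"):
            row[key] = int(row[key])
        row["pcpu"] = float(row["pcpu"])
        rows.append(row)
    return rows


def orphans_outside_baseline(rows, baseline=BASELINE):
    """Processes whose parent is init but whose name is not expected.

    A daemonised program double-forks and ends up with PPID 1, so an
    unfamiliar name here is the first thing to look at.  Kernel threads
    (state flag 'W' on kernels of that era, no tty) are skipped.
    """
    hits = []
    for r in rows:
        if r["ppid"] != 1 or "W" in r["stat"]:
            continue
        if r["comm"] not in baseline:
            hits.append(r)
    return hits


def root_orphan_counts(rows):
    """How many root-owned, init-parented processes share each name."""
    return Counter(r["comm"] for r in rows if r["euid"] == 0 and r["ppid"] == 1)


# Constructed subset of the listing in the post.
SAMPLE = """\
STAT  EUID  RUID TT       TPGID  SESS  PGRP  PPID   PID %CPU COMMAND
S        0     0 ?           -1     1     1     0     1  0.0 init
SW       0     0 ?           -1     1     1     1     2  0.0 migration/0
S        0     0 ?           -1  1927  1927     1  1927  0.0 klogd
S     1003  1003 ?           -1  2381  2381     1  2381  0.0 mailmanctl
S        0     0 ?           -1  3508  3508     1  3508  0.0 httpd
S       80    80 ?           -1  3508  3508  3508  7754  0.1 httpd
S       99    99 ?           -1  7245  7245     1  7245  0.0 in.identd
S        0     0 ?           -1 25316 25334     1 25345  0.0 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25349  0.1 ftp_scanner
S        0     0 ?           -1 25316 25334     1 25380  0.5 ftp_scanner
R        0     0 pts/2    11949  8293 11949 10005 11949  0.0 ps
"""


if __name__ == "__main__":
    rows = parse_ps(SAMPLE)
    for r in orphans_outside_baseline(rows):
        print(f"pid {r['pid']} euid {r['euid']} comm {r['comm']}")
    print(root_orphan_counts(rows))
```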

I’ve hesitated for 10 minutes. The ftp scanner had to stop, rootkit had to be removed, the hacker locked out. But littlesvr.ca is not a toy, half my life is on it – all my email, all my computer work (svn), revenue-generating pages such as ISO Master, and less popular pages that would lose the precious little search engine ranking they had if they went offline. But it had to be done. I braced myself for a 36 hour shift, and:

root@littlesvr:~# halt

By this time my brain was overwhelmed. Too much excitement at once. The server had to be cleaned up and brought back to life in a hurry, but first I had to know how it got compromised to begin with – no point in resuscitating it only to have it hacked again two days later.

But this is a long story, and I have yet to see the ending. This post will be the first of a short series, so come back later if you want to know more.

Doing worthwhile things is hard

January 5th, 2009 Safe For Seneca

By Andrew Smith

Sometimes I think the world would be a much better place if everyone just accepted that I’m smarter than them and did what I said. This of course is not the case, and when I take some time to think about it – it’s good, I have no desire to be a puppet master like Steve Jobs. I am rarely wrong, but have been once or twice and often the fight is what makes a thing worth pursuing. But this fact does prevent me from changing the world with ease.

For a couple of years now I have been looking for a new project. I have exhausted my open source projects of all interesting problems, and I’ve been searching for something more significant – not necessarily world changing (though I do have world-changing ideas) but something that at least a few hundred million people will use.

The problem is – to affect a billion people one must be Bill Gates, or one of a handful of people in the world capable of inflicting such a massive change on the world in years rather than decades or lifetimes.

I have written open source; I have helped tens of thousands of people in small ways; I worked for small companies, not-for profits, and the man; I’ve been a consultant, I’ve been a teacher. But never did I have the power to make significant changes to many people’s lives.

I have one such idea, which I’ll keep to myself until I give up. It’s a simple yet grand idea, it would save people collectively a monstrous amount of time and patience, it would not take a lot of resources to develop (2-3 years and less money than I have). The problem is that after it’s developed, it will be useless without overwhelming adoption. It will just sit there, ignored despite its glorious potential.

I have lived in this world long enough to know for a fact that a great product in and of itself will fail in the market. The necessary ingredients for success are called different things by different people: business skills, relationships, marketing, selling, lying, luck are but examples of the magic. Where the hell does one get these things? It would take me longer to become good at them than I’m willing to wait. Get a partner to do it for me? I’d need one smart enough to realise that it’s him driving the growth of the business, and not me, so I’d inevitably get screwed.

There is no ending to this post, sorry. I wanted to make an optimistic one but logic got in my way. See I realised that my personal growth curve, though wavy, is true to a formula. One could have predicted my status in the world today back when I was 6 years old. Maybe I’ll try to find some success metrics and make some actual graphs, that would keep my mind occupied for a while.

ISO Master has been cracked

December 9th, 2008 Open Source, Safe For Seneca

By Andrew Smith

For the last two days or so I’ve been suffering from bandwidth troubles. I throttled the children’s upload to 10K so it wasn’t that. Finally I’ve decided to watch the web server logs for a minute, and I’ve noticed a pattern:

63.226.153.189 - - [09/Dec/2008:17:48:05 -0500] "GET /isomaster/wp-content/themes/ISO_master/images/ss-started-vista.png HTTP/1.1" 200 26112 "http://scenereleases.info/category/applications" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; MSN 9.0;MSN 9.1;MSN 9.6; MSNbQ002; MSNmen-us; MSNcOTH)"

Going to the referrer page I found a cracked version of ISO Master – NFO file and everything. I saved the file to make sure some anti-piracy idiot doesn’t delete it.
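The pattern above (image requests whose referrer is another site) is the classic hotlinking signature, and it is easy to pull out of a combined-format access log automatically. The following is an added example, not code from the post: it parses combined log lines and totals image bytes served per external referrer host. The hostname `example.com` stands in for the blog's own host, and the two extra log lines are constructed; only the first one is the line quoted in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" log format; the referrer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

IMAGE_EXT = ('.png', '.jpg', '.jpeg', '.gif')

def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit['size'] = 0 if hit['size'] == '-' else int(hit['size'])
    return hit

def hotlink_report(lines, own_hosts):
    """Total image bytes per external referrer host.

    A hit counts as hotlinked when it requests an image and the referrer
    host is neither empty nor one of our own hostnames (own_hosts is an
    assumed parameter; pass the hostnames your site is served under).
    """
    bytes_by_ref = defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if not hit or not hit['path'].lower().endswith(IMAGE_EXT):
            continue
        ref_host = urlparse(hit['referrer']).hostname
        if ref_host and ref_host not in own_hosts:
            bytes_by_ref[ref_host] += hit['size']
    return dict(bytes_by_ref)

# Constructed sample: the line quoted in the post plus two made-up hits
# (one image fetched from our own page, one non-image page view).
SAMPLE_LOG = [
    '63.226.153.189 - - [09/Dec/2008:17:48:05 -0500] "GET /isomaster/wp-content/themes/ISO_master/images/ss-started-vista.png HTTP/1.1" 200 26112 "http://scenereleases.info/category/applications" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '10.0.0.7 - - [09/Dec/2008:17:48:09 -0500] "GET /isomaster/wp-content/themes/ISO_master/images/logo.png HTTP/1.1" 200 4096 "http://example.com/isomaster/" "Mozilla/5.0"',
    '10.0.0.8 - - [09/Dec/2008:17:48:12 -0500] "GET /isomaster/ HTTP/1.1" 200 8192 "http://scenereleases.info/category/applications" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, total in sorted(hotlink_report(SAMPLE_LOG, {'example.com'}).items()):
        print(f'{host}: {total} bytes of images served into another site')
```

Running it over a real log (`hotlink_report(open('access.log'), {'yourhost'})`) ranks the referrers eating bandwidth; a referrer-based rewrite rule in the web server is then the usual fix.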

This is a huge boost to my self-confidence. I’ve always dreamed, and never dared hope, that someone would bother creating a crack for ISO Master. After all, it’s nowhere near as popular as its competitors (unlike Linux, Windows has a few established players in this space).

As for more people getting it for free now, heh – as they say “a small percentage of something is much better than 100% of nothing”. This is free promotion for me that I could never afford to do myself, I simply don’t have the resources. The more people have it, the more people will know about it, the more people will pay for it.

And if that’s not how it ends up, so be it. I am flattered that my software’s been cracked, and if I find out who did it I’ll buy them a beer.

I may even get off my ass and update the Windows version now, it’s two minors behind the Linux version, and GTK had some nice improvements since.

Nice guys finish last

November 15th, 2008 Open Source

By Andrew Smith

Whoever didn’t know that already? But knowing a fact without understanding the causes or implications can be pretty useless. So here is a summary of my wonderings of the last couple of weeks. For me to remember and you to enjoy.

All of this year I’ve persistently worked on one thing and have signed up to another. As a result I was able to take some risks, not needing to worry about what I’ll be doing in the next two years of my life.

I’ve decided this Mr Nice Guy thing isn’t working, cracked some heads, and got what I wanted. And that got me thinking – what was the point of being nice to begin with?

Shyness is a curse, and I’ll get into that some other time, but I want to say here that the curse of shyness doesn’t compel one to be nice. In fact the pain caused by being shy can just as well be channeled into being evil.

So I took the opposite of what I am as a potential goal, and tried to define it. What is evil, fundamentally? I couldn’t come up with an answer. I talked to a smart guy who studied the topic in some detail, and he suggested everyone is evil, which I thought about and decided no one is evil. Evil is not a fundamental characteristic of a person, it’s just a poor means to describe something else.

So if I don’t want to be nice, and there is no such thing as evil, what options do I have? For now – it’s still a mystery. But the few social norms I was still abiding by flew out the window recently, so if you didn’t like me before – beware, I just got worse.

Lost in the sticks

October 12th, 2008 Open Source

By Andrew Smith

It’s getting cold. In a few weeks it will be way too cold to ride my Vulcan 500, so I’m trying to make use of it as much as I can before I have to put it into storage for a half a year. Now it’s 2 AM and I just came back from a bit of an adventure.

I went north (as I usually do when going on a joyride) at about 22:00. North of Major Mac it’s quite pretty. And at night it’s nice because there isn’t much traffic.

I went North on Jane, turned east on some little street, and eventually ended up on Yonge Street. So far everything was great, though it was cold in some places (it’s strange how much the temperature ranges).

Then I turned back. Yonge street was boring, so I figured I should go back on Bathurst or Dufferin. I turned west somewhere, and then south on Bathurst. At least at the time I thought that was south, now I don’t know any more.

After a few minutes (didn’t pay attention to the time) I saw a sign saying the road’s ending in 5km. I thought that was strange, but there’s a lot of construction going on, and I always wanted to ride on a ‘closed’ road, just because a bike can handle more than a cage. So went on.

Hardly a minute later the pavement was gone. And a couple minutes later, the road did end. And though I couldn’t see much in the dark, I had a strong feeling this wasn’t a construction type of ending, it was permanently closed.

I thought damn, I guess better turn back now, but that didn’t feel right. So I got off the bike and looked around. Past the 1-meter tall bump at the end there was a path going downhill. Not paved, but it looked decently smooth.

I got the bike on top of the bump and shone the high beam down into there. The dirt path had some grass on it by the bottom, but I saw some house lights not so far in the distance, so I figured what the hell, it will be just a bit bumpy and then I’ll be back on a real road.

And I rolled down. Very quickly the path I went on disappeared, or at least turned in the wrong direction – so I had to go on the grass. That wasn’t so bad, I thought at the time. Then it really went downhill. I held the front brake and the front wheel was locked, but the bike was accelerating anyway. I couldn’t take my foot off the ground to use the rear brake, cause I would have lost the balance.

That should have given me an idea of what’s about to happen, but I wasn’t thinking yet. At the bottom of the hill I found a house, the lights I saw from the top. And I realised I’m not on a road, I’m on private property. Most likely a farmer, cause I could see a plowed field next to the house.

And again I said what the hell, the bike will get dirty, but it should be able to handle the stress, and I really want to get off these people’s property right now, so I directed it straight into the field. In less than a second the bike was stuck. It can go pretty far in a second, I think it was about 3 meters. The plowed land is impossible for a cruiser to go on, it’s too heavy. I had to rock it back and forth, and that worked for about a meter, then I had to go push the bike backwards from the front, and that worked for about a meter, then I almost gave up cause it became so hard, but I put some heart into it and it came back out.

At this point I’m pretty freaked out. I’m within 20-30m of a house, with the motorcycle engine roaring, and the high beams turning this way and that. Just imagine how freaked out you would be if that happened in your back yard (remember, this is the middle of nowhere, no neighbours, not the type of place where you’d dare come out and face an unwelcome biker). So I decided to go back the way I came.

Big mistake. A cruiser is way too heavy to go up a steep hill covered with grass. I felt that and tried to go up at an angle, but eventually I had to turn all the way up, and the bike fell onto its left side. This was the first time I dropped the bike completely (since I bought it). I killed the engine, and started raising the bike. I’ve had to raise it half way once when I put it down with the stand up and that was easy, but this was really really hard. The bike wasn’t even horizontal, it was a bit upside down (I’m on a hill, remember?). So I tried this and that, and eventually just found the right angle and the right force to put it up.

Then, yes of course, it started rolling down the hill. Backwards. And the front brake didn’t work, just as it didn’t work earlier. But I managed to put my foot on the rear brake, and stopped it. Wooh.

Key, start, start, start? The engine wouldn’t start any more. God dammit. I was freaking out already, and this made it worse. What would I do, knock on these people’s front door at midnight and ask for help? I’d get the police in the best scenario, but more likely shot or stabbed (these are farmers, they must have guns).

Then I got an interesting idea – roll down hill in gear and start the bike as I’m doing that. And amazingly that worked. I was so relieved. In retrospect I think the gear wasn’t engaged so rolling downhill had nothing to do with it, but whatever.

Now I’m seriously worried, and very pissed. No more mister nice guy. I point the bike straight at the hill and go in full first. Yes, I was that stupid. It’s easy to say so in retrospect. When very cold, very tired, and worried to death your brain doesn’t work so well, trust me.

This time the bike fell on its right side. And trying to start it while in gear and rolling down hill didn’t work. Shit!

But now I noticed that the house I kept trying not to look at had 3 garage doors. Garage doors? Cars? Paved road? Yes indeed. So I rolled the bike all the way down the hill onto the road. At least now in the worst case I won’t need to leave the bike on its side in the grass.

Now I’m on a paved road, and reasonably sure that if the bike starts, I’ll be able to get out. That’s when I remembered that I smelled gas while lifting it the second time, and that reminded me of ‘flooded’, and how to deal with it. Key, clutch all the way in, full throttle, start. It started the first time like a charm.

I went towards the house first, found that was a dead end, and had the lights turned on on me (I think they were sensor-activated). Going to the other side I got out. I still had no idea where I was, but the way back home was straight-forward.

Now I’m wondering if I should figure out whose back yard I was in, and maybe call and apologise. I could maybe find it again. I’m guessing it was somewhere around Bathurst and Green La W, but that’s a really rough guess. I don’t think I’m going to bother.

But in the unlikely case that an inhabitant of the house reads this blog post, or someone who knows them does – I apologise. If I had any reason to believe that downhill was going into private property, I wouldn’t have even considered going there. And I must have messed up your lawn too. Mostly I hope I didn’t scare anybody, and for what it’s worth – I’m sorry if I did.