WordPress Footer.php hacked

Well I’ve learned my lesson regarding critical security updates. I’ve been running a couple of versions behind the latest for months now.

I then spotted a whole bunch of 404s in Google’s webmaster tools. Really odd links that shouldn’t even exist on my site. So after investigating I discovered that my footer.php was full of spam links.

So I deleted them. Next time I checked they had come back. So I exported my posts as XML and ditched both WordPress and the database. I then reinstalled the latest version of WordPress and imported my posts. Next time I will upgrade when a security patch is released!

The only remaining problem is the damage done to my search engine listings; I have fallen off the map completely. Googlebot still hasn’t revisited my site since I repaired the damage, so who knows how long before things correct themselves. I have made a resubmission request just in case I’ve been blacklisted or something.

4 digit door entry systems

Our office block is protected by a keypad. The entry code is 4 digits long and the pad has the numbers 0 to 9. Now I noticed the other day, and have discovered that this is quite common with these entry systems, that there is no kind of punishment for getting the number wrong. The pad just looks at the last 4 numbers you have typed.

So you can try numbers over and over at quite a high speed till you get the right four, with no delay enforced for getting anything wrong.

So I’m thinking, could you make a small device with 10 solenoids that tried every number in turn? How long would it take?

There’s 10,000 four digit combinations, or 40,000 keypresses, but as it only looks at the last four digits we can seriously shorten that.

For example if I type 012345 then I’ve just tested 0123, 1234 and 2345. I looked about a bit and found something called de Bruijn sequences. A de Bruijn sequence is the shortest sequence containing all possible words of a certain length.

So it turns out that the shortest sequence is 10,003 digits long. Googling about some more I discovered this site, which generates de Bruijn sequences for you.

Say for example the keypad can manage 10 digits a second then we need 1000 seconds to try every possible combination. That’s roughly 15 minutes. Not bad down from an hour but I’m sure it could be faster.
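As an added worked example (not code from the original post), the following Python builds the 10,003-digit sequence mentioned above, checks that a sliding four-digit window really covers all 10,000 codes, and puts a number on what a lockout after a few wrong codes (a hypothetical setting this keypad does not have) does to the worst-case time at 10 presses a second:

```python
def de_bruijn(k, n):
    """Shortest cyclic digit string over 0..k-1 containing every length-n
    word exactly once (k**n digits); the standard FKM construction."""
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(map(str, out))

def keypad_sequence(digits=10, code_len=4):
    """Unrolled for a pad that only looks at the last code_len presses: the
    cyclic sequence plus its first code_len-1 digits, so every code appears
    as a linear window. Length is digits**code_len + code_len - 1."""
    cyc = de_bruijn(digits, code_len)
    return cyc + cyc[:code_len - 1]

def codes_covered(seq, code_len=4):
    """Distinct codes a sliding window of code_len digits sees in seq."""
    return {seq[i:i + code_len] for i in range(len(seq) - code_len + 1)}

def worst_case_seconds(presses, code_len=4, presses_per_second=10,
                       lockout_after=0, lockout_seconds=0):
    """Seconds to feed `presses` keys. With no lockout (the post's pad) that
    is presses / rate. If the pad instead freezes for lockout_seconds after
    every lockout_after wrong codes (hypothetical settings), every press past
    the first code_len-1 is an attempt and the freezes dominate."""
    typing = presses / presses_per_second
    if lockout_after <= 0:
        return typing
    attempts = presses - (code_len - 1)
    return typing + (attempts // lockout_after) * lockout_seconds

if __name__ == "__main__":
    seq = keypad_sequence()
    print(len(seq), len(codes_covered(seq)))    # 10003 10000
    print(worst_case_seconds(len(seq)))         # 1000.3
    print(worst_case_seconds(len(seq), lockout_after=3, lockout_seconds=30))
```

With a 30-second freeze after every three wrong codes the same exhaustive run takes a little over 100,000 seconds, i.e. more than a day, which is why the missing penalty matters more than the keypress rate.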

Now, the person who regularly resets the code on my building is obviously fond of history, as the codes are always famous dates. We have not, for example, ever had a code that didn’t start with “1”.

I expect many people come up with a year or a day/month combination when asked to generate a 4 digit code. I wonder how many people’s PIN numbers start with 0, 1, 2 or 3? Given this, is there a way to order the sequence to increase the probability of an earlier win?

Humans are rubbish at being random. If we concentrate on years then it would seem to make sense to check 19[0-9][0-9] first, or just the first 2000. If we are thinking many people choose day/month combinations, then we should check for [0-3][0-9][0-1][0-9], or for US month/day [0-1][0-9][0-3][0-9].

To test any of this we really need sample data to work on. I reckon we need a sampling of the kind of 4 digits humans would choose, that would be a good start. How to go about gathering that data though?

Symantec are Stupid

I’ve just wasted half an hour of my life working out why IMG tags are missing and have been stripped out of the HTML source on my director’s laptop.

The key to it was some Javascript that had been injected.

Function SymError()

So if you see this it’s Norton Internet Security and its advert blocker at work; it seems there’s a list of banned words for images, one of which is “banner”.

So there I am using a perfectly self-descriptive image name of main.banner.jpg, which just happens to be an innocent header image spanning the page, and it gets wiped out by some lazy cunt at Symantec.

Seems many strings are just ripped out. Here’s a full list. Images of certain sizes are also stripped out as well.


Blocked image sizes

Images:
125x125
160x600
180x150
234x60
240x400
250x250
300x250
336x280
468x60
88x31
120x90
120x60
120x240