
Joomla CMS hacks by using vulnerability in com_fabrik

This month I've already had two cases where a Joomla website has been attacked and hacked. 

A security vulnerability was used to upload a PHP shell, which was then used to upload complete fake websites. These fake websites then turned out to be phishing websites (what else...).

(Image: PayPal phishing website uploaded through the vulnerability) This PayPal phishing website was uploaded through a PHP shell, which itself was uploaded through a vulnerability in the Joomla module com_fabrik.

But how did the hacker upload the PHP shell?

After checking and comparing both hack attempts, two conclusions could be drawn:
- The attack was automated: both logs showed the EXACT same way of uploading the PHP shell, just from different IP addresses.
- The vulnerability must be in a module called com_fabrik, which allows CSV files to be uploaded. Either a forged CSV file was uploaded, or the upload form was 'tricked' into accepting a non-CSV file.

Here some lines from the log:

41.233.160.99 - - [02/Jan/2012:01:27:31 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:50 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:27:56 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&fietype=csv&tableid=1&Itemid=0 HTTP/1.1" 200 9557 "http://www.example.com/index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

41.233.160.99 - - [02/Jan/2012:01:28:03 +0100] "GET /media/ASS.php HTTP/1.1" 401 54 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"

After some quick research, this vulnerability seems to be the one described in vulnerability report #342 of 2011-11-26: Joomla com_fabrik - Remote File Upload Vulnerability. But what is even more intriguing is the fact that there have been other exploits before, and there will probably be others in the future.

On the developer website (www.fabrikar.com) the latest version mentioned on the blog is 2.1, and the post mentions important security fixes - but that post dates from July 2011.
On the download page several versions exist (3.0.3 from January 25th 2012 and 2.1.1 from September 26th 2011). Unfortunately there is no changelog attached, so it is not known whether this particular vulnerability has been fixed or not.

My advice: Don't use this module. It seems to be too insecure for production environments.
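As an added example (not part of the original post), the three-step pattern visible in the log above, written as detection logic a defender can run over an Apache access log: the client fetches the com_fabrik import form, POSTs to com_fabrik, and shortly afterwards requests a .php file other than index.php. The log lines embedded in the script are constructed to mirror that sequence and use documentation-range IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not the real log from the post); the first client
# follows the form -> POST -> fetch-PHP sequence, the second only uses the form.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2012:01:27:31 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2012:01:27:50 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "http://www.example.com/index.php?option=com_fabrik&c=import&view=import" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2012:01:28:03 +0100] "GET /media/ASS.php HTTP/1.1" 401 54 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2012:02:00:00 +0100] "GET /index.php?option=com_fabrik&c=import&view=import&filetype=csv&tableid=1 HTTP/1.1" 200 9297 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2012:02:00:20 +0100] "POST /index.php?option=com_fabrik HTTP/1.1" 303 - "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2012:02:00:25 +0100] "GET /index.php?option=com_fabrik&c=import&view=import HTTP/1.1" 200 9557 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["file"] = rec["path"].split("?", 1)[0]   # path without query string
    return rec

def find_fabrik_upload_chains(log_text, window=timedelta(minutes=5)):
    """Return [(ip, file, status)] for clients that fetched the com_fabrik import
    form, POSTed to com_fabrik, then requested a non-index .php file within window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        seen_form, post_ts = False, None
        for r in sorted(recs, key=lambda r: r["ts"]):
            is_fabrik = "option=com_fabrik" in r["path"]
            if r["method"] == "GET" and is_fabrik and "view=import" in r["path"]:
                seen_form = True
            elif r["method"] == "POST" and is_fabrik and seen_form:
                post_ts = r["ts"]
            elif (post_ts is not None and r["ts"] - post_ts <= window
                  and r["file"].endswith(".php") and not r["file"].endswith("/index.php")):
                hits.append((ip, r["file"], r["status"]))
                post_ts = None   # report each upload once
    return hits
```

Running `find_fabrik_upload_chains(SAMPLE_LOG)` reports only the first client; a legitimate CSV import that returns to the import view does not trigger it.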

Thursday - Jan 26th 2012 - 3.58 pm (+0100) - Switzerland - (0 comments)

 

Performance data added to volumes check in check_equallogic

Another update has been made on the Nagios/Monitoring plugin/script check_equallogic.

The volume names no longer show up with quotes in the output ("vol1" appears now simply as vol1) and performance data was added to the output, so graphs can be created for all discovered volumes.

As always, feedback is welcome!

Wednesday - Jan 25th 2012 - 3.33 pm (+0100) - Switzerland - (0 comments)

 

Bugfix in check_equallogic (volumes check)

There has been a small bugfix in the Nagios/Monitoring plugin check_equallogic. The 'volumes' check had an error in the logic for handling the volumes once the system volumes were successfully ignored. This could cause some volumes to be left out of the output.

The new version (20120123) has fixed this issue. Please use the newest version from now on. Existing versions should be replaced. Thanks to Laurent Colonges for his patience and for the tests with the new version.

Monday - Jan 23rd 2012 - 12.59 pm (+0100) - Switzerland - (0 comments)

 

Nagios plugin check_procs misses perfdata and how you can add it

To my very big surprise, one of the oldest original Nagios plugins (check_procs) doesn't seem to have performance data integrated into its output.

Here's a typical launch of the plugin on the command line, done with two different versions:

# ./check_procs --version
check_procs v2019 (nagios-plugins 1.4.13)

# ./check_procs -w 150 -c 300
PROCS OK: 97 processes

# ./check_procs --version
check_procs v1.4.15 (nagios-plugins 1.4.15)

# ./check_procs -w 150 -c 300
PROCS OK: 110 processes

Neither of them shows perfdata, which would follow a pipe character (|) after the regular output.
To create graphs with Nagiosgraph, at least some output in the perfdata 'field' is necessary.

A quick search on the Nagios Plugins SourceForge page shows that several patches have already been submitted to add perfdata to this plugin. The first was submitted in 2005, the newest as of now just a month ago in December 2011. But bummer, they never made it into the plugin.
So that means that the good Nagios admin has to take matters into his own hands. I'll show you in a step-by-step tutorial how you can enable perfdata yourself, and it is very easy, believe me!

1. First download the Nagios plugin source file from the SourceForge website.

2. Untar/unzip the file; I'm doing this in /tmp:

/tmp # tar -xzf nagios-plugins-1.4.15.tar.gz

3. Change dir into the newly created folder:

/tmp # cd nagios-plugins-1.4.15

4. Open the check_procs source file which is called 'check_procs.c' and is located in the 'plugins' subfolder with your favourite editor (like vim):

/tmp/nagios-plugins-1.4.15 # vim plugins/check_procs.c

5. Go to line 295 where this line should be (as of version 1.4.15):

printf (ngettext ("%d process", "%d processes", (unsigned long) procs), procs);

Just one line below it add the following line:

printf ("|procs=%d;%d;%d;0", procs, wmax, cmax);

So it looks like this at the end:

        printf (ngettext ("%d process", "%d processes", (unsigned long) procs), procs);
        printf ("|procs=%d;%d;%d;0", procs, wmax, cmax);

What we did is simple: we append another output to the standard output (not as a new line, but directly after the original output), using the variables procs (the number of processes found), wmax (the defined warning threshold) and cmax (the defined critical threshold).

Once done, save the changes.

6. Still in the nagios-plugins folder, the plugins need to be compiled (or re-compiled):

/tmp/nagios-plugins-1.4.15 # ./configure
/tmp/nagios-plugins-1.4.15 # make

7. The new check_procs plugin can now be found in the plugins folder, and you can copy it next to the other plugins:

/tmp/nagios-plugins-1.4.15 # cp plugins/check_procs /usr/local/nagios/libexec/

8. Test it on the command line and you'll find the performance data output:

/usr/local/nagios/libexec # ./check_procs -w 150 -c 300
PROCS OK: 133 processes|procs=133;150;300;0

Hurray!

What's missing now is the Nagiosgraph map entry for check_procs. Here you go:

# Service Type: check_proc
# Regex by Claudio Kuenzler
# Nagios Output: PROCS OK: 114 processes
# Perfdata: procs=114;150;200;0
/perfdata:procs=(\d+);(\d+);(\d+);0/
and push @s, [procs,
        ['active', GAUGE, $1 ],
        ['warn', GAUGE, $2 ],
        ['crit', GAUGE, $3 ] ];
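As an added example (not code from the plugin or from Nagiosgraph), here is a small Python parser for the output format the patched plugin now produces, plus a re-check of the OK/WARNING/CRITICAL state from the thresholds carried in the perfdata. It handles the general Nagios perfdata and range syntax, not only the procs case shown above, so it can also sanity-check other plugins' output.

```python
import re

# One Nagios perfdata entry: label=value[UOM];[warn];[crit];[min];[max]
# (the format the tutorial's added printf produces: procs=133;150;300;0)
PERF_RE = re.compile(
    r"(?P<label>'[^']*'|[^\s'=]+)=(?P<value>-?\d+(?:\.\d+)?)(?P<uom>[A-Za-z%]*)"
    r"(?:;(?P<warn>[^;\s]*))?(?:;(?P<crit>[^;\s]*))?"
    r"(?:;(?P<min>[^;\s]*))?(?:;(?P<max>[^;\s]*))?"
)

def parse_plugin_output(line):
    """Split plugin output at the first '|' into the status text and a dict of
    perfdata metrics keyed by label; empty threshold fields become None."""
    text, _, perf = line.partition("|")
    metrics = {}
    for m in PERF_RE.finditer(perf.strip()):
        d = m.groupdict()
        metrics[d["label"].strip("'")] = {
            "value": float(d["value"]), "uom": d["uom"],
            **{k: (d[k] or None) for k in ("warn", "crit", "min", "max")},
        }
    return text.strip(), metrics

def outside_range(value, spec):
    """Nagios threshold range check for the common forms: 'N' means alert when
    the value is outside 0..N, 'A:B' when outside A..B ('~' = no lower bound,
    missing B = no upper bound). The '@' inside-range negation is not handled."""
    if not spec:
        return False
    lo, hi = spec.split(":", 1) if ":" in spec else ("0", spec)
    low = float("-inf") if lo in ("~", "") else float(lo)
    high = float("inf") if hi == "" else float(hi)
    return value < low or value > high

def state_from_perfdata(line, label):
    """Recompute OK/WARNING/CRITICAL from the thresholds the plugin itself
    emitted in its perfdata, which lets you cross-check that the '|procs=...'
    part agrees with the text part of the output."""
    _, metrics = parse_plugin_output(line)
    m = metrics[label]
    if outside_range(m["value"], m["crit"]):
        return "CRITICAL"
    if outside_range(m["value"], m["warn"]):
        return "WARNING"
    return "OK"
```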

Enjoy!

Wednesday - Jan 18th 2012 - 4.54 pm (+0100) - Switzerland - (0 comments)

 

Current project: Website for political candidate

I'm currently working on a new website for my father, who will be a candidate for the local parliament in the canton (state) of Thurgau in Switzerland. The main goal is to deliver some basic information about his political views and ideas, but it shouldn't be a "boring" website with tons of text that nobody's going to read.

We came up with the idea of using a dynamic Gallery Slideshow which doesn't require Flash, so it will also be working on mobile devices. This way impressions can be given to the visitor through pictures and some text as descriptions. The technical solution for this gallery is a JavaScript solution called fadeslideshow.

(Screenshots: New Project: Website frischer-wind-im-thurgau.ch)

The gallery doesn't need interaction, automatically changes pictures (fade-effect) and shows an embedded description in a layer above the image.

Here are two other pictures showing the general design of the website and the navigation, which uses CSS3 for the effects:

(Screenshots: New Project: Website frischer-wind-im-thurgau.ch)

The website will be available soon on http://www.frischer-wind-im-thurgau.ch.

Saturday - Jan 14th 2012 - 4.34 pm (+0100) - Switzerland - (0 comments)

 

Minor update of check_equallogic (info and temp check)

A new version of the monitoring plugin check_equallogic was released yesterday. Two bugs were fixed in the 'temp' and 'info' checks, which occurred if only one controller was working (discovered by Laurent Colonges).

The new version (20120104) has been available for download on the plugin page since yesterday evening.

Thursday - Jan 5th 2012 - 11.47 am (+0100) - Switzerland - (0 comments)

 

How to solve locale error: perl: warning: Setting locale failed.

On a Debian Lenny server I changed the default locale from en_US.UTF-8 to en_US.ISO-8859-15 to be able to edit some files with European Umlauts. 

The setting changed on the fly and I was able to view and edit such files perfectly with vim. But some scripts couldn't find the new locale and showed perl errors like this:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.ISO-8859-15"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory

This error comes from the command update-locale and, as it points out, the file or directory for the defined locale couldn't be found.

It can be resolved by installing the package locales-all (by default only 'locales' is installed) which downloads additional locale files. The command update-locale worked fine just after.

Monday - Jan 2nd 2012 - 3.38 pm (+0100) - Switzerland - (0 comments)

 

Roundcube: PHP Error: Failed to load plugin file on PHP 5.3.8

On a new Roundcube (0.7) installation I did recently, something strange happened: the defined plugins were not loaded and the error log was full of errors like these:

PHP Error: Failed to load plugin file /var/www/roundcube/plugins/lang_sel/lang_sel.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)
PHP Error: Failed to load plugin file /var/www/roundcube/plugins/authenticate_by_confixx_email/authenticate_by_confixx_email.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)
PHP Error: Failed to load plugin file /var/www/roundcube/plugins/persistent_login/persistent_login.php in /var/www/roundcube-0.7/program/include/rcube_plugin_api.php on line 196 (GET /)

At first I thought it could be a problem with the path, but it was correct (roundcube is a symlink to roundcube-0.7). Even manually changing the vhost didn't change anything.
Another fact is that I use the exact same installation with the same configuration and plugins on another host, but one which is running PHP 5.2.x.

Even googling for this problem didn't turn up any clues; most of the hints were about wrong paths or include path definitions.

But then it hit me! Just out of the blue I thought, what the heck, let me check the permissions again, and look at that:

/var/www/roundcube/plugins # ll
total 128K
drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 acl
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 additional_message_headers
drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 archive
drwxr-xr-x 2 root root 4.0K Nov  4 12:45 authenticate_by_confixx_email
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 autologon
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 database_attachments
drwxr-xr-x 3  501   80 4.0K Dec 22 10:20 debug_logger
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 emoticons
drwxr-xr-x 6  501   80 4.0K Dec 22 10:20 enigma
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 example_addressbook
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 filesystem_attachments
drwxr-xr-x 5  501   80 4.0K Dec 22 10:20 help
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 http_authentication
drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 jqueryui
drwxr-xr-x 2  501   80 4.0K Dec 29 11:41 lang_sel
drwxr-xr-x 6  501   80 4.0K Dec 22 10:50 managesieve
drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 markasjunk
drwxr-xr-x 3  501   80 4.0K Dec 22 10:20 newmail_notifier
drwxr-xr-x 3  501   80 4.0K Dec 22 10:20 new_user_dialog
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 new_user_identity
drwxr-xr-x 4  501   80 4.0K Dec 22 11:42 password
drwxr-xr-x 4 root root 4.0K Dec 27 13:12 persistent_login
drwxr-xr-x 2 root root 4.0K Oct 16 13:21 qtip
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 redundant_attachments
drwxr-xr-x 4 root root 4.0K Dec 22 11:38 settings
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 show_additional_headers
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 squirrelmail_usercopy
drwxr-xr-x 3  501   80 4.0K Dec 22 10:20 subscriptions_option
drwxr-xr-x 3  501   80 4.0K Dec 22 10:20 userinfo
drwxr-xr-x 4  501   80 4.0K Dec 22 10:20 vcard_attachments
drwxr-xr-x 2  501   80 4.0K Dec 22 10:20 virtuser_file
drwxr-xr-x 2  501   80 4.0K Dec 14 14:01 virtuser_query

Now isn't that something. All the plugins mentioned in the error log are the ones owned by root (I added them manually, as they are not part of the original Roundcube installation).
As soon as I corrected the ownership of these plugin folders (and their files), setting them to the same user as the others, the plugins loaded fine and no more errors appeared in the error logs.

As I already mentioned, this worked fine on PHP 5.2.x, but on PHP 5.3.x it seems to cause trouble.

Thursday - Dec 29th 2011 - 2.13 pm (+0100) - Switzerland - (0 comments)

 

Minor update of Nagios plugin check_mysql_slavestatus

Marc Féret informed me (already a while ago) that the Nagios plugin check_mysql_slavestatus, which is used to check the status of MySQL replication, doesn't check the value of 'Slave IO Running'.

In some circumstances it is possible that 'Slave SQL Running' is set to Yes (which is checked by the plugin) while 'Slave IO Running' is set to No or NULL.
To catch this situation, he contributed an additional check for 'Slave IO Running' to the plugin.

The new version (2011122700) has been released. Thanks, Marc!

Tuesday - Dec 27th 2011 - 1.37 pm (+0100) - Switzerland - (0 comments)

 

How to forward USB device to a virtual machine

In the past weeks I came across several applications which needed a USB dongle as a hardware license. The problem with virtualization is that such dongles can't simply be plugged into the physical host - what happens when the machine moves (vMotion)?

One possible solution is to forward the USB device over IP. That works successfully with a Digi AnywhereUSB 5, a 5-port USB hub which forwards attached USB devices to one remote host. Yes, only one remote host. And that of course causes a problem. The goal should be a USB forwarding device which can handle different USB devices and forward them to different hosts.

Luckily Digi also has a bigger horse in the race: the Digi AnywhereUSB/14, a 14-port USB hub:

(Image: Digi AnywhereUSB/14)

This horse eats more (= pricey), but it is much more powerful as well. It allows defining so-called groups to which one or several of the 14 ports can be assigned (image left):

(Images: AnywhereUSB Port Group Configuration; AnywhereUSB Software Group Number)

The software on the remote host (the virtual machine) can then be configured to connect to a defined Group Number (image right).


As soon as the software connects to the IP-USB hub, it takes ownership of all USB devices attached to the defined group.
So far I've tested it with two virtual machines, each accessing one USB device: VM1->Group1->Port1, VM2->Group2->Port2. Works like a charm!

There was one minor issue though. Once the software on the VM successfully connected to the AnywhereUSB device, Windows couldn't find the correct driver for the USB Hub:

(Image: AnywhereUSB - Windows can't find RealUSB driver)

This can be solved easily, as described in this KB entry on the Digi website: http://www.digi.com/support/kbase/kbaseresultdetl.jsp?id=1051.
A missing file (usbd.sys) in the C:\Windows\system32\drivers folder (on W2k3 32-bit) causes this problem. A virtual machine doesn't have a USB controller by default, therefore the Windows installation doesn't contain all the USB drivers, compared to "normal" installations on physical machines. Just copy the missing file (usbd.sys) from a similar machine (same OS, same architecture) to the VM and restart it. The drivers will be working at the next boot.

Wednesday - Dec 21st 2011 - 4.47 pm (+0100) - Switzerland - (0 comments)

 

