Social Engineering Call

So this afternoon I got a call from a strange number – 248.562.1268. When I answered it was an Indian fellow who told me he was calling from tech support to help my computer. He said the last time my computer went online it downloaded a virus and he wanted to help me fix it. At this point my day was made. I have been hoping that they would call me because I wanted to see what website they were directing unsuspecting users to. He told me I needed to be in front of my computer, which I wasn’t, so that he could help me. I got a scrap of paper, took notes and pretended to play along. He wanted to know what version of Windows I was running before we got started. I said Windows 7 so he would keep going. First he wanted me to hold down the Windows key and press “r” on the keyboard; this is the shortcut for the “Run” box on Windows. He phonetically spelled out “prefetch”, so I played along, and he said all of the files in there were virus files and to delete them all. Next he said to type “eventvwr”, which launches the Windows Event Viewer. I said ok, I have it open. He wanted me to scroll through the Event Viewer for the first red icon I could find. I said I found one. He asked me to read out the number beside it. I just said a random number, 5000. He says this is a very grave situation, you have 5000 virus files on your computer. I will have to connect remotely to take care of the situation. In my opinion they would be doing a great job of building confidence with a user who was unaware of what they were doing. This call lasted almost 10 minutes before I even got to the exploit part of the call. Of course a lot of that was me saying “huh”, “what” and “could you say that again”. We spoke two very different dialects of English. He wanted me to visit www.360pcsupport.com. At this point I could not go any further as I did not have a computer handy, nor was I about to visit it…. so I said I am very sorry, I have another call on the line, please call back later. 
So far he has not called me back but I really hope they do. I want to see where else he wanted to take me from one of my sandboxed workstations. If anyone else gets a call from them please let me know I want to see if there are any other links I need to add into our web filtering system to block. This was way too much fun.

Amazing Slow Motion Photography

I saw this linked from an article I was reading and had to share it. It is some pretty amazing slow motion if you like that kind of thing. Turn the resolution up all the way and watch full screen.

Removing WordPress Malware

This week I had a friend contact me about a WordPress site he had built distributing malware. He had tried to clean it up and the malware was really persistent, so he asked me if I would like to take a look at it.  I opened the site and NoScript instantly warned me about scripts trying to run.  Opened up the FTP to the site and saw that the index.php file was huge.  Surfed around inside of the directory structure and index.php inside of the wp-admin directory was also quite large.  In Googling around there was no definitive guide about how to remove infections like this, so I thought I should write up my findings if I was able to get it cleaned up.

Thankfully I was able to get it cleaned up, so here is how I did it.  First I downloaded the most recent WordPress install from their site and unzipped it.  I copied up all the files from the freshly unzipped folder to the folders on the FTP site, overwriting the index.php files and JavaScript (.js) files too.  Then I changed the permissions on the index.dat files to keep them from getting overwritten again.  I found that as fast as I could copy the files back they would get overwritten.  Using my FTP client I right-clicked on each index.dat file, went to File Permissions and changed it from 644 to 444.  This disallowed the system from changing the files.

Permissions set to 444 from 644

Next I had to find what was causing the reinfection of the site.  I was now able to open the wp-admin panel and log in.  I went straight to the plugins section of the control panel and disabled all of the plugins.  In some of the posts I had read there were lots of comments about rogue plugins causing this problem.  I wrote down a list of the plugins and went back to my FTP client.  There were several plugins in the FTP folder that were not listed in the admin interface.  I renamed these folders immediately and started Googling the plugins that were in the folder.  One of them was “ToolsPack”; I had already observed several other users lamenting the problems with this plugin.  It is basically a plugin that downloads and installs malware for you.  While that is very helpful, it is not really what most users were looking for.  Another plugin was just a random string of characters; it was also renamed.  Typically I just add a .bad extension to the end of all suspect files/folders until I am sure they are ready to be deleted.  Another good place to look is in your phpMyAdmin control panel.  Navigate into your database as shown in the picture below and find the Active Plugins in the wp_options table.  If you see any in there that are suspect, remove them.  Just remember that a semicolon separates each plugin statement.  It is important to get the formatting correct or you could experience problems.  Check out the image of phpMyAdmin from one of my sites.  Click on the image to see it in its original size so you can read the annotations.

phpMyAdmin

Once the rogue plugins are disabled, the index.php files are set to a permissions level of 444, and you are feeling better about the site, you should use one of the free virus scanners out there to double check your work.  This site – http://sitecheck.sucuri.net/scanner/ – will do a free virus scan of your site.  I see no reason at this point to pay $89.99 for them to clean up a malware infection.  After cleaning up one like this I think I would be happy to take someone’s $89.99 to do another one.  It is not that bad if you are comfortable with the tools involved: FTP, a text editor, and a web browser with NoScript (to prevent infecting yourself).  After Sucuri pronounces your site clean, use the FTP client to delete all of the files you marked as suspect with a .bad extension (or however you delineated them from the production files).

One other tool that I used, but that is not always available to everyone, is grep.  This is an amazingly powerful *nix tool and I only know a smidgen about it.  Here is how I used it in looking for broken code in this instance.  You can either download the entire infected site via FTP, or if you have SSH access to the server you can use grep to search for bad data in files.  In this case I opened the broken index.php files in Notepad and found the text that was part of the virus.  It started out with “Math.Pi” and then a long string of Base64 encoded JavaScript.  From the command line I entered

grep -r -l "Math.Pi" .

grep invokes the program, -r searches recursively, and -l lists the names of the files where the text is found.  The string of text you are searching for belongs in the quotes (straight quotes, not the curly ones a word processor inserts), and the period at the end of the line tells grep to start in the current directory; then hit enter.  Output will appear below to show you where the text is found.  You have to be specific and careful.  PHP is a programming language and the text you select to search for could be needed.  Download a fresh copy of any files you think are suspect to compare against.  I downloaded the .zip of the WordPress version that was installed in this case and I downloaded and extracted all of the .zip files for the plugins and themes that were installed.  This allowed me to search and compare the original intended code with what was running live on the site.  I am not a programmer, but it was very clear when I found the bogus code that I had found it.  Here is a screenshot of the code that I found and knew instantly was bad with little programming background.  Keep in mind that the text extends well out of the image shown.  Several of the lines that are cut off were over a thousand characters long.

Infected PHP code
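The two checks described above (plugins in wp_options that the fresh zip knows nothing about, and comparing the live files against a clean copy while searching for the “Math.Pi” marker) can be scripted. This is an added example, not the post’s own tooling; the clean/live trees, the rogue plugin name and the option value are constructed here so it runs offline.

```python
"""Audit a downloaded WordPress tree against a fresh unzip of the same versions.
Added example with constructed sample data, not code from the post."""
import hashlib
import re
import tempfile
from pathlib import Path

# The post found the injection starting with "Math.Pi" followed by a long
# base64 run; match that shape rather than any one payload.
INJECT_RE = re.compile(r"Math\.Pi.{0,200}?[A-Za-z0-9+/=]{200,}", re.S | re.I)
# wp_options.active_plugins is a PHP-serialized array; each entry is s:N:"path";
SERIALIZED_STR_RE = re.compile(r's:\d+:"([^"]*)";')


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(clean: Path, live: Path) -> dict:
    """Classify live files as extra (absent from the clean copy), modified
    (present but differing) or injected (carrying the marker pattern)."""
    found = {"extra": [], "modified": [], "injected": []}
    clean_files = {p.relative_to(clean) for p in clean.rglob("*") if p.is_file()}
    for p in sorted(live.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(live)
        if rel not in clean_files:
            found["extra"].append(str(rel))      # e.g. a plugin dir not in the zip
        elif sha256(p) != sha256(clean / rel):
            found["modified"].append(str(rel))   # same file, different content
        if p.suffix in (".php", ".js") and INJECT_RE.search(p.read_text(errors="replace")):
            found["injected"].append(str(rel))
    return found


def active_plugins(option_value: str) -> list:
    """Plugin entries from the serialized active_plugins option value."""
    return SERIALIZED_STR_RE.findall(option_value)


def build_sample(root: Path):
    """Construct a tiny clean/live pair; the 'payload' is harmless filler."""
    clean, live = root / "clean", root / "live"
    index = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    for base in (clean, live):
        (base / "wp-admin").mkdir(parents=True)
        (base / "wp-content/plugins/akismet").mkdir(parents=True)
        (base / "index.php").write_text(index)
        (base / "wp-admin/index.php").write_text(index)
        (base / "wp-content/plugins/akismet/akismet.php").write_text("<?php\n")
    filler = "QUJDREVG" * 40  # stands in for the base64 blob, not real code
    (live / "index.php").write_text(index + "<script>Math.Pi;eval('" + filler + "')</script>\n")
    (live / "wp-content/plugins/xk3f9a").mkdir()  # constructed rogue plugin dir
    (live / "wp-content/plugins/xk3f9a/xk3f9a.php").write_text("<?php\n")
    return clean, live


def run_demo() -> dict:
    clean, live = build_sample(Path(tempfile.mkdtemp()))
    report = audit(clean, live)
    # constructed option value: one legitimate entry, one matching the rogue dir
    opt = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:17:"xk3f9a/xk3f9a.php";}'
    report["active_plugins"] = active_plugins(opt)
    return report
```

Anything listed under extra or active_plugins that you did not install yourself is the first thing to rename with a .bad extension, and injected files get replaced from the fresh zip rather than edited by hand.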

I hope someone else finds this helpful.  It was frustrating as I looked for resources and there were lots of fragmented guides and forums where one or two of these ideas were mentioned but not one that covered all of these different ways to look for and repair a malware problem like this.  If nothing else it can serve as a reminder to me the next time I encounter one of these infections.

Offline Post from Jordan

* I wrote this offline before I left Jordan. I have just gotten around to posting it today *

Offline Post

I am writing this post now but I will not get to post it until I get back to the states. The hotel we are staying at wants 22$ US for usage of the Interwebs… I just don’t see it. Anyway I can get onto Facebook and the like from my phone, and I could type this entry on there, but I don’t want to fight with autocorrect trying to fix my intentional misspellings of words and constant uses of multiple periods…

Anyhow it has been a good trip. We have slayed the dragons that brought us here and documented how these dragons could be re-slayed should they appear again. We have also eaten great food and had some great conversations with the expatriates we have encountered here in Jordan. I am absolutely in love with the concept of “teatime” and wish we could bring it to America. Taking a break every day at 10 for tea, hummus, zatar, fresh flat bread, olive oil, and preserves is a great way to break up the morning. I plan on taking back some zatar and tea to share with the folks back home. If nothing else maybe we can institute teatime at my house, even if it is only once a week on Saturdays.

The funniest part of this trip had to be the night that an elderly Bedouin woman took up with my traveling partner during dinner. We entered the restaurant and ordered some chicken sandwiches and potato wedges through wild hand gesticulations and pointing. After we ordered the young guys running the front of the café indicated for us to sit. They spoke much more English than we did Arabic so they were asking us questions about America and what we ate and so on and so forth. We were having a good time and then the elderly woman appeared and we were having a great time. She came out into the food prep/dining area and started talking to the boys behind the counter and us. We tried to help her understand that we didn’t speak Arabic. I think she understood but didn’t care. She was talking to us and kept saying Americans, Americans and laughing and patting us on the shoulders. She couldn’t have been a day under 80.

We were watching the food be made and the guys were trying to get us to move to some different seats so they could corral her somewhere else. This was obviously not what the lady was wanting. She took her cane and whacked the nearest boy to her, and for an old lady she had a swing. She could have been at least a prospect in AAA ball. With that he left her alone and she pulled up a chair and joined us for dinner. She just sat there laughing and talking to us like we could understand. We were there nodding and smiling like we had a clue what was going on. We offered her some of our pile of fries and she declined. The boys brought her a Pepsi, which she would not accept until they told her it was from us, and then she was ok with that. It made her even happier and she wanted to talk to us more. Finally she relented and joined us in our potato wedges and ate some salad that came along with our sandwiches that we were not going to eat.

It was an adventure we will not soon forget. Especially Ted, he tried to take her picture before we left and she brandished the cane ready to pop him with it. He quickly responded with replacing the camera in his pocket, and apologizing profusely. We all said goodbye and we headed back. Today we are getting ready to travel back to the states on a flight late tonight.

The other thing that has constantly amazed me this trip is the driving here. Ted has described drivers here as using the road to express the inner child or some such craziness. At one time there were lines on the road, they have faded, and with them the understanding of what the lines meant also faded. Drivers just move from lane to lane with no signal no mirror check, just a honk of the horn and they start moving. The fact that we have not seen more accidents is dumbfounding. The cars are like water filling every small unused spot of the asphalt. The snow that is falling today just compounds this. We have seen people building snowmen atop their cars and driving slowly to maintain their precarious placement, groups of teenagers stopping in the road for a snowball fight, and distracted drivers drifting all over the road because they are paying more attention to the falling flakes than the cars ahead. On our previous trip here the driving amazed me, but when you add in the snow it is almost impossible to describe.

Anyway it is almost time to go home. It has been a good trip here but I am ready to be back home.

Al Mafraq Jordan and Adventure eating

So I am back in the Middle East this week on a semi-surprise trip. It is the middle of the week so I thought I would update on how things were going. Getting here was an adventure. We took 3 flights to get here so that meant lots of changing planes. We flew to DC first and that was easy and then from there on to London Heathrow. That airport is an absolute maze. We had just enough time to grab a coffee and rush to the next plane. I am glad we did not try to check our baggage because we would have arrived sans pants if we were not carrying our own baggage to that flight, or the next one. From Heathrow we were off to Amman and then a short drive later we were here.

Our trip here has been really productive so far. We have fixed a lot of issues, and solved several problems for the users. I think everything should be wrapped up nicely by the time we leave at the end of the week. Today we were on the way to lunch and hitting the scan button on the radio in an attempt to find something in English. Lo and behold we happened upon a radio station playing something completely unexpected… George Strait. That was amazing right there, then next it was Carrie Underwood and then came some old twangy country that neither of us could identify. It was a great laugh. The station apparently plays country every day from 1 to 2pm. So we may have to take a late lunch tomorrow so we can hear some music from home. When we went to dinner they were playing some light rock from the 80s which made me want to skip dinner… Dinner was another round of what I like to refer to as “adventure eating”.

Adventure eating is where you go into a restaurant in a country where you speak none of the language and just order something off of the menu at semi-random. So far this trip we haven’t struck out. We get them to bring us a menu and we do some pointing and hand gesticulations to indicate portion size and then they bring us something to eat. You never really know what you are going to get. Sometimes it is excellent, and sometimes it is scary and you smile, act polite, and eat a candy bar from the stash in your bag. The food here in Jordan has been amazing. We have had pizza that was great, lots of grilled chicken, fresh veggies, and loads of this wonderful flat bread that I have not been able to find a replacement for in the states. Adventure eating is probably my favorite part of my travels. Each new place presents new and interesting foods to try. It is getting late here so it is time to get some sleep.

The things people say…

Over the last week or two I have heard the same cliché used over and over again. It is starting to get to me. So I figured I would tell the Interwebs about it and then I would feel better.

The overused phrase is “That’s how we have always done it”. People tend to use this as a rational excuse to avoid change. What people seem to be misunderstanding is that just because something has been done over and over again for years, it does not indicate that it is a sound practice. It just makes this practice a tradition. If we just kept doing everything the way we always have throughout history we would still be driving around in horse drawn carriages and making fire with rocks to cook. Thinking like this is nothing but a barrier to innovation.

The fact that grown people constantly confuse traditions with fear of change amazes me. I think once you start using that phrase to justify your actions you are officially done with personal growth. Or maybe I just don’t understand. Only time will tell, I might start using it next week. It would serve us all well to be less afraid of change and slower to strike down the innovations of others. I have always heard it said “nobody likes change but a wet baby” but I think we could all learn from being a little more flexible.

See I am feeling better already. Thanks to the magic of the Interwebs I can get some rest now to be ready for Friday. Then on Saturday I am off to the mideast for sun, sand, and adventure… Just no water, so surfing is probably out… Happy Friday y’all.

Rain Gutter Regatta

Last Friday night we had a really cool event with our Cub Scouts. We set up 2 rain gutters 10 feet long and the boys brought boats they had made from the blanks that the scoutmaster had given them. Two by two they raced the boats down the “track”, powering them with only Cub Scout generated wind power. It was a lot of fun. I am posting the videos below.

McGurk effect

This is a really cool video about the McGurk effect and how it works. It freaked me out how easily my mind could be tricked into hearing something that wasn’t there.

New GoPro Camera

I am loving my new GoPro camera… I ordered it on Thursday of last week and it arrived on Friday. Saturday we wanted to test it out so I stuck it to the top of Jamie’s Jeep with one of the supplied 3M sticky pads. I was kinda worried about how well the camera would stick to the luggage rack so I also tethered it with some string. Jamie drove and I sat (we all know I don’t sit, I fidgeted) in the front seat watching the GoPro out of the sunroof. We drove down a winding dirt road and then back towards civilization and even onto the interstate and it never broke free. I was pretty amazed by how well it stayed put during the trip. My biggest challenge was getting the video to upload to YouTube at a decent resolution. The original video was at 1080p and it uploaded to YouTube initially at 240p. I compressed it down to 720p and encoded in H.264 and I was able to get it into YouTube at 480p. Not perfect but good enough to make it watchable. It is embedded below so give it a watch and let me know what you think. This weekend my goal is to get it attached to my Golf and find some curvy roads.

#VMworld 2011

As VMworld 2011 draws to a close I thought I should write some about it before it starts to fade away and I get too busy to remember to do it. Currently I am drafting this on my iPhone because, unlike last year, the wireless is not as plentiful. In 2010 the event was held in San Francisco and this year it was held in Las Vegas. There were many differences, but much was also the same. We had some great speakers both for the individual sessions and for the keynote events, just as last year. The difference is that this year all of the event was held in one gigantic building. Last year we were scurrying across the streets like nerd ants at a picnic. Another big plus this year was the ability to preregister for the sessions. Last year there were several times after running from one building to the next only to find out your desired session was already full and you had to just find something nearby to attend that was not what you were really interested in. After attending this year and having the registration process I do not know that I would attend another of these events if the registration process were removed. It was a good addition that should stay even as the conference moves back to San Francisco next year. As nice as it was to all be in one building for sessions, I must admit I do prefer the downtown of San Fran to the strip of Las Vegas. It is a much quieter place and better suits my desire to get out and walk around in the evenings as I think about all of the day’s sessions. It is blisteringly hot here, be it day or night, and the sidewalks are so congested that I just prefer to avoid them and remain in the comfort of the air conditioning. San Fran has much more pleasant evenings. Walking outdoors here feels like standing in a plane’s jet-wash. There is never a cool breeze. Coming from the south you expect the breeze to cool you off, not melt your face.

One of the amazing things that we have seen this year is the absolute precision with which the Vegas conference industry can feed 19,000 people quickly and efficiently. There were many times in San Fran where getting to eat took a lot of time and caused you to miss your next session. Hopefully they can marry the good aspects of both conference locations together next year for VMworld 2012 (that is of course providing that the world doesn’t end).

For anyone that works in the VMware space, you need to start saving your pennies now for next year’s conference because any questions that you have can be answered here. All of the heavy hitters of the VM space are here and readily accessible. I have been amazed at how easy it has been to network with authors, bloggers, vendors, and developers that are just looking to share their knowledge. Thanks to VMware for putting on another successful conference.

All that is left is a few more sessions and then it is time to pack up and prepare for a long day of traveling tomorrow that is apparently going to start about 4am.