Archive for the 'scripts' Category

Some Recent WordPress Theme Hacking Issues (Mass Emails To Non-Existent Domain Name Addresses) And A Couple Of Things To Look For

Saturday, August 1st, 2015

I’ve spent the past few weeks making several new email client filters each day, with subject lists that look like the following:

Saturday and Sunday Only! Today’s Special Buy of the Day!

One day sale event – today only, [ insert date here ]

[ insert name here ], check out this weeks specials – up to 75% off on selected items

[ Insert name here ], 10% discount for Brand or Generics for purchases placed before [ insert date here ]

We appreciate your past business with us

[ insert name here ], some of your items are back in stock now – complete your order today

[ insert date here ] deals and savings from your supplier

We’re talking between 2000 and 5000 emails a day of the following mishmash, with various random email addresses used, random first names and message content (always with a link or two, plus unsubscribe links), and all to email addresses that look like

[ person’s first name ] + @ + somewhereville.com

This was occurring from the website despite having many popular site-security-related PlugIns running: Including Wordfence, Sucuri Scanner, and Jetpack (not that Jetpack would protect from site problems). As it turns out, Sucuri *might* have found the problem had I installed it (at least) 6 months ago.

The amount of email has gotten so bad in the past few weeks that the site itself has been taken down thrice by my 10+-year-long hosting company (web.com. Can’t blame them for this one). Before telling you about where the problem eventually settled, I’ll note the following attempts to find the problem, listed below.

Steps To Diagnose The Problem

1. Taking the site down – which worked

2. Running diffs on all of the files in the WordPress install (against a freshly downloaded copy from wordpress.org) – this helped greatly

3. Deleting the many files no longer used by WordPress (having run it since 2.1.something and allowed WordPress to do auto-updates) – no effect

4. Scouring my hosting folder for hidden files, modified .htaccess files, or anything else – nothing found

5. Looking for date changes on .jpg files to see if malicious code had been embedded into one of the images that always loads with the site – nothing found

6. The big one – switching from my primary theme (a heavily modified version of relaxation 3 column from 2006) to one of the provided WordPress themes.

The Problem, Localized

The problem, then, was localized to my old theme – which could have meant one of two things

1. Something in the php was causing the problem by being too old (a piece of php that WordPress recommended removing from all themes – that I never read about)

2. Something was, despite having my permissions set for read-only on the server (because this theme is never updated by WordPress), tweaked in one of the theme files (which turned out to be the case)

In my case, a few modifications had been made to theme files over 6 months ago that sat dormant in the .php files until something eventually came along to start spitting out beaucoup spam.

NOTE: Everywhere you see “->” and “< -” below, these have been substituted for “<” and “>” to keep anything from being read by your browser.

1. This nasty piece of work was deposited into an index.php file many moons ago (but the file date had not changed, so it went unnoticed)

[image: 2015august27_infected_1]

The following had made it into ALL of the theme index.php files in my WordPress install

[image: 2015august27_infected_2]

These are to be contrasted with the following, more generic look for the top of an index.php file:

->?php get_header(); ?< -

Decidedly different.

These are both interesting, but turned out to not be the problems. Instead, my relaxation-3-column theme had its 404.php, archive.php, and index.php files modified at some point in the distant past (at least as early as November of last year) with the following new lines:

404.php

[image: 2015august27_infected_3]

vs.

->?php // relaxation 3 column

->?php get_header(); ?< -

archive.php

[image: 2015august27_infected_4]
vs.
->div id="content"< -

index.php

[image: 2015august27_infected_5]
vs.
->?php function arphabet_widgets_init()
...

These beg the question – how does one find out that this stuff isn’t supposed to be in a theme file?

The answer, assuming you know a little php, is to compare and contrast your potentially older theme files with new theme files (such as those pre-installed in WordPress). In all the above cases, the available themes look like the “after” files above, with none of the unreadable code present at the tops of the files.
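One way to make that comparison routine, as an added example and not the post’s own script: it walks a live theme directory against a clean reference copy, reports files the clean theme does not ship or that differ from it, and separately flags files whose first lines carry the decode-and-eval constructs typical of injected PHP. The two directory paths and the pattern list are assumptions to adjust to your install; it deliberately ignores modification dates, since, as noted above, those had not changed.

```shell
#!/bin/sh
# Added example: audit a live WordPress theme against a clean reference copy.
# Usage: audit_theme /path/to/wp-content/themes/mytheme /path/to/clean/mytheme
# Both paths are placeholders. Output lines are tagged EXTRA, CHANGED or OBFUSC.

# True when the first 20 lines of a PHP file contain constructs a theme
# template has no business opening with (constructed pattern list; extend it
# with whatever you find on your own install).
suspicious_head() {
    head -n 20 "$1" | grep -E -q \
        'eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|\\x[0-9a-fA-F]{2}\\x[0-9a-fA-F]{2}'
}

audit_theme() {
    live=${1%/}; ref=${2%/}
    # find | sort gives a stable order; IFS= / read -r keep odd file names intact.
    find "$live" -type f -name '*.php' | sort | while IFS= read -r f; do
        rel=${f#"$live"/}
        if [ ! -f "$ref/$rel" ]; then
            printf 'EXTRA   %s\n' "$rel"      # not shipped by the clean theme at all
        elif ! cmp -s "$f" "$ref/$rel"; then
            printf 'CHANGED %s\n' "$rel"      # contents differ from the reference copy
        fi
        # Checked independently of the diff: a heavily customised theme differs
        # everywhere, but its templates should still open with plain PHP/HTML.
        if suspicious_head "$f"; then
            printf 'OBFUSC  %s\n' "$rel"
        fi
    done
}
```

Files tagged CHANGED in a theme you never edit deserve a look at their first lines; OBFUSC is the stronger signal and does not depend on having a reference copy at all.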

So, long-short, if you find your inbox stuffed with hundreds or thousands of spam samples coming from your own domain, a good first place to look is your running theme. Much like the BSG Episode “33”, you may find yourself NOT getting spam after a certain period of time if you make a simple change from one theme to another (certainly a simple way to determine if the attack is from the theme or not).

Solution And Testing

The test for the modifications was simple:

First, backup your theme files to your local machine (or make a folder in your directory tree somewhere)

Second, after checking and (if necessary) making modifications, replace your index.php file FIRST, as this is the basis for your theme (and what WordPress looks for first in the theme). Your site will load, although it may look like hell.

Third, replace all those theme files which didn’t have something odd in them (like the gobbledegook above) and reload your site. Then, WAIT to see if you get spam (for my problems above, this took about, honestly, 33 seconds). Your site may still look like hell depending.

Fourth, change other problem files and upload them 1-at-a-time, then reload and wait to see if the spam starts.

Fifth – repeat #4 until your theme is all back up

Sixth – when all uploaded, change your theme permissions to READ-ONLY (although this did not help me)

With luck, your spamming problem fit the mold of the above and google brought you to a page that would help. So say we all.

Private Internet Access, OpenVPN (2.3.2), and Ubuntu 14.04 (.2 LTS) – Yet Another Reported Way To Get Them Working (And The Only One That Works For Me)

Friday, July 17th, 2015

If you sign up for an account with Private Internet Access (and this may go for some other VPN providers as well) and follow the only prominent Ubuntu link (12.04) in the Support Section (www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn), you’ll be taken to a reasonably straightforward 9-step process that walks you through the OpenVPN setup – from the install_ubuntu.sh script download to the selection of PIA-points (I just made that up) in your Network Manager GUI (that radial wifi icon or arrows in the upper-right corner).

That is, for Ubuntu 12.04.

The Problem

If you try this in Ubuntu 14.04, everything more-or-less looks and runs the same way. That said, when you try to connect to a PIA-point in the Network Manager, nothing happens. Your wifi radial doesn’t change, flash, or provide any indication that something has gone right or wrong. More importantly (to the lack of feedback, anyway), you are not asked for your PIA password (having put in your username in the install process). This lack of password requesting turns out to be the real kicker (and diagnostic for the fix presented down below).

If you look in /etc/NetworkManager/system-connections, you’ll see that all of the PIA files have been successfully installed.

-rw------- 1 root root 326 Jul 16 16:14 PIA - AU Melbourne
-rw------- 1 root root 313 Jul 16 16:14 PIA - AU Sydney
-rw------- 1 root root 313 Jul 16 16:14 PIA - Brazil
-rw------- 1 root root 316 Jul 16 16:14 PIA - CA North York
-rw------- 1 root root 321 Jul 16 16:14 PIA - CA Toronto
-rw------- 1 root root 313 Jul 16 16:14 PIA - France
-rw------- 1 root root 315 Jul 16 16:14 PIA - Germany
-rw------- 1 root root 312 Jul 16 16:14 PIA - Hong Kong
-rw------- 1 root root 350 Jul 17 15:49 PIA - Ireland
-rw------- 1 root root 313 Jul 16 16:14 PIA - Israel
-rw------- 1 root root 311 Jul 16 16:14 PIA - Japan
-rw------- 1 root root 313 Jul 16 16:14 PIA - Mexico
-rw------- 1 root root 314 Jul 16 16:14 PIA - Netherlands
-rw------- 1 root root 310 Jul 16 16:14 PIA - Romania
-rw------- 1 root root 313 Jul 16 16:14 PIA - Russia
-rw------- 1 root root 312 Jul 16 16:14 PIA - Singapore
-rw------- 1 root root 313 Jul 16 16:14 PIA - Sweden
-rw------- 1 root root 317 Jul 16 16:14 PIA - Switzerland
-rw------- 1 root root 313 Jul 16 16:14 PIA - Turkey
-rw------- 1 root root 319 Jul 16 16:14 PIA - UK London
-rw------- 1 root root 329 Jul 16 16:14 PIA - UK Southampton
-rw------- 1 root root 327 Jul 16 16:14 PIA - US California
-rw------- 1 root root 315 Jul 16 16:14 PIA - US East
-rw------- 1 root root 321 Jul 16 16:14 PIA - US Florida
-rw------- 1 root root 321 Jul 16 16:14 PIA - US Midwest
-rw------- 1 root root 331 Jul 16 16:14 PIA - US New York City
-rw------- 1 root root 321 Jul 16 16:14 PIA - US Seattle
-rw------- 1 root root 334 Jul 16 16:14 PIA - US Silicon Valley
-rw------- 1 root root 317 Jul 16 16:14 PIA - US Texas
-rw------- 1 root root 315 Jul 16 16:14 PIA - US West

My first attempts at troubleshooting brought me to the installing privateinternetaccess on ubuntu 14.04 LTS page at askubuntu.com. The first response seems to be regurgitating the 12.04 installation process on the PIA site (which doesn’t work. For me, anyway), while the second response provides a list of installs that the install_ubuntu.sh script may or may not have successfully installed.

sudo apt-get install openvpn network-manager-openvpn network-manager-openvpn-gnome

The second commenter then walks through the install process as if the .ovpn config files didn’t exist (setting up from scratch, which can be laborious if you want to add all of the PIA points) but uses the contents of the openvpn.zip file downloaded by the question-asker.

The fix to the whole matter is partly in the questioner and second answer, but some additional work needs to be done. What’s described below is the process I used to figure out what was going on (showing all work), including using some alternatively-official .ovpn files (and the official ca.crt and crl.pem files provided by PIA).

The Diagnosing (What May Have Brought You Here)

With the failure to get any feedback from Network Manager (or the GUI) after the install, I went straight to the syslog (/var/log/syslog) to see if anything revealing appeared. The error report for my VPN connection attempts reads as follows:

cd /var/log
more syslog

Jul 16 08:54:04 randommachine NetworkManager[13049]: Starting VPN service 'openvpn'...
Jul 16 08:54:04 randommachine NetworkManager[13049]: VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 13164
Jul 16 08:54:04 randommachine NetworkManager[13049]: VPN service 'openvpn' appeared; activating connections
Jul 16 08:54:04 randommachine NetworkManager[13049]: [1437051244.977042] [nm-vpn-connection.c:1374] get_secrets_cb(): Failed to request VPN secrets #2: (6) No agents were available for this request.
Jul 16 08:54:04 randommachine NetworkManager[13049]: Policy set 'randomrouter' (wlan0) as default for IPv4 routing and DNS.
Jul 16 08:54:10 randommachine NetworkManager[13049]: VPN service 'openvpn' disappeared

A google search for “Failed to request VPN secrets #2” (I can’t stress enough the value of quotes in troubleshooting Linux issues) dragged me to several pages that didn’t directly address my Network Manager issue, but indicated that one should consider running OpenVPN from the Terminal anyway. Extracting openvpn.zip (downloaded from the PIA website) and cd’ing into that folder (I assume you’re in Downloads), the following commands:

cd Downloads
unzip openvpn.zip
openvpn US\ East.ovpn 

Produces the following output – asking for username and password, but then failing to connect (and I include all the output below, assuming the error brought you here).

Thu Jul 16 09:06:55 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Enter Auth Username:pXXXXXXX
Enter Auth Password:
Thu Jul 16 09:07:11 2015 UDPv4 link local: [undef]
Thu Jul 16 09:07:11 2015 UDPv4 link remote: [AF_INET]208.167.254.223:1194
Thu Jul 16 09:07:11 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 16 09:07:11 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]208.167.254.223:1194
Thu Jul 16 09:07:14 2015 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Thu Jul 16 09:07:14 2015 Exiting due to fatal error

That said, when you apply root privileges:

sudo openvpn US\ East.ovpn

You get the following:

Thu Jul 16 09:07:28 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Enter Auth Username:pXXXXXXX
Enter Auth Password:
Thu Jul 16 09:07:36 2015 UDPv4 link local: [undef]
Thu Jul 16 09:07:36 2015 UDPv4 link remote: [AF_INET]208.167.254.223:1194
Thu Jul 16 09:07:36 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jul 16 09:07:37 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]208.167.254.223:1194
Thu Jul 16 09:07:39 2015 TUN/TAP device tun0 opened
Thu Jul 16 09:07:39 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 16 09:07:39 2015 /sbin/ip link set dev tun0 up mtu 1500
Thu Jul 16 09:07:39 2015 /sbin/ip addr add dev tun0 local 10.134.1.6 peer 10.134.1.5
Thu Jul 16 09:07:39 2015 Initialization Sequence Completed

Works great (can verify at whatsmyipaddress.com or other). And it asks for your username (because the .ovpn files haven’t been configured yet from the script) and password, so we were already ahead of the game from the Network Manager GUI.

OpenVPN seems to work fine and the .ovpn files work, so the problem is somewhere in Network Manager or how it and OpenVPN are interacting (which I’ve not yet found the answer to). Now, you’re supposed to be asked for the password when you try to establish the VPN connection with Network Manager. To see if that was the only problem with the .ovpn files, I simply added my password to the US East.ovpn file as follows (in US\ East.ovpn):

nano US\ East.ovpn

And add the following somewhere in the file:

password=put-your-password-here

Then restart the Network Manager (and wait a few seconds)

sudo service network-manager restart

And that didn’t work. That said, there’s another password flag in the file (aptly named password-flags) to play with. A search for details led me to a post at forums.kali.org that goes into some detail about Network Manager NOT storing the VPN password correctly because the user keyring isn’t root-accessible.

Changing password-flags from 1 to 0 and attempting to connect with Network Manager = success!

So, the problem is somewhere in the failed password negotiation between Network Manager and OpenVPN, and providing that info in the .ovpn files from openvpn.zip and a network-manager restart solves the problem.

Now then, the differences between the .ovpn files in openvpn.zip (download-able from https://www.privateinternetaccess.com/openvpn/openvpn.zip) and the PIA VPN files installed using install_ubuntu.sh are as follows:

US East.ovpn

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem

PIA US East

[connection]
id=PIA - US East
uuid=856fc7ec-cd90-4ab1-96c1-2d827e46ea8f
type=vpn
autoconnect=false

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
username=p9681681
comp-lzo=yes
remote=us-east.privateinternetaccess.com
connection-type=password
password-flags=0
ca=/etc/openvpn/ca.crt

[ipv4]
method=auto

The new format is so clean! It’s also the format you get if you go through the New Connection process through Network Manager. The formatting seems to be important for the fix I’m going to propose below, so I’m going to modify the newer format files below.

The Solution

The solution is, after many hours, stupid-simple – run the install_ubuntu.sh as described on the PIA website (which will also make you install a few extra programs if you don’t have them already, and it places ca.crt into your OpenVPN folder, which is then called by the VPN files), modify all of the PIA files in your /etc/NetworkManager/system-connections folder by putting your password into each (in the format as below), and restart network-manager from the Terminal. That, in theory, should be it. You’ll have to have root access to do this, though, as the file permissions are all (or should be) 600.

1. Run install_ubuntu.sh as described at https://www.privateinternetaccess.com/pages/client-support/ubuntu-openvpn

2. Open Terminal

3. Move to the system-connections folder:

cd /etc/NetworkManager/system-connections

4. Edit all the PIA files. To each of the PIA files, all you have to do is add the following:

[vpn-secrets]
password=put-your-password-here

The [vpn-secrets] header is important! I would have thought this to be a comment block for organizational purposes, but adding the password line alone won’t cut it.

NOTE: If you’re trying to connect through the GUI and the VPN Connections DO NOT appear in the list – provided your password is in the file, your problem is very likely that the file permissions are wrong. If they’re not -rw------- (mode 600), then Network-Manager will not read them.

5. Extra bookkeeping step: double-confirm the permissions on the PIA files:

chmod 600 PIA*

6. Restart network-manager

sudo service network-manager restart
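Steps 4 to 6 as one idempotent script, added here as an example (not part of the post or of PIA’s installer): for every keyfile named PIA* in the given directory it forces password-flags=0, appends the [vpn-secrets] block exactly once (a bare password= line elsewhere is not read, as noted above), and sets the 600 mode Network Manager insists on; a second function reports any file that would still be skipped. The directory and the password are supplied by the caller; run it as root against /etc/NetworkManager/system-connections and restart network-manager afterwards.

```shell
#!/bin/sh
# Added example: apply the [vpn-secrets] workaround to NetworkManager keyfiles.
# Usage (as root):
#   add_vpn_secrets /etc/NetworkManager/system-connections 'your-PIA-password'
#   check_vpn_secrets /etc/NetworkManager/system-connections
# add_vpn_secrets prints the number of keyfiles touched and is safe to re-run.

add_vpn_secrets() {
    dir=$1 pw=$2 count=0
    for f in "$dir"/PIA*; do
        [ -f "$f" ] || continue
        # A password stored in the file is only used when password-flags is 0
        # (the installed files in the post carried 1, i.e. "ask the keyring").
        if grep -q '^password-flags=' "$f"; then
            sed 's/^password-flags=.*/password-flags=0/' "$f" > "$f.tmp"
        else
            sed '/^\[vpn\]$/a\
password-flags=0' "$f" > "$f.tmp"
        fi
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # keeps the file's inode and mode
        # Append the secrets section once; the [vpn-secrets] header is what
        # makes Network Manager read the password= line at all. An existing
        # block is left alone, so change a password by editing, not re-running.
        if ! grep -q '^\[vpn-secrets\]' "$f"; then
            printf '\n[vpn-secrets]\npassword=%s\n' "$pw" >> "$f"
        fi
        chmod 600 "$f"   # keyfiles readable by group/other are silently ignored
        count=$((count + 1))
    done
    echo "$count"
}

# List keyfiles that would still fail (no secrets block, wrong flag, or a mode
# other than 0600, the symptom from the NOTE above); prints the count last.
check_vpn_secrets() {
    dir=$1 bad=0
    for f in "$dir"/PIA*; do
        [ -f "$f" ] || continue
        grep -q '^\[vpn-secrets\]' "$f"   || { echo "no [vpn-secrets]: $f"; bad=$((bad + 1)); }
        grep -q '^password-flags=0$' "$f" || { echo "password-flags not 0: $f"; bad=$((bad + 1)); }
        [ -n "$(find "$f" -perm 600)" ]   || { echo "mode not 0600: $f"; bad=$((bad + 1)); }
    done
    echo "$bad"
}
```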

I do not know if/when the fix will come in between OpenVPN and Network Manager (or something else in Ubuntu) that will obviate the need for this workaround. In the meantime, the procedure above works just fine (works at all) on a clean install of 14.04.2 LTS. The problem seems to be with OpenVPN as it plays with 14.04, a recurring theme I’ve found from lots of people (or, perhaps more specifically, the use of the GUI to call OpenVPN). Given several reports of PIA/14.04, I’m surprised there isn’t more, perhaps specifically on the PIA website, to address this issue. Hopefully a proper fix from PIA, OpenVPN, or Ubuntu developers is en route.

Happy more safe/more secure surfing. And if you’re so inclined, the Litecoin bubble has not, yet, right now, burst (scroll to the bottom of http://www.somewhereville.com/?p=1896).

Led Astray By (A) Photon – WordPress, Jetpack, and The Perils Of Embedded Clear Sky Charts (And Other)

Friday, May 1st, 2015

A re-post from the CNY Observers website (www.cnyo.org).

Greetings fellow astrophiles,

CNYO has been anticipating our first observing session at Beaver Lake for this year, with the first of our two Spring dates (April 23rd) already clouded/snowed out. The forecast for April 30th hadn’t looked too much better based on Monday estimates, leaving us to wonder if attendees would be stuck indoors with a lecture instead of outdoors with the rest of the universe.

I woke up early on the 30th to blue skies and a very bright Sun, certainly already exceeding the expectations of the past few days. But what of the afternoon and evening?

As I am prone to do on the day of an observing session, I headed right for the CNYO Cheat Sheet, where one can find the sky conditions for a large part of Central New York in the form of several Clear Sky Charts (CSCs – and, based on the different cloud cover at different locations, even begin to piece together how the skies at your location may change). The morning’s CSCs are shown in the image below.

[image: 2015april30_photon_before]

You will note that the bars to the far left (representing the morning) are not the dark blue squares that would indicate an almost cloud-less sky. As the red text at the bottom notes, sometimes the CSC images from a previous session are still sitting in your browser’s cache and, to make sure you’re looking at the newest data, you should hit Page Reload. Well, 5 or 10 of those didn’t change matters at all. I clicked on the Downtown Syracuse image in order to see what the actual CSC website said about today. An almost perfect band of dark blue – prime observing weather (when the wind is mild, that is).

So, what happened?

The first clue came when I right-clicked on one of the images in order to see just the image in my browser. When you do this, you should see something like: cleardarksky.com/c/SyrcsNYcs0.gif?1

What I saw for the link was the following: i1.wp.com/cleardarksky.com/c/SyrcsNYcs0.gif?1

Something is afoot in Boötes.

A quick google search indicated that the i1.wp.com (which might also be i0.wp.com, i2.wp.com, maybe more) site is, in fact, an image (maybe other) repository for wordpress.com that is supposed to speed up your page downloading process (by being faster than the same image you might load somewhere else) and is called upon, specifically, by Photon – one of the functions built into Jetpack (itself a large suite of plugins for WordPress that very generally make my life much easier by providing Site Stats, Contact Forms, etc.). That said, this is no good for the Clear Sky Chart, as you don’t know how many days ago that i1.wp.com image was saved (and it clearly ain’t today’s!).

To disable this feature (if it was turned on, anyway), go to your WordPress Dashboard and click on Jetpack on the right-hand side.

[image: 2015april30_photon_jetback]

At present, Photon is the first clickable item at upper left. Click on “Photon” to reveal the following image:

[image: 2015april30_photon_deactivate]

Click on Deactivate and go back to your Clear Sky Chart-containing page:

[image: 2015april30_photon_after]

You’ll note that the Clear Sky Charts are fixed (revealing an excellent day for Solar and Night Observing) and you’ll also see that the NASA/SOHO image is different, the SWPC/NOAA image is different, and even the Wunderground logo is different. Quite the site fix!

If you have the same problem, I hope the above fixes it. If you know of a site running the Clear Sky Chart and it doesn’t reflect what you see outside, let the site admin know.

Stupid-Simple (*nix-Specific) Sed Scripts To Get (All Current) Gaussian09 Output Files Working With aClimax

Monday, September 1st, 2014

The following three snippets of Gaussian output are for an optimization and normal mode analysis of simple olde methane (CH4).

...
 ******************************************
 Gaussian 03:  EM64L-G03RevE.01 11-Sep-2007
                31-Aug-2014 
 ******************************************
...
 incident light, reduced masses (AMU), force constants (mDyne/A),
 and normal coordinates:
                     1                      2                      3
                     T                      T                      T
 Frequencies --  1356.0070              1356.0070              1356.0070
 Red. masses --     1.1789                 1.1789                 1.1789
 Frc consts  --     1.2771                 1.2771                 1.2771
 IR Inten    --    14.1122                14.1122                14.1122
 Atom AN      X      Y      Z        X      Y      Z        X      Y      Z
   1   1     0.02  -0.42   0.43    -0.34  -0.13  -0.08    -0.36  -0.23  -0.23
   2   6     0.00   0.08  -0.09     0.00   0.09   0.08     0.12   0.00   0.00
...
 -------------------
 - Thermochemistry -
 -------------------
 Temperature   298.150 Kelvin.  Pressure   1.00000 Atm.
 Atom  1 has atomic number  1 and mass   1.00783
...
...
 ******************************************
 Gaussian 09:  EM64L-G09RevA.02 11-Jun-2009
                31-Aug-2014 
 ******************************************
...
 incident light, reduced masses (AMU), force constants (mDyne/A),
 and normal coordinates:
                     1                      2                      3
                     T                      T                      T
 Frequencies --  1356.0058              1356.0058              1356.0058
 Red. masses --     1.1789                 1.1789                 1.1789
 Frc consts  --     1.2771                 1.2771                 1.2771
 IR Inten    --    14.1123                14.1123                14.1123
  Atom  AN      X      Y      Z        X      Y      Z        X      Y      Z
     1   1    -0.03   0.42   0.43    -0.34  -0.14   0.07    -0.36  -0.23   0.23
     2   6     0.00  -0.08  -0.10     0.01   0.10  -0.08     0.12   0.00   0.00
...
 -------------------
 - Thermochemistry -
 -------------------
 Temperature   298.150 Kelvin.  Pressure   1.00000 Atm.
 Atom     1 has atomic number  1 and mass   1.00783
...
...
 ******************************************
 Gaussian 09:  EM64L-G09RevD.01 24-Apr-2013
                31-Aug-2014 
 ******************************************
...
 incident light, reduced masses (AMU), force constants (mDyne/A),
 and normal coordinates:
                      1                      2                      3
                     ?A                     ?A                     ?A
 Frequencies --   1356.0132              1356.0132              1356.0132
 Red. masses --      1.1789                 1.1789                 1.1789
 Frc consts  --      1.2771                 1.2771                 1.2771
 IR Inten    --     14.1119                14.1119                14.1119
  Atom  AN      X      Y      Z        X      Y      Z        X      Y      Z
     1   1     0.02   0.42   0.43     0.34  -0.14   0.08    -0.36   0.23  -0.23
     2   6     0.00  -0.08  -0.09    -0.01   0.09  -0.08     0.12   0.00   0.00
...
 -------------------
 - Thermochemistry -
 -------------------
 Temperature   298.150 Kelvin.  Pressure   1.00000 Atm.
 Atom     1 has atomic number  1 and mass   1.00783
...

Two of these things are not like the other. The data’s nearly identical (and thank heavens. Unfortunately, Gaussian09 D.01 didn’t see the fully-optimized methane as belonging to the Td point group – despite all three versions being run with the same exact input file – but a rigorous re-symmetrization would have taken care of that), but there are some subtle formatting differences between all three versions (including differences between both Gaussian09 versions) that cause the venerable, all-encompassing aClimax program (developed by Timmy, the venerable, all-encompassing A. J. Ramirez-Cuesta) to throw out the following errors for all three cases when you use *.log files from a *nix (UNIX, Linux) machine.

Serious Error: A-CLIMAX has encountered an unhanded error. Please Save your data and contact support
aClimax: Quote Error Number 9
Error Loading File: Error reading data. Please check and try again.
aClimax: WARNING loaded file containing no frequencies

Problem number 1 is the existence of *nix newlines (a bare line feed, without the carriage return DOS expects) in the *.log files coming off a *nix machine. Performing a conversion from *nix to DOS line endings (for myself, using LineBreak in OSX, but tofrodos works just as well), the Gaussian03 file now opens just fine in aClimax:

File Loaded: Data Loaded Succesfully [sic].

This, unfortunately, does not improve the matter with the Gaussian09 files, which produce the following error:

Error: One of the numbers you have entered is of the wrong type.Please recheck and try again
Error Loading File: Error reading data. Please check and try again.

Given how little of the .log file aClimax actually needs to produce simulated inelastic neutron scattering (INS) spectra, I ran the methane normal mode analyses in three different Gaussian versions to determine what, in G09, was changed to make it just un-G03 enough to fail to load. With those changes figured out, I had a Perl script drafted up that would have converted everything back to the original G03 format. It was awesome. That said, after a small amount of testing to see where aClimax’s sensitivities lay, I discovered that very little of the .log file contents needed to be changed out, meaning that simple sed scripts would work just as well for those of us using our Windows boxes (or VirtualBox emulations) only for that “one stupid program” that keeps us having to log in (and, by that, I mean that we have sed already on our computers).

So, the problems between G09 and aClimax not related to carriage returns lie in two places.

1. The spacing of “Atom AN” – at the top of the eigenvector lists are the column labels, beginning with “Atom AN” – or something very close to “Atom AN” (the “|” in the boxes below mark the left edge of the output):

G03 E01 | Atom AN
G09 A02 |   Atom  AN
G09 D01 |  Atom  AN

Yes, the addition of a space or two results in a read error by aClimax. I would call this an… aggressive stringency in aClimax. That said, what did the original space in G03 versions not do that they do do in G09?

2. The spacing of “Atom N” – In the “Thermochemistry” section below the eigenvectors, atomic masses are listed as “Atom N” – or something very close to “Atom N” (again, the “|” in the boxes below mark the left edge of the output):

G03 E01 |  Atom  1
G09 A02 |    Atom     1
G09 D01 |   Atom     1

This change in spacing is also enough to cause aClimax to error out.

The Solution

A small sed script performs the necessary conversions on your *nix box (including OSX) for all .log files in a directory without issue:

#!/bin/sh

# This section converts all .log files to aClimax-friendly G03-ish format.
# IFS= and read -r keep file names with spaces or backslashes intact, and
# "$i" is quoted throughout for the same reason.
find . -type f -name '*.log' -print | while IFS= read -r i
do
# Fix 1: the "Atom  AN" column header spacing above the eigenvectors
sed 's|  Atom  AN| Atom AN |g' "$i" > "$i.aclimaxconversion_step1"
# Fix 2: the "Atom     N" spacing in the Thermochemistry section
sed 's| Atom   | Atom|g' "$i.aclimaxconversion_step1" > "$i.aClimaxable.log"
rm "$i.aclimaxconversion_step1"
done

# This section converts all .out files to aClimax-friendly G03-ish format
find . -type f -name '*.out' -print | while IFS= read -r i
do
sed 's|  Atom  AN| Atom AN |g' "$i" > "$i.aclimaxconversion_step1"
sed 's| Atom   | Atom|g' "$i.aclimaxconversion_step1" > "$i.aClimaxable.out"
rm "$i.aclimaxconversion_step1"
done

But Wait! Running G0* Jobs Under *nix? Convert To DOS Carriage Returns

The final problem halting your aClimax spectrum generation is the DOS carriage return (^M). For those running DOS-based Gaussian calculations (likely with a .out suffix), your conversion with the short script above (under *nix) likely (hopefully) worked just fine. For those running under *nix, you performed the conversion and still received the following aClimax error:

Serious Error: A-CLIMAX has encountered an unhanded error. Please Save your data and contact support
aClimax: Quote Error Number 9
Error Loading File: Error reading data. Please check and try again.
aClimax: WARNING loaded file containing no frequencies

The solution is an additional line in the sed script that will globally replace all *nix newlines with proper DOS carriage returns. The .out section remains the same.

#!/bin/sh

# This section converts all .log files to aClimax-friendly G03-ish format
find . -type f -name '*.log' -print | while IFS= read -r i
do
sed 's|  Atom  AN| Atom AN |g' "$i" > "$i.aclimaxconversion_step1"
sed 's| Atom   | Atom|g' "$i.aclimaxconversion_step1" > "$i.aclimaxconversion_step2"
# This section converts your *nix newlines into DOS carriage returns.
# printf yields a literal CR in every shell; echo "\0015" only does so
# where echo happens to interpret octal escapes (dash yes, bash no).
CR=$(printf '\r')  # define the Carriage Return
sed "s/\$/${CR}/" "$i.aclimaxconversion_step2" > "$i.aClimaxable.log"
# Clean up the temp files inside the loop: find descends into subdirectories,
# which an rm *.aclimaxconversion_step1 in the top folder would miss.
rm "$i.aclimaxconversion_step1" "$i.aclimaxconversion_step2"
done

# This section converts all .out files to aClimax-friendly G03-ish format
find . -type f -name '*.out' -print | while IFS= read -r i
do
sed 's|  Atom  AN| Atom AN |g' "$i" > "$i.aclimaxconversion_step1"
sed 's| Atom   | Atom|g' "$i.aclimaxconversion_step1" > "$i.aClimaxable.out"
rm "$i.aclimaxconversion_step1"
done

Q. But what if I run the *nix-to-DOS version of the script on an already DOS-output file?

A1. The simple answer is that you’ll make your text file double-spaced (which is bad enough). aClimax will then provide the following error when you try to open it:

Error Reading File: Unexpected File End. File May be incorrect or corrupt.
Error Loading File: Error reading data. Please check and try again.

A2. I will assume that your problem is that you’re running the script in DOS to try to get your G09 output to read more like G03. In this case (assuming you’re generating .out files), you’ll want to use a text editor to make the replacements described above (which is to say, that Perl script might make its way to this page eventually. If you write a DOS .bat file or similar script for all OSes, I’d be happy to link to it).
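
As an added example (this is not the original conversion script, nor anything shipped with aClimax), here is a small POSIX shell helper that first reports which line endings a file already has and then converts to DOS endings in a way that is safe to re-run: any carriage returns already at the end of a line are stripped before exactly one is put back, so a file that is already in DOS format comes out byte-for-byte unchanged instead of double-spaced. The file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the original conversion script: detect a file's line
# endings and convert to DOS (CR+LF) idempotently.

CR=$(printf '\r')   # literal carriage return (^M); printf is portable where echo "\0015" is not

# Number of lines that end in a carriage return (0 for a pure *nix file).
count_cr() {
    grep -c "${CR}\$" "$1" || true   # grep exits 1 when the count is zero; keep going
}

# Number of lines (newline characters) in the file.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Print "lf" for a *nix file, "crlf" for a DOS file, and "mixed" if the file has
# some of each (e.g. a DOS file that was later edited under *nix).
ending_kind() {
    cr=$(count_cr "$1")
    n=$(count_lines "$1")
    if [ "$cr" -eq 0 ]; then
        echo lf
    elif [ "$cr" -eq "$n" ]; then
        echo crlf
    else
        echo mixed
    fi
}

# Convert $1 to DOS line endings, writing the result to $2.
# Trailing carriage returns are removed and exactly one is appended, so running
# this on a DOS file (or twice on the same file) gives the same bytes, not CR CR LF.
to_dos() {
    sed "s/${CR}*\$/${CR}/" "$1" > "$2"
}

# Usage (file names are assumptions):
#   ending_kind water.log                       -> lf
#   to_dos water.log water.aClimaxable.log
#   ending_kind water.aClimaxable.log           -> crlf
```

In the script above, `to_dos` can stand in for the bare `s/$/CR/` substitution on the step2 file; checking `ending_kind` first also tells you whether a .out file that misbehaves in aClimax is really a DOS file or one that picked up *nix newlines somewhere along the way.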

“From Kurdistan With Love” or Some Things To Do Before And/Or After Your WordPress Site Gets Hacked

Thursday, December 12th, 2013

“Hopefully, because he’s busy.” – Commissioner Gordon, The Dark Knight

On the plus side, www.somewhereville.com received its first update in just over 5 months. On the minus side, the new post was less than useful in many ways. I received a timely email from Dr. Obi Griffith of the Washington University in St. Louis Division of Oncology noting that my entire site was differently-down (thanks to the hijacking of my Sanger (And Illumina 1.3+ (And Solexa)) Phred Score (Q) ASCII Glyph Base Error Conversion Tables page that he linked to on a biostars site thread – so my thanks to Obi for catching something I likely would have gone weeks without noticing!).

The snapshot below shows the state of swv as of 3 December 2013. On the bright side (minus a friendly conspiracy to get someone else in trouble), I can say with some certainty that Serwan performed the content-ectomy (twitter: @S3RW4N, current email (although I suspect it won’t last long): serwan_007 – at cymbal – hotmail.com, on the Facebook, etc. All sites subject to change as people try to track him/her down post-attack (he/she’s been prolific if nothing else)).

[Image: 2013dec11_serwan_hack]

Exhibit A. Flag is waving in the actual version.

Several problems. To begin, it’s a gaudy hack, complete with rolling text and techno music. Second, the Television New Zealand (TVNZ) news service thought this hack to be significant enough to warrant actual coverage on their website when a similar file-swap on a WordPress (or WordPress-esque) site brought down the Health and Sports Fitness Club in Sandringham (syracuse.com didn’t give me the time of day). I commend this Kurdish hacker group for their ratings. Third, because WordPress routes every request through index.php (the permalink rewrite rules send everything there), overwriting that one file blocked every other post on the site from being accessed, so every link anyone had posted to a page anywhere else on the Internets was made useless.

That said, I appreciate that Serwan generally performs fairly benign attacks on websites. File replacements were clearly identified from a simple date sorting, the important MySQL database content wasn’t touched, and Serwan even went as far as to set up a second Admin account so that I could quickly retake control of the site. Benign or not, an account the intruder created is also a way back in, so once you have retaken control, delete it along with anything else you didn’t put there.

So, in light of the plight of the Kurdish people, I left the hacked version up for a few hours as I pondered what to do, which I discuss below.

My Spotty Procedure For Recovery:

What follows is a list of obvious and less obvious things to consider when recovering your WordPress blog from a hack. There are plenty of websites that show how to protect your site in the first place, then others that explain how to revive it (provided you do your own due diligence and back your site up regularly enough). What’s below is not complete, but you can rest assured that google is your friend in such matters, so keep your keywords targeted and see what comes up.

General Considerations:

1. Don’t use your blog. My last post at the time dated back to June 25th, during which time I’ve made several full backups (and kept WordPress up-to-date, the last time being 7 November 2013) of my entire site. In this respect, I was well set up to quickly recover from a hacking incident.

2. Keep a copy of your current running version of WordPress handy for file replacements. In my case, index.php was written over. All I had to do to recover was uncompress my WordPress 3.7.1 download, upload index.php to my server, and the site was back and running. Make sure the copy you keep is the same release as the one running, so the replacement files match the rest of the install.

3. Have you backed up lately? This phrase has been in the .sig of my emails for many, many years. If your entire life is lived in the Googleverse (email, images, documents, etc.), then you’re fine until the Earth’s magnetic poles shift and wipe all the hard drives out (just kidding. I think). If you’re a computational scientist and have TBs of data, it’s up to you to make sure you have access to it all again. Same applies to WordPress. I’ve a biweekly alarm that tells me to back up several websites and I’ve an encrypted .txt file with all of the login info and steps needed to perform this backup. You should absolutely be doing the same if you’re not.

4. Set up an additional Administrator. In my case, my admin account was hacked to change the associated user email address to Serwan’s email. Obviously, attempting to log in, change the password, or what have you simply sent little pings of your futile attempts (password-reset links included) to the hacker. Having that second admin account, with its own email address and its own strong password, will allow you to reroute your login efforts (and if they’re both hacked into, there’s still a way around, which I’ll get to below).

5. Make a real password. At the risk of de-securing my sites by providing personal info, my typical password looks something like this:

d@!25fj014or&ydoSDfu

20 characters long, upper and lower case, numbers, and non-alphanumeric characters. If you care about your site security, stay the hell away from the dictionary. Better still, let a password manager generate and store it, so that each site gets its own password and none of them has to be memorable.

6. Dry-run your SHTF moment. Are you a survivalist? Can you identify edible berries by sight, build a lean-to, or stitch an open wound? Or are you the Marty Stouffer of the camping section at Target? If you’ve never had to work your way back from a complete disaster, you likely won’t know how to do it either quickly, efficiently, or securely.

Ergo, do another WordPress installation in a sub-folder of your main installation, create a new database, make your site pretty, perform a full backup of your database and uploaded media, then break it, either by deleting core files or corrupting your database (deleting a table would do the trick). If you can put the site back together again (the uploading of the database back onto your server likely being the worst part of the whole process), you’re likely in good shape for the real deal.

7. Harden WordPress. The good people at WordPress even tell you how to do it (although, admittedly, I thought I did all of this, so maybe there’s something being missed that will go into a future iteration of this page).

8. Get rid of “admin.” Several of the sites discussing WordPress hacks report that having this default account (or an account left at its default name) is a top-5 problem when trying to keep people out of your site: it is the first username every brute-force script tries, so leaving it in place hands an attacker half of the login. So get rid of it. Easily. Set up a new account, give it administrative privileges, then delete the admin account; WordPress will ask you to attribute the admin account’s existing posts to another user as part of the deletion.

9. Delete deactivated plugins if you’re not going to use them. Plugins are developed by people. People often have lives that keep them from timely fixes of security flaws. If you’re using a plugin, that’s one thing. If a deactivated plugin languishes in your plugins folder, never gets updated, and some hacker writes something specifically to exploit a security flaw in that old, poorly maintained plugin, that’s all on you. Deactivating a plugin only stops WordPress from loading it; its .php files are still sitting under wp-content/plugins/ and can still be requested directly over the web, which is exactly how such flaws get exploited. So don’t risk your pocket knife becoming a projectile as you walk into the MRI room and get rid of the knife before it becomes a problem.

10. I know nothing about it yet, but am giving Wordfence a whirl presently.

11. Hey, check your blog every once in a while to make sure it’s still you and not Serwan.

For The Specific Attack (From Easy To Harder):

1. FTP in (SFTP if your host offers it, so your login doesn’t cross the wire in the clear) and check file dates. The offending .php files (index.php and a hello.php containing the techno) were both dated 3 December 2013. Everything else was, at its newest, 7 November 2013 (from my last WordPress update). This made finding the hacked and previously not-present files easy. A cluster of important files with identical modification times and dates is an easy giveaway. Bear in mind, though, that the reverse doesn’t hold: modification times can be set to anything with touch, so an unchanged date is no proof that a file is clean.

2. FTP in and check ALL the file dates. One never knows when something else is going to be placed into a themes folder, plugin folder, etc., to hold on to access to the site after the obvious damage has been cleaned up (that’s why I delete all deactivated plugins). So, sort by date and scour the whole site for modifications and new files.

3. If you make it into your site, go right to your User Settings, change the email address, then change your password. While you’re there, look through the Users list and delete any account you didn’t create yourself.

4. Check out something like Sucuri SiteCheck. Hopefully, this search will complement your initial search as well as test against known threats. I ran Sucuri SiteCheck on a similarly-hacked site (in this case, indoorstinkbugtrap.com) and received the following notification of defacement (so the check worked).

[Image: 2013dec11_securi_results]

sucuri.net results for fellow victim indoorstinkbugtrap.com.

5. If you can’t make it in the front door, crawl through the plumbing. You can change your admin account from within MySQL using, for instance, phpMyAdmin (check your hosting provider for details if this is new information to you). In the case of phpMyAdmin, you can modify the admin account in six easy steps.

1. Log in to phpMyAdmin

2. Click on the Structure Button in wp_users (red circle). The table is called wp_users only if your install uses the default wp_ table prefix; otherwise look for the table whose name ends in _users.

[Image: 2013dec11_serwan_hack_mysql_1]

3. Click on Browse (told you this was easy)

[Image: 2013dec11_serwan_hack_mysql_2]

4. Click the edit button for your administrative account (red circle)

[Image: 2013dec11_serwan_hack_mysql_3]

5. Change the email address back to your email and delete the current password (or, instead of blanking it, set user_pass to the MD5 hash of a temporary password; WordPress still accepts a plain MD5 hash there and re-hashes it with its stronger scheme on the first successful login).

[Image: 2013dec11_serwan_hack_mysql_4]

6. Save and go back to your WordPress site, then request a new password.
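
As an added example (this is not the post’s own procedure, nor a WordPress tool), here is a POSIX shell triage that automates steps 1 and 2 above and adds the check that survives forged timestamps: it lists every file modified after your last known-good update and compares the deployed tree against a pristine unpack of the same WordPress release, reporting core files that were changed, removed, or added. The paths (a site tree, a pristine tree, and a reference file whose mtime marks the last known-good update) are assumptions, and the sample trees in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the post's own procedure: post-defacement triage of a
# WordPress tree. Two independent checks, because an intruder can forge
# modification times with touch but cannot make a replaced file match the
# original's bytes:
#   newer_than SITE REF       - files under SITE modified after REF's mtime
#                               (REF is a file you touch to the date of your last
#                                known-good update, e.g. touch -t 201311070000 ref)
#   core_diff  SITE PRISTINE  - core files that differ from, or are missing in,
#                               a pristine unpack of the same WordPress release,
#                               plus files under SITE that core does not ship.
# wp-content/ (themes, plugins, uploads) is not part of the core archive, so it is
# excluded from core_diff and must be reviewed by hand or against the plugin zips.

# Print every regular file under $1 with an mtime newer than file $2, sorted.
newer_than() {
    find "$1" -type f -newer "$2" | sort
}

# Compare $1 (deployed site) against $2 (pristine copy). Output lines are
#   MODIFIED ./path   content differs from the pristine file
#   MISSING ./path    shipped by core but absent from the site
#   ADDED ./path      present in the site outside wp-content/ but not in core
core_diff() {
    site=$1
    pristine=$2
    ( cd "$pristine" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$site/$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif ! cmp -s "$pristine/$f" "$site/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
    ( cd "$site" && find . -type f ! -path './wp-content/*' ) | sort | while IFS= read -r f; do
        [ -f "$pristine/$f" ] || printf 'ADDED %s\n' "$f"
    done
}

# Usage (paths are assumptions):
#   touch -t 201311070000 /tmp/last-good-update
#   newer_than /var/www/site /tmp/last-good-update
#   core_diff  /var/www/site /tmp/wordpress-3.7.1
```

Two things to expect in the output: wp-config.php and .htaccess are not part of the core archive, so they always show up as ADDED; that is normal, but read both anyway, since they are favourite places to tuck injected code. And a file that is MODIFIED in core_diff but absent from newer_than is the forged-timestamp case, which is precisely why the byte comparison is the one to trust.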

And, While We’re At It:

Serwan’s twitter image currently features a white hat (the Gandalf-ian sign of a good guy/gal hacker) and a long list of sites that have been defaced with otherwise useless, feral metadata promoting Kurdish Hackers for google to get confused by. A search for somewhereville.com in google left the following bad taste in its results page for a week after:

Hacked By Serwan. Allah Is Greatest. Long Live Kurdistan. Thanks To All Kurdish Hackers. Follow @S3RW4N FB.com/Mr.S995

If I may be so bold (and I’ve told Serwan the same), the Kurdish people have had a long history of getting steamrolled by an oppressive regime that, regretfully, first-world countries didn’t put enough into stopping or acknowledging until the tanks rolled South into Kuwait. If you’re going to label yourself an ethical hacker, fine. Mangle the front-end of someone’s WordPress site. That said, you could be educating others on the Kurdish people by including a few links in your hack. I live in America, where certain news services use “Muslim” and “Islam” in headlines purely for shock value when they want to appeal to an audience so narrow-minded that their hearing is susceptible to the Casimir Effect. I recommend adding the wikipedia article on Kurdistan and the Al-Anfal Campaign to future hacks (and I’m sure Serwan could find more) to provide a little substance to your efforts unless, of course, your goal is just to be a stupid-ass script-kiddie hacker.

If you’re gonna hack, at least try to be productive. Meantime, this was a valuable lesson for myself on what to do to try to keep WordPress from falling into the same limbo during a time when I might not have had an hour to fix it.
