Kakkoi » 2007 » November

DreamHost greylisted by Gmail

Noah Ark — Fri, 30 Nov 2007 19:35:23 +0000

I stumble on this interesting headline while browsing technorati. Beth’s (afrogtokiss.net) is having a minor problem with his wordpress for not receiving earlier notifications on new comments post. After a few comparison he discovered that GMail Has Greylisted DreamHost.. The reason is still unclear, reading what beth’s posted earlier on it seem like Dreamhost Team will not disclose it on open yet.

dreamhost official blog

Hoping that I could get more clear view on this issue I did some more checking on dreamhost official blogs. Unfortunately It doesn’t fudge any relevant news. Their official webblog seems more like a casual blogs full with party pooper.

I spend few minutes fiddling around in their archives before I get on “Are you older than fifth grade”. Its actual content is much more interesting that the crappy headline. Josh Jones (Dreamhost Co-Founder) write a historic trackback of Dreamhost since 10 years ago. The below screenshot has lots thing to says about their business model.

The 9o’s tag clouds is much larger than today’s. So I’m sure you looking at the cloudy links. There is package for Adult site hosting. This is what Josh’s has to say regarding DreamHost early days marketing strategy.

Excerpt from are-you-older-than-a-fifth-grader

It took about a week before we realized that unlimited bandwidth plus adult content equals not good. Some of these people were using over a GB a day of transfer.. and according to an early email from michael, we needed to be making $200/GB to stay afloat! We immediately had to re-negotiate with some of those early adopters.. one guy began paying $700/month, and others left.

We did learn an important lesson though, and that was that some of those $100/month adult sites used hardly ANY bandwidth at all! And thus, the truth about overselling was realized!

(Ha, if you thought having a dedicated adult hosting plan was crazy, before dreamhost.com launched we had a dedicated warez hosting plan!)

We also had “colocation” options back then

10 years ago this guys are crazy (for money, we all do). Back in 97′ google is still in lab (and its not even called google they name it backrub). Search engine projects is still in early phase. So nothing to worry about adult hosting. After ten years I hope they do honest business and not making any high risks strategy.As getting cheap hosting is not a trends anymore.

In my opinion hosting companies should take more wider steps on building trusts based on standard web policy for hosting industry. Being graylisted by google wont make them very famous, nobody want to be on that lists. Dreamhost should resolved this issue immediately (pronto) or risked losing more customers. It would be a waste of 10 years glory.

This could be the worst case for dreamhost . Hopefuly they can clear beth’s and their Google problem. We dont have to see web hosting provider being banned as they new trends just right after recent controversy over “paid links & payperpost” issue.

How to remove wordpress.net.in spams

Avice De'veréux — Fri, 30 Nov 2007 09:06:54 +0000

I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

For temporary disable remote include in php.ini settings.

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = off
allow_url_include = off

Check your .htaccess for suspicious redirect.
Find class-mail.php inside “*/wp-includes/” directory and removed it.

Find the following code inside “*/wp-includes/default_filters.php” and removed it

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16<>b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "“.ucwords($v[’key’]).”\n”;
if($i++==$inum) break;
}
echo “!/div!”.$_footer;
}
}

Robots.txt Exclusion

Optional - Prevent googlebot from indexing the static spam page.
Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.
```
User-agent: Googlebot
Disallow: /*?*
Disallow: /*?
```
Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

compat.php - (replace with latest version)
class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes

External Links

Short URL

How to safely remove AcroRd32Info.exe

Nick B — Thu, 29 Nov 2007 13:05:00 +0000

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

open Adobe AcroRd32
Edit » Preferences
Select the internet categories in the menu list then disabled
Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
Find AcroRd32Info.exe
Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database

Condolense to Sean Taylor (Washington Redskin).

Avice De'veréux — Wed, 28 Nov 2007 01:59:18 +0000

Miami native Sean Taylor was pronounced dead early Tuesday Morning, at Jackson Memorial Hospital in Miami. Sean Taylor was shot at his Palmetto Bay home early Monday morning in the upper part of his leg where he suffered massive blood loss from a severed femoral artery.

After surgery Sean Taylor was said to be responsive to doctors which gave his family a little hope. But he passed away early in that morning. Police are investigating the home invasion and murder of Sean Taylor. Sean Taylor is survived by his high school sweetheart Jackie Garcia, eight-teen month old daughter named Jackie, and his family.

Mark W. Everson (American Red Cross) Resign Statement

Noah Ark — Wed, 28 Nov 2007 01:16:56 +0000

The American Red Cross Announced today that its Board of Governors asked for and received the resignation of President and CEO Mark W. Emerson, Effective immediately. Concurrently, the Board appointed Mary S. Elcano, General Counsel as Interim President and CEO.

Excerpt from washigtonpost

Everson, 53, who is married and has two children, released a statement today saying, “I am resigning my position for personal and family reasons and deeply regret it is impossible for me to continue in a job so recently undertaken. . . . I leave with extraordinary admiration for the American Red Cross, the service its men and women provide our nation, and for the humanitarian work of the Red Cross/Red Crescent movement across the world.”

Mark W. Everson resigned today because he engaged in a personal relationship with an employee.

Matt cutts Snippet video - The anatomy of a search result

Nick B — Tue, 27 Nov 2007 18:58:15 +0000

Matt cutts (Head of Google Webspam team) explained the important part of meta content.

view the video here

How to Block Acces to Unsavory Websites Without using Firewall or third party software

Nick B — Tue, 27 Nov 2007 17:42:51 +0000

There is many reason why you need to block certain website from being access in your network. below is a “the few reason why”.

It’s a warez and porn sites.
I don’t want my employee to view my Competitor Websites.
I’m using illegal software and It seem necessary to disable the automated online registry checkup. ;p
I’m against this [countryname] I want to block all this particular domain from being access.
I hated this [socialnetworksite]

Safe Blocking

Here’s two methods you can safely used to block or redirect unwanted website from being access without using third party software.

1. Block Website using Windows Host file

Open Window explorer, browse to C:\WINDOWS\system32\drivers\etc click on the file name “host” (the file has no extension) make a backup copy first. Then right click view file properties and disabled the read only attributes and open it with a text editor (i.e: notepad).

Windows host settings instructions note

This file contains the mappings of IP addresses to host names. Each entry should be kept on an individual line. The IP address should be placed in the first column followed by the corresponding host name. The IP address and the host name should be separated by at least one space.

route-to target-hostname
example
127.0.1.1 www.thewebsite.com

note: 127.0.1.1 is you localhost address this is where you want the target-hostname/website to redirect. thewebsite.com is the targeted website URL.

alternatively you can also redirect it to google
64.233.167.99 www.thewebsite.com

Save the file and restore back the read only mode, then type in the block address url in your browser see if works.

OpenDNS filtering

The second methods is universal, its work on any operating systems. OpenDNSfiltering. This articles wont teach you how to setup opendns, you can read it at https://www.opendns.com/start. After you had setup OpenDNS account. Read their KB39 articles

its pretty much straight forward from there on. I’m sure you wont have problem configuring opendns filter . everything is just 2 click way.

Example Blocked Lists

127.0.0.1	babe.the-killer.bz
127.0.0.1	www.babe.the-killer.bz
127.0.0.1	babe.k-lined.com
127.0.0.1	www.babe.k-lined.com
127.0.0.1	did.i-used.cc
127.0.0.1	www.did.i-used.cc
127.0.0.1	coolwwwsearch.com
127.0.0.1	www.coolwwwsearch.com
127.0.0.1	coolwebsearch.com
127.0.0.1	www.coolwebsearch.com
127.0.0.1	hi.studioaperto.net
127.0.0.1	www.hi.studioaperto.net
127.0.0.1	webbrowser.tv
127.0.0.1	www.webbrowser.tv

Notes: Notice the double entries for each domain example.com and www.example.com , You will need both long and short URL for effective blocking. Dont depend on canonical address

Beware of this site

Nick B — Sat, 24 Nov 2007 03:03:05 +0000

Its quite rare to see website attacking visitors but the following site is an exception.

girlhell.org
66.79.184.58
Apr 27 08 - usawarez.net

There is few known threads from the above website

JS/Exploit.ADODB.Stream NAP Trojan
Hidden download.
usawarez - False Image Checksum/corrupted

Fracois Paget from McAfee explain in great details regarding this Stream Attack and their Complete Methods. I’m quite amazed with the analysis. read it all here.

Change Scarlett Johansson into a zombie

Nick B — Fri, 23 Nov 2007 22:55:59 +0000

Learn how to change the sexy Hollywood star into a real zombie with this photoshop video …enjoy!

by MonaLisaChild

Warez site with High Pagerank. That’s not fair Google

Noah Ark — Mon, 19 Nov 2007 18:14:51 +0000

Just google for “warez full apps”, most of results sites has PR6. I don’t like to put any name here so do your own research and go ask Matt’s for good answered. If you arent satisfied with this issue I suggest you open Google Webmaster accounts and submit those site for reviews/sandbox.

After the recent controversy over payperpost and linkexchange policy. What do you think of PR over this issue? Do you care about SEO?.