Patch to mod_evasive to enhance reporting

This morning I took the opportunity to install mod_evasive on my Apache Web Server after being hammered by zombies last night. Quote from [www.nuclearelephant.com]:

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

It appears to work well; I tested it out by loading it up with small scale DoS attacks. It blocked the offending addresses as expected, produced the relevant syslog entries and triggered my external reporting script. I was however a little disappointed with its script execution functionality: it basically did a "system" call, allowing you to pass only one argument, the offending IP address.

I already have mod_security installed which also executes an external reporting script. However mod_security has a neat little feature which I took for granted, it passes all the 'environment' variables from the request to the script allowing you to see the request itself & any headers passed.

For example, a typical mod_security email alert for me would contain:

DOCUMENT_ROOT=/usr/local/apache/vhosts/www.domain.com
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_ENCODING=gzip, x-gzip
HTTP_CONNECTION=close
HTTP_HOST=www.domain.com
HTTP_MOD_SECURITY_ACTION=500
HTTP_MOD_SECURITY_EXECUTED=/usr/local/scripts/modsec_alert.pl
HTTP_MOD_SECURITY_MESSAGE=Access denied with code 500. Error normalizing REQUEST_URI: Invalid URL encoding detected: not enough characters
HTTP_USER_AGENT=Mozilla/4.0
PATH=/bin:/sbin...
PATH_INFO=/search.cgi
PATH_TRANSLATED=/usr/local/scripts/modsec_alert.pl
QUERY_STRING=q='object+levels%
REDIRECT_STATUS=302
REMOTE_ADDR=XXX.XXX.XXX.XXX
REMOTE_PORT=45852
REQUEST_METHOD=GET
REQUEST_URI=/cgi-bin/search.cgi?q='object+levels%
SCRIPT_FILENAME=/usr/local/apache/vhosts/www.domain.com/cgi-bin
SCRIPT_NAME=/cgi-bin
SERVER_ADDR=XXX.XXX.XXX.XXX
SERVER_ADMIN=foo@bar
SERVER_NAME=www.domain.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache

This shows me detailed information about the request which was declined and why. I wanted to get similar functionality out of mod_evasive and I achieved this with the following additional code (butchered from mod_security).

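C++:
  if (sys_command != NULL) {
    char **env = NULL;
    const char *args[5];

    /* Populate r->subprocess_env with the CGI and common request variables */
    ap_add_cgi_vars(r);
    ap_add_common_vars(r);

    /* Flatten the table into a NULL-terminated "KEY=value" array for execve() */
    env = (char **)ap_create_environment(r->pool, r->subprocess_env);

    ap_cleanup_for_exec();

    /* argv for the script: args[1] is the offending IP address */
    args[0] = filename;
    args[1] = text_add;
    args[2] = NULL;
    /* execve() replaces the calling process image and returns only on failure */
    execve(sys_command, (char *const *)args, env);
  }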

The original mod_evasive code expects the parameter 'sys_command' to be a sprintf format string, allowing you to define a position with '%s' where the IP address should be inserted. My code above does not do this; it expects 'sys_command' to be the path to an executable which takes a single argument, the IP address.

This change can be applied automagically - to the Apache 1.3.x version of mod_evasive.c only - with the following patch: mod_evasive_execve.patch

Assuming mod_evasive_1.10.1.tar.gz & mod_evasive_execve.patch have already been downloaded to the same directory:

[foo@bar ~]$ tar zxf mod_evasive_1.10.1.tar.gz
[foo@bar ~]$ cd mod_evasive
[foo@bar mod_evasive]$ patch -p1 < ../mod_evasive_execve.patch
patching file mod_evasive.c
[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apxs -iac mod_evasive.c
gcc -DLINUX=22 -DEAPI -I/usr/include/gdbm -DUSE_HSREGEX -fpic -DEAPI -DSHARED_MODULE -I/usr/local/apache/include -c mod_evasive.c
gcc -shared -o mod_evasive.so mod_evasive.o
[activating module `evasive' in /usr/local/apache/conf/httpd.conf]
cp mod_evasive.so /usr/local/apache/libexec/mod_evasive.so
chmod 755 /usr/local/apache/libexec/mod_evasive.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
rm /usr/local/apache/conf/httpd.conf.new
[foo@bar mod_evasive]$

Now create a simple shell/perl/something script to use this info. My example emails myself and the address listed as the SERVER_ADMIN; because each VirtualHost on my server has a 'ServerAdmin' entry with the owner's email address, my customers get a copy of the email too.

PERL:
  #!/usr/bin/perl
  # /usr/local/scripts/mod_evasive_alert.pl
  use strict;
  use warnings;

  # The patched module passes the blacklisted IP as the only argument
  my $IP  = $ARGV[0];
  my $MSG = "mod_evasive has blacklisted the IP $IP.\n\n";

  # Append every environment variable handed over by the module
  foreach my $key ( sort keys %ENV ) {
     $MSG .= $key . "=" . $ENV{$key} . "\n";
  }

  # -t makes sendmail read the recipients from the To:/Cc: headers
  open(SENDMAIL, "|/usr/sbin/sendmail -t") or die "Cannot open sendmail: $!";
  print SENDMAIL "Reply-To: foo\@bar\n";
  print SENDMAIL "Subject: [lobstertechnology.com] mod_evasive alert $IP\n";
  print SENDMAIL "To: " . $ENV{'SERVER_ADMIN'} . "\n";
  print SENDMAIL "Cc: foo\@bar\n";
  print SENDMAIL "Content-type: text/plain\n\n";
  print SENDMAIL $MSG;
  close(SENDMAIL);

Now configure mod_evasive to execute your script when it is triggered, add the following to your $APACHE_ROOT/conf/httpd.conf:

CODE:
  <IfModule mod_evasive.c>
      DOSSystemCommand    "/usr/local/scripts/mod_evasive_alert.pl"
  </IfModule>

Now restart Apache:

[foo@bar mod_evasive]$ $APACHE_ROOT/bin/apachectl restart
/usr/local/apache/bin/apachectl restart: httpd restarted

Tada! You're done. Use the 'test.pl' script provided by mod_evasive to trigger a blocking of your IP and see the email generated.
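An alternative alert handler in Python, added here as an example (it is not part of the original post or of mod_evasive). It takes the same single IP argument and CGI environment, but validates the IP, escapes control characters and redacts credential-bearing variables before the dump is mailed to the ServerAdmin address. The redaction list, the fallback recipient and the sample environment are assumptions constructed for the example.

```python
#!/usr/bin/env python3
import ipaddress
import os
import subprocess
import sys
from email.message import EmailMessage

# Assumed list of variables that can carry session or login material.
REDACT = {"HTTP_COOKIE", "HTTP_AUTHORIZATION", "HTTP_PROXY_AUTHORIZATION"}
FALLBACK_ADMIN = "root@localhost"  # hypothetical recipient when SERVER_ADMIN is unset

# Constructed sample of what the patched module would pass in the environment.
SAMPLE_ENV = {
    "SERVER_ADMIN": "admin@example.com",
    "REMOTE_ADDR": "192.0.2.10",
    "REQUEST_URI": "/cgi-bin/search.cgi?q=test",
    "HTTP_COOKIE": "session=abc123",
    "HTTP_USER_AGENT": "Mozilla/4.0\r\nX-Injected: 1",
}


def header_value(value):
    """Refuse CR/LF so an environment value cannot add extra mail headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value


def printable(value):
    """Escape control and non-ASCII characters so each variable stays on one line."""
    return value.encode("unicode_escape").decode("ascii")


def build_alert(argv, env):
    """Build the alert mail from argv (script name + IP) and the CGI environment."""
    if len(argv) != 2:
        raise ValueError("expected exactly one argument: the blocked IP")
    ip = str(ipaddress.ip_address(argv[1]))  # ValueError on anything but an IP
    lines = [f"mod_evasive has blacklisted the IP {ip}.", ""]
    for key in sorted(env):
        value = "[redacted]" if key in REDACT else printable(env[key])
        lines.append(f"{key}={value}")
    msg = EmailMessage()
    msg["To"] = header_value(env.get("SERVER_ADMIN", FALLBACK_ADMIN))
    msg["Subject"] = f"mod_evasive alert {ip}"
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    message = build_alert(sys.argv, dict(os.environ))
    # Same delivery path as the Perl script: recipients come from the headers.
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=message.as_bytes(), check=True)
```
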

Fedora Core 5 on VMWare 5.5

Fedora Core 5 was released yesterday, I attempted to upgrade my existing Fedora Core 4 installation in VMWare Workstation 5.5.0 and encountered a problem.

Fedora isn’t automatically detecting the VMWare SCSI device; it presents a warning that no hard drives were detected. I found you can resolve this by manually adding the BusLogic device during setup.

See the following sequence of screenshots.

1. Default Boot Screen
2. Warning Message "No hard drives have been found."
3. List of Automatically Detected Devices
4. Manually Selecting the "BusLogic MultiMaster SCSI" Driver
5. List of Detected Devices now including the BusLogic Driver

After doing this everything installed normally, Good Luck!!

Wordpress 2.0.2 ‘Security Release’

Matt announced a security release for Wordpress today on the Wordpress Development Blog. This release addresses unannounced XSS problems apparently with comment posting & registration. The files affected by this release are:

wp-admin/admin-functions.php
wp-admin/admin-header.php
wp-admin/admin.php
wp-admin/edit-pages.php
wp-admin/import/blogger.php
wp-admin/list-manipulation.php
wp-admin/menu-header.php
wp-admin/post.php
wp-admin/user-edit.php
wp-comments-post.php
wp-includes/classes.php
wp-includes/comment-functions.php
wp-includes/functions.php
wp-includes/js/tinymce/langs/en.js
wp-includes/js/tinymce/plugins/wordpress/langs/en.js
wp-includes/js/tinymce/tiny_mce_gzip.php
wp-includes/template-functions-general.php
wp-includes/template-functions-links.php
wp-includes/version.php
wp-register.php
wp-settings.php

Here is a short summary of some of the notable changes:

wp-admin/admin-functions.php

- Forced default values of $_POST['comment_status'] = 'closed' & $_POST['ping_status'] = 'closed' when they are not set.
- Added escaping of attachment data-objects.
- Added escaping of posts data-objects.

wp-admin/admin-header.php

- Added check for 'manage_categories' privileges before showing the "Add" option to the category list while writing a post.

wp-admin/list-manipulation.php

- Abstracted deletion of links from direct SQL to a wp_delete_link method.

wp-admin/menu-header.php

- New 'admin_notices' Action allowing plugins to insert HTML immediately after the 'adminmenu' and 'submenu' <ul>'s. I think I'll be using that for my "New version of SpamKit available" messages.

wp-admin/post.php

- Additional HTTP Referrer checks using the 'check_admin_referer' method when submitting a new post, editing an attachment and editing a post.

wp-admin/user-edit.php

- Additional HTTP Referrer checks using the 'check_admin_referer' method when updating a User.

wp-includes/comment-functions.php

- Sanitising of user-submitted Name, Email & URL from cookies.

wp-register.php

- Forced blank default value of user-submitted email address & login name.
- Sanitising of the display of user-submitted email address & login.

I have created a patch to take 2.0.1 installations of Wordpress up to version 2.0.2 without having to reinstall and possibly lose customisations.

http://svn.lobstertechnology.com/wordpress-patches/wordpress-2.0.1-2.0.2.patch

You can apply this patch from the top directory of your Wordpress installation using the 'patch' program from a UNIX shell.

patch -p1 < wordpress-2.0.1-2.0.2.patch

Full Example Usage:

[michael@lobstertechnology ~] $ cd blog.lobstertechnology.com
[michael@lobstertechnology blog.lob...] $ patch -p1 < wordpress-2.0.1-2.0.2.patch
patching file wp-admin/admin-functions.php
patching file wp-admin/admin-header.php
patching file wp-admin/admin.php
patching file wp-admin/edit-pages.php
patching file wp-admin/import/blogger.php
patching file wp-admin/list-manipulation.php
patching file wp-admin/menu-header.php
patching file wp-admin/post.php
patching file wp-admin/user-edit.php
patching file wp-comments-post.php
patching file wp-includes/classes.php
...
[michael@lobstertechnology blog.lob...] $

Alternatively, you can simply replace only the files which have changed - listed above.

;)

WP Plugin » SpamKit Plugin 0.4 – Time-Based-Tokens to Fight Spam

This is a pretty significant release of SpamKit Plugin which provides some cool new features. This is checked into Subversion over at WP-Plugins.org and you can download the new version here spamkit-plugin.php.

Released as version 0.4:
* Added options page, this required sanity checks to prevent double definition of functions, implemented in a C-style #ifdef / #define pattern.
* Added full configuration functionality, this is done using built-in defaults, overridden by saved options making it upgrade proof.
* Added new EXPERIMENTAL check, comments posted by clients with no User-Agent string are auto-spammed and don't make it to the moderation page.
* Added new EXPERIMENTAL check, submitted email address is subject to format validation & DNS check for a mail exchanger.
* Updated to use Gerry's new OO-based TBT code removing the dependency on MCRYPT.
* Removed any path-dependent problems, making it compatible with all WP installs *i hope*.
* Added option to place trackback & pingbacks in the moderation queue, disabling this option causes them to be auto approved.
* Added option to moderate comments which fail TBT checks, disabling this option will mean the comments are automatically marked as spam and will never be seen.

Known Issues:
* Because direct calls to this script (for the badge) cannot access WP or any options, there is no easy way to provide a configurable /tmp directory. There is however a configuration option to disable this functionality if it causes problems.

Analysis of Spamming Zombie Botnets

Since writing my SpamKit Plugin I have been keeping a keen eye on the comment/trackback spam subject and have guinea pig'd my ideas on my own blog. Recently I noticed a distinct change in the sophistication of comment-spammers.

The early comment-spammers were using very basic HTTP clients, mostly without thinking about what's going on 'under the hood'. As such their spam-messages would come through with easily filtered HTTP "User-Agent" headers like "PEAR HTTP_Request class ( http://pear.php.net/ )" and "libwww-perl/5.803". Over a period of a few months these – what I call 1st generation – bots began to dwindle in numbers, replaced by slightly more sophisticated clients which loosely emulated real browsers.

These 2nd generation bots were still very primitive, apart from changing the "User-Agent" and adding a few other headers they were still pretty basic and would repeatedly attempt to post comments over the period of a few seconds on a number of posts. This activity is also easily filtered since not even a superhuman Blog-fiend could comment on your top ten posts in less than 10 seconds.

All the attempts so far have been very basic, beginners in Perl / PHP could probably pull it off easily, and they are just as easily filtered out.

Over the Christmas period I observed some very unusual activity, a 'spam attack' coming from dozens of source IP addresses, coordinated within a few minutes. I initially spotted it because the "User-Agent" header was completely empty – stands out a bit. After some investigation and further attacks I became pretty confident this wasn't a fluke or coincidence of independent spammers.

I knocked up a quick Wordpress plug-in to capture as much info about these suspicious requests as possible. Here is one of the first attacks.

03/02/2006 20:37:44 212.0.XXX.XXX GET /
03/02/2006 20:38:14 201.242.XXX.XXX GET /category/wordpress/plugins/
03/02/2006 20:39:54 210.183.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/
03/02/2006 20:40:25 200.122.XXX.XXX GET /category/java/jakarta-velocity/
03/02/2006 20:40:37 62.23.XXX.XXX GET /2006/02/02/sitecom-cn-502-usb-bluetooth-dongle-works-on-linux/
03/02/2006 20:40:55 68.96.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/
03/02/2006 20:41:18 70.88.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:20 70.88.XXX.XXX GET /category/thoughts/
03/02/2006 20:41:44 200.21.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:48 200.21.XXX.XXX GET /2006/01/25/ti-7x21-flashmedia-sd-host-controller-104c-8033/
03/02/2006 20:42:16 61.145.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:42:24 217.113.XXX.XXX GET /category/flash/
03/02/2006 20:42:48 212.251.XXX.XXX GET /category/internet/
03/02/2006 20:43:04 205.180.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:43:22 82.76.XXX.XXX GET /keywords/
03/02/2006 20:43:56 218.248.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/#postcomment
03/02/2006 20:44:13 206.191.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/%23postcomment
03/02/2006 20:44:14 206.191.XXX.XXX GET /category/tools/
03/02/2006 20:44:15 206.191.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:44:38 62.23.XXX.XXX GET /category/wordpress/plugins/search-term-highlighter/
03/02/2006 20:45:33 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:34 82.76.XXX.XXX GET /category/tools/
03/02/2006 20:45:35 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:48 203.162.XXX.XXX POST /wp-comments-post.php

In this particular instance, the attack was over a ten minute period. The first request was a HTTP GET on the root of my Blog "/", almost definitely used to feed the other bots with URLs. Next, other clients in the Botnet continue to spider my Blog in parallel, building a list of URLs to try later, and lastly come the first of the attempts to post a comment.

If you examine the sequence of requests, the bots are posting a comment, then coming back to check if it was successful. Analysis of later attacks even found other bots in the group checking if the comment posted by a peer bot was successful. The participating hosts are located all over the world but the majority are in North America and Asia.
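The behaviour described above can be turned into simple detection logic. The following is an added example, not the capture plug-in from the post: it parses a subset of the log lines shown above (masked addresses are treated as opaque strings) and flags POSTs from clients that never fetched a post page, the post-then-check pattern, and several such clients acting inside one window. The day/month date order, the permalink pattern and all thresholds are assumptions.

```python
import re
from datetime import datetime

# Subset of the request log excerpt above, copied as-is.
LOG = """
03/02/2006 20:40:55 68.96.XXX.XXX GET /2006/02/02/search-term-highlighter-plugin-0-0/
03/02/2006 20:41:18 70.88.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:20 70.88.XXX.XXX GET /category/thoughts/
03/02/2006 20:41:44 200.21.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:41:48 200.21.XXX.XXX GET /2006/01/25/ti-7x21-flashmedia-sd-host-controller-104c-8033/
03/02/2006 20:43:04 205.180.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:43:22 82.76.XXX.XXX GET /keywords/
03/02/2006 20:45:33 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:34 82.76.XXX.XXX GET /category/tools/
03/02/2006 20:45:35 82.76.XXX.XXX POST /wp-comments-post.php
03/02/2006 20:45:48 203.162.XXX.XXX POST /wp-comments-post.php
"""

COMMENT_ENDPOINT = "/wp-comments-post.php"
# Assumption: the comment form lives on post permalinks of the form /YYYY/MM/DD/slug/.
PERMALINK = re.compile(r"^/\d{4}/\d{2}/\d{2}/[^/]+/")


def parse(text):
    """Return a time-ordered list of (timestamp, ip, method, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        date, clock, ip, method, path = line.split(None, 4)
        ts = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M:%S")
        events.append((ts, ip, method, path))
    return sorted(events)


def blind_posts(events):
    """Comment POSTs from an IP that had not fetched any post page beforehand."""
    seen_form, blind = set(), []
    for ts, ip, method, path in events:
        if method == "GET" and PERMALINK.match(path):
            seen_form.add(ip)
        elif method == "POST" and path == COMMENT_ENDPOINT and ip not in seen_form:
            blind.append((ts, ip))
    return blind


def post_then_check(events, within=5):
    """IPs that issue a GET within `within` seconds of their own comment POST."""
    last_post, hits = {}, set()
    for ts, ip, method, path in events:
        if method == "POST" and path == COMMENT_ENDPOINT:
            last_post[ip] = ts
        elif method == "GET" and ip in last_post:
            if (ts - last_post[ip]).total_seconds() <= within:
                hits.add(ip)
    return hits


def coordinated(blind, window=600, min_ips=3):
    """Largest set of distinct IPs with blind POSTs inside one window, or empty."""
    best = set()
    for i, (start, _) in enumerate(blind):
        ips = {ip for ts, ip in blind[i:] if (ts - start).total_seconds() <= window}
        if len(ips) > len(best):
            best = ips
    return best if len(best) >= min_ips else set()


if __name__ == "__main__":
    events = parse(LOG)
    print("post-then-check:", sorted(post_then_check(events)))
    print("coordinated blind posters:", sorted(coordinated(blind_posts(events))))
```
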

This obviously demonstrates a very high level of sophistication. Initially I presumed that there was a single client application running requests in parallel over a group of HTTP proxies. After tracing down the locations & owners of each of the participants in the attacks I concluded it was infeasible that they all happened to have open proxies being abused in this way. A large proportion of the machines being used are actually web servers which have probably been exploited and are running IRC-controlled Trojan software.

Backing this up is the pace these attacks are evolving, the first few were very primitive without even a HTTP "User-Agent" header; however this was very quickly amended. The most recent attack I observed (1st March 2006) showed even more improvements, each client was almost indistinguishable from normal visitors. Providing full 'Internet Explorer' like headers of accepted mime types, charsets, languages and even including valid HTTP referrer headers and cookies.
Thankfully, all their time seems to be invested in improving the client software; the actual content of the comment was practically identical.

My SpamKit Plugin has so far easily handled each of these situations. It uses Gerry's "Time Based Tokens" which were auto-generated and written into a hidden form field. Any incoming comments without a token or with an invalid token could be held for moderation while at the same time having zero impact on real visitors writing comments. Unlike techniques used by other solutions it does not require the user to type in a random key from an image like the 'captcha' technique, nor does it rely on JavaScript support in the browser. Until these spam bots reach a level of sophistication where they are parsing out HTML forms including hidden values and posting them, the current version of SpamKit will still be an effective solution.

However there is one major drawback with SpamKit; pingbacks/trackbacks are machine-generated, they will not have a "Time Based Token" and will be held for moderation as if they were spam. The problem with this is that spammers are also increasingly using the pingback/trackback mechanism to get their comments through the net. A lot of thought and discussion on this subject with Gerry led to one potential solution; scoring & validation on the URL the pingback/trackback is supposedly from.

In early examples of trackback spam the URL given pointed straight to some advertising-based web page. Something like this lends itself to easy detection and filtering as the content when examined would score highly for spam key words like 'Viagra' etc. However these attacks have also evolved, the most recent of which point to real web pages or Blogs that contain obfuscated JavaScript redirection code – redirecting real visitors' browsers but avoiding any page content detection techniques. In some cases the code has been inserted into Bulletin Boards or Guestbooks which allow unfiltered HTML.

An example page with obfuscated JavaScript redirection (warning, this will redirect you to mp3search.ru)

http://zigfrid.blog.kataweb.it/il_mio_weblog/

So, what measures can be taken to stop spam?

Personally I don't think you will ever get rid of spam, you have a pretty good chance of eradicating all but the most sophisticated of spammers, but you'll never stop 100% of spam. The best methodology is to constantly evolve your defences at the same rate or faster than the opposition. For starters Gerry & I are constantly dreaming up new ways we can enhance SpamKit… Recent updates include encoding the original source IP address in the "Time Based Token" which would become invalid if submitted from a different address. Other works in progress include hardcore validation of the email address submitted; does the domain exist? does it have a mail exchanger MX record? etc. content validation, key word searching and probabilities of the content being spam – progress will be reported here and on Gerry's site.
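A sketch of a time-based token bound to the client address, covering both the hidden-form-field check and the source-IP binding described above. It is an added example, not SpamKit's or Gerry's TBT code (which is not shown on this page): it uses an HMAC over the issue time and IP, and the secret, the age limits and all function names are assumptions. The `disposition` function mirrors the moderation options listed in the 0.4 release notes.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a per-site secret kept server-side
MIN_AGE = 5      # assumed: seconds a human needs before submitting the form
MAX_AGE = 3600   # assumed: seconds after which a rendered form goes stale


def _mac(issued, ip):
    """HMAC over issue time and client IP; changing either invalidates the token."""
    return hmac.new(SECRET, f"{issued}|{ip}".encode(), hashlib.sha256).hexdigest()


def issue_token(ip, now=None):
    """Value for the hidden form field, generated when the page is rendered."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(issued, ip)}"


def check_token(token, ip, now=None):
    """Return 'ok' or the reason the token was rejected."""
    now = int(time.time() if now is None else now)
    if not token:
        return "missing"
    issued_s, sep, mac = token.partition(".")
    try:
        issued = int(issued_s)
    except ValueError:
        return "malformed"
    if not sep:
        return "malformed"
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(mac.encode(), _mac(issued, ip).encode()):
        return "bad-mac"
    age = now - issued
    if age < MIN_AGE:
        return "too-fast"
    if age > MAX_AGE:
        return "expired"
    return "ok"


def disposition(token, ip, is_trackback=False, moderate_trackbacks=True,
                moderate_failures=True, now=None):
    """Map a submission to 'approve', 'moderate' or 'spam' per the plugin options."""
    if is_trackback:
        # Machine-generated, so it can never carry a token.
        return "moderate" if moderate_trackbacks else "approve"
    if check_token(token, ip, now) == "ok":
        return "approve"
    return "moderate" if moderate_failures else "spam"


if __name__ == "__main__":
    t = issue_token("198.51.100.7", now=1000)
    print(check_token(t, "198.51.100.7", now=1060))  # same client, a minute later
    print(check_token(t, "203.0.113.9", now=1060))   # token replayed from another IP
```
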

In the long term spammers are going to have clients that pretty much replicate real users down to the delays & randomness between requests. Countermeasures are going to have to be just as sophisticated, evaluating content and even executing JavaScript as if they were also real clients.

RC4/ARCFOUR Implementation in PHP

I wrote this RC4/ARCFOUR implementation in PHP - based on the original C source code posted on usenet in 1994. The rc4() call itself is completely self-contained, two other methods rc4_test() and rc4_benchmark() have been provided for testing and are optional.

My motivation for writing it was to replace the dependency on MCrypt in my SpamKit plugin for Wordpress - see Gerry's site for the updated TBT code I will wrap in the next SpamKit Plugin release.

This software is completely public domain, all I ask for is a simple credit for my work if you find it useful.

View Source: rc4.php
View Source: rc4tests.php

Examples:

1. Simple encryption & decryption

PHP:
  <?php
  require_once( "rc4.php" );

  $key = "0123456789abcdef";
  $plaintext = "Hello World!";

  // RC4 is symmetric: the same call with the same key encrypts and decrypts
  $ciphertext = rc4( $key, $plaintext );

  $decrypted = rc4( $key, $ciphertext );

  echo $decrypted . " - " . $plaintext . "\n";

  ?>

2. Execute the tests and display the results

PHP:
  <?php
  require_once( "rc4tests.php" ); // Auto includes rc4.php

  echo rc4_tests();

  ?>

3. Execute the tests as benchmarks and display the results

PHP:
  <?php
  require_once( "rc4tests.php" ); // Auto includes rc4.php

  echo rc4_benchmark();

  ?>

Update: TI 7×21 FlashMedia/SD Host Controller (104C:8033 & 104C:8034)

Bit of an update, my previous post is now getting a significant amount of traffic; in fact it’s my hottest post yet!

Progress over at http://tifmxx.berlios.de/ - I downloaded the latest revision of this driver and it appears to be going through re-structuring, still not-functional I am afraid.

However, a month since contacting TI I received a response to my telephone-based support request by email.

From: support@ti.com

Hello Michael,

I am sorry TI doesn't support software drivers for cardbus devices,
please see below for more details on this:

TI PC Card, Flash Media, IEEE 1394 and Smart Card Controller
Devices:

Texas Instruments (TI) does not develop software drivers for
these multi-function controllers. Our devices are used in Personal
Computers and add-in cards from many manufacturers. These
manufacturers include drivers from Microsoft and, for certain
platforms, from the Linux community that enable the PC Card and 1394
functions in these TI devices. Texas Instruments does not provide
drivers for Windows, Linux or any other operating system.

If you are encountering difficulties with your PC or add-in card,
please contact the manufacturer for support. Texas Instruments does
not provide any support for these end products.

If you require drivers for Flash Media or Smart Card you need to
contact the PC manufacturer. TI does not provide drivers for atypical
system applications.

Additional information

To find the manufacturer of the card, use the FCC's web page
http://www.fcc.gov/oet/fccid/ to search for the FCC ID number printed
on the bottom of the card. If it came preinstalled, please contact
the store where you purchased the computer.

Third-party vendors have developed Card & Socket Services driver
support for other operating systems. These vendors include Phoenix
Technologies/Award Software, and SystemSoft:

Microsoft
www.microsoft.com 800-426-9400

Award Software/Phoenix Technologies www.phoenix.com
800-677-7305

Systemsoft Corp.
www.systemsoft.com 800-796-0088

Softex, Inc.
www.softexinc.com 512-452-8836

Best Regards,
Sandeep.

TI assumes no liability for applications assistance or customer
product design. Customer is fully responsible for all design
decisions and engineering with regard to its products, including
decisions relating to application of TI products. By providing
technical information, TI does not intend to offer or provide
engineering services or advice concerning Customer's design. If
Customer desires engineering services, the Customer should rely on
its retained employees and consultants and/or procure engineering
services from a licensed professional engineer (LPE).

***Please do not delete the below Thread ID when replying to this
email, doing so will delay our response to your inquiry***

[SR THREAD ID:1-3RGCWY]

Dear Michael Cutler

Thank you for choosing Texas Instruments Technical Support. Your
case 1-227511394 has been resolved. See the description below for
details.

Would like Linux driver for this card. I told him we didn't supply
them and to contact PCMCIA, but he said that he knew somebody who had
managed to get these from TI

Regards,

X0045551

Texas Instruments

Semiconductor Technical Support

http://www-k.ext.ti.com/sc/technical_support/pic/americas.htm

If you have further questions please reply to this email.

And my response.

Dear Sandeep,

Thank you for taking the time to respond to my query. I appreciate that Texas Instruments (TI) does not tend to support end-users of your devices, especially with driver problems and believe me if it were that simple I would not be taking up your time today.

The reason I am contacting you is simple, I am trying to use my TI 7x20/7x21 Flash Media controller (PCI ID 104c:8033) within Linux. After a lot of research on the subject I discovered this page on the Everest Consultants Inc website. It suggests that Texas Instruments hired Everest to produce Linux Device Drivers for this particular chip; judging by the write up they have produced a well designed and much needed driver solution. I contacted Everest about obtaining this driver and they referred me to you.

http://www.everestinc.com/fml.htm

In the meantime I continued researching this on the internet and discovered an open source and “free” (as in freedom) effort to produce a driver for this device. Unfortunately it isn’t progressing particularly quickly because technical documentation on this chip is scarce.

http://tifmxx.berlios.de/

I also discovered another person who had managed to obtain a binary version of what are presumably the Everest-made drivers. It is also interesting to note that the ‘modinfo’ for the driver states it is under GPL (Gnu Public License) and as such, the source code should be available on demand.

http://www.webcon.ca/~imorgan/tifm21/

I have been recording my progress on my personal website. In the past seven days I have had 243 unique visitors who have searched for this device in relation to Linux and discovered my website and the record of my progress, a handful have contacted me directly about it.

There is a great demand for Linux support for this device, I would like to see either the Everest-made GPL driver source code made available or, extensive technical documentation - sufficient to allow open source developers to produce a driver - made available to the Open Source Community.

Yours Sincerely,

--
Michael Cutler . o O ( http://blog.lobstertechnology.com/ )
PGP: 0xC3ABA735

I will follow up by calling them again during mainstream office hours and see where I can get myself transferred to this time. :)