• Category Archives security
  • Hacking the Code

In my last post I talked about how to clean up a hacked web server; hopefully your server is clean now and you can get back to what you do best. But what was the hacker trying to do? What does that long string mean? I will show you how to decode the string the safe way, and how it was constructed.

The example I am going to use is from a real hacked website. The code I will display is only partial, but the construct will be complete. Any identifiable URLs have been changed to protect the site owner and you.
Let's start by identifying the code. This is what I found at the very beginning of the page:
    <? /**/eval(base64_decode(aWYoZnVuY3Rpb25<–>KTt9fX0=)); ?>

Let's start with /**/. It looks innocent, but it is a way to hide the code. A /* ... */ comment is normally used for large blocks of comments, instead of putting // on each line; here the comment is empty, so PHP itself ignores it and the eval still runs. What I noticed is that in Bluefish and Notepad++, when the line is highlighted, the whole line appears to be a comment; my guess is that other code scanners also see one long comment on that line and skip it. But this is just my own conclusion and testing. It is a very clever way to use comments.

I almost forgot: the first thing to notice is the use of short tags (<?). On my personal server I have short tags disabled; I had learned that they should be disabled for security purposes, though I don't know if this still holds true today. The reason they use a short tag is that it helps hide the code as a comment; adding php to it (<?php) makes it show up as PHP code, not a comment. Now it's starting to unravel...

eval – Evaluate a string as PHP code

Very simple, right? They need something to run their code, and eval does the trick. The string can even contain HTML (by closing the PHP tag inside it, the same way a normal page mixes the two). Just another piece of the pie.

base64_decode – it decodes a base64 string. Now what is base64? It was originally designed for email, to send binary data in messages that can only carry text, and it has other uses such as carrying binary data in URLs and other variables; but its newest use is hiding PHP code in one long string. In this case the string was 2692 characters long. So what did that string have in it?
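The safe way to read such a string is to decode it without ever handing it to eval. The script below is an added example (my own code, not from the hacked site or from the original post): it pulls the base64 blob out of an eval(base64_decode(...)) wrapper with a regular expression, decodes it, and keeps going while the decoded result is itself another wrapper, since droppers are often nested several layers deep. The sample page it runs on is constructed here for illustration; the only strings taken from the post are the visible head and tail of the real blob (aWYoZnVuY3Rpb24 and KTt9fX0=), which the peek() helper decodes on their own.

```python
"""Statically unwrap eval(base64_decode('...')) droppers without executing them.

Added example: the sample PHP page below is constructed, not the real string
from the hacked site. The only assumption is that the wrapper follows the
eval(base64_decode(...)) pattern described in the post.
"""
import base64
import re

# Matches eval(base64_decode("...")) and its variants: optional whitespace,
# optional quotes around the blob, case-insensitive. Group 1 is the base64 payload.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=\s]+?)['\"]?\s*\)\s*\)",
    re.IGNORECASE,
)


def find_payloads(php_source: str) -> list[str]:
    """Return every base64 blob fed to eval(base64_decode()) in the source,
    with any line-wrapping whitespace stripped out."""
    return [re.sub(r"\s+", "", blob) for blob in EVAL_B64.findall(php_source)]


def decode_layers(blob: str, max_depth: int = 10) -> list[str]:
    """Decode a blob and keep unwrapping while the result is itself an
    eval(base64_decode()) wrapper. Returns each decoded layer, outermost first.
    Nothing is executed; max_depth guards against a self-referencing loop."""
    layers = []
    current = blob
    for _ in range(max_depth):
        # validate=True makes a corrupted blob fail loudly instead of decoding garbage.
        decoded = base64.b64decode(current, validate=True).decode("utf-8", errors="replace")
        layers.append(decoded)
        inner = find_payloads(decoded)
        if not inner:
            break
        current = inner[0]
    return layers


def peek(fragment: str) -> str:
    """Decode a partial base64 string (a head or tail of a longer blob).
    Base64 works in 4-character groups, so a fragment cut to a whole number of
    groups (padded with '=' if needed) still yields its bytes. A remainder of
    one character can never decode and is dropped."""
    rem = len(fragment) % 4
    if rem == 1:
        fragment, rem = fragment[:-1], 0
    if rem:
        fragment += "=" * (4 - rem)
    return base64.b64decode(fragment).decode("utf-8", errors="replace")


# --- constructed sample: a two-layer dropper at the top of an otherwise normal page ---
INNER_PHP = 'if(function_exists("curl_init")){echo "<iframe src=http://example.invalid/ width=0></iframe>";}'
LAYER1 = base64.b64encode(INNER_PHP.encode()).decode()
WRAPPED = "<?php eval(base64_decode('" + LAYER1 + "')); ?>"
LAYER2 = base64.b64encode(WRAPPED.encode()).decode()
SAMPLE_PAGE = "<? /**/eval(base64_decode('" + LAYER2 + "')); ?>\n<html><body>normal page</body></html>\n"


if __name__ == "__main__":
    for blob in find_payloads(SAMPLE_PAGE):
        for depth, layer in enumerate(decode_layers(blob)):
            print(f"--- layer {depth} ---\n{layer}\n")
    # The head and tail shown in the post decode to "if(function" and ");}}}".
    print(peek("aWYoZnVuY3Rpb24"), peek("KTt9fX0="))
```

Run it against a copy of the infected file rather than the live server, and read the innermost layer as text: the decoded PHP tells you what the attacker was trying to do (here an injected iframe) without any of it ever executing. The peek() helper is why even the truncated string in the post gives something away: its first characters decode to "if(function", so the payload opens with a function check before doing its work.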

    Continue reading  Post ID 220

  • Web Site Security- what to do when you get hacked?

Recently a client/friend asked me to help him with his site after he found out he had been hacked. In a situation like that I gladly volunteer my time to help assess and fix the issue and prevent it from happening again. The major CMSs and other frameworks all have guides to help you when you get hacked; WordPress and Zen Cart both have very good ones. This guide is meant as a general guide to getting back on track; you may have better site-specific information from the company that developed the framework. Also check the forums for other people who have been hacked, how they fixed it, and what the cause was.

    Continue reading  Post ID 220

  • This really scares me!


I was reading and found the article above. Yes, I had been hearing about it since early yesterday, but only just got around to reading what all the talk was about. This bill really scares me: the government having the ability to turn off the Internet? This is ridiculous, turning off a major communications medium to private networks. So before I jump to any conclusion, let's read the bill and then criticize them and their socialized dreams.

OK, after reading the 55-page document, I'm a little scared of what they are proposing. First of all, there is a lot of spending in the bill for how short it is. I can agree with some of the spending, but not all.

For example, I can agree to an ad campaign to bring people's Internet security up to date, but I can't agree with things like "section 5 C (3) make loans, on a selective, short-term basis, of items of advanced cyber security countermeasures to small businesses with less than 100 employees." Is the US government a bank? Oh yeah, they are now; I forgot they took over some banks... ha ha!

Or creating a bunch of cyber soldiers under section 12: you get a free education and now you have to work for the government under the control of the cyber czar. So who is going to be the balance to this new power to keep it in check? It looks like it is up for review every 2 and 4 years; that's a long time between policy changes when things on the Internet change in an instant. What about section 7?


      (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
      (b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

So now the government wants to control who is employed at these "critical systems"; they must be certified and reported to Congress, and it's illegal to work there without that license? How much will this cert cost, can anyone get it, or will it be like the civil service test? I make this analogy: to fix a Windows PC you would have to be certified by Microsoft, and any individual fixing one is breaking the law. Now I know it's a little out there, but that is how I see it. This is another example of government trying to control another part of our lives. Read it carefully: "as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program." So any system that the president sees as critical will be off limits to those not licensed by the government. So what constitutes a critical system? Well, your guess is as good as mine, but let me throw something out there: I work on credit card processing and network issues for a major company. Will my job become critical because I work with the network that affects credit card processing? Will I have to shell out the cash to become certified, or will the almighty government subsidize it? I really couldn't tell you, but it does make me worry that they can call anything critical and then regulate who can work there.

Next is the part about IP addressing in the US. Now the government will have a say on who gets what IP addresses, and it must go through an advisory panel. Now that sounds like a great idea from the people who can't even streamline the health care system, the post office, or Freddie and Fannie!! What's next, our local networks?


      (a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel–
      • (1) has reviewed the action;
      • (2) considered the commercial and national security implications of the action; and
      • (3) approved the action.
      (b) APPROVAL PROCEDURE- If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefor. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications the it deems necessary to secure approval of the action.

OK, so section 10 has a great idea: make the public aware of the impending doom of their PC, LOL. Yes, it is a great idea to inform people; maybe if people are informed we may make an impact on the botnets that cause most of these attacks. WOW, personal responsibility, that's a novel idea; maybe someone will learn something and prevent their PC from becoming a spam zombie or a DDoS ghoul. It's almost 2010, and almost 20 years of PC experience is out there (I say 20 because before 1990 PCs didn't really have this kind of power and accessibility to the world), so how come we need to educate people about cyber security? I really can't tell you; people should have that concept down by now, especially with all the viruses, malware, spyware and rogue applications out there. People really should already have a clue, but I am proven wrong every day... "I keep getting these pop-ups." "Do you have an antivirus or anti-spyware program?" "No... should I?" Errg is about the only thing that comes to mind when dealing with people who should know. I really think people need to start taking personal responsibility for their cyber actions, or lack thereof.


      The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that–
      • (1) is designed to heighten public awareness of cybersecurity issues and concerns;
      • (2) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and
      • (3) utilizes public and private sector means of providing information to the public, including public service announcements.

The next two sections are just ways to spend more money and make cyber soldiers for the government.

Section 11 goes on about research and development.


    (2) shall require scholarship recipients, as a condition of receiving a scholarship under the program, to agree to serve in the Federal information technology workforce for a period equal to the length of the scholarship following graduation if offered employment in that field by a Federal agency;

Now these last few are what really scare me to death. It pretty much states that under a cyber security threat the president can cut your Internet. So what is considered a cyber threat? No one really knows, according to the bill. So let's say people are upset with the government... sounds familiar? People go out and protest... the Internet gets turned off... hmmm, where have I heard that before? Oh yeah, sounds like Iran to me. That's just what could happen if the incumbent leader doesn't want to give up his power, or is trying to push through unconstitutional laws or even really unpopular ones.

The whole thing is that the Internet is supposed to be the last free realm in the world, where everyone is just a bunch of 1s and 0s and you can say almost anything, where minds can exchange ideas and people can sell their goods on the world market without having to go through a third party. The Internet should never be censored, controlled or limited by anyone.


    (2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

    (6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

    (11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person.

This should make everyone upset, because you're losing one part of your freedom of speech, and after this they will start encroaching on other rights that we are born with. Please call up your representatives and tell them to can this bill before the government takes another bite out of your freedom cookie. This should be just as important as the health care debate and needs to be brought to the attention of everyone. Let's say NO to S.773, the Cybersecurity Act of 2009.

The full bill can be found here.