It wasn’t until I started closing /other/ programs that the culprit was found. I’d installed an older version of Silverex’s X-chat http://www.silverex.org/news/ (The free Windows ones) and it’s default popup message handler was, you guessed it, CTRL+T. Disabled that, new tabs again!

This morning, after the wordpress cached pages had expired, I noticed a lot of problems with the site. The themed slidebox was empty and some other cosmetic oddness. I quickly established a common thread – layout on this site is controlled largely by what category posts are in, and a quick look showed none of the posts or pages had any categories associated with them.

Where had they gone?

Because I was running out of time I tried adding a category just to fill the slider with a post, but on submitting was told the category already existed. Interesting.

Anyway, long story short – somewhere along the line of yesterday’s debian update, one of the upgrades (only a handful) had changed the permissions of /tmp to 755 and wordpress wasn’t able to write to it.

I “chmod 777 /tmp” and tried again and everything suddenly worked again.

Some useful errors from WordPress would have been nice!

Geocaching - Started 2001 when the American military unlocked Global Positioning Satellites allowing satnavs to become very accurate. They are hidden all over the world and very likely to be quite close to you right now! You need a GPS or smartphone and after getting the coordinates from the website (or one of the open alternatives), you can locate the cache by following an arrow. The cache typically contains a log book and some toys or random small objects that are swapped. (There are actually many types of cache, from large boxes to those just big enough to hold a small logsheet, to puzzle and multi-box caches, virtual caches, earthcaches and all sorts of things – even boxes that are both letterbox and geocache are known).

There you have it. Kinda similar but different enough.

Which is better? Neither or both, of course. It’s subjective.

I like both. It’s been 28 odd years since I found my first letterbox and only a few months since I found my first geocache. I’ve probably found over a hundred letterboxes (some folk have over thirty or even forty thousand finds!), and I’ve just gone over one hundred geocaches. (Over five thousand isn’t uncommon, although some of the higher scorers are families or groups)

I’ve enjoyed letterboxing a lot. Walking on Dartmoor is a challenge and always rewarding. Letterboxes are there to be collected as I’m passing or not. Same with geocaches. I actually plan an area and collect both, having put any letterboxes with 10 figure grid references onto my GPS as well. In theory this should take me to within 1 meter of them!

But all is not well. At least with Letterboxing.

The hobby is still fantastically popular. I went to the Autumn Letterbox Meet in 2011 and Lee Moor Village Hall was packed out all day. Thousands of visitors. Really impressive.

Yet I’m only finding less than half the boxes I search for. There are known to be rogue elements deliberately removing letterboxes, including some really old and well made stamps. Clearly they, or others, are removing the letterboxes. Quite disappointing. I must admit, this is affecting my keenness to continue hunting. Especially as it’s sometimes hard to report a loss or broken and wet box.

A letterbox, left open to the elements. Large and well filled logbook reduced to mush.

Geocaches though. Feedback is instant. You can tell the cache owner of any problems immediately (if you’ve a smart phone) or on the website. You can log each find, share pictures of the locality with other finders. The owner gets comments from the finders without having to go and visit their box to fetch the log. If the owner goes AWOL and stops maintaining their box, then it is disabled to save anyone hunting for a cache that’s disappeared or is unusable. There are also a huge variety of cunning and amusing containers, hides and puzzles.

An ingenious geocache hidden in a gatepost.

Both groups have good communities, willing to help and genuinely enthusiastic about their hobby.

As I said at the beginning, neither is better than the other, but I find myself more and more leaning towards geocaching. The rewards are greater and it gets me out hunting far more often than letterboxing has done in the past. I recently discovered I haven’t maintained my letterbox lists for weeks, while I’m on the geocaching site several times a day.

To me, letterboxing is a quiet smoke of the pipe and a glass of warm beer in a comfy snug by the fire. Geocaching is crack cocaine.

I know some die-hards will be shocked by my actually revealing what a geocache can look like, but I have my reasons!

Great hides deserve recognition! Many hours go into the creation of some caches and some will only be seen by a handful of people in a geographical area. Why not share them for the wider world? It’ll lead to greater invention, encourage people to join caching (it’s not just 35mm film pots hidden under sticks!) and celebrate ingenuity. So as not to spoil your hunt, I’ll not name where these were found or even the author…

All I ask is that you don’t just copy these and pass them off as your own, use them as inspiration for your own caches.

Might do a geocaching section. New hobby of mine, goes nicely with letterboxing. Got quite into this and want to do an ideas section for containers – really enjoy finding unusual ones.

Not sure what else – some stuff, I spect…

So I’ve written a wee bit of php over at http://digdilem.org/cameras and would welcome suggestions and additions. It’s not totally finished – and not particularly pretty, but it does the job. Some basic ideas about getting mac codes eventually which could be used for lan-based camera probing too. Oh, and a basic automatic demo mode for showing how cameras should be set up in ZM.

Also – the entire DB can be exported as CSV for inclusion as whatever.

Note this isn’t meant to replace ZM’s wiki and I urge people to continue adding to that. My motives are simply to help people get cameras working with ZM or even other software. Due to manufacturers, it’s not always as easy as it could be, so I hope this helps.

Had many many successful logins (77), but only half a dozen tried to do anything after they got shell and those did nothing interesting other than gather some server stats. Either they were just curious, or they twigged it was a honeypot. Kippo’s basic environment is not close enough to a real machine to fool anyone clever for long (although you can add to it), and watching a couple of the logs it was clear that the missing files and commands, and especially lack of tab-complete were not to their expectations and they disconnected quickly enough.

So an interesting experiment, learned a bit but not as much as I’d hoped.

Lifetime stats for kippo instance
Instance 15eb4cf2241292f150e9e3d8c6d16d47

Unique values (28564 connections):
– usernames 1505
– passwords 3993
– sources 404

# SSH client versions Count
————————————————————–
1 SSH-2.0-libssh-0.1 21274
2 SSH-2.0-libssh-0.2 3370
3 SSH-2.0-libssh2_1.0 889
4 SSH-2.0-libssh-0.11 546
5 SSH-2.0-dropbear_0.49 32
6 SSH-2.0-OpenSSH_5.5p1 Debian-5+b1 6
7 SSH-2.0-PuTTY_Release_0.60 5
8 SSH-2.0-libssh2_1.2.2 PHP 5
9 SSH-2.0-PuTTY_Release_0.59 4
10 SSH-2.0-WinSCP_release_4.2.8 2
11 SSH-2.0-PuTTY_Snapshot_2010_01_25:r8854 1
12 SSH-2.0-WinSCP_release_4.3.1 1

# Top 20 usernames Count
————————————————————–
1 root 16823
2 154
3 test 120
4 oracle 105
5 admin 102
6 tomcat 73
7 nagios 72
8 postgres 58
9 guest 52
10 hamano 48
11 deploy 37
12 root2 35
13 mythtv 32
14 user 31
15 prueba 31
16 backup 31
17 mongrel 28
18 git 28
19 ide 27
20 svn 27

# Top 20 passwords Count
————————————————————–
1 841
2 123456 631
3 1q2w3e4r 142
4 12345678 108
5 password 102
6 1q2w3e 98
7 qwerty 88
8 changeme 80
9 q1w2e3r4 78
10 root 77
11 123456789 75
12 rootroot 75
13 1qaz2wsx 73
14 redhat 72
15 q1w2e3 72
16 abc123 69
17 1qaz2wsx3edc 68
18 asdfgh 67
19 oracle 67
20 p@ssw0rd 67

# Top 20 ‘user / pass’ combos Count
————————————————————–
1 root / 687
2 / 140
3 root / 1q2w3e4r 129
4 root / 1q2w3e 98
5 root / 12345678 93
6 root / qwerty 81
7 root / 123456 80
8 root / changeme 79
9 root / q1w2e3r4 78
10 root / rootroot 75
11 root / password 75
12 root / q1w2e3 72
13 root / redhat 72
14 root / 1qaz2wsx 71
15 root / abc123 68
16 root / root 68
17 root / 1qaz2wsx3edc 68
18 root / asdfgh 67
19 root / p@ssw0rd 67
20 root / 654321 65

# Top 20 offenders Count
————————————————————–
1 180.210.216.133 3680
2 89.31.10.26 3600
3 87.244.194.139 2344
4 115.111.10.163 2057
5 114.207.87.106 1752
6 218.61.204.170 1672
7 218.61.200.173 1656
8 82.186.254.163 1466
9 201.148.4.244 1327
10 141.85.252.230 1188
11 122.155.16.227 489
12 182.72.212.196 413
13 208.43.127.84 372
14 91.148.134.59 279
15 81.17.70.66 277
16 46.147.175.1 222
17 186.34.247.175 222
18 190.245.60.139 222
19 92.249.114.55 221
20 113.130.71.75 216

What use is this?

1. Educating myself as to habits.
2. Tarpits the badguys (very slightly since they’ll be portscanning the world on a loop)
3. Getting stats to prove that the very minimal basic moves you need to do are: Disable root logins in /etc/sshd_config and move ssh off port 22. (last not always possible, but it’s a good thing to do if you can)

Lifetime stats for kippo instance
Instance 8bb203fce624c97ce0c618e35f9d9865

Unique values (1740 connections):
– usernames 110
– passwords 403
– sources 13

# SSH client versions Count
————————————————————–
1 SSH-2.0-libssh-0.1 1709
2 SSH-2.0-OpenSSH_5.5p1 Debian-5+b1 6
3 SSH-2.0-PuTTY_Release_0.59 4
4 SSH-2.0-libssh-0.2 1

# Top 10 usernames Count
————————————————————–
1 root 954
2 test 32
3 backup 18
4 oracle 17
5 server 16
6 ts3 14
7 aaron 13
8 nagios 12
9 postgres 12
10 admin 12

# Top 10 passwords Count
————————————————————–
1 123456 28
2 backup 23
3 1q2w3e4r 22
4 test123 18
5 redhat 17
6 123qwe 17
7 1234 17
8 server 17
9 test 16
10 qwerty12345 16

# Top 10 ‘user / pass’ combos Count
————————————————————–
1 root / 123qwe 17
2 root / redhat 17
3 root / qwerty12345 16
4 backup / backup 15
5 root / qwer1234 12
6 root / 1234 11
7 root / a 11
8 root / changeme 11
9 root / asdfgh 10
10 root / 12345 10

# Top 10 offenders Count
————————————————————–
1 141.85.252.230 1188
2 203.212.6.29 201
3 217.119.114.126 168
4 93.62.118.35 160
5 217.147.82.53 6
6 67.23.246.190 4
7 10.0.1.150 3
8 87.106.140.179 3
9 27.115.13.114 3
10 85.10.238.24 1

Created new VMware host. Installed XP SP2, disabled firewall, ran DMZ on a dedidated public IP. No recent patches.

I am aware this is not a scientific study, the viruses were of unknown age but probably still in the wild. None appeared to be massively sophisticated or very recent however, but as it’s common for one exploit to be used to introduce many others it’s not possible to assume that.

I made a clone of the new image and went hunting.

Googling quickly found an unprotected dir containing many known dropper exes run by a virus research site. It had plenty of warnings on the top not to run anything. Since I wanted to get infected I ignored those and ploughed on…

Downloaded and ran half a dozen likely looking files, saw some cmd boxes appear and disappear, some extra processes started so I knew the game was afoot. I left it connected to the net for an hour or two.

Several processes noted is taskmgr that weren’t running before.

Service.exe
iexplorei.exe
winamp.exe (Not the real one)
wincfg32.exe

Some exhibited persistent behavior. wincfg32.exe would instantly restart if process killed. If I ran msconfig and it was soon shut down.

I found a batch file in c:\windows\PcHealth\Setup.Bat which contained a very long list of commands to shut down every running anti malware process you can image, using Service.exe to halt their respective services. (I know most AV’s can protect against this now)

Rebooted. System hung before desktop was displayed. C+A+D brought up taskmgr and killing iexplorei.exe allowed boot process to continue. This process would restart periodically if killed, and seemed to completely halt some system calls. Not clever since it’s more likely the user will seek help and get it removed.

Some bad exes running that were using cpu, but no major bandwidth usage yet. Wireshark sniffing showed dns queries and attempts to access ath.cx, an irc server and several domains that were “parked” (Expired perhaps? These were old viruses) msconfig’s startup tab showed many new additions.

It was clear this copy of windows had caught a cold!

So – the cleanup.

Downloaded current Avira (23/04/11). Ran install. Install hung. Again, killing iexplorei.exe allowed it to continue but most users wouldn’t have been able to proceed.

Install appeared to complete ok, and started initial update and scan.

First scan showed 5 active infections just after memory scan.

wincfg32.exe BDS/Sdbow Q.Plus
system.exe BDS/Backdoor.Gen
system.exe BDS/Backdoor.Gen
system.exe BDS/Backdoor.Gen
taskmgr.exe BDS/Servu.BA

Action suggested was ‘Move to quarantine’ so clicked Apply.

Two popups followed on the above files saying they were infected and suggested deletion. I approved this.

Avira file Scan completed with more infections:

Nora TR/Smalldrop.Q18.A
iexplorei BDS/Sdbot.P
SysDrefWv2.exe WORM/Drefir.E (Note – this was stopped by DEP and crashed out by itself)
iexplorer.exe BDS/mIRC-1799680.A
MsgPlus.exe TR/Agent.185480.A
Service.exe TR/Runas.B
system.exe BDS/Backdoor.Gen

Again, approved suggested quarantine action.

Avira summary showed 814 scanned files, 12 detections, 4 warnings. (These files showed \windows\system32\system.exe and iexplorei.exe could not be deleted)

Avira proposed reboot. Did so.

Desktop returned ok this time.

msconfig.exe started. All but one of the malware additions had been removed. The exception was winamp.exe which was still there and being auto started on boot. However, msconfig.exe wasn’t automatically killed any more.

Avira automatically started another scan, and this time picked up during memory scan:
Winamp.exe TR/Flood.CL.1
Suggested quarantine. Did so. It killed the running process but did not remove the startup entry.

During the second file scan it picked up quite a few more! 61 NEW file infections!

(Log attached 0 AVSCAN-1.LOG)

Quarantined those and closed the scan window.

Avira then seemed content and stopped making suggestions. I rebooted and took a look at taskmgr and msconfig. Winamp.exe was still listed as a startup item, but not running in taskmgr.

I initiated another full scan with Avira.

Nothing in memory, but it found 29 infected files and moved 24 into quarantine out of 43163 files. (Log attached – AVSCAN-2.LOG )

Immediately followed this with another scan, although Avira did not request it.

This time it scanned 43261 files and found no infections.

I rebooted.

msconfig still showed Winamp.exe in the startups. I think I can assume Avira is not going to deal with that itself so I remove it. The actual file has been removed, so it’s not a dangerous oversight.

I force another full file scan. Completely clean. Avira seems to have done the job.

I uninstall Avira and install AVG. (AVG will not install while Avira is in residence)

AVG shows http headers in a popup window – I assume this is some sort of advert and a serverside issue. Also, despite the huge download (129MB of installer and data) – it doesn’t install with a current set of algorithms, so you still need to update.

Update and start a scan. Eventually it finds two pieces of malware that Avira missed;

;”C:\WINDOWS\pingpong.exe”;”Potentially harmful program Dialer.IPK”;”Moved to Virus Vault”
;”C:\WINDOWS\PCHealth\HEX.EXE”;”Potentially harmful program HideExec.G”;”Moved to Virus Vault”

Conclusion:
I don’t like Avira’s nag screens on update. They fill the desktop and cannot be avoided. When I ran this for a charity the users would often get worried and ring me, thinking they’d caught a virus. At least it doesn’t try to install a toolbar or change your default search home to its own website like AVG does. AVG is also twice the filesize of Avira – a serious consideration if your bandwidth isn’t huge.

Avira did a reasonably competent job and was easy to use. It let itself down by missing the two medium-risk files that AVG later picked up, but it did deal well with the many it did find and had no problems removing them – even though several were sophisticated enough to have some defences built in. Overall I was quite impressed.

I do need to point out that AVG could well have missed some of the 73 malwares Avira dealt with, so don’t assume it’s better because it caught two that Avira missed.

I use Eset’s Nod32 at work now with a commercial licence. It has good points, but it too has allowed several Website “Driveby” infections to waltz right past it recently and set up home. (Most notably the modern and very sophisticated fake antivirus “You are infected” sites that demand CC details to remove them, and they hook into all exe loads and web browsers. In each case I got rid of them manually, but it wasn’t trivial)

So, just my thoughts and simple findings. No AV is perfect, even with old viruses. They need to balance usability and resources with keeping the upper hand on what can be really really clever and determined people escalating the arms race.

Update: My ISP forwarded a complaint that an ip under my control “issued irc attack commands”. It wasn’t online long enough to do any damage, but a little embarrassing never the less

To help organise games, various clans I’ve been in have run kalhimeo’s war-manager – a script for eggdrop.

I hate eggdrop and was finding war-manager increasingly hard to setup, also requiring eggdrop’s user management which in a private clan channel wasn’t necessary.

So, finding some time free for such a project, I set out to copy the ethos of war-manager for Irssi instead. Irssi is a text mode irc client that if run in a screen is a great way to run a versatile and robust irc bot. I’ve scripted a lot of things for irssi and it’s my preferred bot.

So here’s my tool, version 1.0 – been used for a month and although not a direct copy of war-manager, it’s close and users of that should feel familiar, so less retraining of your members. Full instructions inside.

It manages multiple wars, multiple gametypes, does html stats creation and a bunch of other stuff. If not enough people have added to a war 15 minutes before, it’ll highlight all the people in your clan channel to highlight you’re short.

An example of the html output, which is fully template-driven by the way, at http://rolf.yuss.org/~flash/warstats.html

Update 1.2:
Added gametype to topic.
Added gametype to pending.
Fixed small bug that showed wars yet to be played in !upcoming

Update – 22nd November 2010 – Added this as a project on sourceforge. Look there for any future development; https://sourceforge.net/projects/warbot/