Archive for the “Uncategorized” Category

So I’ve decided to start some name and shame posts for “naughty” IPs that trip an IDS, turn up in my log audits etc … and whose owners are woefully ill prepared …

Dear 82.98.131.66,

This post is for you. I’m not sure what you hope to gain by failing repeatedly to gain access to this blog (god knows I hardly have time to update it …), but doing it from a host with all your ports open is probably not the best idea in the world, so here’s some information on you.

And for anyone else reading this, I usually end up ignoring the standard user enumeration and brute force attacks (as the offenders get blacklisted very quickly); in this case however it was a targeted attempt …

Your ISP’s whois

inetnum:        82.98.128.0 - 82.98.143.255
netname:        DINA-HOSTING1
descr:          PROVIDER Local Registry
descr:          Dinahosting S.L.
country:        ES
admin-c:        RB1624-RIPE
tech-c:         EP2912-RIPE
status:         ASSIGNED PA
mnt-by:         DINAHOSTING-MNT
mnt-lower:      DINAHOSTING-MNT
mnt-routes:     DINAHOSTING-MNT
source:         RIPE # Filtered

person:         Ruben Bouso
address:        Rua das Salvadas, 41
                15705 - Santiago de Compostela
                Spain
phone:          +34900854000
fax-no:         +34981577449
e-mail:         HIDDEN EMAIL
nic-hdl:        RB1624-RIPE
mnt-by:         DINAHOSTING-MNT
source:         RIPE # Filtered

person:         Eladio Perez
address:        Rua das Salvadas, 41
                15705 - Santiago de Compostela
                Spain
phone:          +34 900854000
e-mail:         HIDDEN EMAIL
nic-hdl:        EP2912-RIPE
mnt-by:         DINAHOSTING-MNT
source:         RIPE # Filtered

% Information related to '82.98.128.0/18AS42612'

route:           82.98.128.0/18
descr:           First Dinahosting S.L. prefix
origin:          AS42612
mnt-by:          DINAHOSTING-MNT
mnt-lower:       DINAHOSTING-MNT
mnt-routes:      DINAHOSTING-MNT
source:          RIPE # Filtered

Log of you attempting to get access to FTP

Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15008 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15009 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15010 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15011 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=15012 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15013 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15014 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48057 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48058 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=48059 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=48060 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=48061 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48062 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48063 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18720 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18721 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=18722 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=18723 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0
Jun 12 20:02:52 132 fail2ban.actions: WARNING [vsftpd-iptables] Ban 82.98.131.66
Jun 12 20:32:53 132 fail2ban.actions: WARNING [vsftpd-iptables] Unban 82.98.131.66
...
Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com
...
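An added example (my code, not from the post): a small Python parser for the netfilter LOG and vsftpd pam_unix lines shown above. It counts fresh connection attempts (SYN-only packets) per source and port and collects the usernames tried per remote host, so the targeted pattern the post describes stands out from background noise. The sample lines are an abridged copy of the post’s own log with the MAC zeroed; the 198.51.100.7 entry is an invented unrelated probe.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the post's logs (abridged from
# the post, MAC zeroed, last line invented); a real source would be
# /var/log/messages or wherever the kernel and vsftpd lines land.
SAMPLE_LOG = """\
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15008 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0
Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com
Jun 12 20:02:52 132 fail2ban.actions: WARNING [vsftpd-iptables] Ban 82.98.131.66
Jun 12 20:03:10 132 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:13:5f:94:18:00:08:00 SRC=198.51.100.7 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
PAM_RE = re.compile(
    r"pam_unix\([\w-]+:auth\): authentication failure;.*?"
    r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?")


def parse_netfilter(line):
    """Parse one netfilter LOG line: KEY=VALUE pairs into a dict, bare TCP
    flag words (SYN, ACK, ...) into a 'flags' set. Returns None otherwise."""
    if " kernel: IN=" not in line:
        return None
    body = line.split(" kernel: ", 1)[1]
    rec = dict(KV_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec


def parse_pam_failure(line):
    """Extract ruser/rhost/user from a pam_unix auth-failure line, else None."""
    m = PAM_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """syn: src -> dport -> count of SYN-only packets (fresh connections);
    users: rhost -> set of usernames tried, taken from the pam failures."""
    syn = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for line in log_text.splitlines():
        nf = parse_netfilter(line)
        if nf is not None:
            if nf.get("PROTO") == "TCP" and nf["flags"] == {"SYN"}:
                syn[nf["SRC"]][int(nf["DPT"])] += 1
            continue
        pam = parse_pam_failure(line)
        if pam is not None:
            users[pam["rhost"]].add(pam["user"] or pam["ruser"])
    return {"syn": syn, "users": users}


def targeted_sources(summary, port=21, min_attempts=3):
    """Sources that opened at least min_attempts fresh connections to one
    service: the post's pattern (three FTP logins inside six seconds)."""
    return sorted(src for src, ports in summary["syn"].items()
                  if ports.get(port, 0) >= min_attempts)
```

The usernames collected per rhost are what separate a targeted attempt from a generic sweep: here they are the site’s own names rather than the usual admin/root list.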

Can anyone say firewall?

21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
3306/tcp open  mysql

You need to read this NOW!

Server: Apache/2.2.0 (Fedora) PHP/5.2.9 with Suhosin-Patch
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

Debian? seriously?

SSH-2.0-OpenSSH_5.1p1 Debian-5

MySQL seems recent at least

5.1.32-log?yV!>VvoI?^~"(D\$::QjC^C

For the moment I am assuming a compromised box; quite why you wanted to come after this blog is beyond me.

  1. 12/06/2011 – This blog written and evidence sent to ISP
  2. 12/07/2011 – The Scheduled publication for this post


I was a bit taken back today after stumbling across this pdf by Dr. Wolf-Fritz Riekert http://share.ieservices.de/downloads/documents/Wordpress_Flowplayer_Plugin_pash-m_recent_version.pdf


Google translated version

It seems my plugin and the code therein has been the subject of a study. After perusing the Google translation of the document I can see some very interesting concepts on how to improve the plugin’s integration with WordPress itself. I have sent an email to Dr. Wolf-Fritz Riekert asking if I can take his concepts and apply them to my code, so have a read and check back for version 2.1.0.0 soon.

Also of note, the authors at Flowplayer.org have granted me permission to use the latest version of Flowplayer; this will be rolled into 2.1.0.0.

Remember, to request features please use my Trac system.

Update: Dr. Wolf-Fritz Riekert has gotten back to me; this study is in fact the work of a group of students, the project leader of which was Martin Wörz of ieservices.de. I’ll be liaising with him over the concepts in the study.


For security, newer RHEL releases and their derivatives are mounting /tmp with the noexec option.

Now if you have ever had to clean up a compromised web app you can see why this makes a lot of sense, and if not, here’s a quick example.

Your (or your client’s) web app becomes compromised; the running kernel has a buffer overflow that can lead to privilege escalation; the attacker writes out their code and compiles it in /tmp, then runs said binary from /tmp, creating a pseudo root-level shell, aka you’ve just been rootkitted. With /tmp mounted noexec, that last step fails.

However there are legitimate reasons for using /tmp to compile. Well, I say legitimate; what I in fact mean is that things like pecl, which you use to install extensions like APC, require this …

Workaround:

export TMPDIR='/a/paTh/your/user/can/write/to'

Failing that:

service httpd stop

DO NOT ALLOW ANY WEBAPP ACCESS WHILE NOEXEC IS IN USE!

mount -o remount,rw,exec /tmp
pecl install apc
mount -o remount,rw,noexec /tmp

DO NOT REMOVE THE NOEXEC OPTION IN /ETC/FSTAB PERMANENTLY YOU WILL REGRET DOING SO
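An added example (my code, not from the post): a Python check that reads /proc/mounts, reports whether /tmp (or any path) sits on a noexec mount, and builds the TMPDIR environment for a pecl build the way the post’s first workaround does, refusing a fallback directory that is itself noexec. The /proc/mounts excerpt is constructed for the demonstration, with /home deliberately noexec to show that gotcha.

```python
import os

# Constructed /proc/mounts excerpt in the real file's format; on a live box
# read it with open("/proc/mounts").read(). /home is noexec too, on purpose.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(mounts_text):
    """{mountpoint: set(options)}; /proc/mounts escapes spaces as \\040."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return table


def mountpoint_for(mounts, path):
    """Longest mount point that is a prefix of path (how the kernel resolves it)."""
    best = None
    for target in mounts:
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best):
                best = target
    return best


def path_is_noexec(mounts_text, path):
    mounts = parse_mounts(mounts_text)
    mp = mountpoint_for(mounts, path)
    return mp is not None and "noexec" in mounts[mp]


def build_env(mounts_text, fallback_tmpdir, base_env=None):
    """Environment for pecl/phpize: when /tmp is noexec, set TMPDIR to a
    writable directory on an exec-capable mount (the post's first workaround),
    so /tmp never has to be remounted exec while httpd is serving. Refuses a
    fallback that is itself noexec, which would only fail the build later."""
    env = dict(os.environ if base_env is None else base_env)
    if path_is_noexec(mounts_text, "/tmp"):
        if path_is_noexec(mounts_text, fallback_tmpdir):
            raise ValueError("%s is on a noexec mount too" % fallback_tmpdir)
        env["TMPDIR"] = fallback_tmpdir
    return env
```

Pass the returned dict as the `env` argument of `subprocess.run(["pecl", "install", "apc"], env=...)` and the remount dance above becomes unnecessary.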


Red Hat bug 537535

Take for instance this code saved as test.php.png:

<?PHP
print_r($_POST);
?>

Lo and behold, this will render out the entire POST array, and will interpret the PHP itself. Now let’s be clear here: the proper use of SELinux and directory structures to prevent UGC from being accessed directly and/or running arbitrary code would have prevented this; however, as is often the case, the setup is such that the preventative conditions could not be / are not deployed.

At any rate this bug comes courtesy of the Apache AddHandler directive:

AddHandler x-httpd-php .php

The statement above seems to loosely match the .php extension, meaning a file need only contain .php anywhere in its filename to be interpreted as PHP.

The suggested workaround for this is as follows:

#Workaround for bug here: https://bugzilla.redhat.com/show_bug.cgi?id=537535
<FilesMatch \.php$>
SetHandler x-httpd-php
ForceType text/html
</FilesMatch>

Note this does not affect the AddType directive. After testing on the same version using:

AddType application/x-httpd-php .php

that form is not affected by this ‘bug’.
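An added example (mine, not from the post or from Apache): a Python model of the two matching behaviours in play, mod_mime walking every dot-separated extension of a name for AddHandler/AddType versus the anchored regex of the FilesMatch workaround, plus the name check I would put in front of any upload directory. The handler/type tables are constructed for the demonstration.

```python
import re

# Constructed configuration tables standing in for the post's
#   AddHandler x-httpd-php .php
# plus the AddType mappings a typical server has (values are illustrative).
ADD_HANDLER = {"php": "x-httpd-php"}
ADD_TYPE = {"png": "image/png", "html": "text/html",
            "php": "application/x-httpd-php"}


def mod_mime_resolve(filename, handlers=ADD_HANDLER, types=ADD_TYPE):
    """Model of mod_mime's multiple-extension rule: every dot-separated
    extension after the first is looked up in turn (test.php.png -> php, png);
    each may set the handler or the type, and a later extension only overrides
    the same attribute. A '.php' anywhere therefore leaves the PHP handler set
    even when '.png' is the final extension."""
    handler = None
    ctype = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in handlers:
            handler = handlers[ext]
        if ext in types:
            ctype = types[ext]
    return {"handler": handler, "type": ctype}


FILESMATCH_PHP = re.compile(r"\.php$")


def filesmatch_resolve(filename):
    """The post's workaround: <FilesMatch \\.php$> with SetHandler/ForceType
    fires only when the whole name ends in .php, so test.php.png gets no
    handler and is served as inert data."""
    if FILESMATCH_PHP.search(filename):
        return {"handler": "x-httpd-php", "type": "text/html"}
    return {"handler": None, "type": None}


def is_safe_upload_name(filename, handled_exts=frozenset(ADD_HANDLER)):
    """Defender-side check for user-generated content: reject any name in
    which a handled extension appears in any position, not just at the end."""
    return not any(ext.lower() in handled_exts
                   for ext in filename.split(".")[1:])
```

Run with only the AddType table (no handlers) the model also matches the post’s observation: .png is the rightmost extension, so it overrides the type and nothing hands the file to PHP.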


The spambag.org domain appears not to have been renewed, so it is sitting at a generic ‘adverts’ placeholder.

This does mean that RBL lookups against blacklist.spambag.org are returning a ‘false positive’ (similar to the ORDB issue).

If you are concerned about being listed on some RBLs then get a copy of my sysadmin script here; at the time of writing the ‘rblcheck’ function checks 27 RBLs.
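An added example, not part of the post or of the author’s sysadmin script: a Python DNSBL lookup that first runs the RFC 5782 self-test on each list, so a lapsed zone that now answers for every name (the spambag.org / ORDB case) is reported as a dead list instead of a hit. The zone names in the test are constructed; default_resolve does live DNS.

```python
import socket


def rbl_query_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def default_resolve(name):
    """A record for name, or None when the name does not resolve (live DNS)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_is_sane(zone, resolve=default_resolve):
    """RFC 5782 self-test: a working IPv4 DNSBL lists 127.0.0.2 and must not
    list 127.0.0.1. A lapsed zone parked on a wildcard record answers for any
    name, so 127.0.0.1 comes back 'listed' and every answer from it is junk."""
    return (resolve(rbl_query_name("127.0.0.2", zone)) is not None
            and resolve(rbl_query_name("127.0.0.1", zone)) is None)


def rbl_check(ip, zones, resolve=default_resolve):
    """{zone: 'listed' | 'clean' | 'dead-list'} for ip across the given lists;
    only lists that pass the self-test contribute a real verdict."""
    verdicts = {}
    for zone in zones:
        if not rbl_is_sane(zone, resolve):
            verdicts[zone] = "dead-list"
        elif resolve(rbl_query_name(ip, zone)) is not None:
            verdicts[zone] = "listed"
        else:
            verdicts[zone] = "clean"
    return verdicts
```

A list reported as dead-list should be dropped from the zone set rather than counted; a mail server that still queries it will reject everything.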


OK, I purchased Jing PRO to do some more video posts to saiweb … unfortunately the MP4 quality is lacklustre.

To be honest I’d rather have a large size MP4 I can run through my own encode (i.e. FFMPEG) and get the quality I want …

Off goes the email to support … wooo ….

NOTE: You may have to watch the vid in fullscreen to view it properly, I have scaled the player down to fit the blog page width.



Completion of the milestone listed here: http://trac.saiweb.co.uk/saiweb/milestone/wordpress-flowplayer%202.0.1.0

Means 2.0.1.0 has now been released, so go update and give it a run :-)

I have noticed that WordPress has a habit of setting incorrect file permissions on the config file after updating; if you also run into this issue let me know.


Today is the last day for votes, so please see the blog entry here: http://www.saiweb.co.uk/general/vote-buzz-for-it-superhero-2008 and vote!

Cheers

buzz


So … LoTR was obviously on TV a few days ago …

Onto the point: at the moment I am maintaining 2 different installations of Eclipse … one for PHP, one for C++.

Wouldn’t it be great if I could have both of these in one happy installation? … Yes it would; however getting all the dependencies is an utter nightmare … unless you have a program do it for you.

Long story short: http://ondemand.yoxos.com/geteclipse/start

Customize your eclipse before you download it.

(Thanks Austin!)


UPDATE 26/07/09 —–

READ THIS BEFORE POSTING A COMMENT OR SENDING AN EMAIL

THIS PAGE IS PROVIDED FREELY WITH INFORMATION ON HOW TO DISPUTE THE CLAIM AGAINST YOU

THIS PAGE IS NOT A REPLACEMENT FOR PROPER LEGAL ADVICE

    THIS SITE IS IN NO WAY PRESENTLY, NOR EVER HAS BEEN AFFILIATED IN ANY WAY WITH LOWELL PORTFOLIO

Sorry for the excessive use of bold and caps; however some people just are not getting the message, and I am getting emails / comments (some with very colourful language I might add) from people thinking this is Lowell’s website … it is not, it never was, nor will it ever be. This POST was made because I am in the same “boat” as you, disputing my claim.

— Update 05/01/2009, seems people are not getting the message so I have made this text bright red

END UPDATE 26/07/09 —–

UPDATE 18/02/2011: I am now getting several emails a week from people who are not reading the header of this post,

I will start a “wall of shame” for those people very shortly, DO NOT be among them …

I hate scam artists … the latest today comes as “Lowell Portfolio”; apparently these guys bulk buy “bad debts” in the hope of scaring the unlucky sod that is their target into paying them without question, when 99% of the time these debts don’t actually exist …

Well I’m having none of it …

  1. First things first: DO NOT TELEPHONE THEM, they will try to extract personal information from you, and attempt to get you to admit to the debt.
  2. Keep and file any letter from them as evidence.
  3. If they do telephone you demand everything in writing and hang up, at no point admit to the debt, it is down to them to provide evidence of the debt, an admission on your part absolves them of any “burden of proof”
  4. As posted here: http://www.moneysupermarket.com/COMMUNITY/forums/t/lowell-portfolio-1-16516.aspx by boyboynova, respond with the following template letter, sent RECORDED DELIVERY.

Response template:

To Whom It May Concern:

Your Reference: xxxx

I DO NOT ACKNOWLEDGE ANY DEBT TO YOUR COMPANY

With reference to the above account, I request that you send me a true copy of this credit agreement before I will correspond further on this matter.

This is my right under the legislation contained within section 77 (1) and section 78 (1) of the Consumer Credit Act 1974, and I am entitled to receive a copy of my credit agreement on request.

Your obligation also extends to providing me with a statement of account. I enclose a £1 postal order, which represents payment of the statutory fee payable under the Consumer Credit Act.

I understand that a copy of my credit agreement should be supplied within 12 working days from the date of this letter.

I understand that under the Consumer Credit Act, creditors are unable to enforce an agreement if they fail to comply with a request for a copy of the agreement under these sections of the Act.

Also, since you are a Debt Collection Agency, I would also ask that you supply a signed true copy of the executed deed of assignment for the above referenced agreement.

This is an obligation, whether you are the original creditor or not, under section 189 of the Consumer Credit Act 1974.

Non-compliance with my request is a criminal offence under the above Act and will result in a report being submitted to the relevant statutory authorities.
In summary,

I DO NOT ACKNOWLEDGE THIS DEBT AND THEREFORE REQUIRE YOU TO SUBSTANTIATE THIS BY PROVIDING THE FOLLOWING DOCUMENTATION BEFORE I CORRESPOND FURTHER:

1. True copy of original credit agreement
2. Statement of account
3. Copy of the executed deed of assignment from (INSERT COMPANY NAME HERE)
4. Fair Processing Notice.

As you are aware, a credit agreement that is not properly documented and signed by the customer is totally unenforceable under the CCA and therefore is a complete defence to any court claim that is issued.

Take note at this stage, that any legal action you may contemplate will be both vigorously defended and contested.

Further to the above, please ensure that any contact by yourselves is made in writing only to the above address. Telephone calls and personal visits will not be accepted and viewed as harassment.

As this account is now in dispute, I would also draw your attention to The Banking Code section 13.6:-

We may give information to the Credit Reference Agencies about personal debts you owe us if:

·The Amount Owed is Not in Dispute.
·The Office of Fair Trading provided a Code of Guidance that is in relation to Debt Collection: OFT 664 Response to consultation paper and final guidance on unfair business practices dated July 2003
Deceptive and/or Unfair Methods-
2.8 Examples of unfair practices are as follows:-
k. Not ceasing collection activity whilst investigating a reasonably queried or disputed debt.

If you continue in your pursuance of this account I will have no other alternative than to report you to both, The Information Commissioner and The Office of Fair Trading.

Furthermore, I shall submit a Consumer Credit Act 1974 complaint to the OFT upon the basis that you have failed to comply with the OFT’s direction of 5 April 2006 and are therefore not a ‘fit and proper person’ to hold a consumer credit license under the 1974 Act.

If you do not understand what this means then seek advice from your legal department.

I look forward to hearing from you within the statutory time limit.

Yours faithfully

<< YOUR NAME HERE >>

UPDATE 14/01/2009: I have received a letter in the post today from ScotCall Debt Collecting Services; it appears their client Lowell Portfolio 1 LTD has passed the debt onto them for recovery, no doubt in an effort to disguise the collection as not being for Lowell, due to people fighting and winning cases against them.

After a friendly telephone conversation with one of ScotCall’s agents I stated “my right under the legislation contained within section 77 (1) and section 78 (1) of the Consumer Credit Act 1974, and I am entitled to receive a copy of my credit agreement on request.” and queried whether this should be in writing to themselves or Lowell; the reply came “No problem Sir, as we only receive your contact details and the debt amount, we will simply pass this account back to our client”, at which point I thanked the agent and requested confirmation in writing: “All telephone calls are recorded, and you will receive a standard letter detailing this conversation in a couple of days”.

More updates to come.

UPDATE 26/01/2009: Lowell On Watchdog http://www.bbc.co.uk/blogs/watchdog/2009/01/the_chase_for_debts_not_always.html

UPDATE 23/07/2009: Claim dropped! Well I can say after sending this letter via email and a very long discussion on the phone with one of their supervisors, Lowell have said “They are unable to provide a signed credit agreement” and that “Their client in the interest of taking a commercial view, without admitting liability have agreed to clear their claim”, I have a letter confirming the amount owed is now £0.00
