Tag Archive: vulnerability

WordPress 2.8.2 Upgrade – Out of Memory, Apollo 11?

Posted by Strangely on July 20th, 2009

WordPress Upgrade Error

Neil A. Armstrong - Astronaut Edwin Eugene ‘Buzz’ Aldrin, Jr. on Moon (1969)

I had messages from one of my managed sites that it went invisible and chucked out weird messages….  Well  that’s certainly up to the normal standard of feedback I get as a tech person!

However, when updating this website I too got an annoying message from the recently introduced WordPress auto-update feature – it ran out of memory!

The message went:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 2355395 bytes) in myRoot/wp-includes/http.php on line…

Now I’m loath to download stuff and re-install files when a method exists to eliminate this tedium.   So….

  1. I hunted for a file list so that I could replace just the changed one – couldn’t find it – “that’s odd” I thought.
  2. Fished around a bit more for it – no joy.
  3. Saw a single posting about the XSS vulnerability – ah!  This is important and they’ve whacked it out fast before talking about it!  Security first, chat second.  THIS IS GOOD!  This is one of the reasons I like WordPress – actions speak louder than words!
  4. Tried looking for a generic fix using the error message – this link in the forums provided the fix!  http://wordpress.org/support/topic/194370

So that’s the answer for me, and it worked.  This is the code change you need to do:

In wp-settings.php which is one of the files in your WordPress root installation (i.e. not in one of the sub-folders), set the memory limit like so (it’s at the top of the file, just after the comments):

// Raise the memory ceiling WordPress sets for itself (was '32M' before this change)
if ( !defined('WP_MEMORY_LIMIT') )
    define('WP_MEMORY_LIMIT', '64M');

The '64M' is the new value. Previously it was '32M'.

There are other fixes, but this worked for me, and if it works, ultimately, that’s all I’m bothered about!  It’s the old answer of “chuck more memory at it”….
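To take the guesswork out of the "chuck more memory at it" step, here is a small helper, added for this page and not part of WordPress or the original post. It parses the PHP fatal error quoted above, reads whatever WP_MEMORY_LIMIT define() a WordPress source file currently contains, and suggests the smallest power-of-two value that would have covered the failed allocation. It assumes the error message and define() line have the shape shown in the post; the sample inputs at the bottom are constructed from that post (the elided line number is left as an ellipsis).

```python
import math
import re

# Shape of the PHP memory-exhaustion message quoted in the post.
FATAL_RE = re.compile(
    r"Allowed memory size of (?P<limit>\d+) bytes exhausted "
    r"\(tried to allocate (?P<requested>\d+) bytes\)"
)

# The define() line as it appears in wp-settings.php (also matches wp-config.php).
DEFINE_RE = re.compile(
    r"""define\(\s*['"]WP_MEMORY_LIMIT['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# PHP ini shorthand suffixes, as accepted by memory_limit.
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def php_shorthand_to_bytes(value: str) -> int:
    """Convert a PHP size string ('32M', '64m', '1G', '65536') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"not a PHP size value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def bytes_to_php_shorthand(n: int) -> str:
    """Render a byte count with the largest unit that divides it exactly (67108864 -> '64M')."""
    for suffix in ("G", "M", "K"):
        if n % UNITS[suffix] == 0:
            return f"{n // UNITS[suffix]}{suffix}"
    return str(n)


def parse_fatal(line: str):
    """Return (limit_bytes, requested_bytes) from a memory-exhaustion line, or None."""
    m = FATAL_RE.search(line)
    if not m:
        return None
    return int(m.group("limit")), int(m.group("requested"))


def suggest_limit(limit_bytes: int, requested_bytes: int) -> str:
    """Smallest power-of-two megabyte value that covers the failed allocation.

    PHP only reports exhaustion once usage is at the ceiling, so the failed
    request needed at least limit + requested bytes; rounding up to a power
    of two leaves headroom rather than chasing the next slightly bigger one.
    """
    needed_mb = math.ceil((limit_bytes + requested_bytes) / UNITS["M"])
    size_mb = 1
    while size_mb < needed_mb:
        size_mb *= 2
    return f"{size_mb}M"


def current_define(php_source: str):
    """Return the WP_MEMORY_LIMIT value defined in a PHP source string, or None."""
    m = DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def recommend(php_source: str, error_line: str):
    """Pair the configured limit with the error and suggest a replacement value."""
    parsed = parse_fatal(error_line)
    if parsed is None:
        return None
    limit, requested = parsed
    configured = current_define(php_source)
    return {
        "configured": configured,
        "configured_bytes": php_shorthand_to_bytes(configured) if configured else None,
        "reported_limit_bytes": limit,
        "suggested": suggest_limit(limit, requested),
    }


# Constructed sample input: the error line from the post and the pre-fix define().
SAMPLE_ERROR = (
    "Fatal error: Allowed memory size of 33554432 bytes exhausted "
    "(tried to allocate 2355395 bytes) in myRoot/wp-includes/http.php on line…"
)
SAMPLE_SETTINGS = """<?php
if ( !defined('WP_MEMORY_LIMIT') )
    define('WP_MEMORY_LIMIT', '32M');
"""

if __name__ == "__main__":
    print(recommend(SAMPLE_SETTINGS, SAMPLE_ERROR))  # suggested: '64M'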

Apollo 11

As an aside, on the 40th anniversary of men walking on the moon, the lunar module computer has ~76k of memory!  This is Don Eyles, whose first proper job as a young man was to program that computer….  How times change.


Google Treasure Chest – it’s a scam and a half!

Introduction

While fishing around for some chords I came across azchords.com – as you do.  They’ve a shedload of Google ads and I accidentally hit the banner ad while trying to get rid of pesky popups (why do sites still do this now?)  I was taken to the website of someone called Kevin Hoeffer and an honestly dismal automatic sales pitch.  http://www.kevinlifeblog.com is the address.

kevinlifeblog.com

@AmazonKevin, of course, is anonymous because his website uses WhoisGuard.  This “protects” the domain holder from spam, they say.  Well that’s one thing it does – another is that it makes it hard to trace spivs. Anyway, he links to EarnFastCashwithGoogle.  This is the link:

http://affiliate.a4dtracker.com/rd/r.php?sid=168&pub=450202&c1=direct&c2=&c3=

You are then redirected to this page where you have to enter various address details:

I did so using the address of an electricity sub station. (yes, I know).  Once all the boxes are ticked and the funny little easily resettable timer is ignored (but noted as a clue to a very good social engineering type scam), you are taken to this website:

In here, the warnings should really be going off in your head by now! They ask for your credit card number, expiry date and CVV number!  And all to get $1 from you!

securecartcenter.com

securecartcenter.com has another hidden domain registration like WhoisGuard but this time with domainsbyproxy.com.  Surely I can find a real name behind all this?  And don’t call me Shirley. Well right down at the bottom of the credit card screen are some words, well out of normal view.  The whole thing is a signup for Google Treasure Chest who are in no way connected to Google, they hastily point out.  There’s an address in Cheyenne, a house on the corner with about 20 businesses registered there according to Google Maps.  SecureCartCentre isn’t one of them!

Source Code

In the source code for SecureCartCentre we find that images are served from bsadn.pantherssl.com.  Click that and you’ll get the folder structure for bloosky.com who serve advertising campaigns.  Fish through the folder structure and examine various files.  Google Treasure Chest is there.  Check out some css files and you’ll find that some are loaded from discovertotal.com, which has a contact of bloosky.com.  So far so good.  If they’d have stuck an htaccess file in there I wouldn’t have seen that, ho hum.

Instant Google Kit

Lots of stuff points to this.  http://googletreasurechest.com/index.php/home.html   It’s the homepage for this farrago.  Interestingly, down at the bottom all the links are to this site except for one, the signup link which goes to: http://web.archive.org/web/20090330184905/http://www.redtomorrowfield.com:80/z/gtc2/?cy=10&pr=19&af=16&ad=19

redtomorrowfield.com

These are also shrouded from enquiry by DomainsByProxy.com.  The site actually looks like the treasure chest one – weird.  The form at the bottom is similar to the previous address form but the email address is validated by ebizsuite.com, an eCommerce company.

So Where’s The Problem?

The problem lies in this selection of links below.  There are hundreds on the web.  No-one has anything good to say.

At the bottom of the signup page, is the text:
By submitting this form I authorize Google Treasure Chest to immediately charge my credit card for instant access to the Instant Google kit. I hereby request that Google Treasure Chest activate my account and authorize them to advance funds as indicated. Monthly Service fees will commence seven days from the date of this purchase, and will be billed monthly thereafter. After the seven day trial you will be billed seventy one dollars and twenty one cents USD monthly for the continued access to the software. No refunds will be given for failure to use the requested and provided services. You may cancel at anytime by writing to 2510 Warren Ave Ste. 3363, Cheyenne, WY 82001 or calling 866.951.1406. Google Treasure Chest is not affiliated with, endorsed by or in any way associated with Google. Results vary. Individuals have been remunerated. All Content Copyright © 2005-2009, Google Treasure Chest. All Rights Reserved Worldwide.

That’s the problem you see.  It’s almost unreadable.  As everyone found out, instead of a dollar, they all had $71.21 taken away – monthly.

Conclusion

When I started this little investigation, I thought it was a straight phishing expedition to get credit card details.  Instead, it’s a curious grey fuzz of almost legal chicanery. Watch out!


Addendum Posted 7 April 2009

The original popup ad was for a ‘person’ called Kevin Hoeffer with his honestly dismal automatic sales pitch. Today I came across another who, mysteriously, used to work for a pipe company! This is on this website http://web.archive.org/web/20110208043425/http://joshmadecash.com/ The actual text goes like this (one paragraph only shown):

A year ago I was an account manager for a (drum roll) a pipe manufacturing company. Not exactly what I dreamed of when I was growing up. The job I had before that, I used to work in at a mortgage company. That job I did like. Initially I was one of the processors and then started working in the sales department. That was really exciting 5-6 years ago. I was trying to learn the ropes as a salesperson and then eventually I really did start to make some money. I was doing well 3-4 years ago. Then as you know the mortgage industry just took a huge down turn. Along with every other industry and jobs available.

Naturally I wondered how many sites there are with this former pipe company (drum roll) bit of spiel going on. Try this Google search on this string “A year ago I was an account manager for a (drum roll) a pipe manufacturing company. Not exactly what I dreamed of when I was growing up.” to see how many. Actually Google says over 100! (202 on 8 May 2009!!)(268 on 29 May 2009!!)


Addendum 10 April 2009

Useful Links

I’ll continue to post extra info here, instead of in the threads below in order to make it more accessible. I seem to be finding stuff out here on an hourly basis, and most of it is depressing as it reveals the vulnerability of the human condition. So please folks, always remember,

“If it looks too good to be true – it is”


Latest News: 27 April 2009

From this article, we see that the ‘company’ behind Google Money Bollox is “Infusion Media Inc”. Try a Google search on the name here. For a company that’s been behind sooooo many different scammy websites, there are only 173 results. Nearly all relate to their dodgy dealings.

We also find that this guy, Philip Danielson, since Dec 2008, seems to have been handed the poisoned chalice that is some form of legal representation for Infusion Media Inc!!



Addendum 2 May 2009

  • Please check this post Google Treasure Chest – Phone and Address List for a collated list of addresses and phone numbers mostly derived from the comments below.  For Google Treasure Chest/Kit/Money Maker type things, the later phone numbers have been found to be effective at getting refunds.
  • I can’t vouch for any scam that’s Cyprus based – that’s a different kettle of fish.
  • According to one commenter to this website, the charges in the Texas Court Summons brought by the Texas AG against some people have been dropped.  I must say that I’ve found no corroboratory evidence for this of either a name, company or actual reporting….  Jameson Johnson decided not to tell.  Maybe he can update us.  However, in light of comments made, I decided that the tone of some commentary was getting like a lynch mob and have edited accordingly.  This does not mean I’ve gone soft – I’ll still call a pig-in-a-poke what it is.


How do You Keep the Gates Closed when the Gatekeeper Loses the Keys?

Despite the best made plans and intentions, no security system is perfect.

A massive recent security lapse means that (again!), the government’s continuing plans to implement ID Cards should be seriously examined.

Not only have their own credentials at data security been demonstrated by themselves to be wholly inadequate (I’m thinking of the DVLA, MOD, CSA data losses as prime examples) but now, companies at the forefront of security, the gatekeepers to all our computers, have been shown to be equally inept.

The Kaspersky (and later, BitDefender) websites have been hacked.  All data tables containing personal information have been exposed.

The hackers made their work known here and here.  The second, Portuguese attack, was against a reseller, not the main site – but even so?

Kaspersky, on the other hand, is a very major player in the anti-malware software league.  They consistently come top or thereabouts in various anti-virus and security tests by both magazines and online testers.

And this is my point.

If a firm at the top of their game, who do virtually nothing else but live and breathe computer security – if they get it wrong, what hope is there for ID Cards and the databases supporting them?

References:

  • usa.kaspersky.com hacked … full database acces , sql injection
  • [Hacked]Bitdefender (Portugal) exposes sensitive customer data
  • Timeline: Outbreak! – The rise of the SQL infection

Note to Self:

  1. Hacker’s Blog runs on WordPress.
  2. This website also runs on WordPress.
  3. WordPress had a SQL Injection vulnerability some time ago which was fixed.
  4. I hope it’s still fixed.


The Problem with Microsoft and Oledb32.dll

Another day, another Microsoft security alert…

This morning, another raft of advisories arrived in my mail from Secunia; this is one:
Internet Explorer Data Binding Memory Corruption Vulnerability

This riveting title is like déjà vu.  Time and again we’ve seen this.  This is the fault of a company, Microsoft, that puts form before function, functionality before security.

Yet again, the core problem stems from years back when Microsoft had the bright idea to get everything linked together, like the internet is now, but different.  The key is the method of linking.

When you connect to a web page, like this one, you connect, when you decide you want to.

Microsoft, unfortunately, have everything set up as they originally envisaged it, that is, everything is permanently connected to everything else!  And that’s the problem!

If you have Visual Studio, say 2008, as I have, when web applications are constructed, one of the key things you’ll notice is the data-binding going on.  The wizards and the help system are all permanently geared to doing this!

This is totally at odds with a dynamically connected internet.

This latest problem hangs around OLEDB32.dll   In M$ shorthand, this stands for “Object Linking and Embedding Data Base 32-bit Dynamic Linked Library”

There we have it, Linking & Embedding.  This is wonderful technology for putting spreadsheets in Word documents within the corporate office environment.  However, when passing secure information over unsecured internet lines, it’s not!  Of course, you can delete oledb32.dll, but then you cannot access any data….doh!

Despite the continuous obvious failings of this methodology, just listen to the sanctimonious obfuscatory speech in their “Security Advisory” here: Microsoft Security Advisory (961051): Vulnerability in Internet Explorer Could Allow Remote Code Execution

Our investigation so far has shown that these attacks are only (my emphasis!) against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable

Basically, this means all their current operating systems and browsers!  Not “only”….

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

Well that’s what’s wrong.  So what are Microsoft going to do, I can hear you asking?  It’s their software design, after all?

We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes.  On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may (my emphasis) include providing a solution…   Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of….having a firewall and anti-virus…

So Microsoft is looking, and if it gets worse they’ll let us know!!!

Let’s have the final word on this from the Secunia Advisory:

NOTE: Reportedly, the vulnerability is currently being actively exploited.

The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected.

We all bought into the “Welcome to Microsoft” world.  We are all fully patched.  Caveat Emptor.


Canadian Pharmacy in Baghdad?

Following on from my earlier experiment with “The Complainerator“, I got a very similar message from myself to myself again…  It’s the address I used to dig into XIN NET, whose automated systems now seem to think I really, really need some drugs from a Canadian (United Kingdom for me) Pharmacy.

This is the email message as trapped by Mailwasher Pro:

Subject: RE:ci.Doctor Cordero

If you are unable to see the images in this email, please click here. [links to perfecttyres.com/images/img/gif]

ORDER NOW WHILE QUANTITIES LAST!
[Image ignored] [links to muratdedekoyu.com/old/duyuru/images/img]

VIEW PRIVACY POLICY [links to tts-egypt.com/images/jpg/abaut] This email was sent to: [email protected] You have told us you would like to receive exciting e-mail offers from CLICK HERE TO UNSUBSCRIBE [links to badr-karbala.com/images/swichmax/img/jpg] Please allow 24 – 48 hours for processing. Products limited and may sell out at any time. Prices are subject to change.



As you can see there are four domains in this short mail.

For each domain: server location, registrant location, and what happened on viewing the domain in a browser.

  • perfecttyres.com
    Server location: Florida, USA.  Registrant location: Haryana, India.
    Action on viewing: At first run, went to a Canadian Pharmacy.  Second run five minutes later it redirects to thebigtoplite.cn and quickly switches to perfecttyres.com and a large Flash intro about – tyres!  In IE7 tries to download snapview.ocx.
  • muratdedekoyu.com
    Server location: Konya, Turkey.  Registrant location: Turkey.
    Action on viewing: Tries to download a php file called muratdedekoyu_com which looks like a poorly formed webpage for possibly the tyres website above.  It includes some javascript called “jsrc/sozler.js” which is heavily discussed in Turkish forums.
  • tts-egypt.com
    Server location: New York, USA.  Registrant location: Cairo, Egypt.
    Action on viewing: Started as Pharmacy.  Redirects to hostw212.onlinehorizons.net, suspended page now, during tests.
  • badr-karbala.com
    Server location: Dallas, Texas.  Registrant location: Baghdad, Iraq.
    Action on viewing: Firefox blocks the site. In IE7 tries to download snapview.ocx, freezes it, then IE7 tries to say it’s phishing as it tries to fire up the default address book. Opera opens the page and fires up a duff instance of Adobe Acrobat.  Chrome has best response.  Blocks site and provides a link to here: http://safebrowsing.clients.google.com which gives technical details.
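The first triage step in the post, spotting that one short mail points at four unrelated domains, can be done without opening any of those pages in a browser. The following is an added example, not code from the post or from Mailwasher: it parses an HTML mail body with Python’s standard library, lists every host referenced by an href or src attribute, and pairs each anchor’s visible text with the host it really points to (an “unsubscribe” link aimed at yet another host is the kind of thing worth a second look). The sample mail is constructed for this example; the four hostnames are the ones named in the post, but the markup, paths and file names are invented.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML rendering of the mail quoted above. Only the four
# hostnames come from the post; the markup and paths are invented.
SAMPLE_MAIL = """
<html><body>
<p>If you are unable to see the images in this email, please
<a href="http://perfecttyres.com/images/img/gif">click here</a>.</p>
<p>ORDER NOW WHILE QUANTITIES LAST!</p>
<img src="http://muratdedekoyu.com/old/duyuru/images/img" alt="">
<p><a href="http://tts-egypt.com/images/jpg/abaut">VIEW PRIVACY POLICY</a>
This email was sent to: you@example.invalid
<a href="HTTP://BADR-KARBALA.COM/images/swichmax/img/jpg">CLICK HERE TO UNSUBSCRIBE</a></p>
</body></html>
"""


class LinkHostCollector(HTMLParser):
    """Collect every host referenced by href/src, plus anchor text -> host pairs."""

    def __init__(self):
        super().__init__()
        self.hosts = {}      # host -> set of "tag/attribute" places it appeared
        self.anchors = []    # (visible text, host) for each <a href>
        self._anchor_host = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("href", "src"):
            value = attrs.get(name)
            if not value:
                continue
            host = urlsplit(value).hostname  # lower-cased, port and userinfo stripped
            if host:
                self.hosts.setdefault(host, set()).add(f"{tag}/{name}")
            if tag == "a" and name == "href":
                self._anchor_host = host
                self._anchor_text = []

    def handle_data(self, data):
        if self._anchor_host is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor_host is not None:
            text = " ".join("".join(self._anchor_text).split())
            self.anchors.append((text, self._anchor_host))
            self._anchor_host = None


def _parse(html: str) -> LinkHostCollector:
    p = LinkHostCollector()
    p.feed(html)
    p.close()
    return p


def link_hosts(html: str) -> dict:
    """Return {host: sorted list of places used} for every host linked from the mail."""
    return {h: sorted(places) for h, places in sorted(_parse(html).hosts.items())}


def link_anchors(html: str) -> list:
    """Return [(visible anchor text, target host), ...] in document order."""
    return _parse(html).anchors


def distinct_domain_count(html: str) -> int:
    """How many different hosts a mail pulls resources from or links to."""
    return len(link_hosts(html))


if __name__ == "__main__":
    print(distinct_domain_count(SAMPLE_MAIL), "hosts")   # 4
    for host, places in link_hosts(SAMPLE_MAIL).items():
        print(host, places)
    for text, host in link_anchors(SAMPLE_MAIL):
        print(f"{text!r} -> {host}")
```

The hostname comparison is deliberately done on the parsed URL rather than on the raw string, so mixed-case hosts and explicit ports collapse to one entry; the author’s browser-based checks (redirect chains, downloads offered) are a separate, later step that this script does not attempt.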

NOD32 didn’t kick in for the download so it assumes there’s no problem code in the package. The Chrome browser info from Google says hundreds of trojans and webpages are connected to the dodgy places in the warning. Ah well!

Everything for me points to XIN NET again because of the mail content and the flash way that the redirects are done.  Dot cn only shows for a split second!

Snapview.ocx is part of the MS Access snapshot viewer.  This format is similar to Adobe PDF which partly explains Opera loading Acrobat Reader into place…The snapview.ocx has a shedload of Google search returns as an ActiveX vulnerability.



© 2007-2017 Strangely Perfect All Rights Reserved