Added alerts

Alerts added
I received a message today that is so obviously an attempt to install malware that I decided to create a category to hold alerts. Not that it would help very much, most users will never learn to think before they follow a link, but no-one can now tell they haven’t been warned…
I know it’s their very own responsibility but on the other hand, if ISPs tend to send messages like this, they should at least warn their users about mails like this.
I get more and more of these messages – it would be a good idea that the ISPs block these abusers _completely_, but I doubt they ever will.

Alert 09-Jul-2007

Don’t reply to this:

Subject line:

Worm Alert!

Message body:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Abuse Team

(“this patch” is actually a link:

<a href="http://68.61.229.214/?7703a3b01bdad81d9b848ca9a885b5e6291c3d">this patch</a>

and will very likely install a worm, backdoor, virus or other malware on your system.)

The header that I found was:

X-McAfeeVS-TimeoutProtection: 0
Return-Path:
Received: from grootstal.nijmegen.internl.net by hees.nijmegen.internl.net
via grootstal.nijmegen.internl.net [217.149.192.7] with ESMTP for
id l69JQmRx021094 (8.13.8/2.11); Mon, 9 Jul 2007 21:26:48 +0200 (MEST)
Received: from 248.145-62-69.ftth.swbr.surewest.net by grootstal.nijmegen.internl.net
via 248.145-62-69.ftth.swbr.surewest.net [69.62.145.248] with SMTP for

id l69JQjFj012570 (8.13.6/2.05); Mon, 9 Jul 2007 21:26:47 +0200 (MEST)
X-RelayHost: 69.62.145.248
Received: (qmail 24120 invoked from network); Mon, 9 Jul 2007 12:26:42 -0700
Received: from unknown (HELO crs) (98.132.150.165)
by 248.145-62-69.ftth.swbr.surewest.net with SMTP; Mon, 9 Jul 2007 12:26:42 -0700
Date: Mon, 9 Jul 2007 12:26:42 -0700
To: willem@grooters.100.nl
From: “Abuse Team”
Reply-to: art@hyde-housing.co.uk
Subject: Worm Alert!
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=”windows-1252″
X-Language-Detected: en
X-Spam-Scanned: InterNLnet Mail Scan System V2.03

and the address is an anonymized one (doesn’t lead to a real address)
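As an added example (not part of the original post), the Python sketch below reads the relay chain out of the Received lines quoted above and flags two warning signs this message shows: a link to a bare IP address and a first hop without reverse DNS. The function names are made up for this example, and the sample header is abridged and re-folded from the one above.

```python
import re
from email.parser import HeaderParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Abridged and re-folded from the header quoted above (sample input for this example).
SAMPLE_HEADERS = """\
Received: from grootstal.nijmegen.internl.net by hees.nijmegen.internl.net
 via grootstal.nijmegen.internl.net [217.149.192.7] with ESMTP;
 Mon, 9 Jul 2007 21:26:48 +0200 (MEST)
Received: from 248.145-62-69.ftth.swbr.surewest.net by grootstal.nijmegen.internl.net
 via 248.145-62-69.ftth.swbr.surewest.net [69.62.145.248] with SMTP;
 Mon, 9 Jul 2007 21:26:47 +0200 (MEST)
Received: (qmail 24120 invoked from network); Mon, 9 Jul 2007 12:26:42 -0700
Received: from unknown (HELO crs) (98.132.150.165)
 by 248.145-62-69.ftth.swbr.surewest.net with SMTP; Mon, 9 Jul 2007 12:26:42 -0700
Subject: Worm Alert!

"""
SAMPLE_BODY = '<a href="http://68.61.229.214/?7703a3b01bdad81d9b848ca9a885b5e6291c3d">this patch</a>'

def relay_hops(raw_headers):
    """Return (claimed name, IP) for each Received hop, oldest hop first."""
    hops = []
    received = HeaderParser().parsestr(raw_headers).get_all("Received", [])
    for value in reversed(received):
        value = " ".join(value.split())  # undo header folding
        name = re.match(r"from (\S+)", value)
        ip = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", value)
        if name and ip:  # skips qmail's "(qmail ... invoked from network)" line
            hops.append((name.group(1), ip.group(1)))
    return hops

def indicators(raw_headers, html_body):
    """List the warning signs visible in this message."""
    found = []
    for href in re.findall(r'href="([^"]+)"', html_body):
        host = urlsplit(href).hostname or ""
        try:
            ip_address(host)  # raises ValueError for a normal host name
            found.append(f"link points at bare IP {host}")
        except ValueError:
            pass
    hops = relay_hops(raw_headers)
    # qmail writes "from unknown" when the connecting IP has no reverse DNS
    if hops and hops[0][0] == "unknown":
        found.append(f"first hop {hops[0][1]} has no reverse DNS")
    return found
```

Only the hop stamped by the receiving provider's own server (here 69.62.145.248, which X-RelayHost repeats) can be relied on; the Received lines below it were written on the sender's side and may be forged.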

05-Jul-2007

Updates
Today I updated the blog software which went almost flawlessly – but the cause of trouble was me: After creating a running copy of the current version in a separate directory, I made some typing errors in defining the blog searchpath, and forgot to change the protection of files. Once that was settled, the blogs could be accessed using the previous version of the software while I was updating and testing the new one. Once that was found to be fine, just resetting the logicals was enough to have the new version live.

(oops – I don’t see a preview pane, where there was one before…Might be a twist in the PHP engine, or is something broken?)

Second, I wanted to update phpmyadmin to a new version – I already downloaded 2.0.10 and now it was time to install it.
Well, that didn’t run as nicely as I expected. Of course, I used a similar method: renamed the root directory, and renamed the directory that resulted from unzipping the kit to the correct name.
That _should_ have worked. But it didn’t.

First of all, the kit contains files named like “something.type.php”, and on extracting the zip these expanded to “something_type.php”, or with even more embedded dots. Of course, trouble arose. The solution is a small, simple procedure to rename what’s to be renamed:
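$! Slash-separated list of the embedded "types" that unzip turned into "_type"
$ extensions = "/inc/lib/class/default/dbi.lib"
$ I = 0
$ProcessExt:
$ I = I+1
$ ext = F$ELEMENT (I,"/", extensions)
$! F$ELEMENT returns the delimiter itself once I runs past the last element
$ if ext .EQS. "" THEN GOTO Done
$ if ext .EQS. "/" THEN GOTO Done
$Loop:
$! Next file named *_<ext>.php anywhere in the tree (search stream 1)
$ Full = f$search("phpmyadmin:[000000...]*_''ext'.php", 1)
$ IF Full .EQS. "" THEN GOTO ProcessExt
$ fdev = F$PARSE (Full,,,"DEVICE")
$ fdir = F$PARSE (Full,,,"DIRECTORY")
$ fnam = F$PARSE (Full,,,"NAME")
$ fext = F$PARSE (Full,,,"TYPE")
$! Strip the trailing "_<ext>" from the name and put ".<ext>" in front of the type
$ fgnam = F$EXTRACT (0,F$LENGTH(fnam)-(F$LENGTH(ext)+1),fnam)
$ fgext = "."+ext+fext
$ GFull = fdev+fdir+fgnam+fgext
$ RENAME/LOG 'Full' 'GFull'
$ Goto Loop
$Done:
$ exit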

This solved that problem, it did start all right, but next, I ran into the problem that any specified authentication method was deemed invalid, even the original file didn’t work properly, although the documentation clearly states it should be sufficient.

So this version is unusable for now.

Forum disabled
I have disabled the forum for now. There are far too many bogus members to handle, I need some plugins to keep things more manageable: checking e-mail address before storing, an easy view on IP addresses and a facility to store them easily, and a few more.

Web redesign
is not progressing very much now, since the preparation of the pictures of this year’s holiday must be finished first. But given time, it will come – one day.