walkah: site

about this site
11 Aug 2008

Now running Drupal 6 and Views 2

I finally "re-launched" my blog last night, after tinkering for a few months. I'm now running (at the time of writing) Drupal 6.3. More interesting, however, is that my site is almost entirely powered now by Views 2.

The biggest visible change is the home page. Inspired in part by Dave Shea's lovely blog, I wanted to make my front page shorter. So now, I'm displaying the latest full post, with 9 previous titles only. This is all done with views (using the awesome new "attachment" display type).

The other interesting bit is that I'm using the latest version of twitter module so that the "twitter" block on the right is actually views2 powered as well (and gets cached).

I'm sure I'll keep tweaking, but I dig it. How about you?

7 May 2007

Oh noes! walkah got pwned!

So, faithful readers, as you may have noticed if you tried to visit this site - I got "hacked". All of the sites hosted here had their index.php files replaced with a defacement message reminding us, amongst other things, that "Hack is not a crime". Since lots of folks have asked - specifically if it was drupal related - and since the information might be generally useful for the internets, I've decided to post a brief recap here.

First off: in a move I'd never seen before, the guys removed *all* log files from the system which makes figuring out exactly what happened pretty darned tricky. In fact, they had removed anything with 'log' in the name - things like logwatch and logrotate binaries were also removed. So, what I say here is largely speculation based on the few remaining traces I found left behind. As such, here is my theory (perhaps the cracking team will be nice enough to post comments with clarifications ;):

The only real clue how they got in was the following in /tmp:

drwxr-xr-x 3 www-data www-data 4.0K Apr 28 16:24 .sc/

That might not mean a whole lot - except that the datestamp is right and the directory is owned by www-data : the uid of my apache process. This strongly suggests a web-based exploit. Since pretty much all that runs on my server is Drupal it looks like we've got a problem...

I had an old Drupal 4.4 site still running on this server (sudden-thoughts.com - down until further notice). Drupal 4.4 is susceptible to the (fairly) infamous XML-RPC hole. I had manually removed xmlrpc.php from this site, however, it was back - it looks like in a brain cramp moment by yours truly I had cvs up'ed the directory which brought the file back (as part of my routine drupal site maintenance on my server).

Now, that part is speculation, but a likely guess. Without my apache logs I can't even accurately guess which site was targeted... but 'statistics' module is enabled on most sites and showed nothing suspicious in accesslog or watchdog... thus suggesting xmlrpc as a likely candidate. All other sites run Drupal 4.7 or 5 - with all security updates applied. So, if it wasn't that site, then there is a new remote-execution vulnerability in drupal that we've not yet heard about on the Drupal security team. Possible, but unlikely given that the other glaring hole was available.

Remote code execution is a serious problem, but usually containable from a web application if you run apache as a non-privileged user (as I do). So, how then were they able to overwrite all the index.php files?

My server runs Debian Etch (the latest release) with all security updates applied. So, again, unless they were using 2 un-resolved exploits - it leaves one likely option: the kernel. I was running an old, custom compiled 2.4 kernel - I mean *really* old, from 2003. Said kernel is vulnerable to things like a ptrace exploit for privilege escalation. My theory is that something like this was used to gain root access. From there, they were able to overwrite all index.php files. They also installed the "shv5" rootkit - which modifies a bunch of system binaries (ls, ifconfig, netstat, etc) - detected by both rkhunter and chkrootkit. More information on that available via google.

So, that's my theory and I'm sticking to it. So, is Drupal insecure? No. Not if you're good about running recent, maintained versions and keeping an eye on security announcements. The problem here was more accurately due to lackadaisical administration on my part - both with the drupal version and the stale kernel. I know better ... chalk it up as a "shoemaker's son" scenario.

Thanks to Steven who was the first to notify me (via SMS) that something was up. Of course, other speculations are welcome in the comments :)
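An added triage helper, not code from the original post, that checks for the two kinds of traces the write-up above works from: hidden directories under /tmp owned by the web-server user, and log-related files and binaries that have vanished. It assumes www-data as the apache user and Debian-style paths for the log artifacts; both are assumptions and can be overridden, and the ROOT argument lets it run against a mounted image or staged copy rather than the live system.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Looks for the traces
# described above: hidden dirs under ROOT/tmp owned by the web-server user,
# and expected log files / log tools that are missing under ROOT.

# Assumption: apache runs as www-data, as in the post. Override via env.
WEB_USER="${WEB_USER:-www-data}"

# Assumption: Debian-style locations for the artifacts worth checking.
LOG_ARTIFACTS="var/log/syslog var/log/auth.log var/log/apache2/access.log
usr/sbin/logrotate usr/sbin/logwatch"

# Hidden (dot-prefixed) directories directly under ROOT/tmp owned by WEB_USER.
# Usage: hidden_web_dirs ROOT  -> one path per line, empty when clean.
hidden_web_dirs() {
    find "${1%/}/tmp" -mindepth 1 -maxdepth 1 -type d -name '.*' \
         -user "$WEB_USER" 2>/dev/null
}

# Expected log files/binaries that are absent under ROOT, one per line.
# Usage: missing_log_artifacts ROOT
missing_log_artifacts() {
    for rel in $LOG_ARTIFACTS; do
        [ -e "${1%/}/$rel" ] || echo "/$rel"
    done
}

# Print a report; exit 1 when either check found something, else 0.
# Usage: triage ROOT   (e.g. "triage /" on the live box)
triage() {
    dirs=$(hidden_web_dirs "$1")
    missing=$(missing_log_artifacts "$1")
    if [ -n "$dirs" ]; then
        printf 'hidden dirs under /tmp owned by %s:\n%s\n' "$WEB_USER" "$dirs"
    fi
    if [ -n "$missing" ]; then
        printf 'missing log artifacts:\n%s\n' "$missing"
    fi
    [ -z "$dirs" ] && [ -z "$missing" ]
}
```

On a box that has already been rooted the binaries themselves may lie, so treat a clean result from a live system as weaker evidence than one from a mounted image.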

1 Nov 2006

Bring on Drupal 5.0!

Happy Halloween everyone: Drupal 5 beta1 has been released!

Amongst the several changes in Drupal 5, there is officially a new default core theme. After years and years of looking at bluemarine day after day, my eyes have been granted quite a treat. What's better: the new theme, "garland" comes with "color" module which allows you to easily customize the color scheme used.

To celebrate, I've switched this site to use garland - with the old walkah.net color scheme. Like it?

16 Oct 2006

partitioning

i have been considering starting a more personal blog for quite some time. this blog has become much more tech-centric - to the point where i feel reluctant to post lots of personal stories (stuff about the kids, etc) here. however, i've felt lately like i could use an outlet for the goings on in my personal life.

so, i present to you: james.walkah.net. it won't be for everyone, but if you're family, a friend, or just a fan - check it out. otherwise, stay tuned here for (hopefully more frequent) updates on the geek stuff.

16 Jun 2004

sellout

so, i've totally sold out. you probably didn't notice but there are now google ads.. yes ADS! ... in the right column of this fine site. why? well... 'cause i wanted to see what google adsense was like. call it research. call me a sellout. do whatcha like. just click on the links, please ;)

16 Apr 2004

feeling tweaky

so, as part of my little posting flurry, i spent some time actually looking at my site. frankly, i don't totally dig it. so, i've been playing around here and there trying to make it look cooler. how am i doing? :)

i did add some funky little status indicators for my IM accounts (over there --->). they actually work too. when they're grey i'm offline, otherwise i'm online. feel free to say 'hi'. the aim status trick i picked up from deanspace. the jabber status is edgar the status bot.

29 Jan 2004

back to fluid

so, after briefly flirting with a fixed width design, i've got back a "fluid" layout for this site. thanks mainly to peter at openflows for some good articles on the merits of liquid layouts. i've personally come to the conclusion that both approaches have their own merits, and as usual it's a matter of fitting the design to the application. that said, this blog (imo) looks better liquid - too damned much white space otherwise. besides, not enough people read it to really make a difference ;)
as an interesting aside... i also dug up this article discussing "elastic" design (a sort of compromise). looks like an interesting 3rd party.

26 Jan 2004

fixed width design

so, after reading some fairly convincing articles on fixed width design, i've decided to change this site to use a fixed width. it's supposed to improve readability. survey says?

11 Dec 2003

i hate IE. i hate it a lot.

... on all platforms, all versions. over the past 24 hours, i have wasted waaaay too much time trying to fix and/or work around stupid stupid things that internet explorer does.
first off, there is the often-discussed, frequently-worked-around lack of support for transparent PNG images in IE on windows. silly me, in playing designer on sudden thoughts, i made some transparent pngs. they, of course, looked like crap in IE and have since been converted to .gifs :(
then, there is the idiotic CSS wonkiness that was breaking the otherwise elegant dropdown menus at sudden thoughts. (yes those menus are straight ul's - inspired by this article)
finally, adrian pointed out that my own site was broken in IE... since i'm not sure when. anyway, i redid the css to use all absolute positioning and IE seems to be happy for the moment.
god i wish everyone would just use real browsers.

14 Nov 2003

back to drupal

so, i've gone back to drupal for hosting my site. i'll probably keep it like this for a long time. it's too much work to convert back and forth :P
i've also been doing some drupal hacking lately, but more on that later...


James Walker