Knock Knock, You’ve Been Hacked!
Posted on April 6th, 2008 at 7:31 by fr3@K

I received an email yesterday afternoon, informing me this blog had been hacked:

Regarding fsfoundry.org,

This email is not an April Fools' email and it has been sent to notify you that your blog’s version is old and needs to be updated ASAP as it was hacked.

While tracking some Viagra spammers I have come across several links coming from your blog and, after testing it, it appears your blog is 2.1.* generation, hence vulnerable to SQL injection blind-fishing attacks. Search Google to learn more. In a few words: spammers can take full control of your blog in a matter of minutes and deface it at will.

These attacks are as serious as they can get as the spammers have full access to your blog and add hidden HTML elements to mask their links.

You MUST update your blog to the latest official WordPress version and manually clean your last 5-10 posts of the parasite links which you will only see in HTML view.

Not doing so may attract severe search engine penalties as you are currently linking to sites with VERY bad reputation.

Hoping you will take required action,
A.S.S. (Anonymous Security Specialist)

PS: I got your email address from your Dashboard / Users Management Section. I have warned many during the past months regarding the vulnerable blogs, being a blogger myself, but it seems I haven’t warned everyone. Latest WordPress is secure.

PPS: Your login name is XXXX and password hash is XXXXXXXXXXXXXXXXXX


SiteMeter is Now SpyMeter?
Posted on April 26th, 2007 at 23:45 by fr3@K

SiteMeter is a provider whose service helps webmasters understand how visitors browse their sites. Far too many sites, especially personal sites and blogs (including COdE fr3@K), use their free package.

A few weeks ago, alongside the existing SiteMeter, I added StatCounter (a less widely used provider of a similar service) to the site. Today I had time to read a StatCounter blog post and was startled to learn that SiteMeter may have been bought by the SpecificClick Network (a company that specialises in recording and analysing users' behaviour on the web). Although StatCounter did not name names, it is easy to guess that they mean SiteMeter.

Password Only, No Username?
Posted on October 1st, 2006 at 12:07 by fr3@K

Authentication with a password alone? A very interesting idea. I am not a security expert, but I still feel that blog post is not entirely nonsense.

But wouldn't this instead greatly increase the chance that earlier users have to change their passwords?

After changing the password several times, can you still remember it?

And if, to make sure you remember it, you use your ID card number, your dad's mobile number, your mum's birthday, your girlfriend's measurements... as the password, is that password still secure?

SSHing Hosts with Different Usernames
Posted on September 28th, 2006 at 20:43 by fr3@K

There must be quite a few people who, like me, have shell accounts in several different places: on my own machines, at the company, on a rented virtual host, on the machines of FOSS projects I take part in. The login names on these accounts are often different.

When I ssh back and forth between these machines, I often have to type quite a few extra keys to feed the login name to ssh. Today I got fed up with it, read the ssh_config man page properly, and the result is this ~/.ssh/config:


# Host patterns are globs matched against the name as typed on the command
# line (not the resolved address); the first matching block that sets an
# option wins, so keep specific blocks above any catch-all "Host *".
# Office
Host office-domain.name *.office-domain.name 192.168.* some-office-machine-name
    User login-name-at-office

# Some project
Host shell.foss-project.org
    User another-login-name
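
As an added example (not from the original post), the shell function below applies the ssh_config matching rule to a constructed config in the same shape as the one above: Host patterns are globs matched against the host name as typed, and the first matching block that sets an option wins. The catch-all `Host *` block, the login names and the host names are placeholders, and nothing here connects anywhere.

```shell
# Added example (not from the original post): resolve which User a
# ~/.ssh/config hands to ssh for a given host, reproducing the ssh_config(5)
# rule that the FIRST matching Host block to set an option wins.
# Host and login names are placeholders; no connection is made.

# Constructed config in the same shape as the post's, with a catch-all added.
SAMPLE_CONFIG='# Office
Host office-domain.name *.office-domain.name 192.168.* some-office-machine-name
    User login-name-at-office

# Some project
Host shell.foss-project.org
    User another-login-name

# Catch-all default. It must stay LAST: placed first, it would set User for
# every host and the more specific blocks below it would never take effect.
Host *
    User fallback-name
'

# ssh_user_for HOST [CONFIG]
# Prints the User that CONFIG (default: SAMPLE_CONFIG) resolves for HOST.
# Host patterns are shell-style globs matched against the name exactly as
# typed on the command line, never against the resolved IP address.
ssh_user_for() {
    host=$1
    config=${2:-$SAMPLE_CONFIG}
    matched=0
    result=''
    set -f    # keep the Host globs from expanding against the filesystem
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}     # strip leading blanks
        case $line in
            ''|'#'*) continue ;;
            Host\ *)
                # a new Host block: does any of its patterns match HOST?
                matched=0
                for pat in ${line#Host }; do
                    case $host in
                        $pat) matched=1; break ;;
                    esac
                done
                ;;
            User\ *)
                # the first value obtained for an option wins, so stop here
                if [ "$matched" -eq 1 ]; then
                    result=${line#User }
                    break
                fi
                ;;
        esac
    done <<EOF
$config
EOF
    set +f
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
    fi
}
```

Calling `ssh_user_for box.office-domain.name` or `ssh_user_for 192.168.1.10` prints login-name-at-office, `ssh_user_for shell.foss-project.org` prints another-login-name, and anything else falls through to fallback-name; feed the function a config with the `Host *` block moved to the top and every host resolves to fallback-name, which is the mistake the ordering comment guards against. On OpenSSH 6.8 or newer the authoritative check is `ssh -G host | grep '^user '`, which prints the resolved configuration without connecting.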

SSH Port Forwarding Basics
Posted on May 18th, 2006 at 4:06 by fr3@K

Intro

SSH port forwarding is also called SSH tunneling. It takes TCP connections made to a port on one end of an ssh session and forwards them, through the encrypted channel, to a specified port on the other end. When the ssh session that opened the forwarding ends, the forwarding ends with it.

Local to Remote Port Forwarding

The command below opens an ssh session from firedrake (my machine) to fsfoundry.org and listens on port 8080 on firedrake's localhost for incoming connections. Each connection accepted there is forwarded to port 3128 on fsfoundry.org's localhost:


    firedrake$ ssh fsfoundry.org -L 8080:localhost:3128

Remote to Local Port Forwarding

Conversely, the command below opens the same ssh session from firedrake to fsfoundry.org but puts the listener on the far end: sshd on fsfoundry.org listens on port 8080 on its localhost, and each connection accepted there is sent back through the session and delivered to port 3128 on firedrake's localhost. The argument order is the same as for -L (listening port first, then the target host and port); only the side that listens changes. On the server side the listener binds to loopback only unless sshd_config sets GatewayPorts:


    firedrake$ ssh fsfoundry.org -R 8080:localhost:3128
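
To keep the two directions straight, here is an added example, not from the original post: a shell function that parses the -L/-R argument the way ssh(1) does and reports which machine ends up listening and which end makes the final connection. The host names firedrake and fsfoundry.org are the post's; the function, its output format and its exit codes are this example's own, and it never opens a connection.

```shell
# Added example (not from the original post): decode an ssh forwarding spec
# exactly as ssh(1) reads it, so the listening side and the target are not
# confused. Host names are the post's; the function is ours and only parses.
#
# forward_explain FLAG SPEC CLIENT SERVER
#   FLAG   -L (listener on CLIENT) or -R (listener on SERVER)
#   SPEC   [bind_address:]port:host:hostport, the argument given to FLAG
# Prints "<listener> listens on <bind>:<port> -> <other end> connects to <host>:<hostport>"
# Exit status: 0 ok, 1 malformed spec or flag, 2 listener bound to a
# non-loopback address (reachable from other machines).
forward_explain() {
    flag=$1 spec=$2 client=$3 server=$4

    # Split the spec into its 3 or 4 colon-separated fields.
    # Bracketed IPv6 literals are not handled by this example.
    case $spec in
        *:*:*:*:*) return 1 ;;
        *:*:*:*)   bind=${spec%%:*}; rest=${spec#*:} ;;
        *:*:*)     bind='';          rest=$spec ;;
        *)         return 1 ;;
    esac
    port=${rest%%:*};   rest=${rest#*:}
    target=${rest%%:*}; hostport=${rest#*:}

    # Both ports must be plain integers in 1..65535, and a target is required.
    for p in "$port" "$hostport"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ -n "$target" ] || return 1

    # The spec format is identical for both flags; only the listening side
    # changes. The target host is resolved by the OTHER end of the session,
    # which is why "localhost" in a -L spec means the server's loopback and
    # "localhost" in a -R spec means the client's.
    case $flag in
        -L) listener=$client; other=$server ;;
        -R) listener=$server; other=$client ;;
        *)  return 1 ;;
    esac

    printf '%s listens on %s:%s -> %s connects to %s:%s\n' \
        "$listener" "${bind:-localhost}" "$port" "$other" "$target" "$hostport"

    # With no bind address ssh binds the listener to loopback only. A bind of
    # '*' or '0.0.0.0' (honoured for -R only when sshd_config allows
    # GatewayPorts) exposes the tunnel entry point to every host that can
    # reach the listener, so flag it.
    case $bind in
        ''|localhost|127.0.0.1) return 0 ;;
        *)  printf 'warning: %s:%s is reachable from other hosts\n' "$bind" "$port" >&2
            return 2 ;;
    esac
}
```

Run it on the two commands from the post: `forward_explain -L 8080:localhost:3128 firedrake fsfoundry.org` reports that firedrake listens on localhost:8080 and fsfoundry.org connects to localhost:3128, while the same spec with -R reports that fsfoundry.org listens on localhost:8080 and firedrake connects to localhost:3128. A spec such as `0.0.0.0:8080:localhost:3128` parses but exits 2, which is the case to look at twice before typing it into a real ssh command. For a session that should carry only forwarded traffic, add -N (no remote command) and -o ExitOnForwardFailure=yes, so that ssh fails loudly instead of silently leaving the port unbound.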

X11 Forwarding

This opens an ssh session to fsfoundry.org in which any X11 application started is displayed on firedrake's X server, its connection to the display carried back through the session:


    firedrake$ ssh -X fsfoundry.org

-Y is not an older spelling of -X. Since OpenSSH 3.8, -X requests untrusted forwarding, where the remote client is confined by the X SECURITY extension, while -Y requests trusted forwarding with full access to your X server (including other windows' input and contents). Some applications misbehave under the untrusted mode, which is why -Y is often suggested as a fix, but it belongs only on hosts you trust as much as your own desktop.
