Archive for February, 2010

WordPress Malware Cleanup on isle Kamagra

February 21st, 2010

I managed to lose half of my day yesterday, thanks to a malware infection on the One Lap blog. It was more like an irritating rash really, but one that scarred our front page with a link to some off-brand male enhancement drug. I wish you could just buy the little blue pills like Advil, as it would eliminate 90% of the spam, malware and exploits on the Internet. It almost pains me to put the name of the site in this post, as I know they win by propagating their name once again.

After backing everything up and changing all of the account logins, I had the not-so-pleasant task of finding the infection. Following the path of most repair work, I started with Google. I also found a lot of dead ends and blanket fixes.

I figured I would dump some of the more useful links I could find up here, to help the next soul looking to get rid of the annoying kamagra link at the top of their website. Most of the first search results out there have you hacking away at unknown base64 files, eventually resulting in a complete lobotomy of your site's functionality before it is rebuilt with new files.

Run through some best practices first and reset your account passwords for the site, including your FTP accounts. Realistically, the attacker used an SQL injection, allowing them to write straight to the database. These holes are common during the window before the patches are released. If you were lucky, the only thing that was added was an annoying link. So far, that is the only thing I have found.

The code was found in the WP_OPTIONS table in the database, which is where plugins and other add-ons get to write their settings in WordPress. Search through the table for some keywords and you will find the injected entry. Delete the entire entry and the text goes away. It sounds much easier now that I know where to look.
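Here is an added Python example (not from the original post, and not the Exploit Scanner plugin) of that keyword search, run against a constructed in-memory copy of the wp_options table; the indicator strings and the sample rows are assumptions, and the option name credit_text2 is the one the post found.

```python
import sqlite3

# Indicator strings to look for in option_value; constructed list, extend as needed.
INDICATORS = ["<script", "eval(", "base64_decode", "kamagra", "display:none"]

# Constructed wp_options rows (same columns as WordPress's real table).
SAMPLE_ROWS = [
    (1, "siteurl", "http://example.invalid", "yes"),
    (2, "blogname", "One Lap blog (constructed sample)", "yes"),
    (3, "active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}', "yes"),
    # constructed injected row: hidden spam link plus obfuscated JS, like the post's find
    (4, "credit_text2",
     '<div id="link"><a href="http://spam.invalid/">kamagra</a></div>'
     "<script>var _0xd22c=[/* obfuscated */];</script>", "yes"),
]


def load_sample_db():
    """Build an in-memory stand-in for the live database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT, option_value TEXT, autoload TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_suspicious_options(conn, indicators=INDICATORS):
    """The keyword search you would otherwise type into the DB admin tool.

    Returns (option_id, option_name, matched indicators) for each hit.
    """
    where = " OR ".join("option_value LIKE ?" for _ in indicators)
    params = ["%" + ind + "%" for ind in indicators]
    query = "SELECT option_id, option_name, option_value FROM wp_options WHERE " + where
    hits = []
    for option_id, name, value in conn.execute(query, params):
        matched = [ind for ind in indicators if ind.lower() in value.lower()]
        hits.append((option_id, name, matched))
    return hits


def delete_option(conn, option_id):
    """Remove the whole injected row, as the post did; returns rows deleted."""
    cur = conn.execute("DELETE FROM wp_options WHERE option_id = ?", (option_id,))
    conn.commit()
    return cur.rowcount
```

Review each hit before deleting: legitimate theme options can also contain inline script, so compare the value against a clean copy of the theme first.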

Here is the discussion again, between a site owner who knows more than the people offering advice.

There were a couple of useful tools to help parse through this crap. The Exploit Scanner plugin helped draw out some of the code that didn't look right. Use it with caution and don't just delete everything it flags.

That helped me pull out the code that was not supposed to be there, allowing me to find the first spot where it was hiding. Their example didn't have the little pill as the problem, so I didn't see it initially as I was searching for our miracle drug.

var _0xd22c=["function seeThat(elem) { eval(\x22elem.\x22+stl+\x22.display=\x27block\x27;\x22); }"];
_0xd22c[0x0] = _0xd22c[0x0].replace(/block/i,"none");
var str = 'seeThat(document.getElementById("link"));';

Here is the output of the plugin; the most useful piece of information was the credit_text2 entry. That is the name of the field in the database.
Most hosting sites come with a database admin tool like mySQLAdmin, or something similar. If you don't know what you are doing in the database from a shell, then resort to clicking on the icons and digging through it there.
Good luck.

The Morning After

Having a small celebration after getting the malware off of your WordPress site, only to find the next morning that the code is right back at the top of your site? Well, we only removed the entry in the database on the first round. Now we need to get rid of the code set up to run on a schedule and put it back in place.

Now we need to dig into where this is being initiated from.  If you search through your files for credit_text2, you won’t find anything.  That is because they have encoded the text itself inside of a function file you don’t actually need.

Inside of the header.php file, there was a call to a start_template() function, directly after the body. If you open up the start_template.php file, you find a pile of encoded garbled junk.

Take the meat of that junk and use one of the freely available Base64 decoders online to decode the file.

In this particular case, the code was encoded twice. So take the output of the first round of decoding and run it through the decoder again.

That presents us with the following code. If you notice the time reference, you now see why this annoyance comes back around.

Now for our second round of cleanup, to see if we can last 24 hours without the exploit returning.

  • Delete the function call from header.php and remove the require_once line that names the license file. There are valid calls to these files in my theme, which tells me the entire theme may have been compromised.
  • If you delete the start_template.php file and it breaks the site, it is probably being pulled in with require_once somewhere else. Start by removing everything from the file, or leaving only the opening PHP tag in the file.
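An added Python example (not from the original post) that peels the nested eval(base64_decode('...')) layers the way the two manual decoding rounds above did, and then lists the indicator terms left in the innermost layer; the wrapper format, the indicator list and the stand-in payload are constructed assumptions, not the real start_template.php contents.

```python
import base64
import re

# Matches the eval(base64_decode('...')) wrapper assumed for the packed file.
B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""")
# Terms worth a second look in the decoded result; time( is the scheduling hint from the post.
INDICATORS = ["time(", "eval(", "credit_text2", "update_option", "wp_options", "curl_init"]


def wrap(code: str) -> str:
    """Pack code the way the sample file was packed: eval(base64_decode('...'))."""
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(code.encode()).decode()


# Constructed stand-in for the decoded payload; not the attacker's actual code.
INNER = "<?php /* constructed stand-in */ $when = time() + 86400; $field = 'credit_text2'; ?>"
# Packed twice, matching the "encoded twice" file described in the post.
SAMPLE_FILE = wrap(wrap(INNER))


def peel_layers(src: str, max_depth: int = 10) -> list:
    """Decode nested base64 layers; returns each decoded layer, innermost last.

    Stops at max_depth, on the first layer without a base64_decode call,
    or on a payload that is not valid base64 / UTF-8.
    """
    layers = []
    for _ in range(max_depth):
        m = B64_CALL.search(src)
        if not m:
            break
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
            src = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(src)
    return layers


def indicators_in(text: str) -> list:
    """Indicator terms present in a decoded layer, in INDICATORS order."""
    return [t for t in INDICATORS if t in text]
```

Peeling the layers locally also avoids pasting your site's files into a third-party web decoder.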

Countdown to the HITECH Act

February 17th, 2010

My role as a secret change agent takes on many disguises. My technology credentials are strong enough to move me throughout the nerd community undetected.  As technology brings businesses, communities, and people together, I am able to stretch my legs into new areas, leveraging my technology credentials as  a form of VIP card.  Now I find myself in a new, though not unfamiliar role inside of the world of medical legislation. With an official title of IT Coordinator, I now carry the badge of HIPAA security officer.  Take the fast moving world of technology, watch the reaction when you mix in government legislation and the medical community, and you have the perfect train wreck for a change agent to prevent.

One year is a lifetime for technology, but one year moves really fast in the world of legislation. While HIPAA policies are based on legislation, meetings and adjustments, a rather painful process from a change agent's perspective, the technology screws were tightened this year, causing some growing pains throughout the HIPAA community. Tomorrow is the one year anniversary of the HITECH Act, which also marks the deadline to implement the Act. Before we celebrate the anniversary, let's run down what this means and what we missed.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was part of the American Recovery and Reinvestment Act (ARRA) of 2009, the economic stimulus plan that came about in February 2009. It has a series of dates and deadlines throughout the year, bringing us to this one year anniversary on February 18th, 2010, when it goes into effect.

If HIPAA was the neighborhood watch, setup to protect us in the medical world with rules and guidelines, the HITECH Act would be Tony Soprano, coming to break your knee caps if you weren’t playing by the rules. It doesn’t tell you how to fix everything wrong with your HIPAA policy, but sets up some pretty strict penalties for when you get it wrong.

Let’s review what happened so far…

February 17, 2009 – HITECH Act Enacted

This set up the application of tiered civil monetary penalties regarding breaches of PHI (Personal Health Information).
Huh? You mean if I lose a whole bunch of medical records, I have to pay for that?
Not only do you have to pay for it, but that is the first thing we are saying above all else. We will collect money, and we must collect money when a breach is found. Not to worry, because later in 2010 we get to define what to do with that money.

April 20, 2009 – (60 Days)

Human Health Services must set forth a list of technologies and methodologies that render information “unusable, unreadable or indecipherable.”

Result: section 13402(h) of the Act, which really should be called the “Oh, that’s what encryption is” Act. While the tech industry knew what encryption meant, the medical world didn’t want to listen. Frankly, they made up their own interpretation of what encryption was and it was painful.

HHS & FTC Guidance Rules

August 18, 2009 – (180 Days)

HHS and FTC must each publish “interim final” regulations on breach notification. These regulations apply to breaches discovered on or after the “interim final” regulations have been published.

Result: Section 13402 of Subtitle D

There is an entire layering system defining who you are required to tell and notify if you lose information, starting with the owner of the information you lost. It is rather thick, but on the scary side of things, people are legally bound to notify the news media if the breach covers over 500 records. The new focus is also on the burden of proof, requiring everybody to prove that they notified everybody and that the message was received.

December 31, 2009 –

Due date for the HHS to adopt rules for the first set of standards regarding disclosures and accounting for disclosures. Then they have a 6 month stopwatch starting which requires them to implement the standard.

You are going to want to read up on Sec. 13405 for this one.  That defines what the HHS needs to have in order to process all of this information they are about to unleash.  This covers what needs to be disclosed, what can’t be disclosed, how long you need to prove that you disclosed the information and a few other guidelines to make sure you follow through. I read through it and ran out of white boards to draw the number of clauses.

February 18th 2010

This marks the date when everything is adhered to and organizations are responsible for following the legislation. The HIPAA Survival Guide site, setup a great breakdown of what just happened and what is about to take effect and do a much better job tying it all together, but here is the summary of what is happening.

  • Organizations are to apply the rules, are accountable for their consequences along with all business associates.
  • Patient’s right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient’s right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fund raising communications; HIPAA’s current provisions regarding fund raising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

The last one is important (hence the powerful red color). No longer does the HHS only hold the right to conduct audits; they are required to. Now that the legislation is in place for the monetary values, they will hold audits, and they will collect your money.

What do I expect to really see out of this?   6 months from now, they want to review all of the initial findings from the audits and report back to the federal government.  I would predict that things will not be as secure as they “envisioned” when they wrote the act in the first place.  The government will tighten the screws a little more, legislation will react, and we will fall into a cycle that keeps us chasing stronger regulations.

That prediction isn’t what will happen, because there are factors in the mix that nobody wants to acknowledge.   Without tipping my entire hand, let’s just say that my work as a secret change agent is just beginning.

Regardless, nobody wants to be involved in the first round of audits, including the auditors.  So expect some scrambling around and tidying up as the first wave reaches the shore.


Leveraging Facebook Pages

February 4th, 2010

Facebook allows anybody to start a Group or a Page, but it is not until you have actually created one that you understand which direction to pick.

Adding a Facebook Page should be part of every business owner’s “list of free tools I should take advantage of on the Internet to enhance viral marketing”. As of this post, you cannot magically transform a group into a page without having some sort of VIP card into the support team of Facebook, so I wanted to offer some insight as to why your business should have a page set up.

Search Engine Journal has a nice comparison chart between a group and a page if you are still on the fence about which one to choose.

From a marketing perspective, the Page offers a few distinct advantages.

  1. A page can be viewed by non Facebook members.  Among a list of reasons why that is powerful is the fact that it opens up the page to be indexed by the search engines.
  2. A page will provide statistical analysis in terms of users, time online, demographics, all in the form of what they call “Insights”.

Don’t laugh too hard that I have two empty graphs here. I created this particular Facebook Page while I wrote this post. The idea is that I can return to you in 6 months and show you how to interpret the trends and turn them into useful information. That is, of course, if I get anybody to add the page.

Last year we took an epic journey into the racing world by establishing a team to run in the One Lap of America.  We started a Facebook group, allowing us to coordinate members of that group, schedule meeting events, and create some communication paths for people to follow us.  We didn’t know it then, but what we needed was a page.

Facebook Page of RochesterDSM One Lap Team

While we were not a business, we wanted to use the page for the same reasons, which was to promote our escapades across the country.

The Facebook Page becomes a free extension of your own website, allowing you to have instant access to a photo gallery, discussion boards and resources that allow fans of your product to keep up to date and help spread the word.

Updating the page is amazingly easy for a team traveling across the country with limited internet access, as they even allow you to post updates by email through an address they provide. Setting up the page to tie back into Twitter makes it quite a useful resource for getting information updates published.

If you own a business, set up a Facebook Page. If you want to promote a brand, set up a Facebook Page. If you want to have closed-door meetings, allowing select members into those meetings without the prying eyes of the Internet, set up a Facebook Group.


iPad Micro SIM Lockdown

February 1st, 2010

In case you missed the technical specs of the new Apple iPad, you may have overlooked the word “micro” in front of the SIM card slot on the iPad.  That can be read a couple of ways, and certainly will be touted as a move to the new standard by Apple and AT&T.

It really can’t be a standard when the rest of the planet still conforms to a standard SIM card size for every device. The Micro SIM has been slow to be adopted, because it is frankly not needed. Apple’s move to put the Micro SIM card into the iPad can be seen as nothing more than a blocking attempt to keep current data users from taking the SIM card out of their iPhone and putting it into the iPad.

That doesn’t mean people won’t try and make it work. The micro SIM card is smaller, yet retains the same contact patch for connectivity. I would certainly trim down a SIM card to see if it works.  You would need to create an adapter ring to put it back in the iPhone.  Seems a little more reasonable than paying for another unlimited data plan.  The industry really needs to stop using the word unlimited in describing anything.

In the meantime, good luck finding a carrier who knows what a Micro SIM card is. While T-Mobile announced some platform movements in that direction at CES this year, the low availability of the cards themselves will cause some hiccups in rolling out the iPad. While the rest of the devices on the AT&T network use a normal SIM card, having one device that does not will certainly cause complications.
