SharpDeveloper

[System.Diagnostics.Conditional("DEBUG")]

The name ‘trojan’ came from a historical concept known as a ‘Trojan Horse’.  It was actually a giant wooden horse that was given as a gift to some town or castle, but in reality it was not a gift but had soldiers inside it who jumped out and attacked and ramsacked the town or castle.  This word has now come to mean a program that gets inside and attacks your computer!  It could be an innocent looking software that you install that has this on it.

Recently I was dealing with a server that was compromised by the Trojan Wollf Virus…

According to Symantec, "Backdoor.Wollf.16 is a Backdoor Trojan Horse that installs itself as a server and allows unauthorized access to an infected computer.."

According to Sophos, it:

• Allows others to access the computer
• Steals information
• Downloads code from the internet
• Records keystrokes
• Installs itself in the Registry

Now.. the hacker who gained access to the serve,r he managed to upload some 70GB of personal files - apps, warez, mp3s, illegally copied movies, etc on this server

Take a look for yourself!  Backdoor uploaded files (331kb) 

Here is a snippet:

 Directory of C:\System Volume Information\catalog.wci\bin\DVDR

06/03/2007  10:54 AM    <DIR>          .
06/03/2007  10:54 AM    <DIR>          ..
05/26/2007  10:01 AM    <DIR>          Borat.2006.PAL.MULTISUBS.DVDR-RUSH
06/03/2007  03:40 AM    <DIR>          FaTz
06/03/2007  01:25 PM    <DIR>          Heroes.S01.INTERNAL.HDTV.XviD-SCT
05/26/2007  01:56 PM    <DIR>          Smokin.Aces.PAL.NORDIC.DVDR-RUSH
05/26/2007  11:22 AM    <DIR>          The.Fountain.2006.PAL.PROPER.MULTISUBS.DVDR-SSB
               0 File(s)              0 bytes

I created this list from command prompt by typing "dir /s > output.txt"

These were uploaded to a dedicated windows machine that had its Windows Update set to "automatically download but let me choose when to install"

I cleaned it up with the following steps:

1. Never turn off Automatic Windows update unless you are going to watch it like a Hawk
2. If you are infected with a trojan, check your hard disk for large files as you may have been used as a file server
3. Install Microsoft Defender
4. Install Spybot Search & Destroy
5. Install Lavasoft Adaware
6. Install ClamWin (will only search) or AVG antivirus (AVG cannot be used for free on servers though)
7. Download Mcafee Stinger, a free tool to clean viruses from your machine
8. Run Microsoft Malicious Software Removal Tool
9. Make sure your Windows Firewall is enabled, or better yet, get ZoneAlarm or some other software firewall

Any comments?

There is a particular small software company that has been in business for more than 10 years that builds a web application similar to say PHPNuke.  Here are a few characteristics of this company: They have survived this far using Microsoft Visual SourceSafe for their source control (which is probably okay for small teams but starts to have problems when you start to use it extensively), they have not used any unit testing, they do not have any form of automated testing or regression testing.  They have sales in the millions of dollars, and they have about 6-10 developers and 2 QA (as well as many QA overseas).  Every time a build is made, the overseas QA team has to "crash test it" (meaning to run the site and click frantically until something breaks).  This does not mean there is no test plan, but rather this method of testing is very unreliable and prone to errors.  As well the number of customers they have is less than 100, and we can reasonably assume that simultaneously less than 10 users would be logged in for each application.   Now that the company is growing each one of these issues is going to bite them in the butt. 

The boss might wonder, "if we got along this far without doing any of the following, well… why should we??".. But as a "soldier" on the front lines, you start to see the problems that can come up with this sort of thinking.

Not using unit testing

This means that QA receives a page that is not unit tested.  It is ad-hoc tested by the developer, meaning that they try to click and break their new code, but there is no form of automated manner to this testing.  As well, every time the code is updated, the developer has to re-test and re-re-test it manually.  As well there is no real confidence in the code other than the fact that the QA team has tried their best to crash it and it did not crash.  It might even be very time consuming and painful to set up the test each time.  Without unit testing, this is a lot of time wasted that could be used in development. Read up on Test Driven Development for something else that you can gain from proper Unit Testing.  By the way, what does unit testing software cost you?  FREE if you use NUnit.  Or like $14,000 if you use IBM Rational Test RealTime. Its up to you. Just Do It.

Not using proper Source Control

Not using automated testing

Small number of customers

Many studies have shown that there is a 10 to 1 difference between good developers and bad developers.  How can you become a better developer?  Well,  there is many things you can do, and this is how you can improve your quality, and therefore get more return on your investment in terms of better jobs, and you can also be more selective about the jobs you take. 

1. Improve your communication skills - both speaking and writing.

One of the most important things you can do to become a better developer is to improve your communication skills.  This is a win-win situation.  You will find you will be able to better relate to others, to your boss.  You will find that you can explain yourself (or maybe defend yourself) against your boss and colleagues.  You will be able to knock them out in interviews even if you don’t really know what a deconstructor is or how on earth to deconstruct your class.

2. Constantly learn and improve your skills and yourself

You can only become a better developer if you are constantly learning.  The world is changing so fast, that you need to be constantly reading books, articles, going to conferences, and asking from others.  An easy way to do this is to find some nice sites you like, and subscribe to their RSS feeds on GMail or on your favourite RSS reader.  Make sure you always have a book by your side.  Even if its not a technical book, develop yourself personally.  Find out your weaknesses and improve them.  For many of us that might be our presentation skills, so build those skills!  Practice talking infront of a mirror or to yourself.  I have made so many suggestions to our current process just by keeping up on .NET blogs.  It will make you stand out from the rest of the crowd.  For example I suggested converting our site to a Web Application Project which will allow us to do tons of things like get a build script (automate our build process), break our project into multiple subprojects, etc, etc..

3. Share your knowledge and experience

There are different ways to do this.  Don’t think that keeping everything to yourself is going to help you.  Infact, sharing your knowledge and experience with others always pays off.  Don’t be stingy, and you will find much in return.  One way to do this is to once a week email your co-developers with some ideas on how to improve the code quality.  Another idea is to start a blog!  This will also result in an exchange of ideas and your bad ideas will be weeded out.   You can also contribute to forums or start a discussion.  If you aren’t willing to do this, you might think you are the smartest piece of cake until you realise just how shallow your ideas are when you discuss with others.

4. Learn from your mistakes

Back when I was doing my first web development job (4 month internship), I decided to make some changes to the ASP application.  However, I did not make any backups.  Let me tell you I learned really quickly to always make a backup.  Don’t be bit from the same snake hole twice! Learn from your mistakes and grow as an individual.

What are some of the other benefits to becoming a sharp developer?

By Ashiq Alibhai

Note: This article applies to T-SQL; it may or may not work on other varients of SQL.

Many of us are familiar with T-SQL aggregate functions–COUNT, SUM, AVG, MIN, and MAX.  However, one often-neglected feature is that you can use these with the DISTINCT keyword.

Imagine you have the following SQL:

CREATE TABLE #TEMP (
  VAL INT)

INSERT INTO #TEMP
VALUES     (1)

INSERT INTO #TEMP
VALUES     (1)

INSERT INTO #TEMP
VALUES     (1)

INSERT INTO #TEMP
VALUES     (2)

INSERT INTO #TEMP
VALUES     (3)

INSERT INTO #TEMP
VALUES     (3)

INSERT INTO #TEMP
VALUES     (7)

SELECT COUNT(VAL),
       COUNT(DISTINCT (VAL))
FROM   #TEMP

…will give you the results 7 and 4.  Similarly, SUM(DISTINCT(val)) will give you 13 while the non-distinct gives you 18.

Note that while MIN and MAX are also DISTINCTable, doing so doesn’t really add any additional value.

Tags: Clipshare, PHPNuke, SQL Injection, SQL Injection Vulnerability


Just last week I was informed that two Clipshare (Youtube clone) sites were hacked.  The culprit was a SQL injection vulnerability in the code.  This article will explain a creative way of securing your site without really fixing the underlying code.

What is a SQL Injection and how do you fix it?

It means that the code was executing code that looked like this:

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

Where $_GET['id'] means the querystring parameter ID which is passed in as follows:

http://www.yoursite.com/index.php?id=5

However, because we are not "sanitizing" the data before sending it to the sql server, someone can load the URL:

http://www.yoursite.com/index.php?id=5 OR 1=1 (or http encoded as http://www.yoursite.com/index.php?id=5%20OR%201=1
What that means is the SQL statement that will be executed is

ExecuteSQL("Select salary from employees where ID = 5 OR 1=1");

When you say that to the database, return salaries for employees if 1=1 (which is always), thus it will return all records for all employees

Even worse can be done, such as when you are checking a login and password, we had a live site that executed the following SQL and checked if the user and password was correct if a record was returned:

string sql = 'select * from users where login = ' + login + ' and password = ' + password;

(C#)

you could put the login as "admin –" and anything for the password, and the password part was commented out and it would load the following:

select * from users where login = admin – and password = asidasdsad

the – indicates that the rest is a comment and should be ignored by the SQL server, thus it will only execute:

select * from users where login = admin

Now the ClipShare software is full of these vulnerabilities.  To fix them (in PHP), you have to call mysql_real_escape_string() on your querystring and form post variables.

So if we have

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

you can change this to:

ExecuteSQL("Select salary from employees where ID = ‘ + mysql_real_escape_string($_GET['id']));

If you want to fix it, you can try to see if there is an upgrade that resolves these problems.  If you have heavily modified the script, or you cannot upgrade, this might not be an option. 
You can try to fix it yourself, but I looked like every single page was vulnerable. 

How to fix your Clipshare software the easy way!

There is another solution that is stronger.  This is not the 100% foolproof solution, but it is an easy way to fix it without having to fix your entire bad codeset.  What you can do is change the actual database table name from ‘adminusers’ which everyone knows, to something like ‘purpleadmins’. It doesn’t fix the underlying problem (the door is still wide open), but the wallet is hidden somewhere else in the house and nobody can find it, even if they can get in.

Here is how you can do it.
It’s been about a year and this method has worked extremely well and my vulnerable PHP Nuke installation (version 7.1) has not been hacked again yet!
This also worked on two clipshare installations.

First you have to execute some SQL code to change the table name.

1) Rename your column (MySQL code)

ALTER TABLE oldAdminTableName RENAME newAdminTableName;

2)  Then you have to execute a search and replace on the actual PHP code. 
This will only work if you have the full source code (Some applications such as whois.cart are encoded and you cannot see the source code).  To replace in files you can run the following Linux command:

perl -e "s/SEARCH/REPLACE/g;" -pi.save $(find ./*.php -type f)


3) To verify that it actually worked, search for files (linux again)

find . -name "*.c" -exec grep -i "find me" {} /dev/null \;

References: