Categories
Operating System PHP Server Configuration

.htaccess Hack

Today, I got another wordpress that stop working and start giving 404 error. Previously client got it fixed by removing .htaccess from his installation and get it working. I thought he might mess his wordpress himself. But when we got similar error today I search and little and find that in .htaccess there is a php injected to wordpress which reside at  “/tmp/25454b22bf39c75795851f39d5e347c4”, after opening the file it looks like professional white script. But knowing computer programmer, only a hacker or idiot can place an important file in /tmp folder. Anyways, I don’t know the cause of hack yet, but I saw following pattern:

1.  Hack is known for wordpress and OsCommerce as of now. [I personnely see only wordpress below 3.0.5 been hacked, rather more specific to 3.0.4 version]

2. Hack need .htaccess file and /tmp folder, so only Linux [can they use windows temp? not know] and surely for Apache user it is an issue.

I cannot say wordpress or oscommerce is broken, but definately there is a control upload script that copy file to /tmp folder which is usually public readable. and then getting .htaccess is problem.

So if you are on Linux/apache and your software does the .htaccess read/write then you need to be beware.

Precaution

1. Make your .htaccess read only by user and group at most not for public

2. Create a empty non writable file /tmp/25454b22bf39c75795851f39d5e347c4 so in case someone try to copy it fails as file already exists.

3. Change your Passwords

4. Upgrade your software to latest version

5. Do not upload any theme or plugin which is not from known or tested source.

6. Look for vendor recommendation before installing any plugin.

Phew, so far my wordpress is safe, been on windows hosting I am sure the hack will be different if any, lets wait and see.

EDIT:  After few days of writing this article I found few instance where I can safely says that it is not a wordpress or OsCommerce hack, but rather a hack related to either Linux Operating System, or Apache Web server or Plesk Control panel. For sites I see this hack only those three are in common. All those site I saw get hacked in above way are not written by one developer, not belong to one server [except they all use plesk and apache], not using only Mysql [do you really thing mysql query can create ,htaccess?]  So, I give Clean chit to any Open source software as of now from this hack. This is indeed a server hack, Still no reason known to me.

Good luck guys !!!


Categories
MySQL Server Configuration

MySQL : Crash and Upgrade

Today, I face a new problem with MySQL. I got the database to crash quite a few times since morning. Event logs shows that there is a fault in mysqld.exe, but that error was not very clear on specific reason of fault. After searching for articles and forums, I got a hint that in past [about 3-4 yrs], one guy has same random crash problem and he found that crash was related to some store procedure. This give me a clue and I found that in my case it is a corrupted database file. I need to investigate as why that database got corrupted as it is the latest database created in system and was working fine just another day.

Anyways, this lead me to upgrade database server after 6-7 months. It was pretty easy though, just download the new version and run the setup. everything was done automatically. Isn’t it that very simple.

Categories
.NET Server Configuration

.NET 4.0 On IIS 6

With my dedicated Windows 2003/IIS 6.0 server I want to run latest version of .NET framework on it. Hence I use my Web Platform Installer to install .NET 4.0. Everything goes smooth. It was piece of cake to install it.

Now the time came to run my first .NET 4.0 Framework application, I configure a New website in IIS. Select .NET framework 4.0 from ASP.NET tab in Website property. But what I found is I am getting 404 error. Strangely enough that Default.aspx page does exists and with .NET 2.0 it works just fine. So what goes wrong ? I search and experiment with web.config, but to no avail.

Then I found this article http://www.denalimultimedia.com/info/Articles.aspx?cid=20&topic=IIS-6-ASP-NET-4-0-page-not-found-404, which clearly mention that

  • Install framework asp.net 4.0 and restart [Web Platform Installer does it just fine]
  • IIS 6.0 console should now display ASP.NET 4.0 under tab “ASP.NET” [It was again done if #1 above is right]
  • Under Web Services Extensions (in IIS console) .NET 4.0 framework might be set as: prohibited. This must be ALLOWED otherwise a browser might just return the error 404 page not found which is not very descriptive
  • ASP.NET 4.0 applications must be run in a separate process (Application Pool) otherwise you’ll get the error ‘Server Application Unavailable’.

It is anyways always good to run different programming languages in different pool. For Example, if you want to run PHP on same server I use different pool for them. Covering those 4 steps I got my server working with .NET 4.0. Wondering why Web Platform Team forgot to complete 2 step in their installer.

Categories
Article Operating System Server Configuration

IIRF: URL Rewrite, 64bit resolved

Wow, it was hard 48hrs trying to get URL Rewrite for IIS 6.0. Most of solutions are paid and hence not my piece of cake. Especially when I found a great IIRF which is free. However the developer has problem that he doesn’t have 64bit machine to test and fix. Same is with me, but I manage to get a 64bit version of it from original source with almost no change. Here are steps I used to create my 64bit version.

1. Download Latest PCRE version from http://www.pcre.org

2. Download Cmake from http://www.cmake.org

3. Using CMake, I create a Visual Studio 9 64bit Solution from it.

4. Compile PCRE in 64bit.

5. Now download the Latest Source of IIRF from Codeplex (http://iirf.codeplex.com )

6. Open its solution file, change IIRFConfig.c file to by replacing pcre_free function call to free function call [2 replacements only]. [it was otherwise giving linker error to me]

7. Now replace 3rdParty files from your PCRE version [you need to compile PCRE in Release mode only, and make a STATIC Library [by default it is dynamic library, though you need both static and dynamic]

8. Now compile your IIRF version and Bingo!!! it is done, you will get a IIRF in 64bit machine.

Now some interesting facts

1. I use Windows 7 with Visual Studio 2008 to do all this on my 32bit machine only. So I cannot test my build as it won’t run 64bit stuff.

2. I had a 64bit windows 2003 VPS with IIS 6.0 running in 64bit mode, I test it up there and it works.

3. I did all this because I want to move this blog to Windows 2003 64bit. I will do it soon.

Now, your award for reading it out, you can download that 64bit IIRF Release version here

Categories
Joyous Operating System Server Configuration

Apache and IIS 7

Been a web development company, my company need to setup a local server that allow developers to work on centralized server for ease of use and development. For this we got one Physical server. Our requirements are simple, we need IIS 7 to let the development on ASP.NET take place and we need Apache to have support for .htaccess files. Though we can do URL rewrite and more other things with IIS 7 but some of our clients have Linux hosting only, so we have to technology that our clients use.

Now I have two options, I create a Virtual Machine one over other, where one machine is Linux and other is Windows. My company got Windows 2008 Web edition License through Microsoft WebSpark program. So I decide to without Virtual machine, as I don’t like virtual machine for development purpose, they are just too much overhead. So what I did is, I install windows 2008 as Operating system, with IIS 7. Install the Web Platform using Microsoft Web Platform, which also installed ASP.NET 2.0 and ASP.NET 4.0 and SQL Server which is good enough for small scale development.

Now, it is time to configure server for PHP team, well quite a simple stuff, I download the MySQL Community edition and install it. Easy and neat. Now Download the Apache HTTPD server and install it. However I just change it’s Listen Port from 80 to 700 [just any random port] and we are done. Web Installer already install and configure PHP on IIS 7, and I use PHP-cgi from its folder to run as Apache CGI application. Hope that is decently good platform until we get our second server for development.

Our server is now become a host for:

IIS 7

Apache HTTPD server

MySQL

SQL Server

Visual SVN

Yeah it does all those, and you will get surprised to know that it runs on regular PC configuration with core2duo 2.0 GHz on intel Desktop board without RAID. It servers 1 SQL server per second per stats and have more than 20 GB of data as Web application scripts with more than 100 website configured to run on this server. And Mind it the server runs 24×7 and used only 9 hrs of production, rest of other time it just serve for Demo to client.

Isn’t it that nice little server.

Categories
Operating System Programming Server Configuration

PWNAT: Windows Complied Version

Recently I complied the PWNAT on windows, and already got few mail asking on how I did that. So to help all fan of great software, I am uploading the Windows Compatible Source.

Disclaimer: I haven’t modify any license Information. All Copyrights and signature are same as Official release of Pwnat 0.3 Beta by Samy on his site. I only remove the compile error for Windows NMAKE Utility, and I have complied the software using NMake that got shipped with visual Studio 2008. But my guess is it will work fine with any nMake version.

Note:

1. To get it complied you need to have Windows SDKs 6.0A, I try to compile it with SDK 5.0 but it failed on Winsock Library.

2. Complied Version works fine on Windows XP SP2 and Later for me. I believe it works on Windows XP onwards.

Hope I cover all notes. So enough talking here is Download Link of the same:

http://www.sumitgupta.net/download/pwnat.zip

I feel bad about this software is that it is first time when I try to contact some author he didn’t respond back, and that is why inspite been very good concept and software I found people are finding its solution somewhere else. I wish Samy, you take care of your software well. This Code is still 100% yours, I just move some line in few condition.

Categories
Operating System PHP Server Configuration

1and1.com hosting – WordPress upgrade failure

Today I was upgrading one of my client’s wordpress installation, but it was failing, later I found in some forum that this failure is because 1and1.com hosting doesn’t have PHP enable by default and that we need to map php5 compiler properly. For this all you need to do is just add

AddType x-mapp-php5 .php
AddHandler x-mapp-php5 .php

in your .htaccess and the upgrade will work fine. Also, this is just one of many reason for upgrade failure, and you should perform this after you check all permission and stuff on your application.