Archive for the 'Miscellaneous' Category

Past exploits, new trend?

There isn’t precisely a flood of traffic on this site, so I occasionally take a gander through the logs. The webserver logs are invariably beset with a somnolent assortment of search engine crawls, spam postings, impotent security attacks, footling scans, and – if I’m lucky – a few “real” page views. Today amongst the clutter, I saw something of some meagre interest. Someone had tried what would at first glance seem an antiquated attack: trying to retrieve the /etc/passwd file, cf. Firewalls and Internet Security: Repelling the Wily Hacker; Cheswick & Bellovin. The appropriate line from my httpd log is as follows:

62.1.205.86 - - [26/Apr/2009:22:18:43 +0100] "GET //index.php?view=../../../../../../../../etc/passwd HTTP/1.0" 301 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070400 SUSE/3.0.1-0.1 Firefox/3.0.1"

(The PTR record for the IP being venus.marinet.gr.)

At first, I was quite amused; I thought that it was a refreshing change to see someone throwing an attack with at least a mien of intent, albeit out-dated by about a decade and probably scripted.

Indeed, if I had been running a very poorly configured httpd server it may have given the attacker the /etc/passwd file. Notwithstanding that, even if the attack had succeeded in retrieving the /etc/passwd file, they would have recovered no password hashes as I run FreeBSD; they are looking in the wrong place. They would also have to invert the ‘Blowfish’ password hashing scheme used in FreeBSD against a high entropy password. Finally, there is that minor peccadillo of not having a login service available to try the password against.

Aside from those minor complications, I thought the furtive little attempt rather cheeky, and had a chuckle. On a closer inspection however, I found another entry in my httpd logs:

66.249.70.42 - - [27/Apr/2009:00:28:08 +0100] "GET /?view=../../../../../../../../etc/passwd HTTP/1.1" 200 44729 "-" "Mediapartners-Google"

An IP which is apparently owned by none other than the mighty Google itself.  So, why in holy googlebot is Google trying to retrieve the /etc/passwd file? This I have taken with more than a small pinch of demur.

There are two possibilities:

i) Google is going on a hacking spree – an unlikely reason unless the development team are insufferably bored after all the excitement of taking over the world;

ii) there is some peculiar search engine magic brewing, perhaps there are a few malcontents out there submitting these URLs to Google to crawl.

In an attempt to discern the origin of this, I’d emailed Google’s security lot at the beginning of the week. In a blatant act of solecism, I have decided to post this now instead of waiting the mannerly week. In the meantime, if anybody has seen similar logs or knows what this is then please post a comment.
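The two log lines above are exactly what a small log-scanning script should pick out of the clutter, so here is one as an added example (my own illustration, not code from the original post or from any tool the post mentions). It assumes the Apache "combined" log format the quoted lines appear to use, URL-decodes query values so that percent-encoded or double-encoded "../" sequences are caught as well as the plain form, and reports the status code alongside each hit. The third and fourth sample lines are constructed for the demonstration; the first two are the ones quoted in the post. Note that the User-Agent string is supplied by the client and proves nothing about who sent the request; the IP address and its PTR record are the only attribution evidence in the log.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache "combined" log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files that a traversal attempt classically aims for (FreeBSD keeps the hashes in master.passwd).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/master.passwd", "/etc/shadow")


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise(value):
    """Undo one or two layers of percent-encoding and treat backslashes as path separators."""
    decoded = unquote(unquote(value))
    return decoded.replace("\\", "/")


def traversal_indicators(target):
    """Return (where, decoded_value) pairs from the request target that look like traversal."""
    path, _, query = target.partition("?")
    # parse_qsl already decodes one layer; normalise() handles a second one.
    candidates = [("path", path)] + parse_qsl(query, keep_blank_values=True)
    hits = []
    for name, raw in candidates:
        value = normalise(raw)
        if "../" in value or any(p in value for p in SENSITIVE_PATHS):
            hits.append((name, value))
    return hits


def scan(lines):
    """Run every line through the traversal check and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = traversal_indicators(rec["target"])
        if hits:
            # A 200 only means something was served; compare the size with the normal page
            # before concluding that the file itself was disclosed.
            alerts.append({
                "ip": rec["ip"],
                "status": int(rec["status"]),
                "size": rec["size"],
                "ua": rec["ua"],
                "indicators": hits,
            })
    return alerts


# First two lines are the ones quoted in the post; the last two are constructed samples.
SAMPLE_LOG = [
    '62.1.205.86 - - [26/Apr/2009:22:18:43 +0100] "GET //index.php?view=../../../../../../../../etc/passwd HTTP/1.0" 301 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070400 SUSE/3.0.1-0.1 Firefox/3.0.1"',
    '66.249.70.42 - - [27/Apr/2009:00:28:08 +0100] "GET /?view=../../../../../../../../etc/passwd HTTP/1.1" 200 44729 "-" "Mediapartners-Google"',
    '203.0.113.5 - - [27/Apr/2009:01:02:03 +0100] "GET /about/ HTTP/1.1" 200 10321 "-" "Mozilla/5.0"',  # constructed, benign
    '198.51.100.7 - - [27/Apr/2009:03:14:07 +0100] "GET /index.php?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 512 "-" "curl/7.19.4"',  # constructed, double-encoded
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["indicators"])
```

Run as a script it lists the first, second and fourth sample lines; the benign request to /about/ is ignored, and the double-encoded variant is reported with its decoded value so the analyst sees the same "../../etc/passwd" regardless of how it was wrapped. Feeding the real access log in is a matter of passing `open(path)` to `scan()` in place of `SAMPLE_LOG`.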

Personal Website

In anticipation of my desire to post “everything but the kitchen sink” on this blog, I thought it best to set up a personal website and keep this for the information security material.

Although, I have now given myself another Wordpress installation to maintain.

Fiddle, fuddle

Slightly off topic, but annoying enough that I thought it worthwhile.

If you’re ever trying to work out how to enter unicode characters with keyboard shortcuts in Openoffice under Gnome, then it’s Ctrl+Shift+u+XXXX+Space (where the XXXX is the unicode number), the space is the extra spice needed in Openoffice that isn’t needed in other Gnome apps. You wouldn’t believe how annoying that was to find.

Right, will somebody please tell me why the toaster is trying to eat the sofa?

Every so often I read about a planned technology or idea and think, “wow, that really is monumentally stupid”, and this month Nokia’s new toy in development takes the prize.

Has Nokia forgotten what happened when wireless access points started appearing in people’s homes? Naturally, other people started driving around and creating maps of open access points they could use. Then along came WEP, quickly followed by its subsequent and decisive departure. Personally, I still think wireless is a daft idea. Anyway, back to the point; while all the wireless abuse was/is usually pretty benign, generally limited to getting internet access for free, can you imagine what’s going to happen when the first vulnerabilities start appearing in these “Home Control Centres”? Again a totally redundant and essentially useless technology is going to wreak havoc… let the games begin.

Personally, I think programming your neighbour’s livingroom lights and stereo to re-enact the “Day-O” scene from the film “Beetlejuice” could have good entertainment value. I however also think there will be a select few out there that will have other more nefarious ideas. Maybe wirelessly connecting your oven up to your new “Home Control Centre” wasn’t such a good idea after all…

… is it just me or is there a burning smell?

Spam spam spam spam. Lovely spam!

I love it when you can determine something about the hidden internals of a system only from superficial behaviour. For example, the idea of being able to detect the presence of a black hole from its gravitational effect on other visible objects like stars struck me as pretty neat. Anyway, not quite as stellar, but I’ve noticed a curious Gmail phenomenon: if you look into the “spam” folder, then for almost every page load, the advertisement that appears above the mail list is for some type of Spam food product (seriously, try it).

More intriguing than the sheer variety of Spam products advertised is how Google’s contextual placement is deciding to put those advertisements there. It hasn’t come from the contents of the emails, unless I happen to be the only person on the planet receiving a load of spam mail about Spam (oh, the irony, ah-hem) – so the only possible answers must be that either it’s been hard-coded in (and the advertisers probably deserve a discount), or Google’s contextual system is not only basing its decisions on the content of the emails but the surrounding page structure.

I’m guessing it must be hard-coded, as I doubt any user would want to see advertisements based on the content of spam email – you really never know what it would generate. Which means at some point they’ve tweaked those ads only to generate advertisements for products containing Spam… hehe. Monty Python lives on.

It’s good to talk.

I’ve removed the need to wait for comment moderation, so post away.

UPDATED 07/11/08: The Akismet spam filter seems to be a tad on the aggressive side, so if your comment doesn’t appear immediately, it will appear soon as I periodically check the queue.

It is I, LeClerc!

According to this article in the Telegraph, an MI6 agent was being interviewed for BBC’s “The One” show when his fake moustache fell off. To be honest, I’m slightly baffled by this story and assuming it’s a bit of a joke. But in any event, I’m sure we’ll all feel safer in our beds tonight knowing whom the foreign security interests of our country are entrusted to.

Advisory note to up-and-coming foreign terrorist groups: if you come across a guy with an upper-class English accent, tweed jacket and dodgy moustache – shoot him first.

Opera, GMail and Javascript

As a side note, I’ve recently found Opera (9.x versions) using about 80% – 100% CPU when browsing Javascript intensive sites; mainly GMail and Facebook. It seems that others are having similar issues. GMail seems to be fixed by using the opposite of the advice given here, i.e. press F12, then “Edit Site Preferences” -> “Network” tab -> change the Browser Identification to “Opera”. This could be a fluke, but it seems to have fixed things in GMail at least.