Wednesday, 24 April 2013

AARTO Website Hacked


Imagine visiting your website only to find someone you've never met and probably never will took the time to deface it. This is definitely one of the top 10 things an IT administrator never wants to see but exactly what happened to the website of the Administrative Adjudication of Road Traffic Offences in South Africa.

Googling for "rEd X was here" clearly shows many sites with similar carnage, results count here was well over 161 000 on Google and the seemed to be mostly wordpress based sites. With such a high count the chances are very good that this is some script being run which checks if a site is vulnerable to a specific wordpress bug or flaw.

Additionally the website is accompanied by the following song on youtube, loaded in the background and played automagically to the user: http://www.youtube.com/watch?v=ptZ1wo3JsPc

Additionally the code contained some interesting javascript to disable the context menu, key down, and mouse down actions on the page:

<body oncontextmenu="return false" onkeydown="return false" onmousedown="return false">

Interestingly enough the name used for some of the files included within the page contain the name "ondhokarer_rajputra" which seems to point to 1 user on google (which has listened to the song above recently), and 1 facebook user, both seem to be based in Bangladesh. Could this be the hacker?







Sunday, 21 April 2013

Compiling GCC 4.8.0 on Linux

Ever wondered how to compile gcc? I recently required a feature in a version of gcc that wasn't readily available as a package on my distribution, so as I love source compiling in Linux, the recipe is below:

wget http://www.onmsfiles.com/gcc/gcc-4.8.0/gcc-4.8.0.tar.gz
tar xvzf gcc-4.8.0.tar.gz
cd gcc-4.8.0
./contrib/download_prerequisites
./configure --prefix=/opt/gcc480
make
make install

You can limit the languages by gcc by adding the --enable-languages flag to the configure command eg. --enable-languages=c,c++

Additionally it's quite a beast to compile, so if you have a more than one processor available you may want to add flags to your make to speed up the process.

Thursday, 11 April 2013

What, I need "premium" support?

I notice more and more start-up companies that I do business with are offering various levels of support, ie. the more your willing to pay the faster they may answer. I find this to be such a flawed concept... you purchase their paid service (open source is clearly different) at a profit to the company, I feel it's their duty to provide free decent support - after all it's their service!

Think about it, how often do you really call on support? I mostly do when things go wrong and depending on how good the service is this might be less than once a year, I've had services run for more than 3 years without having to call on a support team once! The majority of places offering a service to you offer free support, some of the support is absolutely excellent at helping you out and do so with a smile, one major example being hosting companies like Burst, Softlayer, Leaseweb, etc

Waiting for days for a "free" support (if even available) reply not only turns frustration into anger it makes customers want to find an alternative, a company who cares about them and will even pay more for the product if it means supports readily available. Truth be told I've worked in support, yes it becomes busy but their is simply no reason not to assist people in a timely manner (if you can't - get more staff or check why your getting so many requests) or at the very least provide proper communication for them to know whats happening behind the scene's.

As I write this I'm waiting on a support ticket answer, one part of my site is down and it's been days, why purchase a support plan when it'll just make them rich when I don't use it for the majority of the time... almost feels like they stretch it out to entice you to purchase support, it feels like time to find an alternative! *update* I found an alternative (sms messaging API with free "premium" support) and implemented their API in less time than the 4 days support took to respond with what was a question leading to another 4 day wait... they (and a popular cloud based security provider) have lost all my feature revenue, might not be much but combined with all the clients they lose in a competitive environment due to this, pretty sure it'll hurt in the long run!