It's going to be hard to comment on these Base64 encoded C and Perl programs in their current form.
That daemon() function call is going to cause problems on a whole bunch of non-Linux architectures. Solaris doesn't have it for example.
You should definitely consider supporting IPv6, you can't just assume IPv4 connectivity...
You're also missing a return at the end of main().
+$auth_pass = "fe3f6d96a1ee06bc5415a5c05540c7a8";
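Review bot: the `$auth_pass` assignment commits a credential digest to the repository as a string literal. At 32 hex characters it is the length of an MD5 digest, and nothing on this line shows a salt or work factor, so anyone who can read the diff can test guesses against it offline. Keep credentials out of the source, and where a stored verifier is needed use a salted, deliberately slow password hash.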
1911990 is not a good password. Your birthday?
Let's hope you didn't use that for your email account, lovestory8976@yahoo.com
can you use a sha512 hash, instead? it's more secure.
+
Hmm the HTML isn't compliant. Please rebase from master, squash the previous commit and resubmit.
Allow? They just released a feature that lets you drag and drop images into comments — it automatically uploads to s3 and inserts the URL in your comment. For some reason, they encourage it.
I assumed that was because of changes in Skitch. Everyone I know used to take screenshots with Skitch, upload them and Skitch would copy the URL into your clipboard and you could post into Github. But since Evernote bought them they closed things down and they're basically useless now, so I figured that was why Github was motivated to add this feature.
I know that so much. Skitch is so crippled now. It was my favorite fast and simple "here let me point it out and show you" tool for everything. I annotated everything with it. With Evernote killing the ease of "let me show" half, what's the point of annotating things and taking screen shots?
If there was ever an opportunity for a disruptive simple startup idea it would be to replicate what skitch did before evernote bought it and broke the original use case.
If you are a CloudApp user (http://getcloudapp.com/) the second one is super slick. Pretty much duplicates the old Skitch functionality and returns a short URL that you can use to post. You can also use a custom domain with CloudApp if you use the paid service.
Cool, thanks for the suggestion. I had a little trouble creating an account, but I finally got it working. Installed the app and looked around it. Seems slightly less polished than Skitch, but it seems to do everything I need it to do. I'm using it, and just sent the link to my company's devteam.
You can change one setting and it will copy the direct link to the image into your clipboard - Perfect! That's exactly what I want it to do. :)
You can still download the old version (the real skitch) right there from evernote: http://evernote.com/skitch/ (small link at the bottom, "previous version").
Skitch supports FTP-upload, so if they turn off sharing in the future you can just switch to your own webspace.
No need to mess with lesser tools (or the evernote-garbage) while Skitch still works!
Yep, this is what I did. But free FTP services online are hard-ish to come by =(
I wish there was a plugin or kernel extension that modified Skitch so that you could upload it to, say, Dropbox. The other method is to point Skitch to the local machine and use Dropbox to sync, but I think you lose the clipboard thingy.
Maybe I will just switch to Monosnap. But it looks so ugly compared to Skitch!
What is happening here? I am not very accustomed to open source yet.
Edit: un-checking "show inline notes" helps.
Edit 2: So if I understand correctly, OP tried to hack into a website... by submitting code to GitHub. I was confused at first because that would have been a (very) wrong way to "hack", but as it turns out, that is indeed true. And the rest is about the code he/she used. It seems to be auto-generated in some WYSIWYG HTML editor that uses old HTML.
OT: I think everyone has made the Evil Bit/DNT header connection at some point, but it seems especially funny/snarky being tacked on without any further note in the See Also section of the Evil Bit entry. It's not often I get a laugh out of non-content stuff on Wikipedia : )
This attempt is blatant and obvious, but what about a more serious attempt where you first establish some credibility with a couple of "good" PRs that fix major problems and then add a tiny little backdoor that loads code from somewhere else. Distribute the relevant code over a couple of commits and you might just slip it in.
With GitHub's ease of merging and automated testing by Travis, it's easy to forget that changes may be actively malicious and not just buggy.
Spending months building trust while creating a giant trail of information that can be used to find you and then really pissing off the open-source community seems like a bad plan for someone that is attempting to quietly gain root. Might work if one project is attempting to discredit another project (think closed source vendor trying to steal clients who use opensourced github projects).
I'm not saying someone won't do it, I suspect it has been done a few times, but it is a dumb way to break into computers and far more work/risk than downloading metasploit and using a public exploit.
Because it works even if you can't find a proper codepath to exploit. It might gain you anything you want: A quiet path to leak admin account info to a server of your choice. An attack vector into a system trusted by more than one person.
You don't need to provide much information to get a github account, so the risk is not very much elevated.
>You don't need to provide much information to get a github account, so the risk is not very much elevated.
1. Unless you are extremely lucky, you have to gain someone's trust by posting fixes that do not contain backdoors. This leaves a trail in terms of: coding style, word usage, editor settings (tabs vs spaces), and IP records/timestamps in GitHub. It's not much but it is additional unnecessary exposure.
2. Since the code is publicly available on GitHub it stands a much better chance of being discovered later. If you own a server, do your business and change the logs, you have a very very low chance of someone discovering the intrusion after the fact.
3. If someone discovers the backdoor they can set up a honeypot. They might even allow the change to be merged and then wait for you to connect, although this is unlikely. An attacker is potentially forfeiting the element of surprise.
4. Gaining access to a remote server is trivially easy (just use a publicly available exploit before it is patched on your target server), especially if it is a webapp, especially if you have access to the code.
I'm not saying there isn't someone out there that thinks this is a great attack method. I'm just saying that an attacker that uses this method is either doing it because they think it is funny or a stupid attacker (there is no shortage of stupid attackers).
Editor settings are not much of a record if you just follow the project's code guidelines. IP records with GitHub are more of a problem, but I guess you can fake those by using Tor or any proxy. And to embed your malicious code over a series of innocent-looking commits, have a look at the Underhanded C Contest: http://underhanded.xcott.com/ There are some true marvels, code that looks innocent as a baby but does malicious things.
So yes, owning a server might be easier in some respects, but owning a project might own you a server you'd never get access to - a machine that runs behind a firewall e.g.
Or better yet, write some code in the same way as in this coding contest (where you write some innocent-looking code that contains a subtle bug that you can plausibly deny was intentional... http://underhanded.xcott.com/?page_id=7). This way, the blame trail isn't useful in proving anything!
Long story short. The FBI put on its payroll a well-paid crypto analyst trusted with commit access to the OpenBSD code. Years after that, somebody claims that the analyst was put on the FBI payroll to implant a hidden weakness in the crypto code. Audit follows; nothing found in the code. FUD still remains.
I think that largely depends on who's maintaining the official repo.
See what happened when oh-my-zsh got careless in testing pull requests: https://github.com/robbyrussell/oh-my-zsh/pull/1395/files#L1... everyone who got the update (tons of people, as it's self-updating) had their $HOME screwed up, basically breaking the entire shell.
Point being that trust only goes so far here: proper code reviews are what stop these problems.
Copyright 2000, 2001, 2003, 2005 E\/17 |-|4><0|2z Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY, COMPLETE DESTRUCTION OF IMPORTANT DATA or FITNESS FOR A PARTICULAR PURPOSE (eg. sending thousands of Viagra spams to people across the world).
Basic Installation
Before attempting to compile this virus make sure you have the correct version of glibc installed, and that your firewall rules are set to ‘allow everything’.
1. Put the attachment into the appropriate directory eg. /usr/src.
2. Type ‘tar xvzf evilmalware.tar.gz’ to extract the source files for this virus.
3. ‘cd’ to the directory containing the virus' source code and type ‘./configure’ to configure the virus for your system. If you're using ‘csh’ on an old version of System V, you might need to type ‘sh ./configure’ instead to prevent ‘csh’ from trying to execute ‘configure’ itself.
4. Type ‘make’ to compile the package. You may need to be logged in as root to do this.
5. Optionally, type ‘make check_payable’ to run any self-tests that come with the virus, and send a large donation to an unnumbered Swiss bank account.
6. Type ‘make install’ to install the virus and any spyware, trojans, pornography, penis enlargement adverts and DDoS attacks that come with it.
7. You may now configure your preferred malware behaviour in /etc/evilmalware.conf.
SEE ALSO evilmalware(1), evilmalware.conf(5), please_delete_all_my_files(1)
Importantly, this software may not function properly unless it is run with root privileges. On systems that disable the root user, look for the sudo command, or similar.
In fact, I might go so far as to say that this was never intended to be merged. I'll assume whoever did this wants their message heard, and while it will never show up on CoderDojo, the hodgepodge of coding styles ensures that the "pull request" will go viral, thus possibly reaching a far greater number of people than it would have otherwise.
What message? I read through the thing and didn't see any message. There's some encoded Arabic, but even if I could read Arabic, I couldn't read it encoded.
Downloaded that file, removed the JS and took a look in a browser. The Arabic is here (I hope HN can handle the unicode -- I've translated inline -- editorial notes between brackets):
بسم الله رب المجاهدين والشهداء ،،~
In the name of God, lord of martyrs and Moujahidin[no idea how to translate that]
إن الرساله المراد توصيلها لكم ..
The message that you are intended to receive is...
إن صواريخ المقاومه قد وصلت إلى تل أبيب والقدس الغربيه المحتله وإلى جميع التجمعات الإستيطانيه القريبه من قطاع غزه .. وإن طائراتكم التي تحلق في سماء قطاع غزه لن تحلق بعد اليوم . وألياتكم التي تتحرك على طول الخط الفاصل هيه تحت مرمى ضربات المجاهدين وسُفنكم الحربيه قُبالة شواطيء غزه أصبحت تحت الإستهداف
The resistance[Hezbollah]'s rockets have reached Tel Aviv and the occupied West Jerusalem and to all colonies[or colonial compounds/groupings? not sure] in the Gaza district... And your planes that fly in Gaza's airspace will not fly after today. And your tanks[or armoured vehicles] that patrol the dividing line are within reach of the moujahidin and your warships facing the beaches of Gaza are now being targeted.
عليكم الإن الإختيار بين أمرين لا ثالث لهما
You now have to choose between two options, you do not have a third.
( إما الرحيل عن فلسطين , أو أن تموتو على أيدي المقاومه )
Either you leave Palestine or you die at the hands of the Resistance[Hezbollah]
وسنوفر لكم خدماتنا السريعه بإرسالكم للموت بطيئأً ..
We will be quick in giving you a slow death[you can just imagine that guy chuckling to himself as he came up with this pun]
هذا ونتمنى لكم النار منعمين فيها بإذن الله
We wish you [something I don't know how to translate about fire and hell] god willing.
--
I'm Lebanese, so I've met quite a few Hezbollah/Amal people, I tend to sympathise more with the Palestinians than the Israelis in general, but shit like this makes me feel sad and unsure if I want to laugh or cry at the guy who wrote it. That is, if they were being serious and this is not just a troll.
Mujahideen has entered the English vocabulary quite a while ago, so don't worry about not finding a good translation, everyone knows it: https://en.wikipedia.org/wiki/Mujahideen
"If there is no check on the freedom of your words, then let your hearts be open to the freedom of our actions"
"The war continues until the last Zionist remains on the beloved land of Palestine"
cough Shouldn't that be until there are no more Zionists in Palestine? Are they proposing to kill all Zionists until there is just one of them left, and then say "you're the last one here, you can stay".
In the sense that it is a cultural artifact that is passed along from one individual to another, yes. In the sense that it is something annoying kids on the internet use that must be complained about, no, not necessarily.
So any salt [was hash] used would have to be present in the code too.
Given that such a simple password (8 digits) could be brute forced in seconds on an average PC, even with a salt, it doesn't really matter whether it was salted or not.
A password of "p*l12nJ9£l ~98as2389bvkqsopfq£3oef2[olpe]wog!wei^og(8ni" would take an unrealistic amount of time to brute force, even if unsalted, and it's beyond the scope of any precomputed rainbow tables for similar reasons.
Anyway, it's only a concern if he uses the same password elsewhere.
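Added example (not part of the thread or of the pull request's code): the comment's point that a salt does not protect a short all-digit password, next to what a deliberately slow hash changes. The function names, the constructed 4-digit sample value and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import os
import time


def salted_md5(salt: bytes, candidate: bytes) -> bytes:
    """Fast hash with a salt, the scheme the comment above considers."""
    return hashlib.md5(salt + candidate).digest()


def slow_kdf(salt: bytes, candidate: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is an assumed setting."""
    return hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)


def search_digits(hash_fn, salt: bytes, stored: bytes, digits: int):
    """Try every all-digit string of this length; the known salt is just reused."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hash_fn(salt, candidate.encode()) == stored:
            return candidate
    return None


def guesses_per_second(hash_fn, salt: bytes, samples: int) -> float:
    """Measure how many candidates this interpreter can hash per second."""
    start = time.perf_counter()
    for n in range(samples):
        hash_fn(salt, str(n).encode())
    return samples / (time.perf_counter() - start)


def worst_case_seconds(digits: int, rate: float) -> float:
    """Time to exhaust the whole keyspace of `digits` decimal digits."""
    return 10 ** digits / rate


if __name__ == "__main__":
    salt = os.urandom(16)               # stored beside the hash, so it is known
    stored = salted_md5(salt, b"4821")  # constructed 4-digit sample value
    print("recovered:", search_digits(salted_md5, salt, stored, 4))
    fast = guesses_per_second(salted_md5, salt, 50_000)
    slow = guesses_per_second(slow_kdf, salt, 3)
    print(f"8 digits, salted MD5: {worst_case_seconds(8, fast):,.0f} s")
    print(f"8 digits, PBKDF2:     {worst_case_seconds(8, slow):,.0f} s")
```

The rates are measured for a single Python process only; what matters is the ratio between the two estimates, since the keyspace is the same 10^8 candidates in both cases.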
> A password of "p*l12nJ9£l ~98as2389bvkqsopfq£3oef2[olpe]wog!wei^og(8ni" would take an unrealistic amount of time to brute force, even if unsalted, and it's beyond the scope of any precomputed rainbow tables for similar reasons.
Since rainbow tables look up a password via its hashed value, I believe you could find something else that has a hash collision -- for all we know, it has the same hash as 'ponies'.
In case anyone's curious and got down to the embedded YouTube video in the code, it's an Arabic-titled video of a screen recording of a Facebook video (further evidence of the author's technical prowess) of two Israelis in a place undergoing rocket fire from Gaza... definitely recent as well as they say "Where's the iron dome!?" in Hebrew. It's about a minute and a half of the rocket sirens blaring and them hearing rockets landing in the distance, screaming out of fright/being startled when they do.
Pretty disturbing stuff, to say the least. Combined with the English text about the Zionists leaving Palestine, I just wanted to shed some light on the intention of the defacement.
But if I ever need a jury of my peers to audit my coding style to see how good it is, now I know what to do - a pretend-attempted-defacement is bound to be more effective than finding some place on the net to ask 'Is this proper idiomatic javascript?'.
If you ever actually need a place to check whether your JavaScript is idiomatic, try Code Review Stack Exchange (http://codereview.stackexchange.com/).
I can't understand how someone capable of understanding and doing a git pull request can produce this kind of "code".
Or how did he think that he could pull this thing off? Is there a "10 ways to hack a website" where a git pull is one of them?
The fact that there is a code snippet from a tutorial on "How to Create a Website With Notepad" and the whole thing seems like it came out from an old WYSIWYG editor, the thing obviously was made by a script kiddie.
Script kiddies use git now? Wow
GitHub makes a lot of things really easy. I'm guessing he just used the "edit" button while viewing a file in GitHub, which will make GitHub automatically fork, commit, and submit a pull request.
Hacktivism is more like hacking for a cause. This is social hacking, where the hack is perpetrated entirely in the social space - adding a PI as a friend on Facebook, having a rival company able to see your LinkedIn profile page or hanging around in your company Skype channels - that sort of thing.
It's equivalent to knocking on someone's door and asking them if you can graffiti their house wall, egg their car, and toilet paper their front yard tree. All while having the graffiti, egg, and toilet paper in your hands in front of their face.
The comments are even better, and so to extend this analogy:
After you ask them, they then criticize your choice of spraypaint ("Krylon? Really? Not using Rustoleum, even though this is clearly for outside application?"), testing that your egg is actually of proper dimension and size, and then sighing in annoyance upon finding out that your toilet paper isn't quilted.
What if they are Palestinians "being bombed back into middle ages"[1] or from another Arab country that provides 1/100th of the opportunities we have to know `how to be a pro hacker`, a foreign language or, say, an expert modern coder that knows all the little beautiful standards?
Suddenly all the smart comments feel a lot less fun
+ <script language="JavaScript1.2">
Are you sure, like, really really sure, you want JavaScript 1.2?
+var speed=1
please run jslint on your code before submitting a pull request
There are so many errors that JSLint gives up on this code at 39%.
+temp=document.body.scrollTop
You really shouldn't declare a variable without using var - can lead to all sorts of scoping problems.
Oh, good catch! You should submit a pull request to fix this
+<mass of span elements>
There's a couple of redundant span elements here, when you get time, you could optimise this
+ <p align="center" dir="rtl"> </p>
It's great that you've made sure that non-breaking space is read right to left, your readers would have been screwed otherwise.
+ $bind_port_p="IyEvdXN...<base64 encoded string>";
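Review bot: `$bind_port_p` is assigned an opaque base64 string, so the program it carries cannot be read in this diff, and the variable name suggests a port-binding listener. Decode it offline and review the result as source before going any further; a change that ships executable content in encoded form should be declined as it stands.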
+$auth_pass = "fe3f6d96a1ee06bc5415a5c05540c7a8";
1911990 is not a good password. Your birthday?
Let's hope you didn't use that for your email account, lovestory8976@yahoo.com
can you use a sha512 hash, instead? it's more secure.
+
Hmm the HTML isn't compliant. Please rebase from master, squash the previous commit and resubmit.
Thanks for your invaluable future contributions