Zamfoo Sucks and You Shouldn’t Use It

Posted by Nessa on April 19, 2014

If you’re one of the more fortunate ones that has not been exposed (in all meanings of the word) to Zamfoo, it’s a suite of plugins that integrates with cPanel/WHM to add additional account management functionality for “easing the burden of web hosting providers” [SIC]. And by “easing the burden of web hosting providers”, it really means letting people have root access to your server because Kevin Quinn is too lazy to write a decent application.  I don’t know about you, but I often stay awake at night wondering how I can expose my customers to severe and unnecessary security risks, because there just isn’t enough of that on the Internet already.

In case Mr. Quinn removes the install script before you get a chance to lol, don’t worry.  There’s an online installer that is just as legit. Seriously. You’re going to need to change your shorts for this one:


All the while I was thinking: Ah, yes.  Let me go ahead and put my ROOT credentials into this unencrypted PHP web form that’s nested into a TikiWiki installation.  And good thing special characters in the root password might be a problem for this totally professional means of installing a server application.  That means I can finally pick a root password that I can actually remember without wasting grey cells #YOLO.


Ok, all sarcasm aside, Zamfoo is among the biggest stagnant cesspools of shi*ty coding clusterf*ck I think the modern hosting industry has ever seen.  And Kevin Quinn's people skills are just as competent as his coding (and his grammar for that matter, because English is hard), to say the least.  Because when reputable security companies inform you that your software is rootable, a responsible developer completely ignores it and threatens legal action, right?

Zamfoo sucks and you shouldn't use it.

As a people, we must stand together and not be part of this.  Uninstall Zamfoo, grab a beer, and send Kevin an email to let him know how big of an a**hole he is for letting this debilitated piece of crap exist on the Internet.


PS: Oh, and this is for you Kevin.

cPanel Security Advisor: Don’t Take it to Heart

Posted by Nessa on February 19, 2014

cPanel 11.40 introduces a new feature in WHM called "Security Advisor". I don't mess with WHM a lot, so while I was vaguely aware that such a feature existed in cPanel, only today did I actually mosey over and give it a run.

Well, it’s pretty obvious that this tool was whipped up in response to people repeatedly asking the blanket question: “How do I secure my server?” (Easy: you hire someone that knows how to secure servers). As the leading provider of its type, cPanel is under a lot of pressure to keep up with the demands of their clientèle, including the ones that expect a point and click solution to everything.  And while cPanel’s efforts here are meritorious, Security Advisor appears to do nothing more than make a series of “educated” guesses about what your server is, or should be, doing.  This leaves me wondering how many people are making unnecessary and thoughtless changes to their servers because some script told them to.

Here are a few examples of what it found on one of my test boxes:

Apache vhosts are not segmented or chroot()ed.

Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”


No brute force protection detected

Enable cPHulk Brute Force Protection in the “cPHulk Brute Force Protection” area.


ClamAV is not installed.

Install ClamAV within “Manage Plugins”.


A newer kernel is installed, however the system has not been rebooted. running: 2.6.32-279.22.1.el6, installed: 2.6.32-431.5.1.el6

Reboot the system in the “Graceful Server Reboot” area.

So, for one: my contempt for CloudLinux is only matched by equal hatred for mod_ruid2 (required for “Jail Apache”).  SA missed the CloakFS setup on this server, which achieves the necessary jailing.

cPHulk and ClamAV are not the only software of their kind either, so if you use CSF, BFD, and/or your own AV, be prepared to hear Security Advisor roar.

Ksplice has been a thing for a while now.  My reboot-less kernel upgrade is no match for you, Security Advisor.

Now, there were some legitimate things SA found, but nothing that I necessarily care about.  Here’s why:

My intention here, contrary to how it may seem, is not to blast Security Advisor for its efforts in guiding sysadmins down the daunting and never-ending path of system security.  My point is that you need to understand your system: which of the security 'violations' it reports are actually problematic, and what the best way to address them is in your environment.  The solutions SA suggests may already be covered by other measures in place on your system, or be better addressed using a different method.  For example, I don't condone switching to ruid2 on a shared server just to provide the jailing capabilities that CloakFS and CageFS can provide just as securely.  Or pointlessly rebooting your server because SA doesn't like the output of uname.  Before you make changes to your server, understand what you're doing, why you're doing it, and whether it really needs to be done.

BTW, cPanel, I still love you guys.  I just don’t fancy Security Advisor.

Spike TV’s “World’s Worst Tenants”, Absolutely Fake

Posted by Nessa on April 17, 2013

I’m not a huge reality TV fan, but a few days ago I stumbled across a show called “World’s Worst Tenants” on Spike TV, and admittedly I got a little hooked.  The show focuses on a trio of “eviction specialists” that investigate disputes between tenants and their landlords, often ending in some sort of bizarre situation that, in essence, seems utterly ridiculous and only borderline realistic (even though they are in fact stated to be re-enactments of events that supposedly happened).

What really caught my attention is the season 2 episode “Motel California“.  My husband happened to be watching this episode with me and as the last segment progressed he almost immediately noticed that something was amiss.

The house in the episode is the same one that appeared as the setting of The Amityville Haunting, a 2011 low-budget horror film on Netflix that wasted almost two hours of my life last month.  Since the movie sucked so much and it’s unlikely that anyone lasted past the first ten agonizing minutes, I guess the show’s producers didn’t think that filming there would be a dead giveaway.  And yes, I’m the loser that sat there taking still shots of the TV with my camera phone to deliver undeniable proof that this show is completely fake.  It’s understandable that the crew would rent a house to perform their re-enactment, but they also clearly stole the back-story from the movie as well.

Let’s start with the front of the house.  Here is the shot that was shown as the three are walking up to the house, discussing the reason why they were there: the tenant wasn’t paying her rent and the show’s specialists – Todd, Randye, and Rick – were sent to give her notice to pay up.

Now, here is a similar image from the movie, taking place near the beginning when the Benson family is touring their future home that, unbeknownst to them, is haunted by the late DeFeo family (even though it’s not the same glaring house from the other 10 Amityville movies). Aside from the identical architectural features, such as the steps, windows, door, and bushes, you’ll notice the same lion statues and cement sculptures decorating the porch area:


A few minutes later, the lady is explaining to Todd and Randye the reason she hasn’t been paying rent – her house is apparently haunted, and she spent her rent money hiring paranormal investigators to look into what she believes is the ghost from a murder that occurred in the house in 2010 (apparently the landlord never disclosed this information, she instead found a death certificate on the Internet). She hears sounds at night, feels a strange vibe when walking around the house, and her lights keep flickering. Ooooooo, scary. And original. Definitely not the premise of the movie that happened to be filmed in the same house.


If you look behind Randye you’ll see the same door from the film that was repeatedly opening itself at night, next to the same fireplace, dresser chest, and white sofa seen in the movie.  When Todd moves out of the way you can also see the two lamps,  but I didn’t care to get a still shot of that one.


Now we’re walking through a dining room area while Todd yaps about how his dad was a mortician who didn’t believe in ghosts.  Behind them you can see a large paned window with a swan sitting on it:


This is where the likeness becomes all too visible.  It looks like whatever studio owns the house didn’t even bother to redecorate between filmings:


You may have also noticed the ugly wallpaper behind Todd.  Look familiar?


While loony lady is going on about the murder, we're led to a study-type area with a large bookcase, a ladder in front of said bookcase, and a few couches.


Several scenes in the movie display the same room with the exact same bookcase, chaise, and ladder (plus a really dead guy who didn’t grace the TV show):


Unfortunately the kitchen and bedrooms were not shown in the episode, but it’s pretty obvious this is the same house.

In case you're wondering, it turns out the lady's house was actually not haunted.  No, I guess that claiming it was would have blown the whistle on the fakeness all too soon.  Apparently Rick discovered the house had some foundation damage that was messing with the structural stability and electrical wiring, explaining all the paranormal phenomena that loony lady was experiencing.

In conclusion, the entire episode was staged.  It’s not like they claim the stories on the show are 100% real, but some are just obviously fabricated in their entirety.  All in all, the show is still pretty funny, but definitely not as enjoyable now that I know the truth.

Basic Fun with IPs in PHP

Posted by Nessa on August 7, 2012

I was working on an application a couple weeks ago that required the ability to extract data about an IP range when only a CIDR is provided.  Of course I checked the oracle first because I'm too lazy to write my own code, but was disappointed to be unable to find a PHP script that did exactly what I needed.  I did manage to find this nifty little function which made things so much easier:

function cidrToRange($cidr) {
    $range = array();
    $cidr = explode('/', $cidr);
    // Netmask with the top (prefix length) bits set; /24 gives -256, i.e. 255.255.255.0
    $mask = -1 << (32 - (int)$cidr[1]);
    // Clear the host bits so an unaligned input such as 192.168.1.5/24 still
    // yields 192.168.1.0, then set them all to get the broadcast address
    $network  = ip2long($cidr[0]) & $mask;
    $range[0] = long2ip($network);           // network address
    $range[1] = long2ip($network | ~$mask);  // broadcast address
    return $range;
}

This function, though short in stature, is actually all you need to extract data from a provided CIDR range. Firstly, let's set the value of $cidr to something simple, and look at the returned $range array:

$cidr="192.168.1.0/24";
$range=cidrToRange($cidr);
print_r($range);

Result:

Array
(
    [0] => 192.168.1.0
    [1] => 192.168.1.255
)

As you can see, the array contains the first and last IPs in the CIDR range, so you can grab these values out rather easily:

$first_ip = $range[0];
$last_ip = $range[1];

Getting the gateway, broadcast, and subnet mask

The two values you already have are the network address (the first address in the block) and the broadcast address (the last). The gateway is a convention of your network rather than a property of the CIDR: it is usually the first usable host, 192.168.1.1 in this example.  All you need now is the subnet mask, and to calculate it you'll need to separate the prefix length (what follows the "/") from the value of $cidr:

$cidrmask = explode("/",$cidr);
$cidrmask = $cidrmask[1];

Once we have the prefix length, which in my example is 24, you can calculate the subnet mask (255.255.255.0 for a /24):

$subnet_mask = long2ip(-1 << (32 - (int)$cidrmask));

Listing all IPs in the CIDR range

Now for the fun part, which was not so fun when you’re automatically conditioned to think that everything has to be harder than it needs to be.  PHP has an ip2long function that basically converts an IPv4 IP address to a long forgettable number. The simplest way I found to pull out a list of IPs in a range is to convert the IP to its long format, increment it, then convert it back.  Here’s the full script:

function cidrToRange($cidr) {
    $range = array();
    $cidr = explode('/', $cidr);
    // Netmask with the top (prefix length) bits set; /24 gives -256, i.e. 255.255.255.0
    $mask = -1 << (32 - (int)$cidr[1]);
    // Clear the host bits so an unaligned input such as 192.168.1.5/24 still
    // yields 192.168.1.0, then set them all to get the broadcast address
    $network  = ip2long($cidr[0]) & $mask;
    $range[0] = long2ip($network);           // network address
    $range[1] = long2ip($network | ~$mask);  // broadcast address
    return $range;
}
 
$cidr="192.168.1.0/24";
 
$range = cidrToRange($cidr);
$first_ip = ip2long($range[0]);
$last_ip = ip2long($range[1]);
 
$first_ip++; // skip the network address; the "<" in the loop condition also skips the broadcast address
while($first_ip < $last_ip){
    $real_ip = long2ip($first_ip);
 
    if(!preg_match('/\.0$/',$real_ip)){ // Don't include IPs that end in .0
        echo $real_ip . "\n";
    }
 
    $first_ip++;
}

This will list out the usable IPs in the CIDR provided, i.e. everything except the network and broadcast addresses (and, because of the preg_match inside the loop, anything ending in ".0").  Note that an address ending in .0 is a perfectly valid host in a block larger than a /24 (a /23, /22, and so on); skipping it is a local convention rather than a rule, and for a /24 or smaller the filter changes nothing, since the only .0 is the network address the loop already skips.  Also note that the loop prints nothing for a /31 or /32, because there is no address strictly between the first and the last.  This is of course just a starting point; adjust it to match how your networks are set up.
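As an added example (my code, not code from the original post), here is a stricter version of the same idea: it validates the CIDR string before doing any arithmetic, so a malformed or hostile input (a prefix length of 33, a missing "/", an address ip2long() would reject) returns null instead of quietly turning into a /0, and it reports the network, broadcast, mask and usable host range, handling the /31 and /32 edge cases the loop above skips. Host addresses come from a generator so a large block never has to be built as an array. The names cidrInfo() and cidrHosts() are my own, and the code assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example, not part of the original post. Assumes 64-bit PHP 7.1+.

/**
 * Parse "a.b.c.d/n" into its network facts, or return null when the input is
 * not a valid IPv4 CIDR. Rejects prefix lengths outside 0..32 and anything
 * that is not a dotted-quad IPv4 address, so untrusted input cannot silently
 * become /0 the way (int)"garbage" would.
 */
function cidrInfo(string $cidr): ?array {
    if (!preg_match('#^([0-9.]+)/([0-9]{1,2})$#', $cidr, $m)) {
        return null;
    }
    if (filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $bits = (int)$m[2];
    if ($bits > 32) {
        return null;
    }

    // Netmask as an unsigned 32-bit value: /24 -> 0xFFFFFF00, /0 -> 0
    $mask      = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    $given     = ip2long($m[1]);
    $network   = $given & $mask;                // host bits cleared
    $broadcast = $network | (0xFFFFFFFF ^ $mask); // host bits set

    // A /31 (RFC 3021 point-to-point) and a /32 have no separate network and
    // broadcast addresses: every address in them is usable.
    if ($bits >= 31) {
        $firstHost = $network;
        $lastHost  = $broadcast;
    } else {
        $firstHost = $network + 1;
        $lastHost  = $broadcast - 1;
    }

    return [
        'network'    => long2ip($network),
        'broadcast'  => long2ip($broadcast),
        'netmask'    => long2ip($mask),
        'prefix'     => $bits,
        'first_host' => long2ip($firstHost),
        'last_host'  => long2ip($lastHost),
        'hosts'      => $lastHost - $firstHost + 1,
        // false when the caller passed a host address (192.168.1.5/24) rather
        // than the network address; useful for flagging sloppy input
        'aligned'    => $given === $network,
    ];
}

/** Yield every usable host address in the block, one at a time. */
function cidrHosts(string $cidr): Generator {
    $info = cidrInfo($cidr);
    if ($info === null) {
        throw new InvalidArgumentException("Not a valid IPv4 CIDR: $cidr");
    }
    $last = ip2long($info['last_host']);
    for ($ip = ip2long($info['first_host']); $ip <= $last; $ip++) {
        yield long2ip($ip);
    }
}

// Usage: the post's block, an unaligned input, the point-to-point edge case,
// and two inputs that must be rejected rather than interpreted.
print_r(cidrInfo('192.168.1.0/24'));
print_r(cidrInfo('192.168.1.5/24'));   // same block, but 'aligned' is false
print_r(cidrInfo('10.0.0.0/31'));      // two usable hosts, no broadcast
var_dump(cidrInfo('10.0.0.0/33'));     // rejected: prefix length out of range
var_dump(cidrInfo('10.0.0.0'));        // rejected: no prefix length

foreach (cidrHosts('192.168.1.0/29') as $host) {
    echo $host, "\n";
}
```

The validation is the part worth keeping even if you discard the rest: the original cidrToRange() casts whatever follows the slash with (int), so a request parameter of "10.0.0.0/" or "10.0.0.0/abc" becomes a /0 and the listing loop will happily try to walk the entire IPv4 space.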

New URL Shortener – gg.gg

Posted by Nessa on June 27, 2012

All of us Facebook and Twitter buffs are fond of URL shorteners.  When you’re working with character limitations or on mobile devices they make sharing links a lot easier than typing in long URLs. I came across a semi-new URL shortener and thought I’d share it with my readers. The website gg.gg is similar to other URL crunchers out there but offers a nice suite of interesting features:

  • URL shortening (of course)
  • No ads
  • Ability to choose a custom shortened URL
  • Quick “share” links for Twitter, Facebook, and FriendFeed
  • Ability to track visitors
  • URL shortener Chrome plugin
  • Extensions for Opera

In the future, the developers of gg.gg will be offering more advanced hit statistics as well.  The added support for QR codes is also an excellent feature that enhances support for mobile devices. For example, instead of having to type in a link, the user can simply scan the QR code with their smart phone and go to the website without having to enter the URL.  Being able to track visitors is also a handy feature if you're trying to see how popular your links are when you don't have the patience to deal with things like Google Analytics.

Not to mention how easy it is to remember something like “gg.gg”.

 

Basics of YAML Parsing in PHP

Posted by Nessa on June 22, 2012

I know I’ve been on hiatus for a while and have neglected to update my website in over a year. That’s what happens when you get married and pop out a kid three months early. But now that I have more time on my hands I promise to devote a little more time to the website, starting with some of the basic PHP tutorials that my readers have grown to know and love.

First off, YAML is not a markup language, nor does it claim to be (YAML Ain't Markup Language), but it is a decent way to statically store structured data that can be parsed by almost any programming language.  I recently had to write a script to parse domain data out of a cPanel "userdata" file, which is the YAML-formatted account description that cPanel uses to build httpd.conf:

---
addon_domains: {}

cp_php_magic_include_path.conf: 0
main_domain: v-nessa.net
parked_domains:
  - v-nessa.com
sub_domains:
  - mail.v-nessa.net
  - cpanel.v-nessa.net
  - anothersubdomain.v-nessa.net

Essentially with a YAML file you’ll treat the data like a multi-dimensional array – key/value pairs are separated by a colon, and sequences are prefaced by dashes.  PHP makes it easy to parse these files with the YAML PECL module.

First things first, does your PHP installation have YAML support?

root@server [~]# php -m |grep yaml

To install YAML for PHP, first install libYAML and its headers (the libyaml-devel package on RPM-based distributions), then build the extension from PECL (pecl install yaml does the same steps in one go):


wget http://pecl.php.net/get/yaml-1.1.0.tgz
tar -xvzf yaml-1.1.0.tgz
cd yaml-1.1.0
phpize
./configure && make && make install

Then make sure that php.ini (or a conf.d snippet it includes) loads the module:

extension=yaml.so

In its simplest form, our YAML file can be parsed like so (yaml_parse_file() returns false on failure, so check the result before using it):

$file="/var/cpanel/userdata/myuser/main";
$parsed = yaml_parse_file($file);
 
print_r($parsed);

This will return the YAML file as a multi-dimensional array:

Array
(
    [addon_domains] => Array
        (
        )

    [cp_php_magic_include_path.conf] => 0
    [main_domain] => v-nessa.net
    [parked_domains] => Array
        (
            [0] => v-nessa.com
        )

    [sub_domains] => Array
        (
            [0] => mail.v-nessa.net
            [1] => cpanel.v-nessa.net
            [2] => anothersubdomain.v-nessa.net
        )

)

From here we can walk the array as usual.  For example, this will print out all of the items under the parked_domains key:

foreach($parsed['parked_domains'] as $key=>$value){
    echo "$value\n";
}
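As an added example that is not part of the original post, the following pulls every hostname out of a userdata document and validates each one before it is used anywhere (these names end up in httpd.conf and, often, in shell commands). The document is parsed from an inline string with yaml_parse() rather than from /var/cpanel/userdata so the script runs stand-alone; the sample is the file shown above. It also switches off the extension's yaml.decode_php setting, which controls whether the !php/object tag is honoured, i.e. whether a YAML document can make the parser unserialize() an object of its choosing: leave it off for anything you did not write yourself. The userdataHostnames() name and the treatment of addon_domains (the keys of that mapping) are my assumptions.

```php
<?php
// Added example, not part of the original post. Requires the PECL yaml
// extension and PHP 7.0+.

// Do not let the document instantiate PHP objects through the !php/object tag.
// Set this in php.ini as well if you parse YAML you do not control.
ini_set('yaml.decode_php', '0');

if (!extension_loaded('yaml')) {
    fwrite(STDERR, "php-yaml extension is not loaded\n");
    exit(1);
}

/**
 * Return every hostname named in a cPanel userdata document, deduplicated and
 * filtered down to syntactically valid hostnames. Throws if the document is
 * not a mapping (e.g. yaml_parse() returned false on a parse error).
 */
function userdataHostnames(string $yaml): array {
    $data = yaml_parse($yaml);
    if (!is_array($data)) {
        throw new RuntimeException('userdata is not a YAML mapping');
    }

    $names = [];
    if (isset($data['main_domain'])) {
        $names[] = $data['main_domain'];
    }
    foreach (['parked_domains', 'sub_domains'] as $key) {
        foreach ((array)($data[$key] ?? []) as $name) {
            $names[] = $name;
        }
    }
    // Assumption: addon_domains maps "addon domain" => "subdomain it is served from",
    // so the domain names are the keys.
    foreach (array_keys((array)($data['addon_domains'] ?? [])) as $name) {
        $names[] = $name;
    }

    $valid = [];
    foreach (array_unique($names) as $name) {
        // Reject anything that is not a plain hostname before it reaches a
        // config file or a command line.
        if (is_string($name)
            && filter_var($name, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
            $valid[] = $name;
        }
    }
    return $valid;
}

// Constructed input: the userdata document from the post, inline.
$sample = <<<'YAML'
---
addon_domains: {}
cp_php_magic_include_path.conf: 0
main_domain: v-nessa.net
parked_domains:
  - v-nessa.com
sub_domains:
  - mail.v-nessa.net
  - cpanel.v-nessa.net
  - anothersubdomain.v-nessa.net
YAML;

foreach (userdataHostnames($sample) as $host) {
    echo $host, "\n";
}
```

To run this against a real account, replace $sample with file_get_contents('/var/cpanel/userdata/myuser/main') (or use yaml_parse_file() as in the post); the validation and the decode_php setting stay the same.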

hPage is Punishment for your Website

Posted by Nessa on May 4, 2011

Working in the hosting industry for a while, the most common frustration among new users is how to get started with their shiny new hosting account.  There are dozens of reputable tools online to help you build a site…but hPage is certainly not one of them and I’ll happily share why.

I first heard about hPage from a few of my readers that were looking at an easy way to start up a website, thinking hPage was the key. I hopped over to hpage.com and signed up for a free account, which took only a few seconds.  hPage brags that you can create a 100% free website in minutes – except I noticed that it takes quite some time just to be able to log in even though your user account is created immediately. Their servers are so overloaded that in all I think it took me about 20 minutes just to pick out a template and create one page with an image and two lines of text.   At one point I got up to let the dog out, made myself a turkey sandwich, and when I came back the templates were still loading – not that I really missed anything when they finally did.  Their templates are disappointing to say the least.  We’re still in the web 2.0 era and these templates looked like they were designed in Microsoft Word back in 1982 – hardly “professional” as the site claims.

Still, keeping an open mind, I continued poking around and found the “bells and whistles” they claimed to offer – guestbooks, forums, image galleries, etc. Not very impressive, but still decent for a free site builder – no major complaints there. They do have a couple neat features like right-click disabling and magic dust (mouse tracer), and some other features that are very web 1.0-ish like snowflakes and visitor counters.  Nothing like a visitor counter to show just how unpopular your ugly hPage website is going to be…

Probably the most irritating thing of all is that they plaster your "free" website with ads, and you have to pay $40-$80 to remove them.  I realize that many free services are ad-supported, but it's simply a waste of money for what you get.  With hPage you don't even get your own domain; you get a subdomain of hpage.com (you.hpage.com) or one of their many similar subdomains.  Not to sound like a spokesperson for my employer, but for just a few bucks more you can get reliable budget hosting at Web Hosting Hub that includes a free domain and a web builder much better than the junk you get out of hPage.

So if you’re looking to start up a website, don’t waste your time with hPage. And if you’re one of my readers, you got what you asked for – an unbiased review on how much they suck.

phpacademy.org Offers FREE PHP Tutorials

Posted by Nessa on March 31, 2011

There’s a new site out there that’s offering high quality PHP video tutorials – for FREE!  All you PHP gurus, check out phpacademy.org.  They currently have over 200 PHP and MySQL tutorials for both beginner and intermediate users.  Unlike other PHP tutorial sites, phpacademy is unique because the tutorials are all on video, so there’s less boring reading.  Did I also mention that it’s free?

Head on over and check them out, feel free to post comments and reviews here!

Error Installing APC via PECL

Posted by Nessa on February 27, 2011

I got the following error when compiling APC on one of the servers:

/root/APC-3.1.6/apc.c:464: error: ‘apc_regex’ has no member named ‘nreg’

To fix this, make sure that PHP is installed with PCRE support (run php -m and look for pcre in the list), then install the pcre-devel package so the APC build can find the PCRE headers:

yum install pcre-devel

Using POST Variables Outside the Loop

Posted by Nessa on February 24, 2011

I was working on this mini contact form the other day where a user basically enters in a bunch of info, the form submits to itself via PHP_SELF, and sends out an email. Oddly enough, once I transferred the form to its permanent home and spent a decent chunk of time trying to figure out why it wasn't working anymore, I discovered that my development box still had register_globals enabled from a previous project I was working on.  Doh!

This is part of my loop, which basically just grabs all the $_POST variables and their values to compare them with a previous array ($required) that specifies what values should be present in order for the mailer to determine how much of the form was completed:

// Values passed: domain,email
$complete = 1;                       // assume complete until a required field turns up blank
foreach($_POST as $name => $value) {
    if(in_array($name,$required)){
        // A blank value means the field was not filled in; a literal "0" still counts as a value
        if(trim($value) === ''){
            $complete=0;
        }
    }
}

The problem is, when I went to use the names of the variables or their values later in the script, I got nothing. This of course would work with register_globals enabled, but since I prefer to work in a more secure environment, a small adjustment was needed to make those variables available outside the loop:

// Values passed: domain,email

$complete = 1;                       // assume complete until a required field turns up blank
foreach($_POST as $name => $value) {
    $$name = trim($value);           // creates $domain, $email, ... from the posted keys
    if(in_array($name,$required)){
        // A blank value means the field was not filled in; a literal "0" still counts as a value
        if(trim($value) === ''){
            $complete=0;
        }
    }
}

Pretty simple stuff, eh? All I did here was tell the loop to actually create a variable for each key/value pair that came in through $_POST. From there, all I had to do was use those values as normal ($domain, $email, etc).

One caveat before you copy this: $$name = trim($value) is register_globals in miniature. Every key in the request body becomes a variable in your script, so a client can send required=foo or complete=1 along with the form and clobber the variables the script relies on, including the $required array the loop is checking against. Only create variables for names you expect (for example, loop over $required and read $_POST[$name] explicitly), or keep the values in an array instead.
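As an added example (my code, not the post's), here is the whitelist approach: iterate over the expected field names, read each one out of $_POST explicitly, and return the values in an array together with a completeness flag, so nothing the client posts can become a variable you did not declare. The collectFields() name and the sample request are constructed for the demonstration; the smuggled required and complete keys in it are exactly what the $$name version would have turned into local variables.

```php
<?php
// Added example, not part of the original post. PHP 7.1+.

/**
 * Return [$fields, $complete]: the trimmed values of the named fields, and a
 * flag saying whether all of them were supplied. A literal "0" counts as
 * supplied; a missing, blank, or non-string (array) field does not. Keys in
 * $post that are not listed in $required are ignored entirely.
 */
function collectFields(array $post, array $required): array {
    $fields   = [];
    $complete = true;
    foreach ($required as $name) {
        $value = (isset($post[$name]) && is_string($post[$name]))
            ? trim($post[$name])
            : '';
        if ($value === '') {
            $complete = false;
        }
        $fields[$name] = $value;
    }
    return [$fields, $complete];
}

$required = ['domain', 'email'];

// Constructed request: the two real form fields plus two smuggled keys that
// "$$name = trim($value)" would have turned into $required and $complete.
$_POST = [
    'domain'   => ' example.com ',
    'email'    => 'someone@example.com',
    'required' => 'x',
    'complete' => '1',
];

[$fields, $complete] = collectFields($_POST, $required);

// Only the variables you declare exist; $required is still the array above.
$domain = $fields['domain'];
$email  = $fields['email'];

if ($complete && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
    // The mail() call from the original form would go here.
    echo "Ready to send for $domain <$email>\n";
} else {
    echo "Form incomplete or e-mail address invalid\n";
}
```

Assigning to $_POST directly is only there so the script runs from the command line; in the real form the superglobal is populated by the request and collectFields($_POST, $required) is all you call.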