advanced security

This is a technical analysis about the latest threats on the Internet. Its intended audience is someone who is versed in computers and knows a little about security. Advanced programming knowledge is not required. The information is taken from respected sites on the Internet and is not discovered by Dave.

Chkrootkit false positives

You run "chkrootkit" on a server and get a list of rootkits and signs of rootkits, and some of the lines say you are infected or that you have a suspicious file on your system. What do you do? "chkrootkit" looks for possible signs of infection, which may just be the traces of safe programs. It is then the job of the webmaster or systems administrator to take that clue and look further to decide whether it is really a threat.

ambiguity to a t()

The t() function is probably the most misunderstood function in the Drupal-verse. At the risk of sounding sacrilegious: why is it there, and where should it be used? Does it really increase my site's security?

Apache attacks

learning from a grave mistake: the Apache.org attack

On April 13th, Apache announced that some of their servers were successfully compromised the previous week. They wrote a very detailed article about every step of the attack and what they did to avoid it happening again. This is a recap of that article and some of the responses in the community.

SysInternals changes affect the industry

RIP to lightweight utilities to monitor your system.

FileMon and RegMon have now been retired from SysInternals.

August 2009 report

Two issues I keep reading about a lot lately are Snow Leopard's and IE8's malware detection. I wish people were making more of a deal about WPA TKIP being broken.

Drupal gets lessons from Rain Forest Puppy

In the early 2000s a hacker who goes by the pseudonym "Rain Forest Puppy" (RFP) broke into the bulletin board system of the security advisory group PacketStorm. He got administrative rights and stole about 800 passwords. There is a lot that the Drupal community can learn from RFP's attack.

Drupal Security Announcements, December 2008

SA-2008-072
The storm project allows users with access to the storm project to enter data that has not been properly sanitized.

Versions Affected

  • Drupal 5: anything prior to 5.x-1.14
  • Drupal 6: anything prior to 6.x-1.18

SA-2008-073
There is a CSRF in the Drupal core which may allow someone to rerun old updates, which will impact the database.
Also note that the robots.txt and .htaccess files have changed and need to be replaced with the new kernel.

GPcode

GPCODE.AK (also known as GPGCODE variation AK) holds infected computers for ransom. It encrypts all the data files on a computer and tells the owner that they can get their files back for $100-$200. It is an improvement on a virus that the AV industry has been fighting for years. Now, instead of a flawed 660-bit key, it uses a much more secure 1,024-bit RSA key, and no flaws have been found yet.

Security Announcements for November 2008

  • SA-2008-071 - USER KARMA
    There is an SQL injection and a CSS (cross-site scripting) vulnerability prior to 5.x-1.13 and 6.x-1.0 that could give a user control over an SQL database and user cookies.
  • SA-2008-070 - COMMENT MAIL
    There is a CSRF (cross-site request forgery) in Comment Mail for Drupal 5.x prior to 5.x-1.1 that allows end users to administer permissions and ban IP addresses, deny a comment, or approve one.

rogue anti-spyware

In another blog entry, "VMware leaks and directory transversal", I got a comment that made me do some research. I came to the conclusion that the site was a rogue/fake spyware site and shouldn't be visited.

BTW, I'm not going to link there since it seems kind of hypocritical of me. After all, I am saying not to click links in comments, so it is a good exercise to look the article up and go there yourself.

The program he mentions, Spybot Search and Destroy (SpybotSD), is a good one and has been on the scene for a long time.