Find malware on your web server/shared hosting

Some of my clients' websites get hacked. Some shared hosting providers offer virus scanning tools, but that's not always enough, and some don't provide malware scanning at all. Hopefully they provide SSH access, so AI-BOLIT can be used. It's a free virus and malware scanner for websites.
Just download it, unzip it and upload it to your host, copying it into the root directory of your website.
Finally, run it in paranoid mode:
php ai-bolit.php --mode=2
or in normal (non-paranoid) mode:
php ai-bolit.php


Blocking web access by country code via htaccess

Some Ukrainian and Russian folks don’t know how to behave, so I decided to block the whole country. Also, they’re not the target audience for the targeted website.

# .htaccess

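<IfModule mod_geoip.c>
# Enable GeoIP lookups for requests to this site
GeoIPEnable On
# Flag requests whose country code is UA (Ukraine) or RU (Russia)
SetEnvIf GEOIP_COUNTRY_CODE UA blk
SetEnvIf GEOIP_COUNTRY_CODE RU blk
# Apache 2.2-style access control: refuse every flagged request
Deny from env=blk
</IfModule>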

They were causing 509 Bandwidth Limit Exceeded errors on some client websites running Joomla :/

Passwordless ssh not working

I was getting the following with ssh -v user@remote_host:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/mike/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

The idea for the solution came from http://askubuntu.com/a/90465/168459: fix the permissions of the .ssh directory and of .ssh/authorized_keys.

Later, during the investigation, after logging in with a password and with debug turned on, SSH complained with:

debug1: Remote: Ignored authorized keys: bad ownership or modes for file /home/REMOTE_HOST_USER/.ssh/authorized_keys
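
The "bad ownership or modes" message comes from sshd's StrictModes check (enabled by default), which rejects authorized_keys when the file, the .ssh directory or the home directory is group- or world-writable or owned by someone other than the user or root. The script below is an added example, not part of the original post or the linked answer. It audits those three paths on the remote host; the function names check_path and check_ssh_perms are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit the paths that sshd's StrictModes check inspects.
# Usage: check_ssh_perms /home/REMOTE_HOST_USER [numeric_uid]
# Returns 0 if every path passes, 1 if any path would be rejected.

check_path() {
    target=$1; want_uid=$2
    [ -e "$target" ] || { echo "MISSING $target"; return 1; }
    # ls -ldn prints the mode string and the numeric owner,
    # e.g. "drwx------ 2 1000 1000 ...": keep fields 1 and 3.
    info=$(ls -ldn "$target" | awk '{print $1, $3}')
    mode=${info% *}; owner=${info#* }
    # The owner must be the account itself or root.
    if [ "$owner" != "$want_uid" ] && [ "$owner" != "0" ]; then
        echo "BAD OWNER $target (uid $owner)"; return 1
    fi
    # Characters 6 and 9 of the mode string are group-write and other-write.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "BAD MODE $target ($mode)"; return 1
    fi
    echo "OK $target ($mode)"
}

check_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}
```

Run it as the affected user on the remote host, for example check_ssh_perms "$HOME". Any BAD MODE line is typically fixed with chmod go-w on that path (commonly 700 for .ssh and 600 for authorized_keys).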

Facebook and Chrome connections revealed via Little Snitch

I decided to make a video showing how many connections are made after starting Chrome

And connecting to Facebook

When I opened Facebook in Firefox, it made a connection to http://cx.atdmt.com, which, when visited, shows a 1x1px GIF image. The Wikipedia article about Atdmt, https://en.wikipedia.org/wiki/Atdmt, contains the following: “ATDMT is a tracking cookie served by Facebook subsidiary Atlas Solutions and used as a third party cookie by several websites.”
Opening FB in Chrome made a connection to http://pixel.quantserve.com, which, when visited, informs you that it is “Quantcast Measurement Service”; they also provide a table of the most visited sites at https://ak.quantcast.com/top-sites. Quantcast on Wikipedia: https://en.wikipedia.org/wiki/Quantcast

Be aware of the watchers 😉

Vulnerabilities to consider while coding

I just found the following pages, which describe SQL Injection and Cross Site Request Forgery (CSRF) vulnerabilities and how to prevent them in WordPress’s PHP code.

http://ottopress.com/2014/better-know-a-vulnerability-cross-site-request-forgery-csrf/

http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/