Comments for Brett Terpstra http://brettterpstra.com Elegant solutions to complex problems. Sun, 01 Aug 2010 00:41:52 +0000 hourly 1 http://wordpress.org/?v=2413 Comment on Notes on cleaning up the MediaTemple hack (JohnnyA) by Danhttp://brettterpstra.com/2010/07/24/notes-on-cleaning-up-the-mediatemple-hack-johnnya/comment-page-1/#comment-853 Dan Sun, 01 Aug 2010 00:41:52 +0000 http://brettterpstra.com/?p=823#comment-853 <p>I have 5 sites I manage on Media Temple each with their own account and a wordpress install with version 3.0. All were compromised with the JohnnyA malware attack.</p><p>This appears to be more and more related to Media Temple's lack of ACL rather than a wordpress exploit. However, it greatly disappoints me that they have failed to come forth and admit they "screwed up"...again.</p><p>I found the offending rootkit exploit located in folders nested deep without anything in common to the locations with other sites I manage. You can add these file names to the list:</p><p>chmod.php fopen.php mkdir.php</p><p>Still the only way to locate and eradicate the exploit is to use the following "grep" commands with the above mentioned string both for the javascript and php rootkit.</p><p>grep -R "document.write(unescape" *</p><p>grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *</p><p>After you're done make sure to send a nice note to Media Temple demanding a years free hosting for the trouble...it wasn't too long ago we all had the hassle of changing our MySQL passwords due to a lack of security measure by Media Temple as well.</p> I have 5 sites I manage on Media Temple each with their own account and a wordpress install with version 3.0. All were compromised with the JohnnyA malware attack.

This appears to be more and more related to Media Temple’s lack of ACL rather than a wordpress exploit. However, it greatly disappoints me that they have failed to come forth and admit they “screwed up”…again.

I found the offending rootkit exploit located in folders nested deep without anything in common to the locations with other sites I manage. You can add these file names to the list:

chmod.php fopen.php mkdir.php

Still the only way to locate and eradicate the exploit is to use the following “grep” commands with the above mentioned string both for the javascript and php rootkit.

grep –R “document.write(unescape” *

grep –iR –include “*.php” “[a-zA-Z0-9\/\+]\{255,\}” *

After you’re done make sure to send a nice note to Media Temple demanding a years free hosting for the trouble…it wasn’t too long ago we all had the hassle of changing our MySQL passwords due to a lack of security measure by Media Temple as well.

]]> Comment on Single-keystroke Instapaper in Google Reader by LagaVhttp://brettterpstra.com/2010/07/28/single-keystroke-instapaper-in-google-reader/comment-page-1/#comment-847 LagaV Sat, 31 Jul 2010 16:55:16 +0000 http://brettterpstra.com/?p=836#comment-847 <p>Great tool. I would love to have similar functionality to transfer stuff directly from Google Reader or Instapaper into Evernote....(preferably using the reduced content provided by Safari Reader)</p> Great tool. I would love to have similar functionality to transfer stuff directly from Google Reader or Instapaper into Evernote.…(preferably using the reduced content provided by Safari Reader)

]]> Comment on Safari Reader Antique hack by Xiaohung.http://brettterpstra.com/2010/06/12/safari-reader-antique-hack/comment-page-1/#comment-842 Xiaohung. Sat, 31 Jul 2010 12:15:28 +0000 http://brettterpstra.com/?p=562#comment-842 <p>Hello,I come here for the first time. Nice to meet you too.. &Your avatar(that at your blog) is really~~~ OK,It's a good skin for Safari reader. Love it! Thx~~</p> Hello,I come here for the first time. Nice to meet you too.. &Your avatar(that at your blog) is really~~~ OK,It’s a good skin for Safari reader. Love it! Thx~~

]]> Comment on Notes on cleaning up the MediaTemple hack (JohnnyA) by theFlashBlog » Details Of The JohnnyA MediaTemple Hackhttp://brettterpstra.com/2010/07/24/notes-on-cleaning-up-the-mediatemple-hack-johnnya/comment-page-1/#comment-836 theFlashBlog » Details Of The JohnnyA MediaTemple Hack Sat, 31 Jul 2010 04:11:34 +0000 http://brettterpstra.com/?p=823#comment-836 <p>[...] much searching and with the help of this blog post, I have found the rootkit that is used to do the damage. If you have been hacked you will find some [...]</p> […] much searching and with the help of this blog post, I have found the rootkit that is used to do the damage. If you have been hacked you will find some […]

]]> Comment on TabLinks Safari Extension by Robert Spencerhttp://brettterpstra.com/2010/06/18/tablinks-safari-extension/comment-page-1/#comment-832 Robert Spencer Fri, 30 Jul 2010 19:33:05 +0000 http://brettterpstra.com/?p=641#comment-832 <p>I've just tested again and it works now. Seems like all that was needed was a total restart of Safari. Apologies for the noise, I should have tested for that to before reporting a problem. In my defence I was mislead by extensions.apple.com saying that there was "no need to restart Safari".</p><p>That you for this great extension. I'm quite chuffed with it. :-)</p> I’ve just tested again and it works now. Seems like all that was needed was a total restart of Safari. Apologies for the noise, I should have tested for that to before reporting a problem. In my defence I was mislead by extensions.apple.com saying that there was “no need to restart Safari”.

That you for this great extension. I’m quite chuffed with it. :-)

]]> Comment on Single-keystroke Instapaper in Google Reader by Google Reader an Instapaper per Tastendruck - surfgardenhttp://brettterpstra.com/2010/07/28/single-keystroke-instapaper-in-google-reader/comment-page-1/#comment-826 Google Reader an Instapaper per Tastendruck - surfgarden Fri, 30 Jul 2010 14:44:55 +0000 http://brettterpstra.com/?p=836#comment-826 <p>[...] wirklich praktische Erweiterung für Safari ist GReader Instapaper: Ist es installiert, braucht es nur einen Tastendruck – wie z.B. “i” – um den [...]</p> […] wirklich praktische Erweiterung für Safari ist GReader Instapaper: Ist es installiert, braucht es nur einen Tastendruck – wie z.B. “i” – um den […]

]]> Comment on Make amazing coffee without the hassle by Scott Jangrohttp://brettterpstra.com/2010/07/24/make-amazing-coffee-without-the-hassle/comment-page-1/#comment-816 Scott Jangro Fri, 30 Jul 2010 06:33:46 +0000 http://brettterpstra.com/?p=816#comment-816 <p>That's interesting that the aeropress (which I've never tried) is optimal at such a low temperature. Convention says that 195-200 degrees is best for brewing coffee.</p><p>My favorite way to make coffee is with a syphon pot. It is a bit more involved than the aeropress but it makes the cleanest cup that you'll ever taste.</p><p>Maybe I'll pick up an aeropress as, Iike you, I've switched to drinking tea more during the day. I've heard good things about it elsewhere.</p> That’s interesting that the aeropress (which I’ve never tried) is optimal at such a low temperature. Convention says that 195–200 degrees is best for brewing coffee.

My favorite way to make coffee is with a syphon pot. It is a bit more involved than the aeropress but it makes the cleanest cup that you’ll ever taste.

Maybe I’ll pick up an aeropress as, Iike you, I’ve switched to drinking tea more during the day. I’ve heard good things about it elsewhere.

]]> Comment on Notes on cleaning up the MediaTemple hack (JohnnyA) by Joshuahttp://brettterpstra.com/2010/07/24/notes-on-cleaning-up-the-mediatemple-hack-johnnya/comment-page-1/#comment-813 Joshua Fri, 30 Jul 2010 02:50:22 +0000 http://brettterpstra.com/?p=823#comment-813 <p>I had PHP files added throughout my file structure on almost every site hosted with (mt). I ended up finding them using instructions found here: http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/</p><p>Because of the way the hack works he recommended searching for a string longer than 255 characters.</p><p><code>grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *</code></p> I had PHP files added throughout my file structure on almost every site hosted with (mt). I ended up finding them using instructions found here: http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/

Because of the way the hack works he recommended searching for a string longer than 255 characters.

grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *

]]> Comment on TabLinks Safari Extension by Bretthttp://brettterpstra.com/2010/06/18/tablinks-safari-extension/comment-page-1/#comment-807 Brett Thu, 29 Jul 2010 22:43:59 +0000 http://brettterpstra.com/?p=641#comment-807 <p>I'll need to know more about how you're using it to figure out why it's not working for you. It has to be run in a tab which has a page loaded in it, but beyond that, it really should function in almost any case. Do you have a template set in the preferences (there's one loaded by default)?</p> I’ll need to know more about how you’re using it to figure out why it’s not working for you. It has to be run in a tab which has a page loaded in it, but beyond that, it really should function in almost any case. Do you have a template set in the preferences (there’s one loaded by default)?

]]> Comment on TabLinks Safari Extension by Robert Spencerhttp://brettterpstra.com/2010/06/18/tablinks-safari-extension/comment-page-1/#comment-805 Robert Spencer Thu, 29 Jul 2010 22:34:56 +0000 http://brettterpstra.com/?p=641#comment-805 <p>I think it's a beautiful idea, I installed it from extensions.apple.com and then came here to read up more about it. Unfortunately after repeated testing I've come to the conclusion that it does nothing. Maybe it's bust, but I don't get anything like in your screen-shot. I even tried uninstalling, downloaded the zip file from here and tested again. Nothing. Using Safari 5.0.1 (5533.17.8).</p> I think it’s a beautiful idea, I installed it from extensions.apple.com and then came here to read up more about it. Unfortunately after repeated testing I’ve come to the conclusion that it does nothing. Maybe it’s bust, but I don’t get anything like in your screen-shot. I even tried uninstalling, downloaded the zip file from here and tested again. Nothing. Using Safari 5.0.1 (5533.17.8).

]]> Comment on Instapaper Beyond for Fluid.app by Kacy Triolohttp://brettterpstra.com/2010/03/28/instapaper-beyond/comment-page-1/#comment-803 Kacy Triolo Thu, 29 Jul 2010 20:28:49 +0000 http://brettterpstra.com/?p=344#comment-803 <p>Awesome, ok if i link back to you?</p> Awesome, ok if i link back to you?

]]> Comment on Single-keystroke Instapaper in Google Reader by Bretthttp://brettterpstra.com/2010/07/28/single-keystroke-instapaper-in-google-reader/comment-page-1/#comment-794 Brett Thu, 29 Jul 2010 13:58:33 +0000 http://brettterpstra.com/?p=836#comment-794 <p>Quite possibly a bug, I haven't tested it without a password yet.</p> Quite possibly a bug, I haven’t tested it without a password yet.

]]> Comment on A better System Service for Evernote clipping — with MultiMarkdown by Bretthttp://brettterpstra.com/2010/03/06/a-better-os-x-system-service-for-evernote-notes-with-multimarkdown/comment-page-1/#comment-793 Brett Thu, 29 Jul 2010 13:57:00 +0000 http://brettterpstra.com/?p=302#comment-793 <p>That's easy enough. Let me know if you build it before I do :).</p> That’s easy enough. Let me know if you build it before I do :).

]]> Comment on Notes on cleaning up the MediaTemple hack (JohnnyA) by Bretthttp://brettterpstra.com/2010/07/24/notes-on-cleaning-up-the-mediatemple-hack-johnnya/comment-page-1/#comment-792 Brett Thu, 29 Jul 2010 13:54:58 +0000 http://brettterpstra.com/?p=823#comment-792 <p>That's exactly where I found them in one install. I didn't list it verbatim as I didn't find them there in all installs and figured it was random.</p> That’s exactly where I found them in one install. I didn’t list it verbatim as I didn’t find them there in all installs and figured it was random.

]]> Comment on Notes on cleaning up the MediaTemple hack (JohnnyA) by Chrishttp://brettterpstra.com/2010/07/24/notes-on-cleaning-up-the-mediatemple-hack-johnnya/comment-page-1/#comment-784 Chris Thu, 29 Jul 2010 04:41:41 +0000 http://brettterpstra.com/?p=823#comment-784 <p>Did you notice any files added to the TinyMCE folder that's included in WordPress? I noticed that this folder path was the most common across all of the affected domains. This path in particular:</p><p><code>(domain name)/html/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/</code></p><p>I wonder if that wasn't the point of entry, or if it's just a coincidence.</p> Did you notice any files added to the TinyMCE folder that’s included in WordPress? I noticed that this folder path was the most common across all of the affected domains. This path in particular:

(domain name)/html/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/

I wonder if that wasn’t the point of entry, or if it’s just a coincidence.

]]>