Today a customer called me about a PHP website that was popping up viruses all over the place.

I loaded up the site and there it was: the page was immediately redirected to a spyware/virus type site that tried to convince me to download their software to fix a problem. Since I knew better, I carefully answered the browser prompts to make sure I closed out and left the page without opening anything malicious.
Then I went back to the page that had the problem and tried to load it again. But the problem was GONE!

After a bit more investigation I found that the people who wrote the “virus” had dropped a cookie on my machine, and that cookie made sure I was allowed back into the site without the redirect. I am sure this trick helps them keep the “virus” on a site for longer, because the site administrators may not recognize it as an ongoing problem (or even as a problem that their site caused).

In digging I found that each PHP page on the site had some PHP code added to the top of it, something like:

This was on a single line at the top of the file, and even the administrator who had noticed the odd code at the top passed over it, not thinking it was malicious.
However, the text inside the “encoded” string was VERY malicious. I decoded it and found several PHP functions and additional encoded strings.

I decided it wasn’t worth figuring out everything the code did and instead decided to just clean it up. I assumed that the code probably helped “replicate” itself by checking that ALL other PHP pages on the site also had the same code in them, so if someone removed the code from one page and the code was then run on another page, it would put itself back where you had removed it.

Anyway, pretty sophisticated, but it was easy for me to find the problem: I just opened the PHP file, looked at it, and saw code that shouldn’t have been there.

A cool way that I found where the problem was, before even opening the PHP file, was to use HTTPWatch to see exactly which files were downloaded from which site in the browser. I use the free version of the software and it has met all my needs so far. It is similar to Firebug in Firefox.
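The post describes three things worth automating when cleaning up a site like this: finding the one-line obfuscated prepend, seeing what its encoded string contains without running it, and confirming that the very same line was planted in every PHP file. The scanner below is an added example written for this page, not the author's code and not the real injected string from the site; the marker list (`eval(`, `base64_decode(` and friends) and the base64-literal pattern are assumptions about what such a prepend looks like, and the sample site it scans is constructed inline with a harmless payload.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Calls that an obfuscated one-line prepend almost always relies on (assumed list).
# Legitimate code uses some of these too, so a hit is a lead to inspect, not proof.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(")

# A long run of base64-alphabet characters inside a PHP string literal.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=]{40,})['"]""")


def suspicious_lines(text):
    """Return (line_no, line, markers) for every line carrying obfuscation markers."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        markers = [call for call in SUSPICIOUS_CALLS if call in line]
        if markers:
            found.append((no, line, markers))
    return found


def decode_base64_literals(line):
    """Decode base64 literals on a line for reading only; nothing is executed."""
    decoded = []
    for match in B64_LITERAL.finditer(line):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_tree(root):
    """Walk root and group flagged lines by their exact text.

    A line that is byte-for-byte identical at the top of many files is the
    signature of a site-wide prepend like the one described in the post.
    """
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line, markers in suspicious_lines(text):
            rel = path.relative_to(root).as_posix()
            hits.setdefault(line, []).append((rel, no, markers))
    return hits


def strip_injected_line(text, bad_line):
    """Remove every exact occurrence of bad_line, keeping the rest of the file."""
    kept = [line for line in text.splitlines() if line != bad_line]
    return "\n".join(kept) + "\n"


def build_sample_site():
    """Create a throwaway tree: one clean file and two files sharing a constructed
    prepend. The encoded payload is harmless text, not the post's real malware."""
    root = Path(tempfile.mkdtemp(prefix="phpscan_"))
    inner = base64.b64encode(b'echo "constructed sample payload";').decode("ascii")
    prepend = f'<?php eval(base64_decode("{inner}")); ?>'
    (root / "sub").mkdir()
    (root / "index.php").write_text(prepend + '\n<?php echo "home"; ?>\n')
    (root / "sub" / "page.php").write_text(prepend + '\n<?php echo "page"; ?>\n')
    (root / "clean.php").write_text('<?php echo "clean"; ?>\n')
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for line, where in scan_tree(site).items():
        print(f"{len(where)} file(s) share: {line[:60]}...")
        for rel, no, markers in where:
            print(f"  {rel}:{no} {markers}")
        for payload in decode_base64_literals(line):
            print(f"  decodes to: {payload}")
```

Grouping by the exact line text is what turns a pile of hits into the picture the post paints: two or more files sharing one identical flagged line is the self-replicating prepend, and `strip_injected_line` removes exactly that line from each of them. Because the redirect was cookie-gated, re-checking the cleaned site from the same browser proves nothing; verify from a fresh browser profile or a client that sends no cookies.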


Great SQL Formatting Tool

April 14th, 2010

We often deal with very complex, dynamically generated SQL Statements which run from our applications.

If we need to debug them for any reason, we often have to display them on the screen and then copy and paste them into an SQL Query window. The problem is that those SQL Statements are not always formatted to be very readable. Sometimes they might even be on a single line. This requires a bunch of time going through and reformatting the SQL statement to make it legible for debugging.

I have used this tool, “SQLinFORM”, several times in the past, but I keep forgetting about it since I don’t have to use it very often.

http://www.sqlinform.com/

I just copy and paste the SQL into the window and click “Format”.
It does a great job formatting code quickly and even has some options for how you would like to see the output. I then select the output and paste it into my SQL Query window.

If you use it often they do have a version for sale.

Linux System Discovery

March 22nd, 2010

Over the last couple of weeks I have been working on doing some in depth “System Discovery” work for a client.

The client came to us after a major employee restructuring, during which they lost ALL of the technical knowledge of their network.
This potentially devastating business move on their part turned into a very intriguing challenge for me.

They asked me to come in and document what services each of their 3 Linux servers ran.
As I dug in I found that their network had some very unique, intelligent solutions:

  • A reliable production network
  • Thin Client Linux printing stations, remotely connected via VPN
  • Several Object Oriented PHP based web applications

Several open source products had been combined to create robust solutions.

It has been a very rewarding experience to document the systems and give ownership of the systems, network and processes back to the owner.

The documentation I have provided included:

  • A high level network diagram as a quick reference overview for new administrators and developers
  • An overall application and major network, server and node object description
  • Detailed per server/node description with connection documentation, critical processes, important paths and files, and dependencies
  • Contact Information for the people and companies that the systems rely on.

As a business owner myself, I have tried to help the client recognize that even when they use an outside consultant, it is VERY important that they maintain details of their critical business processes INSIDE of their company. There might not be anything in business that is as rewarding as giving ownership of a “lost” system back to a client.