The sites been hacked, Ill keep investigating…

Lorem Ipsum text is used as a placeholder for actual content when you are building a website. There are arguments on both sides about whether it should be used or not but if you do use, you can automatically add it by using css:

And now with codeblock plugin

1
2
3

.LoremIpsum:after {
  content: "Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Vestibulum tortor quam, feugiat vitae, ultricies eget, tempor sit amet, ante. Donec eu libero sit amet quam egestas semper. Aenean ultricies mi vitae est. Mauris placerat eleifend leo. Quisque sit amet est et sapien ullamcorper pharetra. Vestibulum erat wisi, condimentum sed, commodo vitae, ornare sit amet, wisi. Aenean fermentum, elit eget tincidunt condimentum, eros ipsum rutrum orci, sagittis tempus lacus enim ac dui. Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus, tortor neque egestas augue, eu vulputate magna eros eu erat. Aliquam erat volutpat. Nam dui mi, tincidunt quis, accumsan porttitor, facilisis luctus, metus";
}

Add the class LoremIpsum to any element and the css will insert the Lorem Ipsum text for you.

Grenadier Electric Firelighter

This would make my wifes life so much easier…

I’m trying out a new blog engine called Octopress. My previous blog always had difficulty displaying code so I wanted one that was designed for techies (or geek if you listen to my wife).

Lets try a simple piece of code using markdown and backticks:

1
2
3
4
5

class Fixnum
  def prime?
    ('1' * self) !~ /^1?$|^(11+?)\1+$/
  end
end

And now with codeblock plugin

1
2
3
4
5

class Fixnum
  def prime?
    ('1' * self) !~ /^1?$|^(11+?)\1+$/
  end
end

Lets try a different language objective c

1

[rectangle setX: 10 y: 10 width: 20 height: 20];

Good old Chrome autoupdated itself last week. All was fine except now I can’t seemlessly log into my web applications.

Turns out it has stopped supporting embedded identities eg: http://username:password@google.com

(note: that is not my real username and password!) That is fine but it looks like when you use the following code:

1
2

var xhr = new XMLHttpRequest();
xhr.open("GET", "/data", false, "pete", "test1");

It doesn’t use the username and password anymore and instead the user gets the authentication dialog box.

Surely this is a bug?!

I thought I had got a workaround by adding the following code:

1

xhr.setRequestHeader("Authorization","Basic cGV0ZTp0ZXN0Mg==");

This does work but the browser doesn’t save the credentials, so if the browser gets sent to a secure page, you still get the popup authorisation dialog.

My choices are:

1. Wait to see if they fix this problem

2. Don’t support Chrome anymore

3. Rewrite the authentication system

It looks like point 3 is the way to go. I might have to start using cookies within the authentication process, I really liked using the Basic HTTP authentication because it can be used by the browser and programmatically very easily. If I introduce cookies, then programmatically retrieving data gets harder and a lot messier.

I started to get a lot of spam email from one email address, about 10 every minute: they were all going into my junk mail folder but after a few hours I was curious as to why this was happening.

In outlook, I opened the email and then selected ‘Properties’ (in outlook 2010, click on File menu then click properties button). You get to see the headers for the email, of interest was the Received: header which identifies the source.

Unfortunately the IP address it was coming from was one of our servers… uh oh…..

Perhaps we had an smtp server sitting on there being used as our secondary mail server (in case our primary mail server went down) but no, the smtp server option hadn’t been installed. I tried telnetting to port 25 on the box but no response so it didn’t seem to be a piece of software (rogue or otherwise~) acting as an smtp server.)

Next brainwave: I used netstat on the commandline to see if port 25 was currently in use. The command is:

netstat -ano formats the data quite nicely and if you do the following:

netstat -ano |findstr :25 you can find only entries that are communicating to/from port 25.

Success, netstat told me which process was being used by giving me the pid (process id). If you then go into resource monitor or task manager you can relate pid to a process (you might have to add pid as a column for task manager).

It was a w3wp.exe - one of the application pools on IIS. Luckily we have started to use application pool identities on IIS so I knew which application pool was the culprit (On resource manager, add column ‘username’ to see the application pool name, in task manager, it shows it there by default)

Ok, it happens to be one of our old websites but how is it occurring? For that particular website (we have 1 application pool per website which makes things a lot easier) I then looked into its log files stored here: C:\inetpub\logs\LogFiles{id} (Find the ID from IIS manager by clicking on the sites folder in the left hand side and you will see all the sites with their ids)

Most log files were 1Mb each, except for today which so far is 24Mb! Ahah! Success. Looking into the log file told us which page was being ‘hacked’. It was a tell a friend page where you could enter yours and a friends email address along with a message and the server would send the friend an email looking like it came from your email. A classic case of forgetting to put a captcha on the page. The page has been around for 4 years and only today someone discovered its vulnerabilities. Luckily I am BCCd on all emails sent which is why I got a lot of emails sent to me. If I hadn’t been copied in, we wouldn’t have found out until our email server had been blacklisted.

I blacklisted the IP address which put an immediate stop to the problem but have deleted the page aswell. It was very rarely used (not for months) and so wont be missed. But a good learning experience all round.

By amazing coincidence my second in command is on holiday this week. He says he is at Centre Parcs but if I found out he has gone to the Philippines (which is where the IP address of the hacker comes from), well, I hope for his sake, he brings me back a nice present.

Adding association to a dbml; if they aren’t working making sure both tables have a primary key!

After helping my daughter (age 6) with singing Its a long way to Tipperary, she asked me:

“Were you in the war Daddy?”

IIS 7 recommends using ApplicationPoolIdentities for its application pools. This is instead of using NetworkService. One advantage of this is looking at Processes in Task Manger, the IIS Worker process has the username matching the application pool name and thus it is easier to see which is consuming more resources etc.

BUT, if you switch to ApplicationPoolIdentity as the Identity you might come across the following error:

[SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.]

To fix this, in advance settings for the application pool change load user profile to true.

For more information on ApplicationPoolIdentity see [http://learn.iis.net/page.aspx/624/application-pool- identities/](http://learn.iis.net/page.aspx/624/application-pool- identities/)

The jobs created by reporting services subscriptions have ‘random’ names. Here is some sql that helps you identlfy the subscription and the report.

SELECT Schedule.ScheduleID AS SQLAgent_Job_Name, Subscriptions.Description AS sub_desc, Subscriptions.DeliveryExtension AS sub_delExt,

[Catalog].Name AS ReportName, [Catalog].Path AS ReportPath

FROM ReportSchedule INNER JOIN

Schedule ON ReportSchedule.ScheduleID = Schedule.ScheduleID INNER JOIN

Subscriptions ON ReportSchedule.SubscriptionID = Subscriptions.SubscriptionID INNER JOIN

[Catalog] ON ReportSchedule.ReportID = [Catalog].ItemID AND Subscriptions.Report_OID = [Catalog].ItemID

Thansks to SteveFromOz at Sqlservercentral forums