Friday, October 16, 2009

The server www.xxxxxxx.com at Magic requires a username and password.

Recently one of my WordPress sites was giving this message: "The server www.xxxxxxx.com at Magic requires a username and password" when I tried to update or preview an old post.

After digging into this for a bit, I found that some files had been modified: ./wp-includes/vars.php and a couple of files in the plugins directory, like ./wp-content/plugins/akismet/akismet.php.

All these files have a line (usually the first line) containing:
eval(gzinflate(base64_decode('1VVtT9swEP7 [...]

After removing these lines (manually via SSH or FTP), the WordPress site returned to normal.
It seems that one of the WordPress administrators had some trojans on his computer; probably one of them modified the WordPress files through the WordPress admin area after he logged in.
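Finding every copy of that loader by hand gets tedious on a larger install, and the base64 blob tells you nothing until it is decoded. The script below is an added example, not code from the post: it walks a tree of .php files, reports each eval(gzinflate(base64_decode('...'))) line, and decodes the blob with zlib (PHP's gzinflate() takes raw DEFLATE, which is zlib with wbits=-15), peeling nested wrappers without ever executing anything. The infected and clean file contents at the bottom are constructed for the example; the real payload from the post is not reproduced.

```python
"""Scan PHP files for the eval(gzinflate(base64_decode('...'))) loader and
decode its payload for inspection. Added example; sample contents are
constructed, not the real injected code."""
import base64
import os
import re
import zlib

# The one-line loader the post found at the top of vars.php and akismet.php.
# Group 1 captures the base64 blob handed to base64_decode().
LOADER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)


def php_gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() expects raw DEFLATE data (no zlib/gzip header);
    zlib.decompress with wbits=-15 reads exactly that format."""
    return zlib.decompress(data, -15)


def peel_layers(blob: str, max_depth: int = 8) -> list:
    """Decode a base64+deflate blob and keep peeling while the decoded text is
    itself another eval(gzinflate(base64_decode())) wrapper. Returns the
    decoded layers, outermost first. Nothing is executed."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            text = php_gzinflate(base64.b64decode(current)).decode("utf-8", errors="replace")
        except (ValueError, zlib.error) as exc:
            layers.append("<undecodable: %s>" % exc)
            break
        layers.append(text)
        inner = LOADER_RE.search(text)
        if not inner:
            break
        current = inner.group(1)
    return layers


def scan_text(text: str, name: str) -> list:
    """Report every loader in one file's contents with its line number and
    the decoded payload layers."""
    findings = []
    for m in LOADER_RE.finditer(text):
        lineno = text.count("\n", 0, m.start()) + 1
        findings.append({"file": name, "line": lineno, "layers": peel_layers(m.group(1))})
    return findings


def scan_tree(root: str) -> list:
    """Walk a WordPress install (wp-includes, wp-content/plugins, ...) and
    scan every .php file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


def make_loader(php_source: str) -> str:
    """Build a loader line the way an injector would (raw DEFLATE + base64).
    Used here only to construct test input; this is not the real payload."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php_source.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Constructed stand-in for an infected wp-includes/vars.php: the hidden code
# is wrapped twice, so the scanner has to peel two layers.
HIDDEN = "<?php /* constructed stand-in payload */ echo 'hidden'; ?>"
INFECTED_VARS_PHP = "<?php " + make_loader(make_loader(HIDDEN)) + "\n// normal vars.php follows\n"
CLEAN_PHP = "<?php\n$is_lynx = false;\n"

if __name__ == "__main__":
    for hit in scan_text(INFECTED_VARS_PHP, "wp-includes/vars.php"):
        print("%s:%d" % (hit["file"], hit["line"]))
        for depth, layer in enumerate(hit["layers"]):
            print("  layer %d: %s" % (depth, layer))
```

Run scan_tree() against a copy of the web root rather than the live site, and treat the decoded text as evidence only: the goal is to learn what the payload did (and which credentials or hosts it touched), not to clean it by hand, since any credential the injector saw should be rotated anyway.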

You can read more from other people reporting this issue here: http://wordpress.org/support/topic/295482?replies=44

Tuesday, June 30, 2009

E-gold rejects identification documents

I have been an E-gold user for many years.
It looked like a very stable system, so I decided to keep most of my funds in it as a gold investment. Last year they had some trouble with the feds and changed their policy. They asked me to send some documents, I did, and now when I log in I get:

Photo ID permanently rejected.
Reason previous document was rejected: Refuse Service
Proof of Residence permanently rejected.
Reason previous document was rejected: Refuse Service


I asked for an explanation, and they cited the Terms of Service: they reserve the right to reject any user for any reason.
I have no idea now how I could recover my money. It's sad, because I trusted both E-gold and Moneybookers and they both let me down. I was always suspicious of PayPal, but over many years PayPal has been the most stable and I have had almost no problems with it.

Saturday, March 14, 2009

SSH brute force attack

Recently I bought a dedicated server. One of the provider's admins, who installed the system, added an account called "admin1". At first I wanted to remove it, but I thought it might be used for some checks, so I let it stay. A month later there was some activity on that account from an IP in a "strange" country, let's say. I asked the provider about it and they had no idea.
Luckily the box was not compromised, since the user didn't get root access; I killed his processes and removed the account, but I still needed an answer for this mess.
And here it was: after some hundreds of lines like "sshd[3157]: (pam_unix) authentication failure;" there was one "sshd[12358]: Accepted password for admin1 from X.X.X.X".

A classic brute-force attack on a weak password, so make sure you change (or remove) every account and password when you buy a new dedicated server, including the ones the provider set up.
To be even safer, move sshd to another port and add iptables rules that deny SSH access from any IP other than yours. Changing the port only cuts down on automated noise; the stronger fix is to disable password logins in sshd_config (PasswordAuthentication no) and use keys, so that a guessable password is no longer enough to get in.
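The tell-tale pattern above, hundreds of failures from one IP followed by a single "Accepted password", is easy to pick out automatically. The script below is an added example, not from the post: it counts pam_unix authentication failures per source IP and account and raises an alert whenever a later "Accepted ..." line for that IP follows at least a threshold of failures. The log lines are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges; the line format follows the two lines quoted in the post).

```python
"""Flag successful sshd logins that followed a brute-force run. Added
example; the sample log is constructed."""
import re
from collections import defaultdict

# pam_unix failure line, as quoted in the post; rhost= and user= carry the
# attacker's IP and the account being guessed.
PAM_FAIL_RE = re.compile(
    r"sshd\[\d+\]: \(pam_unix\) authentication failure;.*\brhost=(\S+)\s+user=(\S+)"
)
# Success line, as quoted in the post ("Accepted password for admin1 from X.X.X.X").
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def find_bruteforced_logins(lines, threshold=10):
    """Return one alert per Accepted login that was preceded by at least
    `threshold` failures from the same source IP. Only the pam_unix line is
    counted: sshd also logs 'Failed password for ...' for the same attempt,
    so counting both would double count."""
    per_pair = defaultdict(int)   # (rhost, user) -> failures against that account
    per_host = defaultdict(int)   # rhost -> failures against any account
    first_fail = {}               # rhost -> timestamp of its first failure
    alerts = []
    for line in lines:
        stamp = line[:15]         # syslog "Mon dd hh:mm:ss" prefix
        m = PAM_FAIL_RE.search(line)
        if m:
            rhost, user = m.groups()
            per_pair[(rhost, user)] += 1
            per_host[rhost] += 1
            first_fail.setdefault(rhost, stamp)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            method, user, rhost = m.groups()
            if per_host[rhost] >= threshold:
                alerts.append({
                    "user": user,
                    "from": rhost,
                    "method": method,
                    "failures_same_account": per_pair[(rhost, user)],
                    "failures_any_account": per_host[rhost],
                    "first_failure": first_fail.get(rhost),
                    "accepted_at": stamp,
                })
    return alerts


def _constructed_log():
    """Constructed sample: one clean key login, a 120-guess brute force that
    ends in success, and a legitimate user who mistyped once."""
    lines = ["Mar 14 02:00:01 box sshd[2201]: Accepted publickey for root from 198.51.100.10 port 50001 ssh2"]
    for i in range(120):
        lines.append(
            "Mar 14 03:%02d:%02d box sshd[%d]: (pam_unix) authentication failure; "
            "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin1"
            % (i // 60, i % 60, 3000 + i)
        )
    lines.append("Mar 14 03:02:05 box sshd[12358]: Accepted password for admin1 from 203.0.113.7 port 40112 ssh2")
    lines.append(
        "Mar 14 05:10:00 box sshd[4401]: (pam_unix) authentication failure; "
        "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.10  user=root"
    )
    lines.append("Mar 14 05:10:07 box sshd[4401]: Accepted password for root from 198.51.100.10 port 50002 ssh2")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in find_bruteforced_logins(SAMPLE_LOG):
        print("%(user)s from %(from)s via %(method)s after %(failures_any_account)d failures "
              "(%(first_failure)s .. %(accepted_at)s)" % alert)
```

Pipe /var/log/auth.log (or /var/log/secure) into find_bruteforced_logins() line by line; the threshold is low on purpose, because a legitimate user rarely fails ten times in a row from one address, while a guessing run produces hundreds.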