Archive for April, 2010

Recovering deleted files on Linux

Posted in linux, tips on April 28th, 2010 by fseek – 5 Comments

Did you just rm -rf a file by mistake? Well, that just happened to me as well.

I spent the whole day working on a PDF document and decided to forward it to a co-worker for review. Since the PDF was quite big, I gzipped it:

$ gzip work-temp.pdf

Then I realized that my co-worker uses Windows, so I had to use zip instead of gzip. That’s what I did:

$ rm work-temp.pdf.gz
$ zip work-temp.pdf
zip warning: name not matched: work-temp.pdf

Uh-oh. I forgot that gzip deletes the original file. Crap!

To recover my file, I used my big friend “foremost”, a file recovery tool for Linux. To install it on my Ubuntu box, I did:

# apt-get install foremost

To recover my files, I ran foremost, specifying my partition (/dev/sdb2) and the file type (PDF):

# foremost -s 100 -t pdf -i /dev/sdb2
Processing: /dev/sdb2
|**********************************|

Once it was done, we had all the PDF files it could recover at /root/output/pdf. Easy and simple!

Note that it will not recover the original file names, so all the PDF files (or whatever file type you were looking for) will be stored as /root/output/pdf/12345.pdf, /root/output/pdf/123456.pdf, etc. You will have to check each one to find the one you wanted.

Mail function missing – Wordpress error

Posted in tips, wordpress on April 27th, 2010 by fseek – 1 Comment

Are you getting this error when trying to reset a password (or send an email) on WordPress?

The e-mail could not be sent.
Possible reason: your host may have disabled the mail() function…

If you are on a VPS/Private server, it probably means that you don’t have mail/sendmail installed. To fix it, run as root:

# yum install mailx
# yum install sendmail

If you are not on a VPS, call your hosting company or check your php.ini to see if the mail function is disabled:

disable_functions = mail

If it is, remove “mail” from that list.

0sirys was here and also is a fucking gay

Posted in funny, security on April 20th, 2010 by fseek – Be the first to comment

Someone was trying an RFI (remote file inclusion) attack against my server today.

They were trying to inject the following file: http://[site].com/modules/id.txt into my site. I went to check it out and it looks like the file was hacked a few times.

At the top of it, someone added:

echo "Osirys";
$un = @ php_uname();
$id1 = system(id);

A bit further down, some funny haxor humor:

echo "0sirys was here and also is a fucking gay..";
echo "uname -a: $un"

I laughed. You can read more about those RFI attacks here.

How a blog spam looks like in your logs

Posted in security, spam on April 19th, 2010 by fseek – Be the first to comment

Have you ever wondered what the difference is between a spammer and a real user? Well, your logs can show you.

I have not enabled any plugin to avoid spam on this blog and because of that I am being hammered with comment spam! Just out of curiosity, I went to see what a spammer looks like in my logs.

The first one that looked legit was from:

[Image: spam comment]

If you can’t see it, it is from 222.124.x.x with a link to a YouTube video on how to make money online. This is how it looks in the logs:

222.124.x.x - - y "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.0" 200 18293 "http://www.youtube.com/watch?v=Q2kmL3eYxgQ" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
222.124.x.x - - y "POST /wp-comments-post.php HTTP/1.0" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"

And do you know what a valid user looks like (when posting a comment)?

174.16.a.b - - "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.1" 200 18293 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/style.css HTTP/1.1" 200 18055 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/includes/js/suckerfish.js HTTP/1.1" 200 400 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/css/default.css HTTP/1.1" 200 4276 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-includes/js/jquery/jquery.js?ver=1.3.2 HTTP/1.1" 200 57276 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
... more logs..
174.16.a.b - - "GET /wp-content/themes/simplex/images/rss.gif HTTP/1.1" 200 621 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "POST /wp-comments-post.php HTTP/1.1" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/ HTTP/1.1" 200 19647 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"

See the big difference here? First, a real user has to download the CSS and all the images that make up my template. Second, they have a valid referrer. Third, after posting a comment, they are redirected back to the post they were commenting on.

The spammer just downloads the post itself (not the template, images, scripts, etc.), posts the comment (see POST /) and goes away. He doesn’t even get redirected back to the page. His referrer is also the web site he is spamming for.

I checked a few other spams and they all look the same:

91.214.44.x - - [18/Apr/2010:19:40:24 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "http://fseek.me/2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/" "Opera/7.11 (Windows NT 5.1; U) [en]"
91.214.44.x - - [18/Apr/2010:19:40:24 +0000] "GET /2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/comment-page-1/ HTTP/1.0" 200 41741 "http://fseek.me/2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/comment-page-1/#comment-513" "Opera/7.11 (Windows NT 5.1; U) [en]"
123.238.42.a - - [17/Apr/2010:19:04:41 +0000] "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/ HTTP/1.1" 200 22491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.238.42.b - - [17/Apr/2010:19:04:46 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Always the same behavior. It loads the page and POSTs the comment, without even returning to the blog.
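
The difference described above can be turned into a log check. This is an added example, not code from the original post: it flags clients that POST to /wp-comments-post.php without ever fetching CSS, JS or image assets, and notes the other two signals. The sample lines, their IPs and the host blog.example are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format; the timestamp is optional because some samples on the page omit it.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[[^\]]*\] )?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$')
ASSET = re.compile(r'\.(?:css|js|gif|png|jpe?g|ico)(?:\?|$)', re.I)

def suspicious_commenters(lines, site_host):
    """Map IP -> reasons for clients that posted a comment without loading the template."""
    seen = defaultdict(lambda: {"assets": 0, "posted": False, "returned": False, "offsite": False})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the expected format
        c = seen[m["ip"]]
        if m["method"] == "POST" and m["path"].startswith("/wp-comments-post.php"):
            c["posted"] = True
        elif m["method"] == "GET":
            if ASSET.search(m["path"]):
                c["assets"] += 1
            elif c["posted"]:
                c["returned"] = True  # followed the 302 back to the post
            host = urlsplit(m["referer"]).hostname
            if host and host != site_host:
                c["offsite"] = True  # arrived with a referrer from another site
    flagged = {}
    for ip, c in seen.items():
        if c["posted"] and c["assets"] == 0:
            reasons = ["no template assets fetched"]
            if not c["returned"]:
                reasons.append("did not follow redirect after POST")
            if c["offsite"]:
                reasons.append("off-site referrer")
            flagged[ip] = reasons
    return flagged

# Constructed sample lines (documentation IPs, placeholder host blog.example).
SAMPLE = [
    '192.0.2.10 - - [18/Apr/2010:10:00:00 +0000] "GET /2010/03/some-post/ HTTP/1.0" 200 18293 "http://video.example/watch?v=abc" "Opera/7.11"',
    '192.0.2.10 - - [18/Apr/2010:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "http://blog.example/2010/03/some-post/" "Opera/7.11"',
    '198.51.100.7 - - "GET /2010/03/some-post/ HTTP/1.1" 200 18293 "-" "Mozilla/5.0"',
    '198.51.100.7 - - "GET /wp-content/themes/simplex/style.css HTTP/1.1" 200 18055 "http://blog.example/2010/03/some-post/" "Mozilla/5.0"',
    '198.51.100.7 - - "POST /wp-comments-post.php HTTP/1.1" 302 - "http://blog.example/2010/03/some-post/" "Mozilla/5.0"',
]
print(suspicious_commenters(SAMPLE, "blog.example"))
```

Clients behind a caching proxy or with images and scripts disabled will also fetch no assets, so treat a hit as a reason to hold the comment for moderation rather than as proof.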

Android vs Iphone

Posted in funny on April 19th, 2010 by fseek – 3 Comments

Hilarious:

Grep and long lines don’t mix too well

Posted in linux on April 16th, 2010 by fseek – Be the first to comment

Having issues using cat/grep and long lines? Well, so are we!

Today we were trying to use “grep” to, well, grep some lines from the output of a tool we were testing. Something like this:

# /usr/local/bin/ourtool | grep -E "error: .* string"

It was matching fine when the string we were looking for appeared on small lines (less than 4k). However, some of them were above 4k in size, and if the string came after the 4k-character mark in the line, grep wouldn’t match.

We looked for that on Google and all we found was some information about the TK_GREP_LINE_MAX environment variable, which didn’t make a difference for us.

At the end, we solved the problem by sending the output to a file and grepping it directly (instead of piping to grep):

# /usr/local/bin/ourtool >/tmp/logfile
# grep -E "error: .* string" /tmp/logfile

Why did the latter work when the first one didn’t? I have no clue. Do you?

How to make a fool of yourself/yoursite on April 1st

Posted in funny on April 1st, 2010 by fseek – Be the first to comment

I am tired of all those lame April 1st jokes. Will they ever get old? Does anyone fall for that anymore?

If you have a site or a blog, here’s how to make yourself look stupid on April 1st:

1-Post on your blog that you were acquired by Google or Microsoft. Problogger made this mistake this year. Lame!

2-Post that you will be shutting down. WebKit made this mistake in 2007. Lame, lame and lame.

3-You post anything with the words: “Government”, “seized” and “monitoring”. College Humor is doing that today.

4-You changed your logo, your name or your site layout. That’s lame++.

I need more lame ideas… Suggestions?