The power of greylisting is aided by whitelisting

I’ve been running gld for more than two months now and it is truly efficient. The current statistics say:

# of entries in the database         : 16077
# of one hit entries in the database : 15100
Oldest entry in database             : 65 days ago

This means that almost 94% of the attempts to send mail through my server are only made once!

Unfortunately Facebook and Google Mail do not play well with greylisting, as attempts that are told "Service temporarily unavailable, please try later" by greylisting are very likely to be retried from a different IP. I’ve made a little script that scans /var/log/mail.log for such mail servers and adds them to the gld whitelist table.

WordPress crack attempt this morning!

When I got to work and viewed this blog I noticed that Sidebar Widgets was disabled. I thought "That’s weird!"

When I tried to log in to the administration interface I was told that my WordPress database needed upgrading. I thought "That’s weird!"

Some further investigation revealed that someone managed to upload a PHP script called ro8kfbsmag.txt (MD5 sum df3b74cd38c717d9d7bbf0cd1910baa1) to my /tmp directory. It starts like this:

<?php
/*Magic Include Shell by Mag icq 884888*/
//TODO: ñëèòü ôàéëî íà ñâîé ôòï (!)
$ver='2.1';
if(isset($_GET[pisun233]))
{

This gave me enough information to start googling. A must-read is Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking, as it describes a very similar attack. There is also a support thread at wordpress.org: Weird and Dangerous : ro8kfbsmag.txt.

The attack vector on my server looked like this, originating from 78.109.21.80 with HTTP/1.0 as protocol version and "Opera" as User-Agent. I wish I logged POST data!

POST /wp-admin/options.php
POST /wp-admin/upload.php
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/inline-uploading.php?post=-1&action=upload
POST /wp-admin/options.php
POST /wp-admin/options.php
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
POST /wp-admin/options.php
POST /wp-admin/options.php
GET /wp-admin/upgrade.php?step=1

Needless to say, I have restored a backup and taken certain precautions to prevent this from happening again.
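One way to hunt for the request pattern listed above in an access log, as an added example that is not code from this post: it groups requests per client and reports any address that POSTs to both the settings and the upload endpoints. Combined log format, the min_posts threshold and the trusted parameter (for known administrator addresses, whose sessions hit the same endpoints) are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format is an assumption; the post does not name the web server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'(?P<proto>HTTP/[\d.]+)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# (method, path) pairs taken from the request sequence quoted in the post.
ROUTES = {("POST", "/wp-admin/options.php"): "settings",
          ("POST", "/wp-admin/upload.php"): "uploads",
          ("POST", "/wp-admin/inline-uploading.php"): "uploads",
          ("GET", "/wp-admin/upgrade.php"): "upgrade"}

def suspicious_clients(lines, min_posts=4, trusted=()):
    """Map client IP -> summary for clients that POST to both the settings
    and the upload endpoints, at least min_posts times in total."""
    seen = defaultdict(lambda: {"settings": 0, "uploads": 0, "upgrade": 0,
                                "http10": False, "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in trusted:
            continue  # unparsable line, or a known administrator address
        path = m["uri"].split("?", 1)[0]  # match on the path, not the query
        key = ROUTES.get((m["method"], path))
        if key is None:
            continue  # request is not part of the pattern
        s = seen[m["ip"]]
        s[key] += 1
        s["http10"] |= m["proto"] == "HTTP/1.0"
        s["agents"].add(m["ua"])
    return {ip: s for ip, s in seen.items()
            if s["settings"] and s["uploads"]
            and s["settings"] + s["uploads"] >= min_posts}

def _line(ip, method, uri, proto="HTTP/1.1", ua="Mozilla/5.0"):
    # One constructed log line; timestamp, status and size are made up.
    return (f'{ip} - - [01/Jan/2000:07:00:00 +0000] "{method} {uri} {proto}" '
            f'200 512 "-" "{ua}"')

# Constructed sample: 203.0.113.7 replays part of the quoted sequence,
# 198.51.100.20 is an ordinary reader. Both are documentation addresses.
ATTACK = [("POST", "/wp-admin/options.php"), ("POST", "/wp-admin/upload.php"),
          ("POST", "/wp-admin/inline-uploading.php?post=-1&action=upload"),
          ("POST", "/wp-admin/options.php"), ("POST", "/wp-admin/options.php"),
          ("GET", "/wp-admin/upgrade.php?step=1")]
SAMPLE = [_line("203.0.113.7", m, u, "HTTP/1.0", "Opera") for m, u in ATTACK]
SAMPLE += [_line("198.51.100.20", "GET", "/"), _line("198.51.100.20", "GET", "/feed/")]
if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

The HTTP/1.0 flag and the collected User-Agent strings are reported as context only; the match itself depends on the endpoint combination.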

MySQL support for UTF-8 in Ruby on Rails

As a follow-up to my post about MySQL support for UTF-8 in PHP, here is the very same information for Ruby on Rails. In Rails it is a simple configuration entry in config/database.yml. I use the development configuration as an example:

development:
  adapter: mysql
  database: dev
  username: dev
  password: secret
  socket: /var/run/mysqld/mysqld.sock
  encoding: UTF8

UTF-8 is obviously configured with the encoding setting. Don’t forget to update the test and production databases too!