HR Geeks

Hampton Roads Geek community

757Labs Tool: PDFResurrect

Filed under: 757labs - security - tools

I would like to announce the initial release of the 757Labs’ PDFResurrect tool:

PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also “scrub” or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

This tool and accompanying whitepaper can be found over at the labs:
http://www.757labs.com/projects/pdfresurrect

Special thanks go out to all the hr-geekers and 757labs. Many were consulted on this and provided suggestions, including Tele, Derez, Remad, Count and Sunpuke. Special thanks to Brent, not really part of the 757 crew, but who aided in proofreading the paper. Thanks guys!

-Matt (enferex)

Googlebot deleted my website

Filed under: humor - security - website

So due to some really bad coding on our part, googlebot managed to wipe out a bunch of web content on one of our webpages today. The webpage is set up so that the individual pages all include a small piece of php code that pulls its content out of an SQL database and spits it out. We set this up for particular pages so that the user can make changes to the content with an HTML editor in a /admin sort of setup. It’s not the fanciest, but it’s simple, efficient and reliable.

Well the customer calls me this morning and tells me that all their content is missing, which I quickly confirm to be fairly accurate. I fire back an e-mail saying that the pages must have been deleted through the admin interface because the missing pages have been removed from the database. I then go off to read logfiles with the intent of finding evidence that this customer blew up their own webpage and that it’s not my problem, because that’s how I think. Here’s what I find in my logs:

66.249.73.92 - - [02/May/2008:13:48:47 -0400] "GET /admin/website_pages_delete.php?id=25 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.73.92 - - [02/May/2008:13:52:39 -0400] "GET /admin/website_pages_delete.php?id=26 HTTP/1.1" 200 4760 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

66.249.73.92 - - [02/May/2008:14:10:44 -0400] "GET /admin/website_pages_delete.php?id=42 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

So it would appear that the session-based authentication for the pages in /admin wasn’t added to the delete script, and somehow (I’d really love to know) Google managed to find out about, and traverse links from, the page with all the delete links on it. When it did, it deleted every single page out of the database. Obviously this never ever should have been possible, but hey. The lesson here is don’t be lazy and just put the authentication mechanism on the index page. Fortunately it was only done on this particular site. Whatcha gonna do. I blame Google…
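As an added example (not code from the post or the site), a small Python checker that parses Apache combined-format lines like the ones above and flags successful GET requests from a crawler user agent to a state-changing /admin script. The crawler markers and path hints are assumed lists, and the sample log is constructed from the three entries in the post plus one benign crawler hit.

```python
import re

# Apache "combined" log format, which is what the entries in the post use.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed (non-exhaustive) crawler user-agent markers and script-name hints.
CRAWLER_MARKERS = ("Googlebot", "bingbot", "Slurp", "DuckDuckBot", "Baiduspider")
MUTATING_HINTS = ("delete", "remove", "update", "edit", "publish")

# Constructed sample: the three lines from the post plus one harmless crawl.
SAMPLE_LOG = [
    '66.249.73.92 - - [02/May/2008:13:48:47 -0400] "GET /admin/website_pages_delete.php?id=25 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.73.92 - - [02/May/2008:13:52:39 -0400] "GET /admin/website_pages_delete.php?id=26 HTTP/1.1" 200 4760 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.73.92 - - [02/May/2008:14:10:44 -0400] "GET /admin/website_pages_delete.php?id=42 HTTP/1.1" 200 4642 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.73.92 - - [02/May/2008:14:11:02 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_mutating_admin_get(entry):
    """True for a GET under /admin/ whose script name suggests it changes state."""
    script = entry["path"].split("?", 1)[0].lower()
    return (entry["method"] == "GET" and script.startswith("/admin/")
            and any(hint in script for hint in MUTATING_HINTS))


def find_crawler_mutations(lines):
    """Return entries where a crawler received a 200 from a mutating /admin GET."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if (e is not None and e["status"] == 200
                and any(c in e["ua"] for c in CRAWLER_MARKERS)
                and is_mutating_admin_get(e)):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for h in find_crawler_mutations(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"])
```

The same check also catches the underlying design flaw regardless of who triggers it: any state-changing action reachable by a plain GET should be moved behind a POST with the per-script session check the post describes.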

DoS! April Fools!

Filed under: networking - security

So for those of you who may have had strange Cox outage issues in the HR area this fine Wednesday (04/02/08) morning, I have some good news. I think I know what was going on. At about 9:30 it would appear my network at work was on the painful end of a DoS attack from somewhere on the internet. At the peak we were getting about 40,000 packets/sec through one provider and 70,000 through the other, bringing our router to its knees (normal load for us is about 3000/sec). It would appear that this attack caused some pretty major problems for Cox as well. It just stopped on its own at about 11:00 and neither provider has any reliable information about where it came from. It was still Apr 1 in China at 9:00 AM, right?
