4 Nov 09

Spinning off with style (pictorial report)

ZeroTurnaround is a spin-off of Webmedia (the fastest-growing software development company in the Baltic States since 2000). Before JRebel (our flagship product) we worked in the R&D team of Webmedia. Then came JRebel, JSPWeaver, ZeroTurnaround, and now we’ve spun off and are at a new office.

A spin-off is a new organization or entity formed by a split from a larger one, such as television series based on a pre-existing one, or a new company formed from a university research group or business incubator.

Moving is work: getting stuff into boxes, moving the boxes and getting the stuff out of the boxes. We were able to add a fun factor to the process. The evening before the move our team was having beers at a local bar, one thing led to another, and the next moment we were at the old office with a knife, a pillow and 3 eggs, and it was 1AM.

Knife, pillow and 3 eggs

So in the middle of the night, at the office, 3 guys with the mentioned equipment and a plan! The plan was simple. The Webmedia CEO’s name is Eagle (at least in the Estonian language), so what if we prepped his office for a proper leaving? Stage it as birdies leaving the nest: feathers, egg-shells. An awesome plan from just 4 beers!

Pictures follow.

  • The sign says ZeroTurnaround guys have left the nest. Thanks!
  • Yeah, all the feathers come from a single pillow
  • Yes, I’m missing a pillow
  • Yes, we had to clean it up (well, just me, because everybody else supposedly had more important tasks at hand).

31 Oct 09

A PHB + a startup + dilbert = SALES are up!

Looking at the numbers I can say that it is working but wearing the extra nose is not as easy as it seems.

Dilbert strip

Making sales


1 Apr 09

Microsoft acquires ZeroTurnaround for undisclosed amount

ZeroTurnaround Ltd., a developer of Java development productivity tools, announced today that it has been acquired by Microsoft Corp. Financial terms weren’t disclosed. ZeroTurnaround will stop any further developments of JavaRebel and JSPWeaver and will buy back all the licenses sold so far.

“The deal fits with Microsoft’s strategy of migrating Java developers to the .NET platform and will increase the conversion rate greatly” said Alain Crozier, Corporate Vice President and CFO, from Sales, Marketing and Services Group of Microsoft Corp. “We saw ZeroTurnaround as a threat to our .NET development platform, enabling Java developers to be as productive as the developers on modern platforms. We had to put a stop to it.”

Rumours say that this can severely affect the IBM and SUN deal and will send Java development back as far as the Stone Age.


10 Dec 08

Random observations from Devoxx 2008

Devoxx is an annual European Java conference with a total of 3200 attendees from 35 countries and again has been completely sold out. The place is packed. Lots of people, lots of movement and too little internet.

Second day at Devoxx and it is going well. I’ve attended three sessions so far; it is not so much me being lazy but more about being at the JavaRebel booth most of the time. Still, I’ve seen many cool things here. Random ramblings will follow.

Monitoring tools

The conference passes have an embedded RFID chip and every movement (hopefully not) is being tracked. From the local paper I read that they will measure session popularity by how many attended the talks, how many left early and so on.

Don’t know if they’ll release any of it to the public (probably not), but it will be great input at least for the next Devoxx. The information is said to be anonymous, although I would like to see if and which sessions the speakers themselves visited.

I presume we are being monitored by these devices that are present on any entrance of the session halls.

Cool Screens

The venue is just excellent; having a cinema as the location means that the seating at the sessions is excellent. You even have cup holders and room for popcorn :). The screens are huuuuge and they have added live video of the speaker to the screen.

Which application server is the most popular?

Which app server is evil?

Besides Websphere being evil, we see that Spring App Platform has now managed to get two users! Depending on the interpretation of the study, I would say Tomcat is in the lead!

Tables to chill at

Something that I really like, compared to all the other conferences I’ve attended this year, are the tables with power cords. You don’t have to worry about your laptop’s battery dying.

But! At the other conferences, where your battery actually died, you were at least able to use the internet: write emails, read news, hack on projects and all the other stuff until you ran out of juice. Here you have internet at certain times; most of the time you don’t. Even when you have it, some domains don’t resolve on certain occasions, and it is dead slow when it works.

Is Bruce Willis working for IBM? Sure, he was in a movie Tears of the Sun.


4 Nov 08

Script kiddies have awesome tools

About 10 years ago a friend of mine showed me an exploit. It was written in C and it tried to spawn a shell on a remote host. It seemed pretty cool. I did not understand the code, but the mere idea that almost anybody equipped with a script like that could deface a webpage seemed scary.

You did have to compile the C file, have the right devel packages installed and use the correct flags. And then you had to figure out how to use it. A 14-year-old could do it.

Today I spent many hours grepping logs and checking the filesystem for new/changed files to figure out how an old WordPress instance was hacked and what the hacker had done there.

Going through the changed files I stumbled upon a PHP file which had some code prepended. The script had a very long line that started like this:
[PHP]
eval(gzinflate(base64_decode('FJ3HcqPsFkUf……..
[/PHP]

OK, let’s check what the script does. Let’s assign the long string to a variable, base64-decode it and inflate the compression.
[PHP]
// $script holds the long base64 string copied from the infected file
$script = base64_decode($script);
$script = gzinflate($script);
echo $script;
[/PHP]

The output was not what I expected.
[PHP]
eval(gzinflate(base64_decode('FJ3HjqPcGkUf57……..
[/PHP]

The strings looked similar and I was already looking for an error in my code. Nope, the code is correct. There is a slight change in the string. It seems it was compressed and encoded a couple of times. Wow, it means I can have many evals inside evals. Fun!
[PHP]
// $string holds the long eval(gzinflate(base64_decode(...))) line from the infected file
$i = 0;
// iterate as long as the current layer starts with eval(gzinflate(base64_decode
// (the check comes first, so the final plain layer is not decoded into garbage)
while (substr($string, 0, 28) == "eval(gzinflate(base64_decode") {
    // remove the first 30 chars, the eval(gzinflate(base64_decode(' part
    $string = substr($string, 30);
    // remove any trailing ; and whitespace, then the closing ')))
    $string = rtrim($string, "; \r\n");
    $string = substr($string, 0, strlen($string) - 4);

    $string = base64_decode($string);
    $string = gzinflate($string);
    echo "Iteration:" . ++$i . "\n";
}
// $string now contains the de-obfuscated code
echo $string;
[/PHP]

After 11 iterations I got the code. It kind of reminded me of a challenge that was posted to a mailing list, where the question was what the output of the program was. That time it was more difficult: base64-encoded Perl, that output base64-encoded bytecode, that output a Java source file with a byte array that was the bytecode for the class file of the solution.
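The same layer peeling in Python, as an added example that is not code from the original post. It assumes the wrapper shape the post shows, `eval(gzinflate(base64_decode('...')))`, and that PHP’s `gzinflate()` consumes raw DEFLATE data (which is why `zlib` is called with a negative window size). The names `peel_layer`, `unwrap` and `wrap` are mine; `wrap` only exists to build a harmless, constructed sample so the script runs offline. Unlike a do-while that decodes first and checks afterwards, `unwrap` checks for the wrapper before decoding, so the final plain layer survives.

```python
import base64
import re
import zlib

# Wrapper shape from the post: eval(gzinflate(base64_decode('<payload>')));
# Assumption: the payload is a single base64 string in single or double quotes.
WRAPPER_RE = re.compile(
    r"^\s*eval\(gzinflate\(base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\)\)\s*;?\s*$"
)


def peel_layer(source: str):
    """Return the next layer if `source` is one wrapper, else None."""
    m = WRAPPER_RE.match(source)
    if m is None:
        return None
    raw = base64.b64decode(m.group(1))
    # -zlib.MAX_WBITS selects raw DEFLATE, the format PHP's gzinflate() expects.
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", errors="replace")


def unwrap(source: str, max_layers: int = 50):
    """Peel wrappers until plain code appears. Returns (plain_code, layers_removed).

    The wrapper check happens before any decoding, so the last (plain) layer is
    never fed through base64/inflate and lost.  max_layers guards against a
    sample that never terminates.
    """
    layers = 0
    while layers < max_layers:
        inner = peel_layer(source)
        if inner is None:
            return source, layers
        source = inner
        layers += 1
    raise ValueError(f"more than {max_layers} layers; refusing to continue")


def wrap(plain: str, layers: int) -> str:
    """Build a constructed sample the way the obfuscator would: gzdeflate + base64_encode, repeated."""
    code = plain
    for _ in range(layers):
        compressor = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
        deflated = compressor.compress(code.encode()) + compressor.flush()
        code = "eval(gzinflate(base64_decode('" + base64.b64encode(deflated).decode() + "')));"
    return code


if __name__ == "__main__":
    # Constructed, harmless sample: one benign PHP statement wrapped 11 times, like the post's file.
    sample = wrap('echo "hello";', 11)
    code, n = unwrap(sample)
    print(f"removed {n} layers -> {code!r}")
```

Run it as-is to see the constructed sample peeled; to analyse a real line, read the prepended line from the file and pass it to `unwrap`. Doing this on a copy of the file, on a machine that never runs the code, is the whole point of decoding statically instead of letting PHP evaluate it.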

Anyway, the 11 iterations gave me this (the screenshot is from my home computer).
Wow!

Let’s see the functionality it has to offer:

  • Full blown file manager
  • Quick menu for
    • Finding all suid files
    • Finding all sgid files
    • Finding all htaccess files
    • Finding all writeable folders
  • Interface for the UNIX tool find
  • Input field for executing commands as webserver user
  • Tools for installing a backdoor
    • Perl/C flavoured programs that are downloaded from a Singapore server
    • Compiled/Interpreted – depending what is available
  • Processes viewer
  • FTP brute force cracker using users from /etc/passwd
  • System info (CPU, Memory, installed binaries, passwd file, configuration files)
  • SQL dump utility
  • Interface for executing PHP code
  • Self removal
  • Adding a password for the script
  • Fancy design!

I’m just amazed. This is way too easy. So this is how it works:

  • Let’s scan the internet for WordPress installations (automated)
  • Look for vulnerable versions (automated)
  • Exploit (in this case themes were filled with hidden links – semi automated)
  • PROFIT! (automated)

How to avoid being hacked:

  • Keep an eye on your WordPress installations
  • Subscribe to WordPress release emails/RSS and upgrade when needed
  • Monitor for changed files (for example fcheck)
  • Run Apache in chroot to minimize the available software for the Apache user
  • Any other ideas?
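A minimal version of the "monitor for changed files" item, as an added example that is not code from the original post or from fcheck. It hashes a tree into a baseline, diffs a later snapshot against it, and then flags any new or modified file that contains the `eval(gzinflate(base64_decode(` wrapper from the post. The function names are mine, and `demo()` builds a constructed WordPress-like directory in a temp folder so it runs offline.

```python
import hashlib
import os
import tempfile

# Indicator taken from the post: the wrapper found prepended to the infected file.
INDICATOR = b"eval(gzinflate(base64_decode("


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Return added, removed and modified files relative to the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def has_indicator(path: str) -> bool:
    with open(path, "rb") as fh:
        return INDICATOR in fh.read()


def triage(baseline: dict, root: str) -> dict:
    """Integrity diff plus a content check of every new or changed file."""
    diff = compare(baseline, root)
    diff["suspect"] = [p for p in diff["added"] + diff["modified"]
                       if has_indicator(os.path.join(root, p))]
    return diff


def demo() -> dict:
    """Constructed scenario: clean tree, baseline, then a wrapper prepended to one theme file."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "wp-content", "themes", "default")
        os.makedirs(theme_dir)
        theme = os.path.join(theme_dir, "footer.php")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'ok'; ?>\n")
        with open(theme, "w") as fh:
            fh.write("<?php echo 'footer'; ?>\n")
        baseline = build_baseline(root)

        # Simulated compromise: wrapper prepended to an existing file (placeholder payload),
        # plus one unrelated new file that should show up as added but not suspect.
        with open(theme) as fh:
            body = fh.read()
        with open(theme, "w") as fh:
            fh.write("<?php eval(gzinflate(base64_decode('...'))); ?>\n" + body)
        with open(os.path.join(root, "wp-content", "x.php"), "w") as fh:
            fh.write("<?php echo 'harmless new file'; ?>\n")
        return triage(baseline, root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline is written to storage the web server user cannot modify (otherwise an attacker with write access to the document root can update it too), and the comparison runs from cron; the indicator check is only a cheap first pass, since wrappers come in many other spellings.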

PS. The script is 2500 lines of code, supports Windows and Linux and looks great :)