Today I ran into domain abuse while working on a WordPress project due to a typo in the TLD. A foreign server happily served me the requested files but with spiced content. This looked unsuspicious at first glance.

Now this is something that doesn’t happen every day [to me]. I haven’t touched PHP and WordPress in years so I don’t have a workflow established for this any more. Today I got the job to upgrade some legacy system. So I checked out the project from git, configured some dnsmasq magic and launched a local PHP development server and browser.

I was astonished when the project came up in the zero profile development chrome and the first link I clicked opened a new tab presenting me with some scam ringing all alarm bells. I’m on localhost! And Linux! What happened? Do we have an infected project in our git repository? So I started digging.

This should all point to my local dev domain at 127.0.0.1 that has no public DNS records at all.

Wait, this doesn’t look right. Looks like I made a typo replacing the WordPress WP_HOME and WP_SITEURL in our local wp-config and got a doubled dot de. That’s not going to localhost but it’s still loading JavaScript files. No file came back with a 404 – Not Found error, so at first glance nothing suspicious happened beside the CSS looking weird. Most files were empty but with some exceptions – as you can see.

That’s not my expected source.

So I ran that IP against the IP Abuse DB and it checked out with various reports including a “took over my blog” report. Yeah, I guess that happens when you’re going to log in to your blog. This IP ships any file you request back to you but with its own flavoured JavaScript. That’s what happens when you make a typo and someone else is just waiting for this. And it happened to my dev setup since I made a search and replace without enough caffeine in my blood to spot the typo and without bothering to set up SSL and CORS for developing.

Requesting without “subdomain” results in a critical error.

So yeah… you can throw any domain at this. It will happily serve malware, or spam, or whatever it’s up to today. It’s just waiting for a typing error.

The 127.0.0.1 one is fetched by my local dnsmasq.

There’s a lesson here. Watch carefully what domain you really use. Don’t be lazy and make use of SSL/CORS even in development. I can’t help having some respect for this idea, and there are probably others doing the same.
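A pre-flight check for exactly this failure mode, added here as an example and not the author’s code: it parses the WP_HOME/WP_SITEURL defines out of a wp-config.php, flags hosts outside a local dev allowlist, a doubled TLD, plain http, and a host mismatch between the two constants. The sample config lines and the allowlist are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample wp-config.php lines (not the author's real file);
# the WP_SITEURL define carries the doubled-TLD typo described in the post.
SAMPLE_WP_CONFIG = """
define('WP_HOME', 'http://dev.example.de');
define('WP_SITEURL', 'http://dev.example.de.de');
"""

# Hosts a local dev setup may use (assumption: match this to your dnsmasq entries).
DEV_HOST_ALLOWLIST = {"localhost", "127.0.0.1", "dev.example.de"}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](WP_HOME|WP_SITEURL)['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_wp_urls(config_text):
    """Return {constant: url} for every WP_HOME / WP_SITEURL define found."""
    return {name: url for name, url in DEFINE_RE.findall(config_text)}


def check_url(name, url, allowlist):
    """Return a list of findings for one URL; an empty list means it looks fine."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in allowlist:
        findings.append(f"{name}: host {host!r} is not an allowed dev host")
    labels = host.split(".")
    # A repeated last label (".de.de") is the typo pattern from the post; skip IPs.
    if len(labels) >= 2 and labels[-1] == labels[-2] and not host.replace(".", "").isdigit():
        findings.append(f"{name}: doubled TLD '.{labels[-1]}.{labels[-1]}' looks like a typo")
    if parsed.scheme != "https":
        findings.append(f"{name}: scheme {parsed.scheme!r} is not https")
    return findings


def audit(config_text, allowlist=DEV_HOST_ALLOWLIST):
    """Audit both constants and also require them to share one host."""
    urls = parse_wp_urls(config_text)
    findings = []
    for name in ("WP_HOME", "WP_SITEURL"):
        if name not in urls:
            findings.append(f"{name}: not defined")
            continue
        findings.extend(check_url(name, urls[name], allowlist))
    hosts = {urlparse(u).hostname for u in urls.values()}
    if len(hosts) > 1:
        findings.append(f"WP_HOME and WP_SITEURL differ in host: {sorted(hosts)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG):
        print("WARNING", finding)
```

Run it against the real wp-config.php before starting the dev server; any warning about the host is the moment to re-read the search-and-replace.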

Had an awesome day at the airfield. Wife got the chance for a flight and today we had perfect weather. I stayed on the ground with one of the little ones. Flying is fascinating but not my cup of tea. The others had a great time between the clouds 😀

We revisited Schiltach 77761 / Germany today and this time we were lucky. The Schüttesäge museum was open just as advertised. It’s free to visit and has a donation box.

Besides the framesaw and its water mills, it also shows the history of timber rafting and tanning in the area. A really small but nice museum.

After some refreshments – it was a very warm day this time – we moved over to the city museum that had a lot of stuff that could be touched or experimented with. A lot of fun for the kids. It also hosts a tiny library with books about the town – including several well known books about half timber by e.g. Manfred Gerner. This one is also free and has a donation box.

One of the most fascinating items on display is the model of the former “Zum Adler” inn (1604), that can be seen from the window of the museum.

https://en.wikipedia.org/wiki/Schüttesäge_Museum

https://www.schiltach.de/en/Home

Visited the 8th Dobler Spectaculum at Dobel 75335 / Germany where we got to hang out with friends from Die Schlegler e.V. – means we were sitting around in their camp, ate their food and relaxed while everyone else was working.

Just kidding – we helped as well, of course, but ran for the hills when a storm approached 😉 It was nice to hang out on a medieval market again. Something I haven’t done a lot in a very long time.

https://www.dobel.de/gaeste/veranstaltungen/8-dobler-spectaculum-id_1158/

http://www.schlegler.de/

Managing credentials with KeePassXC - Fedora Magazine by Marco Sarti (Fedora Magazine)
A previous article discussed password management tools that use server-side technology. These tools are very interesting and suitable for a cloud installation. In this article we will talk about KeePassXC, a simple multi-platform open source software that uses a local file as a database. The main advantage of this type of password management is simplicity. No server-side


I like how this article about KeePassXC mentions the SSH agent integration [that is usually skipped in such articles]. Good stuff:

https://fedoramagazine.org/managing-credentials-with-keepassxc/

I was late for this party anyway but getting off isn’t that easy.

Cleverdevil has some good pointers on freeing yourself from Facebook but the suggested tool fb-export requires an AccessToken for the Graph API Explorer. For this one has to set up a developer account with Facebook.

That’s not freeing [for me]. That’s entangling even more because this step requires a phone number or credit card with Facebook. A step I managed to avert so far.

So yeah, I guess my quest goes on. This may work for others tho.

https://github.com/danburzo/fb-export

https://cleverdevil.io/2018/freeing-myself-from-facebook

Still working on understanding the kinks of microformats2 and webmentions but I’m starting to get the hang of this.

Most of this is supported by the amazing IndieWeb plugin collection for WordPress so much respect for people that roll their own.