Upgraded WordPress

We’ll I just upgraded my WordPress installation from 2.0.4 to 2.0.5 and it was very easy and without any problems. This is something I’ve come to expect from this program, everything is done right and made as simple as possible. I definitely recommend the software.

So I haven’t posted anything in a while. I’ve been busy. I have spent several weeks working on Mambo, trying to make a site similar to myfamily.com, but I think I have pretty much given up at this point. It just doesn’t have everything I need. I also tried Joomla, a split off of Mambo, and although it appears that it will be a better program in the long wrong, there’s nothing more there then what I have already been fighting with. As always the biggest problem with Open Source software is the lack of documentation. Unfortunately, there are more programmers then writers out there apparently.

I’ve also been keeping up with a website for my son with pictures from his birth. The site has been completely manual, creating each page every time I posted new pictures. Consequently, only I could update the site, which just made it harder on me since my wife would love to be able to update it. So I installed WordPress and we use that to upload and show off our pictures. So much easier! Now to find a good template…. :)

Webmin Vulnerability

So I recently found out about a vulnerability in the popular system administration web interface program, webmin. I personally don’t use webmin, nor do I like it, since I think if you are going to have a linux server, you or someone you pay to administer it for you should have the skills necessary to set it up correctly. So anyway, at work there were several customers that had this installed and some used it and some didn’t. Either way, most of them don’t know anything about linux or keeping their system up to date (hence the need for Webmin) and had never updated webmin since it was first installed. So this vulnerability is pretty bad, it allows malicious people to view any file on your server. These hackers, download the /etc/shadow file to their own computers and let their computers spend their idle cpu time attempting to crack the passwords. Once a system user’s password has been cracked, they simply log in to the server as an authorized user and setup camp. What a nuisance these hackers cause, especially when they decide to launch a denial of service attack and fill up the network with a UDP packet flood. Nice. Well, now that we know about it, it’s no longer a problem, but man, I hate hackers!

So, how do you know if they have stolen your passwords through webmin? Check /var/webmin/miniserve.log and see if there is a line in there getting your /etc/shadow file. I’m not going to post the actual line, that’s the last thing I want – to give someone who doesn’t know where to find it elsewhere the code they need to steal someone else’s passwords. If the file has already been downloaded, then shutdown Webmin and change your passwords immediately.  Then check to see if there are any extra files in /tmp, /var/tmp, and in user’s home directories.  Really they can be anywhere a normal user can write to.  Often they will be hidden directories, so make sure you use `ls -la` when listing the directories.  On trick is to use the name “. ” where the name is first a period followed by a space.  To enter that directory you would have to type `cd ./. /`and then othertimes they will call them … or .,. or ,,, stuff like that.  If you know how to clean up after a hacker, you may be able to clean it up, if you have no idea, it would be best to get someone else to work on it.  Then if you have to have it installed, upgrade to the latest version!

Mambo

So I am building a new website now for my family to use, so I’m trying out Mambo, an open source content management system. So far I have installed it once with the sample content and once without. I wish there was something in between. The site without any sample data, should still have the links that are common in the different menus, like being able to edit your profile should be in the user menu automatically. Oh well, so now I am comparing the one with sample data and the one without, adding those links that I want.

Indexed by Google

So, I took a little break from blogging and checking the status of this site and utahlinux.com on Google.  Came back to check everything today and it looks like they indexed this site on Sept 22nd (after 5 days of announcing it with a Google sitemap) and utahlinux.com on Sept 23rd (after 4 days of announcing it with a Google sitemap).  Pretty good response time.  Too bad I didn’t announce another site strictly through their submit a URL page at the same time to see how it compared.

Backwords compatibilty and Spammers

So what do you do when you have tens of thousands of customers around the world who are used to using their domain’s smtp server without any smtp authentication?  Well, if it wasn’t for spammers, you would let them keep on doing it.  But, unfortunately, spammers just never stop.  They are constantly scanning for any kind of hole that they can find.  Some days I really hate spammers, they can ruin your day.  As a system administrator, mail is a common maintenance task.  I’ve worked with many types of mail servers: Imail, sendmail, postfix, and qmail.  So far postfix is my favorite and I highly recommend using MailScanner for a complete package of software for spam and anti-virus protection on your server.  I’m still looking for a better solution then qmail for multiple domain e-mail hosting, but hope to someday have time to look into dovecot and cyrus.  Before postfix, I used to evangelize sendmail, but over the years I have realized there is an easier way (and works better too).