That Nasty Firefox Extension

February 26, 2009

So there has been a lot of noise on the interwebs about this new “malware”/“virus”/“worm” that apparently no anti-virus software has been able to detect or remove recently. Last week I was infected with this nasty little thing and it was really starting to piss me off. I had been searching madly across the Internet (using cached search pages, a little workaround for this bug) to try and find the solution to this little issue. I also ran every piece of anti-malware and anti-virus software I have… which by the way is a lot.

After my holy trinity of virus-killing software (Malwarebytes, Avira, and CCleaner) found nothing numerous times, I was starting to get excessively frustrated. Then I came across forum posts from Firefox users who all had the same issues… It turned out this was a Firefox-specific problem (which of course I wouldn’t have known, because I never use IE and assumed everything was infected).

One user (bless him) said that this was an extension-related issue: just find the extension folder that was modified around the date you noticed the infection and remove it. Restart Firefox and it works without the problems. Me and my curious self… decided that I wanted to look at the code of this little thing.

So I dug in and copied the XUL (XML User Interface Language) file and opened it to see the code. These files, as an aside, are used to change the user interface of Firefox, and are the reason that some extensions can make web pages change and do all the weird and cool things that we all seem to love… They are also the reason for my frustration over the past week.

So I open the file and look at the code, and it’s very simple actually… Here are a few lines…

if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
    keyword = RegExp.$1;    // the search query captured from the URL
    engine = 'google';
//    } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
//        keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
    keyword = RegExp.$1;
    engine = 'yahoo';

There are actually a number of blocks like this, one for each search engine it knows about. They are simple regular expressions that check which search engine the current page belongs to and pull the query out of the URL. If one matches, then you are going to see these random redirects to some ad server, then to a page of their choosing… I found this little variable, which is apparently the server your requests are redirected to and changed by:

var __d = "http://v1.adwarefeed.com/ffjs.php?u=1145892647-2942932799-2535655826-377724549a=998&s=3&v=icv270109ff&e=";
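
The matching shown in the quoted lines, replayed on constructed URLs so you can see exactly what the extension captures. This is an added example, not code from the extension or the post; the two regexes are the post's own, but the capture group is read directly instead of through the RegExp.$1 global the extension relies on.

```javascript
// Added example (not from the original post): replay the extension's
// search-engine matching on constructed URLs to show what it captures.
const ENGINES = [
  { engine: "google", re: /google\..+\/search.*[&\?]q=([^&]*)/ }, // from the post
  { engine: "yahoo",  re: /search\.yahoo.*search.*[&\?]p=([^&]*)/ }, // from the post
];

// Return { engine, keyword } for a URL the extension would act on, else null.
// The keyword is URL-decoded so the captured query reads as the user typed it.
function classifySearch(loc) {
  for (const { engine, re } of ENGINES) {
    const m = loc.match(re);
    if (m) return { engine, keyword: decodeURIComponent(m[1].replace(/\+/g, " ")) };
  }
  return null;
}

// Constructed sample URLs: two the extension would hijack, one it would ignore.
const SAMPLES = [
  "http://www.google.com/search?hl=en&q=firefox+redirect+virus&btnG=Search",
  "http://search.yahoo.com/search?p=remove%20adware&ei=UTF-8",
  "http://www.example.com/search?q=not+a+listed+engine",
];

for (const url of SAMPLES) console.log(url, "->", classifySearch(url));
```

Every query you typed into Google or Yahoo while the extension was installed passed through this match, which is why the post's advice to change passwords is worth taking.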

I love the Internet, but I hate stuff like this being out there. Anyway, removal instructions are simple:

1.) Go to: %Mozilla Firefox%\extensions\

2.) Delete the folder xxxxx, where xxxxx is something like {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} and has a modified date around the time you got infected.

3.) Restart Firefox, problem solved.

And if you’re anything like me, look at the code for yourself and see exactly what it was doing… While nasty, it’s actually a pretty neat trick. Useful if you want to, say… spy on someone using your internets. Oh, change your passwords if you’ve used any while being infected. You can never be too safe.


Installing phpmyadmin and PHP 5.2.* on a CentOS 5.2 Server (updated)

February 17, 2009

So I spent the better part of last night (12 to 3:30am) trying to figure out just exactly how to get phpmyadmin installed on my CentOS 5.2 server. Now, I’m no dummy when it comes to Linux, package management, etc… But this was a task which apparently many other people have had trouble with. I finally gave up on it and went to bed, woke up this morning and went back to it… At which point I actually figured everything out and now have PHP 5.2.8 installed and working with phpmyadmin 3.1.2 (which, as of today, is all the most recent stuff) using mysql-server 5.1.31.

So here’s how I did it. Apparently the repositories that CentOS 5.2 uses by default still have php 5.1.*, so you can’t just do a yum update or yum install php. The first step is to set up the Remi repository: Remi maintains a repository that has the most up-to-date version of php and all of its extensions. You can set this up by doing the following:

$ wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

$ wget http://rpms.famillecollet.com/el5.i386/remi-release-5-7.el5.remi.noarch.rpm

$ rpm -Uvh remi-release-5-7.el5.remi.noarch.rpm epel-release-5-3.noarch.rpm

This will set up the Remi repository for yum. By default it is disabled, so you’ll have to use the --enablerepo option with yum whenever you use it to install or update anything. So in order to update to php 5.2.* you just say:

$ yum --enablerepo=remi install php

To verify that you have php 5.2.8 installed, issue:

$ php -v

And you’ll get a response like:

PHP 5.2.8 (cli) (built: Dec  9 2008 14:11:33)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

At this point I assume you already have mysql and mysql-server installed and configured. If not just issue:

$ yum --enablerepo=remi install mysql-server

It will install all of the necessary dependencies including mysql. Configuring mysql server using mysqladmin is actually out of the scope of this but there are plenty of tutorials online for that. Make sure you set up your   and passwords for accessing it otherwise you’ll have issues later.

Now you’ll want to install php-mysql. Again, use the Remi repository for this, otherwise you’ll end up with tons and tons of dependency issues. Trust me, I learned this the hard way…

$ yum --enablerepo=remi install php-mysql

This will install the mysql.so module for you and add it to php.ini, so you don’t need to add extension=mysql.so yourself. It does the same for mysqli.

So now you’ve got everything you need set up properly; time to install phpmyadmin. Get the tarball from the server, extract it somewhere in your htdocs folder, and create a symbolic link to it called phpmyadmin. Go into the phpmyadmin directory and create a folder called config. Issue:

$ chmod o+rw config

Now, because you’ve already set everything else up, you won’t receive the errors that I got on my first attempts. Go to http://www.yoursite.com/phpmyadmin/setup and follow the steps there. It’s a very nice little graphical interface that helps you build the configuration file. After this is done, move the config.inc.php file from the config directory to the top of the phpmyadmin directory. Then remove the permissions you set before:

$ chmod o-rw config

That’s it. Now you can go to http://www.yoursite.com/phpmyadmin and log in using your credentials for mysql-server.
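The whole procedure above as one script, added here as an example rather than anything from the post: the repository, php, mysql-server and php-mysql steps become functions, "php -v" is checked for the 5.2.x the Remi repository is supposed to give, and the world-writable config folder is opened only for the setup page and closed again afterwards. It assumes a CentOS 5.2 box, root, the post's package and URL names, and an htdocs location in WEBROOT (assumed, override it with your own); nothing runs until you call the functions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's install steps as a
# script, plus a check that "php -v" reports the 5.2.x that Remi should give.
# Assumes CentOS 5.2, root, and the post's package and URL names; WEBROOT is
# an assumed htdocs location. Nothing runs until you call the functions.
set -e
WEBROOT="${WEBROOT:-/var/www/html}"

# Pull "5.2.8" out of the first line of php -v output ("PHP 5.2.8 (cli) ...").
php_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when a version string is 5.2.x, which is what the post expects after Remi.
is_php_52() {
  case "$1" in 5.2.*) return 0 ;; *) return 1 ;; esac
}

# Add the EPEL and Remi release packages, exactly as the post does.
add_repos() {
  wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
  wget http://rpms.famillecollet.com/el5.i386/remi-release-5-7.el5.remi.noarch.rpm
  rpm -Uvh remi-release-5-7.el5.remi.noarch.rpm epel-release-5-3.noarch.rpm
}

# Remi is disabled by default, so every yum call needs --enablerepo=remi.
install_stack() {
  yum -y --enablerepo=remi install php mysql-server php-mysql
  v=$(php_version_from_output "$(php -v)")
  is_php_52 "$v" || { echo "expected php 5.2.x, got '$v'" >&2; return 1; }
}

# phpMyAdmin setup: the post makes config/ world-writable so the web setup
# page can write config.inc.php; keep that window short and close it after.
setup_phpmyadmin() {
  tarball="$1"   # path to the downloaded phpMyAdmin tarball
  dir=$(tar tzf "$tarball" | head -n 1 | cut -d/ -f1)
  tar xzf "$tarball" -C "$WEBROOT"
  ln -sfn "$WEBROOT/$dir" "$WEBROOT/phpmyadmin"
  mkdir -p "$WEBROOT/phpmyadmin/config"
  chmod o+rw "$WEBROOT/phpmyadmin/config"
  echo "Visit http://<yoursite>/phpmyadmin/setup, save the config, then press Enter"
  read _dummy
  mv "$WEBROOT/phpmyadmin/config/config.inc.php" "$WEBROOT/phpmyadmin/"
  chmod o-rw "$WEBROOT/phpmyadmin/config"
}
```

Run add_repos, then install_stack, then setup_phpmyadmin /path/to/phpMyAdmin.tar.gz; install_stack stops with an error if the php on the path is still the stock 5.1.*.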

Hope this saves everyone from running into all of the issues I had.