herraiz.org | Blog

• Where are you?

  In the last weeks, I have been asked the above question quite a lot of times. Two weeks ago, I was supposed to be in Canada. In 2009, after the lack of opportunities in Spain, and the scary forecasts for the economy in Spain (with unemployment rates reaching 20%), I started to look for research and university teaching positions abroad. I was lucky, and I found a postdoc in Canada, for three years, in a top research group.

  I was very happy for that opportunity, and looking forward to starting to work there. I was having a hard time in Spain, because I did not manage to get "accreditation", and Canada was the right place to gain a lot of experience and opening new future opportunities. Accreditation in Spain is an official (and painful and hyper-bureaucratic) validation process that every candidate for an university position must go through before being able to apply for positions. The process is tough because you have to collect a lot of documents, and you need a lot of teaching and research experience to pass it. With my CV, it was difficult to get the accreditation, and my estimations were that I needed at least two more years doing research to get it. That's why the opportunity in Canada came in the right moment.

  However, last November I got the accreditation. I applied with the idea of a last try before going to Canada. And it turned out to be successful. Having got the accreditation, I started to apply to every position that was open in Madrid. After a couple of months, I finally got a position in a small university in Madrid, which is very teaching oriented, although it is starting new research and doctorate programs. That means that I will probably need some time to continue doing research, because I have to adapt to this new university, and I have lot of teaching duties. But I think that in the following months I will manage to find the way to combine teaching and research.

  So, where am I now? Well, right now I am on a plane, heading Brussels, to attend FOSDEM (the magic of my new blogging system is that I can add posts offline, and synchronize my blog once I am connected). And in the following months (probably years), I will stay in Madrid. Hopefully, my current position will be long-term, maybe even permanent.

  It has been a hard decision. Going to Canada for research is a life changing experience, and I have probably dropped a lot of future opportunities after this decision. But in the personal side, this is the option that currently makes it easier to balance my professional and personal life.

  I have not spread the word till now because in the middle of this deep meditation, Rocío and I have had to face some personal issues. Her mother suffered a heart disease and needed surgery, and we have been very busy (I have been picking her sister's kids from school, preparing lunch for them and doing a lot of other fun tasks). Fortunately, she is now all right, and recovering fast. Should I have gone to Canada when I planned to, Rocío would have had to deal with all this alone. So in spite of all my doubts, and also in spite of being that kind of decisions that no matter what option you choose, you are probably choosing wrongly, at least for now, it has been the right decision.

  
  
  Written on Feb 05 2010 | Comments »

• New GPG key

  My old GPG key (with ID 6248BA12) is now obsolete because it was too short (1024 bits) and I used the deprecated SHA1 algorithm for most of my signatures. I have revoked that key and I generated a new one, that is signed with my old key. The new key ID is FE0A7AF3. Please update your keyring with the following commands:

  $ gpg --keyserver pgp.rediris.es --refresh-keys 6248BA12
  $ gpg --keyserver pgp.rediris.es --recv-keys FE0A7AF3
  

  I will be at the FOSDEM keysigning party, so if you are attending FOSDEM don't miss the party, and we can exchange key signatures for this new key.

  If you still have an old key, you may consider creating a stronger key.

  
  
  Written on Jan 27 2010 | Comments »

• Under attack

  Some weeks ago, I received a message telling me that my website had been hacked, with a link to PHP script that was indeed stored in my server. The email was quite polite, trying to fake a real warning from a benevolent user:

  It appears your server has been hacked. the following link, for
  example, used to redirect to rogue antispyware:
  
  [LINK REMOVED]
  
  don't click on the link unless you're on Linux or you really know
  what you're doing, because it may redirect to a malicious
  site. right now it's just redirecting to CNN's web site. you
  probably want to get rid of this page and get your server cleaned up
  ASAP. just giving you a heads up.  
  thanks.
  

  I reviewed all the contents in my server, and I found several other PHP scripts, that were different, and several subdirectories named .files that contained HTML pages with links to similar PHP scripts stored in other sites.

  The script was a base-64 encoded. I decoded it using a Python script, and the decoded script was encoded using a naive encrypting algorithm that shifts the positions of the characters. I again decoded that using another Python script, and I finally obtained what the malicious script did. It turns out that the script randomly crawled the URLs of other attacked sites connecting to the machine at 77.55.31.116,, and it generated all the files that were stored in the .files directory.

  The IP belonged to an ISP called The Planet.com. The site hosted there seems to belong to a Russian guy. I reported the incident to the abuse contact address of the ISP, but I never got a reply.

  I also noted that all the lines ended in \r\n, so the attacker is a Mac Windows user. I gathered some other scripts randomly, and the scripts gave the attacker control to upload and modify files in the hosted machine. It could also query Wordpress databases in the host, what gave me a hint about how the attacker managed to upload files to my server.

  I had an old Wordpress installation, and it seems that there is a bug that let anyone from the web to register and inject shell script code. I removed a couple of users from all the Wordpress installations that I had, and disabled the possibility of registering new users. Actually I have dropped Wordpress and I using Jekyll and Emacs Org-Mode for this blog.

  From my site, I have recovered a list of 53 sites that have been also attacked, and that have probably not yet cleaned. I am also publishing here a list of the addresses of these sites, together with the name of the malicious PHP script (without the .php extension) that is stored in the site (first and second columns of the text file, respectively). If your site is included in the previous listings, check that the scripts included in the second listing exist, and if they do, remove all the PHP scripts that you are sure you did not upload (you can also check that the suspicious scripts are encoded), and look for directories named .files; remove all those directories.

  And finally, keep your Wordpress always up to date; or even better, drop it and change to another solution. It seems that Wordpress is pretty much a Gruyère cheese.

  
  
  Written on Jan 19 2010 | Comments »

Older posts