Flushing PostFix outbound mail queue after servers hacked

Zombie Mail Servers will show constant disk activity without much processor consumption

After your server got hacked with SQL injection (perhaps via Drupageddon) you cleaned your Apache server and removed all malicious code, but your hard drive is still on fire and the disk I/O light never shuts off. You ran TOP but you don't see any process taking more than a few percent of processor time, what do you do?

Check your local SMTP server to see if it is flooded with outbound traffic. Your server has probably become a zombie for spammers, and your retry queue could have hundreds of thousands of outbound messages retrying continuously.


Subway Pastrami so bad I had to blog about it

I gave Subway ten bucks and got back a dollar and a pile of boogers on a bun

Under protest I joined my lunch comrades for a Subway run. I figured I'd be a high roller today and get the Pastrami foot-long, an eight-dollar investment with the hopeful payoff that there might me some actual taste to this meat, instead of the reconstituted, pre-sliced kitchen sponge they offer at more tolerable prices.

On my first bite I got a flake of pretty decent-tasting pastrami nestled in layers of smooshy fat. I figured it was a fluke so I pressed on. Nope, same thing. Blobs of globules.

About halfway into the sandwich (yes, I kept eating. Hey, it was eight bucks!) I started to hit some real tricky bits that had the presumed meat marbled with more firm slabs of grizzle and fat. And the grease - oh, the grease - it really started oozing out of the sides.


Ways to recover a hacked Drupal system with 'PCT4BA6ODSE' in its PHP files

How to un-fudge a system after you've patched it for so-called "Drupageddon"

For those seeing 'PCT4BA6ODSE' in their PHP files - I have some easy commands to run for scrubbing your site out completely of these hacks (in case you do not have backups). This will not fix the underlying issue, but if you find that your PHP files have been devoured by the hackers this will at least clean up the files without damaging them.

This attack does two things: firstly, in creates NEW php files scattered throughout your directory structure. The files are all 494 bytes long, and end in "php" so they are easy to find. Run the following command to see if you have any:

find . -size 494c -name "*.php"

...and then run this command to delete them:


Quicktabs not able to pass arguments when using AJAX

QuickTabs AJAX Errors when passing Arguments

I have three tabs in a QuickTabs block on a Panels Page. Each is set to a callback function like so:

Tab 1 Callback: list/autos/%1/ford
Tab 2 Callback: list/autos/%1/chevy
Tab 3 Callback: list/autos/%1/honda

If I set the tabs to load with AJAX, all arguments come through to the callback function as expected - arg(0) is list, arg(1) is autos, arg(2) is the 1st arg from the URL, and arg(3) is the manufacturer. EXCEPT the default tab, which gets only the original URL args, not those specified in the callback string.

If I set the tabs to NOT load via AJAX, they ALL fail, getting only the original URL args. It's as if the callback args are not yet available while the panel is still loading/rendering.


Drupal Sites Hacked Worldwide in October 2014

Security Exploit revealed in October allows total control of YOUR Drupal site

In mid-October Drupal announced a serious defect in the Database Abstraction Layer allowing guest users to gain full access to a site and server. The security noticed can be found at the FAQ on SA-CORE-2014-005 on the Drupal website.

This exploit creates the ability for attackers to place their own PHP files on your server for remote execution, or to inject their own code into pre-existing files.

Ways to detect a breached system - and steps to remediate:

Look for files with a datestamp in October 2014

If you didn't upload any new versions or modules in October 2014, there should be no php or include files with these datestamps. Use the Linux FIND command to find files last edited on or after October 1st, 2014 and then check those files.

Locate files with PCT4BA6ODSE_ in them


Shake Dog Shake

Hate you Tim Schmidt... Why?!? Because when you and I were working at Baker's Square in the kitchen, just before a trip to Arena Bowl to play FIRE! you told me that he was saying "I COULD TASET THE WRANGLE IN THE BACK OF MY MOUTH" and explained how they call a hocker a "wrangle" over there... I crush your head, crush crush crush...

Shake dog shake

Music by Robert Smith
Lyrics by Robert Smith
Vocals by Robert Smith

Ha ha ha
Wake up in the dark
The after-taste of anger in the back of my mouth
Spit it on the wall
And cough some more
And scrape my skin with razor blades

And make up in the new blood
And try to look so good
Follow me
Make up in the new blood
And follow me to where the real fun is
Ha ha ha


Trivia: I actually had an America Online account before they were called America Onloine - I had a "Chicago Online" account! No joke...
[10:04:43 AM] Todd Young: I htink I still have an ad for that service around here somewhere
[10:05:15 AM] Jerry Holt: wow
[10:05:16 AM] Todd Young: Does SSH access require whitelisting? If so, should probably add to the notes
[10:05:27 AM] Jerry Holt: i think my first internet service was compuserve
[10:05:37 AM] Jerry Holt: yes, ok
[10:05:39 AM] Todd Young: I used to be big into the BBS's
[10:05:51 AM] Todd Young: When FidoNet came out and linked them up that was awesome
[10:06:16 AM] Todd Young: I ran a BBS for a ahort time on my ONE phone line lol, man those were the days
[10:06:21 AM] Todd Young: SO primative
[10:06:24 AM] Jerry Holt: sorry
[10:06:29 AM] Todd Young: lol


Subscribe to All About Todd RSS