Author: Brandon

I’ve long realized the importance of version control, but since I tend to work on most projects myself, I’ve never really been force to use one. Recently though, I’ve been working on several different website simultaneously, and I’ve found myself making changes to code on one site.

Subversion is the perfect answer to this situation.  I’ve recently set up a subversion repository for my common code, and I can now work on the code on one site and ‘commit’ it.  Then, just update my local copy on another site, and all of my work is merged.

Of course, I have to take care to realize what the updates will do, and that it doesn’t break functionality on each site, but the usefulness of being able to share code like this is amazing.

A recent blog post about the Google Blacklist brought up a thought I had a while ago about reducing the effectiveness of phishing. In his post Micheal says that “The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site.” This has been my experience as well. The phishing page actually includes graphics from the legitimate site.

I can see a couple reasons for this.

1. The phishers have some concern about bandwidth usage or disk space usage on their hosts
2. When the page is loading, some browsers will say “waiting for www.paypal.com” which helps to make the site appear more legitimate.
3. Phishers are lazy and don’t want the added work of changing the source and uploading more files to their web host

In any case, the fact that these phishing sites are pulling graphics from the legitimate site provides an easy way for the target site to identify phishing sites. On 90% (or more) of browsers, when the browser requests a graphic, it sends an HTTP_REFERRER header that tells the web server which page included the graphic.

For example, if you are hitting my site now, your browser requested this graphic:

http://www.brandonchecketts.com/wp-content/themes/cordobo-green-park-09-beta-09/images/h3_bg.gif

When your browser requested it, it also told my web server which page the request originated from. This is the default behavior for all major browsers. The request in my Apache log looks like this:

11.22.33.44 – – [05/Jan/2007:09:59:58 -0500] “GET /wp-content/themes/cordobo-green-park-09-beta-09/images/h3_bg.gif HTTP/1.1” 200 1581 “http://www.brandonchecketts.com/wp-content/themes/cordobo-green-park-09-beta-09/style.css” “Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1”

Basically, your web browser told my server to request the graphic, and that the page that instructed it to do that was the “style.css” file.

The phishing targets (PayPal, eBay, Bank of America, etc) could easily look through their logs to identify those phishing sites that are including their graphics.

Or, better yet, instead of just displaying the static images, they could program their web server to look at the HTTP_REFERRER field on each request. If it comes from a legitimate source, then display the normal graphic. If it comes from an unknown source, then display an alternate graphic that says “THIS IS NOT THE REAL PAYPAL SITE!”

Who knows why they haven’t done this yet. I could whip up a script to do it in about an hour!

strace is a useful Linux utility for watching the system calls that a program makes. I usuall don’t have to dig this deeply into an application to debug it, but I’m running int a problem with one application, and the developer recommended doing an strace to see if anything looks suspicious. Here’s the command I’m using:
strace -Fft -o /var/tmp/strace.out -p <PID>

This command has a couple useful options. the “Ff” makes the strace follow program forks. The “-t” makes it print a human readable timestamp before each line. The “-o” argument dumps the output to the specified file, and the -p argument attaches it to a specific process.

The output is fairly cryptic, but I’m hoping that it catches something useful

Google is a mystery to me. The home page of this site has had a Page Rank of 2 for quite a while. Right, now, if you check out my links on Google, it shows the same ones that I’ve had forever, bu somehow I suddenly have a page rank of 4!

I have been working on generating more content on this site (like the semi-regular blog postings). As part of that, I installed WordPress, which I supposed search engines might like. I’ve also been generating some incoming links by posting a couple things on Slashdot and various other places. In addition, I’ve noticed that I’m slowly getting a few more people that have installed my speedtest, which has a link to this site.

I guess everything is working. Now I need to start doing this to the sites that I make money from 🙂

We’re upgrading our DNS Servers from BIND to PowerDNS, and at the same time, will be changing their IP addresses to move them onto different networks.

I looked all over the Internet and could never really find a way to change the IP address of a DNS server. It seemed that there was a chicken and egg problem. Suppose you have a domain named mydomain.com. At your registrar, you’ve told them that the Primary name servers for mydomain.com are ns1.mydomain.com and ns2.mydomain.com.

Now, if you change the IP address of ns1 & ns2.mydomain.com, how does the rest of the Internet know how to get to them? The solution is that somewhere, there is a global registry of DNS servers that really define where ns1 and ns2.mydomain.com are at. I’m not sure where this is at, but fortunately, our registrar (Godaddy) has a way to edit them. All that was required was to log into our Godaddy account, find the “host summary” section, and change the IP addresses there that were assigned to ns1 and ns2.

I assume that once we changed that, Godaddy submits those changes to the mysterious database of name servers. They said it takes 4-8 hours for that to happen, but I noticed queries coming in to our new servers immediately. Queries will continue to go to our old DNS server for a couple days. dnsstuff.com has a cool tool called “ISP Cached DNS Lookup” where you can see how long your DNS records are cached at many major ISP’s.

With careful planning and an decent understanding of how DNS works, our switchover went flawlessly.

I’ve been working with PowerDNS recently to replace our old Bind servers. One small issue I’ve had with the program, though, is that it’s built-in Web interface that displays statistics about the running server only works with a username and password. I didn’t particularly like this setup, because it means that everybody that needs access to it has the same password.

So, I configured the PowerDNS web server to only listen on the localhost, and the created an Apache instance on the server to perform the authentication, and then do a proxy lookup on the PowerDNS Web Interface.

PowerDNS Configuration from /etc/powerdns/pdns.conf

## Start the webserver for statistical information
webserver=yes
webserver-address=127.0.0.1
webserver-password=
webserver-port=9099

Apache Configuration
I just put this file in /etc/httpd/conf.d/pdns.conf You can use any type of authentication here that Apache supports, just like you would use in a .htaccess file

<Location /pdns/>
  AuthType Basic
  AuthName “Admin”
  AuthUserFile /var/www/html/.htpasswd
  Require valid-user
</Location>
ProxyPass /pdns http://127.0.0.1:9099/
ProxyPassReverse /pdns http://127.0.0.1:9099/