Updating Virus Definitions for Norton Internet Security 2006

If you are using Norton Internet Security 2006, your automatic-update subscription has probably expired, so you need to download the virus definition package (Symantec's Intelligent Updater) manually and run the installer. When you run it, you might get this error message:

Problem:

===============
Symantec Intelligent Updater
===============
Intelligent Updater session complete.
All updates failed to install on the machine. For more details about the processing, please check the log file “Log.IntelligentUpdater.txt”
created in the user’s temporary directory.
===============
OK
===============

When you look in that log file, it contains:

Sun Jan 22 19:31:40 2012 : PROCESSING ENTRY: VIRSCAN.zip – Virus Definitions
Sun Jan 22 19:31:40 2012 : Entry details:
…………

path for the Authorization DLL from the registry.
Sun Jan 22 19:31:40 2012 : IU failed while deploying V because a compatible product could not be found on the system. Please make sure that a compatible Symantec product is installed on the system.

SOLUTION:

Unzip the virus definition package. It contains a folder "VirusDef"; copy it to C:\VirusDef.
The files need to end up in C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\
but that folder is read-only and normally locked by the Norton service, so restart the machine and boot into "Safe Mode with Command Prompt". At the prompt run:

cd C:\VirusDef
for %F in (*.*) do if /I not "%F"=="ZDONE.DAT" copy /Y "%F" "C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\"
copy /Y ZDONE.DAT "C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\"

The destination path contains spaces, so it must be quoted. ZDONE.DAT is copied last, on its own, because Norton treats that file as the signal that the definition set is complete (see the note in the reference below); a plain copy *.* gives no guarantee about the order.

Now restart the machine. Norton will pick up the new files automatically and update the definitions date.

Ref: http://cert.cc.shu.edu.cn/Symantec/update.txt

=====================================================================
XVI. Installing Virus Definition Files Manually
=====================================================================

If you do not want Intelligent Updater to install the new virus
definitions for you automatically, you can use the /DUMP command to
extract the virus definition files, then copy the appropriate files
to the virus definitions folder.

Installing Virus Definition Files Manually
——————————————————————–
1. Copy the Intelligent Updater program (yyyymmdd-vvv-I32.EXE or
yyyymmdd-vvv-X86.EXE) to an empty, temporary folder.
2. Launch the Intelligent Updater program using the /DUMP command.
For the yyyymmdd-vvv-X86.EXE file, use the /EXTRACT command.
This will extract all the virus definitions to the folder. For
example, type yyyymmdd-vvv-I32.EXE /DUMP to extract the files. Or
type yyyymmdd-vvv-X86.EXE /EXTRACT [path] where path represents
the current directory. The yyyymmdd represents the date of the
definition set. The vvv represents the version number.  For example,
the filename could be 20021231-001-I32.EXE for a December 31
definition set.
3. Copy the files to the virus definition folder.  Copy the files to
this location:
C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\

NOTE: Copy the file ZDONE.DAT last. This file signals Norton
AntiVirus that the definition set has been completely loaded. If
it is not loaded last, it may cause errors.


Cross-Browser CSS Gradient

Very handy CSS for creating cross-browser gradient effects. It saves image requests and keeps sprite sizes down.

background: #dde9f5; /* fallback for non-CSS3 browsers */
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff', endColorstr='#dae6f4'); /* IE */
background: -webkit-gradient(linear, left top, left bottom, from(#ffffff), to(#dae6f4)); /* WebKit browsers */
background: -moz-linear-gradient(top, #ffffff, #dae6f4); /* Firefox 3.6+ */

Source: http://webdesignerwall.com/tutorials/cross-browser-css-gradient

Fiddler – Web Debugging Proxy & Monitoring Tool

I recently came across a network traffic monitoring tool for HTTP requests. Previously I used Ethereal (an excellent tool for packet-level capture); Fiddler is equally good for HTTP traffic and provides many other features. Read more at

http://www.fiddler2.com/

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.


Other links:

http://www.ethereal.com/download.html

Optimizing Web Forms for Conversions – Form Analytics

I was researching how to optimize website forms: for example, increase signup conversion, reduce shopping cart abandonment, detect and reduce bounce rate. After a little research I found a few solutions, among which ClickTale (a paid service) sounds best, but it is far too expensive for open-source platform developers.

Factors I found that could be useful for measuring the user experience of filling in a form:

1. Time spent on a field
2. The field on which the visitor abandoned the form
3. Blank fields that were never touched
4. Fields that needed refilling due to a JavaScript error or validation failure

These can also be combined with other stats to give many interesting insights:

1. Regional analysis (which region has most error)
2. Client Browser analysis
3. A/B Testing of 2 forms
4. Multi-Variate Testing

I wish someone would develop an open-source or free solution like ClickTale's form analytics; it does not sound like rocket science.

NOTE: Updated 4th July 2011

I've drafted a beta release of Visitor Analytics powered by GAE (Google App Engine), providing a subset of the features mentioned above.
Anyone interested in the beta can try it out; contact me via Gmail or email.

Existing market tools are mentioned below …

ClickTale
http://blog.clicktale.com/2008/09/22/new-conversion-report-maximizes-online-form-performance/

Form Analytics

Time Report

RevenueExpect
http://www.revenueexpect.com/features

RevenueExpect works by capturing customers who have abandoned your shopping cart or form in real time and then transferring that data to your email service provider. With our direct integrations into MailChimp, iContact and Constant Contact, small businesses can now automate shopping cart abandonment and email remarketing campaigns.

Form Alive
http://www.formalive.com/
Web Metrics Reporting

Using Jquery and Google Analytics events to track form abandonment.
http://www.distilled.net/blog/conversion-rate-optimisation/using-jquery-and-google-analytics-events-to-track-form-abandonment/

Other Links
http://analytics.blogspot.com/2010/04/how-to-measure-quality-of-online-form.html
http://stevenbenner.com/2010/03/custom-link-click-tracking-using-omniture/
http://seewhy.com/products_abandonment_tracker.htm

http://www.conversion-rate-experts.com/articles/understanding-your-visitors/

http://blog.kissmetrics.com/

http://www.crazyegg.com/overview

http://codecanyon.net/item/google-analytics-jquery-form-optimizer/243360

http://visualwebsiteoptimizer.com/split-testing-blog/tag/form-optimization/

http://blog.clicktale.com/2010/10/28/finer-form-analytics-with-segmentation/

http://userfly.com/

Fix: PHP “echo()” function performance

A few days back I was optimizing the performance of a website. After placing benchmark probes everywhere, I found that the echo() statement was taking almost 1.6s just to print the $string variable of around 100K. That is pathetic when all the DB fetching and everything else finishes under 0.1s and echo() takes 1.6s. It reminded me of the website phpsadness.com (which logs the big issues of PHP), shared by my colleague (kadnan) a few days earlier.

Actual problem:

$t1 = microtime(true);
echo $html;          // the ~100K string
$t2 = microtime(true);
echo ($t2 - $t1);    // measured ~1.6s

Researching on the web, I found that it is a known issue involving Nagle's algorithm (a TCP feature, not part of echo() itself) and the way PHP hands its output to the web server.

Using print() instead brought it down to 1.1s, but still not what I wanted.

A proposed solution was to split the string into small pieces and echo them one by one; that improved it to 1s, but still not enough.

http://www.php.net/manual/en/function.echo.php#52881

function echobig($string, $bufferSize = 8192) {
    // Emit the string in $bufferSize chunks so each echo hands a small
    // block to the output layer instead of one 100K+ write.
    $splitString = str_split($string, $bufferSize);
    foreach ($splitString as $chunk) {
        echo $chunk;
    }
}

Promising Solution

I found this comment on a blog:
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why#comment-5607

Guys, I think I narrowed it down even further!

As previously said, PHP buffering will let PHP race to the end of your script, but after that it will still "hang" while trying to pass all that data to Apache.

Now I was able, not only to measure this (see previous comment) but to actually eliminate the waiting period inside of PHP. I did that by increasing Apache’s SendBuffer with the SendBufferSize directive.

This pushes the data out of PHP faster. I guess the next step would be to get it out of Apache faster but I’m not sure if there is actually another configurable layer between Apache and the raw network bandwidth.

- Francois Planque

This seems very promising, judging by the comments, and I'll be trying it very soon.

Reference:
http://wonko.com/post/seeing_poor_performance_using_phps_echo_statement_heres_why
http://phplens.com/lens/php-book/optimizing-debugging-php.php
http://www.php.net/manual/en/function.echo.php#52881

Mysql Fulltext Secret Bug … I mean feature.

I was recently doing a full-text search for the keyword "eight", and it didn't return a single result, while it worked for every other keyword.
After a little googling I found this document:

http://dev.mysql.com/tech-resources/articles/full-text-revealed.html#stopwords

It says:

Suppose you want to search for a text that contains "you want to".

 SELECT ... FROM table1
WHERE MATCH(textcolumn) AGAINST ('"you want to"' IN BOOLEAN MODE)

This is awful, for two reasons:

  • "You" and "want" and "to" are all stopwords if you’re using the default stopword list (see the list of stopwords at the end of this article). In fact this particular query always fails because all words are stopwords.
  • Even if they weren’t stopwords, there is nothing in a key that tells you what the relative position of the words is within the text (see the index file key structure at the start of this article).

So MySQL can’t get the answer just by looking in the index. The method has to be: first try to filter out the candidate rows by looking for whatever words aren’t stopwords, then examine each candidate row in the data file and make sure the words are there in the correct order. This means exact phrase searching can be a little slower than ordinary searching. On the other hand, MySQL won’t find "Sam was tall" if you search for "Sam grew tall". (If "was" and "grew" are both stopwords, there’s another DBMS that would find "Sam was tall". We think that looks like a bug.)

And "eight" is also in that stopword list (for no obvious reason, as far as I can tell).

My Solution:

1. I replaced the DB value "eight" with "_eight".

2. Before doing the MATCH ... AGAINST, I replace "eight" in the search term with "_eight".

Rewriting the data is a workaround. For MyISAM tables MySQL also lets you override the built-in list: point the ft_stopword_file server variable at your own (possibly empty) stopword file, restart the server and rebuild the FULLTEXT index with REPAIR TABLE ... QUICK.

iSKORPiTX Footprints … Recovering a iSKORPiTX Hacked Site

Last weekend one of my friends called me in a hurry: our intranet's official site had been hacked and suspended by the hosting service for phishing. What to do next? Here is the process I used to find the root cause and recover.
Hosting service indicated this in email …

Reported Malicious Content:
http://www.web.com/. script s/SIIBIC/index.processa

Other Potential Malware:

/home1/web/public_html/tmp/x.txt
/home1/web/public_html/tmp/up.php

Root Cause

In /tmp/x.txt the attacker left his name as a signature: "iskorpitx". Googling it turned up many links pointing at the likely cause:

Site hacked through extcalendar component
http://forum.joomla.org/viewtopic.php?t=79050

Dreamhost e-mailed me earlier today and said that my website was an isolated incident. I think it was a Joomla! (opensource CMS) exploit.
http://www.bigevilonline.com/showthread.php?t=1310

The old version of Joomla (1.5.5) has some serious security issue. Upgrade to Joomla 1.5.6.
http://www.namepros.com/domain-name-discussion/508395-my-website-hacked-iskorpitx-turkish-hacker.html

My host support got back to me, looks like it was a server wide issue, someone had an old Joomla script on their site that was exploited.
http://wordpress.org/support/topic/my-blogs-been-hacked-by-iskorpitx-turkish-hacker

An older version of Joomla was installed on the site, so that was most probably the root cause of the attacker getting write access to /public_html/tmp.

Recovering

I found a useful link with some recovery tips:

How to find backdoor PHP shell scripts on a server
http://25yearsofprogramming.com/blog/2010/20100315.htm

I went to the access logs to find the scripts, but only the last 24 hours of logs were there, showing heavy traffic to the malware code.

I asked the hosting service for SSH access and, after several tries, searched for the recently changed files on the server:

Files changed in the last 60 days (-ctime is the inode change time; unlike the modification time it cannot be set with touch(1), so it survives the timestamp back-dating intruders often do):
find ./ -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

The same, excluding one folder:
find ./ -path './ignore-folder' -prune -o -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

last-activity.txt showed exactly what I was looking for: files listed with their change time, laying out the intruder's footprint.

# Files uploaded into tmp/, probably through the Joomla hole (tmp/ is Joomla's temp folder)

Mar 10 11:48 ./tmp/x.txt
Mar 20 04:16 ./tmp/up.php
Mar 20 03:33 ./tmp/abc.php
Apr 22 11:25 ./templates/ja_purity/index.php

# Reverse shell console that executes sh commands
Apr 30 16:45 ./templates/beez/index.php

# Probably a remote shell helper
May 4 07:34 ./images/logs.php

# Uploaded phishing kit archive
May 4 11:39 ./images/https.zip

# Extracted phishing pages
May 4 11:46 ./.scripts/index.html
May 4 11:46 ./.scripts/infobusca/index.htm
May 4 11:46 ./.scripts/cetelem/login.php

May 4 11:49 ./images/https.zip.1

The phishing scripts were thoroughly malicious: they captured user input (credit card numbers, usernames and passwords), stored it in ../.out/file.txt and emailed the file contents to "infos.trace@gmail.com". The kit contained cloned login pages of 12 portals (banks, credit cards and others, e.g. Serasa Experian and Amex).

I asked the Gmail security team to trace this account for investigation.

No extra email accounts, cron jobs, FTP accounts or databases turned up in cPanel.
I removed the malicious content and asked the hosting service to enable the website again.
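The two steps above (list recently changed files by ctime, then look at what each one is) can be automated. The script below is an added example for this post, not the original author's code: it walks a site root, keeps regular files whose inode change time is within N days, and flags PHP files sitting in directories that should only hold data, archives dropped into those directories, and PHP files containing constructs typical of backdoors. The data-directory names (tmp, images, .scripts) come from the listing above; the pattern list is my own assumption, is not complete, and will match some legitimate code, so treat hits as leads to read, not verdicts.

```python
"""Hunt for recently changed files that look like PHP backdoors or dropped
phishing kits. Added example for this post, not the original author's code."""
import os
import re
import stat
import time

# Constructs common in PHP web shells. Assumed, illustrative list: it is not
# complete and can match legitimate code, so hits are leads, not verdicts.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"
    r"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
    re.IGNORECASE,
)

# Joomla directories that hold data, not code; a .php file there is a red flag.
# Taken from the listing in this post (tmp/, images/, .scripts/); adjust per site.
DATA_DIRS = {"tmp", "images", ".scripts"}
PHP_EXT = (".php", ".php5", ".phtml", ".inc")
ARCHIVE_EXT = (".zip", ".tar", ".gz", ".rar")


def recent_files(root, days, prune=()):
    """Yield (path, ctime) for regular files changed within `days`, like
    `find -type f -ctime -N`. ctime is set by the kernel on any inode change
    and cannot be set with touch(1), which is why it is used instead of mtime."""
    cutoff = time.time() - days * 86400
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in prune]  # like find -prune
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_ctime >= cutoff:
                yield path, st.st_ctime


def classify(root, path):
    """Return the reasons `path` looks suspicious; an empty list means none."""
    rel = os.path.relpath(path, root)
    top = rel.split(os.sep)[0]
    lower = rel.lower()
    reasons = []
    if lower.endswith(PHP_EXT):
        if top in DATA_DIRS:
            reasons.append("php file under %s/" % top)
        try:
            with open(path, "rb") as fh:
                text = fh.read(512 * 1024).decode("latin-1")
        except OSError:
            return reasons
        m = SUSPICIOUS.search(text)
        if m:
            reasons.append("contains %r" % m.group(0)[:40])
    elif lower.endswith(ARCHIVE_EXT) and top in DATA_DIRS:
        reasons.append("archive dropped under %s/" % top)  # e.g. images/https.zip
    return reasons


def hunt(root, days=60, prune=()):
    """Scan `root` and return [(relative path, ctime, reasons)] sorted by ctime."""
    hits = []
    for path, ctime in recent_files(root, days, prune):
        reasons = classify(root, path)
        if reasons:
            hits.append((os.path.relpath(path, root), ctime, reasons))
    hits.sort(key=lambda hit: hit[1])
    return hits


if __name__ == "__main__":
    import sys
    for rel, ctime, reasons in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(time.strftime("%b %d %H:%M", time.localtime(ctime)), rel, "; ".join(reasons))
```

Run it from the account's home directory against public_html and write the report outside the web root, as the find commands above do. Anything it flags still has to be read: a CMS extension can legitimately call exec(), and a shell that is only obfuscated differently will slip past the patterns, which is why the directory rule is there as a second, independent signal.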

—-

Learnings

- Pay serious attention to security updates of every installed application (Windows, Joomla, WordPress, anything).
- Don't blindly trust third-party plugins / extensions for open-source tools. Do at least a minimal code audit if possible.
- Don't install anything from untrusted or warez-like websites; there a comprehensive code audit is a must.

Gmail Compose Link – Alternate of Mailto

Just found an alternative to the HTML "mailto:" link, which relies on the visitor having a desktop mail client configured. The URL below sends the user straight to a Gmail compose window.
No plugin is required; if the user is not logged in, Gmail asks for a login first and then redirects to the compose window. The parameter values (to, body) must be URL-encoded, since an unencoded space or & in the body would break the query string.

<a target="_blank" href="https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=youremail@gmail.com&body=my-text">Click here to email</a>

The original idea is here:
http://toric.blogspot.com/2005/07/gmail-compose-link.html

A Practical Example of Map/Reduce algorithm

A practical example of the Map/Reduce algorithm: a very easily understandable article with no buzzwords.
The example targets the problem of counting comments grouped by blog_id over a very large dataset (too large for a DB SELECT).

http://ayende.com/Blog/archive/2010/03/14/map-reduce-ndash-a-visual-explanation.aspx

In short … Map/reduce is a very hot topic, but you need to realize what it is for. It isn’t some magic formula from Google to make things run faster, it is just Select and GroupBy, run over a distributed network.

http://ayende.com/Blog/archive/2010/03/15/what-is-mapreduce-for-anyway.aspx

Map/Reduce (or Hadoop) sounds best for large-data aggregation and summarization
(as the name suggests, the reduce function reduces the chunks of data).
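The comments-per-blog job from the linked article, written out as map, shuffle and reduce over constructed sample data. This is an added illustration, not code from either article. The split into chunks stands in for the distributed workers and shows the property the "Select and GroupBy" analogy hides: the reduce function has to be associative, because each worker reduces its own chunk first and the partial results are reduced again.

```python
"""Map/Reduce count of comments per blog_id. Added example, not from the
linked articles; the records are constructed sample data."""
from collections import defaultdict

# Constructed sample input: comment records as they might come out of a store.
COMMENTS = [
    {"id": 1, "blog_id": 10, "text": "nice"},
    {"id": 2, "blog_id": 10, "text": "thanks"},
    {"id": 3, "blog_id": 20, "text": "hmm"},
    {"id": 4, "blog_id": 10, "text": "+1"},
    {"id": 5, "blog_id": 30, "text": "?"},
    {"id": 6, "blog_id": 20, "text": "ok"},
]


def map_comment(record):
    """Map step: emit (key, value) pairs, here one (blog_id, 1) per comment.
    This is the SELECT blog_id, 1 part of the SQL analogy."""
    yield record["blog_id"], 1


def shuffle(pairs):
    """Group emitted pairs by key: the GROUP BY of the SQL analogy."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def reduce_counts(key, values):
    """Reduce step: fold one group's values. sum() is associative, so partial
    sums produced by different workers can be summed again."""
    return key, sum(values)


def map_reduce(records, mapper, reducer, chunk_size=2):
    """Run the job as if `records` were split into chunks handled by separate
    workers: each chunk is mapped and reduced locally (a combiner), then the
    partial results from all chunks are shuffled and reduced once more."""
    partials = []
    for start in range(0, len(records), chunk_size):
        chunk = records[start:start + chunk_size]
        mapped = (pair for rec in chunk for pair in mapper(rec))
        for key, values in shuffle(mapped).items():
            partials.append(reducer(key, values))
    final = {}
    for key, values in shuffle(partials).items():
        k, v = reducer(key, values)
        final[k] = v
    return final


def comments_per_blog(records=COMMENTS):
    """SELECT blog_id, COUNT(*) FROM comments GROUP BY blog_id, as a job."""
    return map_reduce(records, map_comment, reduce_counts)


if __name__ == "__main__":
    print(comments_per_blog())  # {10: 3, 20: 2, 30: 1}
```

Changing chunk_size changes how the work is partitioned but not the answer; a reducer that is not associative (an average computed directly, for instance) would break exactly here, which is why such jobs emit (sum, count) pairs and divide only at the end.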

A few Google index stats: http://practicalquant.blogspot.com/2010/11/inside-googles-infrastructure-mapreduce.html


The Usability of Passwords

A very interesting piece of research: a passphrase like 'this is fun' is more secure than a short, hard-to-remember string like TR^4d, because length does more for brute-force resistance than character-set complexity, and it is far easier to remember. One caveat: a stock phrase is exposed to dictionary attacks on whole phrases, so several unrelated words are a better choice than a common saying.

http://www.baekdal.com/tips/password-security-usability
