Fix Mailpoet / WYSIJA break in

A WordPress instance that I maintain was affected by a security vulnerability recently discovered in MailPoet (the plugin formerly known as WYSIJA). As so often, MailPoet was not even being used on that site, but was installed and active anyway.

Through the vulnerability the attackers managed to store about 10 new files, all containing similar code, on the server and, in addition, manipulated every PHP file they had write access to (good thing the server isn't running as root or anything; that would have been a real problem).

All files were manipulated in the same way: some obfuscated code was injected into the first line, always containing the keyword "yhvobwawyd". This string might be specific to our instance, or it might be used globally in this campaign.

Since the attackers managed to manipulate several thousand files, I quickly wrote a one-liner that removes these "infected" first lines:

$ grep -l yhvobwawyd * -R | xargs -i sh -c "echo {} && sed -i '1 s/^.*$/<?php/' \"{}\";"

The one-liner searches for the keyword and replaces the first line of every matching file with a plain <?php opening tag. Two caveats: it assumes the injected code was spliced into a first line that originally consisted of nothing but <?php, and it will do the same to any non-PHP file (a .js or .css file, say) that happens to contain the keyword, so look at the list grep prints before letting sed loose, and take a backup first. Stripping the injected line is also only cleanup: the roughly ten dropped files still have to be deleted, the vulnerable plugin updated or removed, and the WordPress and database passwords changed, since the attackers had code execution on the site. Please add your comments here or on the gist on GitHub.
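The same cleanup with the checks from the paragraph above built in, as an added example (this is not the one-liner from the post). The marker string is the one observed in this incident; the set of PHP extensions and the sample web root that build_sample_tree() writes (harmless stand-ins, not real malware) are assumptions made for the demo.

```python
"""Find files carrying the injected first line and strip it, with sanity checks.

Added example; not the one-liner from the post. The marker is the keyword
observed in this incident; PHP_EXTENSIONS and the sample tree built by
build_sample_tree() are assumptions for the demo.
"""
import os
import shutil
import tempfile

MARKER = "yhvobwawyd"                        # keyword found in every infected first line
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}  # assumption: only these get a <?php tag restored


def clean_source(text, marker=MARKER):
    """Return (cleaned_text, was_infected).

    Only line 1 is touched, and only if it contains the marker. If the original
    <?php tag survived on line 2 the injected line is simply dropped (a second
    <?php would be a parse error); otherwise line 1 becomes a plain <?php tag,
    which is what the sed in the one-liner does.
    """
    first, sep, rest = text.partition("\n")
    if marker not in first:
        return text, False
    if rest.lstrip().startswith("<?php"):
        return rest, True
    eol = "\r\n" if first.endswith("\r") else sep   # keep CRLF files CRLF
    return "<?php" + eol + rest, True


def scan_tree(root, marker=MARKER, dry_run=True):
    """Walk root and classify every file that contains the marker.

    Returns {path: status} with status one of
      'cleaned'              -- infected PHP file; first line stripped unless dry_run
      'dropped-file?'        -- nothing but the injection: a file the attacker added
      'non-php'              -- marker on line 1 of a non-PHP file; do not sed this
      'marker-not-on-line-1' -- unexpected shape, look at it by hand
    """
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="surrogateescape", newline="") as fh:
                    text = fh.read()
            except OSError:
                continue
            if marker not in text:
                continue
            cleaned, infected = clean_source(text, marker)
            if not infected:
                results[path] = "marker-not-on-line-1"
            elif cleaned.strip() in ("", "<?php"):
                results[path] = "dropped-file?"
            elif os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS:
                results[path] = "non-php"
            else:
                if not dry_run:
                    shutil.copy2(path, path + ".infected.bak")   # keep the evidence
                    with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                        fh.write(cleaned)
                results[path] = "cleaned"
    return results


def build_sample_tree(base):
    """Write a constructed sample web root (stand-ins, not real malware) under base."""
    injected = "<?php $q='" + MARKER + "';eval(base64_decode('aGk='));?>"
    samples = {
        "index.php":   injected + "<?php\n// site code\necho \"hello\";\n",  # spliced into line 1
        "dropped.php": injected + "\n",                                      # attacker-added file
        "style.css":   "/* " + MARKER + " */\nbody {}\n",                    # must not get <?php
        "notes.txt":   "line 1\nline 2\n" + MARKER + "\n",                   # marker elsewhere
        "clean.php":   "<?php\necho 'untouched';\n",                         # no marker at all
    }
    for name, content in samples.items():
        with open(os.path.join(base, name), "w", encoding="utf-8", newline="") as fh:
            fh.write(content)


def demo(dry_run=False):
    """Scan the constructed tree; return (status by file name, index.php afterwards)."""
    base = tempfile.mkdtemp(prefix="wysija-cleanup-")
    try:
        build_sample_tree(base)
        results = scan_tree(base, dry_run=dry_run)
        by_name = {os.path.basename(p): s for p, s in results.items()}
        with open(os.path.join(base, "index.php"), encoding="utf-8", newline="") as fh:
            index_after = fh.read()
    finally:
        shutil.rmtree(base)
    return by_name, index_after


if __name__ == "__main__":
    for name, status in sorted(demo()[0].items()):
        print(status.ljust(22), name)
```

Run it with dry_run=True first (the default for scan_tree) and go through the 'dropped-file?' and 'non-php' entries by hand; the former are candidates for deletion, not for cleaning, and the .infected.bak copies give you something to hand to whoever analyses the payload later.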

Thought someone might find this useful.

Microsoft Natural Keyboard 4000 Scroll up/down instead of Zoom in/out (Ubuntu 12.10)


My ergonomic M$ keyboard has a zoom slider between the two key blocks, which by default is bound to a zoom function that I neither need nor is available on my Ubuntu Linux out of the box. Since scrolling long texts can be cumbersome with the mouse, I looked for a way to reassign this slider to scrolling.

In the Gentoo wiki I found a very simple solution: I only needed to change one line (for me it was line 32) in the file /lib/udev/rules.d/95-keymap.rules.

Change it from

ENV{ID_VENDOR}=="Microsoft", ENV{ID_MODEL_ID}=="00db", RUN+="keymap $name 0xc022d zoomin 0xc022e zoomout"

to

ENV{ID_VENDOR}=="Microsoft", ENV{ID_MODEL_ID}=="00db", RUN+="keymap $name 0xc022d pageup 0xc022e pagedown"

And you're done! (One caveat: that file belongs to the udev package and will be overwritten by the next update of it. A copy of the edited file under /etc/udev/rules.d/ with the same name takes precedence over the one in /lib and survives updates.)

Song slides in PowerPoint

Since many congregations still use Microsoft PowerPoint to display song lyric slides, I have developed, in cooperation with CCLI, a PowerPoint add-in that generates such slides directly from CCLI's SongSelect database.

The add-in is almost finished, not quite yet, but it is due to be released in February! More information is available at

[UPDATE: 21.01.2013 17:19: fixed the links to the add-in page]

SSD TRIM Ubuntu Linux 12.10

On Ubuntu Linux 12.10, TRIM at the filesystem level (the discard mount option) is not enabled by default, for good reason, but batched discard (running fstrim periodically) is not set up by default either.

The German ubuntuusers wiki suggests running a script every day or week. I wanted it to run only while the system load is low, because queued TRIM only arrives with SATA 3.1 and running TRIM can block the system for a while. And I decided to run it daily rather than weekly, since fewer blocks accumulate between runs and each run is shorter.

So I wrote this little script (Python this time, with no dependencies other than the little script mentioned above and a file /var/opt/trim, which needs to exist and be non-empty); cron executes it every 3 hours:


#!/usr/bin/env python
# Runs every 3 hours from cron; TRIMs at most once per day and only when the
# 5-minute load average is below THRESH.
import os
import subprocess
import time

THRESH = 1.0                 # highest 5-minute load at which TRIM may still run
RUN_FILE = "/var/opt/trim"   # must exist and be non-empty; holds the time of the last run
# The original called the helper script from the ubuntuusers wiki here; which
# command that was is not on the page, so fstrim on / is an assumption.
TRIM_CMD = ["/sbin/fstrim", "-v", "/"]

load_1, load_5, load_15 = os.getloadavg()
now = time.time()
with open(RUN_FILE) as fh:
    last_run = float(fh.read().strip() or 0)   # 0 means "never ran"
# print(last_run)

if now - last_run > 86400 and load_5 < THRESH:
    try:
        subprocess.check_call(TRIM_CMD)
        with open(RUN_FILE, "w") as fh:       # remember when we last ran
            fh.write("%f\n" % now)
    except Exception:
        import traceback
        print(traceback.format_exc())

Moving to a new machine/setup with Ubuntu Linux (or Debian)

Today, as I got my new hard drive (a Samsung 830 SSD), I decided to re-install my copy of Ubuntu (for whatever reason). Copying my home folder, some config files and so on is an easy task, but what about all those little programs that were installed with some manual installer (like QPilot, VMware, ...) because they don't provide an APT package? I do not do any bookkeeping about those, so I wrote a little script that populates a list of the files on my root filesystem and checks, for each of them, whether it belongs to some Debian package.

It took a while on my old spinning hard drive; there is probably a more efficient way than calling dlocate for every single file.

My little script:


#!/bin/bash
# List the files on the root filesystem that no Debian package claims.
FILELIST=/tmp/filelist.txt
FRESHLIST=0
value=0

populatelist() {
    echo "Creating fileslist"
    # -xdev: stay on the root filesystem, don't wander into /proc, /home, ...
    /usr/bin/find / -xdev -type f > "$FILELIST" 2>/dev/null
}

if [ ! -f "$FILELIST" ]; then
    FRESHLIST=1
    populatelist
fi

exec 0<"$FILELIST"
while read -r LINE; do
    # the package cache is not part of any package by design
    if [[ $LINE != *var/cache* ]]; then
        # dlocate -S prints the owning package(s); no output means unowned
        if [ "$(dlocate -S "$LINE" | wc -l)" == 0 ]; then
            value=$((value + 1))
            echo "$LINE"
        fi
    fi
done

if [ "$FRESHLIST" == 1 ]; then
    echo "(file list was freshly created at $FILELIST)"
fi

echo "****$value Non-APT Files found"
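A faster way to answer the same question, as an added example that is not the script from the post: instead of one dlocate call per file, read the per-package file lists that dpkg keeps under /var/lib/dpkg/info/*.list once into a set and compare the filesystem walk against it. The set of excluded directory prefixes and the fake root plus fake info directory that build_sample_root() creates are assumptions made for the demo.

```python
"""List files that no installed Debian package owns, using dpkg's own file lists.

Added example, not the script from the post. /var/lib/dpkg/info/<pkg>.list is
where dpkg records which paths a package installed; reading all of them once
replaces the per-file dlocate call. EXCLUDE and the sample root built by
build_sample_root() are assumptions for the demo.
"""
import os
import shutil
import tempfile

DPKG_INFO = "/var/lib/dpkg/info"
# Trees that are never package content, so reporting them is only noise.
EXCLUDE = ("/var/cache", "/var/lib/dpkg", "/var/log", "/tmp", "/home",
           "/proc", "/sys", "/dev", "/run")


def load_owned(info_dir=DPKG_INFO):
    """Return the set of every path mentioned in any package's .list file."""
    owned = set()
    for name in os.listdir(info_dir):
        if name.endswith(".list"):
            with open(os.path.join(info_dir, name), encoding="utf-8", errors="surrogateescape") as fh:
                owned.update(line.rstrip("\n") for line in fh)
    return owned


def find_unowned(owned, root="/", exclude=EXCLUDE):
    """Walk root without crossing filesystems (like find -xdev) and return, sorted,
    the paths spelled relative to root the way dpkg spells them that are not in owned."""
    def logical(path):
        return "/" + os.path.relpath(path, root).replace(os.sep, "/")

    def excluded(p):
        return any(p == e or p.startswith(e + "/") for e in exclude)

    root_dev = os.lstat(root).st_dev
    unowned = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune in place: stay on one filesystem, skip excluded trees
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev
                       and not excluded(logical(os.path.join(dirpath, d)))]
        for f in filenames:
            p = logical(os.path.join(dirpath, f))
            if not excluded(p) and p not in owned:
                unowned.append(p)
    return sorted(unowned)


def build_sample_root(base):
    """Constructed fake root and fake dpkg info dir; returns (root, info_dir)."""
    root = os.path.join(base, "root")
    info = os.path.join(base, "info")
    for rel in ("usr/bin/ls",                      # owned by coreutils
                "usr/lib/libc.so.6",               # owned by libc6
                "opt/vmware/bin/vmware",           # vendor installer, unowned
                "usr/local/bin/qpilot",            # installed by hand, unowned
                "var/cache/apt/archives/foo.deb"): # excluded tree
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(info)
    lists = {"coreutils.list": "/.\n/usr\n/usr/bin\n/usr/bin/ls\n",
             "libc6:amd64.list": "/.\n/usr\n/usr/lib\n/usr/lib/libc.so.6\n"}
    for name, content in lists.items():
        with open(os.path.join(info, name), "w") as fh:
            fh.write(content)
    return root, info


def demo():
    """Run the check against the constructed sample; returns the unowned paths."""
    base = tempfile.mkdtemp(prefix="unowned-")
    try:
        root, info = build_sample_root(base)
        return find_unowned(load_owned(info), root)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    unowned = find_unowned(load_owned())     # the real system
    print("\n".join(unowned))
    print("****%d Non-APT Files found" % len(unowned))
```

Expect /usr/local and /opt to show up wholesale, since they are unpackaged by design, and note that this only answers "does any package claim this path"; whether an owned file still has its packaged contents is a different question (debsums answers that one). The same listing is also the first thing to look at after a break-in like the one in the MailPoet post above, because dropped files are by definition owned by nobody.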

Sharkoon Fireglider Back/Forward Buttons Linux

Because of my RSI, I got myself a supposedly good mouse. I chose a Sharkoon Fireglider, which is actually a gaming mouse, but looks office-ish enough for me.

As usual everything worked out of the box on my Ubuntu Linux, no need to install any driver; only the back/forward buttons were not working as expected. It seems Sharkoon mapped their buttons differently from everyone else.

This simple command on the terminal made it work:

xinput set-button-map 12 1 2 3 4 5 0 0 9 8

It swaps button 9 with button 8 (and maps buttons 6 and 7, the horizontal scroll events, to nothing). 12 is the ID of my mouse; you can get yours by executing "xinput list". Read this wiki if you need more details.

Done. [EDIT 2012-09-10] These changes were not permanent. To make them permanent, I created a file 50-sharkoon-fireglider.conf in /usr/share/X11/xorg.conf.d/ containing:

Section "InputClass"
        Identifier      "Sharkoon Fireglider USB"
        MatchProduct    "A4TECH USB Device"
        MatchDevicePath "/dev/input/event*"
        Option "ButtonMapping" "1 2 3 4 5 6 7 9 8"
EndSection

restarted X and it works! [/EDIT]

Apache and Nginx

On my server, on which I offer web hosting for some of my customers, runs an Apache 2. I remember when I switched from Apache 1 to Apache 2 (back in 2006?); it seemed like a huge leap for humanity to me. So much more modular, and easier to configure.

A little more than two years ago I finally made the transition from the classic PHP module to PHP as FastCGI, which brought a lot of stability and solved many permission problems in my multi-site environment.

BUT: Apache seems to be very resource hungry, especially when running PHP as FastCGI. So I was thinking about switching to something like nginx or lighttpd, which have a different architecture and are just not httpd grandpas. Young and fresh they seem.

Over the last weeks I had nginx running as a reverse proxy for IPv6 requests, since my customer panel, froxlor, does not yet support having an IPv4 and an IPv6 listener for each vhost. That worked like a charm. I loved the setup, nice and clean, and I was thinking about making the switch when I found out that nginx does not spawn php-cgi processes itself: it only speaks FastCGI to a backend that is already running. On a single-site server that is perfectly fine, but in a multi-host environment, where every user's scripts execute as their owner, quite impossible. It would mean running a php-cgi process for every single customer all of the time (even if they don't have a single PHP file in their host). Okay, bye-bye nginx. I will keep you for the time being, until I have native dual-stack IPv4/IPv6 support in my control panel, but then I will probably give lighttpd another try.

Lighttpd is supposed to offer all of the above and be less memory hungry than Apache. But we'll see about that. Good night now.

Last update for today: actually, looking at the stats, my server's RAM is usually more than 50% free. Maybe I should not worry about the web server for another year or two.

HTML5 Mobile Device Applications

At a party yesterday, a friend told me about a project of theirs for which they want an application for iOS and Android, but have nobody to build it. They had asked around and were told it would cost them about 35,000 €. Well, I know their product (which I cannot tell you about), and I instinctively said that this was way too high.

So today I did a little research on mobile app development, and here's what I found out (merely some notes for myself, but maybe someone else can take advantage of them):

  • You can develop very native-looking applications with access to the device's native features (geolocation and so on) using HTML5 (well, I knew that before, but now I know for sure).
  • There are lots of frameworks, but since I'm a heavy jQuery user I looked into jQuery Mobile, which sounds very promising (not only Android and iOS compatible, but nearly any phone; even my old Nokia 6300i is supposed to be supported somewhat!!). I also looked at Sencha Touch 2, which is based upon the famous ExtJS framework. I have not used that myself, but it seems very professional and easy to learn too!
  • There is a nice in-browser emulator called Ripple Emulator for Chrome that serves as a development "phone" on which you can test your HTML5 apps without needing a phone (I don't even own a smartphone!), and you won't need to power up the very sluggish Android SDK or boot into Mac OS X for Xcode. Nice.
  • There actually is a way to put your website with an icon on the home screen on iOS like on Android (starting with version 1.5, I believe), but that's not really the user experience we want our customers to have. While digging around in Maximiliano Firtman's book on jQuery Mobile, I found PhoneGap:Build, a service that wraps HTML5 apps into packages for iOS, Android, RIM, bada, ... that can be installed easily and even be submitted to the corresponding app stores. It is not a free service, but it saves a lot of money, so I wouldn't hesitate to use it.
  • I also stumbled over iScroll, which is supposed to bring more native-like scrolling behaviour to HTML5 apps, but I am unsure whether this is really necessary with an up-to-date framework.
  • UPDATE (2013-01-15): Apache Cordova, the open-source offspring of PhoneGap, might also be worth looking at.

Let's see if I ever get the chance to try some of these tools. After reading all of this, I would guess that developing my friend's app this way would be far cheaper, maybe something like 5,000 € (including the backend), whereas the 35,000 € mentioned above were calculated for just the (native) app itself.

I need to stop now, since I actually need to put some time into my current project instead of just getting excited about something that I'll (sadly) maybe never use.

Happy Hacking!

Applying CodeIgniter Modular Separation / HMVC 5.4 on an existing project with a custom core controller

For my current job at the University of Kassel, I am modularizing an existing PHP project that uses the CodeIgniter framework (which I like very much, by the way).

I found this very helpful "extension" to CodeIgniter, called "Modular Extensions - HMVC version 5.4", whose documentation is a little chaotic and incomplete.

One problem that I stumbled upon: we had created our own core controller, so our controllers do not extend CI_Controller but our own controller (which is called MY_Controller in most setups). BUT: we had set $config['subclass_prefix'] to something like 'OwnPrefix_'. I thought the whole extension would not work with that, but it turns out you only have to rename the two files MY_Router.php and MY_Loader.php in application/core/ from the 'MY_' prefix to your own prefix (and the class names inside them accordingly, since CodeIgniter instantiates the class by that name: OwnPrefix_Router, OwnPrefix_Loader).

Then I had my OwnPrefix_Controller extend MX_Controller, and everything seems to work so far!