Keep your phpMyAdmin installations up to date!

One of our customers is running an old, but stable ;-) Ubuntu Dapper Server that recently got hacked.
The whole system acted totally normal, except for the fact that it ran ssh brute force attacks against several randomly chosen remote servers. So what happened?

The attacker used a vulnerability in phpMyAdmin, which once had been installed, used one or two times, and then forgotten (version 2.10.xx or so). Sadly enough, whoever installed phpMyAdmin did not remove the setup.php file (which you are encouraged to do in the readme). This setup.php was the attacker’s starting point. He/she injected an ssh client running as root in /tmp/dd_ssh that started about 100 child processes.

What I did was the following:

  • Removed phpMyAdmin
  • Removed all suspicious files in /tmp
  • Restarted the network interfaces
  • Changed all user passwords
  • Installed fail2ban
  • Changed /tmp to be non-executable

So my suggestions for today:

  • Keep your phpMyAdmin up to date
  • Search for installations on all your servers NOW! ;-)
  • Do NOT install in a folder named “phpmyadmin”, “sqladmin” or similar. Use a non-guessable name.
  • Protect it at least using htaccess
  • Last but not least: if you can access your server via ssh, there’s no need for phpMyAdmin. Set up an ssh tunnel, use your favourite MySQL GUI, and bingo, you’re safe.
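
To act on the two points above (search every server for forgotten installs, and make sure setup.php is gone), here is an added audit script that is not part of the original post. It assumes a phpMyAdmin README that names the product and carries a "Version x.y.z" line, and that the setup script sits at scripts/setup.php, setup.php or setup/index.php; the sample directory tree at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): walk a web root, list every
# directory that looks like a phpMyAdmin install, report the version named in
# its README, and flag any copy that still ships a setup script. Assumptions:
# the README contains "phpMyAdmin" and a "Version x.y.z" line; the setup
# script lives at scripts/setup.php (2.x), setup.php or setup/index.php.

# pma_check_dir DIR: prints "DIR<TAB>version<TAB>status"; returns 1 if a
# setup script is still present, 0 if it has been removed.
pma_check_dir() {
    dir=$1
    version=$(cat "$dir"/README* 2>/dev/null \
        | grep -oE 'Version [0-9]+(\.[0-9]+)+' | head -n 1)
    [ -n "$version" ] || version="Version unknown"
    status="setup script removed"
    rc=0
    for s in "$dir/scripts/setup.php" "$dir/setup.php" "$dir/setup/index.php"; do
        if [ -e "$s" ]; then
            status="SETUP SCRIPT PRESENT: $s"
            rc=1
            break
        fi
    done
    printf '%s\t%s\t%s\n' "$dir" "$version" "$status"
    return $rc
}

# pma_audit WEBROOT: checks every suspected install below WEBROOT (any
# README naming phpMyAdmin); returns 1 if any of them still has a setup script.
pma_audit() {
    out=$(find "$1" -type f -name 'README*' 2>/dev/null | sort \
        | while IFS= read -r readme; do
            grep -qi 'phpMyAdmin' "$readme" || continue
            pma_check_dir "$(dirname "$readme")"
        done)
    [ -n "$out" ] && printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -q 'SETUP SCRIPT PRESENT'
}

# Constructed sample tree (not a real server): one forgotten 2.10-era copy in a
# guessable folder with scripts/setup.php left behind, one cleaned-up copy.
pma_demo_root=$(mktemp -d)
mkdir -p "$pma_demo_root/phpmyadmin/scripts" "$pma_demo_root/x7q2"
printf 'phpMyAdmin - Version 2.10.3\n' > "$pma_demo_root/phpmyadmin/README"
: > "$pma_demo_root/phpmyadmin/scripts/setup.php"
printf 'phpMyAdmin - Version 3.3.5\n' > "$pma_demo_root/x7q2/README"

pma_audit "$pma_demo_root" || echo "ACTION REQUIRED: remove the setup script(s) listed above"
```

Run it as `pma_audit /var/www` (or whatever your web root is) from cron and alert on a non-zero exit; the version column tells you which copies are due for an update.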

cf.Objective(ANZ) 2010 update

When I posted about cf.Objective(ANZ) 2010 in Melbourne (November 18-19 2010) the other week we had just put registration live and the first batch of speakers online. Just a few days later and there’s already so much more:

  • 18 confirmed speakers (and just a few more to come – stay tuned)
  • 16 confirmed sessions
  • 3 full-day workshops on the day before the conference starts (Wednesday, November 17 2010)

The final agenda will comprise way more than 20 sessions by leading industry-experts over two days – it’s a must for every CF developer in AU/NZ. It’s going to be awesome, join the crowd.

My personal #1 bug fix in ColdFusion 9.0.1 is in the Admin API

That might sound weird to everyone looking at the awesome list of new stuff in the ColdFusion 9.0.1 updater that Adobe has released just this week. But let me tell you what that #1 bug fix is and why it makes the life of my clients so much easier.

As I said, it’s in the Admin API and it’s about the trusted cache. This is a feature that helps to increase the performance of your ColdFusion application: it basically tells the CF server not to check for a changed/updated .cfm or .cfc file when serving a request, but to just go with the currently used Java class the CF server knows about. You can “clear” the trusted cache from the ColdFusion administrator manually, restart your CF server, or use the Admin API to clear a file or a list of files from the trusted cache (clearTrustedCache() in runtime.cfc).

The client runs a fairly large CF cluster under reasonably high load and, as part of the deployment process of new files, the trusted cache is cleared for those files across all cluster nodes, making use of the Admin API. That worked well so far, but had one flaw (bug #82214): in cases where a file was actually deleted from the file system in a new build/release (or just moved), the Admin API didn’t allow us to remove the file from the trusted cache, but bombed with an error message bubbling up from the Java core that the file couldn’t be found. It should rather check for the existence of the file in the cache instead.

As a result, even though a.cfm was deleted in the filesystem, one could still call and execute it unless we cleared the whole cache for that cluster node or created a literally empty file a.cfm that doesn’t do anything and reset the trusted cache with said empty a.cfm. Clearing the whole cache as a work-around is fair enough, but is obviously an unnecessary performance hit. With CF 9.0.1 this issue is fixed, yay. You can now delete a file from the trusted cache even though it doesn’t exist in the filesystem anymore. It’s a tiny fix, but it really makes the life of that client much easier.

My new desk: awesome laptop and monitor stands for Macbook Pro

Well, it’s technically not a new desk, but rather a new desk/workstation layout. Thomas from World Sweet World, a friend of mine, is very talented when it comes to crafts, working with wood, renovating and building furniture and so much more. About three years ago, I saw an awesome laptop stand for his MacBook Pro in his office and I wanted one. As it usually happens – he didn’t have the time to make me one at the time, we forgot about it etc. :-)

But now – the topic recently crept up again and yesterday I picked up my new laptop stand (and the corresponding monitor stand). This is the “before” photo of my desk:

It could certainly be worse – it was still not good though. The desk is full of stuff, the laptop is obviously way too low, etc. Now let’s have a look at the new layout:

Wow – screens on the same height, lots of cables gone, the permanent external hard drive is below the stand, so are my two mobiles hooked into USB for charging. Here’s the laptop stand a bit closer:

Solid craftsmanship, yay. What you can’t see btw is that the angled surface the laptop sits on has a built-in ventilation system, great for a Macbook Pro… It looks great and it’s just awesome! Thx so much Thomas (and make sure to follow the World Sweet World blog if you’re interested in DIY/MIY)

Flex 4 for ColdFusion developers (and others) at cf.Objective(ANZ)

cf.Objective(ANZ) 2010 will for the first time offer full-day workshops on the day before the actual conference. I’m going to offer a full-day training titled “Flex 4 for ColdFusion developers”. Unlike other Flex 4 one-day trainings or introductions, this one will focus on the special needs of CF folks either coming new into Flex or wanting to learn more about the specifics of integrating Flex apps with ColdFusion. I’m not saying that it won’t be interesting for non-CF developers though, as a lot of the tasks CF developers have to deal with apply to other technologies as well (maybe slightly varied).

Here’s my abstract/proposal, any feedback or suggestions are very appreciated:
A lot of server- and client-side web developers are interested in making the leap towards using a Rich Client technology like Adobe’s Flash or Flex. This workshop will help you to get you up to speed with Flex and will put a strong focus on integrating Flex applications with Adobe ColdFusion.

During the first half of the day we’ll introduce the basics of Flex, discuss MXML and ActionScript and certain elements of the Flex component library. We will discuss event handling, basic skinning in Flex 4 and build a straightforward Flex application following the Model-View-Controller pattern.

The second half of the day will focus on integrating with backends and data, in particular ColdFusion. We are going to discuss HTTP and XML Web services as well as AMF-based remoting and using CFCs as backend business and data access logic. We’re also going to have a look at the integrated BlazeDS engine in CF 9 and will look into ways to speed up your development process with using Flash Builder and its data wizards.

Also covered: XML configuration files for Flex in CF and setting up custom channels and adapters to make your development and deployment processes quicker and more flexible.

The training/workshop day is not part of the conference ticket, i.e. it has to be paid for separately. The early bird price for the workshop is AU$ 295 (until August 31 2010), the regular price from September 1 on is AU$ 395. You can obviously book the workshop without attending the main conference if you just want to attend the training. The minimum number of attendees needed to run this training is three – if you want to help make it happen, register now!

Note that there are two more and also very interesting workshops available:

Justin McLean is running a day of Arduino goodness (Hands-on Arduino workshop with ColdFusion and Flex) and Charlie Arehart will teach you how to deal with CF performance and reliability issues in his “CF911” session.

Registration is open now – start the booking process here.

How to fix arbitrary error when mounting Windows drives via Samba in OSX

Even though I’m a convinced OS X / Mac user when it comes to my development machines, sometimes I unfortunately have to connect to, or rather mount, Windows shares via Samba. That could be a remote Windows server at the client’s end that I’m connecting to via VPN, or just a share in a virtual machine in VMware Fusion on my Mac.

Sometimes though, unmounting the share/drive in Finder leads to a weird scenario: it unmounts fine, but when I try again to mount the same or a different drive via Samba, I get a totally arbitrary error message saying nothing but “please check the IP address, bla bla bla”. Obviously the IP address is fine, and rebooting the VM doesn’t help either.

The log files show something like:

<timestamp> /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent[54255] Enumerate shares failed!: syserr = Operation timed out

You’ve got two options here – reboot your Mac (annoying) or enter the world of Terminal.app and run either:

killall NetAuthAgent

or

kill -9 <processID>

(you might need to do this as a super user depending on your setup)

After that – you’ll be able to hook up to Samba shares again just fine.

ColdFusion 9.0.1 – yay!

This morning, Adobe has released an update for ColdFusion 9 – ColdFusion 9.0.1. I’m very happy about the final release of updater 1 as it doesn’t just contain a lot of bug fixes but also a whole bunch of new and/or improved features. There’s a lot of improvement in ColdFusion’s ORM, but also in the caching. You can find a more detailed overview in Ray Camden’s blog post on CF 9.0.1.

Here are some useful links and additional information:

Download of CF 9.0.1

Dreamweaver Extensions for CF 9.0.1 and additional installers (LC DS, SOLR, .NET Integration)

Release Notes CF 9.0.1

What’s new in CF 9.0.1 (PDF)
