Sysadmins of the North, a technical blog in English and Dutch

Sometimes it’s useful to know how to replace some content in your MySQL database in bulk using REPLACE(). MySQL’s string function REPLACE returns the string str with all occurrences of the string from_str replaced by the string to_str. REPLACE() performs a case-sensitive match when searching for from_str: REPLACE(str,from_str,to_str).

Replacing strings in MySQL is useful in many situations. One use case: a WordPress blog had some bad hrefs in its content (MySQL table wp_posts). This can be fixed by executing a MySQL UPDATE search and replace on all posts:


In my routine, I occasionally have to start multiple website application pools when they are in a stopped state, on more than one web server. Being a lazy system administrator, I find it too much work to log on to every server. Therefore I start those application pools in a loop. A condition for me to start application pools is that the application pool autostart parameter is set to true. This is because I set autostart to false when I disable hacked websites, and those application pools may not be started until all problems are resolved, of course. To start application pools, I use the AppCmd command.

Utilizing AppCmd with a CMD shell FOR loop, it is very easy to start all application pools matching this condition, on multiple web servers at once. All you need is a text file to list your server hostnames in.


Just a quickie: to change WordPress’ stylesheet URI, for example to offload some static content, place the following in your theme's functions.php file:

add_filter('stylesheet_uri', 'change_css');
// Return the URI from which the theme's style.css should be loaded.
function change_css() {
  return "[theme_name]/style.css";
}

Now your theme’s style.css will be loaded from a subdomain or hostheader called This can improve overall website performance.

Website uptime and availability are important: you want your website to be online at all times, and when it is down, you want to be informed about the downtime. The following PHP function checks whether a website is available or not. It uses PHP cURL (Client URL Library). This function takes a domain name as input parameter and outputs TRUE or FALSE (for available or unavailable), depending on the returned HTTP status code.

As you know, HTTP 200 means OK and 304 Not Modified. Those are the status codes we are looking for.


The Internet Storm Center (ISC) InfoSec Handlers Diary Blog writes about a recent -significant- increase in both scanning for 1900/UDP and a huge increase of 1900/UDP being used for amplified reflective DDOS attacks.

1900/UDP is the Simple Service Discovery Protocol (SSDP) which is a part of Universal Plug and Play (UPnP). The limited information available to me indicates that the majority of the devices that are being used in these DDOS attacks are DLink routers, and some other devices, most likely unpatched or unpatchable and vulnerable to the UPnP flaws announced by HD Moore in January of 2013.


This post contains information on vulnerabilities for 7 (at least somewhat) popular WordPress plugins. All of these vulnerabilities were trivial to discover (and are trivial to fix). The state of WordPress plugin security is very sad indeed. None of the developers were contacted in advance of this post (except where otherwise noted). Additional vulnerabilities will be posted as time permits.


Security Sucks writes about an interesting way to exploit PHP’s mail() function for remote code execution. Apparently, if you are able to control the 5th parameter of the mail() function ($options), you have the opportunity to execute arbitrary commands.

As with other PHP vulnerabilities, like bypassing PHP’s strcmp() function or phpinfo() type confusion, they are -often- only possible under rare circumstances. Nevertheless, as always it is very important to check your PHP code for this PHP mail() remote code execution vulnerability.

Verify and make sure your code is not vulnerable:

grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *

For this mail() remote code execution to work, a malicious user has to be able to control what goes into the 5th parameter. For example through not properly validated email forms.
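One way to keep a form-supplied address from carrying extra options into the fifth argument is a strict allowlist check before the value is used. This is an added example, not code from the original post; envelope_sender_arg() and send_contact_mail() are hypothetical helpers, and the use of sendmail's -f (envelope sender) option as the fifth argument is an assumption about how the form code calls mail().

```php
<?php
// Added example: validate a form-supplied sender before it reaches mail()'s
// fifth argument. Both functions are hypothetical helpers, not PHP built-ins.

function envelope_sender_arg(string $address): ?string
{
    // Deliberately stricter than RFC 5322: no quotes, whitespace or control
    // characters, so the value cannot smuggle additional command-line options.
    // \A and \z anchor the whole string (a trailing newline is not accepted).
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/';
    if (strlen($address) > 254 || preg_match($pattern, $address) !== 1) {
        return null;
    }
    return '-f' . $address;
}

function send_contact_mail(string $to, string $subject, string $body, string $from): bool
{
    $fifth = envelope_sender_arg($from);
    if ($fifth === null) {
        return false; // refuse to send rather than pass unchecked input along
    }
    // $from passed the allowlist, so it contains no CR/LF and is also safe
    // to place in a header line.
    return mail($to, $subject, $body, 'From: ' . $from, $fifth);
}

// Constructed sample inputs, as they might arrive from a contact form.
$samples = [
    'visitor@example.com',
    'visitor@example.com -someflag value',   // extra option appended
    "visitor@example.com\nBcc: x@example.org", // header injection attempt
    '"quoted local part"@example.com',       // RFC-valid, rejected on purpose
];

foreach ($samples as $input) {
    $result = envelope_sender_arg($input);
    printf("%-45s %s\n", json_encode($input), $result === null ? 'rejected' : 'accepted');
}
```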

E-Book Gallery for Microsoft Technologies, free content for Azure, ASP.NET, Office, SQL Server, SharePoint Server and other Microsoft technologies in e-book formats. Reference, guide, and step-by-step information are all available. All the e-books are free. New books will be posted as they become available.


This is a somewhat older article by Stefan Esser, which I didn’t want to keep from you. During the development of a new Suhosin version, he and his team found a phpinfo() type confusion vulnerability. The information leak even allows a PHP script to steal the private SSL key.


DefenseCode‘s Leon Juranic released an article explaining an old-school hacking technique: Unix wildcard poisoning attacks. No ASLR bypass, ROP exploits or 0day remote kernel exploits, but if you wonder how basic Unix tools like ‘tar’, ‘chmod’ or ‘chown’ can lead to full system compromise, keep on reading.

Currently, the default PHP version for Microsoft’s IIS Express and WebMatrix 3 is PHP 5.5.11, which is good because it is 5.5.x. Sometimes you may need to upgrade or even downgrade the PHP version available in IIS Express/WebMatrix 3, for example if you have to match your development environment to your web hosting production environment, or if you want to use OPCache and/or WinCache.

The PHP modules OPCache and WinCache are PHP accelerators, used to cache PHP bytecode (the compiled version of the PHP script) and decrease CPU usage.

Even using the command line, with AppCmd, it is still pretty easy to install a custom PHP version in IIS Express and WebMatrix 3. Here is how.


Increased SQL injection activity: For a week or so, I have noticed a huge increase in SQL injection attacks on various websites. Anyone else seeing the same SQL injection attacks lately? On various websites/databases, for example (some information redacted):

SELECT * FROM Figures WHERE tPath='1' and(SeLeCt 1 FrOm(SeLeCt count(*),CoNcAt((SeLeCt(SeLeCt CoNcAt(char(33,126,33),LoAd_fIlE(0x2f6574632f706173737764),char(33,126,33))) FrOm information_schema.TaBlEs LiMiT 0,1),floor(rand(0)*2))x FrOm information_schema.TaBlEs GrOuP By x)a) and '1'='1' ORDER BY ID_Figures DESC;
SELECT cnt_id, cnt_title, cnt_title_link, cnt_plaats, cnt_meta, cnt_content1, cnt_Publish, cnt_date_insert, cnt_laatste_bewerkt, keuze_afbeelding, Bnr_Visible_from, Bnr_Visible_till, Bnr_Visible_Unlimited FROM tbl_content WHERE Foobar and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from `information_schema`.columns where table_schema=0x696E666F726D6174696F6E5F736368656D61 and table_name=0x494E4E4F44425F4255464645525F504147455F4C5255 limit 12,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1 = 1 and cnt_Publish = 1 and ('2014-08-07 10:51:21' Between Bnr_Visible_from And Bnr_Visible_till or Bnr_Visible_Unlimited = 1) ORDER BY cnt_date_insert DESC LIMIT 0, 1;
SELECT * FROM course_offerings where courseID = '54' AnD sLeep(3) ANd '1';
SELECT * FROM course_offerings where ((courseTitle = '54' AnD sLeep(3) ANd '1') AND (courseType = 2));
SELECT page_content FROM pages WHERE page_name = 'weblog_en' AND SLEEP(3) oRDeR BY 1 #';

The sleep(3) in these SQL injection attacks (attempts) can be very nasty and can lead to MySQL sleep() attacks causing website and backend database-server Denial-of-Service (DoS) attacks. This is something I’ve described earlier.

Therefore, to prevent SQL injection, it is very important to validate user-supplied input in your PHP, classic ASP, Perl and ASP.NET code! For PHP, use mysqli or PHP Data Objects (PDO) to prepare SQL statements. With classic ASP, use the ADODB.Command object to prepare statements.
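The validation and prepared-statement advice above, applied to the course_offerings queries from the log, as an added example that is not code from the original post. The in-memory SQLite database, the table contents and the find_course()/find_by_title() helpers are assumptions made so the script runs offline; the prepare/bind/execute calls are the same with a mysql: DSN.

```php
<?php
// Added example: input validation plus PDO parameter binding.
// SQLite in memory stands in for MySQL here (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also let the server prepare the statement:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table, named after the one in the logged queries.
$pdo->exec('CREATE TABLE course_offerings (courseID INTEGER, courseTitle TEXT)');
$pdo->exec("INSERT INTO course_offerings VALUES (54, 'Constructed sample course')");

function find_course(PDO $pdo, string $courseId): array
{
    // Validate first: courseID is numeric, so anything else is rejected
    // before a query is even built.
    if (!ctype_digit($courseId)) {
        return [];
    }
    // Bind the value; it never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT courseID, courseTitle FROM course_offerings WHERE courseID = :id'
    );
    $stmt->bindValue(':id', (int) $courseId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function find_by_title(PDO $pdo, string $title): array
{
    // Free-text column: type validation is not possible, so binding alone
    // must keep the input out of the statement.
    $stmt = $pdo->prepare('SELECT courseID FROM course_offerings WHERE courseTitle = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input value as it appears inside the logged query above.
$logged = "54' AnD sLeep(3) ANd '1";

printf("valid id:            %d row(s)\n", count(find_course($pdo, '54')));
printf("logged value as id:  %d row(s)\n", count(find_course($pdo, $logged)));
// Bound as a parameter, the logged value is compared as a literal string.
printf("logged value, title: %d row(s)\n", count(find_by_title($pdo, $logged)));
```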

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.


The other day I noticed several hung queries (SELECT statements) on one of the MySQL database servers I administer. All hung queries had in common that they were running for a very long time, and mysqladmin processlist -v showed a sleep() command in the query. Given the casing of the command (SLeeP) this was obviously done by an SQL injection tool of some kind. I could simply kill the MySQL queries and threads and be done with it, but I also wanted to be sure this MySQL sleep() attack couldn’t happen again.


SMTP and TLS with WordPress, by overriding the function wp_mail() and utilizing the PHPMailer class.

I was surprised WordPress is not able to send email using an SMTP server out-of-the-box. Not to mention using TLS transport for security. A quick Google search showed me multiple plugins to handle this. Hence, everything is handled through plugins in WordPress… Need to optimize your website? Use plugin x. Want a more secure WordPress? Use plugin y.

I haven’t checked how other plugins work, but I was sure that I wouldn’t want my SMTP credentials to be stored in the MySQL database. My thought was that storing the SMTP credentials in the wp-config.php file might be better. I decided to try something, and it turns out to be pretty easy! Just follow the next few steps and you’ll send emails from WordPress using authenticated SMTP (SMTP AUTH) over a StartTLS/TLS secured connection.


About Sysadmins of the North

Hi and welcome to Sysadmins of the North!
Sysadmins of the North is just another technical blog. Just like so many others out there. Most posts are written in English, some in Dutch. On you can find all kinds of computer, server, web, sysadmin, database and security related stuff.

About me: My name is Jan Reilink. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing his daily thing at Vevida Services in the Netherlands. Living in the north of the Netherlands, so hence the name Sysadmins of the North :-)
Drop me a comment somewhere or send an email to say hi, or discuss about security, website or WordPress, performance, Windows or IIS topics.




The Sysadmins of the North network

Just for the fun of it, Sysadmins of the North is hosted on multiple servers:

  1. one (shared) Windows Server 2012, IIS 8.0 webserver running PHP 5.5
  2. one (shared) MySQL database server, running MariaDB 5.5
  3. one Varnish Cache HTTP reverse proxy with Nginx Droplet, for offloaded static content, running Debian 7.0 @ DigitalOcean
Copyright © 2007-2014 . Design by OrangeIdea