Hacker in the Wild

16 October 2014

Traffic Bots.

In my last installment of Bot fighting I was tracking down a bot style that was placed onto servers that where then used to spread SPAM. Today I'll talk about a slightly different bot, web traffic bots.

This is kind of what the google and yahoo spiders of old use to be, programs that would scrape your site for key words and the like. Not we all like these because they give us legit hits to our web sites, but these spiders aren't all that friendly.

Semalt.com hits.

If first found out about these bot when this showed up in my Apache server log files.

201.50.251.78 - - [18/Sep/2014:10:47:06 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

89.154.210.157 - - [21/Sep/2014:05:16:27 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

201.34.81.160 - - [22/Sep/2014:05:37:09 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

189.46.62.91 - - [22/Sep/2014:18:44:26 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

96.245.234.41 - - [23/Sep/2014:10:28:52 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

189.75.142.7 - - [23/Sep/2014:13:30:36 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

187.113.82.65 - - [28/Sep/2014:07:19:14 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

177.10.198.243 - - [28/Sep/2014:12:29:53 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

188.153.203.167 - - [29/Sep/2014:04:41:00 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

84.240.35.233 - - [29/Sep/2014:15:15:12 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

187.41.170.68 - - [30/Sep/2014:08:39:03 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

79.40.98.43 - - [30/Sep/2014:09:03:43 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

186.233.117.92 - - [01/Oct/2014:09:28:48 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

201.95.200.9 - - [03/Oct/2014:12:16:13 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

201.217.47.207 - - [03/Oct/2014:15:35:10 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

188.250.87.122 - - [05/Oct/2014:07:02:08 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

200.131.62.31 - - [07/Oct/2014:04:45:57 -0700] "GET / HTTP/1.0" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

179.252.38.142 - - [07/Oct/2014:06:28:36 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

177.104.209.216 - - [10/Oct/2014:08:24:27 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

177.135.177.50 - - [10/Oct/2014:13:37:12 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

190.83.233.158 - - [10/Oct/2014:16:49:57 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

2.150.32.8 - - [11/Oct/2014:05:41:54 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

201.34.219.216 - - [13/Oct/2014:17:01:59 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

187.10.159.143 - - [14/Oct/2014:16:48:03 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

186.215.131.42 - - [15/Oct/2014:10:00:38 -0700] "GET / HTTP/1.1" 200 11590 "http://semalt.semalt.com/crawler.php?u=http://kd7dmp.net" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"

Now as you can they are all coming from different addresses, and when I did some digging on these address they where all residential fixed line or Moble ISP IP most of them coming out of Brazil. I thought this was very and seemed much like a bot attack. So I followed the link.

This sure looked a bit shady.....no info about the company and a page source code filled with data collecting java scripts.

So I did some more digging on Google and was surprised to find a very active account proclaiming to be the manager of the company. Some more queries and digging I found people all over reporting their stats being messed up by very large numbers of hits proclaiming to be references from this site. But those complaining had not paid for this service. Most of these where responded to by the manager sending them to links or vague treatments. See below with my Tiwtter feed about this.

The official Nataliya linked me to a page basically saying, "hey man this is the net, deal with it." But I would ask you to go look at it your self and make a judgement.

http://semalt.com/project_crawler.php

I went ahead a filled out the form on this page for one of my sites and I haven't seem the bots for a bit now, but that is only one day.

When Google says bad things about you.

With some more digging on Google I found several reports on Semalt being connected to a malware in a software called Soundfrost. Links to these article below, as they do a great job covering this.

http://blog.nabble.nl/post/93306955157/semalt-infecting-computers-to-spam-the-web

http://blog.nabble.nl/post/93407897762/semalt-soundfrost-caught-spying

Then more I dug into Google the worse it looked. I found out that the area of the world where Soundfrost was most used..... wait for it.... Brazil.

The hard facts.

So with all this in mind I went about proving this my self. Because.... why not!?

I used VMplayer and installed windows XP SP3 on it. On my main system I was running wireshark monitoring all the traffic from the VMPlayer's emulated NIC. I then went on to find a copy of Soundfrost to see what would happen.

Going to soundfrost.org I was able to download a copy, and nothing happened. It seem this copy didn't have the malware on it.

So I then went to http://soundfrost.en.softonic.com/ and found another copy of the software, this was infected and started talking to the mother ship right away.

After a bit of digging I found the proof I was looking for.

As you can see from the screenshot the same traffic I saw on my web server my honeypot VMplayer was sending to another server. So, how does it work? I only have part of it figured part of it out and hope to get some more info as time goes on.

How site hits work.

There are two programs that seem to do the most communicating, the Controlagent.exe and the ControlContent.exe. Both start out by connecting to soundfrost.com. The controlcontent.exe did a GET request for updates and keep getting a 0 back. The Controlagent.exe seem to do most of the work on this time around.

First it would set a GET request out to soundfrost.com/get_link.php, Then it got a error 302, and redirected to server19.soundfrost.com. Here it was sent a link like this.

http://semalt.semalt.com/semalt.php?u=http://ozzibylittlelotus.com

Then It would follow this link, and get something like this back.

<html>

<head>

window.onload = function() {

var myEvt = document.createEvent('MouseEvents');

myEvt.initEvent('click', true, true);

document.getElementById('myLink').dispatchEvent(myEvt);

}

</script>

</html>

<body>

<a id="myLink" href="http://semalt.semalt.com/crawler.php?u=http://ozzibylittlelotus.com">Redirecting ...</a>

</body>

</html>

It would then follow this link and get this back.

..<html>

..<head>

..<title>...</title>

..<meta HTTP-EQUIV="Content-Type" content="text/html; charset=windows-1251">

..<script language="JavaScript">

..window.onload = function() {

..var myEvt = document.createEvent('MouseEvents');

..myEvt.initEvent('click', true, true);

..document.getElementById('myLink').dispatchEvent(myEvt);

..}

..</script>

..</html>

..<body>

..<a id="myLink" href="http://ozzibylittlelotus.com">Redirecting ...</a>

..</body>

..</html>

Then it would follow the final link and send the info as we saw up in the wireshark capture.

From playing around with this using curl I was able to figure out that the whole process allows the backend a very simple kind of handshaking with out any sensitive data being passed. So if the semalt.php doesn't get the same URL that get_link.php passed to the bot, it does nothing. And like wise the crawler.php does the same thing.

Now I wasn't able to get curl to work with crawler.php as it seem to be looking at the user agent and doing some kind of Java based redirect to the target site in question.

What's the point?

All in all, I'm not sure what the end goal of this is. It seems like they are making some money with this as I see reports of people using their service, though I don't know what happens after that. Other article I've seen indicate that the company uses artificial "clicks" to boost sites, but then why give that away for free?

On top of this they are using a botnet of a fair size, estimated to be in the 100,000 range.

So with all this why just fake clicks? I don't know yet.

The servers seem to be well locked down, nothing that makes it clear who may be running things behind it all. I have found some links to a Ukrainian company and the Russian search engine Yadex. But the connection to Yadex seems to stop in that they use them for analytic.Any one else that has info on this Please share and so that we can find out more about all of this.

Maybe they are don't have any other plans at all, but they have done a lot of work just to give away fake clicks.....

30 September 2014

RANT!! #TakeBackOurInternet

Today was an other day of Wack-a-mole with tracking down SPAM sources at work. This is not anything out of the norm for the last 3 months, it was the what was comprised that pissed me off.

The first server I took the hammer to was a server out of Brazil, It was trying to crack into the IMAP port on the work email server. This was fixed by a block rule in iptables, but that wasn't enough for me. I track down who own the IP address, it was a medical office in south central Brazil. These fuckers cracked a med server to spread SPAM! One side of me thinks about the loss of time and medical records that could happen and the doctors not able to do there jobs and help people because of this. The other thinks about what they could do selling those records, and if the didn't they are fools! *Lucky for me I lean on the side of the former and think about all the trouble this causes.*
So, like any good hacker I tried to shut down the VNC back door they installed. I think who ever compromised the server saw my attacks and shut the server down. So they just fucked that clinic! Talk about thinking only about your self!
So on top of this I find out that one of my Pod mates who is home schooling her kids can't today because of a DDOS on the home school web site she uses. WHY WOULD YOU DDOS A HOME SCHOOL SITE!?!? I sure it's a similar group to the ones who hand off SPAM to my work server day in and day out.
Of course I couldn't find shit on the attack on the home school site, so I couldn't help in blocking it.

This leads me to my rant, WHY do we need to sit back and let this happen? The tools are out there for even the lowest of tech able people to strike back at these bot nets and stop them from keeping us from our internet. But what stops them from doing this? I'm actually asking this. What do you think would help people fight back? The US Law system does shit for us, the FBI has JUST NOW opened a Malware reporting site that I'm sure will be less then effective. The anti-virus vendors help some, but that is only if you install their product, and that will cause it's own issues. So what is a KISS way to help people protect their systems, and if they want take an active role in fighting back?

I have personally have been reporting SPAM to www.spamcop.net. you just sign up for an account and they do all the work for you. If the network owner/server owner doesn't reply to the report they black list the IP. I also actively scan and do recon on servers and report new patterns here. When I find a server that is just SPAM, I take it down so it can't spread SPAM any more. *Note: I check all WHOIS reports and services on the server before doing this. If you want to do this too, please do you home work first. Don't be an ass and take down someone's work or home server.*

I want to start a movement here, I want to take back OUR INTERNET!
Leave your ideas in the comments and let me know what you think. I hope you can come up with something that can knock these bot nets on their asses and give the people who control them a run for their money.
TAKE BACK OUR INTERNET!!!

Repost this Blog and use #TakeBackOurInternet

22 September 2014

SPAM Bots!!!

About a month ago a large attack was targeted on US server farms from the bot nets. Now this isn't an odd thing in of itself, but the results from it were a bit odd.

The SPAM

So I don't normally see the direct effects of these kinds of attacks as the company I work for is small. But we do see the secondary and tertiary effects of this in the form of SPAM.Our company gets well over 2,000 emails a day, 1,500 of them are SPAM! Most the time my filters block most of these emails, via blacklisting and some content filtering. But after this most recent attack I started seeing a new breed of SPAM. It was walking right through all my filters and took it WEEKS to get black listed. Below is an example of this new SPAM:

Return-Path: <PeterGarcia@cc34b8f738cc4489fda151ad551de4.sortut.com>
X-Original-To: ME
Delivered-To: ME
Received: from cc34b8f738cc4489fda151ad551de4.sortut.com (cc34b8f738cc4489fda151ad551de4.sortut.com [37.156.202.220])
 by ME.MAIL.localhost (ME.MAIL.localhost) with ESMTP id 72A6224FDA
 for <ME>; Thu, 18 Sep 2014 16:36:53 -0700 (PDT)
Message-ID: <Peter.2ac7115c98f53c458ff0cd5b87345e2c@cc34b8f738cc4489fda151ad551de4.sortut.com>
From: Blood Sugar Discovery  <Peter@sortut.com>
To: <ME>
Date: Thu, 18 Sep 2014 16:39:54 -0700
Subject: Info released - 9/18
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Notice - Jeremiahp
Diabetes Cure Alert

- Begin Notice - 

------------------------------------------------
Regain control of Blood Sugar levels. 
- Scientifically Proven
- Turn-around of 3 weeks
------------------------------------------------

Exposed Remedy -> http://www.sortut.com/psa/video/released/dia/assoc.html

- End Notice - 
View Doctor Report: http://www.sortut.com/psa/video/released/dia/assoc.html

stop further diabetes notices - http://www.sortut.com/68i/werg/ju76/wt.sert32
or write - TGI Services
1324 Swan Drive_Bartlesville, Oklahoma 7 4 0 0 6

I've changed the solenoid. My battery has over 12 volts, but will not crank the engine. When I turn the key, I may get one or two halfhearted attempts then nothing. When I charge the battery up to over 13.5 volts, it turns over like nothing is wrong. I've tested the ignition switch and I have continuity, it doesn't read to 000's but it beeps and goes to like 0.26 or so. I've unplugged the wire from the solenoid that comes from the ignition and I get 12.5 volts through there. It's a 4 pole solenoid. I get 12+ volts on the post with the red wire that seems to be connected to the battery. I don't get 12 volts on the starter end. And when I try to crank the engine from the ignition, I don't get 12 volts to the starter. How can I test the wire from the solenoid to the starter? Or is that even an issue? I'm at a loss. Any help will be greatly I have a 'quill' now with a grease fitting on top, however (looking inside it) it has Sealed bearings on both ends, so the grease fitting seems kinda useless on this quill , (I would think anyhow, but correct me if I'm wrong).. 

After your post about the pulley, I did put my dial indicator on today to check more accurately the pulley for run-out, & it has .029" run-out on the outer edge.. 
Hard to see by eye, but it is not as true as I thought.. But being stamped steel, would that be considered TOO much out of true ? No it doesn't sound like much.. But nothing else makes sense.. 
Your advice is Always most appreciated.. Now I have a direction to concentrate on.. I want to check for run-out on that 'quill' (spindle top) to see if it is the pulley or the spindle first.. & then test the other Good side for run-out as well.. If it's the pulley, I could possibly true it to a much better tolerance, or make it much worse.. LOL Time will tell.. I'm a bit reluctant to even touch the good side, that is still the original assembly (over 6 yrs old)..

And as I posted above, the bearings are holding up very well, it is the housing that gets the seats for the bearings beat out.

*Note: I have changed things as to not expose any info about my work, Every thing else is as I received it*

So the odd thing about this email is the last part, It's some text aboooooou a guy fixing his starter. WTF? I saw 24 plus emails like this show in my inbox at work and got reports of people getting these emails as well. I found out that the text at the bottom was scrapped from an open forum. This post is from http://www.hobbytalk.com/bbs1/showthread.php?t=421200, a post made in August this year.  The server hosting the forum was not compromised from what I could tell. So I'm guessing what ever the script was that generated this email used a web crawler to gather this text from open forums. The other emails had every thing from talking about home build airplanes to beauty tips. So it seem to be all over the board. But the oddity did stop there....

The Servers

After seeing so many of these emails getting through I started to dig into this further. I couldn't find any info on this with deep google so I dug in my self. All of direct sources of this SPAM seem to be from servers, either was looked like home run servers or long forgotten servers in datacenters for web hosting.They where a mix of Windows and Linux, about 2/3 of the servers that I tested where running Windows 2008 the rest where running Redhat kernel 2.6.x.

This pattern on its own is not so abnormal, as this is what most of the compromised boxes on the net look like from what I have seen. The bit that was abnormal was how the servers had been changed. Most the Windows servers had a very minimalist SMPT and HTTP server installed. No content on the HTTP, just some way to rediect you to another site. The SMPT server had just about everything disabled. Most of them seem to be some version of PowerMTA, an alternative MTA for windows. The Linux servers had a very limited POSTFIX server.

The HTTP was NGINX that had just about everything turned off on it.

The security on the servers where basic, but enough to keep any random person from getting in. I didn't try too hard to break in to gather more info, this was just the reconnaissance.

The Trap

After looking at the servers I started looking at the "path" that the links would take you. I must give a warring here to any one who wants to try this. Use chorme's incognito tabs for this, doing this out side of a sandbox WILL DAMAGE YOUR SYSTEM!!!

So if you open the link you will find that it just sits there for a few, then pops up with annoying add site. If you grab the site with wget -r you will something like this:

wget -r http://www.sortut.com/psa/video/released/dia/assoc.html

--2014-09-22 10:25:31-- http://www.sortut.com/psa/video/released/dia/assoc.html

Resolving www.sortut.com (www.sortut.com)... 66.172.90.246

Connecting to www.sortut.com (www.sortut.com)|66.172.90.246|:80... connected.

HTTP request sent, awaiting response... 302 Moved Temporarily

Location: http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE [following]

--2014-09-22 10:25:32-- http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE

Resolving affiliate.gosotrack.com (affiliate.gosotrack.com)... 173.230.238.191

Connecting to affiliate.gosotrack.com (affiliate.gosotrack.com)|173.230.238.191|:80... connected.

HTTP request sent, awaiting response... 302 Moved Temporarily

Location: http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162 [following]

--2014-09-22 10:25:32-- http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162

Resolving tracking.routeoffers.com (tracking.routeoffers.com)... 54.183.46.151

Connecting to tracking.routeoffers.com (tracking.routeoffers.com)|54.183.46.151|:80... connected.

HTTP request sent, awaiting response... 302 Moved Temporarily

Location: https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]={trackslug_1}&trackslugs[]={trackslug_2}&trackslugs[]={trackslug_3} [following]

--2014-09-22 10:25:33-- https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]=%7Btrackslug_1%7D&trackslugs[]=%7Btrackslug_2%7D&trackslugs[]=%7Btrackslug_3%7D

Resolving buyglucohealth.com (buyglucohealth.com)... 192.64.176.135

Connecting to buyglucohealth.com (buyglucohealth.com)|192.64.176.135|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: unspecified [text/html]

Saving to: `www.sortut.com/psa/video/released/dia/assoc.html'

[ <=> ] 9,540 --.-K/s in 0.005s

2014-09-22 10:25:34 (1.94 MB/s) - `www.sortut.com/psa/video/released/dia/assoc.html' saved [9540]

FINISHED --2014-09-22 10:25:34--

Total wall clock time: 2.4s

Downloaded: 1 files, 9.3K in 0.005s (1.94 MB/s)

You can see if bounces you around 4 different sites before landing you on the ad site where there are so many trackers and pop ups that it feels like the `90's all over again.

The sites that they are bounced through advertise themselves as "Social networking advertising market places." I haven't dug into this much, but from talking with my friends in the marketing world these would be the companies that promise to get your add more clicks, and thousands of more views. They just leave out that it will be views from very pissed off people or lots of unknowing old people.
The end site you land on seems to be really selling what they are saying they want to sell. Complete with all the info to comply with the CANSPAM act burried under 15 pop ups.

Questions

After all this digging I'm still left with a lot of questions. What connection does these SPAM "sources" have with the attack a month ago, if it has any connection?

What is the backend behind all of these bot servers, what packages are they using and how do they work?

Have the bot herders moved from using personal connections to servers to spread SPAM? or are the personal computers used to attack the servers?

Who is behind the command and control systems of these bot nets?

And how are these advertising "markets" connected with the bot nets?

What companies are using these tickets and how can we shed light on what is really behind this kind of marketing?

In the end I want to try to help with reducing the SPAM on the internet and making network admin's jobs easier around the world. I spend a good 60% of my work day on just SPAM.

If any of you out there have info on this please leave a comment below or give me a shout out on twitter @KD7DMP with your info.

Thanks all, until next time.

10 September 2014

Helpful Telescope Spreadsheets.

I have been into astronomy for... well as long as I can remember really. I think it started when my Dad got me a CAD print out of the space shuttle Columbia, OV-102. This was about the time I was getting into radio as well, and as a 7 year old typed a letter out on a typewriter to NASA asking about their Deep Space Network system. I didn't get much info about the DSN, but I got a ton of images from from Hubble and other deep space probes they had sent out over the years.

Sadly I wasn't really able to do much in the field with it because of a lack of money and my poor understanding of optics at the time. So it just kind of sat in the background, coming out as more of a obsession with all things NASA, ESA, and AMSAT.

This all changed when recently a member of our pod gave me a pair of telescopes she no longer had need for. This got me going viewing celestial object directly again, and after a few viewings of Jupiter and its moons, Saturn and it's Rings, and trying to find Apollo landing sites on the moon I was hooked again!!!

On top of this my cash flow had been increasing due to some contract jobs I was doing and this gave me a chance to improve my equipment. But after looking at what is out there the question was raised, "what do I really need, and what do I really get for this stuff?" OFF TO RESEARCH!!!!

After my optical principle research frenzy I came back with some very good info! Which I was able to distill down into this GDoc Spreadsheet.

Telescope/Eyepiece combo info

The Basics:

Now before you go and run off to look at the spreadsheet, I would like to explain a few things here, just to fill you in on the details.

The basic idea of an optical telescope is that it gathers light from distant sources use its Objective optical device, a parabolic mirror or convexed lense, and focuses that light on to a focal plane. This inverted image of the distance object is then magnified via the eyepiece and then sent to your eye. This basic system allows you see objects that are normally too dim for your eyes to see. Or for objects that you can see, it allows you to resolve more detail on those objects. Now there is a lot of math and such that can get involved here, but I want to start out with the practical details first, then we can get to the meat of it. ;)

Terms:

So lets getting a few terms down before we move forward:

Focal length: Distance between the Objective Optical device and the focal Plane, In millimeters.

Eyepiece Focal length: The distance between the focal plane and the the end element of the eyepiece, in millimeters.

Apparent View: How big the magnified chunk the sky looks to your, in degrees.

Actual view: The chunk of the sky that is being magnified. Most the time measured in Degrees.

Magnification: A relative number that tells you how much more you are seeing then your naked eyes.

Arcseconds: A polar measurement of an area of the sky. one arcsecond=1/3600th of a degree.

The Math:

Now, let dig into to this, first lets hit magnification. To get an idea of magnification we need to know how much you can see with your eye. Most humans have an effective view of view of 114 degrees, or about 410,400 arcseconds of the sky. Reference:Wikipedia:Field_of_view You can resolve down to about 60 arcseconds with your eye, or about 0.016 degrees.Reference: darkskydiary:arcminutes-and-arcseconds

Magnification:

So the idea here is that the telescope should be able to give use some degree more resoultion and hence a small field of view. The math for this is basic, it the focal length of the telescope over the focal eyepiece of the telescope. So you can say that magnification is inversely proportional to focal length of the eyepiece. So if your telescope has a focal length of 1100mm, and you are using a 15mm eyepiece. 1100/15=73.3 But this doesn't really give us much info, how much of the sky can you now see, what kind of resolution can you expect?

Field of View:

Lets now go through the math for figuring out the field of view now. Each eyepiece you buy for you telescope will have a spec called "apparent field of view". This is the field of view that it will magnify the chunk of the sky to so you can see. Because your field of view and resolution of vision is fixed. From this number and the magnification we can figure out the "actual field of view", which is size of the area of the sky you are actually looking at. So if we use our example above we should be able to figure out how much we can see with our 1100mm telescope and 15mm eyepiece. Now, lets assume our eyepiece has a 52 degree apparent field of view. We take this number and divide it by the magnification, in other words our actual field of view is inversely proportional to the magnification. (52/73.3=0.709 degrees) We can convert this into arcseconds to get 2,553.8.

Now, what does this number really mean?? Well we can compare this the apparent diameter of different celestial objects.

Celestial body	Angular diameter	Relative size (10 pixels per arcsecond)
Sun	31.6′ – 32.7′	28.7–29.7 times the maximum value for Venus (orange bar below) / 1896–1962″
Moon	29.3′ – 34.1′	26.6–31.0 times the maximum value for Venus (orange bar below) / 1758–2046″
Venus	9.565″ – 66.012″
Jupiter	29.800″ – 50.115″
Saturn	14.991″ – 20.790″
Mars	3.492″ – 25.113″
Mercury	4.535″ – 13.019″
Uranus	3.340″ – 4.084″
Neptune	2.179″ – 2.373″
Ceres	0.330″ – 0.840″
Vesta	0.20" – 0.64"
Pluto	0.063″ – 0.115″
R Doradus	0.052″ – 0.062″
Betelgeuse	0.049″ – 0.060″
Eris	0.034" – 0.089″
Alphard	0.00909″
Alpha Centauri A	0.007″
Canopus	0.006″
Sirius	0.005936″
Altair	0.003″
Deneb	0.002″
Proxima Centauri	0.001″

Source: Wikipedia:Angular_diameter

So if we compare this to the sun, with an angular diameter of 32.7 arcminutes, or 1,962 arcseconds, we can see our view with this setup will be 1.3 times greater in size. Or to put it a different way, if you centered the sun(while using a sun filter on your telescope, not doing that could damage your eyes) in your telescopes view with the 15mm eyepiece there would be 295.9 arcsecond on each side of the your view. So the sun would fill up a little over half your view.

Now if you tied to look at Pluto, with an apparent diameter of only 0.115 arcseconds you would have a hard time see it as it would only be .004% of your view. That is far below the resolution of the human eye and you would need a shorter focal length eyepiece for that.

How to pick the right eyepiece for the job.

So now that we have some of our basic math down, how do you know which eyepiece to use? We that depends on what you are doing. Using the chart from above you can figure out the size of the object you want to view. If the object is not on the list there are many sites out there that can help you figure out what it's angular diameter is. Once you figure that out, go to the spreadsheet, Telescope/Eyepiece combo info, and fill in the info for the eyepieces you have and your telescope. BINGO, you have the area each of your eyepieces can see! But what if it's not enough? There is a device for that!

The Barlow.

A Barlow is a device that multiples the magnification of you eyepiece. Your place the device in between your eyepiece and your telescope. So if you put it between the 1100mm telescope and our 15mm eyepiece it would be the same as using a 7.5mm eyepiece. Now on the spreadsheet, Telescope/Eyepiece combo info, I have a second sheet that includes a column for a Barlow. Now the effect on the actual view is not proportional to the barlow, so second sheet will help you figure out how much area you can see by putting the Barlow in.

Conclusion.

I hope this post has helped fill in some of the gaps about the practical details of what you need to get a good view of the sky. I also hope the spreadsheet will help speed things up. Now I have filled it in with examples, just replace those with your values.

If you have any questions or comments please leave them below.

I also want to thank Jay Reynolds Freeman for his page http://old.observers.org/beginner/eyepieces.freeman.html

It was the main inspiration for this post and the source of the math in the spreadsheet and this post. He has a lot of good practical info on the page, you should really check it out.

04 September 2014

Things you wouldn't think of as a "hack".

There are many people out there that think you have to know something about coding or electronics to be a hacker. But there are many non-tech ways to hack.
A good example is a guest post my partner Andrea did on Offbeat Home.
Why damaged tablecloths may be the most surprisingly useful item in your home
Here simply simply asking about damaged tablecloths at your local rental store could get you some useful gear.
This is also a great example of look in places that you wouldn't think of looking.
Andrea also found found a good portion of the parts for this DIY thresher.
*soon to come post from Andrea on that*

One of our local scrap places sells these used plastic barrels for $20. I had the steel 75 gallon drum sitting around my farm. The strap was found along the rail road tracks. The motor was sitting in my pole barn, and the better arms where built out of old lumber laying around both of our places.
There are no microcontrollers, no computers at all, just good old fashion farm hacking.

And this is just example of this, there are many many more out there on the net.
So just remember, you don't have to be a tech wizard to be a hacker.

Keep on hack'n!!

19 August 2014

OATS!! Small Scale Harvest, and Processing.

Most people thinking of hacking as longs nights in a dark room in front of computer screens. Or a long day sitting working with oscilloscopes and soldering irons. But in my view that is only part of it, Sometimes hacking looks like this:

Cutting the heads off of the oats for harvest.

According to my Dad this cicle has been the family for over 100 years.
Credit: Andrea Parrish

This what it looks like to harvest oats by hand. Today I'll talk about what I like to call "farm hacking." Farmers have been doing it for ever and I would like to share my modern twist on it.

Why Oats?

So why did I plant oats? Well, for a lot of reasons. In the last few years I opened up more land on my property to farm. I did this for a few reasons, A: I hate grass, B: I wanted my land to be more productive than just some place to dump water and get useless green stuff. So I opened up part of my front yard, and a sizable part of my back yard. That was 8,000 square feet of open land that was just about dead from over farming and too many years of fertilizers. After a year of trying to keep the ground bare, which took lots and lots of hours and didn't work, I figured there had to be a better way. A lot of research I did pointed to cover crops being the best bet. The idea is that no matter what you do, if there is open soil some thing will grow there. So you might as well make sure it's what you want!

I chose oats for a few reason, they are very fast growing and will out compete most everything else. Two, you can eat them! Oats can be used for bread, power bars(in combo with local fruit), beer, cookies, etc,etc. It's a multifunction crop, because I won't have single function things around my house. In combo with the oats I planted two different clover as well. The clover help because when inoculated with rhizobacteria they fix nitrogen into the soil. This helps to rebuild the damage from over farming which depleted the soil. The clover also make from a great smoother crop as it fills in the spaces between the oats, thus keeping weeds down even better. You clover isn't the best to eat, but it will make for a great grass replacement if I don't put oats back into these areas again.

How to do it.

I have to say out of all the crops I have grown this is the easiest to grow. I used a variety of oats call "Viking" which is bred to grow between two and three feet tall. For the clover I planted Duch white, which is a vine clover, and Kenland Red, which is your traditional looking big leaf clover. I used a grass seeder to spread the seed and small scale to measure out the seed. I did 4 pounds of oats for every 1k square feet, .25 pounds of Kenland red per 1k square feet, and .5 pounds of Dutch white per 1k square feet.

My Measuring setup for getting my seeding rate right.
I use the canning jars to hold pre measured amounts of seed for each area.

I then roughly measured out 1,000 square foot blocks in the fields and just started spreading seed. I was able to do this in about a days worth of work without too much trouble. I then took my Dad's tractor with a chain drag behind it to cover the seeds. In the areas that I couldn't get the tractor in I just used a rack to cover the seed. Then I just watered and within 2 weeks I had oat and clover coming up.

Oats and Clover starting to come up.

Credit:Andrea Parrish

Harvest:

I stopped watering when I saw a majority of the oats turning brown from the bottom up. It seem to start at the edges of the field and work it's way in. I figured it was near time because they were turning brown despite water. I then waited about a month before I could harvest. I tested it by chewing on the oat seeds, if they were still soft in the middle, then it was too early. When I was able to get hard seed samples from multiple locations in the field then it was time to go to work.

Now this may have been the easiest to grow, but by far it is the hardest to harvest. I don't have any tractor equipment to harvest oats. Plus many of the fields are too small to get a tractor in so I had to do it all by hand.

Pete cutting down the straw with my Dad's 100+ year old scythe.

Below is a video I took showing the process for all of this.

Results:

After all of that was said and done we found that for the approximate 1,000 square feet we harvested we got about 100 gallons worth of oat heads and top straw. After the processing we got it down to about 10 gallons of oats, or about 40 pounds worth. The seeding rate was 4 pounds per 1,000 square feet, and the yield is 40 pounds per 1,000 square feet. So its a 10 time greater yield, which I'm quite happy about.
In recent days after the first two weekends of work we have had heavy storms and rain come through the area which have put a stop to our harvest. This is because the oats have to be very dry, if they have moisture in them they can start to mold in storage and destroy the crop in the storage container.
For Storage containers I am using 5 gallon buckets with airtight lids, the buckets are then stacked in my basement for storage.

I could not keep doing this without the help of my Pod/Chosen family and friends. Here are some pictures of all the help I've gotten thus far.

Pete and I striping heads off in the living room on old table cloths.

Credit:Andrea Parrish

Friends helping processes oats while I was away on a contract job. <3

Credit:Andrea Parrish

Even the kids get to have fun with it.

Credit: Skullflake Studios

Training.

Credit: Skullflake Studios

Conclusion:

It seems that small scale grain production is doable. It's a great way to keep weeds down, put ground to good use, and have some food security. But it requires a lot of work in the harvest to put it all to use. It is by far something you need a "tribe" to help out with. I am also finding that you are far more at the whim of the weather than with other crops. Over all I think thus far it is well worth the work. I do think it would be best to have oats be part of a crop rotation so that a person can get a range of grains over to time into their stores. All in all, I will see how it works as time moves on.

08 August 2014

PVIR:Solar Power panel using both visible and IR light.

As I've been working on my house power sources are an ever recurring theme. Right now my house is power via the electrical mains from the local power company. I'm luck where I live because power is very cheap, about $.07 USD per Kw/h. But recently we lost power during one of our later summer storms that hit us with 60mph winds. I was able to hook a battery and get things back up, but what if this happens for a long period of time?? How will I recharge my batteries then? Well that is what brought about this project.

This is part of a 4 part project that I will working on between a few other things. I'll have some blog post up about the other 3 parts later on this month. The other parts being: The battery Bank, The wind turbine, and the Rectifier system. I hope also to build a control for the whole system but I'm not sure when that will come. The idea behind all of this is to build a system that will have multiple ways of charging my battery backups so that I will also have some kind of power source no matter what happens to the mains. I hope that down the line I'll be able to build a grid tie in system and sell power back to the system, but the cost of those systems are quite high now.

So this part the project will be like a Solar panel PLUS!!! But before I geek out too much, lets get into some theory first.

Theory of Solar Panel Operation

So the way that Solar Panels, or Photovoltaic cells, work is wonderfully simple. A photon of 1100mn or shorter in wavelength hit a silicon molecule. This excites one of the electrons in the valence shell of the atom which bumps it up an orbit. This causes a potential difference in the doped silicon which will give you the ability to charge batteries or power a device with enough of it. Now there are a few shortcomings of this system. First any and all wavelengths longer than 1100 nm are just absorbed by the device and converted into heat. As we move to shorter wavelengths than 1100 nm less and less of photons energy is used to create current, so that excess energy also goes into heating the device. So there is a whole lot of heating going on, unless you are only getting 1100 nm wavelength of light.

So, lets put this into some more practical info, shale we?

Source:http://www.viridiansolar.co.uk/Solar_Energy_Guide_5_2.htm

The above figure gives you a rough breakdown of the spectrum emitted from our star. Peaking around 550 nm or and tapering off from there. Keep in mind that IR is 700 nm and longer, Visible is 700 nm to about 400 nm. UV is about 400 nm and short in wavelength. Now as you can see from the figure a fair portion of this spectrum is absorbed by our atmosphere. Via that you can see the spectral lines for H20, O2, N, and CO2. The green section is the section which we want to look at, this is the septicum which with work with silicon PV cells. Everything else that hits our panel with be converted into heat!

On top of this we will need a transparent material to allow photons of different wavelengths through to our PV cells but keep rain and such out. Luck for us most polycarbonate transparent materials will do the trick.

Source:http://www.plasticgenius.com/2011/05/infrared-and-ultraviolet-transmission.html

We can see here that the bandpass of Makrolon is from about 400nm to about 1700nm. This is plenty to help our panel work. (Note:Lexen and other polycarbonate materials should have a bandpass about like this.)

But we run into a problem, what do we do with all the energy the PV cell can't convert to current??

Converting IR to Current:

After look at the info above I've guessing it's quite clear that PV cells are not the most efficient power source in the world. In fact the ideal PV cell can only convert 31% of the photons that hit it into current. The remaining 69% will just heat things up. Now there isn't much out there yet in production that is a "solar cell for UV", yet! There are a few things still in testing that may fix this problem later. But until that point we are left just letting the 400nm+ spectrum to hit our devices and heat them up.

Now we do have some options for using all of that radiation below 1100nm coming off the sun and our devices. Heat has for a long time been used to produce power one way or the other, and this is where will with add the "IR" to our "PVIR" panel.

The most well known way to convert IR into current without any moving parts is with a peltier diode pack. These devices are used to both generate current as well as sense thermal shifts. The way this works is as the temperature shifts the forward voltage for the diode changes. The benefit of this is that if you heat one side up and cool off the other it will create current.

The other way we can create some current from our IR is to use the heat to move other things, like air, or steam. By making sure the area behind the PV cells will absorb as much IR as it can we will be able to transfer that energy into water. This can be via mount the PV cells onto a thermally conductive pad, like sil-pad, then mounting this on to a copper plate. You can then solder copper pipes to the back of the plate. The water running through the pipes will heat up and this heat change can be used create steam.(Note: Not test yet!)

Another way would be to heat air up in the are behind the PV cells, this air would then rise through a vent which could have "wind turbine" on the opening. This would then spin to give us some more current.
The water idea can also be used with our Peltier diode packs, attaching one side to the PV Cell copper plate/heatsink and the other side to a copper block soldered to the water in take we will create a thermal difference. This could also work by using the air intake as a cooler as well.

The PV Cells:

Now this is where things get a bit confusing. Data on PV cells can be a bit flaky, at best. In my search for cheap cells I found a few good deals, with ZERO documentation! So I'm going to have to wing this a bit and hope I can figure out some better specs as I go.

Most solar cells have ratings such as this:

Source:www.spectrolab.com/DataSheets/SJCell/sj.pdf

These are the specs for 7cm x 7cm high output cells. These guys are a bit price and not what we will be working with, but they are the best datasheet I could find.

Here you can see our current/voltage, Efficiency/wavelength, and the specs of open and short circuit voltage/current. We also have the temp coefficients which will tell use how the out put will change over a range of temps. Based on most the data I have seen the current/voltage is very standard as well as the efficiency/wavelength. Also the open circuit, closed circuit data seems very standard as well. But I couldn't find much info on how the output of the panels changed over a temperature range. I found some sources that state it change up to 33% between 0C and 75C.(Source:jeldev.org/9Tayyan.pdf) Now this is a very extreme shift in temperature, but it gives you some idea of how what your PV cells will be doing over days and year.

From talking to many people who have built panels before as well as some info on google it seems the standard is 36 cells to charge a 12VDC battery system. Now I questioned this as most sites show 0.5VDC as the Avg voltage for a cell. Well for the above cell that would be right, but now looks at a cheap cell.

Source:http://www.hebesolar.com/solution/Photovoltaic-Cells-2.html

This a data sheet for a cell that is close to the one I'm buying for this project, a 150mmx150mm multicrystalline silicon cell. Here you can see the roll off voltage is right around 0.45 and 0.5VDC. That sure as hell doesn't look average to me!!! This will be very important to keep in mind when we desgin our panel's layout and order the cells we need.

A final note before first design:

The biggest thing that I took away from my research on this is that PV power sources are by no means very efficient. In fact I would say they are one of the lowest efficiency sources out there, with only a 31% max and an effective 10% - 19%(based on info seen in my produce searches) there is a lot of energy that is been lost to heat in these systems. So I feel it is important to keep an eye on this and see how you can make the best use of that heat to add to our final system output.

I think the other important thing to keep in mind here is that this will not be the only source, this will only be one part in a larger picture of power sources. So lets make sure not to put all our electrons in one place.

I hope this was a good primer on photovoltaic cells and some of the practical elements involved. Next time I'll cover some of the first design idea I have and what will be going into to the first build.

until that time, keep on hacking!