burning dwarves

Brief Big Ten Tournament note. No column on it; I wasn't feeling massively invested because I had to miss the second half of the Minnesota game to go to Yost and watched it after I knew the outcome, then Ohio State came out and was all like "today we will play like a team with two lottery picks on it." Once that happened and Burke got annihilated by Craft it was clear this was going to be an ugly old-style loss, which fine. Michigan is not on the level of national contender… yet.

If anything the tourney just reinforced my feeling that this team did fantastically to pick up a Big Ten title split and now that there's a banner in hand the rest of this is house money. After beating OHIO*, that is. Losing to a 13 seed would leave a sour taste. Everything else is gravy-coated candy.

I'll leave the garment rending about how we're not competing for a one-seed for the next couple years.

Side note: now do we believe that Craft is a totally awesome defender? Yes? Okay.

*[SBN MAC blog Hustle Belt refers to the Bobcats as "OHIO" for reasons that are unknown but very probably related to their stunning upset of Georgetown as a 14 seed two years ago.


Since giving them the all-caps treatment is a term of respect that doubles as diss of plain ol' Ohio, this blog will refer to the Bobcats as OHIO from now on.]

Dave Brandon approves. Michigan-ND 1978 was like Michigan-MSU 2012 in two ways: one team looked totally ridiculous and lost 28-14.

The two games were different because one team didn't look ridiculous and Ufer was going ape in '78.

This game also provides ammunition for both sides of the maize/yellow debate. It's clear that UM's maize is much lighter than the yellow ND is wearing; it's also unattractively blinding.

Also ridiculous. I wish I'd found this before I posted on hockey's tourney streak today, as it really hammers home how remarkable it is:

Let me put that in perspective- of ALL of the teams that have won a National Championship in Hockey the last 21 seasons, here are the tournament appearances:

Michigan- 21
Boston U- 15
Minnesota- 15
North Dakota- 14
Michigan State- 14
Maine- 13
Wisconsin- 13
Boston College- 13
Denver- 10
Lake State- 6
Northern Michigan- 5
UM-Duluth- 4

Inside that, the longest streak is 9, shared by Maine, Michigan State, and North Dakota, but North Dakota will extend that to 10 this year. At least should.

Unless there's a power lurking outside this list—and I don't think there is—every other team has missed the NCAAs at least six times during the streak.

Help next year. Hockey's got blue chips on the blue line and at forward in their next recruiting class. Boo Nieves is the forward, and he sounds a little like Carl Hagelin:

Matt Herr thought he had seen it all after taking over as coach at the Kent School in Connecticut following a productive collegiate and professional playing career.

That's before he was introduced to 6-foot-3, 184-pound center Cristoval "Boo" Nieves last season.

"I don't know how he skates so freaking fast for his size," Herr told NHL.com. "He's one of the best skaters I've seen this year. I think he can jump into the American Hockey League and play right now and you wouldn't even blink." …

"He just explodes off the mark and has agility, balance and quickness to break loose from traffic," Eggleston said. "He also has the physical strength to plow through checks along the wall and bring the puck with him. He sees the ice very well, is a very smart and creative playmaker and captains the team ... he's a very good team player."

Herr then compares him to Joe Thornton, which… like… probably not. Here's hoping, though. If Michigan doesn't suffer any departures at forward I'm guessing that AJ Treais slides up to the top line next year between Brown and Guptill; Nieves should center the second line with PDG and… Moffatt? That sounds pretty good to me.

If they can keep defections on defense down to one they'd be skating something like Trouba-Merrill/Bennett, Moffie-Chiasson, Clare/Serville-Carrick. Depth is a bit scary there but kids develop; Serville especially seems like an offseason in a weight program will do him good.

Help the Mathlete. He needs some crowd-sourcing to fill in holes in his recruiting database. Your reward is good feelings and some interesting posts.

That's the ticket. Kyle Meinke tries to make us all feel better about going up against that Alabama defense:

"There ain't no one who can learn that defense in under a year," outgoing free safety Mark Barron said last month at the NFL Scouting Combine in Indianapolis. "We played in a very difficult defense, first of all. We did a lot of different schemes.

"I really don’t believe anyone can learn that defense in under a year."

Score! Please score.

Trey Burke is childhood friends with everyone on an Ohio D-I roster. OHIO backup PG and lightning bolt Stevie Taylor has played with and against Trey Burke for big chunks of his career. UMHoops has the story and the requisite adorable picture:


Um… check with the basketball team. Michigan's hockey team has adopted a mantra that should be familiar to anyone who followed Michigan basketball's NCAA drought-breaking team of a few years back:

The No. 4 Michigan hockey team emerged from its locker room before Saturday’s game against Notre Dame wearing shirts with the team motto, “Burn the Boats,” prominently displayed.

Hey! I remember that! Isn't that…

“(Sophomore forward Luke) Moffatt brought it up this year,” said sophomore forward Derek DeBlois last month. “It has to do with the Vikings. When they would go to fight, they would burn their boats. No retreat, you just kind of lay all your chips on the table and fight until you win.”

…NOT ABOUT VIKINGS AT ALL. It's actually a famous event in the Spanish conquest of everything when they were discovering the new world, which is why the basketball team's version of the slogan was in Spanish. [Ed-S: actually...] Come on. Vikings. I've never heard about anything so ridicul—


SHOULDN'T HAVE TALKED ISH ABOUT VIKIIIIINGS AIEEEE—


Etc: James Rogers interviewed. Michigan Tech goalie coach and former Michigan goalie Steve Shields profiled. MEL PEARSON UPDATE: Tech reaches the Final Five for the first time in five years. Tech is two games away from .500 on the year. Carty on Draymond Green and Zack Novak. Ohio's PG in a bikini.

[Note: iPhone app is currently broken; that is the #1 priority in terms of fixes. Hope to have it up by Monday.]

This has nothing to do with Michigan football but the least I can do to help the greater health of the internet is to offer some measure of advice for people who find themselves hacked in the face.

I'm not an expert. Please read the comments for people disagreeing with me, as they may/are better at this than I am. But I just went through this and if you're in the same boat here's what happened with me and what I took from it.


Boatmurdered. BURN. ALL BURN.

"Last known good" may not be as good as you think. We have a backup. That backup overwrites itself on a nightly basis. Correction: that backup overwrote itself on a nightly basis. Going forward we wanted to be able to roll back up to a week.

However, we found out that would not have helped us here. Some of our infected files were last modified in early January. A "last known good" configuration from last weekend would have still featured multiple scripts with backdoors that Eastern European hackers could jump in through.

We're still going to change our backup system so that it has more snapshots—an injection attack would be more susceptible to a DB rollback, I think—and we are going to have a billion and two backups of the actual code so that if, God forbid, something like this happens again we can have a reference point to pull forward stuff we customized and don't want to lose.

But…

BURN. ALL BURN. I'm not pulling anything forward except select bits and pieces I can hand-inspect. The rest of it dies in a fire. I thought we were destroyed until my brother asked "how long would it take to recreate it from scratch?" This was the moment in the movie when the camera zooms out and the city becomes transparent. It would take… um… maybe a couple hours. The defining feature of a CMS is that everything is in the database. So if you're confident the database isn't the issue you can pick that out, raze the world, download and install all your crap, and not have to worry about finding every last piece of corrupted code. You're going to break a few things when the new versions of your modules don't work exactly as expected but it's way better than the alternative.

Then change your FTP password over SSH. And then, if you're paranoid (i.e., us now), turn FTP off entirely for a while. We had to use plain FTP, which is not very secure, because for some reason enabling encryption turned directory listing into a cripplingly slow process. A reader had related an experience in which a corrupted local computer had been giving away FTP passwords, giving hackers direct access to the server. We're not taking any chances despite my incessant scanning.

Burn, all burn exception: we pulled the "files" folder forward despite it being too massive to check because it's all data and those folders are locked down by server permissions so they can't execute anything. Everything else was pored over.

Why we thought it wasn't the database. Well, one, we found plenty of stuff indicating the server had taken a direct hit in the form of scripts that included helpful comments like "webshell by oRb." We brought those shells up and didn't find any database functionality.

Also, injection attacks usually don't affect the entire site—they're more likely to be hostile code submitted by users (something Drupal is good about) that affect only the pages they're submitted on. The malware was being delivered via the CSS and JS files, which are amongst the few bits of the page you're reading that don't come from the DB. While the server corruption could have in turn hit the DB, we didn't see obvious avenues for that and all of the problems were segregated from said DB.

We're now watching it closely just in case, but the evidence pointed to something other than an SQL injection.

What to search for. This article is fairly comprehensive but I'd also suggest looking for "unescape" or the string "%3C%69%66%72%61%6D%65." If you run that through the unescape function you get "<iframe". What are the chances that's helpful code? Not so good.
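As an added example (not from the original post, and not MGoBlog's own tooling), here is a small scanner that does the search described above: it flags `unescape(` calls and, more usefully, decodes any run of percent-encoded bytes and checks whether the decoded text is an `<iframe`, `<script`, `eval(` or `document.write` fragment. The sample files are constructed inline; the injected line uses the same `%3C%69%66%72%61%6D%65` string the post mentions, and `example.invalid` is a placeholder host. `scan_tree` runs the same check over a real directory of a downloaded copy of the site.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample files (not real site content). The second line of the
# aggregated JS file is what an injected, percent-encoded iframe looks like;
# the CSS line shows a harmless, short percent-encoded value that must not fire.
SAMPLE_FILES = {
    "js/js_aggregated.js": (
        "function init(){ return document.getElementById('x'); }\n"
        "document.write(unescape('%3C%69%66%72%61%6D%65%20src%3D%22"
        "http%3A%2F%2Fexample.invalid%2F%22%3E'));\n"
    ),
    "css/style.css": "body { background: url('%7Bfoo%7D'); }\n",
    "js/clean.js": "var s = 'hello world';\n",
}

# Four or more consecutive %XX escapes: long enough to spell a tag, short
# enough to catch the typical obfuscated payload.
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")

# Fragments that, once decoded, have no business hiding in a CSS or JS file.
SUSPICIOUS_DECODED = ("<iframe", "<script", "eval(", "document.write")


def scan_text(path, text):
    """Return (path, line number, reason) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "unescape(" in line:
            findings.append((path, lineno, "unescape() call"))
        for match in ENCODED_RUN.finditer(line):
            decoded = unquote(match.group(0)).lower()
            hit = next((t for t in SUSPICIOUS_DECODED if t in decoded), None)
            if hit:
                findings.append((path, lineno, f"percent-encoded {hit!r}"))
    return findings


def scan_all(files):
    """Scan an in-memory {path: text} mapping (used here for the sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root, exts=(".js", ".css", ".php", ".html", ".htm")):
    """Walk a real directory and scan every file with one of the given extensions."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    for path, lineno, reason in scan_all(SAMPLE_FILES):
        print(f"{path}:{lineno}: {reason}")
```

A hit tells you where the payload is delivered, not where it came from; as the post says, the injected iframe and the backdoor that wrote it are different things, so treat findings as a list of files to inspect, not a cleanup list.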

Don't waste your time with "StopBadware." This is the site you get funneled to if you click the I'm-so-screwed button on the Google warning page. Their extremely awesome advice is to look for the bad things and remove them. They list scripts, redirects, and iframes as the main ways you transmit the bad things—okay, probably helpful—and then offer this up:

There exist several free and paid website scanning services on the Internet that can help you zero in on specific badware on your site. There are also tools that you can use on your web server and/or on a downloaded copy of the files from your website to search for specific text.

Awesome! Where are they? Which are the best ones?

StopBadware does not list or recommend such services, but the volunteers in our online community will be glad to point you to their favorites.

Fu. The "online community" at "badwarebusters" mostly consists of people screaming about erroneous hits. About four threads pop up per day and they can go days without a response. If you're looking to do something quickly it's useless.

That's annoying. This is the worst advice possible:

Once you have located the code that is causing the badware behavior, removing it is often as simple as deleting the offending code from all files in which it appears. Sometimes, it is easier, if you have a clean backup of your site’s contents, to re-upload all of the site’s files, though be careful about overwriting files that may have changed since your last backup.

They've just glossed over the difference between the offending iframe and the code that generated it. Backdoors are not mentioned. This section needs to be replaced with:

BURN. ALL BURN.

Whoever wrote it should be horsewhipped. The next section is about "preventing future infection" when the previous section has essentially advised a n00b who needs to be informed that scripts and iframes are bad, mmmmkay, that "removing the offending code" "often" solves the problem. False. Burn. All burn. 

If you aren't already, sign up with Google's Webmaster tools. We first found out the aggregated JS file was an issue from them, and they periodically updated their findings to let us know we still hadn't killed the problems. Tip: if you're aggregating js and css you may want to stop for more precise identification of the end destinations.

These are not the sources. You have to find those, or just burn everything to the ground.

Don't get notifications other than security notifications. This site is now running dozens of Drupal modules, some of which actually have release changelists that read, in their entirety, "fixed typo X." After a while you stop checking just to see that some random module has done some stuff you don't care about, and then you don't know when certain modules are out of date. We're still not sure what the attack vector was but one of the main candidates was known, patched holes in Drupal. I went from weekly updates about everything to daily updates about security. Drupal shouldn't have other options.

Status. We're not entirely out of the woods yet but it's looking promising, and we have installed various alarms in the system to blare at us whenever anything unexpected (a file being updated outside of the areas where that's supposed to happen) goes down. Hopefully if there is another breach we will catch it long before anything starts getting delivered.
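As an added example that is not the post's own alarm code, here is the basic shape of that kind of alarm, and of the "reference point" backup idea from earlier in the post: hash every file of a known-clean install into a baseline, re-hash later, and report differences. Changes under an upload directory are expected; anything else (a module file modified, a new script appearing outside the upload area) is an alert. The directory layout (`sites/default/files/` as the writable area, modelled on the post's "files" folder) and the sample files are assumed and constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed: the only place the web server is supposed to write. Adjust per site.
WRITABLE_PREFIXES = ("sites/default/files/",)


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def diff_baseline(old, new, writable_prefixes=WRITABLE_PREFIXES):
    """Split changes between two snapshots into (alerts, expected) lists of (kind, path)."""
    alerts, expected = [], []
    for rel in sorted(set(old) | set(new)):
        if old.get(rel) == new.get(rel):
            continue
        if rel not in old:
            kind = "added"
        elif rel not in new:
            kind = "removed"
        else:
            kind = "modified"
        bucket = expected if rel.startswith(writable_prefixes) else alerts
        bucket.append((kind, rel))
    return alerts, expected


def demo():
    """Constructed scenario: baseline a tiny site, then make three changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sites/default/files").mkdir(parents=True)
        (root / "modules/foo").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hi';")
        (root / "modules/foo/foo.module").write_text("<?php function foo() {}")
        (root / "sites/default/files/a.jpg").write_bytes(b"\xff\xd8")
        baseline = hash_tree(root)

        # 1. a new upload: expected, lives under the writable prefix
        (root / "sites/default/files/b.jpg").write_bytes(b"\xff\xd8")
        # 2. a module file edited in place: alert
        (root / "modules/foo/foo.module").write_text("<?php function foo() {} // changed")
        # 3. a new script outside the upload area: alert
        (root / "sites/default/x.php").write_text("<?php // unexpected new file")

        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    alerts, expected = demo()
    for kind, rel in alerts:
        print(f"ALERT {kind}: {rel}")
    for kind, rel in expected:
        print(f"ok    {kind}: {rel}")
```

The baseline has to come from a fresh install plus hand-inspected customisations, not from a nightly backup, for exactly the reason given above: a snapshot taken after the January modifications would have enshrined the backdoored scripts as "good". Keep the baseline somewhere the web server cannot write, and run the comparison from cron rather than from inside the site.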