Friday 30 July 2021

Can't upload files to GoDaddy Managed WordPress - 0 byte files and disconnects

I spent a couple of hours trying to work out why I could not upload files to GoDaddy's Managed WordPress.

I was using FileZilla on Windows 10, and connected via SFTP to the Managed WordPress instance as detailed in GoDaddy's control panel.

Whenever I uploaded media to wp-content/uploads, it would error with 0-byte files and server disconnects.

The solution?

Bizarrely, disable and reenable your NIC. Yes, I did say that.

It's the first time I've ever experienced a software problem get fixed by disabling a NIC. What's the relationship between GoDaddy's SFTP server and your NIC? Maybe when it goes to sleep it doesn't fully restore in a way that allows SFTP to be negotiated correctly?

Monday 26 July 2021

Touchpad jumps on Ubuntu on HP Elitebook 840 G2

The cursor would jump around when typing on an HP Elitebook 840 G2, running Ubuntu.

In the end the following settings worked:

Natural scrolling off
Tap to click off
Two finger scrolling on
Edge scrolling off

Helped from here

Saturday 24 July 2021

Linux virtual machine emulator - for assembly programming

Uses NASM and QEMU to write a bootloader.

To use QEMU with GDB, use -s and -S. This sets it listening on port 1234 and halts the VM until gdb connects.

qemu-system-i386 -s -S -drive file=./boot.bin,cache=none,format=raw


Connect to QEMU from gdb:

target remote localhost:1234 

  1. Use info reg to display all the CPU registers.
  2. Use x/10i $eip to display the code at the PC position.
  3. Use set architecture i8086 to dump 16 bit code. 
  4. set tdesc filename target.xml
  5. x/10i $cs*16+$eip to dump the next 10 lines of code at the PC position
  6. stepi

To see the disassembled line

(gdb) show disassemble-next-line
Debugger's willingness to use disassemble-next-line is off.
(gdb) set disassemble-next-line on
then si

Machine boots

info reg - show registers

cs = 0xf000 (1048560) 

ip = 0xfff0

pc = (cs * 16) + ip
   = F0000 + FFF0
   = FFFF0 (1048560)

This is 16 bytes from BIOS top (at 1048575 or 0xFFFFF)

Inspecting the program at FFFF0:

x/16b 0xffff0

0xffff0: 0xea 0x5b 0xe0 0x00 0xf0 0x30 0x36 0x2f

0xffff8: 0x32 0x33 0x2f 0x39 0x39 0x00 0xfc 0x00

or looking at the instructions
x/2i 0xffff0
0xffff0: ljmp   $0x3630,$0xf000e05b

which shows that 0xEA is JMP

However, this interpretation is wrong: the VM is running in real mode and GDB does not handle it properly, even though we set architecture i8086.

So we must download the target description file and load it:

set tdesc filename target.xml

Now running it again gives

   0xffff0: ljmp $0xf000,$0xe05b
   0xffff5: xor %dh,0x322f
   0xffff9: xor (%bx),%bp
   0xffffb: cmp %di,(%bx,%di)
   0xffffd: add %bh,%ah
   0xfffff: add %al,(%bx,%si)
   0x100001: add %al,(%bx,%si)
   0x100003: add %al,(%bx,%si)
   0x100005: add %al,(%bx,%si)
   0x100007: add %al,(%bx,%si)

Now gives us

(0xf000 x 16) + 0xe05b = F0000 + 0xe05b = FE05B = (1040475)

This jumps us to FE05B
This is 1FA4 (8100) bytes from BIOS top (at 1048575 or 0xFFFFF)
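
The same decode done by hand, as an added example (not part of the original post): it takes the 16 bytes dumped with x/16b above, decodes opcode 0xEA with a 16-bit and then a 32-bit operand size, and computes the real-mode jump target. The function names are chosen for this illustration.

```python
import struct

# The 16 bytes shown by `x/16b 0xffff0` in the post.
RESET_VECTOR = bytes.fromhex("ea5be000f030362f32332f393900fc00")

def linear(segment, offset):
    """Real-mode linear address: segment * 16 + offset."""
    return (segment << 4) + offset

def decode_far_jmp(code, operand_bits):
    """Decode opcode 0xEA (far JMP) as (segment, offset, length in bytes)."""
    if code[0] != 0xEA:
        raise ValueError("not a far JMP (opcode 0xEA)")
    if operand_bits == 16:      # ptr16:16, what the CPU executes in real mode
        offset, segment = struct.unpack_from("<HH", code, 1)
        return segment, offset, 5
    if operand_bits == 32:      # ptr16:32, matches gdb's first (wrong) output
        offset, segment = struct.unpack_from("<IH", code, 1)
        return segment, offset, 7
    raise ValueError("operand_bits must be 16 or 32")

def printable_run(code, start):
    """ASCII text starting at `start`, up to the first non-printable byte."""
    end = start
    while end < len(code) and 0x20 <= code[end] < 0x7F:
        end += 1
    return code[start:end].decode("ascii")

if __name__ == "__main__":
    print("reset vector:", hex(linear(0xF000, 0xFFF0)))
    for bits in (16, 32):
        seg, off, length = decode_far_jmp(RESET_VECTOR, bits)
        print(f"{bits}-bit decode: ljmp ${seg:#x},${off:#x} ({length} bytes)")
    seg, off, length = decode_far_jmp(RESET_VECTOR, 16)
    print("jump target:", hex(linear(seg, off)))
    print("bytes after the jump:", repr(printable_run(RESET_VECTOR, length)))
```

The bytes that follow the 5-byte jump are an ASCII date string, not code, which is why the instructions gdb lists from 0xffff5 onwards (xor, cmp, add) are not meaningful.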

Run stepi (execute instruction)

   0xfe05b: cmpl   $0x0,%cs:0x62c8
   0xfe062: jne    0xfd0b0
   0xfe066: xor    %dx,%dx
   0xfe068: mov    %dx,%ss
   0xfe06a: mov    $0x7000,%esp
   0xfe070: mov    $0xf07c4,%edx
   0xfe076: jmp    0xfcf24
   0xfe079: push   %ebp
   0xfe07b: push   %edi
   0xfe07d: push   %esi

Reference for x386:

Visual chart on the Opcodes:

Good Reference to the opcodes

Saturday 17 July 2021

Wordpress infection

I inherited a WordPress site for a company. That company submitted adverts to Google which referenced the Website.

Infrequently, Google would reject the advert, saying the Website had malicious code on it, and would reference URLs such as:


The site was submitted to various scanners but I could not find the problem.

Eventually the problem was found because the site encountered an issue and a WordPress email described the problem.

 Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

In this case, WordPress caught an error with one of your plugins, Monetization Code plugin.

WordPress version 5.7.2
Current theme: H-Code Child (version 1.1)
Current plugin: Monetization Code plugin (version 1.0)
PHP version 7.3.12

An error of type E_PARSE was caused in line 89 of the file /var/www/wp-content/plugins/mplugin.php. Error message: syntax error, unexpected end of file

The last part indicated the file in question: mplugin.php.

You also need to check the database.

 SELECT * FROM `wp_options` WHERE (CONVERT(`option_name` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`option_value` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`autoload` USING utf8mb4) LIKE '%ad_code%') LIMIT 50


The wp-content\plugins\admin_ips.txt file contains a list of administrator IPs - when the Website is called from these IPs the ad code is hidden, to stop you discovering it.
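
An added example (not part of the original post) that sweeps a plugins directory for the indicators named above: the file names mplugin.php and admin_ips.txt, the plugin name from the email, and the ad_code keyword. It assumes the plugin name appears in a standard "Plugin Name:" header and that the PHP file may reference the keyword; the sample tree is constructed for the demonstration and is not the real plugin.

```python
import os
import re
import tempfile

# Indicators taken from the post: file names, plugin name, option keyword.
IOC_FILES = {"mplugin.php", "admin_ips.txt"}
IOC_HEADER = re.compile(rb"Plugin Name:\s*Monetization Code plugin", re.I)
IOC_STRINGS = (b"ad_code", b"admin_ips.txt")

def scan_plugins(plugins_dir):
    """Return sorted (relative_path, reason) pairs for files matching the indicators."""
    findings = set()
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            if name.lower() in IOC_FILES:
                findings.add((rel, "file name"))
            if not name.lower().endswith(".php"):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            # WordPress reads the plugin header from the first 8 KB of the file.
            if IOC_HEADER.search(data[:8192]):
                findings.add((rel, "plugin header"))
            for needle in IOC_STRINGS:
                if needle in data:
                    findings.add((rel, "references " + needle.decode()))
    return sorted(findings)

def build_sample(base):
    """Constructed sample tree: one planted single-file plugin, one clean plugin."""
    plugins = os.path.join(base, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "hello"))
    samples = {
        "mplugin.php": "<?php\n/* Plugin Name: Monetization Code plugin */\n"
                       "echo get_option('ad_code');\n",
        "admin_ips.txt": "203.0.113.5\n",
        "hello/hello.php": "<?php\n/* Plugin Name: Hello */\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(plugins, rel), "w") as fh:
            fh.write(text)
    return plugins

def demo():
    with tempfile.TemporaryDirectory() as base:
        return scan_plugins(build_sample(base))

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real site, call scan_plugins() with the path to wp-content/plugins and pair it with the wp_options query above, since the file sweep does not see database rows.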


Friday 9 July 2021

Surface Dock flickering monitor fix

If your Microsoft Surface Dock randomly causes the external monitors to flicker (or go black) then it is worth deleting the following registry settings:

These seem to cache monitor configuration, and once deleted, cause the problem to go away.



 [FIX] - Fix for External Display Monitors Flicker/Issues with Dock (SP4) : Surface (