Thursday, May 18, 2006

Talk about time lapse!

I plugged in my Toshiba that happens to be running Slackware-current. It's been off awhile and I noticed that the time was an hour or so behind, so I ran the below:

root@toshi:~# ntpdate ntp.nasa.gov
Looking for host ntp.nasa.gov and service ntp
host found : ntp-nasa.arc.nasa.gov
18 May 19:23:05 ntpdate[2185]: step time server 198.123.30.132 offset 4042.874524 sec
root@toshi:~# ntpdate ntp.nasa.gov
Looking for host ntp.nasa.gov and service ntp
host found : ntp-nasa.arc.nasa.gov
18 May 19:23:09 ntpdate[2188]: adjust time server 198.123.30.132 offset -0.000203 sec

I know this thing has a CMOS battery. Why the hell did it lose that much time??

I also got a Dell Precision 220 from work yesterday. They were going to throw it out. It's a decent system, but a coworker stripped the RAM before I got ahold of it. Unfortunately, it requires RAMBUS RAM. I'm looking now on eBay for some cheap RAMBUS RAM. The machine is dual proc capable but has one 667MHz Pentium III CPU. It is all IDE instead of SCSI like my Precision 410, but that's OK. Its internal layout is nice for a flat case. It has 2xUSB ports in the back. It has 5 PCI slots, so I can add a USB 2.0 PCI card when I get the chance. It has an integrated NIC (10/100) and came with a V770 PCI vidcard. It also has a Zip Drive. It has space for two hard disks and a CD drive. I have spare hard disks (all SCSI though). I may add SATA technology to it, though. I also grabbed a 17" CRT monitor that was about to be trashed also, and a bunch of CAT5 (that was golden, as CAT5 is expensive). I only need to decide what OS/distro I'm going to put on it...maybe NetBSD (as I already have a FreeBSD and an OpenBSD box). I also need to decide what duties this box will perform. The box has some life left, as it will take a gig of RAM and the CPU is upgradable to 1GHz.

I now need a big rack, as my systems are starting to pile up and my computer room looks horrendous!

A Dell rep or contractor will be showing up at my home tomorrow to repair my Inspiron 8500's monitor. Tomorrow is the last day of its service contract. I may renew it, as that laptop is my powerhouse machine, the most high-end system I have. My self-built tower probably has more raw horsepower (it's my gaming machine) but the Inspiron is trouble-free and does indeed have serious power at 2GHz. I usually watch my TiVo'd movies on it, crunch data on it when I boot into Slackware (it's a dual boot machine), or watch DVDs.

I'm still eyeing a Mac laptop or maybe even a Mac mini. Funds are the issue. We shall see what the near future holds for me. ;)

Monday, May 15, 2006

Another example of log correlation

Tailing my Snort logs this morning, I found the below:

[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF
***AP*** Seq: 0xF793F39A Ack: 0xDDC1DA82 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1184125330 36300125


I then searched for the actual payload with the below command:

tcpdump -Xvnner /var/log/snort/snort.log.1147297546 | less

I then hit the '/' key (search in less) and entered the source IP (213.92.8.4), which showed me the Snort payload of this specific alert:

20:05:01.237145 00:b0:4a:6c:76:53 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 226: IP (tos 0x0, ttl 48
, id 41299, offset 0, flags [DF], length: 212) 213.92.8.4.6667 > 66.160.141.30.32811: P [tcp sum ok] 4153668506:
4153668666(160) ack 3720469122 win 8576
0x0000: 4500 00d4 a153 4000 3006 fbb1 d55c 0804 E....S@.0....\..
0x0010: 42a0 8d1e 1a0b 802b f793 f39a ddc1 da82 B......+........
0x0020: 8018 2180 42f8 0000 0101 080a 4694 5192 ..!.B.......F.Q.
0x0030: 0229 e55d 3a60 4265 6c69 616c 216e 3d6a .).]:`Belial!n=j
0x0040: 6f65 4036 392e 3138 322e 3234 352e 3235 oe@69.182.245.25
0x0050: 3220 5052 4956 4d53 4720 2323 736c 6163 2.PRIVMSG.##slac
0x0060: 6b77 6172 6520 3a75 6964 3d31 3030 3028 kware.:uid=1000(
0x0070: 6a6f 6529 2067 6964 3d31 3030 2875 7365 joe).gid=100(use
0x0080: 7273 2920 6772 6f75 7073 3d31 3030 2875 rs).groups=100(u
0x0090: 7365 7273 292c 3130 2877 6865 656c 292c sers),10(wheel),
0x00a0: 3137 2861 7564 696f 292c 3138 2876 6964 17(audio),18(vid
0x00b0: 656f 292c 3139 2863 6472 6f6d 292c 3230 eo),19(cdrom),20
0x00c0: 2867 616d 6573 292c 3131 2866 6c6f 7070 (games),11(flopp
0x00d0: 7929 0d0a y)..

I then decided to check my IRC bot's logs, as I've an eggdrop bot logging ##slackware on irc.freenode.net. The bot connects to the server on port 6667, the source port seen in the alert and in the capture. This is what I found:

...
[20:04]  bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel),17(audio),18(video),19(cdrom),20(games),11(floppy)
[20:05] then you got something wrong with your channels (both master and pcm are unmuted, right?)
[20:06] <`Belial> yeah
...

Nice! This wouldn't have shown up in the FW logs, as I don't track IRC with iptables. Chalk this up as a false positive.
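One way to automate the correlation walked through above, as an added example (my own code, not from the post), assuming the alert, payload and bot log are available as plain text and that `id`-style output carried inside an IRC PRIVMSG, with a matching bot log line within a minute, is what marks the alert benign:

```python
import re

# Constructed sample input, copied from the Snort alert, tcpdump payload and
# eggdrop log quoted in the post; the function names here are my own.
SNORT_ALERT = """[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811"""
# Payload reassembled (abridged) from the hex dump: an IRC PRIVMSG carrying pasted `id` output.
PAYLOAD = (b":`Belial!n=joe@69.182.245.252 PRIVMSG ##slackware :uid=1000(joe) "
           b"gid=100(users) groups=100(users),10(wheel),17(audio),18(video)\r\n")
EGGDROP_LOG = """[20:04]  bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel)
[20:06] <`Belial> yeah"""

ALERT_RE = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):\d\d\.\d+ (\S+):(\d+) -> (\S+):(\d+)", re.M)
IRC_RE = re.compile(r"^\[(\d\d):(\d\d)\] (?:<(\S+)> )?(.*)$")

def parse_alert(text):
    """Minute-of-day and the endpoints from the timestamp line of a Snort alert."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("no timestamp/endpoint line in alert")
    return {"minute": int(m[1]) * 60 + int(m[2]), "src": m[3], "sport": int(m[4]),
            "dst": m[5], "dport": int(m[6])}

def classify_payload(payload):
    """Raw `id` output at the start of a segment is what the rule is after; the
    same text wrapped in an IRC PRIVMSG is somebody pasting into a channel."""
    text = payload.decode("latin-1")
    if re.match(r"^:\S+ PRIVMSG \S+ :", text):
        return "irc_privmsg"
    return "raw_id_output" if text.startswith("uid=") else "unknown"

def correlate(alert_text, payload, irc_log, window=1):
    """Find bot log lines with `id`-style output within `window` minutes of the
    alert (eggdrop stamps are minute-resolution) and decide if it is benign."""
    alert = parse_alert(alert_text)
    kind = classify_payload(payload)
    hits = []
    for line in irc_log.splitlines():
        m = IRC_RE.match(line)
        if (m and abs(int(m[1]) * 60 + int(m[2]) - alert["minute"]) <= window
                and "uid=" in m[4]):
            hits.append(line)
    benign = alert["sport"] == 6667 and kind == "irc_privmsg" and bool(hits)
    return ("false_positive" if benign else "investigate"), hits
```

The same alert with a bare `uid=...` payload on a non-IRC port, or with no matching bot log line, comes back as "investigate" rather than being waved through.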