This is an online log of my Slackware experiences. Be aware that I'm also using this blog to cover basic and intermediate security issues that may not pertain to Slackware. This is my way of consolidating blogs (I've several of them).
Friday, December 27, 2013
nmon - Linux
Found this little tidbit (nmon) on Google+ (Ubuntu group):
https://plus.google.com/101635552034658832984/posts/BoQk2BibQkJ
It may come in handy during my next troubleshooting crisis.
Monday, December 23, 2013
For those people who are trying to choose the best Linux distro...
The whole research is here.
Google+ link
Snowden again...
2.5 months ago, I posted my thoughts about Snowden and his intentional spillage of classified data.
A few days ago, a friend of mine posted an article discussing how Snowden didn't make Google's top 10 most searched topics.
Today, a different friend posted (on Facebook...due to respect for his [and others'] privacy, I will not copy/paste or screenshot the discussion) that Snowden was filtered from Twitter's search engine.
Some musings and things to think about:
Firstly, I'm glad I'm not the only person out there that thinks this "Snowden is a hero" thing is ridiculous. The fact that I saw several articles that mimicked my thoughts is a bit refreshing. Here's one.
Secondly, there seems to be a lot of people on the web (and in real life) that think that the government is censoring the search content. They don't have *that* much power and hooks into the systems to achieve that goal...no way. Google (and more than likely Twitter too) wouldn't mess with such query results...what would they have to gain, and why would they do this when they're already pissed that the NSA was able to intercept much of their back-end data? If the query results show that Snowden didn't make the top ten, that means that he didn't make the top ten...maybe people don't care so much about him. Oh, they understand the implications of NSA snooping, but they don't need to read articles on Snowden to study up. The only people that are concerned about Snowden are his supporters (and maybe the NSA and other 3-letter gov't orgs -- from the standpoint of never letting such a thing happen again). Yes, I'll say it again: The only people that are concerned about Snowden are the people wearing the tin foil hats...and, apparently, there aren't many of those types of people compared to the rest of the world, because their concerns didn't show in Google's top ten topics for 2013. Thinking on that, that is rather shameful, yeah...people were more concerned with Miley Cyrus and her twerking than their privacy where the NSA is concerned. Again, I am concerned with snooping...I *am*, but, as I explained in my last post about all of this, the NSA isn't attempting to record the whole of the world's lives. They're data-mining and looking for trends that tend to stick out like a sore thumb. They aren't looking at you at a personal level every day (unless you've an anthrax factory in your basement).
Tuesday, November 26, 2013
Time-saving Tips - Linux Journal
Wow. I was reading the below link, to refresh myself with screen (I've been slacking with admin'ing my Linux machines, and I rarely get the chance to log in via CLI).
I tried the bit in the article here:
http://www.linuxjournal.com/content/time-saving-tricks-command-line?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29&utm_content=FaceBook
...[L]et's say I want to run a git push
command again, but I don't remember exactly which one. So I press Ctrl-r and start typing "push". This will match the most recent command, but I actually want the one before that, and I don't remember a better fragment to type. The solution is to press Ctrl-r again, in the middle of my current search, as that jumps to the next matching command.
My mind was blown away. I've never used that method. I always referenced 'history', found the ID# for the command I needed, then typed "!ID" (example, !2015), which would run the command. I'm still in the middle of the article (just two pages), but I'm going to skim over LJ articles during the next few days since I'm off until next Monday...I need to force myself to become more immersed in *nix.
Web Administration Scripts - Linux Journal
I haven't read all of this yet, but since it's related to Linux, Apache, and DDoS, I thought I'd bookmark it and share it here. It's an article by Dave Taylor.
http://www.linuxjournal.com/content/web-administration-scripts?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
After I finish reading the article, I'll add any comments I may have to this blog entry.
Labels: administration, apache, Dave Taylor, linux, Linux Journal, scripts, web
Friday, November 01, 2013
Healthcare.gov web site launch leaves lessons for health of your IT career
IT pros following the troubled launch of healthcare.gov can only feel grateful that they were looking at it purely clinically, and as "outside observers", especially if they were reading some of the criticism about the web site in national publications. The President was even quoted in international presses as he acknowledged the web site's problems, saying "There's no sugarcoating it. The web site has been too slow. People have been getting stuck during the application process. And I think it's fair to say that nobody is more frustrated by that than I am."
Read more @:
http://www.techrepublic.com/blog/career-management/healthcaregov-web-site-launch-leaves-lessons-for-health-of-your-it-career/?tag=nl.e124&s_cid=e124&ttag=e124&ftag=TREdcc9ddc
I thought this was a good read. Last week, my wife had mentioned the woes of this project (she's a budding IT security geek). She'd been listening to radio talk show hosts discussing the issue while commuting to/from work. I'd neglected to track the issue via the media but I'd heard there were issues. She asked my opinion and I told her that I couldn't see how the project went production-live without conducting quality assurance testing and other validation testing. She concurred and stated that the project went live without proper testing. I was shocked. Now, for a seasoned IT person, the article highlights nothing new, but think about this: there had to be some senior guys involved in that project...how in the hell could it have gone live without someone being accountable for the state of the product? With the scope of the requirements and the possible political implications, you'd have thought that a high-press project would've been watched closely. That's food for thought, I guess.
Thursday, October 24, 2013
Google blacklist blocking php.net
Google's safe browsing API, a security blacklist service which warns of malicious web sites, has marked the php.net site as malicious. As a result, users of Google Chrome and Mozilla Firefox get a dire warning when attempting to visit the site.
Read more here:
Note: Also, be aware of the comments section under the article. There is a bit of banter going on about 1) it was a non-news-worthy event, since Google did what it was supposed to have done -- i.e., it was not a false positive, 2) a reader insists that it was a false positive and that Google has a habit of blocking small business owners, causing them financial woes, and 3) a reader points out that Netcraft detected possible malware at php.net (substantiated by a Hacker News analysis), which substantiates Google's claim.
Tuesday, October 08, 2013
My Rant on the Snowden Fiasco
I want to talk about the following article, which has every bit to do with integrity and confidentiality:
http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/ - Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show
Specifically, I'd like to refer to the comments made, at the bottom of the article.
Now, I'm a geek at heart. I'm also a US military veteran (which means I'm an ex-government worker). What has America done to warrant the level of hate and distrust that is contained within those comments??? People forget that in order for them to speak such venom, someone has died for them to have that right. People die every day for the freedoms of the US citizen, and they're not just military.
Up front, I'm going to say that I don't give a crap about Snowden. He's definitely not a hero or martyr, IMO. You can spout off all the polls and opinions you like about that...it's not going to change my mind about him. You can be a true hero and martyr without being a traitor to your country (and then running to another country to escape reprisals). I say this while still being a geek at heart because I somewhat understand the nature of the US government and why they do the things they do. And if you think the US government isn't nice to its citizens, you should check out some of the things other countries do to people like Snowden. There are US spies, but EVERY country has spies. There are US soldiers tangling with civilians in other countries around the world (just as there are with other countries' militaries). Shit happens sometimes. The bad things are handled by our government, but there is no campaign to ruin peoples' lives overseas, just as there is no general campaign to hide things. The government hides things not because it's trying to hide things from its citizens, but because it's trying to hide things from its competition (other countries). Because it's hiding data from other countries, by default, US citizens aren't going to see it. You want transparency? That's not going to happen with classified material. Some people want disclosure of all government things, because they distrust what they don't see...that's not going to happen...in ANY country. Some people think that if you're a geek, you should be concerned. I'm not, and I'm a geek. The government is not concerned with little me or the things that I'm doing (which is nothing that needs to be hidden). I certainly don't broadcast my activities, but I'm pretty sure that the government doesn't have a folder on me in a file system somewhere. I'm insignificant. Are they data-mining, looking for certain patterns? More than likely. Are they looking for certain people or certain activities? Probably.
Are they tracking EVERYONE, on a "just in case" basis? No. Besides all that, I'm not going to be living in a fortress like I'm some doomsday survivalist.
Now, the owner of Lavabit (Levison) did what he thought was necessary to keep his personal and business integrity. There's nothing wrong with that, even though I disagree with what Snowden did. I might have done the same thing as Levison. He has to worry about his reputation as a business owner of data security and integrity, so he took the hit (and that might help him in the future). I consider him more of a hero than Snowden, because Snowden wasn't under any type of obligation to share classified data with the public, but he did anyways, throwing his oath in the trash can. Levison was under obligation to protect his client base from disclosure (he owned a business and probably had contracts that bound him to ensure data integrity and confidentiality). Snowden is looked at as a whistleblower and hero...WTF??? How can you sign a statement of non-disclosure and swear that you'll not reveal classified information, and still be considered a whistleblower/hero if you do?? How could you work for a secretive agency, by choice, and NOT know that you might see data that you might not want to be aware of? Really? People should always think along those lines when working for any of the 3-letter agencies. Would you work for the mob and be surprised later on that they cut off thumbs occasionally? Just sayin'. Some of what the US government does is NOT pretty. And how can you have an ounce of integrity if you release that type of information to the public, knowing that you're damaging international relations? Snowden probably thought Russia was his friend...I'm pretty sure he doesn't think that now. I'm sure Russia has made it clear to Snowden what they expect out of all of this, and if not, they're definitely not patting him on the back and paying all of his tabs. They're probably questioning him and trying to benefit from his loose lips. Russia certainly isn't doting on Snowden because they're sympathetic and want to help out as an act of goodwill.
The Russian government is trying to insinuate its nose into the issue and is looking to gain knowledge that they can take advantage of. And just because Snowden did this doesn't mean that countries like Iran are now our friends...they hate us even more and aren't thankful that some traitor spilled the beans. If you were iffy on whether you'd be shot while walking down a crowded street in a Pakistani city, there should now be relative certainty that you'll at least get shanked...and all because of "whistleblowers" like Snowden and Manning (who I can't stand because he was actually a soldier and fellow intelligence analyst and did the worst thing a soldier and analyst could do).
I'm certainly not saying that our government is totally innocent of atrocities, especially since I'm not privy to everything that goes on in the government. But I'm pretty sure that not everyone within the government is guilty. That's not saying that everyone that knows certain classified tidbits should just spill the beans regarding topics they don't understand, either. Maybe there should be a national whistleblower hotline for crap such as this, so that someone internal to the government (that can't be touched by law) can screen such concerns. But really, I've more respect for a gangbanger that takes the heat for a crime of his peers than someone like Snowden or Manning. And I think that the government needs to learn from this and screen soldiers and contractors a LOT better.
Unlike most geeks, I'm not down with the "down with The Man" attitude, and I honestly think that military service should be mandatory for every male citizen (and maybe even females), because it would only help them to understand the government...they might not like it after 2-3 years of mandatory service, but they'll definitely have a better understanding. They'd learn things that history books don't typically explain or expand on. Not that I know much about traveling and the international community (and how other countries out there hate us ALL)...being as I traveled the world for 10 years while I was in the Army and another 10 years after I got out, following my wife as the Army sent her places. I'm going to speak generally for a second. The average US citizen has never left the US other than to maybe vacation for a week or two. I'm sure there are many citizens that have stayed in other countries for at least a year, but compared to the whole citizen base, that number is probably a relatively small number. The average citizen is spoiled. They know nothing of protecting themselves while abroad. They show off how rich they are (thereby making it easy to be targeted by thieves or terrorists). They know it all but usually don't know any language or culture other than their own (while many others of the world know 2 or more languages). They act arrogant. Outsiders see all of this, so they already have a negative picture of us. Mix it in with the occasional misunderstanding or soldier that kills a foreign citizen (purposely or not, self-defense or not), and guess what...they think ALL of the US is corrupt. Not just the government...ALL.
Now, Manning was in the military when he did what he did. He was also a Private (in rank). I'd also guess that he was a loner...there's just no way he could've shared his thoughts of the US government and been a popular and mentoring soldier...not doing what he did. It's a bit difficult to look up to people like that as a soldier peer. So he gained new friends (anarchists, I guess)...well, that still doesn't help him or Snowden. At least Manning doesn't have to run. Snowden will eventually tire of running...it's going to be a hard life for him, IMO, even living in Russia. God forbid if Russia tires of him and decides to put him out.
In my opinion, these "down with The Man" types are just doing the dirty work for the foreign malcontents. We're easier to conquer if we're divided. This is why we're no longer really a world power (and have to borrow money from China). We won't force our government to take care of what they're chartered to do, yet we rant about how much they need to go away. If the government disappears tomorrow, this country will tear itself apart in very short order. People nowadays don't have a spirit of nationalism, either. I rarely see youngsters speaking about political issues without extreme venom, which is horrible, since this country should be thriving on political debate (competition always makes things better in the end). If either the Democratic or Republican party died tomorrow, this country will be in a serious world of hurt, because there will be no balance. Our job as citizens should be to have a sense of nationalism (even if you don't believe in government) and to keep the government honest, since they work for us. That requires hard work (not just internet ranting such as was witnessed in the comments of the supplied URL). Go out and volunteer and be involved with working the issues. Help out your political parties. Be involved with US soldiers. Be a good US diplomat while overseas (we're ALL representatives of the US and everything we do, good or bad, is watched). In fact, with the internet binding the nations tighter, it may do well to be a good US diplomat while online, since your internet buddy may well be a foreign national.
Because I'm a geek, most of my peers assume I hate government, but it's kinda funny, because even geeks have governance. It's all around us, yet we never rant about things such as ToS, GNU, computer AUP at your workplaces... But when anyone mentions US government, the whole community gets bent. Most rules are generally put in place because someone violated some unwritten trust or there is the chance that someone will do something unwanted if it isn't disclosed that it shouldn't be done. In the case of intelligence and security, disclosure can get someone killed in the field. I know you're saying, "Well, Snowden did that, so your argument is busted," but that's where Snowden and Manning screwed up. They put people's lives in danger...and not just Americans, but possibly people overseas who assisted the US.
I'm thinking I'll moderate the comments, because this type of subject-matter tends to bring out the ugly comments from people.
But I'm done with this. I've said my bit.
http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/ - Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show
Specifically, I'd like to refer to the comments made, at the bottom of the article.
Now, I'm a geek at heart. I'm also a US military veteran (which means I'm an ex-government worker). What has America done to warrant the level of hate and distrust that is contained within those comments??? People forget that in order for them to speak such venom, someone has died for them to have that right. People die every day for the freedoms of the US citizen, and they're not just military.
Up front, I'm going to say that I don't give a crap about Snowden. He's definitely not a hero or martyr, IMO. You can spout off all the polls and opinions you like about that...it's not going to change my mind about him. You can be a true hero and martyr without being a traitor to your country (and then running to another country to escape reprisals). I say this while still being a geek at heart because I somewhat understand the nature of the US government and why they do the things they do. And if you think the US government isn't nice to it's citizens, you should check out some of the things other countries do to people like Snowden. There are US spies, but EVERY country has spies. There are US soldiers tangling with civilians in other countries around the world (just as there are with other countries' militaries). Shit happens sometimes. The bad things are handled by our government, but there is no campaign to ruin peoples' lives overseas, just as there is no general campaign to hide things. The government hides things not because it's trying to hide things from it's citizens, but because it's trying to hide things from it's competition (other countries). Because it's hiding data from other countries, by default, US citizens aren't going to see it. You want transparency? That's not going to happen with classified material. Some people want disclosure of all government things, because they distrust what they don't see...that's not going to happen...in ANY country. Some people think that if you're a geek, you should be concerned. I'm not, and I'm a geek. The government is not concerned with little me or the things that I'm doing (which is nothing that needs to be hidden). I certainly don't broadcast my activities, but I'm pretty sure that the government doesn't have a folder on me in a file system somewhere. I'm insignificant. Are they data-mining, looking for certain patterns? More than likely. Are they looking for certain people or certain activities? Probably. 
Are they tracking EVERYONE, on a "just in case" basis? No. Besides all that, I'm not going to be living in a fortress like I'm some doom's day survivalist.
Now, the owner of Lavabit (Levinson) did what he thought was necessary to keep his personal and business integrity. There's nothing wrong with that, even though I disagree with what Snowden did. I might have done the same thing as Levinson. He has to worry about his reputation as a business owner of data security an integrity, so he took the hit (and that might help him in the future). I consider him more of a hero than Snowden, because Snowden wasn't under any type of obligation to share classified data to the public, but he did anyways, throwing his oath in the trash can. Levison was under obligation to project his client base from disclosure (he owned a business and probably had contracts that bound him to ensure data integrity and confidentiality). Snowden is looked at as a whistleblower and hero...WTF??? How can you sign a statement of non-disclosure and swear that you'll not reveal classified information, and still be considered a whistleblower/hero if you do?? How could you work for a secretive agency, by choice, and NOT know that you might see data that you might not want to be aware of? Really? People should always think along those lines when working for any of the 3-letter agencies. Would you work for the mob and be surprised later on that they cut off thumbs occasionally? Just sayin'. Some of what the US government does is NOT pretty. And how can you have an ounce of integrity if you release that type of information to the public, knowing that you're damaging international relations. Snowden probably thought Russia was his friend...I'm pretty sure he doesn't think that now. I'm sure Russia has made it clear to Snowden what they expect out of all of this is, and if not, they're definitely not patting him on the back and paying all of his tabs. They're probably questioning him and trying to benefit from his loose lips. Russia certainly isn't doting on Snowden because they're sympathetic and want to help out as an act of goodwill. 
The Russian government is trying to insinuate it's nose into the issue and is looking to gain knowledge that they can take advantage of. And just because Snowden did this doesn't mean that countries like Iran are now our friends...they hate us even more and aren't thankful that some traitor spilled the beans. If you were iffy on whether you'd be shot while walking down a crowded street in a Pakistani city, there should now be relative certainty that you'll at least get shanked...and all because of "whistleblowers" like Snowden and Manning (who I can't stand because he was actually a soldier and fellow intelligence analyst and did the worst thing a soldier and analyst could do).
I'm certainly not saying that our government is totally innocent of atrocities, especially since I'm not privy to everything that goes on in the government. But I'm pretty sure that not everyone within the government is guilty. That's not saying that everyone that knows certain classified tidbits should just spill the beans regarding topics they don't understand, either. Maybe there should be a national whistleblower hotline for crap such as this, so that someone internal to the government (that can't be touched by law) can screen such concerns. But really, I've more respect for a gangbanger that takes the heat for a crime of his peers than someone like Snowden or Manning. And I think that the government needs to learn from this and screen soldiers and contractors a LOT better.
Unlike most geeks, I'm not down with the "down with The Man" attitude, and I honestly think that military service should be mandatory for every male citizen (and maybe even females), because it would only help them to understand the government...they might not like it after 2-3 years of mandatory service, but they'll definitely have a better understanding. They'd learn things that history books don't typically explain or expand on. Not that I know much about traveling and the international community (and how other countries out there hate us ALL)...being as I traveled the world for 10 years while I was in the Army and another 10 years after I got out, following my wife as the Army sent her places. I'm going to speak generally for a second. The average US citizen has never left the US other than to maybe vacation for a week or two. I'm sure there are many citizens that have stayed in other countries for at least a year, but compared to the whole citizen base, that number is probably a relatively small number. The average citizen is spoiled. They know nothing of protecting themselves while abroad. They show off how rich they are (thereby making it easy to be target by thieves or terrorists). They know it all but usually don't know any language or culture other than their own (while many others of the world know 2 or more languages). They act arrogant. Outsiders see all of this, so they already have a negative picture of us. Mix it in with the occasional misunderstanding or soldier that kills a foreign citizen (purposely or not, self-defense or not), and guess what...they think ALL of the US is corrupt. Not just the government...ALL.
Now, Manning was in the military when he did what he did. He was also a Private (in rank). I'd also guess that he was was a loner...there's just no way he could've shared his thoughts of the US government and been a popular and mentoring soldier...not doing what he did. It's a bit difficult to look up to people like that as a soldier peer. So he gained new friends (anarchists, I guess)...well, that still doesn't help him or Snowden. At least Manning doesn't have to run. Snowden will eventually tire of running...it's going to be a hard life for him, IMO, even living in Russia. God forbid if Russia tires of him and decides to put him out.
In my opinion, these "down with The Man" types are just doing the dirty work for the foreign malcontents. We're easier to conquer if we're divided. This is why we're no longer really a world power (and have to borrow money from China). We won't force our government to take care of what they're chartered to do, yet we rant about how much they need to go away. If the government disappears tomorrow, this country will tear itself apart in very short order. People nowadays don't have a spirit of nationalism, either. I rarely see youngsters speaking about political issues without extreme venom, which is horrible, since this country should be thriving on political debate (competition always makes things better in the end). If either the Democratic or Republican party died tomorrow, this country will be in a serious world of hurt, because there will be no balance. Our job as citizens should be to have a sense of nationalism (even if you don't believe in government) and to keep the government honest, since they work for us. That requires hard work (not just internet ranting such as was witnessed in the comments of the supplied URL). Go out and volunteer and be involved with working the issues. Help out your political parties. Be involved with US soldiers. Be a good US diplomat while overseas (we're ALL representatives of the US and everything we do, good or bad, is watched). In fact, with the internet binding the nations tighter, it may do well to be a good US diplomat while online, since your internet buddy may well be a foreign national.
Because I'm a geek, most of my peers assume I hate government, but it's kinda funny, because even geeks have governance. It's all around us, yet we never rant about things such as ToS, GNU, computer AUP at your workplaces... But when anyone mentions US government, the whole community gets bent. Most rules are generally put in place because someone violated some unwritten trust or there is the chance that someone will do something unwanted if it isn't disclosed that it shouldn't be done. In the case of intelligence and security, disclosure can get someone killed in the field. I know you're saying, "Well, Snowden did that, so your argument is busted," but that's where Snowden and Manning screwed up. They put people's lives in danger...and not just Americans, but possibly people overseas who assisted the US.
I'm thinking I'll moderate the comments, because this type of subject-matter tends to bring out the ugly comments from people.
But I'm done with this. I've said my bit.
Labels: classified, contractor, down with The Man, lavabit, levison, manning, military, NDA, snowden, US, US government
Friday, September 27, 2013
Running a CMS on one of my VPSs...now seeing weird scans.
So, I decided to run one of my own CMSs (doesn't matter which for this particular post), instead of setting up another Blogger blog. I implemented some hardening plugins and enabled a backup solution. The backup solution is backing up the configuration periodically via SCP to wigglit.com, which is already allowed by the FW, but I noticed that the same day I stood up the CMS and enabled the backup, I began to see scans from a 1&1 host:
Sep 27 21:57:26 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=20101 DF PROTO=TCP SPT=53949 DPT=52300 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:39 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=9603 DF PROTO=TCP SPT=53185 DPT=59347 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:47 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=57673 DF PROTO=TCP SPT=63266 DPT=33952 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:50 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=64740 DF PROTO=TCP SPT=64200 DPT=56377 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:57 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=51825 DF PROTO=TCP SPT=65017 DPT=54342 WINDOW=5840 RES=0x00 SYN URGP=0
At first, I thought I'd forgotten to add an acceptance rule to the firewall, but everything works perfectly. The traffic is bouncing off of the clean-up rule, 5 times a day, roughly around the same time. I also initially thought that 74.208.16.118 was unixfool.com (the host that's running the CMS software), but that particular IP is 74.208.41.182.
It makes me wonder if 1&1 is running some anti-malware software that scans what they think may be suspicious hosts.
I'll continue to investigate.
Labels: 1&1, blogger.com, clean-up rule, CMS, SCP, unixfool.com, wigglit.com
Tuesday, July 02, 2013
Inbound traffic on source port 80
I haven't checked my firewall logs in awhile, so I decided to do a very quick assessment.
I immediately noticed a pattern of inbound hosts attempting to communicate from source port 80, which is weird, as that's not typically a normal port for non-webservers to communicate on. Web clients typically communicate to destination port 80; the only time port 80 shows up as the source is when a web server is responding to a previous HTTP request from a client. That's not the case here. These connection attempts are being initiated from source port 80, by IPs not normally affiliated with my server.
Here's an example:
Jul 2 08:40:18 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=92.53.126.193 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=21826 PROTO=TCP SPT=80 DPT=64689 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Jul 2 11:15:50 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=77.241.198.20 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=30264 DF PROTO=TCP SPT=80 DPT=8713 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jul 2 11:15:53 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=77.241.198.20 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=323 DF PROTO=TCP SPT=80 DPT=8713 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jul 2 12:17:20 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=172.245.4.168 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=80 DPT=5359 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 2 14:37:01 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=94.23.170.2 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=36510 PROTO=TCP SPT=80 DPT=26429 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Jul 2 14:39:33 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=91.121.9.198 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=43029 PROTO=TCP SPT=80 DPT=30638 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Jul 2 15:02:45 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=213.186.33.5 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=236 ID=35986 PROTO=TCP SPT=80 DPT=11082 WINDOW=536 RES=0x00 ACK SYN URGP=0
Jul 2 17:02:10 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=91.105.235.7 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=40217 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jul 2 17:02:10 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=91.105.235.7 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=40217 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jul 2 17:53:52 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=142.4.208.23 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=TCP SPT=80 DPT=31415 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jul 2 18:15:55 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=199.101.102.66 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=23103 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Almost half of the logged traffic is trying to communicate on source port 80 (of 486 log entries, 218 are source port 80). The traffic is being blocked by the firewall, and what I'm seeing is initiation attempts. This traffic isn't a huge issue, but I'm curious as to what's going on. I've commented on such traffic before, but the amount I'm seeing now is far more than what I'm used to seeing.
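The counting that the CMS post (hits per source from the 1&1 host) and this post (the 218-of-486 source-port-80 share) do by eye, as an added Python example that is not from the blog: it parses the iptables "Clean-up Rule - BLOCKED:" lines, counts by source and destination port, and classifies each record by its TCP flag words. The sample is constructed from lines copied from the two posts plus one unrelated sshd line (203.0.113.7 is a documentation address), with DST left masked as the author masked it.

```python
"""Added example (not from the blog): parse iptables LOG lines of the
'Clean-up Rule - BLOCKED:' form shown above and summarise what was dropped."""
import re
from collections import Counter, defaultdict

# syslog prefix, then the iptables --log-prefix, then the KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?P<prefix>.*?): (?P<fields>IN=.*)$"
)
# iptables prints IP and TCP flag bits as bare words, not KEY=VALUE pairs.
BARE_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_line(line):
    """Fields of one iptables LOG line, or None for any other syslog line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": f"{m['month']} {m['day']} {m['time']}",
           "host": m["host"], "prefix": m["prefix"], "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:                  # IN=eth0, SRC=..., SPT=80, OUT= (empty)
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in BARE_FLAGS:         # DF, SYN, ACK, ...
            rec["flags"].add(tok)
    return rec


def parse_log(text):
    """Parse a syslog extract, skipping lines that are not iptables LOG lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def hits_by_source(records):
    """Blocked hits per source address; a host that keeps bouncing off the
    clean-up rule (like the 1&1 host in the CMS post) floats to the top."""
    return Counter(r["SRC"] for r in records)


def ports_by_source(records):
    """Distinct destination ports per source: many ports from one address
    looks like a sweep, one port hit repeatedly looks like a single service."""
    ports = defaultdict(set)
    for r in records:
        if "DPT" in r:
            ports[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items()}


def source_port_share(records, port=80):
    """(matching, total, fraction) of TCP records whose SPT equals `port`;
    the post's '218 of 486' figure is this computation over its whole log."""
    tcp = [r for r in records if r.get("PROTO") == "TCP"]
    n = sum(1 for r in tcp if r.get("SPT") == str(port))
    return n, len(tcp), (n / len(tcp) if tcp else 0.0)


def classify(rec):
    """Handshake role from the flag words.  'syn-ack' is a reply to a SYN we
    never sent: from SPT=80 that is the shape of SYN-flood backscatter."""
    f = rec["flags"]
    if {"SYN", "ACK"} <= f:
        return "syn-ack"
    if "SYN" in f:
        return "syn"
    if "RST" in f:
        return "rst"
    return "ack" if "ACK" in f else "other"


def roles(records):
    """How many blocked TCP records fall into each classify() bucket."""
    return Counter(classify(r) for r in records if r.get("PROTO") == "TCP")


# Constructed sample: lines copied from the two posts above, plus one unrelated
# sshd line (constructed; 203.0.113.7 is a documentation address) to show that
# non-LOG lines are skipped.  DST stays masked the way the author masked it.
SAMPLE_LOG = """\
Sep 27 21:57:26 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=20101 DF PROTO=TCP SPT=53949 DPT=52300 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:39 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=9603 DF PROTO=TCP SPT=53185 DPT=59347 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 21:57:47 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=74.208.16.118 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=57673 DF PROTO=TCP SPT=63266 DPT=33952 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  2 08:40:18 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=92.53.126.193 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=21826 PROTO=TCP SPT=80 DPT=64689 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Jul  2 11:15:50 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=77.241.198.20 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=30264 DF PROTO=TCP SPT=80 DPT=8713 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jul  2 11:15:53 li7-220 kernel: Clean-up Rule - BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:84:78:ac:0d:79:c1:08:00 SRC=77.241.198.20 DST=abc.def.ghi.klm LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=323 DF PROTO=TCP SPT=80 DPT=8713 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Jul  2 11:16:00 li7-220 sshd[2412]: Accepted publickey for alice from 203.0.113.7 port 50022 ssh2
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits by source:", hits_by_source(recs).most_common())
    print("ports by source:", ports_by_source(recs))
    print("SPT=80 share:", source_port_share(recs))
    print("handshake roles:", dict(roles(recs)))
```

Note the flag words on the source-port-80 lines: ACK SYN, so they are SYN/ACK replies to connections this server never opened, which from port 80 to random high ports is the usual shape of backscatter from a SYN flood that spoofed this server's address.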
I think I'll capture some traffic to try to see what's going on.
EDIT: nothing much captured so far. After some sniffing and tinkering, I had to filter some IPs out (two IPs belong to my server and the other belongs to Ubuntu):
root@li7-220:~# tcpdump -XXvvnne -s 0 -r pcap.linode.src_port_80_2 | less
reading from file pcap.linode.src_port_80_2, link-type EN10MB (Ethernet)
20:56:43.532338 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 112, id 3943, offset 0, flags [none], proto TCP (6), length 44)
190.220.25.34.80 > abc.def.ghi.klm 1234: Flags [S.], cksum 0x36e9 (correct), seq 2466963778, ack 1, win 16384, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 0f67 0000 7006 93a8 bedc 1922 42a0 .,.g..p......"B.
0x0020: 8d1e 0050 04d2 930a e142 0000 0001 6012 ...P.....B....`.
0x0030: 4000 36e9 0000 0204 05b4 0000 @.6.........
UPDATE: I let a pcap capture run overnight and when I checked the process, I got 999 hits. In looking at the pcap, I saw that I'd missed a few Ubuntu server IPs that my server was polling (for OS updates). I filtered those out and got 22 hits:
21:29:53.200175 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44)
206.188.198.69.80 > abc.def.ghi.jkl.31029: Flags [S.], cksum 0x6868 (correct), seq 2068810236, ack 320012289, win 14600, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 0000 4000 3506 e10b cebc c645 42a0 .,..@.5......EB.
0x0020: 8d1e 0050 7935 7b4f 89fc 1313 0001 6012 ...Py5{O......`.
0x0030: 3908 6868 0000 0204 05b4 4001 9.hh......@.
23:44:52.151134 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 44)
109.236.85.70.80 > abc.def.ghi.jkl.15190: Flags [S.], cksum 0x0d4e (correct), seq 3480870608, ack 3571253249, win 14600, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 0000 4000 3206 b5db 6dec 5546 42a0 .,..@.2...m.UFB.
0x0020: 8d1e 0050 3b56 cf79 ded0 d4dd 0001 6012 ...P;V.y......`.
0x0030: 3908 0d4e 0000 0204 05b4 0000 9..N........
23:59:19.278658 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 57, id 3552, offset 0, flags [none], proto TCP (6), length 44)
168.61.144.13.80 > abc.def.ghi.jkl.56871: Flags [S.], cksum 0xeacd (correct), seq 280591713, ack 4171956225, win 16384, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 0de0 0000 3906 6be3 a83d 900d 42a0 .,....9.k..=..B.
0x0020: 8d1e 0050 de27 10b9 7d61 f8ab 0001 6012 ...P.'..}a....`.
0x0030: 4000 eacd 0000 0204 05b4 0000 @...........
01:51:58.488229 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 44)
84.16.89.109.80 > abc.def.ghi.jkl.25420: Flags [S.], cksum 0x1559 (correct), seq 1800765718, ack 3394417182, win 14600, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 0000 4000 3706 c690 5410 596d 42a0 .,..@.7...T.YmB.
0x0020: 8d1e 0050 634c 6b55 8116 ca52 b21e 6012 ...PcLkU...R..`.
0x0030: 3908 1559 0000 0204 05b4 0000 9..Y........
03:57:00.885857 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 118, id 7812, offset 0, flags [DF], proto TCP (6), length 44)
188.138.86.58.80 > abc.def.ghi.jkl.3456: Flags [S.], cksum 0xec7d (correct), seq 689800127, ack 2517303297, win 8192, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 1e84 4000 7606 ab68 bc8a 563a 403e .,..@.v..h..V:@>
0x0020: e7dc 0050 0d80 291d 83bf 960b 0001 6012 ...P..).......`.
0x0030: 2000 ec7d 0000 0204 05b4 0000 ...}........
07:56:45.059391 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 244, id 31356, offset 0, flags [none], proto TCP (6), length 40)
164.177.186.182.80 > abc.def.ghi.jkl.24548: Flags [R.], cksum 0x2305 (correct), seq 1331337029, ack 1, win 5840, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 7a7c 0000 f406 1d2d a4b1 bab6 42a0 .(z|.....-....B.
0x0020: 8d1e 0050 5fe4 4f5a 9745 0000 0001 5014 ...P_.OZ.E....P.
0x0030: 16d0 2305 0000 0000 0000 0000 ..#.........
08:29:11.344433 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 234, id 38305, offset 0, flags [none], proto TCP (6), length 40)
222.231.1.55.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xd717 (correct), seq 3438077857, ack 1, win 5840, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 95a1 0000 ea06 32f5 dee7 0137 403e .(......2....7@>
0x0020: e7dc 0050 04d2 ccec e7a1 0000 0001 5012 ...P..........P.
0x0030: 16d0 d717 0000 0000 0000 0000 ............
08:47:53.958682 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 221, id 14963, offset 0, flags [none], proto TCP (6), length 40)
222.231.1.55.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xf320 (correct), seq 2967725985, ack 1, win 5840, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 3a73 0000 dd06 9b23 dee7 0137 403e .(:s.....#...7@>
0x0020: e7dc 0050 04d2 b0e3 e7a1 0000 0001 5012 ...P..........P.
0x0030: 16d0 f320 0000 0000 0000 0000 ............
09:08:53.303546 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 116, id 26734, offset 0, flags [none], proto TCP (6), length 48)
66.161.44.199.80 > abc.def.ghi.jkl.61773: Flags [S.], cksum 0x0776 (correct), seq 3759141565, ack 2231612163, win 16384, options [mss 1460,nop,nop,sackOK], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0030 686e 0000 7406 9f33 42a1 2cc7 42a0 .0hn..t..3B.,.B.
0x0020: 8d1e 0050 f14d e00f f2bd 8503 b303 7012 ...P.M........p.
0x0030: 4000 0776 0000 0204 05b4 0101 0402 @..v..........
11:57:44.978045 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x2882 (correct), seq 2018622826, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c11 df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 7851 bd6a 0000 0001 5012 ...P..xQ.j....P.
0x0030: 0000 2882 0000 aaaa 0000 2882 ..(.......(.
11:59:10.842293 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0xa070 (correct), seq 2354167082, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 e46d df04 759f 42a0 .(..@.r..m..u.B.
0x0020: 8d1e 0050 a132 8c51 bd2a 0000 0001 5012 ...P.2.Q.*....P.
0x0030: 0000 a070 0000 aaaa 0000 a070 ...p.......p
12:02:08.880498 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x2,ECT(0), ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x28c2 (correct), seq 2018622762, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4502 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c0f df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 7851 bd2a 0000 0001 5012 ...P..xQ.*....P.
0x0030: 0000 28c2 0000 aaaa 0000 28c2 ..(.......(.
12:53:54.286082 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x2594 (correct), seq 2067774826, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c11 df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 7b3f bd6a 0000 0001 5012 ...P..{?.j....P.
0x0030: 0000 2594 0000 aaaa 0000 2594 ..%.......%.
12:55:19.762030 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x5cec (correct), seq 3486891306, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 e46d df04 759f 42a0 .(..@.r..m..u.B.
0x0020: 8d1e 0050 a132 cfd5 bd2a 0000 0001 5012 ...P.2...*....P.
0x0030: 0000 5cec 0000 aaaa 0000 5cec ..\.......\.
13:00:54.393330 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa4fd (correct), seq 4225088874, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c11 df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 fbd5 bd6a 0000 0001 5012 ...P.....j....P.
0x0030: 0000 a4fd 0000 aaaa 0000 a4fd ............
13:05:42.419546 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 240, id 18537, offset 0, flags [none], proto TCP (6), length 40)
195.244.222.208.80 > abc.def.ghi.jkl.3409: Flags [S.], cksum 0xa210 (correct), seq 302051360, ack 857669633, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 4869 0000 f006 b786 c3f4 ded0 403e .(Hi..........@>
0x0020: e7dc 0050 0d51 1200 f020 331f 0001 5012 ...P.Q....3...P.
0x0030: 0000 a210 0000 0000 0000 0000 ............
13:16:03.791551 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 52, id 16141, offset 0, flags [none], proto TCP (6), length 44)
94.23.225.114.80 > abc.def.ghi.jkl.24664: Flags [S.], cksum 0x369d (correct), seq 323364370, ack 533921793, win 16384, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 3f0d 0000 3406 e01a 5e17 e172 403e .,?...4...^..r@>
0x0020: e7dc 0050 6058 1346 2612 1fd3 0001 6012 ...P`X.F&.....`.
0x0030: 4000 369d 0000 0204 05b4 2626 @.6.......&&
13:26:19.398167 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 116, id 33033, offset 0, flags [none], proto TCP (6), length 40)
121.10.105.5.80 > abc.def.ghi.jkl.1234: Flags [.], cksum 0x1c3f (correct), seq 2951871426, ack 788062144, win 8760, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 8109 0000 7406 13f9 790a 6905 42a0 .(....t...y.i.B.
0x0020: 8d1e 0050 04d2 aff1 fbc2 2ef8 dfc0 5010 ...P..........P.
0x0030: 2238 1c3f 0000 aaaa 2238 1c3f "8.?...."8.?
13:35:52.715311 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa2a5 (correct), seq 4264410474, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c11 df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 fe2d bd6a 0000 0001 5012 ...P...-.j....P.
0x0030: 0000 a2a5 0000 aaaa 0000 a2a5 ............
13:37:20.082116 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x2295 (correct), seq 170769706, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 e46d df04 759f 42a0 .(..@.r..m..u.B.
0x0020: 8d1e 0050 a132 0a2d bd2a 0000 0001 5012 ...P.2.-.*....P.
0x0030: 0000 2295 0000 aaaa 0000 2295 ..".......".
14:03:05.415420 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 9949, offset 0, flags [none], proto TCP (6), length 44)
69.20.56.19.80 > abc.def.ghi.jkl.48972: Flags [S.], cksum 0x1c7d (correct), seq 1191661700, ack 1191661700, win 16384, options [mss 1460], length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 002c 26dd 0000 3706 100a 4514 3813 42a0 .,&...7...E.8.B.
0x0020: 8d1e 0050 bf4c 4707 5084 4707 5084 6012 ...P.LG.P.G.P.`.
0x0030: 4000 1c7d 0000 0204 05b4 0000 @..}........
14:35:45.494119 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 232, id 40546, offset 0, flags [none], proto TCP (6), length 40)
222.231.1.199.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xaea0 (correct), seq 1770244942, ack 1, win 5840, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 9e62 0000 e806 8400 dee7 01c7 42a0 .(.b..........B.
0x0020: 8d1e 0050 04d2 6983 cb4e 0000 0001 5012 ...P..i..N....P.
0x0030: 16d0 aea0 0000 0000 0000 0000 ............
Each is a SYN packet...the firewall is blocking any further activity (at the catch-all/deny-all rule).
I did notice a pattern, though:
root@li7-220:~# cat test3.txt | grep "1234"
222.231.1.55.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xd717 (correct), seq 3438077857, ack 1, win 5840, length 0
222.231.1.55.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xf320 (correct), seq 2967725985, ack 1, win 5840, length 0
121.10.105.5.80 > abc.def.ghi.jkl.1234: Flags [.], cksum 0x1c3f (correct), seq 2951871426, ack 788062144, win 8760, length 0
222.231.1.199.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xaea0 (correct), seq 1770244942, ack 1, win 5840, length 0
root@li7-220:~# cat test3.txt | grep "41266"
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0xa070 (correct), seq 2354167082, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x5cec (correct), seq 3486891306, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x2295 (correct), seq 170769706, ack 1, win 0, length 0
root@li7-220:~# cat test3.txt | grep "54404"
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x2882 (correct), seq 2018622826, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x28c2 (correct), seq 2018622762, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0x2594 (correct), seq 2067774826, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa4fd (correct), seq 4225088874, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa2a5 (correct), seq 4264410474, ack 1, win 0, length 0
As well, in the below instances, the source host is the same. The packets are maybe 2 min apart (this is a sequential set of packets). The destination ports are different:
13:35:52.715311 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa2a5 (correct), seq 4264410474, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 8c11 df04 759f 403e .(..@.r.....u.@>
0x0020: e7dc 0050 d484 fe2d bd6a 0000 0001 5012 ...P...-.j....P.
0x0030: 0000 a2a5 0000 aaaa 0000 a2a5 ............
13:37:20.082116 84:78:ac:0d:79:c1 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 114, id 0, offset 0, flags [DF], proto TCP (6), length 40)
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x2295 (correct), seq 170769706, ack 1, win 0, length 0
0x0000: fefd 403e e7dc 8478 ac0d 79c1 0800 4500 ..@>...x..y...E.
0x0010: 0028 0000 4000 7206 e46d df04 759f 42a0 .(..@.r..m..u.B.
0x0020: 8d1e 0050 a132 0a2d bd2a 0000 0001 5012 ...P.2.-.*....P.
0x0030: 0000 2295 0000 aaaa 0000 2295 ..".......".
Someone is scanning my server and purposely using source port 80 when attempting deliberate (and distributed) scans. If I had the balls to run a honeypot, I could probably gain a better understanding of what type of scans are being conducted.
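To pull the pattern above out of a capture automatically instead of grepping port by port, here is an added example (my code, not from the post): it parses tcpdump's one-line TCP summaries, groups them by source host, and flags sources that send SYN-ACKs from port 80 with a constant "ack 1", which a real web server answering one of our SYNs would never do. The sample input is constructed from the summary lines quoted in the post; the local address is masked as in the post.

```python
"""Group unsolicited TCP replies from a tcpdump capture by source host.

Added example, not code from the original post. Only the one-line
summaries are parsed; timestamp headers and hex-dump lines are skipped.
"""
import re
from collections import defaultdict

# Constructed sample input in the format of the post's capture.
SAMPLE = """\
223.4.117.159.80 > abc.def.ghi.jkl.54404: Flags [S.], cksum 0xa2a5 (correct), seq 4264410474, ack 1, win 0, length 0
223.4.117.159.80 > abc.def.ghi.jkl.41266: Flags [S.], cksum 0x2295 (correct), seq 170769706, ack 1, win 0, length 0
69.20.56.19.80 > abc.def.ghi.jkl.48972: Flags [S.], cksum 0x1c7d (correct), seq 1191661700, ack 1191661700, win 16384, options [mss 1460], length 0
222.231.1.199.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xaea0 (correct), seq 1770244942, ack 1, win 5840, length 0
222.231.1.55.80 > abc.def.ghi.jkl.1234: Flags [S.], cksum 0xd717 (correct), seq 3438077857, ack 1, win 5840, length 0
121.10.105.5.80 > abc.def.ghi.jkl.1234: Flags [.], cksum 0x1c3f (correct), seq 2951871426, ack 788062144, win 8760, length 0
"""

# "src.sport > dst.dport: Flags [..]" -- the greedy [\w.]+ backtracks so the
# last dotted component becomes the port.
LINE_RE = re.compile(
    r"^\s*(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
FIELD_RE = re.compile(r"\b(seq|ack|win) (\d+)")


def parse_line(line):
    """Return a dict for one tcpdump TCP summary line, or None for any
    other line (timestamp header, hex dump, shell prompt)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags"), "seq": None, "ack": None, "win": None,
    }
    for name, value in FIELD_RE.findall(line):
        pkt[name] = int(value)
    return pkt


def summarize(text):
    """Per source host: packet count, our ports touched, the source ports,
    the TCP flag combinations seen and the set of ack numbers used."""
    hosts = defaultdict(lambda: {"packets": 0, "dports": set(), "sports": set(),
                                 "flags": set(), "acks": set()})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        h = hosts[pkt["src"]]
        h["packets"] += 1
        h["dports"].add(pkt["dport"])
        h["sports"].add(pkt["sport"])
        h["flags"].add(pkt["flags"])
        h["acks"].add(pkt["ack"])
    return dict(hosts)


def unsolicited_synack_sources(text):
    """Sources whose packets are all SYN-ACKs ([S.] in tcpdump) from port 80
    carrying ack 1. A server only sends SYN-ACK in reply to a SYN, and its
    ack would be our initial sequence number plus one, never a constant 1,
    so these are crafted. A deny-all rule already drops them; logging them
    per source shows how many of our ports one host is probing."""
    flagged = []
    for src, h in summarize(text).items():
        if h["sports"] == {80} and h["flags"] == {"S."} and h["acks"] == {1}:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, h in sorted(summarize(SAMPLE).items()):
        print(f"{src:<16} packets={h['packets']} dports={sorted(h['dports'])} "
              f"flags={sorted(h['flags'])} acks={sorted(h['acks'])}")
    print("crafted SYN-ACK sources:", unsolicited_synack_sources(SAMPLE))
```

Feed it `tcpdump -nn` output (or the saved text file from the post) on stdin or via `summarize(open(path).read())`; the hex-dump lines from `-XX` are ignored.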
Thursday, June 20, 2013
Possible Malware Infection on Home System
So, I've a potential malware infection on a host within my home LAN. It is a Windows 7 system. Before anyone ridicules the choice of Windows, let it be known that it is rather easy to secure a Windows system from a lot of malware. Really. And in my line of work, I've seen many non-Windows systems compromised, so my view is entirely different from that of the typical *nix zealots out there. If you aren't already aware, I tend to be highly objective when it comes to OS ideology. I'm not going to be open to discussing things if the first shared thought is, "why are you using Windows?" I'm not for the "down with the man" mentality.
Now, about this issue. Here are the current symptoms:
McAfee AV is installed. It was found to not be running when I first began to investigate. I reactivated it last night, did a quick scan (no issues detected) and then did a full scan (no issues detected).
I also ran MalwareBytes. It didn't find anything other than some cookies that it suggested to be removed (I removed them).
I also ran both AdAware and Spybot: Search and Destroy. Both found some spyware-related things that I removed. They didn't find anything with high severity.
I also ran the MS malicious software removal tool (it didn't detect any issues).
I did all this yesterday evening and finished around 8PM.
I also have Snort sniffing traffic on the LAN. It is detecting some rather weird traffic. It is seeing the Win7 system trying to communicate with a Linux host on port 137 (the Linux host is refusing the attempts). Also, if I do a tcpdump to see any traffic coming from the Win7 machine, I see the Win7 machine connecting to each Linux server on the LAN on port 80. What's odd about that is that it seems to have focused purely on the Linux machines, and each and every machine it connects to actually has Apache running. I've seen no service scans (or any other scans).
This morning, I decided to check the Snort logs and saw that the activity stopped occurring after my "fix" last night, but that it started up again at 2:44AM this morning. When I checked the Win7 host, McAfee wasn't running. I couldn't restart it (it was unresponsive). I did another MWB scan, which didn't detect anything. I checked the system logs and didn't see anything other than a lot of DNS errors (that may be indicative of anti-antivirus activity). I then went to the McAfee AV home page to get a status of my system and saw that the status was, "This device needs to be online to get the latest protection updates." Weird, especially since I've no indication that the system isn't online.
I decided to search the McAfee pages to see what solutions they offer (free solutions). Right off the bat, I saw that the only thing they offer is a $90 removal service...WTH. Their product let the machine get compromised, then they want to charge an additional $90 for removal (and no other free offerings). That seems hokey. I never had this problem with Norton/Symantec.
At this point, I'm probably going to reinstall the system with its factory image. This is the first time in a very long time (I'm talking 10+ years) that I've had to reimage due to malware on a Windows system. I've other systems in the house running Windows, and some have NO 3rd-party AV (my Alienware system is running Win8 and it's using Windows Defender without issue).
I'll keep this post updated with any other information I discover over the next few days.
UPDATE - I've found some free tools -- http://www.mcafee.com/us/downloads/free-tools/
UPDATE 2 - I've conducted some scans using the free tools and I'm still not able to find anything. I'm wondering if the activity I've observed is actually part of their host discovery toolset...that sorta makes sense. If only I could get some type of verification on this from a McAfee rep, or maybe find some document that describes how the host discovery system works and how it would look from a network security perspective. But all that still wouldn't explain why the AV keeps disabling in the middle of the night...
FINAL UPDATE - Issue resolved. After investigating further, I found that there was no infection. Two things were occurring: 1) I've found that the AV services appear to be polling for services (network discovery - Symantec/Norton has this feature as well), 2) the self-update process had hung, which was causing the AV shutdowns. Once I removed the existing version and got the latest, I found that there was a drastic difference between the two versions. As well, the account portal had changed. The fact that there was a major client upgrade may've broken communication with the account portal (that began working once I upgraded manually). When this subscription is up, I'll either use Windows Defender or use one of my existing Symantec licenses to install that AV onto the system...not liking the McAfee AV experience. :/
Labels:
antivirus,
AV,
compromise,
linux,
malwarebytes,
McAfee,
MWB,
system logs,
Window 7,
Windows Defender
Friday, May 31, 2013
Bought a Managed Switch
So, I bought the above switch. It is a TP-Link TL-SG3216 16-Port Gigabit managed switch. I got tired of my rat's nest connected to several hubs. I used hubs because I wanted a cheap way of sniffing network traffic (for my lab, which isn't really isolated from the rest of the network).
Well, I should've done this a LONG time ago, but I'm not sure if such equipment would've been more expensive 4-5 years ago.
I could've settled for an unmanaged switch, but I wanted port mirroring capability, as well as a slew of other options (gigabit speed, for example). It took me a long time to find a switch that had everything I wanted. This switch is actually a home/SOHO switch. I like the management interface (unlike a lot of Netgear's switches, you're not stuck with having to use a Windows machine to access the switch). It is fully configurable. I've never managed an L2 switch before, so this will also be a learning experience for me (I can study up on how to set up VLANs). I can manage it via CLI as well, using an SSH shell or console port (it comes with console port cabling).
This switch wasn't cheap (wasn't expensive, either). I found it on Amazon for $180...that's the cheapest I found it.
So, I unplugged everything from my two hubs (an 8-port and a 4-port) and plugged them into the new switch. I'm actually using 10 of the 16 ports (I was able to remove the two link cables that attached the hubs to the gateway, so I freed up some cabling and ports in upgrading to a managed L2 switch). Still, I'm using half of the ports already. It makes me wonder if I should've gone bigger, but this was as big as my wallet allowed at the time. If I find I need more ports later, I can always buy an 8-port TP-Link, I guess.
I'll begin to set up port mirroring soon. I'll be mirroring all used ports (9). I believe this switch is capable of mirroring 15 ports to one port. I'll be able to cover almost every part of my network, with the exception of my Powerline connections (there's 3 of these). I won't be able to monitor those because the main adapter has to be plugged into the gateway router, which I won't be managing. And if/when I connect my gaming system into the switch, that will eat up another port. I might have to order another switch sooner than I think. :/
Labels:
16-Port,
Amazon.com,
gigabit,
hub,
managed,
port mirroring,
Powerline,
switch,
TL-SG3216,
TP-Link
Wednesday, May 01, 2013
Millions of WordPress sites exploitable for DDoS Attacks using Pingback mechanism
http://thehackernews.com/2013/05/millions-of-wordpress-sites-exploitable.html
Over the weekend, Incapsula mitigated a unique DDoS attack against a large gaming website, in which they have discovered a DDoS attack using thousands of legitimate WordPress blogs without the need for them to be compromised.
This article also mentions another recent report, released by them (The Hacker News), involving another method of DDoS attack using DNS amplification as a method of attack.
I've been testing out WordPress on my 1and1.com virtual server and it is pretty locked down...I've still had at least one compromise (someone uploaded php-based exploit code onto the server via a plugin, which I've since removed). WordPress constantly gets attacked and even though I'm running extra layers of security, it's taking 100% of my attention to ensure that nothing is amiss...it takes the fun out of administrating a CMS, IMO. :/
Wednesday, April 17, 2013
ACLU files complaint with FTC over older Android software
http://tinyurl.com/cqj67ds
The American Civil Liberties Union filed a federal complaint Tuesday accusing the nation’s largest wireless carriers of “deceptive” business practices for failing to keep the software on tens of millions of Android smartphones updated — a shortcoming that can make the devices vulnerable to hackers.
The ACLU has a point. As a person who has been an Android user the last 2+ years, I believe I've seen *maybe* 3 (more than likely 2) OS updates on my Thunderbolt (and NONE for my SGN2, so far). One was to disable free hotspots. I find it hard to believe that there were little to no Android updates in that time span (especially security-related updates). Verizon is my carrier and I hold them responsible. Yes, they pushed out ICS to my Thunderbolt right before it went out-of-contract, but that push actually made the phone run worse, and I was forced into the update (I wasn't asked)...being forced into an untested update broke my phone.
The carriers need to do a better job of handling updates. They also need to ensure they're periodically pushing security updates, because Android's security posture is horrendous. Google sells its own devices and pushes updates to them without issue, but the carriers never act in a timely fashion when Google pushes those updates to them...it's like they vanish into a black hole. :/
Wednesday, April 03, 2013
My Book Live - Connection Issues and Troubleshooting
I've been noticing issues with my NAS solution, which is a Western Digital My Book Live Personal Cloud Edition.
I keep losing connectivity after 5 or so minutes of connecting to the NAS via the web-based console or accessing it as a mapped drive. I'd get the message:
30001 - Your last operation timed out. Make sure there are no network connectivity issues and try again.
I used Google to attempt to find a solution, but all I see is shared pain.
I did find a way to log into the device's command line. Here's what I did:
- I put "http://[ip of your MBL NAS]/UI/ssh" into my browser's address bar.
- Clicked the "enable" button.
- Shelled into the NAS using Putty and "root/welc0me" as a username/password.
Once I logged in, I immediately began to run 'top' because I knew I'd lose the session after 5 or so minutes and wouldn't be able to log in again unless I power-cycled the NAS. I noticed that Twonky appeared to hog CPU cycles, so I went to the web GUI and disabled it. Then I watched top again. The load averages were a bit high before I disabled Twonky (in the 7.xx range as a first number). I watched them drop to the mid-4s, then they started rising again. Top wasn't telling me anything, though.
I watched the load average rise to 22.xx before the terminal session showed signs of degrading to the point that it stopped taking input.
login as: root
root@xxx.xxx.xxx.xxx's password:
Linux MyBookLive 2.6.32.11-svn70860 #1 Thu May 17 13:32:51 PDT 2012 ppc
Disclaimer: SSH provides access to the network device and all its
content, only users with advanced computer networking and Linux experience
should enable it. Failure to understand the Linux command line interface
can result in rendering your network device inoperable, as well as allowing
unauthorized users access to your network. If you enable SSH, do not share
the root password with anyone you do not want to have direct access to all
the content on your network device.
MyBookLive:~# w
22:37:58 up 2 min, 1 user, load average: 5.03, 1.54, 0.54
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 1.00s 0.05s 0.03s w
MyBookLive:~# w
22:38:10 up 2 min, 1 user, load average: 5.85, 1.89, 0.67
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.04s 0.02s w
MyBookLive:~# w
22:38:18 up 2 min, 1 user, load average: 6.11, 2.07, 0.74
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.04s 0.02s w
MyBookLive:~#
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# top
top - 22:39:10 up 3 min, 1 user, load average: 7.44, 3.06, 1.14
Tasks: 97 total, 1 running, 96 sleeping, 0 stopped, 0 zombie
Cpu(s): 31.9%us, 17.4%sy, 41.8%ni, 0.0%id, 6.6%wa, 0.3%hi, 2.0%si, 0.0%st
Mem: 253632k total, 242432k used, 11200k free, 41280k buffers
Swap: 500608k total, 42560k used, 458048k free, 52736k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4429 root 21 1 21504 8192 3456 S 43.6 3.2 0:45.39 twonkymediaserv
3936 www-data 4 -16 72704 30m 20m S 11.6 12.4 0:01.09 apache2
3327 www-data 4 -16 76160 31m 19m S 5.6 12.6 0:02.37 apache2
3809 www-data 4 -16 72704 33m 23m S 5.6 13.6 0:03.08 apache2
3326 www-data 4 -16 74944 26m 16m S 1.7 10.7 0:03.34 apache2
3829 www-data 4 -16 66624 23m 16m S 1.3 9.7 0:01.50 apache2
4156 www-data 4 -16 69248 25m 17m S 1.3 10.3 0:00.30 apache2
5071 root 4 -16 5056 3136 2304 D 1.0 1.2 0:00.03 getServiceStart
4639 root 39 19 5120 3264 1920 D 0.7 1.3 0:03.12 ls
4641 root 39 19 3776 1792 1344 S 0.7 0.7 0:00.77 tally
4821 root 20 0 5056 3008 1920 R 0.7 1.2 0:00.34 top
5067 root 4 -16 5056 3136 2304 D 0.7 1.2 0:00.02 getServiceStart
2230 root 20 0 31424 3264 2048 S 0.3 1.3 0:00.19 rsyslogd
2385 root 20 0 0 0 0 D 0.3 0.0 0:00.28 jbd2/sda4-8
4405 root 20 0 57280 7552 2816 S 0.3 3.0 0:00.94 forked-daapd
4640 root 39 19 4480 1856 1344 S 0.3 0.7 0:00.48 awk
1 root 20 0 4352 1984 1600 S 0.0 0.8 0:00.82 init
MyBookLive:~#
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# w
22:39:15 up 3 min, 1 user, load average: 7.24, 3.09, 1.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 1.00s 0.04s 0.02s w
MyBookLive:~# w
22:39:16 up 3 min, 1 user, load average: 7.24, 3.09, 1.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.03s 0.01s w
MyBookLive:~# w
22:39:19 up 3 min, 1 user, load average: 7.22, 3.16, 1.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 1.00s 0.04s 0.02s w
MyBookLive:~# w
22:39:20 up 3 min, 1 user, load average: 7.22, 3.16, 1.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.03s 0.01s w
MyBookLive:~# w
22:39:25 up 3 min, 1 user, load average: 7.36, 3.25, 1.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 2.00s 0.04s 0.02s w
MyBookLive:~# w
22:39:32 up 3 min, 1 user, load average: 7.09, 3.26, 1.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.05s 0.02s w
MyBookLive:~# w
22:39:39 up 3 min, 1 user, load average: 6.62, 3.29, 1.28
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.04s 0.01s w
MyBookLive:~# w
22:40:17 up 4 min, 1 user, load average: 5.75, 3.43, 1.40
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 1.00s 0.05s 0.02s w
MyBookLive:~# w
22:40:24 up 4 min, 1 user, load average: 5.79, 3.52, 1.45
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.05s 0.02s w
MyBookLive:~# w
22:40:35 up 4 min, 1 user, load average: 6.11, 3.66, 1.52
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 1.00s 0.05s 0.01s w
MyBookLive:~# w
22:40:46 up 4 min, 1 user, load average: 5.85, 3.69, 1.55
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.05s 0.01s w
MyBookLive:~# w
22:41:00 up 5 min, 1 user, load average: 5.44, 3.70, 1.59
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.05s 0.01s w
MyBookLive:~# w
22:41:54 up 5 min, 2 users, load average: 4.65, 3.75, 1.73
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 0.00s 0.06s 0.02s w
root pts/1 ron-alien.home 22:41 21.00s 0.17s 0.15s top
MyBookLive:~# w
22:42:48 up 6 min, 2 users, load average: 4.90, 3.93, 1.89
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 2.00s 0.09s 0.04s w
root pts/1 ron-alien.home 22:41 1:15 0.50s 0.48s top
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# w
22:43:11 up 7 min, 2 users, load average: 5.26, 4.09, 1.99
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 ron-alien.home 22:37 2.00s 0.07s 0.02s w
root pts/1 ron-alien.home 22:41 1:39 0.66s 0.64s top
MyBookLive:~# w
Then there is this:
Something isn't quite right with this NAS, but it's going to take awhile to figure out what's going on. Also, it responds well to pings, even if the SSH session is dead and won't recover. And I still have to back it up. I think I've 378GB of data on it (that's crucial...like once-in-a-lifetime types of pictures).
I don't think the drives are bad, but it may be too early to say that. I've never seen bad drives ramp up load averages like that.
The drive is out of warranty and I'm a bit upset that what's touted as a top-notch home NAS is having such issues, especially considering that it's a WD product.
I'll update this post when/if I've more findings on this issue.
EDIT: I just checked again after posting and, while the shells aren't dead, they are very slide-show-like. I checked the load average and it's dropped to 12.94.
EDIT 2: I got tired of waiting for "apachectl stop" to finish and I think it was actually hung, so I did a "killall -9 apache2" which immediately brought the load down. The load is currently at 1.09 and has been around that the last 20 minutes. So, it's apache that's killing the NAS. Note that I tested to see if I could reach the NAS shares in a conventional manner (ie, non-shell or without apache) and was able to reach the shares without issue. I may keep apache off for the duration (unless I need to access the control panel).
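One reason top "wasn't telling me anything" in the session above: on Linux the load average counts tasks in uninterruptible sleep (state D, normally blocked on disk I/O, and the top output shows ls, jbd2 and getServiceStart in that state) as well as runnable ones, so load can climb while the %CPU column stays flat. Here is an added example of mine (not from the post or Western Digital) that samples /proc/loadavg alongside the D-state processes and where in the kernel each is blocked; it assumes the standard Linux /proc layout, and proc_root is a parameter only so it can be pointed at a copy for offline testing.

```python
"""Sample load average together with uninterruptible (D-state) tasks.

Added example, not code from the original post. A process stuck in D
state adds one to the load average without using CPU, which is the gap
between what `w` reported and what `top`'s %CPU column showed.
"""
import os
import time


def parse_loadavg(text):
    """Parse the /proc/loadavg line, e.g. '7.44 3.06 1.14 1/97 5071'."""
    one, five, fifteen, sched, _last_pid = text.split()
    runnable, total = sched.split("/")
    return {"1m": float(one), "5m": float(five), "15m": float(fifteen),
            "runnable": int(runnable), "total": int(total)}


def parse_stat(text):
    """Parse /proc/<pid>/stat. The command name sits in parentheses and may
    itself contain spaces or ')', so split on the last ')'."""
    head, _, tail = text.rpartition(")")
    pid_str, comm = head.split("(", 1)
    return {"pid": int(pid_str), "comm": comm, "state": tail.split()[0]}


def procs_in_state(state="D", proc_root="/proc"):
    """Return sorted [(pid, comm, wchan)] for tasks in the given state.
    wchan is the kernel function the task sleeps in (empty if unreadable)."""
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "stat")) as f:
                st = parse_stat(f.read())
        except OSError:          # task exited between listdir() and open()
            continue
        if st["state"] != state:
            continue
        wchan = ""
        try:
            with open(os.path.join(proc_root, name, "wchan")) as f:
                wchan = f.read().strip()
        except OSError:
            pass
        found.append((st["pid"], st["comm"], wchan))
    return sorted(found)


def sample(proc_root="/proc"):
    """One observation: (load average dict, list of D-state tasks)."""
    with open(os.path.join(proc_root, "loadavg")) as f:
        load = parse_loadavg(f.read())
    return load, procs_in_state("D", proc_root)


if __name__ == "__main__":
    # Like running `w` in a loop, but also naming what is stuck in I/O.
    while True:
        load, blocked = sample()
        print(f"load {load['1m']:.2f} {load['5m']:.2f} {load['15m']:.2f}  "
              f"runnable {load['runnable']}/{load['total']}  "
              f"D-state {len(blocked)}")
        for pid, comm, wchan in blocked:
            print(f"  {pid:>6} {comm:<16} {wchan}")
        time.sleep(5)
```

If the D-state list is dominated by one daemon's workers (here Apache and the jbd2 journal thread for the data partition), the disk, not the CPU, is the bottleneck to investigate.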
Thursday, February 21, 2013
NBC site redirecting to Exploit kit
NBC's website appears to be redirecting to an exploit kit
https://isc.sans.edu/diary/NBC+site+redirecting+to+Exploit+kit/15223
I saw Brian Krebs' twitter page mention this earlier this morning. A few friends also mentioned it on Facebook.
Crazy...older attack vector (iframes)...still working.
Mandiant APT2 PDF Malware
That didn't take long at all.
http://blog.9bplus.com/mandiant-apt2-report-lure
https://threatpost.com/en_us/blogs/spear-phishing-campaigns-use-fake-mandiant-apt1-report-lure-022113
http://www.symantec.com/connect/blogs/malicious-mandiant-report-circulation
So, I got a notification from corporate security that there was a piece of malware around that is taking advantage of the popularity of Mandiant's APT1 report. That's a huge deal, but one should really be checking downloads against Mandiant's posted MD5s anyway.
Bottom-line: do not open it (verify the PDF if you can...if you can't, don't open it).
I've reported it to ISC.
Wednesday, February 20, 2013
Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators
Read more below. It's pretty much mandatory reading for the IT security person. Interesting facts, and it may well help you test your employees (for spear-phishing) and/or lock down your network. This is probably the IT security news of the year...I'm scared to see anything that could top this.
https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/?utm_source=rss&utm_medium=rss&utm_campaign=mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
UPDATE:
I wanted to add my opinions to this post.
I'm a subscriber to Richard Bejtlich's TaoSecurity blog. If you're not aware, he's the CSO of Mandiant. He has my utmost respect because he is the CSO of a security firm and is still a hands-on person (read his blog to see what level of content he provides on a normal basis). He also attends SANS events and is a trainer. He understands network security monitoring as no one else does -- I broke into the IT security industry by accepting a network security monitoring position, and can relate to a lot of what he prints/states regarding a lot of his topics regarding NSM. I've purchased (and read) at least one of his books. I follow his Twitter posts. I'm familiar with his experience within the civilian and federal IT security sectors. I can relate to a lot of what he states (not saying I'm at the same level, but he's certainly a mentor of mine).
He has been very vocal about APTs for the last 4-5 years. Even without reading all the headlines and internet news (or the report itself), it's very obvious that he was watching APTs well before the recent APT1 report. Many people seem to think that he was over-zealous in the release of such data. They think he is confirming that the culprit is China and is state-sponsored. What I'm seeing is that he's providing the data that supports the claim, but isn't outright claiming it. Whether this was state-sponsored or not, it will be extremely difficult to prove who was behind the attacks. In most cases, if the attack isn't linked to a certain ideological group (e.g., Anonymous) and that group isn't publicly acknowledging that they were responsible for the attack, a company will have an extremely difficult time proving the actual culprit with 100% accuracy.
I think Mandiant did a very good job in providing the extreme details regarding APT1. I think that the details show that it is highly unlikely that the responsible party is not originating from China. IP addresses alone don't prove their case, but they definitely went above and beyond in showing that there's data besides IP addresses that supports the idea that the Chinese government is somehow involved (or, at the very least, aware). There are only two unlikely alternative scenarios (and one of them was mentioned in the report): there is a non-government-sponsored group at the same location as APT1 that is responsible for the cyber-espionage incidents (mentioned in the report); or, APT1's network has been compromised by outside entities (outsiders are using their tools to attack financial, government, and news organizations). Both of those are highly unlikely, especially when factoring in the data of the Mandiant report.
My main thought is that if the organizations that were previously attacked had shared their information regarding their cyber-attacks, the IT sector would've benefited greatly and at least been aware of how to harden their employees and architecture. It may not have stopped the attacks outright, but it certainly would've lessened the success of the methods that APT1 used in compromising networks. Some security experts think that Mandiant made unconfirmed claims. They did the best they could while still trying to determine the culprit...I challenge any other security firm to do the same. Others think that they should've consulted the US government first, but I think all that would've done was mire the whole thing in typical bureaucratic red tape. Some think that he has a hard-on for China -- this may or may not be true, but every real or couch security professional I know of has had some brush with anomalous and/or malicious packets from China...the fact that Mandiant provided a literal ton of detail to support the report is a plus, in my opinion.
They did good and I hope to see more of such reports in the future, whether it's from Mandiant or other companies.
Update 2:
A follow-up article, posted after the Mandiant report was posted:
http://www.securityweek.com/china-cybervictim-claims-red-herring-analysts
Friday, February 15, 2013
Facebook Computers Compromised - 0 Day Java Exploit
Facebook computers compromised by zero-day Java exploit
http://tinyurl.com/cwmvxrv
https://t.co/M46qJAiH
I'm still reading up on it but wanted to put it out there ASAP!
Labels:
0 day,
compromise,
exploit,
facebook,
Java,
vulnerability
Thursday, February 14, 2013
Obama's cybersecurity executive order: What you need to know.
Embargoed until the delivery of the State of the Union address, US President Obama signed the expected and highly anticipated cybersecurity executive order. With potentially serious implications for US and foreign citizens' privacy, here's what you need to know.
Read more here.
Labels:
cyber-attack,
cybersecurity,
executive order,
Obama,
privacy
Tuesday, February 12, 2013
Iptables and Blocking by Region
I'm tired of seeing certain network ranges always peppering my linux server, so I'm going to experiment with blocking via region. I've seen several hints/tips but I want to do this with the server not taking too much of a hit. Note that I'm mainly concerned with traffic that I typically allow, such as port 80. I could block via apache, which may well work, but I also want to investigate using iptables.
So far, I've found:
- http://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
- http://www.parkansky.com/china.htm
- http://www.webhostingtalk.com/showthread.php?t=1146401 (and http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/)
- I could possibly use tcpwrappers as well, but I'm not sure tcpwrappers can handle the amount of ranges I want to block.
Solution #1 seems a bit too hackish. As well, the server may take a performance hit if I decide to drop more than one region (China's netranges are broad enough as it is).
Solution #2 might not be so bad, as it leverages the htaccess function. I've no idea how performance-intensive this method is, but it may be worth looking into. A con is that I also run a mail server...this method won't work for mail.
Solution #3 looks good. This method uses iptables and ipset. Ipset lessens the performance hit when blocking thousands of IPs.
So, before hitting the bed, I decided to give solution #3 a shot. I immediately found that the tutorial is out-of-date (it caters to Ubuntu 10.04...I'm using 12.04). I'm attempting to work through it by leveraging the manual pages and 'ipset info', but I'm running into kernel errors such as the following:
root@li7-220:~# ipset create feckoff hash:ip
ipset v6.11: Kernel error received: Invalid argument
I do not have full control over my host (it is running on a Linode, and the modules are locked down). I may not be able to use this, but I'll continue to investigate.
EDIT: Well, I'll be damned! I got the command to take. I had to select a more current kernel to boot up (I was using a deprecated Linode kernel). I guess I should check that more often. I'll continue this exercise tomorrow...I just have to ensure I've bookmarked all my reference sites.
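Here is how solution #3 can be put together end to end, as an added example that is not code from the post or from the linked tutorials. It builds the set from a plain text list of ranges, probes for the kernel support whose absence produced the "Invalid argument" error above, and attaches the set to iptables; the set name "blockregion" and the input file format (one IP or CIDR per line, '#' comments allowed) are my own assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumptions: set name "blockregion",
# input file with one IP or CIDR per line and optional '#' comments.

# Turn a text file of ranges into 'ipset restore' input. The output is plain
# text, so it can be reviewed (or diffed against the last run) before loading.
# hash:net is used instead of the post's hash:ip because region lists are CIDR
# ranges; hash:ip only accepts single addresses.
build_ipset_restore() {
    file="$1"; setname="${2:-blockregion}"
    echo "create $setname hash:net family inet hashsize 4096 maxelem 65536"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | sort -u \
      | while read -r net; do
            echo "add $setname $net"
        done
}

# "Kernel error received: Invalid argument" means the running kernel has no
# usable ip_set support; probe with a throwaway set before loading thousands
# of entries.
ipset_supported() {
    ipset create __probe hash:net 2>/dev/null && ipset destroy __probe
}

# Load the set and attach it to INPUT once (needs root). Matching is a single
# hash lookup, so the rule costs about the same for ten ranges or ten thousand.
# The rule covers every port, so it also protects the mail server, not just
# port 80; -I puts it ahead of any existing ESTABLISHED/RELATED rule.
apply_blocklist() {
    file="$1"; setname="${2:-blockregion}"
    ipset_supported || { echo "ipset not usable on this kernel" >&2; return 1; }
    build_ipset_restore "$file" "$setname" | ipset -exist restore || return 1
    iptables -C INPUT -m set --match-set "$setname" src -j DROP 2>/dev/null \
      || iptables -I INPUT -m set --match-set "$setname" src -j DROP
}

# Usage (as root): apply_blocklist /etc/blockregion.txt
```

Re-running apply_blocklist after editing the list only adds new entries (the -exist flag ignores duplicates); ranges removed from the file stay in the set until it is flushed or rebuilt.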
Monday, February 11, 2013
U.S. said to be target of massive cyber-espionage campaign
http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html
Well, what took them so long to notice this?
Here's another article, as well:
In a world of cybertheft, U.S. names China, Russia as main culprits
http://www.washingtonpost.com/world/national-security/us-cyber-espionage-report-names-china-and-russia-as-main-culprits/2011/11/02/gIQAF5fRiM_singlePage.html?tid=obinsite
Labels:
APT,
China,
cyber-attack,
cyber-espionage,
cyber-theft,
national security,
Russia
Monday, January 28, 2013
Alienware TactX Mouse - Replaced
My Alienware TactX mouse has been acting weird lately. It has been acting erratic. If I move it slowly to the left, it warps to the left or may not move at all. I think the cord has a short in it, creating an intermittent connection. It is not the mousepad, nor the DPI settings. I used a standard Dell mouse (laser mouse with multiple DPI settings) and it works fine. Sometimes the TactX mouse works fine, other times it doesn't.
I've e-mailed Alienware support, as there's an entry in their online knowledgebase that directs the user to try certain things and if they're still having issues, to e-mail them with the issue that's being experienced. The mouse is less than a year old (it is still under warranty). I was hoping they'd respond and replace the mouse, but they haven't responded. I'm not sure the issue will even be fixed, as I think it's a design issue that won't be fixed by just replacing the mouse with a new one that still has the faulty part.
The TactX mouse is soooo damned nice, but it needs to live longer than a year for users to be happy. This isn't an issue that I'm only experiencing, either. I saw many complaints when searching Google and my favorite Alienware forums.
I replaced the TactX with a Logitech G700 wireless gaming mouse.
The G700 is badass. It is physically bigger and heavier than the TactX. It is more configurable, as well. It is rechargeable, has an AA-sized battery that can be replaced, has 5 DPI settings (up to 5700 dpi), can be used while charging or when the electronic environment is unfriendly toward wireless devices, has internal memory, and each button can be mapped independently. It has powder-coating on the sides of the mouse, which I really like. It has performance settings that dictate how much power is used.
The only thing I'm wary of is the SetPoint software. I'm installing it now and will play with the mouse tonight and throughout the week...I'll update this post with my thoughts in about a week.
Friday, January 18, 2013
PSAD and signature updates
Is it true that the creators of PSAD haven't updated the PSAD signatures since 2007???
Line 29 of my /etc/psad/signatures file:
# $Id: signatures 2129 2007-12-12 04:56:10Z mbr $
As well, at http://www.cipherdyne.org/psad/signatures, it is on line 28.
Dead project? Not sure, but the signatures are old as hell! While I don't think it's a usage deal-breaker, I'm rather surprised. Does it need updated signatures? Probably not, but every little bit helps, especially nowadays. I'd much rather a developer (and package maintainer) be up-front about such things.