Nov 182013
 

Openx has been a pain in my ass for some time now (5 years).  Even if you have the latest most up to date software release, you will still get append and prepend infections.  I’m not sure if it comes from client browsers when they log in or some other reason.  What I can assure you is that the file system in which openx resides is as secure as it can be while leaving openx functional (all files are owned by a different user than the web server process and are only readable by the web server.  All directories, except two, are also owned by a different process than the web server and are read only….while two have to be writable by the web server process.  The lamp stack is also up to date.).  Anyways, even with these restrictions, clean code, clean db, limited plugins, and even checked the meta data of all image files for backdoors (I first learned about this technique in approx 2010 but here is an article from 2011 detailing this – PHP Code into JPEG Metadata: From hide to unhide ) we still get an occasional append/prepend infection.

How to stop it?  This is pretty easy, I simply wrote a script that checks for append/prepend problems, logs if clean, logs and alerts if infected, and also disinfects.  This only works, if the append and prepend is NOT being used in your ads.

Continue reading »

Mar 062013
 

This was tested on centos 6.3.  It is running at approx 900 – 3,000+ log events per second from approx 30 hosts.

Current load is about 900 messages per second:  load average: 1.57, 1.35, 1.29 with 8GB memory.

With the above in mind, there was approx 165GB of log data after running for 4 days.

graylog.org web site

elasticsearch web site

mongo db

passenger phusion web site

logstash web site

I wrote a script in order to install a graylog2 central log server.  Its a one shot run and be done kinda thing…..

CHANGES20130309 – see notes in script

Continue reading »

Feb 052013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on remote host, scp/rsync the file back to my local machine, open it in wireshark, view it.  This script saves a lot of time.  It assumes you are logging in as root and will need modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump)

#!/bin/bash
 
# By Ed Wiget
# This runs tcpdump on a remote hosts and pipes it back locally to wireshark to view in realtime
 
# 20130205 - original script
 
if [ $1 == "" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read RHOST
else
	RHOST=$1
fi
 
wireshark -k -i <( ssh -l root ${RHOST} /usr/sbin/tcpdump -i eth0 -w - )
 
# after you kill wireshark, the tcpdump still runs on remove host...we need to kill it
PIDOF=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
 
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@${RHOST} "pkill tcpdump"
 
# now we make sure it is killed
PIDOF2=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
if [ ${PIDOF2} == "" ]; then
	echo "pid check returns ${PIDOF2}"
else
	echo "pid check returns ${PIDOF2}"
fi

Jul 122012
 

I had a few virtualboxes running centos 5.7 that I hadn’t updated in a while.  They were used for testing.  Today I went to update them and couldn’t because the 5.7 repo’s had been deprecated and were not longer available.  I found a quick way to do this, and this got my virtualboxes updated to 5.8……which is what I needed anyways.

Continue reading »

Aug 242011
 

Thought I would share this quick fix ref CVE-2011-3192 with the POC available here:
http://seclists.org/fulldisclosure/2011/Aug/175

First, if you are an apache admin, get this fixed ASAP. I was able to take down a small test server with 7 http get requests.

Login to the server and run this command to see if you have mod_headers installed:

locate mod_headers

If you see mod_headers.so in that list, you can continue to Configuring Apache.  Otherwise go to Compiling Mod_Headers

Continue reading »

Aug 112011
 

ï£ ¥ð ¢åñ’† rêåÐ ßå§h, gê† Ðå £µ¢k 𵆆å hêrê

#!/bin/bash
 
# By Ed Wiget
# This script automates downloading youtube video and converting to mp3 file
# I use it to grab new songs for my ipod that I am too lazy to insert store bought cd 🙂
 
# set this variable to the location of your scripts:
BASE_DIR=~/scripts
 
# this sets the location of the python youtube-dl script, relative to above
YOUTUBE_DL=${BASE_DIR}/youtube-dl/youtube-dl
 
# this sets the path of the downloaded files and temp directory
DL_FILES=~/Downloads
 
# this sets the path to were the final mp3 is stored
MP3_LOCATION=~/Music
 
# this checks for the youtube-dl script and if it doesn't exist, it gets it
# if it does exist, it checks to make sure its the latest version
if [ ! -d ${BASE_DIR}/youtube-dl ];
then
echo "grabbing the youtube-dl script"
cd ${BASE_DIR}
git clone git://github.com/rg3/youtube-dl.git youtube-dl
else
echo -e "youtube-dl already exists\n\nMaking sure we have the latest version"
${YOUTUBE_DL} -U
fi
 
# this checks to make sure we have ffmpeg and lame installed, and if not, grabs them
FFMPEG1=`which ffmpeg | wc -l`
LAME1=`which lame | wc -l`
 
if [ ${FFMPEG1} = 1 ];
then
echo "ffmpeg already exists"
else
echo "grabbing ffmpeg"
# for ubuntu based distros, use this line
sudo apt-get install ffmpeg
# for redhat based distros, use this line
#sudo yum install ffmpeg
# for arch
#pacman -S ffmpeg
fi
 
if [ ${LAME1} = 1 ];
then
echo "lame already exists"
else
echo "grabbing lame"
# for ubuntu use this line
sudo apt-get install lame
# for redhat use this line
# sudo yum install lame
# for arch linux
#pacman -S lame
fi
 
# next we ask the user for the video file, it should be in format like:
# http://www.youtube.com/watch?v=6E2hYDIFDIU
echo -e "What is the video to download, ie. http://www.youtube.com/watch?v=6E2hYDIFDIU"
read VIDEO_URL
 
echo "You entered ${VIDEO_URL} is this correct? ( y / n )"
read ANS
        if [ ${ANS} = "y" ];
                then
                        cd ${DL_FILES}
                        # grab the song title
                        SONG_TITLE=`${YOUTUBE_DL} --get-title ${VIDEO_URL}`
                        echo -e "the song title is ${SONG_TITLE}"
                        # downloading video
                        echo "downloading video....please wait"
                        ${YOUTUBE_DL} ${VIDEO_URL}
                        # we need to convert the dl url to a filename for later processing
                        # the url is like:  http://www.youtube.com/watch?v=6E2hYDIFDIU 
                        # the downloaded file will be 6E2hYDIFDIU.mp4
                        MP4_FILE=`echo ${VIDEO_URL} | awk -F/ '{print$4}' | awk -F= '{print$2}'`
                        # get the downloaded file extension
                        FILE_EXT=`ls ${DL_FILES}/${MP4_FILE}* | awk -F. '{print$2}'`
                        echo "your video is located in ${DL_FILES}/${MP4_FILE}.${FILE_EXT}"
                        echo ""
                        echo "converting ${DL_FILES}/${MP4_FILE}.${FILE_EXT} to wav.....please wait"
                        # ffmpeg -i 6E2hYDIFDIU.flv 6E2hYDIFDIU.wav
                        ffmpeg -i ${DL_FILES}/${MP4_FILE}.${FILE_EXT} ${DL_FILES}/"${SONG_TITLE}".wav
                        echo "video converted to wav file....converting wav to mp3"
                        lame -b 128 ${DL_FILES}/"${SONG_TITLE}".wav ${MP3_LOCATION}/"${SONG_TITLE}".mp3
                        echo "${SONG_TITLE} is now available at ${MP3_LOCATION}/${SONG_TITLE}.mp3"
                        echo -e "\n\nmoving video download file ${DL_FILES}/${MP4_FILE}.${FILE_EXT} to ${MP3_LOCATION}/${SONG_TITLE}.${FILE_EXT}"
                        mv ${DL_FILES}/${MP4_FILE}.${FILE_EXT} ${MP3_LOCATION}/"${SONG_TITLE}".${FILE_EXT}
                        echo "video file is now at ${MP3_LOCATION}/"${SONG_TITLE}".${FILE_EXT}"
                        echo -e "\n\ndone .... and enjoy"
        else
                echo "there was an error...."
                exit
fi