Nov 182013
 

Openx has been a pain in my ass for some time now (5 years).  Even if you have the latest most up to date software release, you will still get append and prepend infections.  I’m not sure if it comes from client browsers when they log in or some other reason.  What I can assure you is that the file system in which openx resides is as secure as it can be while leaving openx functional (all files are owned by a different user than the web server process and are only readable by the web server.  All directories, except two, are also owned by a different process than the web server and are read only….while two have to be writable by the web server process.  The lamp stack is also up to date.).  Anyways, even with these restrictions, clean code, clean db, limited plugins, and even checked the meta data of all image files for backdoors (I first learned about this technique in approx 2010 but here is an article from 2011 detailing this – PHP Code into JPEG Metadata: From hide to unhide ) we still get an occasional append/prepend infection.

How to stop it?  This is pretty easy, I simply wrote a script that checks for append/prepend problems, logs if clean, logs and alerts if infected, and also disinfects.  This only works, if the append and prepend is NOT being used in your ads.

Continue reading »

Aug 262013
 

If you get these errors…..

insserv: warning: script 'S85vpnagentd_init' missing LSB tags and overrides
insserv: warning: script 'vpnagentd_init' missing LSB tags and overrides
insserv: There is a loop between service rmnologin and mountnfs if started
insserv:  loop involving service mountnfs at depth 7
insserv:  loop involving service networking at depth 6
insserv: There is a loop between service rmnologin and mountnfs if started
insserv: Starting vpnagentd_init depends on rmnologin and therefore on system facility `$all' which can not be true!
insserv: Starting vpnagentd_init depends on rmnologin and therefore on system facility `$all' which can not be true!
insserv: Starting vpnagentd_init depends on rmnologin and therefore on system facility `$all' which can not be true!
insserv: Max recursions depth 99 reached
insserv:  loop involving service nfs-common at depth 4
insserv:  loop involving service pulseaudio at depth 13
insserv: exiting now without changing boot order!

The fix is….

Continue reading »

Jun 062013
 

This is a trick I learned a long time ago.  I used to teach it in my linux administration, digital forensics, and ethical hacking courses I taught at college.  It has been one of the most useful commands I ever learned.  So the scenario goes like this:  lets assume you have a user you suspect is doing something nefarious…maybe even a hacker has a shell on your server.  You would like to be able to see exactly what they are doing.  Wouldn’t it be nice to be able to connect to their shell without them knowing so you can watch what they are doing?

Here is how it is done…..

Continue reading »

May 182013
 

A long time ago, I created a database to hold passwords and their respective hashes for some 16 various hash types.  It has approximately 310,261,848 passwords for each type and is growing nearly every day as more password lists become available.  I found a pretty quick way to generate the hashes for these wordlists and wanted to share how it is done.  These hashes only work with unsalted/unpeppered passwords.

First, lets look at my table schema, which is very simple and very effective.  It uses an index on the hash + password column so there can not be any two hashes+passwords that are the same.  The types table is a  simple lookup table that references data.type 1 to a name like DES.  The primary key is on the name column.  I don’t claim to be a db administrator so if you spot any errors, let me know.

Continue reading »

Mar 092013
 

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making.  This is often helpful in determining attacks.  So, I basically wrote this script which does it.

#!/bin/bash
 
# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
 
# 20130308 - original script
 
## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
 
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
	echo "missing ngrep....please install"
	exit
fi
 
if [ $1 = "" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
else
	CIF=$1
fi
 
thing=1
 
until [ $thing = "0" ]; do
	# uncomment top line if you dont need x-forward-for
        #sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
        # use the next line if you do need x-forward-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
	echo
	sleep 1;
done

CHANGES

20130905 – added option to pass interface

Feb 052013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on remote host, scp/rsync the file back to my local machine, open it in wireshark, view it.  This script saves a lot of time.  It assumes you are logging in as root and will need modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump)

#!/bin/bash
 
# By Ed Wiget
# This runs tcpdump on a remote hosts and pipes it back locally to wireshark to view in realtime
 
# 20130205 - original script
 
if [ $1 == "" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read RHOST
else
	RHOST=$1
fi
 
wireshark -k -i <( ssh -l root ${RHOST} /usr/sbin/tcpdump -i eth0 -w - )
 
# after you kill wireshark, the tcpdump still runs on remove host...we need to kill it
PIDOF=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
 
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@${RHOST} "pkill tcpdump"
 
# now we make sure it is killed
PIDOF2=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
if [ ${PIDOF2} == "" ]; then
	echo "pid check returns ${PIDOF2}"
else
	echo "pid check returns ${PIDOF2}"
fi

Oct 312012
 
#!/bin/bash
 
# By Ed Wiget
# This script grabs the latest nmap, zenmap, ncat, nping in rpm format and converts them to deb
 
# 20121031 - original script
 
# the version we are grabbing
VER=6.01-1
 
# the architecture we are using
ARCH=x86_64
 
# our working dir
TEMP_DIR=~/nmap-files
 
# check if it exists and if not, create it
if [ ! -d ${TEMP_DIR} ]; then
	mkdir -p ${TEMP_DIR}
fi
 
# check to make sure alien is installed and if not, install it
if [ ! -f /usr/bin/alien ]; then
	sudo apt-get install alien
fi
 
# cd to the working dir
cd ${TEMP_DIR}
 
# 386 files
# http://nmap.org/dist/nmap-6.01-1.i386.rpm
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm
# http://nmap.org/dist/ncat-6.01-1.i386.rpm
# http://nmap.org/dist/nping-0.6.01-1.i386.rpm
 
# x86_64 files
# http://nmap.org/dist/nmap-6.01-1.x86_64.rpm
# http://nmap.org/dist/ncat-6.01-1.x86_64.rpm
# http://nmap.org/dist/nping-0.6.01-1.x86_64.rpm
 
# no arch
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm
 
# grab the files
wget -O ${TEMP_DIR}/nmap-${VER}.${ARCH}.rpm http://nmap.org/dist/nmap-${VER}.${ARCH}.rpm
wget -O ${TEMP_DIR}/ncat-${VER}.${ARCH}.rpm http://nmap.org/dist/ncat-${VER}.${ARCH}.rpm
wget -O ${TEMP_DIR}/nping-0.${VER}.${ARCH}.rpm http://nmap.org/dist/nping-0.${VER}.${ARCH}.rpm
wget -O ${TEMP_DIR}/zenmap-${VER}.noarch.rpm http://nmap.org/dist/zenmap-${VER}.noarch.rpm
 
# remove any deb files currently in this dir
rm -f *.deb
 
# convert the downloaded files to deb
sudo alien nmap-${VER}.${ARCH}.rpm
sudo alien ncat-${VER}.${ARCH}.rpm
sudo alien nping-0.${VER}.${ARCH}.rpm
sudo alien zenmap-${VER}.noarch.rpm
 
# install the packages
sudo dpkg --install *.deb

Jul 032012
 

So I wrote this script because I had a bunch of files I copied from my ipod touch that were named like ABCD.mp3 and I wanted them to be like ARTIST-SONG_TITLE.mp3 There was also another issue where I had some songs named ARTIST-SONG_TITLE.mp3 but they did not have the id3 information. So this script does both. Also, if the file is an itunes file like ABCD.mp3 and it doesn’t have embedded id3 information, it skips it. Here is the script:

Continue reading »

May 252012
 

I do things the easiest way that gets the job done.  Someone asked me recently about mounting a shared windows drive in Linux from bash.  They stated they normally mount it through dolphin using:

smb://username:password@ip_address/SHARED_DRIVE

That works until you need to copy files via rsync or some other bash method.  The solution is actually very simple:

mount -t cifs //ip_address/SHARED_DRIVE /mnt/directory -o user=username,password=user_password_on_windows_share,uid=500,gid=500

Just be sure you replace uid=500 with the users id in linux and gid=500 with the users group id in linux in order to be able to write files/directories with the proper permissions.  Of course the mount directory, /mnt/directory, also must exist.

If you get an error about “mount error(12): Cannot Allocate Memory

the fix is:

Edit the windows registry

Set “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache” to “1″.
 
Set “HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size” to “3″.
 
Restart the “server” service.