How to disable Skype Home popup?
by d2 on Sep.05, 2011, under solution
- Download an older version of Skype: http://download.skype.com/msi/SkypeSetup_5.3.0.120.msi (keep in mind that an older client also lacks any security fixes shipped after 5.3)
- Uninstall your current Skype
- Navigate to c:\Users\<YOUR_USERNAME>\AppData\Roaming\Skype\
- Delete the shared_dynco and shared_httpfe folders
- Create empty files called shared_httpfe and shared_dynco (FILES, not FOLDERS!); a file with that name stops Skype from recreating the folder
- Install Skype 5.3
That’s it. No more annoying popups from Skype. Well, at least for now…
GPG FTW!
by d2 on Aug.01, 2011, under info
Here is my public key – sign any email or file you wish to send to me. Thanks!
Problem solving flowsheet
by d2 on Mar.09, 2011, under solution
For those who can’t solve some particular tasks….

how to change nginx server string?
by d2 on Jul.06, 2010, under bash, code, solution
If you want to hide the web server string that is sent back with every response, this might be the howto for you ;)
A usual nginx response looks like this:
HTTP/1.1 200 OK
Date: Tue, 06 Jul 2010 08:14:19 GMT
Server: nginx/0.7.67
To get rid of it you need to get the source code, change it and recompile. (The server_tokens off; directive alone only drops the version number: the Server header still says "nginx", and the built-in error pages in src/http/ngx_http_special_response.c carry the name as well.) The files which require some small modifications are located at:
- src/core/nginx.h
- src/http/ngx_http_header_filter_module.c
- conf/fastcgi_params
I’ve made a bash script to automate the whole process. To use it, just save the source to a file and launch ./script.sh <directory_of_nginx>. Please have a look at it, test it and post a comment in case it is not working. Enjoy!
#!/bin/bash
# Rewrites the product name and version strings in an unpacked nginx source tree.
# Usage: ./script.sh <directory_of_nginx>
DIR=${1}
SERVERNAME=Paranoid
SERVERVERSION=0.4.2
if [[ $# -lt 1 ]]
then
echo "`basename ${0}` {dir}"
echo -e "\n\tExample: `basename ${0}` nginx-0.7.64"
exit 1
fi
if [[ -e ${DIR}/src/core/nginx.h ]]
then
# NGINX_VERSION must stay a quoted C string, otherwise nginx.h no longer compiles
sed -i "/#define NGINX_VERSION/ s,\"[^\"]*\",\"${SERVERVERSION}\"," ${DIR}/src/core/nginx.h
# NGINX_VER is "nginx/" NGINX_VERSION; only the product name is swapped here
sed -i "/#define NGINX_VER/ s,nginx,${SERVERNAME}," ${DIR}/src/core/nginx.h
# NGINX_VAR is the environment variable used for binary upgrades; keep it consistent with the new name
sed -i "/#define NGINX_VAR/ s,\"NGINX\",\"`echo ${SERVERNAME}| tr \"[a-z]\" \"[A-Z]\"`\"," ${DIR}/src/core/nginx.h
else
echo "Can not find ${DIR}/src/core/nginx.h"
exit 1
fi
if [[ -e ${DIR}/src/http/ngx_http_header_filter_module.c ]]
then
# the "Server: nginx" literal is what is sent when server_tokens is off
sed -i "s,Server: nginx,Server: ${SERVERNAME}," ${DIR}/src/http/ngx_http_header_filter_module.c
else
echo "Can not find ${DIR}/src/http/ngx_http_header_filter_module.c"
exit 1
fi
if [[ -e ${DIR}/conf/fastcgi_params ]]
then
# $nginx_version is an nginx variable, not a shell one: escape it so it reaches sed intact
sed -i "s,nginx/\$nginx_version,${SERVERNAME}/\$nginx_version," ${DIR}/conf/fastcgi_params
else
echo "Can not find ${DIR}/conf/fastcgi_params"
exit 1
fi
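As an added check (my example code, not part of the original post and not nginx's own sources): the functions below apply the same three nginx.h rewrites to a copy of the file, keeping the version quoted, verify that the defines came out as intended, and read the Server header back out of a captured response. The nginx.h fragment and the HTTP response are constructed samples; the helper names patch_nginx_h, verify_nginx_h and server_header are mine.

```bash
#!/bin/bash
# Added example, not code from the original post or from nginx: patch the
# three defines in a copy of nginx.h, verify the result, and read the Server
# header back out of a captured response. Helper names are mine.

# Rewrite NGINX_VERSION, NGINX_VER and NGINX_VAR in the given nginx.h.
# The version goes back inside double quotes, which the sed in the post
# drops; without them the header no longer compiles.
patch_nginx_h() {
    local file="$1" name="$2" version="$3" upper
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    sed -e "/#define NGINX_VERSION/ s,\"[^\"]*\",\"${version}\"," \
        -e "/#define NGINX_VER /    s,\"nginx/\",\"${name}/\"," \
        -e "/#define NGINX_VAR/     s,\"NGINX\",\"${upper}\"," \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Succeed only when all three defines carry the expected, quoted values.
verify_nginx_h() {
    local file="$1" name="$2" version="$3" upper
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    grep -q "^#define NGINX_VERSION *\"${version}\"\$" "$file" &&
    grep -q "^#define NGINX_VER *\"${name}/\" NGINX_VERSION\$" "$file" &&
    grep -q "^#define NGINX_VAR *\"${upper}\"\$" "$file"
}

# Print the value of the Server header from raw response text (CRLF tolerated),
# e.g. against a live box: server_header "$(curl -sI http://host/)"
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver: *//p' | head -n 1
}

demo() {
    local tmp
    tmp=$(mktemp -d)
    # Constructed fragment of src/core/nginx.h (the real file has more defines).
    cat > "$tmp/nginx.h" <<'EOF'
#define NGINX_VERSION      "0.7.67"
#define NGINX_VER          "nginx/" NGINX_VERSION

#define NGINX_VAR          "NGINX"
#define NGX_OLDPID_EXT     ".oldbin"
EOF
    patch_nginx_h "$tmp/nginx.h" Paranoid 0.4.2
    if verify_nginx_h "$tmp/nginx.h" Paranoid 0.4.2; then
        grep '^#define NGINX_V' "$tmp/nginx.h"
    else
        echo "rewrite failed" >&2
    fi
    # Constructed response as an unpatched 0.7.67 would send it.
    server_header "$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/0.7.67\r\n\r\n')"
    rm -rf "$tmp"
}
demo
```

After rebuilding, run server_header against the real listener and confirm the value is exactly the fake product/version pair; if it still reads nginx/…, the wrong binary is on the path or the build tree was not the patched one.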
mod_rpaf vulnerability?
by d2 on Jun.14, 2010, under bug, info
rpaf is for backend Apache servers what mod_proxy_add_forward is for frontend Apache servers. It does exactly the opposite of mod_proxy_add_forward written by Ask Bjørn Hansen. It will also work with mod_proxy in Apache starting with release 1.3.25 and mod_proxy that is distributed with Apache2 from version 2.0.36.
It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. The first condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly, if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies, it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly. For Apache2 mod_proxy it takes the X-Forwarded-Host header and updates the virtualhosts.
Latest version is 0.6
Pretty useful stuff if you use load balancers/proxies etc. and you want to keep your Apache log format untouched. Right. Now what happens if I choose to append/change/add an x-forwarded-for header with some ‘malicious’ input like the one below?
x-forwarded-for: \’\”);|]*{
<
Apache 2.2.12 will report 400 bad request and then segfault one thread :)
# cat /var/log/apache2/access.log
IP.IP.IP.IP - - [14/Jun/2010:10:24:53 +0200] "GET / HTTP/1.1" 400 573 "referer: -" "-"
# cat /var/log/apache2/error.log
[Mon Jun 14 10:27:22 2010] [error] [client IP.IP.IP.IP] request failed: error reading the headers
[Mon Jun 14 10:27:31 2010] [notice] child pid 1877 exit signal Segmentation fault (11)
Is it exploitable? I don’t know for now.
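As an added example (my code, not the post's and not mod_rpaf's source), here is the address-selection rule the README above describes, written so that a header like the one in the post is rejected rather than trusted: the TCP peer must be a configured proxy, X-Forwarded-For must be present, and its last entry (the one the trusted proxy appended) becomes the client address; anything that is not an IPv4 address leaves the peer address in place. The proxy list and all addresses are constructed sample values.

```bash
#!/bin/bash
# Added example, not from the original post or from mod_rpaf: the address
# selection rule the README describes, with a malformed header falling back
# to the TCP peer instead of being trusted.

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[.]' '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# client_ip PEER "PROXY1 PROXY2 ..." XFF
# Condition 1: the peer must be one of the configured proxies.
# Condition 2: X-Forwarded-For must be present; its last entry is the client
# as seen by the trusted proxy. Anything that is not an IP (for example the
# payload from the post) is ignored and the peer address is kept.
client_ip() {
    local peer="$1" proxies="$2" xff="$3" last
    case " $proxies " in
        *" $peer "*) ;;
        *) echo "$peer"; return ;;
    esac
    [ -n "$xff" ] || { echo "$peer"; return; }
    last=$(printf '%s' "$xff" | awk -F',' '{ gsub(/^[ \t]+|[ \t]+$/, "", $NF); print $NF }')
    if is_ipv4 "$last"; then echo "$last"; else echo "$peer"; fi
}

demo() {
    local proxies="10.0.0.2 10.0.0.3"   # the module's trusted proxy list (assumed values)
    client_ip 10.0.0.2    "$proxies" "203.0.113.9, 198.51.100.4"   # 198.51.100.4
    client_ip 203.0.113.9 "$proxies" "1.2.3.4"                     # 203.0.113.9: peer is not a proxy
    client_ip 10.0.0.2    "$proxies" '\");|]*{'                    # 10.0.0.2: garbage rejected
}
demo
```

Note that taking the last entry is only safe because the first condition holds: if the peer were not the trusted proxy, the whole header would be attacker-supplied and any address in it could be spoofed into the logs.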
calculating md5 sum under bash
by d2 on Jun.14, 2010, under bug, solution
Recently I wrote a short bash script to check the integrity of files inside a directory and saw that all the sums were wrong :) This couldn’t be a coincidence, so I decided to check with other tools. Well, this is what I found:
$ php -r "echo md5('test1234');"
16d7a4fca7442dda3ad93c9a726597e4
$ echo test1234|md5sum|awk '{print $1}'
eddc02b200ae8a15a7e6b44ac05bf5f1
The reason? Pretty simple. I used the ‘echo’ command to print the string and then piped it to md5sum. By default ‘echo’ appends a newline character to the string, so md5sum hashed nine bytes instead of eight; that is why I got a different sum compared to PHP. To avoid this problem, use the -n switch with ‘echo’ (man echo says: -n do not output the trailing newline). Note that echo -n is not portable across shells; printf '%s' "$string" never emits a newline and behaves the same everywhere.
$ php -r "echo md5('test1234');"
16d7a4fca7442dda3ad93c9a726597e4
$ echo -n test1234|md5sum|awk '{print $1}'
16d7a4fca7442dda3ad93c9a726597e4
Now all is OK :)
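As an added example (my code, not the post's script), here is the newline-free hashing done with printf, followed by the kind of directory integrity check the post mentions: a manifest of sums is written once and the directory is later verified against it, so a changed or missing file is reported. The directory contents are constructed; the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original post: hash exact bytes, then build and
# verify a per-directory manifest of the kind the post's integrity script needs.

# Digest of exactly the given string. printf '%s' never appends a newline,
# so this matches PHP's md5() for the same input; 'echo -n' is not portable.
md5_string() {
    printf '%s' "$1" | md5sum | awk '{print $1}'
}

# Record "<sum>  <path>" for every regular file below $1 into $2.
# $2 must be an absolute path because the listing is taken from inside $1.
make_manifest() {
    local dir="$1" manifest="$2"
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 md5sum) > "$manifest"
}

# Check $1 against the manifest in $2: prints each changed or missing file and
# returns 0 only when everything still matches.
verify_manifest() {
    local dir="$1" manifest="$2"
    (cd "$dir" && md5sum --quiet -c "$manifest")
}

demo() {
    local tmp manifest
    tmp=$(mktemp -d)
    manifest="$tmp.manifest"
    # Constructed tree: one ordinary file and one that an intruder would edit.
    mkdir -p "$tmp/data/etc"
    printf 'test1234' > "$tmp/data/a.txt"
    printf 'root:x:0:0\n' > "$tmp/data/etc/passwd"
    make_manifest "$tmp/data" "$manifest"
    verify_manifest "$tmp/data" "$manifest" && echo "clean"
    printf 'root:x:0:0\nintruder:x:0:0\n' > "$tmp/data/etc/passwd"   # tamper
    verify_manifest "$tmp/data" "$manifest" || echo "tampering detected"
    rm -rf "$tmp" "$manifest"
}
demo
```

md5sum is kept here to match the post; for a manifest that must survive a deliberate attacker rather than accidental corruption, swap in sha256sum (same flags) and keep the manifest somewhere the attacker cannot rewrite it.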
Apache2 [emerg] (28)No space left on device: Couldn’t create accept lock
by d2 on Jun.10, 2010, under solution
When restarting Apache2 it’s possible to hit this error, which shows up only in error.log. From the console’s point of view restart/start/stop looks OK, but Apache2 won’t come up and won’t bind to any port. First check that you have enough disk space (# df -h), then study the logs and the strace output:
# tail -n 10 -f /var/log/apache2/error.log
[Fri Feb 05 13:29:49 2010] [emerg] (28)No space left on device: Couldn’t create accept lock
strace of this process shows:
# strace -f /etc/init.d/apache2 restart
[...]
[pid 26787] fcntl64(15, F_GETFD) = 0x1 (flags FD_CLOEXEC)
[pid 26787] fcntl64(15, F_SETFD, FD_CLOEXEC) = 0
[pid 26787] ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(0, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(1, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(2, 0, [47419], SEEK_CUR) = 0
[pid 26787] ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(0, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(1, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(2, 0, [47419], SEEK_CUR) = 0
[pid 26787] ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(0, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(1, 0, [0], SEEK_CUR) = 0
[pid 26787] ioctl(2, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbff2b568) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 26787] _llseek(2, 0, [47419], SEEK_CUR) = 0
[pid 26787] stat64("/var/log/apache2/httpd.pid", {st_mode=S_IFREG|0640, st_size=6, ...}) = 0
[pid 26787] gettimeofday({1265372989, 308944}, NULL) = 0
[pid 26787] write(2, "[Fri Feb 05 13:29:49 2010] [warn]"..., 139) = 139
[pid 26787] open("/var/log/apache2/httpd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0644) = 16
[pid 26787] fcntl64(16, F_GETFD) = 0x1 (flags FD_CLOEXEC)
[pid 26787] fcntl64(16, F_SETFD, FD_CLOEXEC) = 0
[pid 26787] write(16, "26787\n"..., 6) = 6
[pid 26787] close(16) = 0
[pid 26787] semget(IPC_PRIVATE, 1, IPC_CREAT|0600) = -1 ENOSPC (No space left on device)
[pid 26787] gettimeofday({1265372989, 315808}, NULL) = 0
So this is clearly an issue with System V semaphores: semget() fails with ENOSPC because the system-wide limit on semaphore sets (SEMMNI, the last field of kernel.sem) is exhausted, usually by sets left behind by earlier Apache processes that died without cleaning up. We need to either reduce them or clear them completely. I prefer option 2 (stop Apache first, and note that this removes every semaphore set owned by that user, not only Apache’s):
# Apache's run user; anchor the directive at line start so UserDir and the LogFormat line are not picked up
APACHE_USER=`grep -E '^[[:space:]]*User[[:space:]]' /etc/apache2/apache2.conf | awk '{print $2}'`
# on Debian the directive reads "User ${APACHE_RUN_USER}", which is defined in /etc/apache2/envvars
[ -f /etc/apache2/envvars ] && . /etc/apache2/envvars && APACHE_USER=`eval echo ${APACHE_USER}`
# ipcs -s columns: key semid owner perms nsems; remove every set owned by that user
for sem in `ipcs -s | awk -v u="${APACHE_USER}" '$3 == u {print $2}'`
do
ipcrm -s ${sem}
done
Next we have to tune system. For Linux Debian:
# echo -e "\n\n# tuning of semaphores (apache related issues with no space left on device)\nkernel.msgmni = 1024\nkernel.sem = 250 256000 32 1024" >> /etc/sysctl.conf
and make system read new values:
# sysctl -p
Cool, problem is gone ;)
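As an added check (my code, not from the original post), the functions below measure how close a box is to the semget() ENOSPC failure described above: they count semaphore sets per owner from ipcs -s output and compare the total with SEMMNI, the fourth field of kernel.sem. The ipcs output and the kernel.sem value in the demo are constructed samples; on a live system pass "$(ipcs -s)" and "$(sysctl -n kernel.sem)" instead.

```bash
#!/bin/bash
# Added example, not from the original post: measure System V semaphore
# headroom so the ENOSPC from semget() is caught before Apache fails to start.

# kernel.sem holds "SEMMSL SEMMNS SEMOPM SEMMNI"; SEMMNI (4th field) is the
# system-wide cap on semaphore sets that semget() hits with ENOSPC.
semmni_of() {
    printf '%s\n' "$1" | awk '{print $4}'
}

# Count semaphore sets per owner from 'ipcs -s' text. Header lines are
# skipped because only data rows start with a 0x key.
sem_sets_by_owner() {
    printf '%s\n' "$1" | awk '$1 ~ /^0x/ {n[$3]++} END {for (o in n) print o, n[o]}' | sort
}

# Percentage of SEMMNI in use, given ipcs -s text and the kernel.sem value.
sem_usage_percent() {
    local used limit
    used=$(printf '%s\n' "$1" | awk '$1 ~ /^0x/ {c++} END {print c+0}')
    limit=$(semmni_of "$2")
    echo $(( used * 100 / limit ))
}

demo() {
    # Constructed 'ipcs -s' output in the util-linux layout, and a small
    # SEMMNI so the percentage is visible.
    local ipcs_sample='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      www-data   600        1
0x00000000 32769      www-data   600        1
0x00000000 32770      www-data   600        1
0x0052e2c1 98304      postgres   600        17'
    local kernel_sem='250 32000 32 128'
    sem_sets_by_owner "$ipcs_sample"
    echo "semaphore sets in use: $(sem_usage_percent "$ipcs_sample" "$kernel_sem")% of SEMMNI"
    # live box: sem_usage_percent "$(ipcs -s)" "$(sysctl -n kernel.sem)"
}
demo
```

A steadily growing count for the Apache user between restarts is the leak signature; an alert at, say, 80% of SEMMNI gives time to clean up before the accept lock can no longer be created.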
New (old) bug in ThunderBird (3.0.4)
by d2 on Jun.08, 2010, under bug
Today, after some time spent researching HTML, I thought I had discovered a new bug in ThunderBird (v. 3.0.4).
I prepared html code:
<form action="http://some.server.com/hcp/" method="get">
<input type="text" name="u_firstname" value="test"/ size="25%" />
</form>
I sent it to myself as HTML using ThunderBird. Now, when I opened this email I saw an input with the default “test” text. Nothing wrong so far, but when I clicked this field with “test” I was redirected immediately to “some.server.com” without even clicking a send/submit button, which in fact wasn’t even in the HTML code. Cool stuff if you want to trick someone into visiting evil pages ]:-> Have a look at this code:
<form action="http://evil.server.com" method="get">
Your password will expire within next <b>1</b> day. Please update your profile by visiting following link:<input type="text" value="http://google.com"/ size="25%" onmouseover="this.style.cursor='pointer';"/>
</form>
You will see a stupid message about password expiration and then something that looks like a link. When you click it… well, you know what will happen :) What’s worth mentioning is that no data is transferred from the form fields to the remote server, for both the GET and POST methods.
I was about to publish it somewhere, but first wanted to see if anyone else had had similar problems. Well, someone had, and even reported it to Mozilla ;) Here is the bugzilla link:
https://bugzilla.mozilla.org/show_bug.cgi?id=542325
There you go – a half-year-old bug, rediscovered ;)
Directory Enumeration Killer
by d2 on Jun.02, 2010, under cfg, sysadmin
From time to time I see some scanning on my website. This usually dies after 5 or so minutes, but it’s pretty annoying and space-consuming, so I thought recently that it would be nice to get rid of those scans.
An example of such an attack looks like this:
** IP ** - - [02/Jun/2010:14:35:59 +0200] "HEAD /index.html HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:35:59 +0200] "HEAD /index.shtml HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:35:59 +0200] "HEAD /index.aspx HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:00 +0200] "HEAD /index.cgi HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:00 +0200] "HEAD /index.php3 HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:00 +0200] "HEAD /index HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:00 +0200] "HEAD //cgi.cgi// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:01 +0200] "HEAD //webcgi// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:01 +0200] "HEAD //cgi-914// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:01 +0200] "HEAD //cgi-915// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:01 +0200] "HEAD //bin// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:01 +0200] "HEAD //cgi// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:02 +0200] "HEAD //mpcgi// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:02 +0200] "HEAD //cgi-bin// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:02 +0200] "HEAD //ows-bin// HTTP/1.1" 404 - "-" "-"
** IP ** - - [02/Jun/2010:14:36:02 +0200] "HEAD //cgi-sys// HTTP/1.1" 404 - "-" "-"
Sad, isn’t it? This can be done by a human, but most probably it’s a scanner. The one I know is called “Indir”, written (and still developed?) by WillBe (at least that is what I get from its README.TXT file). Well, first of all we have to change Apache’s default ErrorDocument for certain error codes, so open up apache2.conf and paste this:
ErrorDocument 401 "/error/index.html"
ErrorDocument 403 "http://website.com/error/index.html"
ErrorDocument 404 "http://website.com/error/index.html"
ErrorDocument 405 "http://website.com/error/index.html"
ErrorDocument 413 "http://website.com/error/index.html"
ErrorDocument 500 "http://website.com/error/index.html"
ErrorDocument 414 "http://website.com/error/index.html"
This can also be done inside an .htaccess file; just paste the above and it should be OK. Code 401 can’t be replaced by a full URL (explained here: http://httpd.apache.org/docs/2.2/mod/core.html#errordocument) but all the rest can. Now what happens when a user hits non-existing content? He gets the custom index.html page from the error directory, sure, but before he does, Apache performs a REDIRECT on such a request and serves a 302 to the client. A relative path (/error/index.html) instead of a full URL would leave the error code as it is.
OK, so now every error will be answered with a 302 and we will recognize the real error only by the content of the served page. BTW, it would be good to have some kind of handler that distinguishes the various codes instead of writing multiple *.html files. Maybe I will post some of my sources later on, but for now, just to illustrate, I will keep the *.html files.
Is that all we can do about the above scans? Well, of course not! Next, I should take care of the “HEAD” method. Unless you run SVN (WebDAV) over HTTP you could consider restricting all methods to GET/POST only. Bear in mind that HTTP/1.1 requires any server that supports GET to support HEAD as well, so this also breaks legitimate clients such as monitoring probes, link checkers and some caches. It is done inside apache2.conf as well, with mod_rewrite:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule ^(.*)$ - [F,L]
Simple and easy. Now HEAD won’t work and the end user will get a 302 (not a 403, because we use full URLs in ErrorDocument, remember?). OK, so this will keep Indir from getting its dirty hands on our server, but a clever script kiddie will notice that indir/core/connect.pl uses this to check whether the server can be scanned:
# line 17
if (!$head_get) { $head_get = "HEAD"; }
Why? The explanation is simple. Almost all scanners use this technique to tell an existing file/directory from one that doesn’t exist. Here it uses HEAD to perform the checks and, based on the response codes (200, 404), decides whether or not to scan the server. We just disabled the HEAD method by restricting everything to GET/POST, but what if someone changes HEAD to GET? Of course Indir will work again, but we can handle this too. The trick is to respond to any non-existing content with a 200 code (found). You can use .htaccess in Apache to achieve this:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) http://website.com/$1 [R=200]
This will do the trick, but unfortunately you will never know whether content is missing on your webserver. This can be fixed by pointing the RewriteRule at the custom handler mentioned above and producing custom logs from it, like this:
RewriteRule ^(.*) http://website.com/handler.php?type=$1 [R=200]
I think you will figure it out.
Well, that’s it for now. Have fun with testing and share your thoughts in comments.
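Rather than hiding the 404s, it is also possible to let them through and spot the burst they form. As an added example (my code, not from the original post), the script below reads combined-format access log lines, flags any client that produced more than a given number of 404s inside one clock minute, reports how much of that client's traffic used HEAD (the probe method Indir relies on), and emits Apache 2.2 "Deny from" lines for the flagged addresses. The log lines in the demo are constructed, modelled on the sample above; the addresses and function names are mine.

```bash
#!/bin/bash
# Added example, not from the original post: spot directory-enumeration bursts
# in a combined-format access log and emit Apache 2.2 deny rules for them.

# Print IPs that produced more than $2 (default 10) 404s inside one clock minute.
# Combined-format fields: $1 client, $4 "[dd/Mon/yyyy:hh:mm:ss", $6 "\"METHOD",
# $9 status.
scanner_ips() {
    awk -v limit="${2:-10}" '
        $9 == 404 {
            minute = substr($4, 2, 17)          # 02/Jun/2010:14:35
            hits[$1 "\t" minute]++
        }
        END {
            for (k in hits) if (hits[k] > limit) { split(k, p, "\t"); bad[p[1]] = 1 }
            for (ip in bad) print ip
        }' "$1" | sort
}

# Percentage of requests from IP $2 that used HEAD. Scanners like the one in
# the post probe with HEAD only; browsers almost never send it.
head_ratio() {
    awk -v ip="$2" '$1 == ip { total++; if ($6 == "\"HEAD") head++ }
                    END { if (total) printf "%d\n", 100 * head / total; else print 0 }' "$1"
}

# Turn the flagged list into Apache 2.2 access-control lines.
deny_rules() {
    scanner_ips "$1" "$2" | sed 's/^/Deny from /'
}

demo() {
    local log i path
    log=$(mktemp)
    # Constructed lines modelled on the post's sample; 10.0.0.5 is the scanner,
    # 192.0.2.7 an ordinary visitor with a single missing favicon.
    {
        i=0
        for path in index.html index.shtml index.aspx index.cgi index.php3 index \
                    /cgi.cgi/ /webcgi/ /cgi-914/ /cgi-915/ /bin/ /cgi/ /mpcgi/ /cgi-bin/; do
            printf '10.0.0.5 - - [02/Jun/2010:14:36:%02d +0200] "HEAD /%s HTTP/1.1" 404 - "-" "-"\n' $((i/3)) "$path"
            i=$((i+1))
        done
        printf '192.0.2.7 - - [02/Jun/2010:14:36:05 +0200] "GET / HTTP/1.1" 200 3120 "-" "Mozilla/5.0"\n'
        printf '192.0.2.7 - - [02/Jun/2010:14:36:09 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"\n'
    } > "$log"
    echo "flagged: $(scanner_ips "$log" 10 | tr '\n' ' ')"
    echo "HEAD share for 10.0.0.5: $(head_ratio "$log" 10.0.0.5)%"
    deny_rules "$log" 10
    rm -f "$log"
}
demo
```

Run it from cron against the rotated log, and the output can be appended to an Include'd file of Deny lines; the per-minute bucket keeps a visitor who follows a few stale links over an afternoon from ever being flagged.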
SSH (no key forwarding)
by d2 on Jun.02, 2010, under solution
This sometimes happens on Linux. You expect your key to be usable on the remote host through agent forwarding, but it isn’t. The root cause is the key agent, which under GNOME is the ssh-agent started by gnome-keyring. It sometimes dies for no obvious reason but stays in the process table as a zombie.
# Signals do not remove a zombie (it has already exited and is only waiting to be
# reaped by its parent), so this loop is a last resort; select by process state
# rather than grepping for the letter Z anywhere in the ps output.
for signal in {0..20}
do
kill -${signal} `ps -eo pid,stat | awk '$2 ~ /^Z/ {print $1}'` 2>/dev/null
done
or look at the parent:
# ps -awfx|grep -v grep
  960 ?        Ss     0:00 gdm-binary
 1160 ?        S      0:00  \_ /usr/lib/gdm/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
 1175 tty7     Ss+   17:02      \_ /usr/bin/X :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-6RpoH3/database -nolisten tcp vt7
 2051 ?        S      0:00      \_ /usr/lib/gdm/gdm-session-worker
 2714 ?        Ssl    0:00          \_ gnome-session
 2834 ?        Zs     0:00              \_ [ssh-agent] <defunct>
 3000 ?        S      1:23              \_ metacity --sm-client-id ***
 3002 ?        Sl     1:08              \_ gnome-panel --sm-config-prefix /gnome-panel-kINX8m/ --sm-client-id *** --screen 0
 3006 ?        S      0:16              \_ nautilus
 3022 ?        S      0:00              \_ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
 3032 ?        S      0:00              \_ /usr/lib/gnome-disk-utility/gdu-notification-daemon
 3034 ?        S      0:00              \_ python /usr/share/system-config-printer/applet.py
 3037 ?        S      0:00              \_ gnome-volume-control-applet
so the parent process of ssh-agent is 2714 (gnome-session).
Now you can:
- kill parent process, which is (I think) not an option here since we will have to kill entire gnome-session :)
- find out why ssh-agent is not forwarding keys anymore
We will go with option 2. Before we fall into void(), make a test to see whether your regular key can be used with the default options:
# cd ~/.ssh
# ls -al
# ln -s mykey id_dsa
# ssh root@server
You can stick with this solution, but if you are using more than one key you will regret it :) (unless you add more “default” keys in the config you won’t be able to connect anywhere). Well, finally, check which keyring socket ssh-agent is using:
# strace ssh-add
[...] at the very end you should notice:
connect(3, {sa_family=AF_FILE, path="/tmp/keyring-4ZHEOn/socket.ssh"}, 110) = -1 ENOENT (No such file or directory)
# ls -al /tmp/keyring-4ZHEOn/socket.ssh
ls: /tmp/keyring-4ZHEOn/socket.ssh: No such file or directory
now go to /tmp, start the agent again, see which keyring directory was created and make a symlink to its socket (or to the entire directory):
# gnome-keyring-daemon -c ssh
# cd /tmp
# ls -al |grep keyring
drwx------ 2 krzysiek dba 4096 2010-02-12 13:55 keyring-oKwdoF
# ln -s keyring-oKwdoF keyring-4ZHEOn
It’s done :) You have a working ssh-agent again. Remember to reopen your terminal session in order to make the change persistent. (The cleaner alternative is to point the running shell at the new socket with export SSH_AUTH_SOCK=/tmp/keyring-oKwdoF/socket.ssh instead of creating symlinks in /tmp.) But the freaking zombie stays until you reboot, or at least log out so that gnome-session exits and the zombie is reaped :/
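As an added example (my code, not from the original post), here is a small diagnostic for the situation above: it lists zombies from ps output (pid, parent and command, since only the parent can reap them), classifies the exit code of ssh-add -l (0 keys listed, 1 agent reachable but empty, 2 no agent behind SSH_AUTH_SOCK, which is the case in the post) and looks for a live agent socket under /tmp to export instead of symlinking. The ps snapshot in the demo is constructed; the socket path patterns are the gnome-keyring and plain ssh-agent defaults, and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original post: diagnose a dead or unreachable
# ssh-agent before touching anything in /tmp.

# List zombies as "pid ppid command" from 'ps -eo pid,ppid,stat,comm' text.
# A zombie has already exited: no signal removes it, only its parent can reap
# it (or the parent exits and init adopts and reaps it).
zombies_from_ps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# Map the exit code of 'ssh-add -l' to a word: 0 keys listed, 1 agent
# reachable but empty, 2 nothing answers at SSH_AUTH_SOCK (the post's failure).
agent_state_from_rc() {
    case "$1" in
        0) echo ok ;;
        1) echo empty ;;
        2) echo unreachable ;;
        *) echo unknown ;;
    esac
}

# Probe the agent at socket path $1 (defaults to $SSH_AUTH_SOCK).
agent_state() {
    local sock="${1:-$SSH_AUTH_SOCK}"
    if [ -z "$sock" ]; then echo unreachable; return; fi
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1
    agent_state_from_rc $?
}

# Look for agent sockets under /tmp (gnome-keyring: keyring-*/socket.ssh,
# plain ssh-agent: ssh-*/agent.*) and print the first one that answers.
find_live_agent() {
    local s
    for s in /tmp/keyring-*/socket.ssh /tmp/ssh-*/agent.*; do
        [ -S "$s" ] || continue
        if [ "$(agent_state "$s")" != unreachable ]; then echo "$s"; return 0; fi
    done
    return 1
}

demo() {
    # Constructed 'ps -eo pid,ppid,stat,comm' snapshot modelled on the post.
    local ps_sample='  PID  PPID STAT COMMAND
 2714     1 Ssl  gnome-session
 2834  2714 Zs   ssh-agent
 3000  2714 S    metacity'
    local sock
    echo "zombies (pid ppid command):"; zombies_from_ps "$ps_sample"
    echo "current agent: $(agent_state)"
    if sock=$(find_live_agent); then
        echo "live agent socket: $sock  (export SSH_AUTH_SOCK=$sock)"
    else
        echo "no live agent found; start one with: eval \"\$(ssh-agent -s)\""
    fi
}
demo
```

Exporting SSH_AUTH_SOCK from the path find_live_agent prints fixes the shell at hand without creating a predictable symlink in /tmp; the zombie line tells you which parent (here gnome-session) has to exit before the entry disappears.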