
Not Again! Cracked! Well, at least defaced…

WordPress has been kicking my a$$ recently.  First at Cordell and now on Kel.ly – either defaced or spamming with an ancient captcha.

Let’s chat about Cordell first.  We had some guys build a WordPress site maybe five years ago and it seemed to work okay.  We were using a couple (alright, maybe just one) of plugins but lots of custom code including a contact form.  Yeah, I know but someone wanted an additional contact form and that’s the way that it went down and five years later I inherit the site.

The contact form had an early captcha integrated rather than built as a plugin and, well, it just got old and easy to miss.  WordPress and the plugins stayed pretty current but the captcha stayed buried and wound up biting me.  The first sign of a problem was basically a denial of service attack.  The cracked captcha allowed 25K email connections a day and with the added overhead of the DNS lookups, the aging hardware in our rack began to tip.  The WordPress site is hosted at Hurricane Electric and they didn’t even seem to notice but when our LAN connectivity began to fail, I dropped to the logs to see who was doing what to whom.  I’m spamming me?  I guess that I should have seen that coming…

I installed the latest (4.7.1), restored the files, restored the database and stepped back to watch.  That lasted for two days.  This time the boys at HE called me after some other customers complained about the spam problem. At least they didn’t take my site down, right?  I dumped the hand crafted captcha and replaced it with a plugin that’s current.  Boom.

Fast forward two months and Kel.ly gets defaced!  What?  I’m running 4.7.1!  Wait, there’s 4.7.2?  Oops….  So I’m apparently not alone in my downrevedism.  And the guy that defaced my site got defaced.  Wow, try to keep up here.

Feb 4 – 1:54pm NG689Skw
Feb 5 – 8:41am MuhmadEmad overwrites
Feb 5 – 11:14am verifying the hack
Feb 5 – 11:38pm verifying the hack from a different machine
Feb 6 – 7:15am, 11:02am, 12:28pm, 1:32pm – verifying the hack
Feb 6 – 7:43pm repaired
Feb 6 – 7:44pm Lightweight from offshore and too late
Feb 7 – 7:17am Lightweight from offshore and too late

So I bumped WordPress to 4.7.2 and rolled back MuhmadEmad’s defaced page past NG689Skw’s defaced page to a page that I wrote (some might call that defacement) and all better.

 

Jolla or iPhone…

I’ve been talking about nabbing a Jolla phone since they incubated from Nokia but I can’t wait any longer.  The wait has been measured in years not weeks or months and when they indiegogo’d their tablet I cried.  At home I’m surrounded by Apple products to the point that my Nokia N900 is the only non-apple product in the house save the Sony TVs. At work I’m surrounded by Android phones but I just can’t assimilate to that.

You will now find a 6+ in my pocket and I’m liking it a lot.  While I’m still trying to figure out how to move around and answer a phone call, I  have managed to VPN into multiple networks (it’s okay, they’re mine) and RDP and VNC to multiple desktops.  There’s not a lot here to not like.

 


How do you spell VLAN?

It happens that I know how to spell VLAN but I can’t really use it in a sentence (other than this one) so I have been thinking that it might be time to learn.  I am surrounded by Customers that use VLANs with my equipment and we even talk about this VLAN or that VLAN and I know that if the equipment is on the wrong VLAN it’s not going to work.

As it turns out I actually know what a VLAN is and I think that I know what it does but I definitely can’t give a demo on it and I’ve never knowingly used one.  At my day job I am the network administrator and I have since 2007 been growing my collection of managed switches as the complexity of the building’s network has increased.  The network is now in a state where if my understanding of a VLAN is correct, then we need some.

Background

I am a Netgear guy through and through and I have managed to populate several companies with Netgear hardware as their complexity has grown and I have been asked to assist.  I’ve had good luck with the equipment and they seem to fix their problems as they add features and well, I identify with them.  We have both grown up from a place where a four port hub would suffice to a place where we need the features that someone like a Cisco or a Juniper can provide and we need to be able to manage it and afford it without going to school or having an IT department.  But I digress…

The network in question has these components:

  • a closet where all of the wall jacks terminate
  • a wall jack for all of the workstations
  • a DHCP server for workstations
  • an isolated area where corporate servers live
  • Internet facing servers providing email and web services
  • two separate lab subnets, each with its own DHCP server
  • a wireless network that remains isolated from the corporate LAN

With the exception of the wiring closet all of these areas have grown without planning.  The building was designed with all of this growth in mind (pauses for a bow) but none of the detail was designed – it’s all ad hoc.  Even my switch purchases were ad hoc but at least I had an eye on the future.  We have a number of unmanaged switches on our network and even the managed switches operate in an unmanaged manner.

Equipment List

  1. Netgear GS724TP – 24 port gigE Managed Switch
  2. Netgear GS724TP – 24 port gigE Managed Switch
  3. Netgear GS728TPS – 28 port gigE Managed Switch with POE
  4. Netgear GSM7212 – L2 12 port Managed Switch
  5. Netgear SRX5208 – Dual WAN Firewall
  6. Netgear R7000 Wireless Access Point

The Problem to Solve

Did I mention that some of the corporate servers are virtual in nature?  How about that some of the services that are used on the lab networks are provided by the virtual machines?  What about giving LAN access to some WiFi users and not others?  Ah, there’s the rub.  How do I get those small, lab networks to appear in other areas of the building without stringing cables everywhere?  Or said differently, how do I get rid of all of these different cables strung all over the place?

I’m thinking that this is why I need to learn how to spell VLAN.

The Ah-Ha Moment

Best practice suggests that one needs a management vlan in addition to a vlan for each subnet.  And most places that talk about this also remind you that shanking the setup of the management vlan is the best way to lock yourself out of a switch.  Now that I have the management vlan working I can reflect back on the number of times that I needed to factory default the switches with a smile on my face.  Let’s just say that I’m pretty dang good at it now.

One of the more difficult concepts that I needed to grasp was that of routing and the fact that vlans don’t want to route amongst one another.  Another was the complexity of creating a vlan-network on top of a non-vlan network.  I was smart enough to create a drawing to design the new network and just making the drawing helped me learn quite a bit.  Once I simplified the routing issues then I really started making some progress.  The real kicker was when I realized that my existing network would not work in a vlan network and that once I redesigned the network as a vlan network things really started coming together.

How We Made it Work

We have a four-port VLAN capable firewall that doesn’t do any VLAN work, shares our two WAN interfaces and creates a DMZ subnet that we use for our WiFi network.  I remember when I put that in service struggling to make all that VLAN stuff work without making any VLANs.  Well, now all of that VLAN stuff has come in handy.  I realized that there was no better way to create a separate networking environment in which to build a VLAN segmented network than to create a separate VLAN network on this network and then build the entire new network in there.  A sandbox for VLANs.


mySQL tricks

Setting Up the Initial MySQL Privileges

After installing MySQL, you set up the initial access privileges by running scripts/mysql_install_db. The mysql_install_db script starts up the mysqld server, then initializes the grant tables to contain the following set of privileges:

The MySQL root user is created as a superuser who can do anything.  Connections must be made from the local host.  Note:  The initial root password is empty, so anyone can connect as root without a password and be granted all privileges.
An anonymous user is created that can do anything with databases that have a name of ‘test’ or starting with ‘test_’.

Connections must be made from the local host.  This means any local user can connect without a password and be treated as the anonymous user.  Because your installation is initially wide open, one of the first things you should do is specify a password for the MySQL root user.  You can do this as follows (note that you specify the password using the PASSWORD() function):

shell> mysql -u root mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('xxxx');

or:

shell> mysqladmin --user=root password 'xxxx'
shell> mysqladmin --user=root password ''

Post-installation Setup and Testing

Use mysqladmin to verify that the server is running.  The following commands provide a simple test to check that the server is up and responding to connections:

shell> mysqladmin version --user=root --password=xxxx

mysqladmin Ver 8.40 Distrib 4.0.15, for pc-linux on i686
Copyright © 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are welcome to modify and redistribute it under the GPL license

Server version 4.0.15-standard-log
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/lib/mysql/mysql.sock
Uptime: 60 hours 45 min 39 sec

shell> mysqladmin processlist --user=root --password=xxxx

~$ mysqladmin processlist --user=cordinc --password=xxxxxxxx
+---------+---------+-----------+----+---------+------+-------+------------------+
| Id      | User    | Host      | db | Command | Time | State | Info             |
+---------+---------+-----------+----+---------+------+-------+------------------+
| 1219584 | cordinc | localhost |    | Query   | 0    |       | show processlist |
+---------+---------+-----------+----+---------+------+-------+------------------+

shell> mysqladmin variables --user=root --password=xxxx
cordinc@kilo:~$ mysqladmin variables --user=cordinc --password=xxxxxxxxx
+-----------------------------------------+-----------------------------+
| Variable_name                           | Value                       |
+-----------------------------------------+-----------------------------+
| auto_increment_increment                | 1                           |
| auto_increment_offset                   | 1                           |
| automatic_sp_privileges                 | ON                          |
| back_log                                | 50                          |
| basedir                                 | /usr/                       |
| binlog_cache_size                       | 32768                       |

shell> mysqlshow --user=root --password=xxxx

cordinc@kilo:~$ mysqlshow --user=cordinc --password=xxxxxxx
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| cordinc            |
+--------------------+

cordinc@kilo:~$ mysqlshow --user=cordinc --password=xxxxxxx cordinc
Database: cordinc
+----------------------------------+
|              Tables              |
+----------------------------------+
| jos_agora_adsense_config         |
| jos_agora_bans                   |
| jos_agora_bans_auto              |
| jos_agora_categories             |
| jos_agora_censoring              |
| jos_agora_config                 |
| jos_agora_feeds                  |
| jos_agora_forums                 |

shell> mysql --user=root --password=xxxx -e "SELECT host,db,user FROM db" mysql

OR

pete@thome:~$ mysql --user=root -p -e "SELECT host,db,user FROM db" mysql
Enter password:
+-----------------------+---------------+----------------+
| host                  | db            | user           |
+-----------------------+---------------+----------------+
| %                     | kel_wiki      | kel_mysql_user |
| %                     | kel_wordpress | kel_mysql_user |
| localhost             | kel_wiki      | kel_mysql_user |
| localhost.localdomain | kel_wiki      | kel_mysql_user |
+-----------------------+---------------+----------------+

There is also a benchmark suite in the ‘sql-bench’ directory (under the MySQL installation directory) that you can use to compare how MySQL performs on different platforms.  The benchmark suite is written in Perl, using the Perl DBI module to provide a database-independent interface to the various databases.  The following additional Perl modules are required to run the benchmark suite:

DBI
DBD-mysql
Data-Dumper
Data-ShowTable

shell> ./run-all-tests --user=root --password=xxxx

Database Administration

Exporting and Importing into and from ASCII Files using Load Data

Pulling data from MySQL into an external, ASCII File:

mysql> USE bugs;

mysql> SELECT * INTO OUTFILE 'users.dat'
    ->   FIELDS OPTIONALLY ENCLOSED BY '"' TERMINATED BY ';'
    ->   FROM profiles;

Importing the external file:

mysql> CREATE DATABASE martin;
mysql> USE martin;

mysql> CREATE TABLE profiles (
    ->   userid mediumint(9) NOT NULL auto_increment,
    ->   login_name varchar(255) NOT NULL default '',
    ->   cryptpassword varchar(34) default NULL,
    ->   groupset bigint(20) NOT NULL default '0',
    ->   disabledtext mediumtext NOT NULL,
    ->   mybugslink tinyint(4) NOT NULL default '1',
    ->   blessgroupset bigint(20) NOT NULL default '0',
    ->   emailflags mediumtext,
    ->   PRIMARY KEY (userid),
    ->   UNIQUE KEY login_name (login_name)
    -> ) TYPE=InnoDB;

mysql> desc profiles;

mysql> LOAD DATA LOCAL INFILE 'users.dat'
    ->   INTO TABLE profiles
    ->   FIELDS OPTIONALLY ENCLOSED BY '"' TERMINATED BY ';';

Exporting and Importing using mysqldump

shell> mysqldump --user=root --password=xxx --opt bugs > bugs.sql
mysql> create database bugs;
mysql> exit;
shell> mysql --user=root --password=xxx bugs < bugs.sql

Adding New users to MySQL

You can add users two different ways:  by using GRANT statements or by manipulating the MySQL grant tables directly.  The preferred method is to use GRANT statements, because they are more concise and less error-prone.

First, use the mysql program to connect to the server as the MySQL root user:

shell> mysql --user=root --password=xxxx mysql

Then you can add new users by issuing GRANT statements:

mysql> GRANT ALL PRIVILEGES ON *.* TO bugs@localhost
    ->   IDENTIFIED BY 'some_pass' WITH GRANT OPTION;

mysql> GRANT ALL PRIVILEGES ON *.* TO bugs@'%'
    ->   IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
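The clean-up implied by the initial-privileges section above (empty root password, anonymous user, open test databases) and a narrower alternative to the GRANT ALL ... @'%' account just shown, written out against the MySQL 4.x grant tables these notes describe. This is an added example, not part of Solomon Chang's presentation; the 'xxxx' and 'some_pass' values and the bugs database are the placeholders used in the notes.

```sql
-- Added example (constructed, not from the original notes). Run as MySQL
-- root on localhost right after mysql_install_db, on a 4.x-era server where
-- mysql.user still has a Password column.

-- 1. Show what the install left behind: anonymous accounts and empty passwords.
SELECT User, Host, Password
  FROM mysql.user
 WHERE User = '' OR Password = '';

-- 2. Remove the anonymous accounts and the wide-open test databases
--    (the anonymous user's grants live in mysql.db for 'test' and 'test_%').
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.db   WHERE Db = 'test' OR Db LIKE 'test\_%';
DROP DATABASE IF EXISTS test;

-- 3. Set a password on every root row, not only root@localhost; the install
--    often also creates root@<hostname>, which SET PASSWORD FOR root@localhost
--    leaves empty.
UPDATE mysql.user
   SET Password = PASSWORD('xxxx')      -- placeholder, replace with a real one
 WHERE User = 'root';

-- 4. Application account scoped to its own database and to local connections,
--    instead of ALL PRIVILEGES ON *.* ... WITH GRANT OPTION for bugs@'%'.
GRANT SELECT, INSERT, UPDATE, DELETE
   ON bugs.*
   TO 'bugs'@'localhost'
   IDENTIFIED BY 'some_pass';             -- placeholder from the notes

-- 5. Direct UPDATE/DELETE on the grant tables take effect only after a reload
--    (GRANT itself reloads automatically).
FLUSH PRIVILEGES;

-- 6. Verify: the first query should return no rows; the second shows exactly
--    what the bugs account can do.
SELECT User, Host FROM mysql.user WHERE User = '' OR Password = '';
SHOW GRANTS FOR 'bugs'@'localhost';
```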

Recovering from Password Problems

If you garble your GRANT commands or forget passwords and find that you don’t have access to the critical mysql table – even as the root user – don’t panic.  Become the superuser on the operating system (e.g. the UNIX root, not the MySQL root) and kill the MySQL process.  On a RedHat Linux system, you might be able to end MySQL through the command:
shell> /etc/rc.d/init.d/mysql stop

Now start up MySQL again, bypassing the grant tables, and assign a new password for the MySQL root user:

shell> cd /usr/local/mysql/bin
shell> ./mysqld_safe --skip-grant-tables 1>/dev/null 2>&1 &
shell> mysql -u root
mysql> use mysql
mysql> UPDATE user SET Password=PASSWORD('newpassword') WHERE user='root';
mysql> exit;

Now, find all MySQL Processes and kill them explicitly as root:

shell> ps ax | grep mysql
shell> kill xxxx   (or: killall mysqld)

Now, you can start MySQL again with the normal startup parameters, the password is now changed:

shell> /etc/rc.d/init.d/mysqld start

Database Backups

Because MySQL tables are stored as files, it is easy to do a backup.

mysqldump --user=root --password=xxxx --opt mysql > mysql.sql
mysqldump --user=root --password=xxxx --quick mysql > mysql.dump
mysqlhotcopy --user=root --password=xxxx --allowold --keepold mysql /home/zahn/backup

This is from a presentation that Solomon Chang gave some years back at an SGLUG meeting.  Pretty clever dude.

Nokia N900, part deux

It has been two years since I got this bad actor and it continues to serve me well.   I can remember all of my important appointments, find anyone with whom I’ve ever spoken and their phone number, send and receive pictures, Skype with my Mother (Wait!  She doesn’t have a computer!) log into any of my networks, oh and I can make a phone call.

Nokia gave up the ghost on Maemo with a head-fake to Meego and then an about-face to Windows Mobile.  There is a community built around Maemo and I still get updates  from community repos.

I learned today that while there are quite a few spin-offs from the Nokia change in direction to Windows that there is a new start-up complete with funding that is picking up the Meego patents and is going to produce a phone before the year’s end.

 

YAOS: Yet Another Operating System

I tend to try to simplify my life whenever possible.  I enjoy the Unix way of life: never do anything a second time if you can copy it from the first time.  What I’m trying to say is that I definitely haven’t done that here and may have, in fact, lost my way.

I obviously haven’t been paying attention recently because if I had I would have noticed before now that I’m supporting at least six operating systems in my daily life.  1) I sit in front of an XP desktop at my day job; 2) most of the people at my day job are running Windows 7; 3) my laptop (yesterday) was running Slackware Linux (as is kel.ly), 4) my semi-archaic phone is running Maemo, a Debian-based Linux distribution, 5) my wife is sporting an iPad running iOS 5.1.1, and 6) today I’m typing this on a brand new 13″ MacBook Pro running OS X Lion.  For grins, we deliver (at the day job) products on a Linux platform and also on a Windows Server 2008 platform.  Our infrastructure servers at work are a mixture of CentOS and Scientific Linux.

What the hell?  You only live once, right?

 

Since none of my buddies believe me….

Maybe they will believe someone else.  You are not in Kansas anymore.

Check out this article: http://arstechnica.com/security/2012/05/how-to-harden-your-smartphone-against-stalkers-android-edit

Oh, and the CBS show “Person of Interest” is total fiction with no base in reality.

 


The Eye Doctor

Did I mention that my Primary Care Physician thought that I needed an eye exam?  Well, he did.  That and a colonoscopy.  Yeah, that’s from a different dude and a different story.

So I sit in the chair and a Technician starts the testing with a vision test.  There’s a nice eye chart on the wall and I start in.  I read a couple of rows and so the Tech skips a row and we go straight to the hard stuff.  I struggle with the first couple of characters then I nail a couple and then I get completely stuck on the last one.  Hmmm, ahh, ohhh, ummmm.  You get the idea.  Well, the Tech apparently gets tired of waiting and for some reason is reluctant to call the test due to darkness so it says “it’s a number.”  Wow.  We test the other eye and in the process never get to the same line instead stopping on the previously skipped line.

Later, when the Doc and I are discussing the results the subject of my 20-20 vision comes up as demonstrated by the fact that I don’t wear glasses.  Does it count that my readers are hanging in plain sight from my shirt collar? Apparently not.  Did I mention that not only do I not have 20-20 vision but that I haven’t had 20-20 vision in four of five years?  I’m still trying to decide just how much credence I should place in my eye exam.

Cracked!

Gad Zooks!  We’re going old school with “cracked” instead of “hacked” but the bottom line is that the wiki got defaced.  Looking back I now see four clues that I should have heeded.  Not all are related but they are all clues.

May 31: I start with our DSL provider to get the reverse DNS settings straightened out for some of the mail servers.  One of our sister machines here is the mail server for our local LUG and those guys don’t seem to miss much.  This takes two weeks to complete and likely doesn’t have anything to do with any of these issues.

June 9: mail from bugtraq starts timing out. Well, they recently changed mail servers and I’ve got rDNS issues so I’m not sure where this falls.  I’m concerned that one of my milters is peeved about the names moving.

June 10: Logwatch reports a seg fault in one of the daemons.

June 12: Logwatch reports an attempt to use a known hack on the apache daemon.

June 18: STARTTLS posts a strange error.

June 20: I notice that the wiki is defaced.

So I’ve upgraded mediawiki, changed the creds, and restored from backup so it looks good.  I’m not paranoid but I am cautious so I’ve alerted my users, set some traps, and am waiting patiently in the bushes to see what crops up.

June 22 update: It appears that this may have just been a small misunderstanding, specifically the kind of misunderstanding that comes from not reading all of the docs.  I _may_ have allowed anonymous posting (default) and just confused defacing with bot editing.  Oops.

N900 from Nokia

I’m sporting a new phone.  Since Palm doesn’t seem to have a big future I figured that this might be a good time to jump ship and step into the 21st century.  I’ve had a Palm Pilot, a Visor, a Treo 90 (still no phone), and finally a Treo 600, complete with a phone bolted on but that’s it for me.  There appears to be no good way to get my contacts off of this thing and in this day and age, that’s a problem even for me.

Of course I can get the basic contacts off but no one seems to know what to do with the proprietary stuff like the four customizable fields or the contact categories.  Naturally that’s where I kept birthdays, spouses, kids, and anniversaries.  That’s 625 manual edits that I need to make.  Anyway, that’s why I decided to abandon ship and move to something else, hence the N900.  Okay, that and my Wife saying “when are you going to get a new phone?” and Kyle at Linux Journal singing the praises.