Today, I am forced to login into my ESX servers. Some accidents happened and my virtual servers went down. Seems to much snapshots i have made using a scheduler and fill up my datastore entirely.

There is only 2GB left from 500GB of storage. Therefore my machine cannot boot anymore. I tried to use VMware Virtual Client to move some of virtual disks but seems my network was so intermittent and the operations failed over and over.

Well I need to go inside the ESX and manually move the virtual disks. but that the problem, my network is not reliable. I can just let my ssh sessions interrupted while copying the disks.

And worse, ESX does not have screen installed. Hello! that is my favorite tool while playing in CLI. Seems I have to install one, so I can work anywhere as I in the server myself.

I tried to use Yum. But the Yum in ESX is just meant to use for updates only. What a lame!

More research comes up with ESX is built on RH3. That just cool! Just find any rpm that suite that distros, I think it will fit ESX.

And i found it in rpm.pbone.net! the link is:

http://rpm.pbone.net/index.php3/stat/4/idpl/5245464/com/screen-3.9.15-10.i386.rpm.html

and with a dependency that needed:

http://rpm.pbone.net/index.php3/stat/4/idpl/5246885/com/utempter-0.5.5-1.3EL.0.i386.rpm.html

Now, I have it installed and ready to move my virtual disks to external drive I attached to my ESX server!

I am having big headache today. My first dhcp servers with failover went into some problem. This is due to unproper shutdown last night. Tenaga Nasional Berhad (TNB)  should inform us that their maintenance took lot of time yesterday. As our UPS batteries is limited to 30-45 minutes, all servers died unexpectedly.

I have two dhcp server running side by side with failover mode. Next day, when everybody just started their working hours ,  i realized then the dhcp service for master server was down.

Tried to troubleshoot, I got this message over and over again. Quite dissappointed because the web is not helping and Uncle G lost his touch today.

Mar 11 19:53:13 ns3 dhcpd: failover peer dhcp-failover: I move from communications-interrupted to startup

Mar 11 19:53:13 ns3 kernel: [   45.856222] dhcpd3[3869]: segfault at 0 ip b7ea329b sp bfd155b0 error 4 in dhcpd3[b7e82000+94000]

Much has been done. I reinstalled the service, fallback to old config, use vmware to fallback to previous states, but i failed.

Until 6 hours later i found the problem. The clock differs a lot. Such a little error and it have the service mess up.  The date between the two servers differs 12 hours.

A very short command recovered the date correctly.

# sudo date 03111451

After that i restart the service and everything when to normal. Such a headache solved with the simplest command.

It has been a long time I have not touch the squid configuration and installation. Recently, when I tried to install it again, I found that the howtos in Internet was a little bit confusing and I did not manage to setup. Until I viewed the log file (/var/log/auth.log) then I understood what went wrong and managed to solve the problem.

My  objective is to create a new proxy server with limited access controlled by using PAM authentication. The original howto is from this page.  I modified it to suit my environment which is using Ubuntu 8.10 server installed on my ESX server (Virtualization is awesome!).

The steps i did:

1. Update the APT installer to find the latest packages

$ sudo apt-get update

2. Installed your squid and any dependencies.
In Intrepix Ibex, they use squid3 name instead of just squid. It made me mistakenly edited the wrong files several times.

$ sudo apt-get install squid3

3. Edit the main configuration files
We need to add 2 entry here to enable PAM authentication and force the PAM authentication. edit the squid.conf.

$ sudo vi /etc/squid3/squid.conf.

and add this lines to enable PAM authentication

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

And add this to force authentication to every user using it

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl pam proxy_auth REQUIRED
http_access allow pam

4. Configure the pam modules for Squid
Create a new file with name squid in /etc/pam.d/ and populate with this entry.

$ sudo vi /etc/pam.d/squid

Add the below lines. This is the alteration i did from the previously mentioned  howto.

auth             required        pam_unix.so
account         required        pam_unix.so

5. Start the squid service

$ sudo /etc/init.d/squid start

The service should starts smoothly if you are using the same distro and packages that i used. Actually configuring squid is quite straightforward but maintaining and managing different distros with different styles and packages versions is the confusing part.

Below you will find list of top 10 web vulnerabilities classified by OWASP, here is also description of the problem and some examples.

I will just give you the list in case you missed it before, i will not comment on any of these as there is already hot discussion about this matter on several sites/forums.

So here it starts:

1. Cross site scripting (XSS)

The problem: The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank’s Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that’s not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad. Additionally, use appropriate encoding of all output data. “Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser,” OWASP says.

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. “If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries,” OWASP writes.

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don’t use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

“References to database keys are frequently exposed,” OWASP writes. “An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature.”

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can’t avoid direct references, authorize Web site visitors before using them

5. Cross site request forgery

The problem: “Simple and devastating,” this attack takes control of victim’s browser when it is logged onto a Web site, and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or “remember me” functionality. Banks are potential targets.

“Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery,” Williams says. “Has there been an actual exploit where someone’s lost money? Probably the banks don’t even know. To the bank, all it looks like is a legitimate transaction from a logged-in user.”

Real-world example: A hacker known as Samy gained more than a million “friends” on MySpace.com with a worm in late 2005, automatically including the message “Samy is my hero” in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a  Google vulnerability allowing outside sites to change a Google user’s language preferences.

How to protect users: Don’t rely on credentials or tokens automatically submitted by browsers. “The only solution is to use a custom token that the browser will not ‘remember,’” OWASP writes.

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program’s configuration and internal workings.

“Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks,” OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company’s database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP’S WebScarab Project to see what errors your application generates. “Applications that have not been tested in this way will almost certainly generate unexpected error output,” OWASP writes.

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

“Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeout, remember me, secret question and account update,” OWASP writes.

Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage has to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it’s often poorly designed, using inappropriate ciphers.

“These flaws can lead to disclosure of sensitive data and compliance violations,” OWASP writes.

Real-world example: The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.

How to protect users: Don’t invent your own cryptographic algorithms. “Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing,” OWASP advises.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.

9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it’s necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

“The $17.4-billion retailer’s wireless network had less security than many people have on their home networks,” the Journal wrote. TJX was using the WEP encoding system, rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.

10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there’s no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as “123456.” A hacker might say ‘I wonder what’s in 123457?’ Williams says.

The attacks targeting this vulnerability are called forced browsing, “which encompasses guessing links and brute force techniques to find unprotected pages,” OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get “Platinum” passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.

How to protect users: Don’t assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user’s role and privileges. “Make sure this is done … every step of the way, not just once towards the beginning of any multi-step process,’ OWASP advises.

Comments and introduction to Top-10 list can be found on following:
www.owasp.org ( www.owasp.org )
www.networkworld.com (http://www.networkworld.com/news/2007/100407-web-site-vulnerabilities.html?page=1)
www.infoworld.com (http://www.infoworld.com/article/07/10/05/Top-10-reasons-Web-sites-get-hacked_1.html)
www.computerworld.com.au (http://www.computerworld.com.au/index.php?id=1126870565&eid=-6787)

Original article: http://www.zone-h.org/content/view/14865/1

Find seven top management errors here

Number Seven :
Pretend the problem will go away if they ignore it.

Number Six:
Authorize reactive, short-term fixes so problems re-emerge rapidly

Number Five:
Fail to realize how much money their information and organizational reputations are worth.

Number Four:
Rely primarily on a firewall.

Number Three:
Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed

Number Two:
Fail to understand the relationship of information security to the business problem — they understand physical security but do not see the consequences of poor information security.

Number One:
Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Source : http://www.sans.org/resources/errors.php?ref=3811

Spyware authors have ramped up their malicious code to invade users’ privacy at unprecedented levels. The following list describes some of the most malicious activities of today’s spyware, illustrating the need for solid antispyware defenses.

Changing network settings: To prevent signature updates for antivirus and antispyware tools, some spyware alters the infected machine’s network settings. This type of attack could edit the infected machine’s hosts file, apply outbound IP filters or alter the system’s DNS server so that all names are resolved by an attacker-controlled DNS server.

Disabling antivirus and antispyware tools: To prevent disinfection, some spyware disables antivirus and antispyware tools to lengthen the time the attacker can control the victim machine.

Turning off the Microsoft Security Center and/or Automatic Updates: Some spyware disables the Microsoft Security Center because its warnings about an inactive firewall or antivirus program could alert the user. Also, a few spyware specimens disable automatic updates to prevent the installation of patches.

Installing rogue certificates: Web browsers are configured by default to trust a small number of certificate authorities to vouch for SSL certificates from Web sites and code-signing certificates for software distribution firms. Some spyware extends the browser’s trust by adding the attacker.s own SSL and/or code-signing certificate to the browser’s trusted store.

Cascading file droppers: Once an attacker gets one spyware program installed on a machine, that sentinel program can grab other programs on a periodic basis, with each new program, in turn, grabbing others in a cascade. By spreading this cascade over several days, the attackers can stay ahead of antispyware signatures.

Keystroke Logging: Some spyware grabs keystrokes from the machine when a user visits a financial services or e-commerce Web site. To address this threat, some organizations use virtual keyboards, where an image of a keyboard on a screen prompts the user to click on-screen buttons to enter a password. Attackers have responded by using malicious code that grabs small screenshots around the mouse pointer to capture the user’s password even with a virtual keyboard.

URL monitoring, form scraping, and screen scraping: Some spyware monitors all of the URLs a user visits. When sensitive sites are accessed, this spyware grabs a copy of all form elements submitted to the site, in an attempt to gather account and authentication information, a technique called form scraping. Screen scraping spyware grabs a screen image with sensitive data on it.

Turning on the microphone and/or camera: Some malicious code can turn on a microphone or even a video camera attached to a system, thereby substantially invading the users’ privacy.

Pretending to be an antispyware or antivirus tool: Some particularly nefarious spyware pretends to be an antispyware, antivirus or other security tool. These programs tell the user that they are defending against attack, while actually attacking the user, in a classic Trojan horse scenario.

Editing search results: A few spyware specimens locally edit the results of a user’s search, injecting ads into the search pages. The user thinks the ads came from the search engine itself, unaware that they are generated by locally installed spyware.

Acting as a spam relay: Some malicious code turns the victim machine into an e-mail spam relay, so an attacker can spew millions of messages through a group of controlled systems. Blacklisting and tracking down the attacker become far more difficult with an onslaught of spam-relay systems.

Planting a rootkit or otherwise altering the system to prevent removal: The most pernicious spyware alters the operating system in very subtle yet powerful ways to prevent its detection and removal. Uninstalling some spyware is so onerous that users are sometimes faced with complete reinstallation of their operating system and applications.

Installing a bot for attacker remote control: Some spyware comes bundled with a bot, a tool attackers user for remote control of large numbers of systems, in ranges from tens of thousands to millions of infected systems.

Intercepting sensitive documents and exfiltrating them, or encrypting them for ransom: Some targeted spyware, especially that associated with spear phishing attacks, is designed to steal sensitive documents from a specific organization. Other variants encrypt the data, letting the attacker offer the decryption key in exchange for a ransom payment.

Planting a sniffer: A few spyware specimens include sniffers to grab network traffic, including user IDs and passwords from other systems near the infected machine.

Source :
http://www.sans.org/resources/top15_mal_spyware.php?ref=3726

I have just tried NetBeans again. Last time I tried, it didn’t caught my intention much. May be that day, Eclipse serve me enough. But last night I tried the NetBeans again, and I quite impressed with the software.

There is code templates for PHP language, I tried to search on Internet for the code templates lists but I can’t found anything that can helped. It will really helpful if we have a cheat sheet for that.

So I listed the code templates here. Maybe someone will found it helpful.

]]> http://abechik.wordpress.com/2008/10/08/netbeans-php-code-template/feed/ 1 fadli http://abechik.wordpress.com/2008/08/24/pidgin-failed-to-connect-to-yahoo-behind-firewall/ http://abechik.wordpress.com/2008/08/24/pidgin-failed-to-connect-to-yahoo-behind-firewall/#comments Sun, 24 Aug 2008 03:03:20 +0000 fadli http://abechik.wordpress.com/?p=92 ]]>

I am running my Pidgin behind a firewall that is blocking Yahoo port 5050. It is keep me annoyed and made me to use Meebo to keep connecting. I can just use official Yahoo IM client to connect but well…… I just preferred OSS applications to prop’s apps.

Currently, Pidgin  do not support Firewall with no proxy option which make the connection to yahoo is painful. However I stumbled upon this page that give me an idea how to make it posibble.

http://developer.pidgin.im/wiki/Protocol%20Specific%20Questions#WhycantIconnecttoYahoofrombehindafirewallorNAT

I have change the default port from 5050 to 80 and alhamdulillah! It is connecting!

Change the default port! then lets pray.....

Ketika sedang troubleshoot network (DNS server problem) kat tempat aku, aku terjumpa tool ni. Very good and quite easy to deploy. First time tengok laman web dia dah terasa ada something interesting la.

OpenDNS ialah public DNS server yang turut tawarkan web content filtering. Senang citer dns server yang ble prevent orang dari pi kat laman2 web yang tak senonoh tu. haaa tu dia. nak guna dia senang je.

1. create satu akaun untuk manage content filterer
2. setkan ip yang korang selalu guna, ada option static ip and dynamic ip kat sini
3. kat internet browser tu setkan dns server untuk guna server OpenDNS ni
   (208.67.222.222 and 208.67.220.220)

Lepas tu bila orang nak pi ke laman tak sepatutnya, ia akan blok site tu dari dilayari. contoh macam bawah ni:

Untuk network kat tempat aku, oleh sebab dah ada dns server sendiri dan perlu hos domainname company maka aku tak ble guna cara yang straight forward untuk block users. jadi aku setkan forwarders kat setting dns server aku (kira macam set dns proxy la ni). senang je oooiiii. dua line je dah jalan.

Macam ni, kat file /etc/init.d/named.conf atau /var/named/chroot/etc/init.d/named.conf tu appendkan dua line ni kat bahagian options. macam gambar ni:

Lines yang perlu ditambah dalam config file

Ok! dah settle. reload semula server tu. tak yah restart la, buang masa je.

/etc/init.d/named reload

ok, dah reload tu. lps tu korang akan dapat result yang sama dengan bila korang terus adjust setting web browsers. tapi lebih mudah untuk buat deployment sebab tak ada perubahan lain korang buat pada komponen lain dalam network korang atau setiap browsers pengguna.

Sekarang dah web filter dah jalan dah tapi aku nasihatkan korang untuk ketatkan security firewall, setkan semua connection ke dns server ke luar harus melalui dns server korang. jangan bagi diorang bypass dns server tu. ala guna iptables command je.