See a suspicious IP on your box and wonder what it's doing? Here's a one-liner that lists the files open by the process talking to that IP (replace 127.0.0.1 with the address in question; netstat only shows the owning PID when run as root):

# lsof -p $(netstat -npat | gawk '$5 ~ /127.0.0.1/ {print $7}' | cut -d"/" -f1 | tail -n1)
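An added example, not from the original post: the same netstat parsing as a reusable shell function that returns every PID with a socket to the IP (the one-liner above keeps only the last match via tail -n1) and skips sockets whose owner netstat prints as "-" because it could not see the process. The netstat output it is exercised against is constructed.

```shell
#!/bin/sh
# Constructed sample of `netstat -npat` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:22             198.51.100.7:51522      ESTABLISHED 2140/sshd: root
tcp        0      0 10.0.0.5:80             198.51.100.7:40012      ESTABLISHED 1503/httpd
tcp        0      0 10.0.0.5:80             203.0.113.9:40013       ESTABLISHED -
tcp        0      0 10.0.0.5:3306           198.51.100.7:33060      ESTABLISHED 1744/mysqld'

# pids_for_ip IP   (reads `netstat -npat` output on stdin)
# Prints the unique PIDs that have a socket to IP, one per line, sorted.
pids_for_ip() {
    awk -v ip="$1" '
        # Only connection rows; $5 is "host:port" of the foreign address.
        # The host part is compared exactly, not as a regex, so 10.0.0.5
        # does not also match 10.0.0.55.
        $1 ~ /^tcp/ {
            split($5, fa, ":")
            if (fa[1] == ip) {
                split($7, pp, "/")        # "2140/sshd: root" -> "2140"
                if (pp[1] ~ /^[0-9]+$/)   # skips "-" (owner not visible)
                    print pp[1]
            }
        }' | sort -un
}

# files_for_ip IP   lists the open files of every process talking to IP.
# lsof -p accepts a comma-separated PID list, so all matches are shown.
files_for_ip() {
    pids=$(netstat -npat 2>/dev/null | pids_for_ip "$1" | paste -s -d, -)
    [ -n "$pids" ] && lsof -p "$pids"
}
```

Run `files_for_ip 198.51.100.7` as root to get the combined lsof listing for all matching processes.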


Well, with Anonymous' attempt to take down the internet a couple of days ago, one of the words that keeps popping up is hacktivist. Wikipedia defines hacktivism as

"…the use of computers and computer networks as a means of protest to promote political ends"

This is not to be confused with hacktavision, which is hacking your old Activision game console to play MAME games.

I am curious as to what these people are protesting, as all I ever seem to hear is that they are attacking someone to protest something. I personally don't feel that a protest has as much weight as individuals publicly voicing their opinions. Anonymity seems to fall into obscurity, in my opinion. Now if you tell everyone who you are and still hacktivate an attack, always remember: it's the martyr that gets all the credit.


Here's a nifty little trick with vimdiff: say you want to compare the output of two commands. You can do so with a little process substitution:

# vimdiff <(cat /etc/passwd) <(cat /etc/shadow)

I know this is silly, since you can simply vimdiff the files directly without the redirects. But say you want to compare who is currently logged in with the last 10 people who logged in.

# vimdiff <(who) <(last|head)

Boom.

Note: the space between the ')' and the '<' is required.

This is a quick setup of MySQL replication, but it only works if both servers are new builds with no dataset.

On the master:

1. Put the following in my.cnf in the [mysqld] section:

server-id=1
log-bin=master-bin

2. Run the following one-liner:

# /etc/init.d/mysqld restart; mysql -e "GRANT REPLICATION SLAVE ON *.* TO '$user'@'$slave_ip_addr' IDENTIFIED BY '$password';"; mysql -e "RESET MASTER;"

On the slave:

1. Put the following in my.cnf in the [mysqld] section:

server-id=2

2. Run the following one-liner:

# /etc/init.d/mysqld restart; mysql -e "CHANGE MASTER TO MASTER_HOST='$master_ip_addr', MASTER_USER='$user', MASTER_PASSWORD='$password', MASTER_LOG_FILE='master-bin.000001', MASTER_LOG_POS=98;"; mysql -e "START SLAVE;"

Often, when being hit by a plethora of connections, it is good to tally them all up by source address and see if there is a specific origin that looks questionable.

# netstat -an | grep "ESTABLISHED" | awk '{print $5}' | cut -d ":" -f1 | sort | uniq -c | sort -n

Post Office Protocol (POP) is one of the protocols used to retrieve mail from an email server. The term reflects the way email is 'popped' off the server and stored on the client. The most commonly used version is POP3.

1. Download the latest version of cacti from the dag repository.

# wget http://packages.sw.be/cacti/cacti-0.8.7g-2.el5.rf.noarch.rpm

2. Install cacti (this will restart the apache process):

# rpm -Uvh cacti-0.8.7g-2.el5.rf.noarch.rpm

3. Create the MySQL database:

# mysql
mysql> create database cactidb;
mysql> GRANT ALL ON cactidb.* TO cactiadmin@localhost IDENTIFIED BY '$PASSWORD';
mysql> flush privileges;

4. Import the default cacti database:

# mysql cactidb < /var/www/cacti/cacti.sql

5. Edit include/config.php and specify the database type, name, host, user and password for your Cacti configuration.

# vi /var/www/cacti/include/config.php
$database_type = "mysql";
$database_default = "cactidb";
$database_hostname = "localhost";
$database_username = "cactiadmin";
$database_password = "$PASSWORD";
$database_port = "3306";

6. Set the appropriate permissions on cacti's directories for graph/log generation:

# chown -R cacti /var/www/cacti/rra/ /var/www/cacti/log

7. Update snmpd.conf to allow cacti to pull info, then restart snmpd. Note that the last view line exposes the whole OID tree to that view, so keep the community that uses it restricted to the Cacti host.

# vi /etc/snmp/snmpd.conf
view    systemview    included   .1.3.6.1.2.1.0
view    systemview    included   .1.3.6.1.2.1.25.1.0
view    systemview    included   .1
# /etc/init.d/snmpd restart

8. Update the cacti vhost to allow your IP address and reload apache.

# vi /etc/httpd/conf.d/cacti.conf

Allow from 127.0.0.1 $YOUR_IP

# /etc/init.d/httpd reload

9. Add a line to your /etc/crontab file (system crontab format, so the user field is needed) similar to:

# vi /etc/crontab
*/5 * * * * cacti php /var/www/cacti/poller.php > /dev/null 2>&1

10. Finish the configuration in the web UI:

Default page: click Next.
Ensure "New Install" is selected: click Next.
All the defaults should be green. If there are a bunch of red, make sure it is looking in the right place for the files. Click Next.
Log in with admin/admin and set the password to '$PASSWORD'.

Nifty little one-liner to find who's running that problematic cronjob:

for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done


Contrary to popular media, the CSI has been around for nearly forty years. Its focus is computer and network security, not creating hokey computer references to catch criminals.

A user said they changed clients and now saw UIDs in place of usernames. At first I thought it was a client issue; as it turns out, it is a client issue in how it requests the directory listing. Unfortunately, the client was not smart enough to know its syntax was wrong for the newer command set. proftpd has a setting to stop advertising the newer listing commands, so the client establishes the connection with the older command set. Here is the information on the switch.

FactsAdvertise

Syntax: FactsAdvertise on|off
Default: FactsAdvertise on
Context: server config, <VirtualHost>, <Global>
Module: mod_facts
Compatibility: 1.3.2rc2 and later
The FactsAdvertise directive is used to control whether the mod_facts module advertises its MLST support via the FEAT command.

By default, the mod_facts module will list MLST in the FEAT response. FTP clients use this to determine whether to use the newer MLSD/MLST commands, or the older LIST/NLST commands. Some FTP clients, though, will attempt to use the newer commands just as if they were equivalent to the older commands, including supporting glob/wildcard characters. Section 2.2.2 of RFC3659 explicitly states that wildcard characters are not supported in the MLSD and MLST commands. Thus, to prevent problems when using such FTP clients with proftpd, you can disable the advertising of support for those commands using e.g. the following in your proftpd.conf:

FactsAdvertise off
