Brainfish Eat Fishbrain

Cpanel: Monitoring :2082 logins

2009-10-26T03:07:00.000-07:00

Simple script to send you all new logins of the day. Seeing something strange would trigger further research.

#!/usr/bin/perl

chdir('/root');

$d = `date +%m/%d/%Y`;
chomp($d);

@logins = `cat /usr/local/cpanel/logs/access_log|grep $d|awk '{print \$1 " " \$3}'|sort|uniq`;

$x = "";

foreach(@logins) {
 chomp; 
 /(.*?)\ (.*)/;
 next if $2 eq "-";
 $z = `whois $1|grep addres|tail -n 1`;
 chomp($z);
 $x.="$z $1 $2\n";
}

if (not -f "./latestscan") {
 `touch ./latestscan`;
}

$y = `cat ./latestscan`;

exit if $y eq $x;

open(F, ">latestscan");
print F $x; 
close F;

 $sendmail = "/usr/sbin/sendmail -t";
 open(SENDMAIL, "|$sendmail") or die "Cannot open $sendmail: $!"; 
 print SENDMAIL "Reply-to: root\@myserver.org\n"; 
 print SENDMAIL "Subject: Login report hostf1\n"; 
 print SENDMAIL "To: alerts\@yourserver.com\n"; 
 print SENDMAIL "Content-type: text/plain\n\n"; 
 print SENDMAIL $x; 
 close(SENDMAIL);

Watching series; I don't want to touch my computer

2009-10-25T00:58:00.000-07:00

When I watch series I don't want to touch my computer and I watch all episodes in one fell swoop; if I do something like mplayer *.mpg it crashes, so that doesn't work. This does, run like;


./play "*.mpg"


./play "*.avi"

The code;


#!/usr/bin/perl

$a = "";
foreach(@ARGV) {
 $a.=" " if $a; 
 $a.=$_;
}

while(1){foreach(glob("$a")){`mplayer -fs \"$_\"`}}

Cpanel security: scanning for usage or upload of c99 shell script (or other scripts)

2009-10-24T05:08:00.000-07:00

Sometimes users upload stuff to your server or use scripts you don't want used. To detect them fast, I wrote this script.


#!/usr/bin/perl
    
use Digest::Perl::MD5 'md5_hex';

chdir('/root/');
`touch ./scanned` if not -f "./scanned";

%h = ();
open(F, "scanned");
while() {
 chomp;
 $h{$_} = 1;
}
close F;

@x = `cd /etc/httpd/domlogs/; grep c99me *`;
open(F, ">>scanned");
$s = "";
foreach(@x) {
 chomp;
 $m = md5_hex($_);
 next if $h{$m};
 print F "$m\n";
 $s.=$_."\n";
}
close F;

if ($s) {
 $sendmail = "/usr/sbin/sendmail -t";
 open(SENDMAIL, "|$sendmail") or die "Cannot open $sendmail: $!"; 
 print SENDMAIL "Reply-to: root\@myserver.org\n"; 
 print SENDMAIL "Subject: Found some illegal stuff on server\n"; 
 print SENDMAIL "To: alerts\@somewhere.com\n"; 
 print SENDMAIL "Content-type: text/plain\n\n"; 
 print SENDMAIL $s; 
 close(SENDMAIL); 
}

Cpanel security: cron update all Wordpress installations on your server

2009-10-24T04:21:00.000-07:00

Two simple scripts. Use with caution and at your own risk. Might eat your machine and piss off all your users.


!/usr/bin/perl

`rm -fR wordpress`;
`wget http://wordpress.org/latest.zip`;
`unzip latest.zip`;

@all = `ls -la /home/|awk '{print \$3}'|grep -v root`;

foreach(@all) {
 chomp;
 next if /^$/;
 `./updatewp $_`;
}


#!/usr/bin/perl

$host = `hostname`; 
chomp($host);

$u = $ARGV[0]; 

exit if !$u; # user as arg

exit if not -f "/home/$u/public_html/wp-config.php"; # not wp install

# you shouldn't actually have the readme.html, but if it's there it's a bit faster
$v1 = `cat /home/$u/public_html/readme.html|grep Version > dev/null`;
$v1 =~ /Version\ (\d+\.\d+\.\d+)/;
$v1 = $1; 

$v2 = `cat wordpress/readme.html|grep Version`;
$v2 =~ /Version\ (\d+\.\d+\.\d+)/;
$v2 = $1;

exit if $v1 eq $v2; # already updated

`cp -a wordpress /home/$u/wp_int`;

`cp -rpf /home/$u/public_html/wp-config.php /home/$u/wp_int`;
`cp -rpf /home/$u/public_html/wp-content/* /home/$u/wp_int/wp-content/`;
`cp -rpf /home/$u/public_html/.htaccess /home/$u/wp_int/`;

`chown $u.$u /home/$u/wp_int`;

`cp -a /home/$u/public_html /home/$u/wpback\`date +%d%m%y\``;

`cp -rpf /home/$u/wp_int/* /home/$u/public_html/`;

`rm -fR /home/$u/wp_int`;

$x = `lynx -dump http://$host/~$u/wp-admin/upgrade.php`;

if ($x =~ /Database Upgrade Required/isgm) {
 `lynx -dump http://$host/~$u/wp-admin/upgrade.php?step=1\&backto=`;
}

print "Updated $u\n";

Mac OS X Firefox 3.5 intervals to 100% CPU about every 30 seconds

2009-08-03T07:37:00.000-07:00

Yesterday suddenly my Firefox started to show the busy mouse pointer about every 30 seconds. Very annoying as it was completely unusable during about 5 seconds, and then 30 seconds later again etc.

I removed my Profile in ~/Library and checked if it was FF or something in my profile. Ofcourse it was something in my profile.

Checking my files I saw one file that looked 'odd' ; places.sqlite was rather huge (I do browser a lot), however sqlite can handle quite big databases. Anyway; I ran a

rm -f places*

and restarted FF. No more 100%. Fixed.

What is going on I don't know; it looks like FF is running some kind of really bad query on that sqlite every +/- 30 s which is messing up the whole thing.

Checking/repairing all MySQL tables

2009-06-30T01:18:00.000-07:00

Caution: on busy servers this will make a lot of load. Use only when you suspect/know tables are broken.


#!/usr/bin/perl

$mysql = "/var/lib/mysql";

@res = `cd $mysql; find .|grep MYD`;

foreach(@res) {
 chomp;
 /\.\/(.*?)\/(.*?).MYD/;
 $tab = $1.".".$2;
 print `mysql --execute='repair table $tab'`; 
}

A simple, non bloated script for Amazon S3 backups (Linux, easy portable) - II - recurse to subdirs

2009-02-06T03:44:00.001-08:00

To follow this, please read this post first.

We needed to backup our images from http://www.picturepush.com to S3 for our premium members so we were searching for a simple script to do that one time. As in my previous post; there is no such thing. Bloated, uninstallable shit is the only thing there is.

So I changed the code a bit and added;


foreach($_SERVER["argv"] as $d) {
 recurse_copy($d, $d);
}
exit;

function recurse_copy($d, $org) {
 foreach(glob("$d/*") as $d1) {
  if ($d1=='..' || $d1=='.') continue;
  if (is_dir($d1)) {
   recurse_copy($d1, $org); 
  } else {
   // put on s3
   global $s3;
   global $bucket;
   $s3->putObjectFile($d1, $bucket, $d1);
   echo "Storing: ".$d1."\n";
  }
 }
}

below the last;


array_shift($_SERVER["argv"]);

A simple, non bloated script for Amazon S3 backups (Linux, easily portable)

2009-01-03T09:01:00.000-08:00

While searching for scripts to backup files from Linux -> S3 (servers) I was surprised how difficult it was to find any nice, trim ones. There are huge java jars filled with crap to do it ofcourse;


dbserv01:~# ls -lah js3tream.jar 
-rw-r--r-- 1 root root 3.2M 2007-12-19 15:07 js3tream.jar

Come on. 3.2M... What does that include? Windows Vista?

Sure js3tream is actually nice software. Portable and it works. It's incredibly, mindbogglingly slow (but ofcourse, Java is not slow these days as many people tell me...) on my quad Xeon servers. But yeah, it has the features you would want. Except encryption of the files I upload; you arrange that in a different way please. Come to think of it; other features are missing as well.

There is S3Sync in Ruby which is actually nice and working well, but still too much hassle to get going as simple script. But no complaints about the speed or size of that.

Then there is some rsync thing in Python (I forgot the name and the HELLLLLLLLLLLLLLLLLL I went to to install it will not make me remember it any time soon).

So, as almost all things in life, if you want it done right, you just have to do it yourself. I don't find it pretty at all, but it weighs in, including comments, at 36 kbs, which is, by far the smallest possible script I could find for the purpose I needed.

I'm not counting rar or gpg as they are not included in the other ones either, but when counting them it wouldn't go over 1 mb.

Download http://undesigned.org.za/2007/10/22/amazon-s3-php-class

And install:

- rar (apt-get install rar)
- gpg (apt-get install gnupg)
- php (apt-get install php5-cli php5-curl)

Then edit the Amazon S3.php; put on top of it;


#!/usr/bin/php


if (sizeof($_SERVER["argv"])<4) {
 echo "Usage: ./s3backup bucket ident dir dir dir\n";
 exit;
}

$bucket = $_SERVER["argv"][1];
$ident = $_SERVER["argv"][2];

define('PHPARTIALS_FILE_AWS_S3_ACCESSKEY', '');
define('PHPARTIALS_FILE_AWS_S3_SECRETKEY', '');
define('PHPARTIALS_FILE_RAR_ENCRYPT', '');
define('PHPARTIALS_FILE_GPG_ENCRYPT', '');

$s3 = new S3(PHPARTIALS_FILE_AWS_S3_ACCESSKEY, PHPARTIALS_FILE_AWS_S3_SECRETKEY);

#print_r($s3->getBucket($bucket));exit;

$l = $s3->listBuckets(true);

if (!in_array($bucket, $l)) {
 $s3->putBucket($bucket, S3::ACL_PRIVATE);
}

$fn = $ident."-".strftime('%d%m%y%H%M').".rar";

array_shift($_SERVER["argv"]);
array_shift($_SERVER["argv"]);
array_shift($_SERVER["argv"]);

$f = implode(' ', $_SERVER["argv"]);

$cmd = "rar a -hp".PHPARTIALS_FILE_RAR_ENCRYPT." $fn $f";

echo `$cmd`;

$fn1=$fn.".enc";

$cmd = "gpg --batch --yes --trust-model always --encrypt --recipient '".PHPARTIALS_FILE_GPG_ENCRYPT."' -o $fn1 $fn";

echo `$cmd`;

$s3->putObjectFile($fn, $bucket, baseName($fn1));

print "Backup created!\nSize: ".filesize($fn1)." bytes\n";

unlink($fn);
unlink($fn1);

exit;
?>

Rename the S3.php to something like s3backup and chmod 700 s3backup to make it executable.

You put your 2 keys for Amazon S3 in the Amazon defines, a password for rarring in the RAR password define and the name of the user your public key is for on that system to GPG encrypt the rar.

To add a public key for GPG, just put your GPG Public key in a file, say /root/mypub.key and run;

gpg -a --import /root/mypub.key

And all will be fine.

Filthy Rotten Scriptkiddies - Blackmailing Siteowners

2008-11-24T19:55:00.000-08:00

A friend of mine owns a site which has very little traffic and sells a niche product. Because he gets so little traffic, alarm bells immediately sound when suddenly there is a spike.

If there would be a spike, he would be rich probably, but the chances of that happening are very slim.

Anyway, this night, the guy called me up at 3:30 saying he received an email from some hotmail address saying something like ;

I understand how much revinue you bring in each month, I can bring that down to 0 if I wish. Think I'm kidding? Think this is a joke?

And then his demands.

So, me thinking this was indeed a joke, asking why he )(@#%()#@% woke me. But it wasn't a joke. The site was down. Very much so for 1.5 hour already. Costing my friend money.

A bit groggy from sleeping I could not imagine this being anything else than some lame DOS attack; one or a few computers bonking away on :80.

Unfortunately that was not the case at all.

This was a quite (for this kind of lame threat / blackmail) heavy DDOS. After a few minutes I already collected (and blocked) over 200 unique ips (from different classes mostly).

In this blog I have shown more than ones some ideas for catching and blocking DDOS attacks from within Linux and this one was rather a simple one and could be simply blocked using;

List of Linux tricks

Few notes here; Apache (or whatever you might use) queues all those income connections and leaves them connected even though they are blocked. Because of this,
during the attack, I run from the cron; */10 * * * * service httpd restart. Making Apache immediately kill of those bad connections, but finish off the real ones with a real response. At least you'll have service for most people using this method.

Ofcourse it required a bunch of tweaking as the attacker changed his strategy quite often to make it more difficult.

I don't get people who do this and I certainly don't understand how they can mount such a huge attack with so many different IPs.

Edit: attack has been going on for 9 hours now... site doing fine.

MacOSX / Bootcamp / Installing Windows XP without SPs / there is not enough disk space on $ntservicepackuninstall$ to install service pack bla

2008-11-13T15:11:00.000-08:00

Sometimes you have to do things you don't want. Today I needed to install something under Windows to convert some fileformat (media file format) for which I cannot find Linux or Mac converters. Not even Mplayer can play it. Only some weird proprietary Windows app.

So basically; I needed Windows. And I hate Windows. And not without passion; I really hate it. But ok, enough about that.

I have a Mac Mini standing on my desk gathering dust (oh did I mention I hate Mac OS X too?), so I thought ; I can install on that.

Not that easy. Requires an XP disk with SP2. And ofcourse I didn't have that. As I really don't want to pay for stuff I already have, I took an XP version from 2001 (so without any SPs) and tried to find a way to install that on the Mac Mini. Legal as I don't even have the computer anymore on which is belonged, but I have the 'authentic Windows crap sticker' still.

The installation from within Bootcamp went 'smooth', although Windows doesn't want to shutdown or restart, you have to force it down by holding the shutdown button.

And almost none of the software/drivers Apple provides work without SP2. Even worse (well... not much worse); Mac OS X doesn't boot anymore.

Anyway; I got the SP2 download and burnt it on a CD under Linux and tried to install it under the non-SP version on the Mac Mini. Unfortunately, it started yelping about some missing 4 mb's of space....... 4 mbs. Ofcourse I have more than 20 gb free so that could not be right.

Quite annoyingly, the Mac community is not of the technical details; when searching for these kind of problems, people keep repeating in forums that I insulted my Mac by installing Windows OR that I did not read and MUST HAVE SP2 Windows install CD OR that I should just reinstall everything. All very helpful. Not.

So I was faced with two problems;

- no more Mac OS X
- Windows couldn't install the SP so I couldn't install any drivers etc

The former was not that important for me as I don't like Mac OS X that much and certainly never use it if I can avoid it.

But for the latter I started this whole adventure, so I couldn't give that up.

I read all messages about this problem and the solution turned out to be very (very) simple;

Windows-R (Start->Run)
regedit

Add a String

key = BootDir
value = C:\

To

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup]

And rerun the SP2 installer.

Why didn't they just SAY so?

Anyway; if/when I have Mac OS X back I'll report it here and people can use nice old CD's of XP they find in car boot sales, instead of paying money to that company we all love.

Edit: Well, that was ofcourse kind of simple;

- remove the read only flag from c:\boot.ini
- edit boot.ini
- put at the end c:\CHAIN0="Mac OS X"
- save
- put this file in you c:\
- reboot

Not Boot Camp, but working fine.

Creating databases in cpanel remotely

2008-10-04T11:40:00.000-07:00

Lately I was wondering how one would go about creating databases in cpanel without having to log on. Do it from PHP or something and create a somewhat 'nicer' interface to that 'nice' cpanel stuff.

It proved to be trivial to do anything with the system; that is in face kind of nice and has been a relief for me as I thought it would be (much) more difficult.

Here is a code snippet how to do this easily. It return PHPartialsResult, but you can replace that with 'true' or something.


  function remote_account_create_db($host, $user, $pass, $dbname) {
   $conn = "http://$user:$pass@$host:2082/frontend/x3/sql/addb.html?db=$dbname";
   file_get_contents($conn); 
   return PHPartialsResult::ok();
  }

  function remote_account_create_dbuser($host, $user, $pass, $_user, $_pass) {
   $conn = "http://$user:$pass@$host:2082/frontend/x3/sql/adduser.html?user=$_user&pass=$pass&pass2=$pass";
   file_get_contents($conn); 
   return PHPartialsResult::ok(); 
  }

  function remote_account_create_dbuserconnection($host, $user, $pass, $_user, $_db) {
   $conn = "http://$user:$pass@$host:2082/frontend/x3/sql/addusertodb.html?ALL=ALL&user=$_user&db=$_db";
   file_get_contents($conn); 
   return PHPartialsResult::ok(); 
  }

Using tcpproxy for http forwarding? Add X-Forwarded-For!

2008-04-25T15:05:00.000-07:00

TCPProxy is one of the most beautiful tools I know of; it was nicely programmed, but above all; it has no bugs. None. We are routing millions of pageviews a day of hundreds of thousands of unique users through it and it has never let me down. It is fast, uses almost no CPU and is very very robust (I miss FTP support, but further it is totally perfect).

This unlike Apache (proxy pass) or Squid or the many other, less known, proxies I tried. Apache is especially crappy; proxy pass is riddled with bugs; under load it simply is unusable. And most of them are feature-heavy; too feature heavy; they are a pain to set up, but trivial things like not binding to 0.0.0.0 etc or simple config files they have not.

We have the necessity to route web traffic via different machines in different places and ofcourse I wanted to use tcpproxy for the task, but it has no x-forwarded-for and so we were pissing our users (with forums, blogs etc) off. So I decided to hack tcpproxy for this. And it works. Serving the millions of pages through it. With x-forwarded-for.

This was tested on 1.1.9;

In tcpproxy.c, search for these lines;


int proxy_request(config_t *x, int cfd)
{
int     sfd, rc, bytes;

and change to:


int     sfd, rc, bytes, first=1, i;
char    *hp, *hp1;
char    tmp[4096];

then search for;


  else if (write(sfd, buffer, bytes) != bytes) {
                                syslog(LOG_NOTICE, "client write() error");

and change that to;


else {
if (first && (
 (buffer[0] == 'G' && buffer[1] == 'E' && buffer[2] == 'T') ||
 (buffer[0] == 'P' && buffer[1] == 'O' && buffer[2] == 'S' && buffer[3] == 'T') ||
 (buffer[0] == 'P' && buffer[1] == 'U' && buffer[2] == 'T')
 )) {

 hp = &buffer;
 *(hp+bytes)='\0';
 hp = strstr(buffer, "\r\n\r\n");
 if (hp) {
  hp1 = &buffer;
  i = abs(hp1-hp);
  *hp = '\0';
  memcpy(tmp, buffer, bytes+1);
  strupr(buffer);
  if (!strstr(buffer, "X-FORWARDED-FOR")) {
   sprintf(buffer, "%s\r\nX-Forwarded-For: %s\r", tmp, x->client_ip);
   hp = &tmp;
   hp += i + 1;
   i = bytes - i - 1;
   bytes = i + strlen(buffer);
   hp1 = &buffer;
   hp1 += strlen(buffer);
   memcpy(hp1, hp, i);
  }
 }
}
first = 0;

if (write(sfd, buffer, bytes) != bytes) {
                                syslog(LOG_NOTICE, "client write() error");
 
           break;
                                }

}

Compile it and it'll add X-Forwarded-For.

Debootstrap must be the most brilliant thing ever conceived

2008-04-09T04:41:00.000-07:00

Are you lazy?
Are you tired of installing the same shit across Linux servers?
Are you sick of compiling the latest & greatest bag of mplayer/ffmpeg/lame on all your systems?
Are you becoming suicidal when someone asks you to send you a 'working out of the box version'?

You don't need to be :) Install once, run anywhere (on Linux ofcourse, but what else would you run anyway huh);

Install debootstrap;

apt-get install debootstrap

I personally find it nicest to have everything in a file (so you can easily copy one file and leave it at that);

First make a loopdevice (3 gb file);

dd if=/dev/zero of=/myETCH bs=1M count=3000

Set up kernel loopdevice if you didn't;

insmod loop.o

Set up the loop device;

losetup /dev/loop0 /myETCH

Format the loopdevice with ext3;

mkfs.ext3 /dev/loop0
mount /dev/loop0 /myETCH

then remove everything again;

umount /dev/loop0
losetup -d /dev/loop0

Your loopdevice is now ready for use!

mount it with;

mount -t ext3 /myEtch /etchinstall -o loop=/dev/loop0

If you do not want a loopback device, simply run;

mkdir /etchinstall

After this you can proceed with installing Debian etch;

debootstrap etch /etchinstall

Wait for it to be done.

Then mount proc;

mount -t proc proc /etchinstall/proc

then you can chroot it;

chroot /etchinstall

And there you are; your own nice, contained version of Debian Etch.

Install whatever you want into it. Provide your friends with the loop file /myEtch when you want to have 100% the environment as you!

Heavy encrypting files on your linux box

2008-03-31T15:50:00.000-07:00

After some nasty run-in with reality I decided to day to take better care of my passwords. By encrypting them with GnuPG, I thought I would stand a much better chance when my laptop gets stolen. I am lazy so I already have my HD encrypted, but, for the super paranoid, as I am becoming more and more, I now also have my passes seperate encrypted in a vault file with 4096 gpg encryption.

How? Very simple; first generate a pub/priv key pair;

gpg --gen-key

then add two files to your path;

enc;


#!/usr/bin/perl

$file = $ARGV[0];
$file1 = $ARGV[1]; 

if (!$file or !$file1) {
 print "Usage: ./enc input output\n";
 exit;
}

print `gpg --encrypt --recipient 'Your Name' -o $file1 $file`;

dec;


#!/usr/bin/perl

$file = $ARGV[0]; 

if (!$file) {
 print "Usage: dec input\n"; 
 exit;
}

print `gpg --decrypt $file`;

Then make sure you have zero writing tool to delete the original, to be encrypted, file and you're all done :)

Mysql (or other) dump in PHP

2008-03-09T21:09:00.000-07:00

I a lot of sourcode I see the calling of mysqldump to dump tables. Doing so needs all kind of OS dependent path settings and so on, so I thought I share a simple function for dumping a table from MySQL in PHP:


  function _mysqlDump($table, $toFile) {
   $f = fopen($toFile, "w");
   $qry = "select * from $table";
   $q = mysql_query($qry);
   if (!$q) {
    echo "Could not dump $table\n";
    return;
   }
   while($r = mysql_fetch_assoc($q)) {
    $i1 = ""; $i2 = "";
    foreach($r as $k=>$v) {
     if ($i1) {$i1.=","; $i2.=",";}
     $i1.=$k;
     $v = mysql_real_escape_string($v);
     $i2.="'$v'";
    }
    fputs($f, "insert into $table ($i1) values ($i2);\n");
   }
   fclose($f);
  }

The advantage of this is that it creates total inserts which is handy when you want to recreate the database with the content intact.

Inserting the content back into the database is trivial ofcourse:


   $f = fopen($toFile, "r");
   while($s=fgets($f, 128000)) {
    if (trim($s)) mysql_query($s);
   }
   fclose($f);

Commandline Rapidshare.com downloader

2008-03-08T21:28:00.000-08:00

Sometimes you would want to download files from rapidshare via the commandline because the webinterface sucks. Did I say sometimes? You *never* want to use the webinterface :)

You have to have a premium account to use it.


#!/usr/bin/perl

$user = $ARGV[0];
$pass = $ARGV[1];
$file = $ARGV[2];

`mkdir ~/.cookies; wget --save-cookies ~/.cookies/rapidshare --post-data "login=$user&password=$pass" -O - https://ssl.rapidshare.com/cgi-bin/premiumzone.cgi > /dev/null`;

open(F, $file);
while() {
 chomp;
 next if /^$/;
 print `wget -c --load-cookies ~/.cookies/rapidshare $_`;
}

Automatic destruction of phishing sites

2008-03-08T00:50:00.000-08:00

The Americans are getting worse with their phishing 'resolutions'; a lot of provider down your server and others implement draconian measures like giving you less than 1 hour to remove the site before they shutdown your equipment. Because we are a small company, we cannot sit behind email 24/7. So we had to be smart instead of hiring more people.

How does it work? Make an 'abuse' gmail account, have your mailsystem forward all abuse mails to it. Then run the below program in CRON */5. It'll basically remove all scamming sites from existence after a complaint.

Ofcourse you need to tweak it for your purpose/host.


#!/usr/bin/php

$mbox = imap_open ("{pop.gmail.com:995/pop3/ssl/novalidate-cert}INBOX", 
        "xxyyzzaabbccdd@gmail.com", "yourpass");

$msgs=imap_headers($mbox);
foreach ($msgs as $index=>$header) {
 $content = imap_body($mbox, $index+1);  
 $header = imap_fetchheader($mbox, $index+1);
 $msg = $content;
 $content = $header.$content;

 $res  = array();

 preg_match("/Subject: (.*)/", $content, $res);
 $res = $res[1];
 if (strpos($res, "Abuse")!==false) {
  $res1=array();
  preg_match_all("/(.*.yourdomain.com)/", $content, $res1);

  foreach($res1 as $r) {
   foreach($r as $r1) {
    $i = strpos($r1, ".yourdomain.com")-1; 
    $user= "";
    for(;$i>0;$i--) {
     if (in_array($r1[$i], array(' ', '/', '\n', '\r'))) break;
     $user=$r1[$i].$user;
    }  
    kill_user($user);

    mail("abuse@yourhoster.com", "Re: $res", 
        "Dear,\nThis account has been removed.\n\nThank you,\nA Friend\n\n\n$msg", 
        "From: afriend@yourdomain.com\n");
   }
  }

 }

}
imap_expunge($mbox);
imap_close($mbox);
?>

postfix, cannot connect to mysql server localhost

2008-03-03T13:49:00.000-08:00

When trying to run Postfix with virtual maps in MySQL, you can get the following error:


connect to mysql server localhost: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' postfix

This error is because postfix is running in chroot /var/spool/postfix. So it cannot find the unix socket for MySQL.

If you have the option to run mysql on 127.0.0.1 or on another IP, simply go to;

/etc/postfix

run;

grep localhost *

and replace all localhost to 127.0.0.1 or the IP in all files starting with mysql-virtual.

If you insist on running via unix sockets, you can simply fix it by running;

mkdir /var/spool/postfix/var
mount --bind /var /var/spool/postfix/var

Ater this, all will work fine.

Stupid DDOS attacks - a simple script and common sense

2008-02-29T11:24:00.000-08:00

Today we had some fun; a DDOS attack from some kind of botnet. We can hundreds (thousands) of IPs sending something to Apache like;


$MyNick Aando|$Lock EXTENDEDPROT

The new Linux kernel iptables can DROP/REJECT based on strings, but I was not going to recompile and install an experimental kernel for this 'little problem', risking more downtime than need-be.

So I used sniffing to detect problems:


tcpdump -n -vvv -i eth0 -A|grep -B 1 \$MyNick|grep \.80: > /tmp/ip.log

(grepping for port .80: because it is attacking my webserver)

Then a killer perl script to block the offending IPs:


#!/usr/bin/perl

%ips=();
open(F, "tail -f /tmp/ip.log|");
while(){
 chomp;
 /.*\)\ (\d+?\.\d+?\.\d+?\.\d+?)\..*?\>/;
 $ip = $1;
 next if $ip=~/127.0.0/;
 if (!$ips{$ip}) {
  $ips{$ip} = 1;
  `iptables -A INPUT -p tcp  --source $ip --dport 80 -j REJECT`;
  print "$ip blocked\n";
 }
}
close F;

This'll do it; server freed up and we could serve again nicely :) No need for recompiling at all!

Apache logs: simple log analyzer in Perl - II

2008-02-28T02:07:00.000-08:00

I added top 30 and bandwidth / minute;


#!/usr/bin/perl

# get handler to the logfile
open(LOG_FILE, "tail -f /var/log/httpd/access_log.users|");

# start the main loop
%users = ();
$cp=0;
$ct=time();
while() {
 chomp;
 
 $cp = time() + 5*60 if $cp==0;
 if (-f "/tmp/killtraffic") {
  %users=();
  `rm -f /tmp/killtraffic`;
 }

 my $t1 = time(); # timestamp for checkpointing

 my ($dom, $ip, $date, $req, $code, $ref, $client, $in, $out) 
                = /(.*?)\ (.*?)\ .*?\[(.*?)\]\ \"(.*?)\"\ (.*?)\ .*?\"(.*?)\"\ \"(.*?)\"\ (.*?)\ (.*)/;

 my ($method, $uri, $proto) = ($req =~ /(.*?)\ (.*?)\ (.*)/);

 my $get = 0;
 if ($uri =~ /(.*?)\?(.*)$/) {
  $uri = $1;
  $get = $2;
 }

 my $url = $dom;

 if (!$users{$url}) {
  $users{$url} = $in + $out;
 } else {
  $users{$url} = $users{$url} + $in + $out;
 }

 $cpc = time();
 if ( $cpc > $cp ) {
  $cp=0; 
  my $s="";
  $m = (time()-$ct) / 60;
  $count = 0;
  foreach(keys %users) {
   $s.=($users{$_}/1024)." kb - ".($users{$_}/1024/$m)." kb/min - ".$_."\n";
   $count++; 
   last if $count>30;
  }
  `echo "Count started $m minutes ago\n" > /tmp/traffic.log`;
  `echo "$s"|sort -n -r >> /tmp/traffic.log`;
 }
}


# never get here:
close LOG_FILE;

Apache logs: simple log analyzer in Perl

2008-02-28T01:38:00.000-08:00

Get Apache to log your bandwidth by putting in httpd.conf/apache2.conf;

LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %I %O" combined_io
CustomLog /var/log/httpd/access_log.users combined_io

And run the following perl script;


#!/usr/bin/perl

# get handler to the logfile
open(LOG_FILE, "tail -f /var/log/httpd/access_log.users|");

# start the main loop
%users = ();
$cp=0;
while() {
 chomp;
 
 $cp = time() + 5*60 if $cp==0; # set to refresh the traffic.log file every 5 min
 
 my $t1 = time(); # timestamp for checkpointing

 my ($dom, $ip, $date, $req, $code, $ref, $client, $in, $out) 
                = /(.*?)\ (.*?)\ .*?\[(.*?)\]\ \"(.*?)\"\ (.*?)\ .*?\"(.*?)\"\ \"(.*?)\"\ (.*?)\ (.*)/;

 my ($method, $uri, $proto) = ($req =~ /(.*?)\ (.*?)\ (.*)/);

 my $get = 0;
 if ($uri =~ /(.*?)\?(.*)$/) {
  $uri = $1;
  $get = $2;
 }

 my $url = $dom;

 if (!$users{$url}) {
  $users{$url} = $in + $out;
 } else {
  $users{$url} = $users{$url} + $in + $out;
 }

 $cpc = time();
 if ( $cpc > $cp ) {
  $cp=0; 
  my $s = "";
  foreach(keys %users) {
   $s.=($users{$_}/1024)." kb - ".$_."\n";
  }
  `echo "$s"|sort -n -r > /tmp/traffic.log`;
 }
}


# never get here:
close LOG_FILE;

By viewing /tmp/traffic.log, you'll see what/who is using most traffic.

A better killall and such

2008-02-24T23:09:00.000-08:00

Didn't you sometimes wish you had a 'superkill'; a kill that kills all processes with a certain text in it. Killall is supposed to do that, but actually never does, as you have to type the complete command which is a pain. So I usually type:

ps auxw|grep -i apache|awk '{print $2}'|xargs kill -9

in this case killing Apache (1 and 2).

To make life easier, as a regular part of my Debian and Ubuntu installs, I now have the command 'sk' (superkill) in /usr/sbin/sk;

#!/bin/sh

ps uaxw|grep -i $1|grep -v $0|grep -v grep|awk '{print $2}'|xargs kill -9

allowing me to run;

sk apache

and gone it is.

Now that I am writing this anyway; here is another missing command :)

find /some/directory -maxdepth 1 -type f -mtime +2 -exec rm {} \;

Into a file /usr/sbin/ro;

#!/bin/sh

find $1 -maxdepth 1 -type f -mtime +$2 -exec rm {} \;

Talking to SMTP / Mail via telnet to diagnoze mail problems on a server

2008-01-07T07:30:00.000-08:00

Mailserver diagnoses can be tricky: I personally find the easiest way to do it still using telnet in combination with the server logs to find out what exactly is wrong.

It is very easy to do:

telnet thehost.com 25

helo: myhost.com
mail from: me@myhost.com
rcpt to: someone@thehost.com
data

... type some data ...
.

quit

That is all; it will help to exactly determine where it goes wrong.

The case we had today;

- postfix didn't send mail ; it gave connection refused
- thoughts; firewall, network, dns etc.
- we tried the above and it worked fine, meaning postfix was the one refusing, not the network/firewall etc
- we fixed the postfix config and all was fine

PHP Posting to ASP.NET (ASPX) pages / sites

2008-01-06T08:30:00.000-08:00

If you want to post anything (for instance a login/password), you need to take the viewstate in order to be able to post anything to any aspx page, so request the page for the first time, in the same session:


  $ch = curl_init();

  curl_setopt($ch, CURLOPT_URL, $login_url);
  curl_setopt($ch, CURLOPT_HEADER, 1);
  curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  curl_setopt($ch, CURLOPT_POST, 0);
  curl_setopt($ch, CURLOPT_POSTFIELDS, array());
  $data = curl_exec($ch);

Then you collect the viewstate;


  $vars = array("login"=>$user,
                "password"=>$pass);

  $i = strpos($data, "__VIEWSTATE");
  $i = strpos($data, "value=", $i);
  $i += 7;
  $j = strpos($data, "\"", $i+1);
  $viewstate = substr($data, $i, $j-$i);
  $vars['__VIEWSTATE'] = $viewstate;

After that you can safely login to the site;


  curl_setopt($ch, CURLOPT_URL, $login_url);
  curl_setopt($ch, CURLOPT_HEADER, 1);
  curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
  curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $vars);
  $data = curl_exec($ch)

Analyzing MySQL usage; finding and fixing bottlenecks

2007-12-24T11:11:00.000-08:00

MyTop and Mtop are nice tools to analyze MySQL load and queries, however long running systems require another system, so I present a simple script to analyze longer running multi user databases for abusers and bottlenecks. The code is very easy to alter to retrieve other stats.
Otherwise you can always mail me to fix it for what you might need.


#!/usr/bin/perl

while(1) {
 # load all previous data, if any
 %users = (); 
 if (-f "./sql.log") {
  open(F, "./sql.log"); 
  while() {
   chomp; 
   # user no_queries tot_length
   /(.*?)\ (.*?)\ (.*)/;
   $users{$1} = "$2 $3";
  }
  close F;
 }

 @p = `mysql -u yyy --password=xxx --execute='show full processlist'`;
 for($i=3;$i<scalar(@p)-1;$i++) {
  $r = $p[$i]; 
  chomp($r); 
  @cols = split(/\t/, $r);

  next if $cols[4] eq "Sleep";

  $q = ""; 
  for($j=7;$j<scalar(@cols);$j++) {
   $q .= $cols[$j]." ";
  }
  next if $q=~/show full processlist/;
  next if $q eq "NULL";

  $u = $cols[1];  
  $l = $cols[5];

  $res = "";
  if (!$users{$u}) {
   $res = "1 $l";
  } else {
   $res = $users{$u}; 
   $res =~ /(.*?)\ (.*)/; 
   $l += $2;
   $t = $1 + 1;
   $res = "$t $l";
  }
  $users{$u} = $res;
 }
 
 open(F, ">./sql.log");
 foreach(keys(%users)) {
  $res = $users{$_};
  print F "$_ $res\n";
 }
 close F;
}