
Posts

Showing posts from 2016

Joined #TOKUGAWA

The first track-back (reversal) I did was on some Japanese hackers who staged out of South America. Here's an excerpt from the log of the server they attacked:

    200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 51
    200.165.33.242 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
    200.165.33.242 - - [18/Jun/2006:20:32:34 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
    200.165.33.242 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
    200.165.33.242 - - [18/Jun/2006:20:33:08 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6564
    200.165.33.242 - - [18/Jun/2006:20:33:14 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
    200.165.33.242 - - [18/Jun/2006:20:33:19 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
    200.165.33.242 - - [18/Jun/2006:20:33:25 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
    200.165.33.24…

Guesswork

Dear Mr. Perez, the CIA does not engage in "guesswork." To say on national news (CNN 12/12/2016, 12:02PM Pacific, COX channel 1031) that the CIA used "guesswork" to conclude that "Russians" were engaged in cyber-espionage to influence our electoral process is insulting to an army of people who have dedicated their lives protecting your right to say that they are engaged in "guesswork."

This national concern with the FBI and CIA and their "counter" analysis of the cyber activity around the DNC/RNC "hacking," is a clear show of how the American public has lost trust in its intelligence community. I wonder when the mistrust of these organizations started. Could it be the way in which Hollywood has depicted them? I can't remember the last movie I saw where FBI cyber operations was portrayed in a positive manner.

The FBI investigates crime. For crime to happen there has to be a victim. You could argue "liberty" and &…

Tyranosaurus'rex'

Today I discovered REX. This is the regular expression extract tool for splunk. As I stared at these syslog records I wondered, how can I get the IP addresses out of that shiznit? rex was the answer.

A simple rex for a WatchGuard log to get the allow/deny on a report:

    [the search] | rex field=_raw ".(?<action>Allow|Deny)."

(The name of the capture group between `(?` and `Allow` was eaten by the page's HTML; `action` is a stand-in for whatever field name the original used. Splunk's rex needs a named group of the form `(?<name>...)` to create the field.)

Yes, that's a pipe, because you are piping the results through rex. Splunk just gets more and more fantastic.

Alas, I am at 82% of my license. I'm going to have to fork over another G-note to expand my collection. It's worth it because I love to bask in the orgy of denial.

Chrome and Google DNS

You should lock down your DNS. No machine should be calling out to upstream DNS directly. You should set up a local DNS relay so that all DNS goes through it, and that machine can then relay upstream to the ISP DNS.

That said, you may find one day that your box is calling out to DNS on 8.8.8.8 or 8.8.4.4. A quick ARIN lookup on those and you see it's Google. Turns out, if you are using Chrome, then you will see these DNS requests appear in your logs.

Chrome calls up to 8.8.8.8 and 8.8.4.4 to check "internet" health. If it can't get a connection to those IP addresses then it boldly proclaims there is no internet connection.


401K and IRA

You asked why I don't like to invest money into 401K and IRA funds. Well, I do. The problem with a 401K is in the government management and oversight. The small business I own is designed for heavy weight at the top of the salary scale as it's a Subchapter S corporation. That means all of the profit passes through to the principal shareholder at the end of the fiscal year. That pushes my income to very high levels sometimes, much higher than the employees. As a result, the audit on the 401K causes a reimbursement of funds to make it "fair."

Every year I get a fat check back out of the 401K that I don't want. So what's the point of investing money into a retirement fund that refuses to grow past an arbitrary limit? It's a waste for me, so I don't put excess money into it.

The IRA is another fun vehicle. There are limits on how much you can put into that type of fund. Then you have to hope that it grows. I have a Legg-Mason IRA and for about 5 years i…

Robot Me

Some time ago, feels like years, my cousin's daughter proclaimed that she wanted to be a robot. She was 6 at the time, I think. Samurai Lucy probably knows the exact date of this conversation I had with my cousin, as it was on facebook.

I told my cousin that her daughter was the greatest robot ever built. Indeed we are. Our soft bodies are cushions for the hard endoskeleton that keeps our body able to be rigid. We have control circuitry distributed throughout our bodies with a central computer. That central computer is controlled by an expert system that knows how to integrate signals and train several connected neural networks.

We are the greatest robot ever built because we are self-locomotive. We create our own energy, don't need to get an external battery to replace old ones. Our computer is capable of work using single electrons and their quantum spin. Our ligature learns how to adapt to its environment, like those incredible Boston Dynamics [1] robots.

We are the greates…

Splunk To root or Not To root

Today I added some add-ons to my splunk and did some sysadmin on the server. Restarted and noted the splunkd was not running. Ahh, well, that's typical. Starting the splunk daemon is easy enough:

Start Splunk - from the people who made splunk.

There are two ways to start splunk, as you can read from above. One is to run the "splunk" process from your root shell after logging in. This will run splunk as root. The other is to use the nifty systemctl service script to daemonize the process.

Prior to today, I had the same problem and ran the splunk process as root. This was foolish. If you happen to have once started splunk as root, and then successfully started splunk as the "splunk" user, you will find that your splunk login page is empty. You get the background picture, but no input controls.

Damn. Google that, nada. Damn again.

Today, I learned a lot more about selinux and permissions and labels, so I investigated the "web_service" log (/opt/splunk/var/…

DNS Custom Logs and selinux

If you google "named custom logs selinux" you will find quite a bit of chatter about setting up custom logs outside of /var/log for DNS (named). These posts are interesting, but they tend to be run-on posts about learning selinux and becoming an expert on named.

What do you need to know? If you have set up custom logging locations in your /etc/named.conf file, such as:

    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

Then you will likely see errors like this in /var/log/messages:

    Oct 26 11:41:13 namedsvr setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named/chroot/var/log/named. For complete SELinux messages. run sealert -l 6eab4aaf-e615-4ade-9e88-4efdc789eaf2

Then you run the sealert command as suggested by the very friendly selinux audit log and you are told:

    #============= named_t ============== #!!!! The source type 'named_t'…

To N or Not To N, That is The Question?

In Microsoft SQL Server you can hash using T-SQL[1]:

    declare @hash varchar(200)
    set @hash = '15174141714252'
    print hashbytes('MD5', @hash)

This is a nifty feature, of course, because you can now send your passwords over the unsecured SQL connection and do your hashing on the server. Secure your connection [2], please, before doing this.

Note the use of varchar(200) in the code block. The Microsoft sample shows the use of nVarChar. Does it matter what we use? Turns out, yes. The code block above returns: 0x5B17965D4E33B04FD8848E536165D013 That is also the same hash produced using System.Encoding.GetBytes(blah) and the .NET MD5 digest provider.

If you opt to use nVarChar:

    declare @hash nvarchar(200)
    set @hash = convert(nvarchar(200), '15174141714252')
    print hashbytes('MD5', @hash)

You will get something different: 0xBA48394E1385A2C633AB7F8339231B56 nVarChar and nChar use Unicode encoding [3] to process the string bytes. The default encoding on…