On Friday I definitely noticed something was not quite right but I was not sure, as the day progressed I felt that the left side of my face was being odd and my eyes were hurting. In a conference call I really noticed it as I started to speak and mentioned in IRC that I was having difficulty speaking clearly.

[17:25] <Scott-Mc> something is definitely wrong ,  even struggling to talk with the mic on the left side of my face:|
—– then 10 minutes later —–
[17:36] <Scott-Mc> god knows what is wrong with me, but I am even struggling to speak

After the conference was finished at about 6PM I started to think about all the things over the past few days and realized something wasn’t quite right and maybe it just wasn’t a bump to the head. So I decided to call the NHS direct 24/7 helpline and after describing my symptoms and answering some questions I got put through to a nurse. She started asking more specific questions because previously I had been unsure exactly what was wrong or how to describe it but within about 5 minutes she had determined what was wrong, told me what it was and had arranged for me to visit the doctor at the A&E.

During the call she asked me to go stand in front of the mirror and smile, it was then I realized that it wasn’t the left side of my face at all – this was perfectly normal, it was the right side. It was paralyzed and it was at this moment I freaked out, especially because she said I should go to the A&E just now.

It was very helpful just to speak to someone as otherwise I would have waited till Monday to go to the doctor if it had not cleared up but speaking to someone made me go immediately. The symptoms did rapidly get worse between about 2PM-6PM as I never noticed it when I looked in the mirror earlier.

I arrived at the A&E about 20 minutes later and waited 3-4 minutes to see a doctor. Again I described my symptoms and he told me I had Bell’s Palsy and explained it alittle. He prescribed me steroids for 1 week and some eye drops. When I asked if he knew how long it would take he said and I quote, “I wont lie, it can take awhile”. I was unsure what to make of this but when I returned home it was straight onto google to read more on it.

As it turns out the vast majority recover from it (85%) and they don’t know what causes it. So far it’s been 8-9 days and I would say that on the fourth day it showed signs of improvement that I definitely noticed (I could smile slightly more) but since then I don’t think it’s improved any which is alittle disappointing. I would really like it to go away ASAP!

At this point I have another appointment with the Doctor on Monday to check the progress, I am hoping it’s cleared up fully in about 2-3 weeks. I hope this is realistic but to be honest it doesn’t really effect me all that much. As I work from home I don’t notice it, the only thing I notice is my right eye can be alittle painful as I have to manually blink it but this has been improving in the past few days also. Overall I have a feeling I should treat this a serious thing but I have not been, still can’t believe it’s been over a week with it already (I was going to blog about it the day after).

What is surprising is the number of number of friends and friends of friends have had this, especially as I had never even heard of it before last week, the good news is that all of them it cleared up just fine, the bads news is that one of them took 6 months.

So in effort to find the initial cause of this with no real data to work from I had a search around the system for the usual suspects but couldn’t find any particular culprit. Manually inspecting nearly 2 million files was not an option so opted to carry on with the usual setup and enforced posix ACL’s against the apache user and setup some more explicit bandwidth monitoring to obtain data when an attack was occurring.

A few hours later an alert came in that the outbound bandwidth exceeded the threshold so I promptly begin investigating, The process list doesn’t seem to show any obvious usual culprits. After spending a few minutes with iftop and tcpdump I identified the targeted IP and that the traffic was being directed to a DNS server (port 53). I filtered traffic to this IP while investigating the source, as there was no unusual processes I decided to have alook at the apache status and found the GET request containing the destination IP and port (xxx.php?target=xx.xx.xx.xx&port=53).

I got the vhosts path from the httpd.conf and reviewed the file and it looks like a simple php script to perform a UDP flood to the target,

$sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);

while(true)
{
if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die("Error SendTo!!!");
}


That is a snippet of it. It is very unusual to see these PHP based which is the reason for this blog entry and a definite new addition to the search list.

For those of you interested the customer already had MRTG installed and below is the last week which shows the attack saturating the uplink (100Mbit) when it was occurring but has since been stopped.

While I work with and “hack” linux all day long modifying my phone was something I have never had the real urge to do.  I very rarely use my phone as I always either have or am close to a computer/laptop and the t-mobile 3g signal is useless.  I decided as I have some free time today that I will give it a go anyway – to my surprise it is actually surprisingly easy,  all of the work is already done for you amongst the very large community of users.

I initially looked at these 2 forums,

forum.xda-developers.com
modmygphone.com

Which then I simply ended up using

http://www.ryebrye.com/blog/2009/08/16/android-rooting-in-1-click-in-progress/ but did also read http://androidandme.com/2009/08/news/how-to-root-a-t-mobile-g1-and-mytouch-3g-android-phone/

Overall I am still surprised how much of the work is actually done already.   One thing that worried me was the differences between the US and UK in the phones themselves as I do not pay much attention to phone modding this is something that could potentially be a problem, I wasn’t sure if I should be worried about it (Especially with all the disclaimers about being targeted for the US version only) but it seems to have worked fine.  I only ran into 1 issue which had nothing to do with that and I will describe the details below below.

I mostly followed the ryebrye instructions and this is what I did.

-  On my laptop I downloaded http://g1files.webs.com/Zinx/flashrec-20090815.apk ,  copied this over to the SD card.
-  Used the market to find a file browser as I couldn’t see one by default.  The one I downloaded was FileDroid Lite.
-  Installed flashrec,  opened it,  clicked “Restore Backup Recovery Image” then  “Flash Cyanogen Recovery 1.4″

I then rebooted the phone into recovery mode by turning the phone off,  then holding the home button and the power button at the same time.   The recovery system did appear as described,

I selected the “nandroid backup” at this stage to backup the phone settings.  At this point I had thought that was it completed but this is actually only to be able to load the images.  So I booted the phone again.    Then on my laptop I downloaded, update-cm-4.1.99-signed.zip from http://n0rp.chemlab.org/android/experimental/ and copied this to the sd card.  I rebooted the phone again back into recovery mode and selected “wipe data/factory reset” and then “apply any zip from sd” and selected update-cm-4.1.99-signed.zip.   After hitting home and waiting for it to install I rebooted the phone.  It was said to be patient as it takes longer to boot but after 20 minutes I realized something was up as it was still stuck at the t-mobile logo.   I powered it back into recovery mode and instead of selecting “restore latest backup” I accidentally selected nandroid backup again which I paniced, aborted (pulled the battery out) but after turning back into recovery mode it was unable to restore the good image as it had already been overwritten.   At this point I had thought that I have bricked my phone as without a card reader I have no way to put an image to the SD card but as it turns out you can mount the SD card from the recovery console.

So I selected “go to console” from the menu and plugged the data cable back in to my laptop then executed,

echo /dev/block/mmcblk0 > /sys/devices/platform/usb_mass_storage/lun0/file

Which done the trick,  I was able to copy new roms to the sdcard and get my phone back and working.  From reading the forums (This thread) I read the instructions again and noticed signed-dream_devphone_userdebug-ota-14721.zip was required from http://developer.htc.com/adp.html#s3 so I copied this to the SDcard and booted back into recovery mode.

I selected “apply any zip from sd” and then signed-dream_devphone_userdebug-ota-14721.zip , once this was installed and the phone rebooted (I held home again) I selected “apply any zip from sd” again then selected the previous image (update-cm-4.1.99-signed.zip). Once this finished installing I rebooted the phone and success! it actually booted this time. After filling in the gmail info everything seems to work fine and all my contacts are there.

The first thing I done was check the console which this rom comes with a nice app “Terminal Emulator”, I executed “su” and was prompted to allow the superuser permissions (I assume this is from the “superuser permissions” app which seems to be installed and low and behold I was root.

Overall very easy process so a huge thanks to all the people that I linked to during the course of writing this. Hopefully I will get some time to play around more and write some scripts/apps that will benefit me and others.

Not knowing what to write about is generally what made me always not bother and then when there is a subject I am actually not that good at being creative.  The truth is though it is actually just lazyness that has stopped be.

So from today onwards I have decided to have an average of 2 blog posts per month and these can be about anything be it useful information,  a rant about a product/service or just a general meaningless post.

I have made a quick guide on how to setup a server specifically for MFA sites from start to finish. The server will consist of,

• Web server – Apache
• Database – mySQL
• Scripting Language – PHP
• FTP Daemon – vsFTPD
• DNS Server – Bind

We are going to assume you are using centOS and have yum available. This should only be used on a fresh install. So lets begin,

Installing Services

To make this quick we are just going to use the RPM’s available from the depositories. At the shell prompt execute,


yum -y install httpd httpd-devel mysql mysql-server mysql-devel vsftpd bind bind-libs bind-utils php php-cli


Once this completes you should see something like this,

Now that the services are installed it’s time to configure them.

Configure Apache

Depending on which centOS version you are using you will either have apache 1.x (centos4) or apache 2.x (centos5) we are going to assume apache 2.x however as the change are only minor config changes they are the same anyway.

Rather than opening and configuring we will just do a quick replacement on the file for the NameVirtualHost and to include a single file in which we will keep all the vhosts.


perl -pi -e 's/#NameVirtualHost \*:80/NameVirtualHost \*:80\ninclude conf\/domains.conf/g' /etc/httpd/conf/httpd.conf


This will edit the config for you and if you view the config you should see something like this

Configure DNS

When configuring the DNS we are only going to setup 1 domain which will be the primary nameservers, we will use masterdomain.com as an example throughout. There will not be any domains actually setup other than the primary nameserver domain as these will be setup later with the script we build.

Setup the standard configuration (recreating as centOS 5 does not provide /etc/named.conf)

cat >/etc/named.conf <<EOM
// Default named.conf generated by AdminGeekZ

EOM


Now setup the nameservers we will be using the following for our example,

- ns1.masterdomain.com -> 10.1.1.1
- ns2.masterdomain.com -> 10.2.2.2


cat >/var/named/masterdomain.com.db <<EOM
$TTL 6200
@ 6200 IN SOA ns1.masterdomain.com. server.masterdomain.com. (
2006070312
6200
7200
1419200
6200
)

/etc/init.d/named restart


Now we create a dns zone template, this is for our bulk setup script later.


cat >/etc/template.named <<EOM
$TTL 6200
@ 6200 IN SOA ns1.cdomain.com. server.cdomain.com. (
2006070312
6200
7200
1419200
6200
)

cdomain.com. 6200 IN A 10.1.1.1
EOM


Your /etc/named.conf should look something like this now,

That’s all that is required for this section of bind now.

Setting up FTP/SSH Account

For ease of use we will have all domains managed by one FTP account of the username node which accesses /home/httpd/domains


mkdir -p /home/httpd/domains
adduser -d /home/httpd/domains node
echo "my??password12" | passwd node --stdin


You will have to chown and chmod this directory later for extra security.

Creating Setup Script

We will now use a script which can be used to add domains easily, this will use the base we already setup earlier.

The Script

cat >/root/setup.sh <<EOF
#!/bin/bash

EOF
chmod 700 /root/setup.sh


That’s the script created and to add a domain you simply run

/root/setup.sh domain.com

Bulk Adding Domains

Now that everything is setup and ready the last part is to bulk add all of your domains. To do this we are going to have them in a list (without www.) so have a file called domains.txt which should look something like this,

google.com
msn.com
yahoo.com

When you have your list and want to setup the domains first comment out the apache and named reload lines from the /root/setup.sh script to make this go much faster (you can reload once completed) and then loop through the domains by using something like this,


for i in `cat domains.txt`;do /root/setup.sh $i;done


Once completed reload named and apache


/etc/init.d/named reload
/etc/init.d/apache reload


Final Touches

Now that your server is setup and you can add domains easily the last thing to do is to start all the services and make sure they start on boot. You may wish to optimize the server aswell as any other misc tweaks (Such as adding index.php to the DirectoryIndex).


/etc/init.d/httpd restart
/etc/init.d/mysqld restart
/etc/init.d/vsftpd restart
/etc/init.d/named restart
chkconfig httpd on
chkconfig mysqld on
chkconfig vsftpd on
chkconfig named on


Summary

We setup the following,

• 3 Domains (google.com/msn.com/yahoo.com) for both dns and web
• A master FTP account (username: node / password: my??password12)
• 1 master nameserver (masterdomain.com) which all domains use

If you followed this from start to finish you should now have a fully working server for your MFA sites where you can add new domains easily and manage all the domains from one account.

After all these years you would think basic password security would be drilled into everyone who uses the Internet, yet time and time again I always come across people who still have not learned the basics.  Really what is so hard about remembering a password that is not text only?  One simple `odd` character in the word would make it a reasonable secure password.  Yet people still do not get the message that adding just one character really makes a difference.

When I see people who get compromised due to passwords it just makes me cringe.  I have yet to understand why they do not learn until someone takes advantage of their weak password.  It happens so often now I even have an example ready now for weak passwords.

You can still have a secure password which is easy to remember, it does not have to be full of random characters, just one or two really does make a difference.

Take my name for example, Scott Mcintyre, that’s 13 characters long and easy to remember all you have to do now is throw a few odd characters in there such as,

Sc0tt`Mcintyr?e

Which is easy to remember, it includes capitals and has a number, and is more than 10 characters.

Do you test you’re passwords?

Now it brought me on to the fact that does anyone actually test their password against dictionaries?  Both users and system administrators should test them regularly and the reaction I get when I guess the passwords is quite strange as if it has never happened before.

System Administrators

I personally only work with *NIX and test passwords atleast once a week on every single server with user accounts I manage.  On one time work the successrate for more than 100 passwords is generally 1-10%, however today I did get a 58% success-rate which sparked this entry.

As a *NIX administrator I feel it’s my job to ensure peoples passwords are updated also, I often use tools like John The Ripper against the /etc/shadow file to acheive this.  You may view my guide http://www.hostgeekz.com/guides/Security/67/Password_Security.htm if you are unsure how to this.

End Users

End users should not have to test their passwords and should be using a password that gives them 100% reassurance.  Ultimately if you feel the need to check you’re password against dictionaries then you’re password is not good enough.

Multiple Locations

Do you use you’re password in multiple locations?  If so why? While it might be easy to remember it always leads to problems if by the off chance you’re password was ever compromised.  I feel this form of basic password security is the one that is the one that is not taken seriously the most.  I used to do it myself however have since realized it was bad just because of the number of people I have been bad things happen to.  There are methods of keeping you’re same password principal yet not using the same password. Take our above example,

Sc0tt`Mcintyr?e

You could change the position of the question mark for each different location, such as you’re instant messenger password could be S?c0tt`Mcintyre and you’re email could be Sc?0tt`Mcintyre, this is just different variations yet it keeps you’re password simple to remember.

Changing passwords

Do you change you’re password after a certain period?  This is generally a good idea if you use the same password in multiple locations.  Personally I do change my passwords around once every 3-4 months.  I do it so I can remember them easier, newer passwords will stay fresh in the mind whilst older passwords can be forgotten and confused with others.

Conclusion

As it seems I have joined the list of thousands, possible millions, of other articles/rants about password security but I think it has to be said that it’s quite shocking the number of people that totally ignore the basic concept.

Some big music corporation sites have been defaced both sonymusicstudios.co.uk and warnermusic.com.tw.

Could this be a result of ThePirateBay going down recently? Could it be a coincidence, I think not.  It makes me wonder what will happen in the next few weeks because I suspect there will be a waive of these type of defacements.

One comment states,

“Just wait for the defacements tomorrow is all I can say.. (PRQ/TPB aren’t to be taken lightly when it comes to defacement support..)”

Which does indicate we should expect to see more of this in the coming days.

I wonder how both Sony and Warner Music will respond to these attacks.