Archive for the “Linux” Category


Part 2 has finally arrived …. don’t all cheer at once now …

In part two I will cover how to run an IP range scan using a bash script and, if a host responds to ping, retrieve the MAC address of the connected host.

Now bear in mind this script was written to run from a Mac running OS X Leopard.


#!/bin/bash
# colours
function colours {
    CLEAR='\e[00m';
    GREEN='\e[0;32m';
    RED='\e[0;31m';
    YELLOW='\e[1;33m';
}
# ipscan
function ipscan {
    IPS_START=1;
    IPS_END=254;
    IPS_RANGE=192.168.1.
    echo "Now running IPSCAN $IPS_RANGE$IPS_START - $IPS_RANGE$IPS_END"
    for ((i=$IPS_START;i<=$IPS_END;i+=1)); do
        # OS X ping: -c 1 sends a single packet, -t 1 gives up after one second
        RESULT=`ping -c 1 -t 1 $IPS_RANGE$i | grep "bytes from"`;
        if [ -z "$RESULT" ]; then
            echo -e "$IPS_RANGE$i:$RED DEAD $CLEAR";
            # If you comment out the line above to report just the alive hosts, bash rejects
            # an empty branch as a syntax error, so uncomment the line below to keep it happy
            #holder=$i;
        else
            # the ping reply has just populated the ARP cache; on OS X the MAC is column 4 of arp's output
            MAC=`arp $IPS_RANGE$i | awk '{ print $4 }'`;
            echo -e "$IPS_RANGE$i:$GREEN ALIVE $CLEAR ($MAC)";
        fi
    done
}
colours;
# call the function named in the first argument, passing the second argument through to it
$1 $2

To make this work on your Linux distro, replace -t in the ping command with -W, check the awk column against your arp output (a display of (no) means that no ARP entry could be found for the host), and change the IP range to that of your network.

That’s it for this part: dump this in a file, chmod +x as usual, and run it with ./script.sh ipscan.
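As an added example (not the post's own script), here is the alive/MAC check written to run on either OS X or Linux: it picks the ping timeout flag per OS and pulls the MAC out of arp's output on both formats, reporting "unknown" when arp has no entry. The arp lines it parses at the end are constructed samples, so that part runs offline.

```shell
#!/bin/bash
# Added example, not the original post's script: portable alive/MAC scan helpers.
# The sample arp output at the bottom is constructed for offline checking.

# ping's one-second timeout flag differs: -t on OS X/BSD, -W on Linux (where -t is the TTL)
ping_timeout_flag() {
    case "$(uname -s)" in
        Darwin|*BSD) echo "-t 1" ;;
        *)           echo "-W 1" ;;
    esac
}

# Extract a MAC address from the output of `arp <host>` (OS X or Linux format).
# Prints "unknown" for the "no entry" / "(incomplete)" cases instead of a stray column.
mac_from_arp_line() {
    # six colon-separated hex groups; OS X prints them unpadded (0:1e:...), Linux padded (00:1e:...)
    echo "$1" | grep -oiE '([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}' | head -n 1 | grep . || echo "unknown"
}

# Ping one host and report ALIVE with its MAC, or DEAD, in the post's output format.
check_host() {
    host=$1
    if ping -c 1 $(ping_timeout_flag) "$host" 2>/dev/null | grep -q "bytes from"; then
        # the reply has just populated the ARP cache, so read the cached entry back
        echo "$host: ALIVE ($(mac_from_arp_line "$(arp "$host" 2>/dev/null)"))"
    else
        echo "$host: DEAD"
    fi
}

scan_range() {   # usage: scan_range 192.168.1. 1 254
    prefix=$1; i=$2
    while [ "$i" -le "$3" ]; do check_host "$prefix$i"; i=$((i + 1)); done
}

# Constructed sample arp output, one per OS, plus a missing entry.
SAMPLE_OSX='? (192.168.1.1) at 0:1e:c2:aa:bb:cc on en0 ifscope [ethernet]'
SAMPLE_LINUX='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:1e:c2:aa:bb:cc   C                     eth0'
SAMPLE_NOENTRY='192.168.1.77 (192.168.1.77) -- no entry'
mac_from_arp_line "$SAMPLE_OSX"       # 0:1e:c2:aa:bb:cc
mac_from_arp_line "$SAMPLE_LINUX"     # 00:1e:c2:aa:bb:cc
mac_from_arp_line "$SAMPLE_NOENTRY"   # unknown
```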


Getting this email on a regular basis?

Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Hannah

Yes, it is a virus: the attached .doc.exe file seems to vary daily in its choice of virus.

So far it has been:

TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA

None of the three was detected by the most up-to-date pattern from Trend; I had to resort instead to their CPR release (Controlled Pattern) after emailing these samples to their labs (another unknown variant was received today and sent to Trend labs).

This raises the question of “Honey pot” accounts to catch these viruses: the only reason I am able to obtain these “samples” before they become a problem is that I have a “Honey pot” email account with a generic, often-spammed address format for this purpose.

This is making “Honey pots” more of a NEED now instead of an “Über Techies” box of tricks the end user is afraid to go within 30 meters of.

If you run a Windows based network I suggest you do some research into how to set up a good honey pot (do NOT use an account on your Exchange server, that would be REALLY stupid); you can also post a comment or use the contact form for advice.

Once set up, make it part of your daily routine to test samples as they come in against your anti-virus solution, making sure you know how to send samples to the provider's labs for analysis.


OK so I’m a little behind here: last Friday, 22/08/2008, hackers broke into Red Hat.

http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html

If you run a Red Hat system grab the script from here:

http://www.redhat.com/security/data/openssh-blacklist.html

And check for potentially compromised packages.


In the last 24 hours I have received one email every 30-40 minutes from the Red Hat Network alerting me to a “bug” fix …

Each time for a different package … so I have no idea why the sudden explosion of updates at the moment; either something was royally screwed in the last set of releases or someone is slipping Pro Plus into the developers' coffees.

I’m hoping it’s the latter.

UPDATE: Never good news, is it? I was all for the developer hopped up on caffeine; see this forum thread:

http://forums.remote-exploit.org/showthread.php?t=16564

“They got hacked last Friday and had to cancel and reissue all their PGP keys.”


Well, the interest in this subject seems to be picking up!

I am currently researching two pass encoding using libx264 and libfaac to allow low bitrate (fast loading) HD streaming.

As I figure this out you can see the results here: http://www.saiweb.co.uk/linux/very-basic-c-gdb-tutorial

The embedding is handled using a WordPress plugin I have written; I will make this available shortly.

I will be getting part one “FFMPEG” installation up today regardless.


The thing that has really annoyed me lately is the lack of documentation to be found for FFMPEG: the documentation you can find is by way of man pages, and makes the assumption you already know all the terms that go with video encoding.

Well, I aim to change that.

Over the next few days I will be producing a video set, “Build your own HD YouTube”, covering installation of FFMPEG, building a basic PHP front end (without using PHP-FFMPEG), and finally a summary covering the methods you should use if you want to use the techniques covered in a production environment.


ffmpeg comes with a tool to re-order the MP4 “atoms” (Seriously don’t ask what are MP4 atoms it’s geek for the sake of geek).

Find the file in ffmpeg_src/tools/qt-faststart.c

Compile with gcc:


gcc qt-faststart.c -o qt-faststart

And run:


/path/to/qt-faststart /path/to/src_vid.mp4 /path/to/output.mp4

NOTE: This only seems to work for h264 encoded videos (libx264).
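An added check, not part of ffmpeg or qt-faststart: walk the top-level atoms of an MP4 (4-byte big-endian size, 4-byte type) and report whether moov precedes mdat, which is the rearrangement qt-faststart performs. The three files it inspects are constructed inside the script: a minimal ftyp/moov/mdat sequence in both orders, plus one whose size field overruns the file.

```shell
#!/bin/bash
# Added example, not part of the ffmpeg tools: report top-level MP4 atoms and whether
# the file is "faststart" (moov before mdat). A size of 0 means "to end of file";
# a size of 1 means a 64-bit size follows, which this walker does not decode.

# Print one "type size" line per top-level atom in the file $1.
mp4_atoms() {
    file=$1; off=0; total=$(wc -c < "$file" | tr -d ' ')
    while [ "$off" -lt "$total" ]; do
        [ $((total - off)) -ge 8 ] || { echo "truncated $((total - off))"; return 1; }
        hex=$(od -An -tx1 -j "$off" -N 4 "$file" | tr -d ' \n')
        size=$((0x$hex))
        type=$(dd if="$file" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
        [ "$size" -eq 0 ] && size=$((total - off))         # atom extends to EOF
        [ "$size" -eq 1 ] && { echo "$type largesize"; return 1; }
        if [ "$size" -lt 8 ] || [ $((off + size)) -gt "$total" ]; then
            echo "$type bad-size $size"; return 1            # never loop forever or read past EOF
        fi
        echo "$type $size"
        off=$((off + size))
    done
}

# "faststart" if moov precedes mdat, "slowstart" if mdat comes first, "unknown" otherwise.
mp4_start_kind() {
    order=$(mp4_atoms "$1" | awk '$1 == "moov" || $1 == "mdat" { printf "%s ", $1 }')
    case "$order" in
        moov\ mdat*) echo faststart ;;
        mdat\ moov*) echo slowstart ;;
        *)           echo unknown ;;
    esac
}

# Constructed sample files: a 20-byte ftyp, an 8-byte empty moov and an 8-byte empty mdat
# in both orders (\024 = 20, \010 = 8 in octal), plus an ftyp claiming 100 bytes (\144).
FAST=$(mktemp); SLOW=$(mktemp); BAD=$(mktemp)
printf '\000\000\000\024ftypisom\000\000\000\000isom\000\000\000\010moov\000\000\000\010mdat' > "$FAST"
printf '\000\000\000\024ftypisom\000\000\000\000isom\000\000\000\010mdat\000\000\000\010moov' > "$SLOW"
printf '\000\000\000\144ftyp' > "$BAD"
mp4_start_kind "$FAST"   # faststart
mp4_start_kind "$SLOW"   # slowstart
mp4_start_kind "$BAD"    # unknown
```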


Just try to find documentation on this … absolute nightmare is an understatement, so here are my notes of the steps I took to compile ffmpeg with a selection of codecs:


up2date automake autoconf libtool
wget http://downloads.sourceforge.net/faac/faac-1.26.tar.gz
wget http://downloads.sourceforge.net/faac/faad2-2.6.1.tar.gz
wget http://superb-west.dl.sourceforge.net/sourceforge/lame/lame-3.98b6.tar.gz
wget http://downloads.xiph.org/releases/ogg/libogg-1.1.3.tar.gz
wget http://downloads.xiph.org/releases/theora/libtheora-1.0beta2.tar.gz
wget http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.gz
wget http://downloads.xvid.org/downloads/xvidcore-1.1.3.tar.gz
wget ftp://ftp.videolan.org/pub/videolan/x264/snapshots/x264-snapshot-20080805-2245.tar.bz2

NOTE: The above are current at the time of writing, check for more recent versions at the relevant sites.

Extract:


for i in *.tar.gz; do tar -xzvf "$i"; done
for i in *.tar.bz2; do tar -xjvf "$i"; done

cd to the relevant directories and run the following:

faac & faad2: ./bootstrap && ./configure && make && make install
xvidcore: cd build/generic; ./configure && make && make install
libx264: ./configure --enable-shared --disable-asm && make && make install
The rest: ./configure && make && make install

NOTE: You must install libogg prior to libvorbis and libtheora

The following is required, otherwise ffmpeg will display errors about being unable to find libraries, i.e.:


ffmpeg: error while loading shared libraries: libavdevice.so.52: cannot open shared object file

FIX:


echo '/usr/local/lib' > /etc/ld.so.conf.d/buzz-saiweb.conf
ldconfig

You must run “ldconfig” any time you install a new lib you want to use with ffmpeg!

Install FFMPEG

svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg

./configure --enable-libmp3lame --enable-libvorbis --enable-libxvid --enable-shared --enable-libfaac --enable-libfaad --enable-gpl --enable-libtheora --enable-libx264

make

make install

NOTE: If you already have a checkout of ffmpeg and run an update to get the latest code, make sure you run


make distclean

Prior to running the configure line.

et voila job done ….


The information for this is VERY very sparse, so here is a summary of what I have found.

Install libx264

Get the libx264 package from here: http://www.videolan.org/developers/x264.html

Extract the bz2 file:


tar -xjvf /path/to/x264-snapshot-20080805-2245.tar.bz2

And now the usual:


cd /path/to/x264-dir
./configure --enable-shared
make
make install
ldconfig

And get a nice error message:


[root@dev01 x264-snapshot-20080805-2245]# ./configure
No suitable assembler found. Install 'yasm' to get MMX/SSE optimized code.
If you really want to compile without asm, configure with --disable-asm.

You do want MMX/SSE at some point; for the time being I am disabling it though (lack of time to find a valid RHEL source), so I added the --disable-asm flag.

Install ffmpeg

For this I use subversion.


cd /path/to/where/I/want/sources
svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg
cd /path/to/where/I/want/sources/ffmpeg
./configure --enable-libx264 --enable-gpl --enable-shared
make
make install

et voila ffmpeg is now installed with libx264 (h264).


error while loading shared libraries: libavdevice.so.52: cannot open shared object file: No such file or directory

To fix this:


vi /etc/ld.so.conf.d/custom-libs.conf

Add the line : /usr/local/lib

And run ldconfig.

UPDATE: I am writing a full blog entry with a complete set of notes for installing ffmpeg with codecs on RHEL4.


Prompted by the following remarks today …

Kerm: “;) there is always an abbreviation in the CLI as all sysadmins are lazy feckers”

Kerm: “Someone might think you actually do work occasionally, god forbid!”

Sysadmins are NOT inherently lazy, we just know how to save time, and are quite adept at doing so …ok?

You cheeky sods!

So let me clear up one instance in which I take a lot of information, and make it quickly and easily accessible using a “Lazy feckers” abbreviation …

Be warned this is a very jaded write up, read on at your own peril.

Right then, onto the point of this post: the sysadmin script, part 1. This is going to cover how to check how many connections to a specific port you have on your server.

Trust me this becomes very useful when you have exhausted all other options when trying to figure out why your web server is running like a dog with no legs …


netstat -ant

After running the above in your SSH session you will see lines, and lines … and yet more lines of network connection information, especially if you run this on a busy server.

Example (colours added):

tcp 0 0 ***.***.***.***:25 ***.***.***.***:32794 ESTABLISHED

Key:

PROTOCOL Tx Rx LOCALHOST:PORT FOREIGN_HOST:PORT CONNECTION STATE

From this information it’s pretty easy to spot this is an inbound SMTP connection.

(If you can’t see why, don’t worry it’s ok maybe it’s genetic)

Now this may be handy, but other than taking all this information and dumping it into a spreadsheet (god knows you love those spreadsheets !!! ), how are you going to figure out how many connections are occurring from that external host?

How, in fact, are you going to be able to easily see how many total connections to that port you have?!?!

Bash script, now for some history, Bash is the Bourne Again Shell, or as I like to think of it, it is the verb for what I will do to your head if you ask me what BASH / SSH / Shell is again …

Now create a directory:


mkdir ~/.sysadmin
cd ~/.sysadmin

Note the prefixing dot: this will create a “hidden” directory in your home directory (~). The reason for this is so you don’t have system admin scripts sat in your home directory, as if you are like me, all sorts of crap moves in and out of that directory on a daily basis, and the last thing you want to do is to have to rummage through backups trying to find “that script you wrote to diagnose connection problems a year ago“.

The point is these scripts will become part of your workflow, once written they will rarely need updating, and should never be called directly, (I mean we’re lazy right? WTH do we want to be typing the full script path for? … oh yeh it saves time!).

In this case:


vi ~/.sysadmin/buzz.sh

You can of course call your script whatever you want, and use any text editor you want, if you don’t like / know vi …


#!/bin/bash
# Sysadmin script PART 1 http://www.saiweb.co.uk
# Provided under the MIT license (http://www.opensource.org/licenses/mit-license.php)
# © D.Busby
function usage {
    echo "Usage: portcon port";
    echo "i.e. portcon 80";
}
function portcon {
    echo "----- Active Connections For Port $1 -----";
    # total connections to our local address on port $1 (the trailing space stops port 80 matching 8080)
    netstat -ant | grep "ABC.DEF.HIJ.KLM:$1 " | wc -l
    # per remote host: take the foreign address column, drop its port after the colon, then tally
    netstat -ant | grep "ABC.DEF.HIJ.KLM:$1 " | awk '{ print $5 }' | awk -F \: '{ print $1 }' | sort | uniq -c | sort -n
}
if [ -z "$1" ]; then
    usage;
    exit
fi
# call the function named in the first argument, passing the second argument through to it
$1 $2

OK, so the above code provides two functions, usage and portcon.

MAKE SURE YOU REPLACE “ABC.DEF.HIJ.KLM” WITH YOUR LOCAL IP ADDRESS
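As an added example rather than the post's script, here is the same report written without the hard-coded local address: the local port is read from the text after the last colon of the Local Address column (so IPv6 lines work too), listeners are skipped, and the connections are also broken down per TCP state so a pile of half-open SYN_RECV entries stands out from real load. The netstat -ant lines it runs over are a constructed sample using documentation addresses.

```shell
#!/bin/bash
# Added example, not the post's own script: count connections on a local port from
# `netstat -ant` output read on stdin, with no local IP baked in. The SAMPLE
# below is constructed.

# Lines for local port $1, excluding LISTEN sockets. The port is whatever follows the
# last colon of the Local Address column, so "10.0.0.5:80" and ":::80" both match.
port_lines() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 != "LISTEN" {
        n = split($4, l, ":"); if (l[n] == port) print }'
}

# Total number of connections (any state) on local port $1.
portcon_total() { port_lines "$1" | wc -l | tr -d ' '; }

# ESTABLISHED connections per remote host on port $1, busiest last as in the post's
# output. The remote port is stripped after the last colon of the Foreign Address.
portcon_by_host() {
    port_lines "$1" | awk '$6 == "ESTABLISHED" {
        m = split($5, r, ":"); host = substr($5, 1, length($5) - length(r[m]) - 1); c[host]++ }
        END { for (h in c) printf "%d %s\n", c[h], h }' | sort -n
}

# Connections per TCP state on port $1, so a SYN flood does not look like web traffic.
portcon_by_state() {
    port_lines "$1" | awk '{ c[$6]++ } END { for (s in c) printf "%d %s\n", c[s], s }' | sort -n
}

# Constructed netstat -ant sample (documentation addresses, queues zeroed).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:51022      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51023      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40010       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40011       SYN_RECV
tcp        0      0 10.0.0.5:25             192.0.2.33:32794        ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.33:32795        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8::99:55100      ESTABLISHED'

# On a live box: netstat -ant | portcon_by_host 80 ; here we run the sample instead.
echo "----- Active Connections For Port 80 -----"
echo "$SAMPLE" | portcon_total 80      # 5 (port 8080 and the LISTEN lines are not counted)
echo "$SAMPLE" | portcon_by_host 80    # ends with "2 198.51.100.7"
echo "$SAMPLE" | portcon_by_state 80   # 1 SYN_RECV, 4 ESTABLISHED
```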

chmod this file to allow execution:


chmod +x ~/.sysadmin/buzz.sh

Now edit your bashrc file:


vi ~/.bashrc

And add the following:

alias buzz='~/.sysadmin/buzz.sh'

Now exit (log out of) your SSH session and log back in (or su root > su your_user for testing).


[buzz@buzz_srv ~]$ buzz
Usage: portcon port
i.e. portcon 80
[buzz@buzz_srv ~]$

Now run the portcon check …


[buzz@buzz_srv ~]$ buzz portcon 80
----- Active Connections For Port 80 -----
505
1 ***.***.***.***
3 ***.***.***.***
3 ***.***.***.***
4 ***.***.***.***
4 ***.***.***.***
5 ***.***.***.***
11 ***.***.***.***
14 ***.***.***.***
16 ***.***.***.***
76 ***.***.***.***
373 ***.***.***.***

(Yes before you ask ***.***.***.*** does display the correct IP address, I have purposely removed them for security).

So, I have taken something that would have resulted in netstat output > spreadsheet > formulas > at an estimate 30 mins per analysis, to something that now takes less than 5 seconds to type and get the relevant output, for roughly the same initial effort (30 mins scripting time).

You could argue you can keep a spreadsheet pre-set-up with the right formulas / pivot tables and just dump the data in each time; well yes you could, but that’s nowhere near as quick as this …

And no, don't try to convince me it is as quick as and better than the script above, for:

  1. You have to wait for excel to open the spreadsheet
  2. You have to copy paste the data
  3. You have to wait for excel to process the formulas

If you have a machine that can do that in time equal to or less than the time it takes the script above to output the data, the only thing I have to say is, stop spending such a budget on desktops and get a better server.

Final Thoughts:

This write up is in jest, and is intended to be read as such, the code and methods provided above are factual. etc …
