
Posts tagged: error

Sun Java Error: 25099 Unzipping Core Files Failed – Fix discovered

October 30, 2009 15:24

If you’ve attempted to upgrade your Java from Sun and encountered this error, you were probably left scratching your head. The link to Sun’s Help Resources has no effective solution at the time of writing; it simply states:

The actual root cause of this issue is still under investigation…

Isn’t that helpful… I have discovered a solution; hopefully it will work for you.


Ubuntu 9.10 “Karmic Koala” Release Candidate – Installation Notes

October 25, 2009 13:11

Released to the public on October 22, Canonical’s latest and greatest Ubuntu yet is “Karmic Koala” 9.10. For many folks, using a Linux distribution probably ranks up there with a visit to the dentist, but I have to say that as the kernel keeps improving in leaps and bounds, the software wrapped around it can just work on the majority of hardware without issue.

Sure, many folks may try it out and find that it ‘does not work’ with their specific hardware, but compared with last year’s 8.10 the numbers are down, with the sad exception of two particular vendors: ATI and Intel. ATI recently dropped support for much of their older hardware, but then released a new series of drivers that do support it. Thankfully, using the older drivers or the open source community’s versions can at least get them working if you have problems with the better-supported drivers. Intel, on the other hand, has basically thrust its middle finger up at the Linux community with a blatant refusal to provide open source that would allow many distributions to integrate support, so for many it means booting to a broken system, downloading proprietary drivers and praying it works. Obviously this isn’t the end of the world, but from my perspective it is a seriously ‘good’ reason to avoid Intel hardware, especially if you want to use Wine to run Windows games or applications; you’d do so much better with non-Intel chipsets. nVidia has the best out-of-the-box support for most people, not only Linux users but also Windows users, to the point that it’s becoming a staple requirement. Don’t get me wrong, Intel does provide drivers, but do not expect them to work directly from installation. In some cases the generic drivers get installed and it works; in other cases you’re faced with non-working hardware and off to the various support forums seeking a solution. Thankfully they are available.

In my situation I decided to get a new laptop and specifically bought a Compaq CQ60, which features NO Intel or ATI hardware, simply so I could avoid any hassles. I’m pretty good at fixing these issues, but if I am spending money and the amount is equal, why buy something with hardware that will not work? So without further ado, I release my notes on installing Ubuntu 9.10 x64 on this laptop.


Google notify not working?

January 13, 2009 14:03

Are you one of the folks who has a Google email account? They are not hard to find, very easy to get, and many folks find them very handy. But for most Windows users, trying to adopt a webmail-style service such as Gmail in place of a typical client like Outlook Express can cause some problems.

Enter Google Notify. It’s a great little tool that intercepts mailto: links (the “email me” links on web pages) and redirects them to your Gmail account. No more clicking on an email link and having Outlook Express pop up; the request now opens a Gmail compose window, and it seems to work very well. It will also tell you when you have new mail!

What if it doesn’t work?


Shaw offering Free Broadband for a Year? Or a Phisher?

November 9, 2007 12:53

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a phishing attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is similar to the eBay and banking phishes of the recent past, in that it does NOT resemble a ‘real’ email so much as a fictional one designed to get people excited; in this case, instead of warning the user, it aims for a positive reaction from “getting free internet for a year”. Whoopie! A year’s worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware oriented, but they certainly can and do use such methods; this one asks the victim to download and run an executable. In this case it looks like standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a similar style to Shaw’s own correspondence and a legitimate, if inappropriate, From address (service@shaw.ca). The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis; our whois data is included in the rest of the article.

First off, the RED FLAGS in this phishing attempt:

#1 – “A Free Year of Broadband”. This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw’s trademarks would say this; it’s really unlikely anyone who works for Shaw would make this error.

#2 – Canadian law states that any ‘contest’ or ‘giveaway’ must contain details of said event. In most cases it’s prudent to disclaim whether or not the contest is allowed in Quebec, since the law there is vastly different and Quebec law generally does NOT allow this type of contest (disclaimer: I’m in no way a lawyer, but I am aware of consumer rights). The missing disclaimer is a definite flag.

#3 – The address in the From: header is not a normal Shaw correspondence email account.

#4 – The link’s visible text shows a ‘secure’ (https) address, but the link does not actually go to a ‘secure’ site; its real target is elsewhere.

#5 – Typical email headers (found on email from Shaw) are missing.

So just from a quick review of this email we can deduce that it’s not valid. To get more pertinent details I’ll analyze these emails in depth. I won’t paste the email headers in their entirety, and anything identifying is masked with ‘XXXXXXXX’ to avoid email harvesting, but I will show you the details that were most noteworthy.

The Return-Path was interesting. In one email it was apache@utel16.besthosting.com.ua, in the other nobody@omega.omc.net. Both local parts are the unprivileged accounts a web server runs under, which tells me the web server itself sent these emails, and in typical hosting fashion it would be doing so via a script on one of the hosts or virtual hosts on the system.

None of the Received headers indicate anything unexpected here; “omega” even has SSL/TLS enabled, though with verify=NO (the peer’s certificate was not checked).

The header block of one of the emails is very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: <XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua>
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

The +0200 offset in the Date header indicates an Eastern European time zone, and the Date is stamped by the system that generated the mail. I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header is the key detail of where this email came from. Many shared hosts patch PHP’s mail() to add it: it records the host and path of the script that called mail() and, after “for”, the address of the client that requested that script. So this is a strong indicator of an exploited (or abused) account at a web hosting company or something similar. The IP definitely hosts a web server, with the user account mentioned above (~loveterra), but at the time of checking, that script URL returned an error. We’ll come back to this IP in a bit.

The “for” address, 82.208.212.146, is the client that requested the script. It resolves to:

whois -h whois.geektools.com 82.208.212.146 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '82.208.212.0 - 82.208.212.255'
inetnum: 82.208.212.0 - 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered

person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered

% Information related to '82.208.192.0/19AS13091'
route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

Reviewing the other IP address from the X-PHP-Script header (the web server itself, 213.186.117.120) gives us this info:

whois -h whois.geektools.com 213.186.117.120 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '213.186.117.0 - 213.186.117.143'
inetnum: 213.186.117.0 - 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered

role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered

% Information related to '213.186.112.0/20AS16124'
route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

So it looks like someone, possibly in Serbia and Montenegro, requested a PHP mailer script hosted under a user account on a server in Ukraine (utel16.besthosting.com.ua), and that script sent the email. One would actually have to fetch the script to confirm this, which I have not done; this is a dangerous step I decided to avoid for brevity.
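The header checks above, plus the link check from red flag #4, are easy to automate. The Python below is an added example and is not code from the original post; it runs over a constructed copy of this email, where the To: address and Message-ID local part are made up and the href behind the link (an http URL on 209.85.15.18 with an invented path) stands in for the sanitized one. The Canadian time-zone range and the list of web-server account names are assumptions.

```python
"""Triage the headers and links of a suspected phishing mail (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the quoted headers; To:, Message-ID local part
# and the href path are invented, the href host stands in for the sanitized link.
SAMPLE = b"""Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: victim@shaw.ca
Reply-to: service@shaw.ca
Message-id: <20071108184928.12345@utel16.besthosting.com.ua>
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

<html><body><p>win a year of free broadband</p>
<a href="http://209.85.15.18/vhub/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a>
</body></html>
"""

# Accounts a web server or its PHP/CGI handler runs as (assumed list); mail with
# one of these in Return-Path was submitted by a script on the box, not a person.
WEB_SERVER_USERS = {"apache", "nobody", "www-data", "httpd", "www"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw, claimed_domain, expected_utc_offsets=(-8, -7, -6, -5, -4, -3.5)):
    """Return the red flags found in a raw RFC 822 message.

    claimed_domain is the domain the mail pretends to come from. The default
    expected_utc_offsets assume a Canadian sender (Pacific to Newfoundland).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # Envelope sender, From and Message-ID domain against the claimed domain.
    rp_user, _, rp_dom = parseaddr(msg.get("Return-Path", ""))[1].partition("@")
    if rp_user.lower() in WEB_SERVER_USERS:
        flags.append(f"return-path user '{rp_user}' is a web-server account")
    if rp_dom.lower() != claimed_domain:
        flags.append(f"return-path domain {rp_dom} is not {claimed_domain}")
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_dom != claimed_domain:
        flags.append(f"from domain {from_dom} is not {claimed_domain}")
    mid_dom = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if mid_dom and mid_dom != claimed_domain:
        flags.append(f"message-id domain {mid_dom} is not {claimed_domain}")

    # Traces of how the mail was injected: host-added PHP header, MTA warning.
    if "X-PHP-Script" in msg:
        m = re.match(r"(\S+)\s+for\s+(\S+)", msg["X-PHP-Script"])
        if m:
            flags.append(f"sent by PHP script {m.group(1)} requested from {m.group(2)}")
    if "X-Authentication-Warning" in msg:
        flags.append("MTA authentication warning: " + msg["X-Authentication-Warning"])

    # Date: is stamped by the generating system; an offset outside the sender's
    # zones is a supporting indicator, not proof.
    if msg.get("Date"):
        offset = parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600
        if offset not in expected_utc_offsets:
            flags.append(f"date stamped at UTC{offset:+g}, outside the sender's zones")

    # Links: what the victim sees (anchor text) versus where the click goes (href).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target, shown = urlparse(href), urlparse(text if "://" in text else "")
            if shown.hostname and shown.hostname != target.hostname:
                flags.append(f"link text shows {shown.hostname} but goes to {target.hostname}")
            if shown.scheme == "https" and target.scheme != "https":
                flags.append("link text claims https but the target is " + target.scheme)
            if IPV4.match(target.hostname or ""):
                flags.append(f"link target is a bare IP address {target.hostname}")
            if target.path.lower().endswith(".exe"):
                flags.append(f"link delivers an executable: {target.path}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE, "shaw.ca"):
        print("-", flag)
```

Run as a script it lists nine flags for the sample: the web-server Return-Path, the Return-Path and Message-ID domains, the X-PHP-Script origin, the +0200 Date, and four problems with the link (host mismatch, https claimed over an http target, a bare IP, an .exe payload). Only the Message-ID and Return-Path checks need the raw message; the link checks work on the HTML alone.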


Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc."
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

No X-PHP-Script this time, but we can see the authentication warning from this server: sendmail records that a connection from the local host (127.0.0.1) used a HELO name that did not match, which is what a script injecting mail on the box itself looks like. No further detail, unfortunately.

Regardless, the viewable content of the two emails is identical, including an ‘official’ Shaw footer to further reinforce its legitimacy, but it’s futile. These are NOT from SHAW.

The content is included in plaintext below. However, to ensure not even Google browses the evil link from our site, I have sanitized the link’s real target (its href) so it breaks; the address you see for the link is what the victim sees, not where the click goes. Details of the real target follow the email content:

Content-Transfer-Encoding: 8bit
<img src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0>
.win a year of free broadband
To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.
After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.
https://secure.shaw.ca/apps/secure/vhub/Survey.exe
2007 Shaw Communications. All Rights Reserved.

The sanitized href behind that link (replaced with “Removed.example.com” in the original markup) pointed at 209.85.15.18, not secure.shaw.ca. That address resolves to:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 …
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:
OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US
ReferralServer: rwhois://rwhois.ev1servers.net:4321/

NetRange: 209.85.0.0 - 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28

RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net

RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net

# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

At the time of writing, that site still seems to be up. Anyone receiving an email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate, though limited in its conclusions. However, I hope it serves to help anyone else who seeks to eliminate phishers and other scammers.
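Reading three whois answers by hand is tedious, and the fields that matter for attribution (the assigned range, netname, country, originating AS and an abuse contact) are buried in boilerplate. The Python below is an added example, not code from the original post: a small parser for RIPE’s multi-object output and ARIN’s flat record, run over abridged, constructed copies of the answers quoted above (column spacing is not the registries’ exact layout; the abuse-c and OriginAS keys are looked up for completeness and are absent in these 2007 answers).

```python
"""Pull attribution fields out of RIPE and ARIN whois output (added example)."""

# Constructed, abridged copy of the RIPE answer for 82.208.212.146.
WHOIS_RIPE = """\
% This is the RIPE Whois query server #1.
% Note: this output has been filtered.

% Information related to '82.208.212.0 - 82.208.212.255'
inetnum:      82.208.212.0 - 82.208.212.255
netname:      ITSOLUTIONSNET
descr:        ITSolutions, Obrenoviceva 124 4/10
descr:        18000 Nis
country:      CS
admin-c:      IS1188-RIPE
tech-c:       AZ919-RIPE
status:       ASSIGNED PA
mnt-by:       PTTSRBIJANET-MNT
source:       RIPE # Filtered

person:       Ivan Stankovic
nic-hdl:      IS1188-RIPE
source:       RIPE # Filtered

% Information related to '82.208.192.0/19AS13091'
route:        82.208.192.0/19
descr:        JP PTT Srbija
origin:       AS13091
mnt-by:       PTTSRBIJANET-MNT
source:       RIPE # Filtered
"""

# Constructed, abridged copy of the ARIN answer for 209.85.15.18.
WHOIS_ARIN = """\
OrgName:    Everyones Internet
OrgID:      EVRY
City:       Houston
Country:    US

NetRange:   209.85.0.0 - 209.85.127.255
CIDR:       209.85.0.0/17
NetName:    EVRY-BLK-15
NetType:    Direct Allocation

RAbuseEmail:   abuse@ev1servers.net
OrgAbuseEmail: abuse@theplanet.com

# ARIN WHOIS database, last updated 2007-11-08 19:10
"""


def parse_objects(text):
    """Split whois output into objects, each a list of (key, value) pairs.

    Blank lines separate objects; comment lines (% for RIPE, # for ARIN) and
    lines without a 'key: value' shape are dropped. Keys are lower-cased so
    RIPE's 'netname' and ARIN's 'NetName' compare equal.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(pairs, key):
    """First value for key in a list of (key, value) pairs, or None."""
    return next((v for k, v in pairs if k == key), None)


def summarize(text):
    """Reduce whois output to the fields used for attribution.

    RIPE answers with several objects (inetnum, person/role, route), so the
    network fields come from the inetnum object and the AS from the route
    object. ARIN answers with one flat record, so every pair is merged.
    """
    objects = parse_objects(text)
    net = next((obj for obj in objects if first(obj, "inetnum")), None)
    if net is not None:
        route = next((obj for obj in objects if first(obj, "route")), [])
        return {
            "range": first(net, "inetnum"),
            "netname": first(net, "netname"),
            "country": first(net, "country"),
            "maintainer": first(net, "mnt-by"),
            "origin_as": first(route, "origin"),
            "abuse": first(net, "abuse-c"),  # present in modern RIPE output only
        }
    flat = [pair for obj in objects for pair in obj]
    return {
        "range": first(flat, "netrange"),
        "netname": first(flat, "netname"),
        "country": first(flat, "country"),
        "maintainer": first(flat, "orgid"),
        "origin_as": first(flat, "originas"),  # newer ARIN records carry this
        "abuse": first(flat, "orgabuseemail") or first(flat, "rabuseemail"),
    }


if __name__ == "__main__":
    for ip, text in (("82.208.212.146", WHOIS_RIPE), ("209.85.15.18", WHOIS_ARIN)):
        print(ip, summarize(text))
```

The ARIN branch prefers the organisation’s abuse mailbox over the reseller’s (OrgAbuseEmail before RAbuseEmail), which is where a complaint about the hosted site should go; for the RIPE answers the mnt-by maintainer identifies the provider (here PTT Srbija and Utel) when no abuse contact is listed.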

Installing Snort 3.0.0 Alpha

May 21, 2007 17:09

I recently took the challenge to try out the new Snort 3.0 alpha that Marty Roesch released upon the world. I was glad to see a new version of this tool available and was eager to see it work. I have used Snort extensively over the years and can say I’m quite happy with the current 2.6.x.x builds. They are very good working builds, capable of doing what they’re configured for, but they seem overly complex for the job at hand.

Honestly, the installation instructions are very good, but like most people… who follows instructions? Don’t we all want to trailblaze?

I was at the time running Ubuntu 6.06 and getting ready to upgrade to 7.04, and decided to do the upgrade before I tried to build Snort. I had a current 2.6.x build installed and also a 2.7.0.1 beta, both working. I removed the 2.6 build and left the 2.7 beta1, which managed to work with a bit of fixing.

After confirming this was fine, I did a complete image backup of the computer. This ensures I can reload the image to disk and reboot the computer immediately. In fact I image disk partitions, but I think you get the idea; this is my backup method of choice. I use Restorer 2000 Pro Net to perform these tasks to a networked storage box. Restorer also lets you mount images, to partially restore or to test backups. Image backups can be quite handy, let alone time saving.

Well, I decide to pop in the 7.04 CD and start the upgrade process. What? No upgrade process? Cheap buggers; well, I’ll just have to make my own. Using the Synaptic Package Manager, I run a full upgrade check and compare against the latest versions on the CD-ROM. Then I force it to apply all upgrades.

This gets about 25% of the way and then fails fatally with an error I don’t recall. The system now boots, but not completely; even though I can use it to some degree, really it’s not usable.

So, back to the drawing board: I restore the original partition and decide to do the proper upgrade to 6.10. This worked very well. I was so happy with myself that I made another backup after successfully using my 6.10 installation. Then I went ahead and did the 7.04 upgrade. This also worked very well. Afterwards, while enjoying my new Ubuntu, I recalled that I was doing this for my Snort alpha testing!

Back to work: I get the Snort alpha copied over to this box using wget, awesome. Unpacking the tar.gz, I review the README to discover I need Lua, libdnet and UUID in addition to libpcap. I have libpcap working fine since Snort 2.7 works fine. So I need to get Lua and libdnet (at this point) for sure, since I’m pretty confident I have e2fsprogs installed (which was the recommended way to get the UUID pieces). I attempt to get the source for Lua and compile it, but I get stupid errors with readline. I realize the *-dev package doesn’t version-match the readline package and as a consequence doesn’t want to compile nice and easy.

Cursing, I decide I must either figure out how to get readline to compile or find out how to revert to an older libdnet/Lua. Then I remembered that Marty mentioned that it worked with 6.10, so I figured that release must have matching revisions between these packages and their devel counterparts! So I went back to the 6.10 install and tried the same thing. This was more successful, but I still encountered errors with libdnet. This was befuddling, but this time the errors were specifically about finding the files that ‘should’ be there. Guess what? They weren’t. I hadn’t installed the devel packages, so I realized that I needed to actually ‘make’ these installs instead of using Synaptic. While I was running around looking for the actual downloads, I noticed the ‘3rdparty’ directory in the Snort package, which actually included both these tarballs. Sure, let’s use these. First I did libdnet and it worked fine. I attempted to make Snort again, and it still didn’t work, but this time I had no errors on libdnet. So I went ahead and made Lua from the Snort package and then attempted to make Snort. It got past Lua and then found a new complaint.

This time it complained about UUID. In fact I did not have the UUID headers and again was dumbfounded over the missing headers. A quick Google, however, turned up a forum for some other product with a similar problem, and everyone complaining about having to download the entire e2fsprogs-devel package to get them. Someone then stated that the uuid-dev package would have them (for Debian) and that it had recently been added to the third-party repos for this very reason. A quick ‘sudo apt-get install uuid-dev’ did the trick for me, I’m quite happy to say.

After this I completed the make of snort and was able to quickly start testing it out.

It looks to have some very effective ways to process traffic, but I have only finished the suggestions in the README. I’m curious to see how well it develops into a future version. Using Lua was a big concern for me, but it really doesn’t seem to be causing any resounding problems. I’ve become accustomed to it for now, but I’m not actually using it for development either. Hopefully I’ll update my experiments with it in short order.

For now Snort 3.0.0.a1.4 gets a thumbs up as a usable alpha program, now back to testing!
