Archive for the ‘Misc’ Category

TM : Reverse DNS delegation


I made a request to TM for reverse DNS delegation of the static IP address ranges assigned to our office SDSL accounts. Two thumbs up for their prompt response and action on my query. My name servers now manage the PTR records for those IP address ranges. I'm a user of DJB's tinydns; below are the tinydns data entries. The IP address values and the domain are masked.

=router.mydomain.com:124.99.199.41
=firewall.mydomain.com:124.99.199.42
=ns3.mydomain.com:124.99.199.43
.41.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.41.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.42.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.43.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.44.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.45.199.99.124.in-addr.arpa::ns4.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns1.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns2.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns3.mydomain.com:3600
.46.199.99.124.in-addr.arpa::ns4.mydomain.com:3600

The Lookup

%dig 42.199.99.124.in-addr.arpa NS

; <<>> DiG 9.3.4 <<>> 42.199.99.124.in-addr.arpa NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1968
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;42.199.99.124.in-addr.arpa. IN NS

;; ANSWER SECTION:
42.199.99.124.in-addr.arpa. 3600 IN NS ns1.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns2.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns3.mydomain.com.
42.199.99.124.in-addr.arpa. 3600 IN NS ns4.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com. 22258 IN A 202.191.74.118
ns2.mydomain.com. 22260 IN A 203.175.167.108
ns3.mydomain.com. 22260 IN A 124.99.199.43
ns4.mydomain.com. 22260 IN A 212.214.138.2

;; Query time: 44 msec
;; SERVER: 161.142.2.17#53(161.142.2.17)
;; WHEN: Wed Oct 15 12:21:10 2008
;; MSG SIZE rcvd: 195


%nslookup 124.99.199.42
Server: 161.142.2.17
Address: 161.142.2.17#53

Non-authoritative answer:
42.199.99.124.in-addr.arpa name = firewall.mydomain.com.

Authoritative answers can be found from:
42.199.99.124.in-addr.arpa nameserver = ns4.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns1.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns2.mydomain.com.
42.199.99.124.in-addr.arpa nameserver = ns3.mydomain.com.
ns1.mydomain.com internet address = 202.191.74.118
ns2.mydomain.com internet address = 203.175.167.108
ns3.mydomain.com internet address = 124.99.199.43
ns4.mydomain.com internet address = 212.214.138.2
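The data entries above are generated by hand; the following is an added example (not from the original post) that produces the same two kinds of tinydns lines for a whole range and checks that every host with a PTR actually sits in a reverse zone the server declares. The prefix/range arguments and the function names are my own.

```python
def reverse_name(ip):
    # 124.99.199.42 -> 42.199.99.124.in-addr.arpa (the PTR owner name)
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def tinydns_entries(hosts, nameservers, prefix, first, last, ttl=3600):
    # '=' lines give A + PTR for each host; '.' lines (empty ip field, so no A
    # record is synthesised for the NS) declare NS + SOA for each delegated
    # per-address reverse zone, one line per nameserver, as in the data above.
    lines = ["=%s:%s" % (name, ip) for name, ip in hosts]
    for n in range(first, last + 1):
        zone = reverse_name("%s.%d" % (prefix, n))
        lines += [".%s::%s:%d" % (zone, ns, ttl) for ns in nameservers]
    return lines

def check_ptr_coverage(lines):
    # Without a '.' line tinydns declares no zone (SOA/NS) for that address, so
    # the delegation the ISP set up for it is not answered authoritatively.
    # Return the IPs of '=' hosts whose reverse zone has no '.' line.
    zones = {l[1:].split(":")[0] for l in lines if l.startswith(".")}
    return [l.split(":")[1] for l in lines
            if l.startswith("=") and reverse_name(l.split(":")[1]) not in zones]

if __name__ == "__main__":
    # Constructed sample using the masked names from the post.
    hosts = [("router.mydomain.com", "124.99.199.41"),
             ("firewall.mydomain.com", "124.99.199.42"),
             ("ns3.mydomain.com", "124.99.199.43")]
    ns = ["ns1.mydomain.com", "ns2.mydomain.com", "ns3.mydomain.com", "ns4.mydomain.com"]
    data = tinydns_entries(hosts, ns, "124.99.199", 41, 46)
    print("\n".join(data))
    print("uncovered PTRs:", check_ptr_coverage(data))
```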

Wednesday, October 15th, 2008

TM : ISP Error Page Ads (landing.netmyne.com)


If you are using TM Streamyx and notice that whenever you mistype something in the address bar your browser ends up at this address, http://landing.netmyne.com/index.jsp?mode=search&nlia=error_keyword, guess what! TM has added a wildcard to its DNS caching servers to capture typos and forward them to its error page, ads and internet keyword search site, landing.netmyne.com.

%dig wtf

; <<>> DiG 9.4.2-P1 <<>> wtf
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21728
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wtf. IN A

;; ANSWER SECTION:
wtf. 0 IN A 203.106.203.238

;; Query time: 9 msec
;; SERVER: 202.188.0.133#53(202.188.0.133)
;; WHEN: Tue Sep 16 19:37:07 2008
;; MSG SIZE rcvd: 40

Instead of returning the Non-Existent Domain (NXDOMAIN) response, TM's nameservers send the IP address of the Netmyne ad server as the answer. When the browser visits that page, the user sees a default Google search box and TM's promotional ads on the right: the user's browser is hijacked to show TM's cheap ads. It seems TM is repeating the Earthlink/Barefruit mistake.
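A resolver that rewrites NXDOMAIN is easy to detect from the response itself, as the dig output above shows. The following is an added example (not part of the original post): a minimal DNS message builder and answer-section parser, plus a classifier that flags a NOERROR/A answer for a name that cannot exist. The sample response bytes are constructed here to mirror the `wtf` lookup above; the function names are my own.

```python
import struct

def build_query(name, qid=0x1234):
    # Header: id, flags 0x0100 (RD), QDCOUNT 1; then one A/IN question.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) name, RFC 1035 4.1.4.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    # Return (rcode, [(type, ttl, rdata), ...]) for the answer section.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rrtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rrtype == 1 and rdlen == 4:   # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rrtype, ttl, rdata))
    return flags & 0x000F, answers

def classify(rcode, answers):
    # A name that cannot exist must come back NXDOMAIN (rcode 3); NOERROR with an
    # A record means the resolver synthesised the answer (ad/search landing page).
    a_records = [rd for t, _, rd in answers if t == 1]
    if rcode == 3:
        return "clean"
    if rcode == 0 and a_records:
        return "rewritten:" + a_records[0]
    return "unexpected rcode %d" % rcode

# Constructed sample modelled on the dig output above: NOERROR with one answer,
# "wtf. 0 IN A 203.106.203.238", where NXDOMAIN would have been the honest reply.
SAMPLE_REWRITTEN = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                    b"\x03wtf\x00\x00\x01\x00\x01"
                    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\xcb\x6a\xcb\xee")
```

To test a live resolver, send `build_query(<random label>.invalid)` over UDP to port 53 and pass the reply to `parse_response`; `.invalid` is reserved (RFC 2606), so anything other than `clean` means the resolver is rewriting.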

Quoting from the wired.com site: security expert Dan Kaminsky has demonstrated the vulnerability by inserting a YouTube video into the Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan and allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.

This is nothing new! But TM is repeating others' mistakes and putting its subscribers at risk. BTW, I have added a nice tag line in the image for TM: All_your_base_belongs_to_us wannabe.

Tuesday, September 16th, 2008

New space at the HP


My account was added at the new site of the Honeynet Project. It can be found at http://newww.honeynet.org/kevin.foo. I guess I will use the blog there for publishing my research work. ;-)

Thursday, September 4th, 2008

Chinese Domain Names Fraud

There have been many reported cases of a new scam scheme, generally involving a Chinese domain registration firm asking people to register some domain names through them because "a third party" was trying to register them. Typically a .com domain owner receives an unsolicited email from one of these bogus companies claiming that someone else is trying to register the .cn version of the same domain, so they want the domain owner to register these domains first, with them, to "protect their trademarks".

In the process, they earn a fee for the so-called service of disputing a non-existent third-party registration. In other words, they create demand triggered by fear.

Nevertheless, it makes sense to register and park a .cn if China is a targeted new area of operation for your company. This blocks it from being snapped up by cybersquatters, competitors or even the Chinese scammers mentioned earlier.
Here are some samples of the communication from my attempt to lure them.


Tuesday, July 1st, 2008

Thing that we do not see in news

Perhaps I missed this news on TV / in the newspapers (maybe it was published in _the_tiny_little_column_that_we_always_miss_out). Or perhaps they are still busy with the press restrictions in the lobby of the Malaysian Parliament.

Here are some photos that were forwarded to me. Street protests are bad. But what else could they do?

Tuesday, July 1st, 2008

MoMGWB : Did the spoonman make gov.my sweat?

As good citizens, security.org.my initiated the Month of Malaysian Government Websites Bugs (MoMGWB), which aims to provide independent review, gather vulnerabilities submitted by volunteer hackers and disclose security issues in .gov.my websites to GCERT prior to public disclosure.

I find it rather ridiculous that such a noble initiative ended up being accused of being a project to attack/hack .gov.my websites! Duh! (Encik, do you read English, really?) This stirred up a bit of panic among .gov.my.

You can view the email correspondence between .gov.my and security.org.my at Xwings' blog.

Fear the spoonman!!!!!!!!!!!!!!!!!!!!

Friday, May 23rd, 2008

Deluge: ‘boost::bad_lexical_cast’ abort

%deluge
no existing Deluge session
Starting new Deluge session…
deluge_core; using libtorrent 0.13.0.0. Compiled with NDEBUG.
Applying preferences
terminate called after throwing an instance of ‘boost::bad_lexical_cast’
what(): bad lexical cast: source type value could not be interpreted as target
Abort
%

Deluge refused to restart after my computer was not shut down properly. A simple workaround is to remove the Deluge config directory (don't worry too much about your previous torrent downloads) and fire up Deluge again.

%rm -r ~/.config/deluge && deluge

Add your previous torrents again and select the directory where you saved them. Deluge will check your previous downloads and resume them. :)

Wednesday, April 30th, 2008

April Fool : UN against Open Source

This is funny. :D UN against Open Source

Tuesday, April 1st, 2008

Tun M’s Confession : a distortion?

“Tun Dr Mahathir Mohamad has expressed regret at the use of a video clip that purportedly showed he admitted that he had framed Datuk Seri Anwar Ibrahim.

Dr Mahathir said those who attended the talk understood the context of his speech but the Opposition took one part and distorted it.”

Source: thestar

Seriously, I don’t know how true this is. Judge it yourself.

Wednesday, March 5th, 2008

Pound SSL with CA certificate

Here's a note with easy steps to get Pound running with SSL using a certificate signed by a CA.

Generating Certificate Signing Request
# cd /etc/ssl
# openssl req -new -nodes -subj '/C=MY/ST=Wilayah Persekutuan/L=Kuala Lumpur/CN=myshinny.webserver.com/O=My office./OU=IT department.' -key host.key -out host.csr

The command above assumes the private key host.key already exists. After generating the certificate signing request, copy and paste the contents of host.csr into Verisign's signing form. Once your certificate has been signed, save it as host.crt. Note: the naming convention here is for the demonstration below.

Obtaining the Verisign intermediate CA certificate
Depending on which type of certificate you purchased, you can obtain the Verisign intermediate CA certificate from this page. Copy the certificate content and save it as verisign.pem.

Now you have 4 files: host.key, host.csr, host.crt and verisign.pem. Only 3 of them are needed for Pound SSL (the CSR is not). Prepare the certificate bundle for Pound. Note: in the server.pem that will be created, it is important that you follow this sequence:

1. Your key (host.key)
2. Your certificate (host.crt)
3. CA certificate (verisign.pem)

# cat host.key host.crt verisign.pem > server.pem

Example Pound configuration, pound.cfg:

---snip---
ListenHTTPS
        Address x.x.x.x
        Port    443
        HeadRemove "X-SSL-.*"
        HeadRemove "X-Client-Verify.*"
        Cert    "/etc/ssl/server.pem"
        CAlist "/etc/ssl/verisign.pem"
        Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
---snip---

End

Replace x.x.x.x with your server's IP address. Restart Pound and you are done!
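Because the order inside server.pem matters and host.csr must not end up in it, here is an added example (not from the original post) that assembles the bundle the same way the `cat` command above does and rejects a bundle whose blocks are out of order, missing, or include the CSR. It only inspects PEM block labels; the key and certificate contents below are constructed placeholders, and the function names are my own.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(text):
    # Ordered list of block labels, e.g. ["RSA PRIVATE KEY", "CERTIFICATE", ...].
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle_order(bundle):
    # Pound wants one private key first, then the server certificate, then the
    # intermediate CA certificate(s); anything else (such as the CSR) is a mistake.
    types = pem_block_types(bundle)
    if any(t.endswith("REQUEST") for t in types):
        raise ValueError("a certificate request (host.csr) does not belong in server.pem")
    if not types or not types[0].endswith("PRIVATE KEY"):
        raise ValueError("first block must be the private key, found %r" % types[:1])
    if any(t.endswith("PRIVATE KEY") for t in types[1:]):
        raise ValueError("more than one private key in the bundle")
    certs = types[1:]
    if len(certs) < 2 or any(t != "CERTIFICATE" for t in certs):
        raise ValueError("expected server cert then CA cert after the key, found %r" % certs)
    return types

def assemble_server_pem(key_pem, cert_pem, ca_pem):
    # Same result as `cat host.key host.crt verisign.pem > server.pem`, but the
    # bundle is validated before it is handed to Pound.
    parts = (key_pem, cert_pem, ca_pem)
    bundle = "".join(p if p.endswith("\n") else p + "\n" for p in parts)
    check_bundle_order(bundle)
    return bundle

# Constructed placeholders standing in for the real files; not valid key/cert data.
HOST_KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYDATA\n-----END RSA PRIVATE KEY-----\n"
HOST_CRT = "-----BEGIN CERTIFICATE-----\nLEAFDATA\n-----END CERTIFICATE-----\n"
VERISIGN_PEM = "-----BEGIN CERTIFICATE-----\nCADATA\n-----END CERTIFICATE-----\n"
HOST_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nCSRDATA\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    # With real files: read host.key, host.crt and verisign.pem, then write the
    # returned bundle to /etc/ssl/server.pem with mode 0600.
    print(pem_block_types(assemble_server_pem(HOST_KEY, HOST_CRT, VERISIGN_PEM)))
```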

Wednesday, March 5th, 2008