Posted by EvolutionCrazy on May 6, 2012 in
Uncategorized
Lately I’m seeing chargen service being abused a lot to execute distributed denial of service attacks.
It’s not just “standard ddos”… it’s a reflected ddos with a massive aplification rate!!!
(Amplification rate can be as high as 512x… that means with that just a 100mbit pipe a malicius attacker could easely accomplish a 10gbit+ ddos!)
What is chargen?
From wikipedia:
<<In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host.>>
Apparently there’s absolutely no handshake at all with chargen… only the TCP version (obviously) requires handshake…
How are hosts running chargen (UDP) used as botnets?
To execute the attack people are sending spoofed UDP packets with a forged source IP address to hundreds of hosts running chargen (and there are many of them!).
These hosts just reply to the apparent source of such packet as they are intendend to do… the problem is that they are replying to the forged IP address… that host has never requested something to them!
Is my machine vulnerable?
To test if your machine could be exploited just run:
echo t | nc -u X.X.X.X 19
replace X.X.X.X with an IP running chargen… If you got a reply you just found a host that can be used as part of a ddos botnet…
How can I make my machine secure?
details on how to disable chargen service:
http://shalb.com/kb/entry/10043/
(on that link they refer to another weak point of chargen: looks like it can also be used to let machines running chargen attack each-other…)
if you are running chargen on one of your hosts: CLOSE THAT FUCKING PORT (IN UDP 19)!
if you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GET BANKRUPT AND CLOSE YOUR FUCKING DOORS FOR GOOD!
ktnxbye
Posted by EvolutionCrazy on Apr 25, 2012 in
Uncategorized
I was missing the holidays calendar into a specific google calendar account…
in order to add it back again this is the calendar address:
it.italian#holiday@group.v.calendar.google.com
just add it as it was a new calendar you want to link
another special calendar you might want to add is:
#contacts@group.v.calendar.google.com
Posted by EvolutionCrazy on Apr 12, 2012 in
howto
Upgrading munin on CentOS/RHEL/Scientific Linux using the rpm from EPEL repositories results in an empty plugin list on the nodes:
ls -al /etc/munin/plugins/
easy fix:
munin-node-configure --suggest --shell | sh ; service munin-node restart
to verify what was detected just run:
ls -al /etc/munin/plugins/
Tags: CentOS, munin
Posted by EvolutionCrazy on Mar 25, 2012 in
howto
If your clock is wrong you might have a wrong hwclock set…
yum install ntp
ntpdate -s it.pool.ntp.org
hwclock -w
on a side not to change the timezone on RHEL 6.x adjust the clock settings config file:
nano -w /etc/sysconfig/clock
set it as you wish:
then set the localtime
cp /usr/share/zoneinfo/Europe/Rome /etc/localtime
Tags: CentOS
Posted by EvolutionCrazy on Mar 29, 2011 in
howto,
snippets
BFD is an easy to use brute force detection script that plays very nicely when combined with APF…
currently it does support certain daemons out of the box… but vspftd is not one of those 
This a *very basic* (it does not pass the offending username to bfd) script to add VSFTPD support to BFD.
You just need to create a file named “vsftpd” into the BFD ./rules/ directory and paste this content into it:
REQ="/usr/sbin/vsftpd"
if [ -f "$REQ" ]; then
LP="/var/log/vsftpd.log"
TLOG_TF="vsftpd"
#Mon Mar 28 23:57:38 2011 [pid 9897] [asdasd] FAIL LOGIN: Client "127.0.0.1"
## VSFTPD
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | sed -r 's/^.{0,}Client .//' | sed 's/"/:vsftpd/g'`
fi
This script refers to the standard vsftpd rhel/centos installation…
If the logfile is placed elsewhere (vsftpd_log_file) or if the option “syslog_enable” in vsftpd.conf has been enabled it needs to be adjusted
PS: this was a NON-WORKING test (usernames with a space in it where making it fail):
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -w 'FAIL LOGIN' | awk '{print $12":"$8}' | tr '[]"'`
Tags: brute force detection, CentOS, vsftpd
Posted by EvolutionCrazy on Jan 23, 2010 in
howto
“somehow” Microsoft (or Hewlett Packard?) dropped HP PSC 2100 series support in Windows 7…
but you can still get it working…
Read more…
Tags: drivers, seven, windows
Posted by EvolutionCrazy on Jun 11, 2009 in
Uncategorized
As I’m going to close down “evcz.altervista.org”, will archive here something from my past…
phpipblocker (last version 0.99j)
phpipblocker archive
php2dns (last version 0.91beta)
php2dns archive
Tags: php2dns, phpipblocker
Posted by EvolutionCrazy on Oct 21, 2008 in
howto
*POST UPDATED – now referring to centos6*
I get in touch with many people related to centos reinstall… I’m aware in certain conditions it’s a pain to have it rolling properly…
I do this for work, just contact me if you want it done for a small fee
There are some ISPs in the dedicated servers market that are offering crappy CentOS installs…
With “crappy” I mean: broken/modifed images…
The worst example I had the opportunity to try was OVH.
OVH is in general a very good dedicated hosting provider offering very nice services at an impressive low price… but they have the bad attitude to install custom operating systems that many times cannot be reverted back to the original kernels
One of them is their CentOS 5 install… Lucky for us it’s not a big problem as, most times, it’s possible to do a clean CentOS install
Read more…
Tags: CentOS, vnc