DDoS reflection attacks – udp 1900

Posted by EvolutionCrazy on Aug 12, 2014 in networking

So it happened… today a company I work with received their first ddos attack with source port 1900 udp.

Recorded attack peak was 1301 MBit/s with 530463 packets/s

I didn’t have the time to take a full network traffic dump as the attack ceased shortly after; these were the three most offending attackers, in case someone is looking for additional info/research/inspection:
Nmap scan report for adsl-77-109-241-234.kymp.net ( 
Host is up (0.098s latency). 
1900/udp open|filtered upnp 
Too many fingerprints match this host to give specific OS details
Nmap scan report for 74-36-12-13.dr01.aurr.mn.frontiernet.net ( 
Host is up (0.022s latency). 
1900/udp open|filtered upnp 
Aggressive OS guesses: Aerohive HiveAP 320 WAP (HiveOS 3.4) (95%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (95%), Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535 (95%), Aruba 3400 or 6000 wireless LAN controller (ArubaOS 3.3.2) (95%), AT&T 3G MicroCell WAP (95%), Avocent AutoView or DSR2020 KVM switch (95%), Avocent DSR1021 KVM switch (95%), AXIS 211A Network Camera (Linux 2.6) (95%), AXIS 211A Network Camera (Linux 2.6.20) (95%), Buffalo TeraStation Pro III NAS device (95%) 
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 
Host is up (0.020s latency). 
1900/udp open|filtered upnp 
Aggressive OS guesses: Sphairon Turbolink IAD DSL modem (97%), 3Com OfficeConnect 3CRWER100-75 wireless broadband router (96%), 3Com OfficeConnect 3CRWER100-75 wireless router (96%), Aastra RFP L32 IP DECT WAP (96%), Acorp W400G or W422G wireless ADSL modem (MontaVista embedded Linux 2.4.17) (96%), Actiontec GT701 DSL modem (96%), Aerohive HiveAP 320 WAP (HiveOS 3.4) (96%), AirMagnet SmartEdge wireless sensor, or Foxcam FI8904 or Instar IN-3010 surveillance camera (96%), Alcatel-Lucent OmniPCX Enterprise PBX (Linux 2.4.17) (96%), Sirio by Alice VoIP phone (96%) 
No exact OS matches for host (test conditions non-ideal).

Apparently those are just residential IP addresses running vulnerable routers with UPNP services exposed on the WAN side.

There were tens of thousands attacking a single IP in total… The per-source pps rate was very, very low (for example was pushing out just 200pps and it was one of the top offenders)
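With so many reflectors each sending so little, per-source rate checks see nothing, so detection has to aggregate per destination. The following is an added example, not part of the original post: it reads `tcpdump -nn` text and reports destinations receiving UDP from many distinct sources that share a reflector source port (1900 as here; 123 is included as a generalization to NTP). The function names, the threshold and the capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot reflection floods by aggregating per destination,
# because each reflector on its own stays under any per-source threshold.

# Constructed capture lines in `tcpdump -nn` text format (documentation IPs).
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 198.51.100.7.1900 > 203.0.113.10.40213: UDP, length 310
12:00:00.000002 IP 198.51.100.8.1900 > 203.0.113.10.40213: UDP, length 298
12:00:00.000003 IP 192.0.2.44.1900 > 203.0.113.10.40213: UDP, length 305
12:00:00.000004 IP 192.0.2.45.1900 > 203.0.113.10.40213: UDP, length 301
12:00:00.000005 IP 198.51.100.7.1900 > 203.0.113.10.40213: UDP, length 310
12:00:00.000006 IP 192.0.2.99.1900 > 203.0.113.20.5000: UDP, length 120
12:00:00.000007 IP 192.0.2.53.40000 > 203.0.113.10.33000: UDP, length 90
12:00:00.000008 IP 192.0.2.80.1900 > 203.0.113.10.443: Flags [S], seq 1, win 512, length 0
EOF
}

# Reads tcpdump text on stdin; prints "dst sport distinct_sources packets"
# for every destination hit from >= $1 sources on a reflector source port.
# The default threshold of 3 is an assumption sized for the sample above.
reflection_summary() {
    awk -v min="${1:-3}" '
    $2 == "IP" && $4 == ">" && !/Flags \[/ {      # skip TCP lines
        n = split($3, s, ".")                      # a.b.c.d.port
        sport = s[n]
        if (n != 5 || (sport != 1900 && sport != 123)) next
        dst = $5; sub(/:$/, "", dst)
        if (split(dst, d, ".") != 5) next
        key = d[1] "." d[2] "." d[3] "." d[4] " " sport
        src = s[1] "." s[2] "." s[3] "." s[4]
        pkts[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END { for (k in pkts) if (srcs[k] >= min) print k, srcs[k], pkts[k] }
    ' | sort
}

sample_capture | reflection_summary 3
```

On a live capture the same function can be fed from `tcpdump -nn -r file.pcap udp`, with the threshold raised to match normal traffic.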



Blocking outgoing wordpress bruteforces

Posted by EvolutionCrazy on Jul 24, 2014 in networking, snippets

Just an emergency fix to deploy while searching for the root cause of outgoing bruteforce hacks

iptables -I OUTPUT -p tcp -m multiport --dports 80 -m tcp -m string --algo bm --string "wp-login.php" -j DROP



Amazon SES postfix relay on centos

Posted by EvolutionCrazy on Apr 15, 2014 in howto

Following the Amazon SES tutorial to the letter:

but auth is not working and is giving errors like

No worthy mechs found
SASL authentication failed; cannot authenticate to server

and so on?

Make sure you have the proper auth libs installed

yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5



Show all the IP addresses available on a linux server

Posted by EvolutionCrazy on Apr 15, 2014 in bash

This command will show a list of all the IP v4 addresses available on a linux server

ip addr | grep inet | grep -v inet6 | awk '{ print $2; }' | awk -F'/' '{ print $1; }'


NTP reflected ddos list and iptables ruleset

Posted by EvolutionCrazy on Jan 20, 2014 in networking

Just a list, if you are looking to build your own botnet out of badly managed servers running insecure NTP daemon installations that can be exploited to deliver reflected ddos attacks.

iptables filtering ruleset (when not running an ntp daemon)

iptables -t raw -I PREROUTING -p udp --dport 123 -j DROP

870 hosts totalling 2.5gbit/sec, full list follows



Google cloud SQL – adding a new user with GRANT privilege

Posted by EvolutionCrazy on Nov 2, 2013 in Uncategorized

Google cloud sql does not support the



in order to create a new user with (almost) all the privileges access the cloud sql console and run these commands:

CREATE USER 'newuser'@'%' IDENTIFIED BY 'newpassword';
GRANT ALL ON `%`.* TO 'newuser'@'%' IDENTIFIED BY 'newpassword' WITH GRANT OPTION;

Those will create a user named “newuser” with password “newpassword” able to connect from every host and able to create new users while granting them access to other databases


Convert Prestashop tables from MyISAM to InnoDB using phpmyadmin

Posted by EvolutionCrazy on Sep 23, 2013 in howto, snippets

First run this query replacing databasetoconvert with the database name you want to convert

SELECT CONCAT('ALTER TABLE ', table_name, ' ENGINE=InnoDB;') AS sql_statements 
FROM information_schema.tables AS tb 
WHERE table_schema = 'databasetoconvert' 
ORDER BY table_name DESC LIMIT 0, 10000 ;

then copy the output and run it again against the database you want to convert


whmcs {php}base64decode tickets

Posted by EvolutionCrazy on Jan 26, 2013 in snippets

create a .php file with this content:

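<?php // WHMCS hook: bounce any ticket whose subject or message carries a {php} tag
$checkvars = array('subject','message');
foreach ($checkvars as $checkvar) {
	if (isset($_REQUEST[$checkvar]) && strpos($_REQUEST[$checkvar], '{php}') !== false) {
		header('Location: http://www.interpol.int/');
		exit; // stop here so the ticket is never processed
	}
}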

and place it into whmcs /includes/hooks/ directory



Processing mysql dumps in hurry (convert single insert to extended insert)

Posted by EvolutionCrazy on Jan 5, 2013 in howto, snippets

Most of the time there’s little time, sometimes there’s NO TIME!

A few days ago I had no time, and had to manipulate a badly exported database (2million+ single myisam insert statements) tuning mysqld was useless, insert delayed useless, increasing buffers useless… and so on… import was taking hours (many hours) on the target box due to impressively high disk io!

So I just fired up a vmware instance with 32gb of ram, 10gb hdd and 8cpu cores (of a xeon L56xx) and did everything in ram.
What was going to take hours on the target box took just 2minutes on the vmware instance…
Then I did a proper “mysqldump --opt” and imported it back into the target box in just 20seconds 😀

yum upgrade -y
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
mkdir -p /var/lib/mysql && mount -v -t tmpfs -o size=24G none /var/lib/mysql
yum install mysql mysql-server -y
nano -w /etc/my.cnf

tune it up a little, in my case


was enough 🙂

service mysqld restart

and you are good to go!

import the bad export and after that export it making use of all the proper settings (extended queries, locking and so on) … --opt handles all of them by default 🙂

So yes… sometimes I make use of “the cloud” too :O

PS: I do the same (storage on ramdisk) when I’ve to compile a linux kernel.



wget ftp download specific directory content – no recursion

Posted by EvolutionCrazy on Jan 4, 2013 in snippets

This one command allows you to download the content of a directory to a local directory without doing recursive searches

wget -np -N --cut-dirs=1 -A .dem ftp://user:password@host.tld/tf2/orangebox/tf/*

specifically this one downloads all the “.dem” (-A .dem) (team fortress demo files) located in the remote “/tf2/orangebox/tf/” directory.
Files are saved into the current directory (--cut-dirs=1)

Additionally it makes use of timestamping (-N) in order to not download already existing files when doing a subsequent run.


