Processing mysql dumps in a hurry (convert single inserts to extended inserts)

Posted by EvolutionCrazy on Jan 5, 2013 in howto, snippets

Most of the time there’s little time, sometimes there’s NO TIME!

A few days ago I had no time and had to manipulate a badly exported database (2 million+ single-row MyISAM INSERT statements). Tuning mysqld was useless, INSERT DELAYED useless, increasing buffers useless… and so on. The import was taking hours (many hours) on the target box due to impressively high disk I/O!

So I just fired up a VMware instance with 32 GB of RAM, a 10 GB HDD and 8 CPU cores (of a Xeon L56xx) and did everything in RAM.
What was going to take hours on the target box took just 2 minutes on the VMware instance…
Then I did a proper “mysqldump --opt” and imported it back into the target box in just 20 seconds 😀

yum upgrade -y
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
mkdir -p /var/lib/mysql && mount -v -t tmpfs -o size=24G none /var/lib/mysql
yum install mysql mysql-server -y
nano -w /etc/my.cnf

Tune it up a little; in my case


was enough 🙂

service mysqld restart

and you are good to go!

Import the bad export and after that export it again making use of all the proper settings (extended inserts, locking and so on)… --opt handles all of them by default 🙂

So yes… sometimes I make use of “the cloud” too :O

PS: I do the same (storage on a ramdisk) when I have to compile a Linux kernel.
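The post does the conversion by importing into a tmpfs-backed MySQL and dumping again with --opt. As an added example (not from the post), here is the same single-insert to extended-insert rewrite done offline in Python, directly on the dump file: consecutive single-row INSERT statements for the same table, one per line as mysqldump writes them, are merged into one multi-row statement, with a byte cap so no statement exceeds the importing server's max_allowed_packet. The sample dump lines are constructed.

```python
import re

# One single-row statement per line, as mysqldump --skip-extended-insert writes it:
# INSERT INTO `tbl` VALUES (...);   (';' or newlines inside the values are escaped by mysqldump)
_SINGLE = re.compile(r"^(INSERT INTO `[^`]+` VALUES )(\(.*\));\s*$")

def to_extended_insert(lines, max_bytes=1_000_000):
    """Merge consecutive single-row INSERTs for the same table into multi-row statements.
    max_bytes caps each statement so it stays under the importing server's max_allowed_packet
    (1 MB was the long-standing default)."""
    out, prefix, rows, size = [], None, [], 0

    def flush():
        nonlocal prefix, rows, size
        if rows:
            out.append(prefix + ",".join(rows) + ";")
        prefix, rows, size = None, [], 0

    for line in lines:
        line = line.rstrip("\n")
        m = _SINGLE.match(line)
        if m is None:
            flush()                 # CREATE TABLE, LOCK TABLES, comments: pass through unchanged
            out.append(line)
            continue
        this_prefix, row = m.group(1), m.group(2)
        # A different table, or a row that would overflow the packet, starts a new statement.
        if this_prefix != prefix or size + len(row) + 1 > max_bytes:
            flush()
            prefix = this_prefix
        rows.append(row)
        size += len(row) + 1
    flush()
    return out

# Constructed sample: what a badly exported dump looks like (one INSERT per row, two tables).
SAMPLE_DUMP = [
    "LOCK TABLES `users` WRITE;",
    "INSERT INTO `users` VALUES (1,'alice','a;b');",
    "INSERT INTO `users` VALUES (2,'bob','x\\');y');",
    "UNLOCK TABLES;",
    "INSERT INTO `logs` VALUES (1,'ok');",
    "INSERT INTO `logs` VALUES (2,'fail');",
]

if __name__ == "__main__":
    print("\n".join(to_extended_insert(SAMPLE_DUMP)))
```

Feed a real dump through it with `to_extended_insert(open("dump.sql"))` and write the returned statements out; with a lower max_bytes on servers that keep a small max_allowed_packet.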



wget ftp download specific directory content – no recursion

Posted by EvolutionCrazy on Jan 4, 2013 in snippets

This one command allows you to download the content of a directory to a local directory without doing recursive searches:

wget -np -N --cut-dirs=1 -A .dem ftp://user:password@host.tld/tf2/orangebox/tf/*

Specifically, this one downloads all the “.dem” files (-A .dem) (Team Fortress demo files) located in the remote “/tf2/orangebox/tf/” directory.
Files are saved into the current directory (--cut-dirs=1).

Additionally, it makes use of timestamping (-N) so that files which already exist locally are not downloaded again on a subsequent run.



Romania – DDoS botnets trash can

Posted by EvolutionCrazy on Dec 7, 2012 in networking

As I’m tired of contacting useless abuse desks (rackspace is a perfect example of what I consider a useless abuse desk, If you ever got in touch with them I’m sure you know what I mean) I’ll start collecting here offending IPs.

The latest attack went beyond what’s “reasonable”, as it exceeded the 1 million packets per second rate threshold by a wide margin.

So here comes the first batch of *possibly infected* hosts…
I’m sure this list will be useful both for building a banlist and for expanding your botnet with vulnerable hosts…

52 hosts accomplished a short 1M+ pps attack: 226 million total DDoS packets processed (dropped) by the firewall, totalling 6.5 gigabytes of traffic.




Map a network – PTR / reverse DNS values [php]

Posted by EvolutionCrazy on Oct 18, 2012 in snippets

<?php
// The post's own start/end addresses were lost in extraction; these are labelled
// placeholders from the TEST-NET-1 documentation range. Replace them with your range.
$start = '192.0.2.1';
$end = '192.0.2.10';
$first_ip = ip2long($start);
$last_ip = ip2long($end);
$current_ip = ip2long($start);
if ($last_ip <= $first_ip) {
	die('I saved you from an infinite loop.');
}
echo "IP\t\tREVERSE\n";
while ($current_ip < $last_ip) {
	// gethostbyaddr() returns the IP itself when no PTR record exists
	echo long2ip($current_ip) . "\t\t" . gethostbyaddr(long2ip($current_ip)) . "\n";
	$current_ip++;
}



Munin 2 CGI graphs generation cpu usage

Posted by EvolutionCrazy on Oct 16, 2012 in snippets

This is what happens when you move a munin master node from CRON to CGI graphs:




Telecom Italia making use of ARIN / AT&T networks for internal private routing

Posted by EvolutionCrazy on Oct 15, 2012 in networking

C:\Users\Marco>tracert -w 100
Traccia instradamento verso su un massimo di 30 punti di passaggio
  1    <1 ms    <1 ms    <1 ms  internet.gateway []
  2     *        *        *     Richiesta scaduta.
  3     9 ms     9 ms     9 ms
  4     9 ms     9 ms    10 ms
  5    18 ms    19 ms    20 ms
  6    17 ms    15 ms    15 ms
Traccia completata.

More amusing traceroutes can be seen here:

NetRange: -
OriginAS:       AS7132
NetName:        SIS-80-8-2012
NetHandle:      NET-172-0-0-0-1
Parent:         NET-172-0-0-0-0
NetType:        Direct Allocation
RegDate:        2012-08-20
Updated:        2012-08-20
Ref:            http://whois.arin.net/rest/net/NET-172-0-0-0-1

Are they aware that only is reserved for private use and not the whole 172/8 as per RFC1918?

You are copying the bad things of Fastweb… We want FTTH connections, not RFC violations!



Softlayer private network routing on centos6

Posted by EvolutionCrazy on Sep 29, 2012 in snippets

echo ' via' > /etc/sysconfig/network-scripts/route-eth0
service network restart

where is your private network IP gateway and eth0 is your private network interface.



Solaris in.routed (udp 520) reflected ddos

Posted by EvolutionCrazy on Jul 28, 2012 in networking

Another service being exploited…
This time, instead of chargen or the usual DNS (UDP 53), the sources of the attack appeared to be running the Solaris in.routed service (source port UDP 520).

If you are running an unsecured box please CLOSE THAT FUCKING PORT (IN UDP 520) or at least do some proper rate limiting!
If you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GO BANKRUPT AND CLOSE YOUR FUCKING DOORS FOR GOOD!

Read more for additional details and logs.




It happened: Fastweb + bogon IP ( = EPIC FAIL

Posted by EvolutionCrazy on May 18, 2012 in networking




EDIT: for a more complete explanation:


Chargen (UDP port 19) – Reflected ddos

Posted by EvolutionCrazy on May 6, 2012 in networking

Lately I’m seeing the chargen service being abused a lot to execute distributed denial of service attacks.
It’s not just “standard DDoS”… it’s a reflected DDoS with a massive amplification rate!!!
(The amplification rate can be as high as 512x… that means that with just a 100 Mbit pipe a malicious attacker could easily accomplish a 10 Gbit+ DDoS!)

What is chargen?

From wikipedia:
In the UDP implementation of the protocol, the server sends a UDP datagram containing a random number (between 0 and 512) of characters every time it receives a datagram from the connecting host.

Apparently there’s absolutely no handshake at all with chargen over UDP… only the TCP version (obviously) requires a handshake…

How are hosts running chargen (UDP) used as botnets?

To execute the attack, people are sending UDP packets with a forged source IP address to hundreds of hosts running chargen (and there are many of them!).
These hosts just reply to the apparent source of such packets, as they are intended to do… the problem is that they are replying to the forged IP address… a host that has never requested anything from them!

Is my machine vulnerable?

To test if your machine could be exploited just run:

echo t | nc -u X.X.X.X 19

Replace X.X.X.X with an IP running chargen… If you get a reply you just found a host that can be used as part of a DDoS botnet…

How can I make my machine secure?

Disable the chargen service.
(Please be aware of another weak point of chargen: it looks like it can also be used to make machines running chargen attack each other… guess what happens when you have two chargen instances sending packets to each other with both source and destination on UDP port 19… we get a loop! :D)

If you are running chargen on one of your hosts: CLOSE THAT PORT (IN UDP 19)!
If you are a carrier/ISP that allows spoofed traffic to leave your network: HOPE YOU GO BANKRUPT AND CLOSE YOUR DOORS FOR GOOD!
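As an added example (not from either post), here is the detection side for both the in.routed (UDP 520) post above and this chargen (UDP 19) one: a Python script that scans netfilter/iptables LOG lines for unsolicited UDP replies arriving from those service ports at ephemeral local ports and aggregates them per source, which is what you would feed a banlist or an abuse report. The log lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict

# Reflector source ports from the two posts: chargen (UDP 19) and Solaris in.routed (UDP 520).
REFLECTOR_PORTS = {19: "chargen", 520: "in.routed"}

# Fields we need from a netfilter LOG line ("... SRC=a.b.c.d DST=... LEN=540 PROTO=UDP SPT=19 DPT=40311").
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|LEN)=(\S+)")
_NEEDED = ("SRC", "DST", "PROTO", "SPT", "DPT", "LEN")

def parse_log_line(line):
    """Return the parsed fields as a dict (ports and length as ints), or None if incomplete."""
    f = dict(_FIELD.findall(line))
    if not all(k in f for k in _NEEDED):
        return None
    for k in ("SPT", "DPT", "LEN"):
        f[k] = int(f[k])
    return f

def find_reflectors(lines, min_packets=3):
    """Aggregate unsolicited UDP replies per source IP: a packet FROM a reflector service port
    TO an ephemeral (>1023) port we never queried from is the reflection signature.
    Sources under min_packets are dropped so a stray packet does not land on a banlist."""
    stats = defaultdict(lambda: {"service": None, "packets": 0, "bytes": 0})
    for line in lines:
        f = parse_log_line(line)
        if f is None or f["PROTO"] != "UDP":
            continue
        service = REFLECTOR_PORTS.get(f["SPT"])
        if service is None or f["DPT"] < 1024:
            continue
        s = stats[f["SRC"]]
        s["service"] = service
        s["packets"] += 1
        s["bytes"] += f["LEN"]
    return {ip: s for ip, s in stats.items() if s["packets"] >= min_packets}

# Constructed sample: 3 chargen replies, 3 in.routed replies, one lone chargen reply from a
# third source (under threshold) and one TCP line that must be ignored.
_PFX = "May  6 10:00:0{} fw kernel: IN=eth0 OUT= "
SAMPLE_LOG = [
    _PFX.format(1) + "SRC=203.0.113.10 DST=198.51.100.1 LEN=540 PROTO=UDP SPT=19 DPT=40311",
    _PFX.format(2) + "SRC=203.0.113.10 DST=198.51.100.1 LEN=540 PROTO=UDP SPT=19 DPT=40311",
    _PFX.format(3) + "SRC=203.0.113.10 DST=198.51.100.1 LEN=540 PROTO=UDP SPT=19 DPT=40311",
    _PFX.format(4) + "SRC=203.0.113.20 DST=198.51.100.1 LEN=532 PROTO=UDP SPT=520 DPT=40311",
    _PFX.format(5) + "SRC=203.0.113.20 DST=198.51.100.1 LEN=532 PROTO=UDP SPT=520 DPT=40311",
    _PFX.format(6) + "SRC=203.0.113.20 DST=198.51.100.1 LEN=532 PROTO=UDP SPT=520 DPT=40311",
    _PFX.format(7) + "SRC=203.0.113.30 DST=198.51.100.1 LEN=200 PROTO=UDP SPT=19 DPT=40999",
    _PFX.format(8) + "SRC=203.0.113.10 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=19 DPT=40311",
]
```

On a real box, pipe the kernel log through `find_reflectors(open("/var/log/messages"))` and compare `packets` against the log's time span to get the per-source pps the posts talk about.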


Read more for additional details and logs.



Copyright © 2018 evcz.tk All rights reserved. Theme by Laptop Geek.